Researchers are cautioning users against clicking unsubscribe links embedded in email bodies, citing new data showing such actions can expose recipients to malicious websites and confirm active email addresses to attackers. DNSFilter found that one in every 644 clicks on unsubscribe links leads users to potentially malicious websites.

"You've left the safe, structured environment of your email client and entered the open web," TK Keanini, DNSFilter's chief technology officer, told WSJ. The risks range from confirming to bad actors that an email address belongs to an active user to redirecting victims to fake websites designed to steal login credentials or install malware. Clicking such links "can make you a bigger target in the future," said Michael Bargury, CTO of security company Zenity.

Microsoft has disabled Windows Hello's ability to authenticate users in low-light environments through a recent security update that now requires both infrared sensors and color cameras to verify faces. The change forces the system to see a visible face through the webcam before completing authentication with IR sensors.

Windows Hello earlier relied solely on infrared sensors to create 3D facial scans, allowing the feature to work in complete darkness similar to iPhone's Face ID. Microsoft pushed the dual-camera requirement to address a spoofing vulnerability in the biometric system.

KDE isn't the only organization reaching out to " as Microsoft prepares to end support for Windows 10.

"Now, The Document Foundation, maker of LibreOffice, has also joined in to support the Endof10 initiative," reports the tech blog Neowin: The foundation writes: "You don't have to follow Microsoft's upgrade path. There is a better option that puts control back in the hands of users, institutions, and public bodies: Linux and LibreOffice. Together, these two programmes offer a powerful, privacy-friendly and future-proof alternative to the Windows + Microsoft 365 ecosystem."

It further adds the "real costs" of upgrading to Windows 11 as it writes:

"The move to Windows 11 isn't just about security updates. It increases dependence on Microsoft through aggressive cloud integration, forcing users to adopt Microsoft accounts and services. It also leads to higher costs due to subscription and licensing models, and reduces control over how your computer works and how your data is managed. Furthermore, new hardware requirements will render millions of perfectly good PCs obsolete.... The end of Windows 10 does not mark the end of choice, but the beginning of a new era. If you are tired of mandatory updates, invasive changes, and being bound by the commercial choices of a single supplier, it is time for a change. Linux and LibreOffice are ready — 2025 is the right year to choose digital freedom!"
The first words on LibreOffice's announcement? "The countdown has begun...."

An anonymous reader quotes a report from the Wall Street Journal: Since 2022, the U.S. has tightened the noose around the sale of high-end AI chips and other technology to China overnational-security concerns. Yet Chinese companies have made advances using workarounds. In some cases, Chinese AI developers have been able to substitute domestic chips for the American ones. Another workaround is to smuggle AI hardware into China through third countries. But people in the industry say that has become more difficult in recent months, in part because of U.S. pressure. That is pushing Chinese companies to try a further option: bringing their data outside China so they can use American AI chips in places such as Southeast Asia and the Middle East (source paywalled; alternative source). The maneuvers are testing the limits of U.S. restrictions. "This was something we were consistently concerned about," said Thea Kendler, who was in charge of export controls at the Commerce Department in the Biden administration, referring to Chinese companies remotely accessing advanced American AI chips. Layers of intermediaries typically separate the Chinese users of American AI chips from the U.S. companies -- led by Nvidia -- that make them. That leaves it opaque whether anyone is violating U.S. rules or guidance. [...]

At the Chinese AI developer, the Malaysia game plans take months of preparation, say people involved in them. Engineers decided it would be fastest to fly physical hard drives with data into the country, since transferring huge volumes of data over the internet could take months. Before traveling, the company's engineers in China spent more than eight weeks optimizing the data sets and adjusting the AI training program, knowing it would be hard to make major tweaks once the data was out of the country. The Chinese engineers had turned to the same Malaysian data center last July, working through a Singaporean subsidiary. As Nvidia and its vendors began to conduct stricter audits on the end users of AI chips, the Chinese company was asked by the Malaysian data center late last year to work through a Malaysian entity, which the companies thought might trigger less scrutiny.

The Chinese company registered an entity in Kuala Lumpur, Malaysia's capital, listing three Malaysian citizens as directors and an offshore holding company as its parent, according to a corporate registry document. To avoid raising suspicions at Malaysian customs, the Chinese engineers packed their hard drives into four different suitcases. Last year, they traveled with the hard drives bundled into one piece of luggage. They returned to China recently with the results -- several hundred gigabytes of data, including model parameters that guide the AI system's output. The procedure, while cumbersome, avoided having to bring hardware such as chips or servers into China. That is getting more difficult because authorities in Southeast Asia are cracking down on transshipments through the region into China.

Japan must stop being overly optimistic about how quickly its population is going to shrink, economists have warned, as births plunge at a pace far ahead of core estimates. From a report: Japan this month said there were a total of 686,000 Japanese births in 2024, falling below 700,000 for the first time since records began in the 19th century and defying years of policy efforts to halt population decline. The total represented the ninth straight year of decline and pushed the country's total fertility rate -- the average number of children born per woman over her lifetime -- to a record low of 1.15.

But public and parliamentary dismay over the latest evidence of Japan's decline was intensified by the extent to which the figures undershot population estimates calculated by government demographers just two years ago. The median forecast produced by the National Institute of Population and Social Security Research (IPSS) in 2023 did not foresee the number of annual births -- which does not include children born to non-Japanese people -- dropping into the 680,000 range until 2039.

During this week's Worldwide Developers Conference, Apple unveiled a secure import/export feature for passkeys that addresses one of their biggest limitations: lack of interoperability across platforms and credential managers. The feature, built in collaboration with the FIDO Alliance, enables encrypted, user-initiated passkey transfers between apps and systems. Ars Technica's Dan Goodin says it "provides the strongest indication yet that passkey developers are making meaningful progress in improving usability." From the report: "People own their credentials and should have the flexibility to manage them where they choose," the narrator of the Apple video says. "This gives people more control over their data and the choice of which credential manager they use." The transfer feature, which will also work with passwords and verification codes, provides an industry-standard means for apps and OSes to more securely sync these credentials.

As the video explains: "This new process is fundamentally different and more secure than traditional credential export methods, which often involve exporting an unencrypted CSV or JSON file, then manually importing it into another app. The transfer process is user initiated, occurs directly between participating credential manager apps and is secured by local authentication like Face ID. This transfer uses a data schema that was built in collaboration with the members of the FIDO Alliance. It standardizes the data format for passkeys, passwords, verification codes, and more data types. The system provides a secure mechanism to move the data between apps. No insecure files are created on disk, eliminating the risk of credential leaks from exported files. It's a modern, secure way to move credentials."

An anonymous reader quotes a report from The Register: The US Cybersecurity and Infrastructure Security Agency has lost another senior leader: executive director Bridget Bean departed on Wednesday. Bean, who served as the de facto agency boss for five months between former CISA director Jen Easterly's departure in January and Madhu Gottumukkala's appointment to the deputy director post last month, said she was "officially retiring from Federal service once again" in a LinkedIn post. "My time at CISA has been truly remarkable," she wrote. "Having had the privilege to serve as the Senior Official Performing the Duties of Director of CISA for 5 months has been a profound honor."

CISA's executive leadership page now lists Gottumukkala as its acting director, and the agency remains without a Senate-confirmed leader. President Trump nominated Sean Plankey to serve as the agency's director, and his nomination is scheduled for consideration (PDF) by the Senate's Homeland Security and Governmental Affairs Committee today. However, his appointment still requires a full Senate vote. Senator Ron Wyden (D-OR) has said he will continue to block Plankey's confirmation until CISA releases an unclassified report on American telecommunications networks' weak security.

At the time of her departure, Bean had spent three and a half years with CISA and more than three decades with the federal government, including a job as the Federal Emergency Management Agency's third-ranking official. Before accepting the executive director post, she was CISA's first chief integration officer. In this position, she "led the integration of the agency's operations and ensured CISA's frontline of regional staff seamlessly supported the critical infrastructure that Americans rely on every hour of every day," according to her bio on the agency's website. [...] Bean's retirement comes during a talent exodus from CISA -- and other federal government agencies -- with some folks getting fired and others taking the Trump administration's buyout offer to resign from public service. As of May 30, the heads of five of CISA's six operational divisions and six of its 10 regional offices had left the agency, and around 1,000 people, nearly one-third of its total staff, have reportedly left CISA since Trump took office.

BrianFagioli writes: Barbie is getting a brain upgrade. Mattel has officially partnered with OpenAI in a move that brings artificial intelligence to the toy aisle. Yes, you read that right, folks. Barbie might soon be chatting with your kids in full sentences, powered by ChatGPT.

This collaboration brings OpenAI's advanced tools into Mattel's ecosystem of toys and entertainment brands. The goal? To launch AI-powered experiences that are fun, safe, and age-appropriate. Mattel says it wants to keep things magical while also respecting privacy and security. Basically, Barbie won't be data-mining your kids... yet.

More than a dozen private browsing apps on Apple and Google's app stores have undisclosed ties to Chinese companies, leaving user data at risk of exposure to the Chinese government, according to a new report from the Tech Transparency Project. From a report: Thirteen virtual private network (VPN) apps on Apple's App Store and 11 apps on Google's Play Store have ties to Chinese companies, the tech watchdog group said in the report released Thursday.

Chinese law requires Chinese companies to share data with the government upon request, creating privacy and security risks for American users. Several of the apps, including two on both app stores and two others on Google Play Store, have ties to Chinese cybersecurity firm Qihoo 360, which has been sanctioned by the U.S. government, according to the report. The Tech Transparency Project previously identified more than 20 VPN apps on Appleâ(TM)s App Store with Chinese ties in an April report. The iPhone maker has since removed three apps linked to Qihoo 360.

Google has removed device trees and driver binaries for Pixel phones from the Android 16 source code release, significantly complicating custom ROM development for those devices. The Android-maker intentionally omitted these resources as it shifts its Android Open Source Project reference target from Pixel hardware to a virtual device called "Cuttlefish."

The change forces custom ROM developers to reverse-engineer configurations they previously received directly from Google. Nolen Johnson from LineageOS said the process will become "painful," requiring developers to "blindly guess and reverse engineer from the prebuilt binaries what changes are needed each month." Google also squashed the Pixel kernel source code's commit history, eliminating another reference point developers used for features and security patches.

Google VP Seang Chau dismissed speculation that AOSP itself is ending, stating the project "is NOT going away." However, the changes effectively bring Pixel devices down to the same difficult development level as other Android phones.

An anonymous reader quotes a report from ZDNet: Denmark's Minister of Digitalization, Caroline Stage, has announced that the Danish government will start moving away from Microsoft Office to LibreOffice. Why? It's not because open-source is better, although I would argue that it is, but because Denmark wants to claim "digital sovereignty." In the States, you probably haven't heard that phrase, but in the European Union, digital sovereignty is a big deal and getting bigger.

A combination of security, economic, political, and societal imperatives is driving the EU's digital sovereignty moves. EU leaders are seeking to reduce Europe's dependence on foreign technology providers, primarily those from the United States, and to assert greater control over its digital infrastructure, data, and technological future. Why? Because they're concerned about who controls European data, who sets the rules, and who can potentially cut off access to essential services in times of geopolitical tension. "Money issues have also played a decisive role," writes ZDNet's Steven Vaughan-Nichols. "Copenhagen's Microsoft software bill has soared from 313 million kroner in 2018 to 538 million kroner -- about $53 million in 2023, a 72% increase in just five years.

David Heinemeier Hansson (DHH), a Dane, inventor of Ruby on Rails, and co-owner of the software developer company 37Signals, has said: "Denmark is one of the most highly digitalized countries in the world. It's also one of the most Microsoft-dependent. In fact, Microsoft is by far and away the single biggest dependency, so it makes perfect sense to start the quest for digital sovereignty there."

BrianFagioli shares a report from NERDS.xyz: Apple has released a new developer tool on GitHub called Container, offering a fresh approach to running Linux containers directly on macOS. Unlike Docker or Podman, this tool is designed to feel at home in the Apple ecosystem and hooks into frameworks already built into the operating system. Container runs standard OCI images, but it doesn't use a single shared Linux VM. Instead, it creates a small Linux virtual machine for every container you spin up. That sounds heavy at first, but the VMs are lightweight and boot quickly. Each one is isolated, which Apple claims improves both security and privacy. Developers can run containerized workloads locally with native macOS support and without needing to install third-party container platforms.

Since filing for bankruptcy in March, 23andMe has received data deletion requests from 1.9 million users -- around 15% of its customer base. That number was revealed by 23andMe's interim chief executive Joseph Selsavage during a House Oversight Committee hearing, during which lawmakers scrutinized the company's sale following an earlier bankruptcy auction. "The bankruptcy sparked concerns that the data of millions of Americans who used 23andMe could end up in the hands of an unscrupulous buyer, prompting customers to ask the company to delete their data," adds TechCrunch. From the report: Pharmaceutical giant Regeneron won the court-approved auction in May, offering $256 million for 23andMe and its banks of customers' DNA and genetic data. Regeneron said it would use the 23andMe data to aid the discovery of new drugs, and committed to maintain 23andMe's privacy practices. Truly deleting your personal genetic information from the DNA testing company is easier said than done. But if you were a 23andMe customer and are interested, MIT Technology Review outlines that steps you can take.

Hong Kong authorities have invoked national security laws for the first time to ban the Taiwan-made video game Reversed Front: Bonfire, accusing it of promoting "secessionist agendas, such as 'Taiwan independence' and 'Hong Kong independence.'" Engadget reports: Reversed Front: Bonfire was developed by a group known as ESC Taiwan, who are outspoken critics of the China's Communist Party. The game disappeared from the Apple App Store in Hong Kong less than 24 hours after authorities issued the warning. Google already removed the game from the Play Store back in May, because players were using hate speech as part of their usernames. ESC Taiwan told The New York Times that that the game's removal shows that apps like theirs are subject to censorship in mainland China. The group also thanked authorities for the free publicity on Facebook, as the game experienced a surge in Google searches.

The game uses anime-style illustrations and allows players to fight against China's Communist Party by taking on the role of "propagandists, patrons, spies or guerrillas" from Hong Kong, Taiwan, Tibet, Mongolia and Xinjiang, which is home to ethnic minorities like the Uyghur. That said, they can also choose to play as government soldiers. In its warning, Hong Kong Police said that anybody who shares or recommends the game on the internet may be committing several offenses, including "incitement to secession, "incitement to subversion" and "offenses in connection with seditious intention." Anybody who has downloaded the game will be considered in "possession of a publication that has a seditious intention," and anybody who provides financial assistance to it will be violating national security laws, as well. "Those who have downloaded the application should uninstall it immediately and must not attempt to defy the law," the authorities wrote.

An anonymous reader shares a report: A data broker owned by the country's major airlines, including Delta, American Airlines, and United, collected U.S. travellers' domestic flight records, sold access to them to Customs and Border Protection (CBP), and then as part of the contract told CBP to not reveal where the data came from, according to internal CBP documents obtained by 404 Media. The data includes passenger names, their full flight itineraries, and financial details.

CBP, a part of the Department of Homeland Security (DHS), says it needs this data to support state and local police to track people of interest's air travel across the country, in a purchase that has alarmed civil liberties experts. The documents reveal for the first time in detail why at least one part of DHS purchased such information, and comes after Immigration and Customs Enforcement (ICE) detailed its own purchase of the data. The documents also show for the first time that the data broker, called the Airlines Reporting Corporation (ARC), tells government agencies not to mention where it sourced the flight data from.

"The big airlines -- through a shady data broker that they own called ARC -- are selling the government bulk access to Americans' sensitive information, revealing where they fly and the credit card they used," Senator Ron Wyden said in a statement. ARC is owned and operated by at least eight major U.S. airlines, other publicly released documents show. The company's board of directors include representatives from Delta, Southwest, United, American Airlines, Alaska Airlines, JetBlue, and European airlines Lufthansa and Air France, and Canada's Air Canada. More than 240 airlines depend on ARC for ticket settlement services.

WhatsApp has applied to submit evidence in Apple's legal battle against the UK Home Office over government demands for access to encrypted user data. The messaging platform's boss Will Cathcart told the BBC the case "could set a dangerous precedent" by "emboldening other nations" to seek to break encryption protections.

The confrontation began when Apple received a secret Technical Capability Notice from the Home Office earlier this year demanding the right to access data from its global customers for national security purposes. Apple responded by first pulling its Advanced Data Protection system from the UK, then taking the government to court to overturn the request.

Cathcart said WhatsApp "would challenge any law or government request that seeks to weaken the encryption of our services." US Director of National Intelligence Tulsi Gabbard has called the UK's demands an "egregious violation" of American citizens' privacy rights.

An anonymous reader quotes a report from Axios: President Trump quietly took a red pen to much of the Biden administration's cyber legacy in a little-noticed move late Friday. Under an executive order signed just before the weekend, Trump is tossing out some of the major touchstones of Biden's cyber policy legacy -- while keeping a few others. The order preserves efforts around post-quantum cryptography, advanced encryption standards, and border gateway protocol security, along with the Cyber Trust Mark program -- an Energy Star-type labeling initiative for consumer smart devices. But hallmark programs tied to software bills of materials, zero-trust implementation, and space contractor cybersecurity requirements have been either rescinded or left in limbo. The new executive order amends both the Biden cyber executive order signed in January and an Obama administration order.

Each of the following Biden-era programs is now out the door or significantly rolled back:
- A broad requirement for federal software vendors to provide a software bill of materials - essentially an ingredient list of code components - is gone.
- Biden-era efforts to encourage federal agencies to accept digital identity documents and help states develop mobile driver's licenses were revoked.
- Several AI cybersecurity research mandates, including those focused on AI-generated code security and AI-driven patch management pilots, have been scrapped or deprioritized.
- The requirement that software contractors formally attest they followed secure development practices - and submit those attestations to a federal repository - has been cut. Instead, the National Institute of Standards and Technology will now coordinate a new industry consortium to review software security guidelines.

Connor Jones reports via The Register: Security researchers managed to access the live feeds of 40,000 internet-connected cameras worldwide and they may have only scratched the surface of what's possible. Supporting the bulletin issued by the Department of Homeland Security (DHS) earlier this year, which warned of exposed cameras potentially being used in Chinese espionage campaigns, the team at Bitsight was able to tap into feeds of sensitive locations. The US was the most affected region, with around 14,000 of the total feeds streaming from the country, allowing access to the inside of datacenters, healthcare facilities, factories, and more. Bitsight said these feeds could potentially be used for espionage, mapping blind spots, and gleaning trade secrets, among other things.

Aside from the potential national security implications, cameras were also accessed in hotels, gyms, construction sites, retail premises, and residential areas, which the researchers said could prove useful for petty criminals. Monitoring the typical patterns of activity in retail stores, for example, could inform robberies, while monitoring residences could be used for similar purposes, especially considering the privacy implications. "It should be obvious to everyone that leaving a camera exposed on the internet is a bad idea, and yet thousands of them are still accessible," said Bitsight in a report. "Some don't even require sophisticated hacking techniques or special tools to access their live footage in unintended ways. In many cases, all it takes is opening a web browser and navigating to the exposed camera's interface."

HTTP-based cameras accounted for 78.5 percent of the total 40,000 sample, while RTSP feeds were comparatively less open, accounting for only 21.5 percent.

To protect yourself or your company, Bitsight says you should secure your surveillance cameras by changing default passwords, disabling unnecessary remote access, updating firmware, and restricting access with VPNs or firewalls. Regularly monitoring for unusual activity also helps to prevent your footage from being exposed online.

Cisco is updating its networking and security products to make AI networks speedier and more secure, part of a broader push to capitalize on the AI spending boom. From a report: A new generation of switches -- networking equipment that links computer systems -- will offer a 10-fold improvement in performance, the company said on Tuesday. That will help prevent AI applications from suffering bottlenecks when transferring data, Cisco said. Networking speed has become a bigger issue as data center operators try to manage a flood of AI information -- both in the cloud and within the companies' own facilities. Slowdowns can hinder AI models, Cisco President and Chief Product Officer Jeetu Patel said in an interview. That applies to the development phase -- known as training -- and the operation of the models, a stage called inference. A massive build-out of data centers has made Cisco more relevant, he said. "AI is going to be network-bound, both on training and inference," Patel said. Having computer processors sit idle during training because of slow networks is "just throwing away money."

Apple announced that macOS 26 "Tahoe" will be the final version to support Intel-based Macs, with future macOS releases running exclusively on Apple Silicon devices (that is, 2020 M1 models and newer). They will, however, continue to receive security updates for a few more years. 9to5Mac reports: In some ways, Apple has already stopped supporting some non-Apple Silicon models of its lineup. macOS Tahoe does not work with any Intel MacBook Air or Mac mini for instance. But Tahoe does still support some Intel Macs. That includes compatibility with the 2019 16-inch MacBook Pro, the 2020 Intel 13-inch MacBook Pro, 2020 iMac, and the 2019 Mac Pro.

Based on Apple's warning, you can expect that macOS 27 will drop support for all of these legacy machines, and therefore macOS 26 will be the last compatible version. These devices will continue to receive security updates for another three years, however. Going forward, the minimum support hardware generations will be from 2020 onwards, as that is when Apple began the Apple Silicon transition with the M1. M1 Pro and M1 Max MacBook Pros followed in 2021.