An anonymous reader quotes a report from Data Center Dynamics: BlackRock plans to launch a new $30 billion artificial intelligence (AI) investment fund focused on data centers and energy projects. Microsoft and Abu Dhabi-backed investment company MGX are general partners of the fund. GPU giant Nvidia will also advise. Run through BlackRock's Global Infrastructure Partners fund, which it acquired for $12.5 billion earlier this year, the 'Global AI Investment Partnership,' plans to raise up to $30 billion in equity investments. Another $70 billion could come via leveraged debt financing. "Mobilizing private capital to build AI infrastructure like data centers and power will unlock a multi-trillion-dollar long-term investment opportunity," said Larry Fink, chairman and CEO of BlackRock. "Data centers are the bedrock of the digital economy, and these investments will help power economic growth, create jobs, and drive AI technology innovation."

Brad Smith, Microsoft's president, added: "The capital spending needed for AI infrastructure and the new energy to power it goes beyond what any single company or government can finance. This financial partnership will not only help advance technology, but enhance national competitiveness, security, and economic prosperity."

Bayo Ogunlesi, CEO of Global Infrastructure Partners, said: "There is a clear need to mobilize significant amounts of private capital to fund investments in essential infrastructure. One manifestation of this is the capital required to support the development of AI. We are highly confident that the combined capabilities of our partnership will help accelerate the pace of investments in AI-related infrastructure."

The Register's Jessica Lyons reports: Chinese state-sponsored spies have been spotted inside a global engineering firm's network, having gained initial entry using an admin portal's default credentials on an IBM AIX server. In an exclusive interview with The Register, Binary Defense's Director of Security Research John Dwyer said the cyber snoops first compromised one of the victim's three unmanaged AIX servers in March, and remained inside the US-headquartered manufacturer's IT environment for four months while poking around for more boxes to commandeer. It's a tale that should be a warning to those with long- or almost-forgotten machines connected to their networks; those with shadow IT deployments; and those with unmanaged equipment. While the rest of your environment is protected by whatever threat detection you have in place, these legacy services are perfect starting points for miscreants.

This particular company, which Dwyer declined to name, makes components for public and private aerospace organizations and other critical sectors, including oil and gas. The intrusion has been attributed to an unnamed People's Republic of China team, whose motivation appears to be espionage and blueprint theft. It's worth noting the Feds have issued multiple security alerts this year about Beijing's spy crews including APT40 and Volt Typhoon, which has been accused of burrowing into American networks in preparation for destructive cyberattacks.

After discovering China's agents within its network in August, the manufacturer alerted local and federal law enforcement agencies and worked with government cybersecurity officials on attribution and mitigation, we're told. Binary Defense was also called in to investigate. Before being caught and subsequently booted off the network, the Chinese intruders uploaded a web shell and established persistent access, thus giving them full, remote access to the IT network -- putting the spies in a prime position for potential intellectual property theft and supply-chain manipulation. If a compromised component makes it out of the supply chain and into machinery in production, whoever is using that equipment or vehicle will end up feeling the brunt when that component fails, goes rogue, or goes awry.

"The scary side of it is: With our supply chain, we have an assumed risk chain, where whoever is consuming the final product -- whether it is the government, the US Department of the Defense, school systems â" assumes all of the risks of all the interconnected pieces of the supply chain," Dwyer told The Register. Plus, he added, adversarial nations are well aware of this, "and the attacks continually seem to be shifting left." That is to say, attempts to meddle with products are happening earlier and earlier in the supply-chain pipeline, thus affecting more and more victims and being more deep-rooted in systems. Breaking into a classified network to steal designs or cause trouble is not super easy. "But can I get into a piece of the supply chain at a manufacturing center that isn't beholden to the same standards and accomplish my goals and objectives?" Dwyer asked. The answer, of course, is yes. [...]

An anonymous reader shares a report: Israel blew up thousands of two-way personal radios used by Hezbollah members in Lebanon in a second wave of an intelligence operation that started on Tuesday with the explosions of pager devices, two sources with knowledge of the operation told Axios. The second wave of clandestine attacks is another serious security breach in Hezbollah's ranks and increases the pressure on the militant Lebanese group.

Lebanon's official news agency reported that at least three people were killed and dozens wounded in the explosions across the country. The walkie-talkies were booby-trapped in advance by Israeli intelligence services and then delivered to Hezbollah as part of the militia's emergency communications system, which was supposed to be used during a war with Israel, the sources said. Associated Press reports: Lebanon's official news agency reports that solar energy systems exploded in homes in several areas of Beirut and in southern Lebanon, wounding at least one girl.

Wireless communication pagers, carried by thousands, exploded around the same time across Lebanon on Tuesday, injuring over 2,700 people and killing eight, in what security experts suspect was a sophisticated Israeli intelligence operation. New York Times: Hundreds of pagers blew up at the same time across Lebanon on Tuesday in an apparently coordinated attack that killed eight people and injured more than 2,700, health officials said on Tuesday. [...] Hezbollah said that pagers belonging to its members had exploded and accused Israel of being behind the attack. The Israeli military declined to comment.

[...] Three officials briefed on the attack said that it had targeted hundreds of pagers belonging to Hezbollah operatives who have used such devices for years to make it harder for their messages to be intercepted. The devices were programmed to beep for several seconds before exploding, according to the officials, who spoke on the condition of anonymity because of the sensitivity of the matter. Further reading: Reuters; CNN; NPR; Fox News; and WSJ.

Edward Snowden said, "If it were iPhones that were leaving the factory with explosives inside, the media would be a hell of a lot faster to cotton on to what a horrific precedent has been set today. Nothing can justify this. It's a crime. A crime. And everyone in the world is less safe for it."

Google is updating the post-quantum cryptography in Chrome, replacing the experimental Kyber with the fully standardized Module Lattice Key Encapsulation Mechanism (ML-KEM) to enhance protection against quantum computing attacks. BleepingComputer reports: This change comes roughly five months after Google rolled out the post-quantum secure TLS key encapsulation system on Chrome stable for all users, which also caused some problems with TLS exchanges. The move from Kyber to ML-KEM though is not related to those early problems, that got resolved soon after manifesting. Rather, its a strategic choice to abandon an experimental system for a NIST-approved and fully standardized mechanism.

ML-KEM was fully endorsed by the U.S. National Institute of Standards and Technology (NIST) in mid-August, with the agency publishing the complete technical specifications of the final version at the time. Google explains that despite the technical changes from Kyber to ML-KEM being minor, the two are essentially incompatible, so a switch had to be made. "The changes to the final version of ML-KEM make it incompatible with the previously deployed version of Kyber," explains Google. "As a result, the codepoint in TLS for hybrid post-quantum key exchange is changing from 0x6399 for Kyber768+X25519, to 0x11EC for ML-KEM768+X25519."

Oracle cofounder Larry Ellison envisions AI as the backbone of a new era of mass surveillance, positioning Oracle as a key player in AI infrastructure through its unique networking architecture and partnerships with AWS and Microsoft. The Register reports: Ellison made the comments near the end of an hour-long chat at the Oracle financial analyst meeting last week during a question and answer session in which he painted Oracle as the AI infrastructure player to beat in light of its recent deals with AWS and Microsoft. Many companies, Ellison touted, build AI models at Oracle because of its "unique networking architecture," which dates back to the database era.

"AI is hot, and databases are not," he said, making Oracle's part of the puzzle less sexy, but no less important, at least according to the man himself - AI systems have to have well-organized data, or else they won't be that valuable. The fact that some of the biggest names in cloud computing (and Elon Musk's Grok) have turned to Oracle to run their AI infrastructure means it's clear that Oracle is doing something right, claimed now-CTO Ellison. "If Elon and Satya [Nadella] want to pick us, that's a good sign - we have tech that's valuable and differentiated," Ellison said, adding: One of the ideal uses of that differentiated offering? Maximizing AI's pubic security capabilities.

"The police will be on their best behavior because we're constantly watching and recording everything that's going on," Ellison told analysts. He described police body cameras that were constantly on, with no ability for officers to disable the feed to Oracle. Even requesting privacy for a bathroom break or a meal only meant sections of recording would require a subpoena to view - not that the video feed was ever stopped. AI would be trained to monitor officer feeds for anything untoward, which Ellison said could prevent abuse of police power and save lives. [...] "Citizens will be on their best behavior because we're constantly recording and reporting," Ellison added, though it's not clear what he sees as the source of those recordings - police body cams or publicly placed security cameras. "There are so many opportunities to exploit AI," he said.

China will "gradually raise" its retirement age for the first time since the 1950s, as the country confronts an ageing population and a dwindling pension budget. From a report: The top legislative body on Friday approved proposals to raise the statutory retirement age from 50 to 55 for women in blue-collar jobs, and from 55 to 58 for females in white-collar jobs. Men will see an increase from 60 to 63. China's current retirement ages are among the lowest in the world.

According to the plan passed on Friday, the change will set in from 1 January 2025, with the respective retirement ages raised every few months over the next 15 years, said Chinese state media. Retiring before the statutory age will not be allowed, state news agency Xinhua reported, although people can extend their retirement by no more than three years. Starting 2030, employees will also have to make more contributions to the social security system in order to receive pensions. By 2039, they would have to clock 20 years of contributions to access their pensions.

On Tuesday Ivanti issued a "high severity vulnerability" announcement for version 4.6 of its Cloud Service Appliance (or CSA). "Successful exploitation could lead to unauthorized access to the device running the CSA." And Friday that announcement got an update: Ivanti "has confirmed exploitation of this vulnerability in the wild."

While Ivanti released a security update, they warned that "with the end-of-life status this is the last fix that Ivanti will backport for this version. Customers must upgrade to Ivanti CSA 5.0 for continued support."

This prompted a response from CISA (the Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security). The noted that Ivanti is urging customers to upgrade to version 5.0, as "Ivanti no longer supports CSA 4.6 (end-of-life)." But in addition, CISA "ordered all federal civilian agencies to remove CSA 4.6. from service or upgrade to the 5.0. by October 4," reports the Record: Ivanti said users will know they are impacted by exploitation of the bug by looking to see if there are modified or newly added administrative users. They also urged customers to check security alerts if they have certain security tools involved.

The issue arose one day after another Ivanti bug caused alarm among defenders. The company pledged a security overhaul in April after a cascade of headline-grabbing nation-state attacks broke through the systems of government agencies in the U.S. and Europe using vulnerabilities in Ivanti products.

An EFF article calls out a "brazen attempt to privatize" a wireless frequency band (900 MHz) which America's FCC's left " as a commons for all... for use by amateur radio operators, unlicensed consumer devices, and industrial, scientific, and medical equipment." The spectrum has also become "a hotbed for new technologies and community-driven projects. Millions of consumer devices also rely on the range, including baby monitors, cordless phones, IoT devices, garage door openers." But NextNav would rather claim these frequencies, fence them off, and lease them out to mobile service providers. This is just another land-grab by a corporate rent-seeker dressed up as innovation. EFF and hundreds of others have called on the FCC to decisively reject this proposal and protect the open spectrum as a commons that serves all.

NextNav [which sells a geolocation service] wants the FCC to reconfigure the 902-928 MHz band to grant them exclusive rights to the majority of the spectrum... This proposal would not only give NextNav their own lane, but expanded operating region, increased broadcasting power, and more leeway for radio interference emanating from their portions of the band. All of this points to more power for NextNav at everyone else's expense.

This land-grab is purportedly to implement a Positioning, Navigation and Timing (PNT) network to serve as a US-specific backup of the Global Positioning System(GPS). This plan raises red flags off the bat. Dropping the "global" from GPS makes it far less useful for any alleged national security purposes, especially as it is likely susceptible to the same jamming and spoofing attacks as GPS. NextNav itself admits there is also little commercial demand for PNT. GPS works, is free, and is widely supported by manufacturers. If Nextnav has a grand plan to implement a new and improved standard, it was left out of their FCC proposal. What NextNav did include however is its intent to resell their exclusive bandwidth access to mobile 5G networks. This isn't about national security or innovation; it's about a rent-seeker monopolizing access to a public resource. If NextNav truly believes in their GPS backup vision, they should look to parts of the spectrum already allocated for 5G.

The open sections of the 900 MHz spectrum are vital for technologies that foster experimentation and grassroots innovation. Amateur radio operators, developers of new IoT devices, and small-scale operators rely on this band. One such project is Meshtastic, a decentralized communication tool that allows users to send messages across a network without a central server. This new approach to networking offers resilient communication that can endure emergencies where current networks fail. This is the type of innovation that actually addresses crises raised by Nextnav, and it's happening in the part of the spectrum allocated for unlicensed devices while empowering communities instead of a powerful intermediary. Yet, this proposal threatens to crush such grassroots projects, leaving them without a commons in which they can grow and improve.

This isn't just about a set of frequencies. We need an ecosystem which fosters grassroots collaboration, experimentation, and knowledge building. Not only do these commons empower communities, they avoid a technology monoculture unable to adapt to new threats and changing needs as technology progresses. Invention belongs to the public, not just to those with the deepest pockets. The FCC should ensure it remains that way.

NextNav's proposal is a direct threat to innovation, public safety, and community empowerment. While FCC comments on the proposal have closed, replies remain open to the public until September 20th. The FCC must reject this corporate land-grab and uphold the integrity of the 900 MHz band as a commons.

"New malicious software packages tied to the North Korean Lazarus Group were observed posing as a Python coding skills test for developers seeking a new job at Capital One, but were tracked to GitHub projects with embedded malware," reports SC magazine: Researchers at ReversingLabs explained in a September 10 blog post that the scheme was a follow-on to the VMConnect campaign that they first identified in August 2023 in which developers were lured into downloading malicious code via fake job interviews.
More details from The Hacker News These packages, for their part, have been published directly on public repositories like npm and PyPI, or hosted on GitHub repositories under their control. ReversingLabs said it identified malicious code embedded within modified versions of legitimate PyPI libraries such as pyperclip and pyrebase... It's implemented in the form of a Base64-encoded string that obscures a downloader function, which establishes contact with a command-and-control server in order to execute commands received as a response.

In one instance of the coding assignment identified by the software supply chain firm, the threat actors sought to create a false sense of urgency by requiring job seekers to build a Python project shared in the form of a ZIP file within five minutes and find and fix a coding flaw in the next 15 minutes. This makes it "more likely that he or she would execute the package without performing any type of security or even source code review first," Zanki said, adding "that ensures the malicious actors behind this campaign that the embedded malware would be executed on the developer's system."
Tom's Hardware reports that "The capacity for exploitation at that point is pretty much unlimited, due to the flexibility of Python and how it interacts with the underlying OS. This is a good time to refer to PEP 668 which enforces virtual environments for non-system wide Python installs."

More from The Hacker News Some of the aforementioned tests claimed to be a technical interview for financial institutions like Capital One and Rookery Capital Limited, underscoring how the threat actors are impersonating legitimate companies in the sector to pull off the operation. It's currently not clear how widespread these campaigns are, although prospective targets are scouted and contacted using LinkedIn, as recently also highlighted by Google-owned Mandiant.

The Rust foundation is making "considerable progress" on a complete security audit of the Rust ecosystem, according to the coding news site I Programmer, citing a newly-released report from the nonprofit Rust foundation: The foundation is investigating the development of a Public Key Infrastructure (PKI) model for the Rust language, including the design and implementation for a PKI CA and a resilient Quorum model for the project to implement, and the report says that language updates suggested by members of the Project were nearly ready for implementation.

Following the XZ backdoor vulnerability, the Security Initiative has focused on supply chain security, including work on provenance-tracking, verifying that a given crate is actually associated with the repository it claims to be. The top 5,000 crates by download count have been checked and verified.

Threat modeling has now been completed on the Crates ecosystem. Rust Infrastructure, crates.io and the Rust Project.

Two open source security tools, Painter and Typomania, have been developed and released. Painter can be used to build a graph database of dependencies and invocations between all crates within the crates.io ecosystem, including the ability to obtain 'unsafe' statistics, better call graph pruning, and FFI boundary mapping. Typomania ports typogard to Rust, and can be used to detect potential typosquatting as a reusable library that can be adapted to any registry.
They've also tightened admin privileges for Rust's package registry, according to the article. And "In addition to the work on the Security Initiative, the Foundation has also been working on improving interoperability between Rust and C++, supported by a $1 million contribution from Google."

According to the Rust foundation's technology director, they've made "impressive technical strides and developed new strategies to reinforce the safety, security, and longevity of the Rust programming language." And the director says the new report "paints a clear picture of the impact of our technical projects like the Security Initiative, Safety-Critical Rust Consortium, infrastructure and crates.io support, Interop Initiative, and much more."

Samba is "a free software re-implementation of the SMB networking protocol," according to Wikipedia. And now the Samba project "has secured significant funding (€688,800.00) from the German Sovereign Tech Fund to advance the project," writes Jeremy Allison — Sam (who is Slashdot reader #8,157 — and also a long standing member of Samba's core team): The investment was successfully applied for by [information security service provider] SerNet. Over the next 18 months, Samba developers from SerNet will tackle 17 key development subprojects aimed at enhancing Samba's security, scalability, and functionality.

The Sovereign Tech Fund is a German federal government funding program that supports the development, improvement, and maintenance of open digital infrastructure. Their goal is to sustainably strengthen the open source ecosystem.

The project's focus is on areas like SMB3 Transparent Failover, SMB3 UNIX extensions, SMB-Direct, Performance and modern security protocols such as SMB over QUIC. These improvements are designed to ensure that Samba remains a robust and secure solution for organizations that rely on a sovereign IT infrastructure. Development work began as early as September the 1st and is expected to be completed by the end of February 2026 for all sub-projects.

All development will be done in the open following the existing Samba development process. First gitlab CI pipelines have already been running and gitlab MRs will appear soon!
Back in 2000, Jeremy Allison answered questions from Slashdot readers about Samba.

Allison is now a board member at both the GNOME Foundation and the Software Freedom Conservancy, a distinguished engineer at Rocky Linux creator CIQ, and a long-time free software advocate.

23andMe has agreed to pay $30 million to settle a lawsuit over a data breach that exposed the personal information of 6.4 million customers in 2023. BleepingComputer reports: The proposed class action settlement (PDF), filed Thursday in a San Francisco federal court and awaiting judicial approval, includes cash payments for affected customers, which will be distributed within ten days of final approval. "23andMe believes the settlement is fair, adequate, and reasonable," the company said in a memorandum filed (PDF) Friday.

23andMe has also agreed to strengthen its security protocols, including protections against credential-stuffing attacks, mandatory two-factor authentication for all users, and annual cybersecurity audits. The company must also create and maintain a data breach incident response plan and stop retaining personal data for inactive or deactivated accounts. An updated Information Security Program will also be provided to all employees during annual training sessions. "23andMe denies the claims and allegations set forth in the Complaint, denies that it failed to properly protect the Personal Information of its consumers and users, and further denies the viability of Settlement Class Representatives' claims for statutory damages," the company said in the filed preliminary settlement.

"23andMe denies any wrongdoing whatsoever, and this Agreement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of 23andMe with respect to any claim of any fault or liability or wrongdoing or damage whatsoever."

An anonymous reader quotes a report from Ars Technica: Researchers still don't know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries. Security firm Doctor Web reported Thursday that malware named Android.Vo1d has backdoored the Android-based boxes by putting malicious components in their system storage area, where they can be updated with additional malware at any time by command-and-control servers. Google representatives said the infected devices are running operating systems based on the Android Open Source Project, a version overseen by Google but distinct from Android TV, a proprietary version restricted to licensed device makers.

Although Doctor Web has a thorough understanding of Vo1d and the exceptional reach it has achieved, company researchers say they have yet to determine the attack vector that has led to the infections. "At the moment, the source of the TV boxes' backdoor infection remains unknown," Thursday's post stated. "One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access." The following device models infected by Vo1d are: [R4, TV BOX, KJ-SMART4KVIP].

One possible cause of the infections is that the devices are running outdated versions that are vulnerable to exploits that remotely execute malicious code on them. Versions 7.1, 10.1, and 12.1, for example, were released in 2016, 2019, and 2022, respectively. What's more, Doctor Web said it's not unusual for budget device manufacturers to install older OS versions in streaming boxes and make them appear more attractive by passing them off as more up-to-date models. Further, while only licensed device makers are permitted to modify Google's AndroidTV, any device maker is free to make changes to open source versions. That leaves open the possibility that the devices were infected in the supply chain and were already compromised by the time they were purchased by the end user. "These off-brand devices discovered to be infected were not Play Protect certified Android devices," Google said in a statement. "If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety."

Users can confirm if their device runs Android TV OS via this link and following the steps here.

An anonymous reader quotes a report from Wired: You can tell a lot about someone from their eyes. They can indicate how tired you are, the type of mood you're in, and potentially provide clues about health problems. But your eyes could also leak more secretive information: your passwords, PINs, and messages you type. Today, a group of six computer scientists are revealing a new attack against Apple's Vision Pro mixed reality headset where exposed eye-tracking data allowed them to decipher what people entered on the device's virtual keyboard. The attack, dubbed GAZEploit and shared exclusively with WIRED, allowed the researchers to successfully reconstruct passwords, PINs, and messages people typed with their eyes. "Based on the direction of the eye movement, the hacker can determine which key the victim is now typing," says Hanqiu Wang, one of the leading researchers involved in the work. They identified the correct letters people typed in passwords 77 percent of the time within five guesses and 92 percent of the time in messages.

To be clear, the researchers did not gain access to Apple's headset to see what they were viewing. Instead, they worked out what people were typing by remotely analyzing the eye movements of a virtual avatar created by the Vision Pro. This avatar can be used in Zoom calls, Teams, Slack, Reddit, Tinder, Twitter, Skype, and FaceTime. The researchers alerted Apple to the vulnerability in April, and the company issued a patch to stop the potential for data to leak at the end of July. It is the first attack to exploit people's "gaze" data in this way, the researchers say. The findings underline how people's biometric data -- information and measurements about your body -- can expose sensitive information and beused as part of the burgeoning surveillance industry.

The GAZEploit attack consists of two parts, says Zhan, one of the lead researchers. First, the researchers created a way to identify when someone wearing the Vision Pro is typing by analyzing the 3D avatar they are sharing. For this, they trained a recurrent neural network, a type of deep learning model, with recordings of 30 people's avatars while they completed a variety of typing tasks. When someone is typing using the Vision Pro, their gaze fixates on the key they are likely to press, the researchers say, before quickly moving to the next key. "When we are typing our gaze will show some regular patterns," Zhan says. Wang says these patterns are more common during typing than if someone is browsing a website or watching a video while wearing the headset. "During tasks like gaze typing, the frequency of your eye blinking decreases because you are more focused," Wang says. In short: Looking at a QWERTY keyboard and moving between the letters is a pretty distinct behavior.

The second part of the research, Zhan explains, uses geometric calculations to work out where someone has positioned the keyboard and the size they've made it. "The only requirement is that as long as we get enough gaze information that can accurately recover the keyboard, then all following keystrokes can be detected." Combining these two elements, they were able to predict the keys someone was likely to be typing. In a series of lab tests, they didn't have any knowledge of the victim's typing habits, speed, or know where the keyboard was placed. However, the researchers could predict the correct letters typed, in a maximum of five guesses, with 92.1 percent accuracy in messages, 77 percent of the time for passwords, 73 percent of the time for PINs, and 86.1 percent of occasions for emails, URLs, and webpages. (On the first guess, the letters would be right between 35 and 59 percent of the time, depending on what kind of information they were trying to work out.) Duplicate letters and typos add extra challenges.

Cybersecurity giant Fortinet has confirmed it suffered a data breach after a threat actor claimed to steal 440GB of files from the company's Microsoft Sharepoint server. From a report: Fortinet is one of the largest cybersecurity companies in the world, selling secure networking products like firewalls, routers, and VPN devices. The company also offers SIEM, network management, and EDR/XDR solutions, as well as consulting services.

Early this morning, a threat actor posted to a hacking forum that they had stolen 440GB of data from Fortinet's Azure Sharepoint instance. The threat actor then shared credentials to an alleged S3 bucket where the stolen data is stored for other threat actors to download. The threat actor, known as "Fortibitch," claims to have tried to extort Fortinet into paying a ransom, likely to prevent the publishing of data, but the company refused to pay. In response to our questions about incident, Fortinet confirmed that customer data was stolen from a "third-party cloud-based shared file drive."

An anonymous reader quotes a report from InsideEVs: General Motors is joining forces with EVgo, one of the biggest electric vehicle charging operators in the United States, to build 400 ultra-fast DC chargers nationwide to support the growing number of battery-powered cars hitting U.S. roads. To be clear, these are individual stalls, not charging stations. However, the two companies describe the new locations as "flagship destinations" which will feature 350-kilowatt DC chargers, ample lighting, canopies, pull-through spots and security cameras. Most locations will feature up to 20 ultra-fast charging stalls, but some will have even more -- good news for those crowded holiday road trips. GM and EVgo said the fancy new stations would be located near shopping areas offering dining, coffee shops and other amenities.

We don't know exactly where the new stations will be built, but EVgo mentioned that the "flagship destinations" will be deployed coast to coast, including in metropolitan areas in states like Arizona, California, Florida, Georgia, Michigan, New York and Texas. The stalls will be co-branded EVgo and GM Energy -- the automaker's charging and energy management division. The first new "flagship station" is expected to open next year. The new stalls will make use of EVgo's prefabrication approach which can reduce the total cost of a new station by 15% and the deployment time by 50%. Similar to Tesla's prefabricated Supercharger stalls, EVgo's ready-made structures come with stalls and accompanying equipment already mounted on a metal base plate which is transported from the factory to the charging site.

Microsoft announced plans to modify Windows, enabling security vendors like CrowdStrike to operate outside the operating system's kernel. The move follows the July incident where a faulty CrowdStrike update caused widespread system failures. From a report: Microsoft says it has now "discussed the requirements and key challenges in creating a new platform which can meet the needs of security vendors" with partners like CrowdStrike, Broadcom, Sophos, and Trend Micro.

[...] While Microsoft isn't directly saying it's going to close off access to the Windows kernel, it's clearly at the early stages of designing a security platform that can eventually move CrowdStrike and others out of the kernel. Microsoft last tried to close off access to the Windows kernel in Windows Vista in 2006, but it was met with pushback from cybersecurity vendors and regulators.

An anonymous reader quotes a report from Ars Technica: Microsoft has updated a key cryptographic library with two new encryption algorithms designed to withstand attacks from quantum computers. The updates were made last week to SymCrypt, a core cryptographic code library for handing cryptographic functions in Windows and Linux. The library, started in 2006, provides operations and algorithms developers can use to safely implement secure encryption, decryption, signing, verification, hashing, and key exchange in the apps they create. The library supports federal certification requirements for cryptographic modules used in some governmental environments. Despite the name, SymCrypt supports both symmetric and asymmetric algorithms. It's the main cryptographic library Microsoft uses in products and services including Azure, Microsoft 365, all supported versions of Windows, Azure Stack HCI, and Azure Linux. The library provides cryptographic security used in email security, cloud storage, web browsing, remote access, and device management. Microsoft documented the update in a post on Monday. The updates are the first steps in implementing a massive overhaul of encryption protocols that incorporate a new set of algorithms that aren't vulnerable to attacks from quantum computers. [...]

The first new algorithm Microsoft added to SymCrypt is called ML-KEM. Previously known as CRYSTALS-Kyber, ML-KEM is one of three post-quantum standards formalized last month by the National Institute of Standards and Technology (NIST). The KEM in the new name is short for key encapsulation. KEMs can be used by two parties to negotiate a shared secret over a public channel. Shared secrets generated by a KEM can then be used with symmetric-key cryptographic operations, which aren't vulnerable to Shor's algorithm when the keys are of a sufficient size. [...] The other algorithm added to SymCrypt is the NIST-recommended XMSS. Short for eXtended Merkle Signature Scheme, it's based on "stateful hash-based signature schemes." These algorithms are useful in very specific contexts such as firmware signing, but are not suitable for more general uses. Monday's post said Microsoft will add additional post-quantum algorithms to SymCrypt in the coming months. They are ML-DSA, a lattice-based digital signature scheme, previously called Dilithium, and SLH-DSA, a stateless hash-based signature scheme previously called SPHINCS+. Both became NIST standards last month and are formally referred to as FIPS 204 and FIPS 205. In Monday's post, Microsoft Principal Product Manager Lead Aabha Thipsay wrote: "PQC algorithms offer a promising solution for the future of cryptography, but they also come with some trade-offs. For example, these typically require larger key sizes, longer computation times, and more bandwidth than classical algorithms. Therefore, implementing PQC in real-world applications requires careful optimization and integration with existing systems and standards."

A security researcher has exposed a critical vulnerability in the WHOIS system. Benjamin Harris, CEO of watchTowr, gained unprecedented access by registering an expired domain once used for .mobi's authoritative WHOIS server. His rogue server received millions of queries from thousands of systems, including government agencies, certificate authorities, and major tech companies. ArsTechnica adds: The humor aside, the rogue WHOIS server gave him powers he never should have had. One of the greatest was the ability to dictate the email address certificate authority GlobalSign used to determine if a party applying for a TLS certificate was the rightful owner of the domain name the certificate would apply to. Like the vast majority of its competitors, GlobalSign uses an automated process. An application for example.com, for instance, will prompt the certificate authority to send an email to the administrative email address listed in the authoritative WHOIS for that domain. If the party on the other end clicks a link, the certificate is automatically approved. When Harris generated a certificate signing request for microsoft.mobi, he promptly received an email from GlobalSign. The email gave him the option of receiving a verification link at whois@watchtowr.com. For ethical reasons, he stopped the experiment at this point. The vulnerability stems from outdated WHOIS client configurations, which underscores systemic weaknesses in internet infrastructure management.