America's federal government "is a veritable cosmos of information, made up of constellations of databases," warns the Atlantic. The FBI "has a facial-recognition apparatus capable of matching people against more than 640 million photos — a database made up of driver's license and passport photos, as well as mug shots. The Homeland Security department holds data "about the movements of every person who travels by air commercially". America's Drug Enforcement Administration "tracks license plates scanned on American roads." And there's also every taxpayer's finance and employment history..." Government agencies including the IRS, the FBI, DHS, and the Department of Defense have all purchased cellphone-location data, and possibly collected them too, via secretive groups such as the National Geospatial-Intelligence Agency. That means the government has at least some ability to map or re-create the past everyday movements of some American citizens.
But now the information at individual agencies "is being pooled together. The question is Why? And what does the administration intend to do with it?" A White House spokesperson confirmed to the Atlantic that data collected by different agencies is now being combined. (They said that "Through data sharing between agencies, departments are collaborating to identify fraud and prevent criminals from exploiting hardworking American taxpayers.") But a March executive explicitly stated an aim "to eliminate the data silos that keep everything separate." The article accuses the administration officials of "not just undoing decades of privacy measures. They appear to be ignoring that they were ever written."

The Atlantic spoke with former government officials "who have spent time in these systems," reporting that "to a person, these experts are alarmed about the possibilities for harm, graft, and abuse... Collecting and then assembling data in the industrial way — just to have them in case they might be useful — would represent a huge and disturbing shift for the government..."

"A fragile combination of decades-old laws, norms, and jungly bureaucracy has so far prevented repositories such as these from assembling into a centralized American surveillance state. But that appears to be changing... DOGE has systematically gained access to sensitive data across the federal government "in ways that people in several agencies have described to us as both dangerous and disturbing."

The Open Source Initiative is joining "a global community of contributors" for GitHub's annual event "honoring the individuals who steward and sustain Open Source projects."

And the theme of the 5th Annual "Maintainer Month" will be: securing Open Source: Throughout the month, OSI and our affiliates will be highlighting maintainers who prioritize security in their projects, sharing their stories, and providing a platform for collaboration and learning... Maintainer Month is a time to gather, share knowledge, and express appreciation for the people who keep Open Source projects running. These maintainers not only review issues and merge pull requests — they also navigate community dynamics, mentor new contributors, and increasingly, adopt security best practices to protect their code and users....

- OSI will publish a series of articles on Opensource.net highlighting maintainers whose work centers around security...

- As part of our programming for May, OSI will host a virtual Town Hall [May 21st] with our affiliate organizations and invite the broader Open Source community to join....

- Maintainer Month is also a time to tell the stories of those who often work behind the scenes. OSI will be amplifying voices from across our affiliate network and encouraging communities to recognize the people whose efforts are often invisible, yet essential.
"These efforts are not just celebrations — they are opportunities to recognize the essential role maintainers play in safeguarding the Open Source infrastructure that underpins so much of our digital world," according to the OSI's announcement. And this year they're focusing on three key areas of open source security:

• Adopting security best practices in projects and communities

• Recognizing contributors who improve project security

• Collaborating to strengthen the ecosystem as a whole

Remember when U.S. National Security Adviser Mike Waltz mistakenly included a journalist in an encrypted chatroom to discuss looming U.S. military action against Yemen's Houthis?

A recent photo of a high-level cabinet meeting caught Waltz using a "less-secure Signal app knockoff," reports the Guardian: The chat app Waltz was using appears to be a modified version of Signal called TM SGNL, made by a company that copies messaging apps but adds an ability to retain messages and archive them. The White House officials may be using the modified Signal in order to comply with the legal requirement that presidential records be preserved... That function suggests the end-to-end encryption that makes Signal trusted for sharing private communications is possibly "not maintained, because the messages can be later retrieved after being stored somewhere else", according to 404 Media.
Thursday the national security adviser was removed from his position, the article points out.

He was instead named America's ambassador to the United Nations.

Microsoft has appointed a Deputy CISO for Europe to address growing regulatory pressure and reassure EU leaders about its cybersecurity commitment. "The move also highlights strong fears from European IT execs and government officials that the Trump administration may exert significant influence on cybersecurity companies," reports CSO Online. From the report: Who that Deputy CISO will ultimately be is unclear. Wednesday's statement simply said that Microsoft CISO Igor Tsyganskiy is "appointing a new Deputy CISO for Europe as part of the Microsoft Cybersecurity Governance Council," but the phrasing made it unclear when that would happen. However, Tsyganskiy made a separate announcement on LinkedIn that he has given the role to current Deputy CISO Ann Johnson. But he then said that Johnson, who is based at Microsoft's head office in Redmond, Washington, will hold that post "temporarily."

In his LinkedIn post, Tsyganskiy explained that the Cybersecurity Governance Council, which was created in 2024, consists of "our Global CISO and Deputy Chief Information Security Officers (Deputy CISOs) representing each of our technology services. This Council oversees the company's cyber risks, defenses, and compliance across regions and domains." "The Deputy CISO for Europe will be accountable for compliance with current and emerging cybersecurity regulations in Europe, including the Digital Operational Resilience Act (DORA), the NIS 2 Directive, and the Cyber Resilience Act (CRA)," Tsyganskiy wrote. "These laws will prove transformative not only in EU markets, but worldwide, and Microsoft is actively engaged in preparing for what lies ahead." Microsoft said in Wednesday's statement: "the appointment of a Deputy CISO for Europe reflects the importance and global influence of EU cybersecurity regulations and the company's commitment to meeting and exceeding those expectations to prioritize cybersecurity across the region. This new position will report directly to Microsoft's CISO."

Michela Menting, France-based digital security research director at ABI Research, said when she heard on Wednesday that Microsoft was creating such a role, "I was mostly surprised that they don't already have one."

"GDPR has been in place for quite some time now and the fact they are only now putting in a European deputy CISO is concerning," Menting added. "They are playing catch up."

An anonymous reader quotes a report from the Associated Press: A European Union privacy watchdog fined TikTok 530 million euros ($600 million) on Friday after a four-year investigation found that the video sharing app's data transfers to China put users at risk of spying, in breach of strict EU data privacy rules. Ireland's Data Protection Commission also sanctioned TikTok for not being transparent with users about where their personal data was being sent and ordered the company to comply with the rules within six months.

The Irish national watchdog serves as TikTok's lead data privacy regulator in the 27-nation EU because the company's European headquarters is based in Dublin. "TikTok failed to verify, guarantee and demonstrate that the personal data of (European) users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU," Deputy Commissioner Graham Doyle said in a statement. The Irish watchdog said its investigation found that TikTok failed to address "potential access by Chinese authorities" to European users' personal data under Chinese laws on anti-terrorism, counterespionage, cybersecurity and national intelligence that were identified as "materially diverging" from EU standards. Grahn said TikTok has "has never received a request for European user data from the Chinese authorities, and has never provided European user data to them."

[...] The investigation, which opened in September 2021, also found that TikTok's privacy policy at the time did not name third countries, including China, where user data was transferred. The watchdog said the policy, which has since been updated, failed to explain that data processing involved "remote access to personal data stored in Singapore and the United States by personnel based in China." TikTok faces further scrutiny from the Irish regulator, which said that the company had provided inaccurate information throughout the inquiry by saying that it didn't store European user data on Chinese servers. It wasn't until April that it informed the regulator that it discovered in February that some data had in fact been stored on Chinese servers. TikTok disagrees with the decision and plans to appeal. The company said the decision focuses on a "select period" ending in May 2023, before it embarked on a data localization project called Project Clover that involved building three data centers in Europe.

"The facts are that Project Clover has some of the most stringent data protections anywhere in the industry, including unprecedented independent oversight by NCC Group, a leading European cybersecurity firm," said Christine Grahn, TikTok's European head of public policy and government relations. "The decision fails to fully consider these considerable data security measures."

Microsoft has taken its most significant step yet toward eliminating passwords by making new Microsoft accounts "passwordless by default." The change means new users will never need to create a password, instead using more secure authentication methods like biometrics, PINs, or security keys.

The move builds on Microsoft's decade-long push toward passwordless authentication that began with Windows Hello in 2015. According to company data, passkey sign-ins are eight times faster than password and multi-factor authentication combinations, with users achieving a 98% success rate compared to just 32% for password users. Microsoft also said it now registers nearly one million passkeys daily across its consumer services.

Nvidia publicly criticized AI startup Anthropic on Thursday over claims about Chinese smuggling tactics, just days before the Biden-era "AI Diffusion Rule" takes effect on May 15. The confrontation highlights growing tensions between AI hardware providers and model developers over export controls.

"American firms should focus on innovation and rise to the challenge, rather than tell tall tales that large, heavy, and sensitive electronics are somehow smuggled in 'baby bumps' or 'alongside live lobsters,'" an Nvidia spokesperson said, responding to Anthropic's Wednesday blog post.

The Amazon and Google-backed AI startup had called for tighter restrictions and enforcement, arguing that "maintaining America's compute advantage through export controls is essential for national security." Anthropic specifically proposed lowering export thresholds for Tier 2 countries to prevent China from gaining ground in AI development.

Nvidia countered that policy shouldn't be used to limit competitiveness: "China, with half of the world's AI researchers, has highly capable AI experts at every layer of the AI stack. America cannot manipulate regulators to capture victory in AI."

An anonymous reader quotes a report from TechCrunch: Apple sent notifications this week to several people who the company believes were targeted with government spyware, according to two of the alleged targets. In the past, Apple has sent similar notifications to targets and victims of spyware, and directed them to contact a nonprofit that specializes in investigating such cyberattacks. Other tech companies, like Google and WhatsApp, have in recent years also periodically sent such notifications to their users. As of Wednesday, only two people appear to have come forward to reveal they were among those who received the notifications from Apple this week.

One is Ciro Pellegrino, an Italian journalist who works for online news outlet Fanpage. Pellegrino wrote in an article that he received an email and a text message from Apple on Tuesday notifying him that he was targeted with spyware. The message, according to Pellegrino, also said he wasn't the only person targeted. "Today's notification is being sent to affected users in 100 countries," the message read, according to Pellegrino's article. "Did this really happen? Yes, it is not a joke," Pellegrino wrote.

The second person to receive an Apple notification is Eva Vlaardingerbroek, a Dutch right-wing activist, who posted on X on Wednesday. "Apple detected a targeted mercenary spyware attack against your iPhone," the Apple alert said, according to a screenshot shown in a video that Vlaardingerbroek posted on X. "This attack is likely targeting you specifically because of who you are or what you do. Although it's never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning -- please take it seriously." Reacting to the notification, Vlaardingerbroek said that this was an "attempt to intimidate me, an attempt to silence me, obviously."

A newly revealed set of vulnerabilities dubbed AirBorne in Apple's AirPlay SDK could allow attackers on the same Wi-Fi network to hijack tens of millions of third-party devices like smart TVs and speakers. While Apple has patched its own products, many third-party devices remain at risk, with the most severe (though unproven) threat being potential microphone access. 9to5Mac reports: Wired reports that a vulnerability in Apple's software development kit (SDK) means that tens of millions of those devices could be compromised by an attacker: "On Tuesday, researchers from the cybersecurity firm Oligo revealed what they're calling AirBorne, a collection of vulnerabilities affecting AirPlay, Apple's proprietary radio-based protocol for local wireless communication. Bugs in Apple's AirPlay software development kit (SDK) for third-party devices would allow hackers to hijack gadgets like speakers, receivers, set-top boxes, or smart TVs if they're on the same Wi-Fi network as the hacker's machine [...]

Oligo's chief technology officer and cofounder, Gal Elbaz, estimates that potentially vulnerable third-party AirPlay-enabled devices number in the tens of millions. 'Because AirPlay is supported in such a wide variety of devices, there are a lot that will take years to patch -- or they will never be patched,' Elbaz says. 'And it's all because of vulnerabilities in one piece of software that affects everything.'"

For consumers, an attacker would first need to gain access to your home Wi-Fi network. The risk of this depends on the security of your router: millions of wireless routers also have serious security flaws, but access would be limited to the range of your Wi-Fi. AirPlay devices on public networks, like those used everywhere from coffee shops to airports, would allow direct access. The researchers say the worst-case scenario would be an attacker gaining access to the microphones in an AirPlay device, such as those in smart speakers. However, they have not demonstrated this capability, meaning it remains theoretical for now.

LG will permanently shut down its Android smartphone update servers on June 30, 2025, ending all software, app, and security updates for its devices. If you're still using an smartphone, you'll want to install any remaining updates before that date, as no future updates will be available afterward. 9to5Google reports: When LG called it quits for Android smartphones, the company also committed to a few more updates. That included an Android 12 update for select devices, the last major update the company would put out, as well as security updates for at least three years after each device had been released. That three-year cutoff has long since passed for all LG devices, but any devices still floating around out there will soon no longer be able to pull updates. LG's notice can be read here.

A new study [PDF] reveals AI-generated code frequently references non-existent third-party libraries, creating opportunities for supply-chain attacks. Researchers analyzed 576,000 code samples from 16 popular large language models and found 19.7% of package dependencies -- 440,445 in total -- were "hallucinated."

These non-existent dependencies exacerbate dependency confusion attacks, where malicious packages with identical names to legitimate ones can infiltrate software. Open source models hallucinated at nearly 22%, compared to 5% for commercial models. "Once the attacker publishes a package under the hallucinated name, containing some malicious code, they rely on the model suggesting that name to unsuspecting users," said lead researcher Joseph Spracklen. Alarmingly, 43% of hallucinations repeated across multiple queries, making them predictable targets.

South Korean telecom network SK Telecom is providing free SIM card replacements to all 25 million mobile subscribers following an April 19 security breach where malware compromised Universal Subscriber Identity Module data.

Despite the company's announcement, only 6 million replacement cards will be available through May 2025. The stolen data potentially includes IMSI numbers, authentication keys, and network usage information, though customer names, identification details, and financial information remain secure. The primary risk is unauthorized SIM swapping attacks, where threat actors could clone SIM cards.

The Karnataka High Court on Tuesday directed India's government to block Switzerland-based email service Proton Mail, citing national security concerns and law enforcement challenges. Justice M Nagaprasanna ordered authorities to initiate proceedings under Section 69A of the Information Technology Act to ban the service, while mandating immediate blocking of "offending URLs" until final decisions are made.

The ruling followed a petition from M Moser Design Associates India, which claimed its female employees were targeted with obscene emails containing "AI-generated deepfake images" sent via Proton Mail. Petitioners argued Proton Mail operates servers outside India, making it inaccessible to law enforcement. The court noted several bomb threats to Indian schools were sent using the service, which has already been banned in Russia and Saudi Arabia. Additional Solicitor General Aravind Kamath, representing the government, said authorities would comply with the court's direction.

Hackers working for governments were responsible for the majority of attributed zero-day exploits used in real-world cyberattacks last year, per new research from Google. From a report: Google's report said that the number of zero-day exploits -- referring to security flaws that were unknown to the software makers at the time hackers abused them -- had dropped from 98 exploits in 2023 to 75 exploits in 2024.

But the report noted that of the proportion of zero-days that Google could attribute -- meaning identifying the hackers who were responsible for exploiting them -- at least 23 zero-day exploits were linked to government-backed hackers. Among those 23 exploits, 10 zero-days were attributed to hackers working directly for governments, including five exploits linked to China and another five to North Korea.

Oracle engineers mistakenly triggered a five-day software outage at a number of Community Health Systems hospitals, causing the facilities to temporarily return to paper-based patient records. From a report: CHS told CNBC that the outage involving Oracle Health, the company's electronic health record (EHR) system, affected "several" hospitals, leading them to activate "downtime procedures." Trade publication Becker's Hospital Review reported that 45 hospitals were hit.

The outage began on April 23, after engineers conducting maintenance work mistakenly deleted critical storage connected to a key database, a CHS spokesperson said in a statement. The outage was resolved on Monday, and was not related to a cyberattack or other security incident. CHS is based in Tennessee and includes 72 hospitals in 14 states, according to the medical system's website.

The sale of bankrupt DNA data bank 23andMe is delayed as the company struggles to secure a lead bidder who can meet regulatory and privacy requirements, pushing the initial auction deadline from Friday to Monday. Seeking Alpha reports: 23andMe Holdings (OTC:MEHCQ), currently in Chapter 11 bankruptcy proceedings, is requiring that any potential bidders for the company's assets "guaranty that they will comply with the Company's privacy policies and applicable law." The genetics company said this is necessary to protect customers' data.

In addition, bidders will need to submit documentation of their intended use of any data, describe the privacy programs and security controls they have in place or would implement, and say whether they would ask for current privacy policies to be amended. 23andMe has also filed a motion asking for the appointment of an independent customer Data representative to review whether a proposed deal is in alignment with the company's privacy policies and data privacy laws.

"Not so long ago, working in tech meant job security, extravagant perks and a bring-your-whole-self-to-the-office ethos rare in other industries," writes the Wall Street Journal.

But now tech work "looks like a regular job," with workers "contending with the constant fear of layoffs, longer hours and an ever-growing list of responsibilities for the same pay." Now employees find themselves doing the work of multiple laid-off colleagues. Some have lost jobs only to be rehired into positions that aren't eligible for raises or stock grants. Changing jobs used to be a surefire way to secure a raise; these days, asking for more money can lead to a job offer being withdrawn.

The shift in tech has been building slowly. For years, demand for workers outstripped supply, a dynamic that peaked during the Covid-19 pandemic. Big tech companies like Meta and Salesforce admitted they brought on too many employees. The ensuing downturn included mass layoffs that started in 2022...

[S]ome longtime tech employees say they no longer recognize the companies they work for. Management has become more focused on delivering the results Wall Street expects. Revenue remains strong for tech giants, but they're pouring resources into costly AI infrastructure, putting pressure on cash flow. With the industry all grown up, a heads-down, keep-quiet mentality has taken root, workers say... Tech workers are still well-paid compared with other sectors, but currently there's a split in the industry. Those working in AI — and especially those with Ph.D.s — are seeing their compensation packages soar. But those without AI experience are finding they're better off staying where they are, because companies aren't paying what they were a few years ago.
Other excepts from the Wall Street Journal's article:

• "I'm hearing of people having 30 direct reports," says David Markley, who spent seven years at Amazon and is now an executive coach for workers at large tech companies. "It's not because the companies don't have the money. In a lot of ways, it's because of AI and the narratives out there about how collapsing the organization is better...."

• In some cases, companies post record revenue while still trimming head count.

• Google co-founder Sergey Brin told a group of employees in February that 60 hours a week was the sweet spot of productivity, in comments reported earlier by the New York Times.

• One recruiter at Meta who had been laid off by the company was rehired into her old role last year, but with a catch: She's now classified as a "short-term employee." Her contract is eligible for renewal, but she doesn't get merit pay increases, promotions or stock. The recruiter says she's responsible for a volume of work that used to be spread among several people. The company refers to being loaded with such additional responsibilities as "agility."

• More than 50,000 tech workers from over 100 companies have been laid off in 2025, according to Layoffs.fyi, a website that tracks job cuts and crowdsources lists of laid off workers...

Even before those 50,000 layoffs in 2025, Silicon Valley's Mercury News was citing some interesting statistics from economic research/consulting firm Beacon Economics. In 2020, 2021 and 2022, the San Francisco Bay Area added 74,700 tech jobs But then in 2023 and 2024 the industry had slashed even more tech jobs -- 80,200 -- for a net loss (over five years) of 5,500.

So is there really a cutback in perks and a fear of layoffs that's casting a pall over the industry? share your own thoughts and experiences in the comments. Do you agree with the picture that's being painted by the Wall Street Journal?

They told their readers that tech workers are now "just like the rest of us: miserable at work."

Some patches for Linux 6.15-rc4 (updating the kernel driver for the Bcachefs file system) triggered some "straight-to-the-point wisdom" from Linus Torvalds about case-insensitive filesystems, reports Phoronix.

Bcachefs developer Kent Overstreet started the conversation, explaining how some buggy patches for their case-insensitive file and folder support were upstreamed into the Bcachefs kernel driver nearly two years ago: When I was discussing with the developer who did the implementation, I noted that fstests should already have tests. However, it seems I neglected to tell him to make sure the tests actually run... It is _not_ enough to simply rely on the automated tests. You have to have eyes on what your code is doing.
Overstreet added "There's a story behind the case insensitive directory fixes, and lessons to be learned." To which Torvalds replied.... "No."

"The only lesson to be learned is that filesystem people never learn."

Torvalds: Case-insensitive names are horribly wrong, and you shouldn't have done them at all. The problem wasn't the lack of testing, the problem was implementing it in the first place. The problem is then compounded by "trying to do it right", and in the process doing it horrible wrong indeed, because "right" doesn't exist, but trying to will make random bytes have very magical meaning.

And btw, the tests are all completely broken anyway. Last I saw, they didn't actually test for all the really interesting cases — the ones that cause security issues in user land. Security issues like "user space checked that the filename didn't match some security-sensitive pattern". And then the shit-for-brains filesystem ends up matching that pattern *anyway*, because the people who do case insensitivity *INVARIABLY* do things like ignore non-printing characters, so now "case insensitive" also means "insensitive to other things too"....

Dammit. Case sensitivity is a BUG. The fact that filesystem people *still* think it's a feature, I cannot understand. It's like they revere the old FAT filesystem _so_ much that they have to recreate it — badly.
And this led to a very lively back-and-forth discussion.

Slashdot's summary of the highlights:

Slashdot reader itwbennett writes: Personal health information on 4.7 million Blue Shield California subscribers was unintentionally shared between Google Analytics and Google Ads between April 2021 and January 2025 due to a misconfiguration error. Security consultant and SANS Institute instructor Brandon Evans points to two lessons to take from this debacle:

- Read the documentation of any third party service you sign up for, to understand the security and privacy controls;
- Know what data is being collected from your organization, and what you don't want shared.

"If there is a concern by the organization that Google Ads would use this information, they should really consider whether or not they should be using a platform like Google Analytics in the first place," Evans says in the article. "Because from a technical perspective, there is nothing stopping Google from sharing the information across its platform...

"Google definitely gives you a great bunch of controls, but technically speaking, that data is within the walls of that organization, and it's impossible to know from the outside how that data is being used."

An anonymous reader shared this report from the Washington Post: The acting U.S. attorney for the District of Columbia sent a letter to the nonprofit that runs Wikipedia, accusing the tax-exempt organization of "allowing foreign actors to manipulate information and spread propaganda to the American public."

In the letter dated April 24, Ed Martin said he sought to determine whether the Wikimedia Foundation's behavior is in violation of its Section 501(c)(3) status. Martin asked the foundation to provide detailed information about its editorial process, its trust and safety measures, and how it protects its information from foreign actors. "Wikipedia is permitting information manipulation on its platform, including the rewriting of key, historical events and biographical information of current and previous American leaders, as well as other matters implicating the national security and the interests of the United States," Martin wrote. "Masking propaganda that influences public opinion under the guise of providing informational material is antithetical to Wikimedia's 'educational' mission."
Google prioritizes Wikipedia articles, the letter points out, which "will only amplify propaganda" if the content contained in Wikipedia articles "is biased, unreliable, or sourced by entities who wish to do harm to the United States." And as a U.S.-based non-profit, Wikipedia enjoys tax-exempt status while its board "is composed primarily of foreign nationals," the letter argues, "subverting the interests of American taxpayers."

While noting Martin's concerns about "allowing foreign actors to manipulate information and spread propaganda," the Washington Post also notes that before being named U.S. attorney, "Martin appeared on Russia-backed media networks more than 150 times, The Washington Post reported last week...."

Additional articles about the letter here and here.