An anonymous reader quotes a report from BleepingComputer: Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid. Last week, a person named 'rose87168' claimed to have breached Oracle Cloud servers and began selling the alleged authentication data and encrypted passwords of 6 million users. The threat actor also said that stolen SSO and LDAP passwords could be decrypted using the info in the stolen files and offered to share some of the data with anyone who could help recover them.

The threat actor released multiple text files consisting of a database, LDAP data, and a list of 140,621 domains for companies and government agencies that were allegedly impacted by the breach. It should be noted that some of the company domains look like tests, and there are multiple domains per company. In addition to the data, rose87168 shared an Archive.org URL with BleepingComputer for a text file hosted on the "login.us2.oraclecloud.com" server that contained their email address. This file indicates that the threat actor could create files on Oracle's server, indicating an actual breach. However, Oracle has denied that it suffered a breach of Oracle Cloud and has refused to respond to any further questions about the incident.

"There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data," the company told BleepingComputer last Friday. This denial, however, contradicts findings from BleepingComputer, which received additional samples of the leaked data from the threat actor and contacted the associated companies. Representatives from these companies, all who agreed to confirm the data under the promise of anonymity, confirmed the authenticity of the information. The companies stated that the associated LDAP display names, email addresses, given names, and other identifying information were all correct and belonged to them. The threat actor also shared emails with BleepingComputer, claiming to be part of an exchange between them and Oracle.

Microsoft plans to roll out a new Windows scheduled task in May that launches automatically to help Microsoft Office apps load faster. From a report: The company says the "Startup Boost" task will launch in the background on logon, with the roll-out to start in mid-May and worldwide general availability to be reached by late May 2025. On systems where it's toggled on, users will see new Office Startup Boost and Office Startup Boost Logon tasks in the Windows Task Scheduler, which will ensure that Office apps can preload "performance enhancements."

"We are introducing a new Startup Boost task from the Microsoft Office installer to optimize performance and load-time of experiences within Office applications," Microsoft says on the Microsoft 365 message center. "After the system performs the task, the app remains in a paused state until the app launches and the sequence resumes, or the system removes the app from memory to reclaim resources. The system can perform this task for an app after a device reboot and periodically as system conditions allow."

An anonymous reader shares a report: You can now choose WhatsApp as your iPhone's default app for calls and text messages, as noted by WABetaInfo. After updating WhatsApp to version 25.8.74, you'll see the app appear as an option in your Messaging and Calling default app settings.

Apple first announced that it would let iPhone users in the European Union change their default phone and messaging apps, but it later said that everyone would be able to do the same in iOS 18.2.

Signal president Meredith Whittaker challenged recent assertions by WhatsApp head Will Cathcart that minimal differences exist between the two messaging platforms' privacy protections. "We're amused to see WhatsApp stretching the limits of reality to claim that they are just like Signal," Whittaker said in a statement published Monday, responding to Cathcart's comments to Dutch journalists last week.

While WhatsApp licenses Signal's end-to-end encryption technology, Whittaker said that WhatsApp still collects substantial user metadata, including "location data, contact lists, when they send someone a message, when they stop, what users are in their group chats, their profile picture, and much more." Cathcart had previously stated that WhatsApp doesn't track users' communications or share contact information with other companies, claiming "we strongly believe in private communication."

A software engineer discovered that his newly purchased Bosch 500 series dishwasher locks basic functionality behind cloud connectivity, reigniting concerns about internet-dependent home appliances. Jeff Geerling found that features like rinse cycle, delayed start and eco mode on his $1,000 dishwasher require connecting to WiFi and creating an account with "Home Connect," Bosch's cloud service.

Geerling criticized the approach as potentially part of planned obsolescence, noting that without a current subscription fee, the company will likely either shutter the service or introduce payments for previously standard features.

Two in five tech workers quit in the past year due to inflexible workplace policies around hours, location, and workload intensity, with most citing a desire for remote work and greater autonomy. The Register reports: The findings come from a survey of 26,000 plus staff that operate in 35 markets, including 2,548 respondents in tech, and fly in the face of more and more corporations issuing return to office mandates and demanding long working hours. Amsterdam-based recruitment biz Randstad, which commissioned the research, says 40 percent of the tech people it polled said they resigned due to hardline policies, and 56 percent threatened to seek an alternative if their requests for flexibility were ignored.

Almost three-quarters claim remote work boosts a "sense of community" with colleagues -- versus the average of 58 percent across other sectors -- and 68 percent say they'd trust their employer more if they were more easy going on hours, the intensity of the work and the place where they can work. Graig Paglieri, Randstad Digital boss, said the "IT sector has shown that personalized work benefits and flexible options are essential not only for attracting top talent but also for retaining them in competitive markets. Policies should align with organizational, team and individual needs, ensuring a flexible and tailored approach."

Microsoft is expanding its Security Copilot platform with six new AI agents designed to autonomously assist cybersecurity teams by handling tasks like phishing alerts, data loss incidents, and vulnerability monitoring. There are also five third-party AI agents created by its partners, including OneTrust and Tanium. The Verge reports: Microsoft's six security agents will be available in preview next month, and are designed to do things like triage and process phishing and data loss alerts, prioritize critical incidents, and monitor for vulnerabilities. "The six Microsoft Security Copilot agents enable teams to autonomously handle high-volume security and IT tasks while seamlessly integrating with Microsoft Security solutions," says Vasu Jakkal, corporate vice president of Microsoft Security.

Microsoft is also working with OneTrust, Aviatrix, BlueVoyant, Tanium, and Fletch to enable some third-party security agents. These extensions will make it easier to analyze data breaches with OneTrust or perform root cause analysis of network outages and failures with Aviatrix. [...] While these latest AI agents in the Security Copilot are designed for security teams to take advantage of, Microsoft is also improving its phishing protection in Microsoft Teams. Microsoft Defender for Office 365 will start protecting Teams users against phishing and other cyberthreats within Teams next month, including better protection against malicious URLs and attachments.

Google has confirmed that a technical issue has permanently deleted location history data for numerous users of its Maps application, with no recovery possible for most affected customers. The problem emerged after Google transitioned its Timeline feature from cloud to on-device storage in 2024 to enhance privacy protections. Users began reporting missing historical location data on support forums and social media platforms in recent weeks. "This is the result of a technical issue and not user error or an intentional change," said a Google spokesperson. Only users who manually enabled encrypted cloud backups before the incident can recover their data, according to Google. The company began shifting location storage policies in 2023, initially stopping collection of sensitive location data including visits to abortion clinics and domestic violence shelters.

For weeks Signal has been one of the three most-downloaded apps in the Netherlands, according to a local news site. And now "Higher education institutions in the Netherlands have been looking for an alternative," according to DUB (an independent news site for the Utrecht University community): Employees of the Utrecht University of Applied Sciences (HU) were recently advised to switch to Signal. Avans University of Applied Sciences has also been discussing a switch...The National Student Union is concerned about privacy. The subject was raised at last week's general meeting, as reported by chair Abdelkader Karbache, who said: "Our local unions want to switch to Signal or other open-source software."
Besides being open source, Signal is a non-commercial nonprofit, the article points out — though its proponents suggest there's another big difference. "HU argues that Signal keeps users' data private, unlike WhatsApp." Cybernews.com explains the concern: In an interview with the Dutch newspaper De Telegraaf, Meredith Whittaker [president of the Signal Foundation] discussed the pitfalls of WhatsApp. "WhatsApp collects metadata: who you send messages to, when, and how often. That's incredibly sensitive information," she says.... The only information [Signal] collects is the date an account was registered, the time when an account was last active, and hashed phone numbers... Information like profile name and the people a user communicates with is all encrypted... Metadata might sound harmless, but it couldn't be further from the truth. According to Whittaker, metadata is deadly. "As a former CIA director once said: 'We kill people based on metadata'."
WhatsApp's metadata also includes IP addresses, TechRadar noted last May: Other identifiable data such as your network details, the browser you use, ISP, and other identifiers linked to other Meta products (like Instagram and Facebook) associated with the same device or account are also collected... [Y]our IP can be used to track down your location. As the company explained, even if you keep the location-related features off, IP addresses and other collected information like phone number area codes can be used to estimate your "general location."

WhatsApp is required by law to share this information with authorities during an investigation...

[U]nder scrutiny is how Meta itself uses these precious details for commercial purposes. Again, this is clearly stated in WhatsApp's privacy policy and terms of use. "We may use the information we receive from [other Meta companies], and they may use the information we share with them, to help operate, provide, improve, understand, customize, support, and market our Services and their offerings," reads the policy. This means that yes, your messages are always private, but WhatsApp is actively collecting your metadata to build your digital persona across other Meta platforms...
The article suggests using a VPN with WhatsApp and turning on its "advanced privacy feature" (which hides your IP address during calls) and managing the app's permissions for data collection. "While these steps can help reduce the amount of metadata collected, it's crucial to bear in mind that it's impossible to completely avoid metadata collection on the Meta-owned app... For extra privacy and security, I suggest switching to the more secure messaging app Signal."

The article also includes a cautionary anecdote. "It was exactly a piece of metadata — a Proton Mail recovery email — that led to the arrest of a Catalan activist."

Thanks to long-time Slashdot reader united_notions for sharing the article.

Besides administering standardized pre-college tests, America's nonprofit College Board designs college-level classes that high school students can take. But now they're also crafting courses "not just with higher education at the table, but industry partners such as the U.S. Chamber of Commerce and the technology giant IBM," reports Education Week.

"The organization hopes the effort will make high school content more meaningful to students by connecting it to in-demand job skills." It believes the approach may entice a new kind of AP student: those who may not be immediately college-bound.... The first two classes developed through this career-driven model — dubbed AP Career Kickstart — focus on cybersecurity and business principles/personal finance, two fast-growing areas in the workforce." Students who enroll in the courses and excel on a capstone assessment could earn college credit in high school, just as they have for years with traditional AP courses in subjects like chemistry and literature. However, the College Board also believes that students could use success in the courses as a selling point with potential employers... Both the business and cybersecurity courses could also help fulfill state high school graduation requirements for computer science education...

The cybersecurity course is being piloted in 200 schools this school year and is expected to expand to 800 schools next school year... [T]he College Board is planning to invest heavily in training K-12 teachers to lead the cybersecurity course.
IBM's director of technology, data and AI called the effort "a really good way for corporations and companies to help shape the curriculum and the future workforce" while "letting them know what we're looking for." In the article the associate superintendent for teaching at a Chicago-area high school district calls the College Board's move a clear signal that "career-focused learning is rigorous, it's valuable, and it deserves the same recognition as traditional academic pathways."

Also interesting is why the College Board says they're doing it: The effort may also help the College Board — founded more than a century ago — maintain AP's prominence as artificial intelligence tools that can already ace nearly every existing AP test on an ever-greater share of job tasks once performed by humans. "High schools had a crisis of relevance far before AI," David Coleman, the CEO of the College Board, said in a wide-ranging interview with EdWeek last month. "How do we make high school relevant, engaging, and purposeful? Bluntly, it takes [the] next generation of coursework. We are reconsidering the kinds of courses we offer...."

"It's not a pivot because it's not to the exclusion of higher ed," Coleman said. "What we are doing is giving employers an equal voice."
Thanks to long-time Slashdot reader theodp for sharing the article.

Two "groundbreaking research reports" on open source security were announced this week by the Linux Foundation in partnership with the Open Source Security Foundation (OpenSSF) and Linux Foundation Europe. The reports specifically address the EU's Cyber Resilience Act (or CRA) and "highlight knowledge gaps and best practices for CRA compliance."

"Unaware and Uncertain: The Stark Realities of CRA-Readiness in Open Source" includes a survey which found that when it comes to CRA requirements, 62% of respondents were either "not familiar at all" (36%) or "slightly familiar" (26%) — while 51% weren't sure about its deadlines. ("Only 28% correctly identified 2027 as the target year for full compliance," according to one infographic, which adds that CRA "is expected to drive a 6% average price increase, though 53% of manufacturers are still assessing pricing impacts.") Manufacturers, who bear primary responsibility, lack readiness — many [46%] passively rely on upstream security fixes, and only a small portion produce Software Bills of Materials (SBOMs). The report recommends that manufacturers take a more active role in open source security, that more funding and legal support is needed to support security practices, and that clear regulatory guidance is essential to prevent unintended negative impacts on open source development.
The research also provides "an in-depth analysis of how open collaboration can strengthen software security and innovation across global markets," with another report that "examines how three Linux Foundation projects are meeting the CRA's minimum compliance requirements" and "provides insight on the elements needed to ensure leadership in cybersecurity best practices." (It also includes CRA-related resources.)

"These two reports offer actionable conclusions for open source stakeholders to ready themselves for 2027, when the CRA comes into force," according to a Linux Foundation reserach executive cited in the announcement. "We hope that these reports catalyze higher levels of collaboration across the open source community."

The French National Assembly has rejected a controversial provision that would have forced messaging platforms like Signal and WhatsApp to allow government access to encrypted private conversations, lawmakers voted Thursday night. The measure, embedded within anti-drug trafficking legislation, would have implemented a "ghost participant model" allowing law enforcement to silently join encrypted chats without users' knowledge.

Nvidia CEO Jensen Huang on Thursday walked back comments he made in January, when he cast doubt on whether useful quantum computers would hit the market in the next 15 years. From a report: At Nvidia's "Quantum Day" event, part of the company's annual GTC Conference, Huang admitted that his comments came out wrong. "This is the first event in history where a company CEO invites all of the guests to explain why he was wrong," Huang said.

In January, Huang sent quantum computing stocks reeling when he said 15 years was "on the early side" in considering how long it would be before the technology would be useful. He said at the time that 20 years was a timeframe that "a whole bunch of us would believe." In his opening comments on Thursday, Huang drew comparisons between pre-revenue quantum companies and Nvidia's early days. He said it took over 20 years for Nvidia to build out its software and hardware business.

He also expressed surprise that his comments were able to move markets, and joked he didn't know that certain quantum computing companies were publicly traded. "How could a quantum computer company be public?" Huang said.

Nvidia is selling its scarce RTX 5080 and 5090 graphics cards from a pop-up "food truck" at its GPU Technology Conference, where attendees paying over $1,000 for tickets can purchase the coveted hardware alongside merchandise. The company has only 2,000 cards available (1,000 each of RTX 5080 and 5090), released in small batches at random times during the three-day conference which concludes tomorrow.

Microsoft is developing a new Windows 11 feature that will explain how hardware limitations affect PC performance. The latest preview builds include a hidden FAQ section in system settings that addresses GPU memory, system RAM, and OS version impacts.

The feature, discovered by Windows observer "phantomofearth" in this week's Dev Channel build, requires manual activation. It provides specific recommendations for configurations like low RAM or GPUs with less than 4GB memory, and flags outdated Windows versions.

An anonymous reader shares a report: PCI Express 7 is nearing completion, the PCI Special Interest Group said, and the final specification should be released later this year. PCI Express 7, the backbone of the modern motherboard, is at the stage 0.9, which the PCI-SIG characterizes as the "final draft" of the specification. The technology was at version 0.5 a year ago, almost to the day, and originally authored in 2022.

The situation remains the same, however. While modern PC motherboards are stuck on PCI Express 5.0, the specification itself moves ahead. PCI Express has doubled the data rate about every three years, from 64 gigtransfers per second in PCI Express 6.0 to the upcoming 128 gigatransfers per second in PCIe 7. (Again, it's worth noting that PCIe 6.0 exists solely on paper.) Put another way, PCIe 7 will deliver 512GB/s in both directions, across a x16 connection.

It's worth noting that the PCI-SIG doesn't see PCI Express 7 living inside the PC market, at least not initially. Instead, PCIe 7 is expected to be targeted at cloud computing, 800-gigabit Ethernet and, of course, artificial intelligence. It will be backwards-compatible with the previous iterations of PCI Express, the SIG said.

Trend Micro uncovered an eight-year-long spying campaign exploiting a Windows vulnerability involving malicious .LNK shortcut files, which attackers padded with whitespace to conceal commands. Despite being reported to Microsoft in 2023, the company considers it a UI issue rather than a security risk and has not prioritized a fix. The Register reports: The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware. While appearing to point to legitimate files or executables, these shortcuts quietly include extra instructions to fetch or unpack and attempt to run malicious payloads. Ordinarily, the shortcut's target and command-line arguments would be clearly visible in Windows, making suspicious commands easy to spot. But Trend's Zero Day Initiative said it observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace, burying the actual commands deep out of sight in the user interface.

Trend reported this to Microsoft in September last year and estimates that it has been used since 2017. It said it had found nearly 1,000 tampered .LNK files in circulation but estimates the actual number of attacks could have been higher. "This is one of many bugs that the attackers are using, but this is one that is not patched and that's why we reported it as a zero day," Dustin Childs, head of threat awareness at the Zero Day Initiative, told The Register. "We told Microsoft but they consider it a UI issue, not a security issue. So it doesn't meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines."

After poring over malicious .LNK samples, the security shop said it found the vast majority of these files were from state-sponsored attackers (around 70 percent), used for espionage or information theft, with another 20 percent going after financial gain. Among the state-sponsored crews, 46 percent of attacks came from North Korea, while Russia, Iran, and China each accounted for around 18 percent of the activity.

Eric Migicovsky, founder of Pebble, will release two new smartwatches running the newly open-sourced Pebble operating system through his company Core Devices. The Core 2 Duo, priced at $149 and shipping in July, utilizes unused Pebble 2 frames with the same black-and-white E Ink display.

The device features a 30-day battery life -- quadruple its predecessor's -- and incorporates a speaker for AI assistant interaction. Approximately 10,000 units will be available. The Core Time 2, arriving in December at $225, adds touchscreen functionality to the classic Pebble design while maintaining physical buttons and month-long battery life.

Both devices face iPhone integration challenges. Migicovsky cautioned potential tariff increases would be passed to consumers, stating, "We're going to charge more if it costs more." "I'm not building a company to sell millions of these," Migicovsky said. "The goal is to make something I really want."

An anonymous reader shares a report: Xbox 360 modders have discovered a new way to get homebrew apps and games running on the console. A new software-only exploit known as BadUpdate allows you to use a USB key to hack past Microsoft's Hypervisor protections and run unsigned code and games.

Modern Vintage Gamer has tested BadUpdate and found that you don't even have to open up your Xbox 360 console to get it running. Unlike the RGH or JTAG exploits for the Xbox 360, this BadUpdate method just requires a USB key. If you have the time and patience to get this running successfully, you'll be able to run the Xbox 360 homebrew store which includes games, apps, emulators, utilities, and even custom dashboards.

Zillow CEO Jeremy Wacksman "recently told Entrepreneur magazine that almost five years of remote work has 'been fantastic for us,'" writes the Seattle Times. Zillow shifted to allowing people to work fully remote during the pandemic. It's been a recruiting and retention tool for Zillow as they "now see four times the number of job applicants for every job we have versus what we did before the pandemic," Wacksman said.

While Zillow still lists its corporate headquarters as Seattle, the company bills itself as "cloud-headquartered," with remote workers and satellite offices. Wacksman's comments are backed by serious real estate moves the company has made over the past five years. An annual report detailing Zillow's financial results for 2024 shows its Seattle headquarters and offices across the country are shrinking. In 2019, Zillow had 386,275 square feet of office space in Seattle after steadily gobbling up floors of the Russell Investments Center downtown over the prior five years. The company reported it had 113,470 square feet in Seattle at the end of 2024... The company has drastically cut costs by shedding offices. Zillow's total leasing costs reached $54 million in 2022 and dropped to $34 million last year... It expects those costs to decrease even further, to $18 million by 2029. Zillow is also taking advantage of subleasing some of its office space and expects $26 million in sublease income between 2025 and 2030...

Zillow's financial results from last year suggest the workforce has been productive while logging in from home. The company reported Tuesday that it beat Wall Street expectations for the last three months of 2024 with a quarterly revenue of $554 million. Wacksman said in a news release Tuesday that 2024 was a "remarkable year for Zillow," as it reached its goal of double-digit revenue growth.