Hong Kong authorities have invoked national security laws for the first time to ban the Taiwan-made video game Reversed Front: Bonfire, accusing it of promoting "secessionist agendas, such as 'Taiwan independence' and 'Hong Kong independence.'" Engadget reports: Reversed Front: Bonfire was developed by a group known as ESC Taiwan, who are outspoken critics of the China's Communist Party. The game disappeared from the Apple App Store in Hong Kong less than 24 hours after authorities issued the warning. Google already removed the game from the Play Store back in May, because players were using hate speech as part of their usernames. ESC Taiwan told The New York Times that that the game's removal shows that apps like theirs are subject to censorship in mainland China. The group also thanked authorities for the free publicity on Facebook, as the game experienced a surge in Google searches.

The game uses anime-style illustrations and allows players to fight against China's Communist Party by taking on the role of "propagandists, patrons, spies or guerrillas" from Hong Kong, Taiwan, Tibet, Mongolia and Xinjiang, which is home to ethnic minorities like the Uyghur. That said, they can also choose to play as government soldiers. In its warning, Hong Kong Police said that anybody who shares or recommends the game on the internet may be committing several offenses, including "incitement to secession, "incitement to subversion" and "offenses in connection with seditious intention." Anybody who has downloaded the game will be considered in "possession of a publication that has a seditious intention," and anybody who provides financial assistance to it will be violating national security laws, as well. "Those who have downloaded the application should uninstall it immediately and must not attempt to defy the law," the authorities wrote.

WhatsApp has applied to submit evidence in Apple's legal battle against the UK Home Office over government demands for access to encrypted user data. The messaging platform's boss Will Cathcart told the BBC the case "could set a dangerous precedent" by "emboldening other nations" to seek to break encryption protections.

The confrontation began when Apple received a secret Technical Capability Notice from the Home Office earlier this year demanding the right to access data from its global customers for national security purposes. Apple responded by first pulling its Advanced Data Protection system from the UK, then taking the government to court to overturn the request.

Cathcart said WhatsApp "would challenge any law or government request that seeks to weaken the encryption of our services." US Director of National Intelligence Tulsi Gabbard has called the UK's demands an "egregious violation" of American citizens' privacy rights.

An anonymous reader quotes a report from Axios: President Trump quietly took a red pen to much of the Biden administration's cyber legacy in a little-noticed move late Friday. Under an executive order signed just before the weekend, Trump is tossing out some of the major touchstones of Biden's cyber policy legacy -- while keeping a few others. The order preserves efforts around post-quantum cryptography, advanced encryption standards, and border gateway protocol security, along with the Cyber Trust Mark program -- an Energy Star-type labeling initiative for consumer smart devices. But hallmark programs tied to software bills of materials, zero-trust implementation, and space contractor cybersecurity requirements have been either rescinded or left in limbo. The new executive order amends both the Biden cyber executive order signed in January and an Obama administration order.

Each of the following Biden-era programs is now out the door or significantly rolled back:
- A broad requirement for federal software vendors to provide a software bill of materials - essentially an ingredient list of code components - is gone.
- Biden-era efforts to encourage federal agencies to accept digital identity documents and help states develop mobile driver's licenses were revoked.
- Several AI cybersecurity research mandates, including those focused on AI-generated code security and AI-driven patch management pilots, have been scrapped or deprioritized.
- The requirement that software contractors formally attest they followed secure development practices - and submit those attestations to a federal repository - has been cut. Instead, the National Institute of Standards and Technology will now coordinate a new industry consortium to review software security guidelines.

United Natural Foods (UNFI), a major distributor of groceries to Whole Foods and other retailers, said on Monday that it was hit by a cyberattack, warning of disruptions to its ability to fulfill and distribute customer orders. From a report: UNFI said in a Monday filing with the U.S. Securities and Exchange Commission that it became aware of unauthorized access to its IT systems last Thursday, and began shutting down portions of its network. The filing added that the company has "implemented workarounds for certain operations in order to continue servicing its customers where possible," but noted that the intrusion has caused ongoing disruptions to its business operations.

The Providence, Rhode Island-based company is one of the largest grocery distributors in North America, selling fresh produce, goods, and food products to more than 30,000 stores and supermarket locations across the U.S. and Canada. UNFI also serves as the "primary distributor" to Whole Foods, the Amazon-owned grocery chain. Last year, the two companies extended their long-running contract until May 2032.

A cybersecurity researcher was able to figure out the phone number linked to any Google account, information that is usually not public and is often sensitive, according to the researcher, Google, and 404 Media's own tests. From a report: The issue has since been fixed but at the time presented a privacy issue in which even hackers with relatively few resources could have brute forced their way to peoples' personal information. "I think this exploit is pretty bad since it's basically a gold mine for SIM swappers," the independent security researcher who found the issue, who goes by the handle brutecat, wrote in an email.

[...] In mid-April, we provided brutecat with one of our personal Gmail addresses in order to test the vulnerability. About six hours later, brutecat replied with the correct and full phone number linked to that account. "Essentially, it's bruting the number," brutecat said of their process. Brute forcing is when a hacker rapidly tries different combinations of digits or characters until finding the ones they're after. Typically that's in the context of finding someone's password, but here brutecat is doing something similar to determine a Google user's phone number.

Brutecat said in an email the brute forcing takes around one hour for a U.S. number, or 8 minutes for a UK one. For other countries, it can take less than a minute, they said. In an accompanying video demonstrating the exploit, brutecat explains an attacker needs the target's Google display name. They find this by first transferring ownership of a document from Google's Looker Studio product to the target, the video says. They say they modified the document's name to be millions of characters, which ends up with the target not being notified of the ownership switch. Using some custom code, which they detailed in their write up, brutecat then barrages Google with guesses of the phone number until getting a hit.

Last month, Duolingo CEO Luis von Ahn "shared on LinkedIn an email he had sent to all staff announcing Duolingo was going 'AI-first'," remembers the Financial Times.

"I did not expect the amount of blowback," he admits.... He attributes this anger to a general "anxiety" about technology replacing jobs. "I should have been more clear to the external world," he reflects on a video call from his office in Pittsburgh. "Every tech company is doing similar things [but] we were open about it...."

Since the furore, von Ahn has reassured customers that AI is not going to replace the company's workforce. There will be a "very small number of hourly contractors who are doing repetitive tasks that we no longer need", he says. "Many of these people are probably going to be offered contractor jobs for other stuff." Duolingo is still recruiting if it is satisfied the role cannot be automated. Graduates who make up half the people it hires every year "come with a different mindset" because they are using AI at university.

The thrust of the AI-first strategy, the 46-year-old says, is overhauling work processes... He wants staff to explore whether their tasks "can be entirely done by AI or with the help of AI. It's just a mind shift that people first try AI. It may be that AI doesn't actually solve the problem you're trying to solve.....that's fine." The aim is to automate repetitive tasks to free up time for more creative or strategic work.

Examples where it is making a difference include technology and illustration. Engineers will spend less time writing code. "Some of it they'll need to but we want it to be mediated by AI," von Ahn says... Similarly, designers will have more of a supervisory role, with AI helping to create artwork that fits Duolingo's "very specific style". "You no longer do the details and are more of a creative director. For the vast majority of jobs, this is what's going to happen...." [S]ocietal implications for AI, such as the ethics of stealing creators' copyright, are "a real concern". "A lot of times you don't even know how [the large language model] was trained. We should be careful." When it comes to artwork, he says Duolingo is "ensuring that the entirety of the model is trained just with our own illustrations".

Cybercriminals have been increasingly turning to "residential proxy" services over the past two to three years to disguise malicious web traffic as everyday online activity, according to research presented at the Sleuthcon cybercrime conference. The shift represents a response to law enforcement's growing success in targeting traditional "bulletproof" hosting services, which previously allowed criminals to maintain anonymous web infrastructure.

Residential proxies route traffic through decentralized networks running on consumer devices like old Android phones and low-end laptops, providing real IP addresses assigned to homes and offices. This approach makes malicious activity extremely difficult to detect because it appears to originate from trusted consumer locations rather than suspicious server farms. The technology creates particular challenges when attackers appear to come from the same residential IP ranges as employees of target organizations.

alternative_right shares a report: New York state lawmakers voted to stop the NYPD's attempt to block its radio communications from the public Thursday, with the bill expected to head to Gov. Kathy Hochul's desk. The "Keep Police Radio Public Act" passed both the state Senate and state Assembly, with a sponsor of the legislation arguing the proposal strikes the "proper balance" in the battle between transparency and sensitive information.

"Preserving access to police radio is critical for a free press and to preserve the freedoms and protections afforded by the public availability of this information," state Sen. Michael Gianaris (D-Queens) said in a statement. "As encrypted radio usage grows, my proposal strikes the proper balance between legitimate law enforcement needs and the rights and interests of New Yorkers."

The bill, which was sponsored in the Assembly by lawmaker Karines Reyes (D-Bronx), is meant to make real-time police radio communications accessible to emergency services organizations and reporters. "Sensitive information" would still be kept private, according to the legislation. In late 2023, the NYPD began encrypting its radio communications to increase officer safety and "protect the privacy interests of victims and witnesses." However, it led to outcry from press advocates and local officials concerned about reduced transparency and limited access to real-time information.

A bill to address the issue has passed both chambers of New York's legislature, but Governor Hochul has not yet indicated whether she will sign it.

An anonymous reader quotes a report from BleepingComputer: The FBI is warning that the BADBOX 2.0 malware campaign has infected over 1 million home Internet-connected devices, converting consumer electronics into residential proxies that are used for malicious activity. The BADBOX botnet is commonly found on Chinese Android-based smart TVs, streaming boxes, projectors, tablets, and other Internet of Things (IoT) devices. "The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cyber criminal actors exploit by either selling or providing free access to compromised home networks to be used for various criminal activity," warns the FBI.

These devices come preloaded with the BADBOX 2.0 malware botnet or become infected after installing firmware updates and through malicious Android applications that sneak onto Google Play and third-party app stores. "Cyber criminals gain unauthorized access to home networks by either configuring the product with malicious software prior to the users purchase or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process," explains the FBI. "Once these compromised IoT devices are connected to home networks, the infected devices are susceptible to becoming part of the BADBOX 2.0 botnet and residential proxy services4 known to be used for malicious activity."

Once infected, the devices connect to the attacker's command and control (C2) servers, where they receive commands to execute on the compromised devices, such as [routing malicious traffic through residential IPs to obscure cybercriminal activity, performing background ad fraud to generate revenue, and launching credential-stuffing attacks using stolen login data]. Over the years, the malware botnet continued expanding until 2024, when Germany's cybersecurity agency disrupted the botnet in the country by sinkholing the communication between infected devices and the attacker's infrastructure, effectively rendering the malware useless. However, that did not stop the threat actors, with researchers saying they found the malware installed on 192,000 devices a week later. Even more concerning, the malware was found on more mainstream brands, like Yandex TVs and Hisense smartphones. Unfortunately, despite the previous disruption, the botnet continued to grow, with HUMAN's Satori Threat Intelligence stating that over 1 million consumer devices had become infected by March 2025. This new larger botnet is now being called BADBOX 2.0 to indicate a new tracking of the malware campaign. "This scheme impacted more than 1 million consumer devices. Devices connected to the BADBOX 2.0 operation included lower-price-point, 'off brand,' uncertified tablets, connected TV (CTV) boxes, digital projectors, and more," explains HUMAN.

"The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices. All of these devices are manufactured in mainland China and shipped globally; indeed, HUMAN observed BADBOX 2.0-associated traffic from 222 countries and territories worldwide."

YouTube pulled a popular tutorial video from tech creator Jeff Geerling this week, claiming his guide to installing LibreELEC on a Raspberry Pi 5 violated policies against "harmful content." The video, which showed viewers how to set up their own home media servers, had been live for over a year and racked up more than 500,000 views. YouTube's automated systems flagged the content for allegedly teaching people "how to get unauthorized or free access to audio or audiovisual content."

Geerling says his tutorial covered only legal self-hosting of media people already own -- no piracy tools or copyright workarounds. He said he goes out of his way to avoid mentioning popular piracy software in his videos. It's the second time YouTube has pulled a self-hosting content video from Geerling. Last October, YouTube removed his Jellyfin tutorial, though that decision was quickly reversed after appeal. This time, his appeal was denied.

BrianFagioli writes: Google is flexing its engineering muscles today by announcing a record-breaking score on the Speedometer 3 benchmark with its Chrome browser. If you've felt like the web got snappier lately, this could be why.

According to the search giant, Chrome's latest performance improvements translate to real-world time savings. Believe it or not, that could potentially add up to 58 million hours saved annually for users. That's the equivalent of about 83 human lifetimes not wasted waiting for web pages to load!

An anonymous reader quotes a report from Bloomberg: Corporate investigators found evidence that Chinese hackers broke into an American telecommunications company in the summer of 2023, indicating that Chinese attackers penetrated the US communications system earlier than publicly known. Investigators working for the telecommunications firm discovered last year that malware used by Chinese state-backed hacking groups was on the company's systems for seven months starting in the summer of 2023, according to two people familiar with the matter and a document seen by Bloomberg News. The document, an unclassified report sent to Western intelligence agencies, doesn't name the company where the malware was found and the people familiar with the matter declined to identify it.

The 2023 intrusion at an American telecommunications company, which hasn't been previously reported, came about a year before US government officials and cybersecurity companies said they began spotting clues that Chinese hackers had penetrated many of the country's largest phone and wireless firms. The US government has blamed the later breaches on a Chinese state-backed hacking group dubbed Salt Typhoon. It's unclear if the 2023 hack is related to that foreign espionage campaign and, if so, to what degree. Nonetheless, it raises questions about when Chinese intruders established a foothold in the American communications industry. "We've known for a long time that this infrastructure has been vulnerable and was likely subject to attack," said Marc Rogers, a cybersecurity and telecommunications expert. "What this shows us is that it was attacked, and that going as far back as 2023, the Chinese were compromising our telecom companies." Investigators linked the sophisticated rootkit malware Demodex to China's Ministry of State Security, noting it enabled deep, stealthy access to systems and remained undetected on a U.S. defense-linked company's network until early 2024.

A Chinese government spokesperson denied responsibility for cyberattacks and accused the U.S. and its allies of spreading disinformation and conducting cyber operations against China.

A group of financially motivated cyberscammers who specialize in Scattered-Spider-like fake IT support phone calls managed to trick employees at about 20 organizations into installing a modified version of Salesforce's Data Loader that allows the criminals to steal sensitive data. From a report: Google Threat Intelligence Group (GTIG) tracks this crew as UNC6040, and in research published today said they specialize in voice-phishing campaigns targeting Salesforce instances for large-scale data theft and extortion.

These attacks began around the beginning of the year, GTIG principal threat analyst Austin Larsen told The Register. "Our current assessment indicates that a limited number of organizations were affected as part of this campaign, approximately 20," he said. "We've seen UNC6040 targeting hospitality, retail, education and various other sectors in the Americas and Europe." The criminals are really good at impersonating IT support personnel and convincing employees at English-speaking branches of multinational corporations into downloading a modified version of Data Loader, a Salesforce app that allows users to export and update large amounts of data.

The CEO of Indian grocery ordering app KiranaPro has claimed an attacker deleted its GitHub and AWS resources in a targeted and deliberate attack and vowed to name the perpetrator. From a report: KiranaPro lets users shop at "Kiranas," the Indian equivalent of convenience stores, which mostly stock basic foodstuffs. Users of the app place an order, which KiranaPro sends to nearby Kiranas who bid to win the sale. The winner arranges delivery of the goods. The elapsed time from ordering to delivery seldom tops 20 minutes.

KiranaPro CEO Deepak Ravindran claims the app "powers the livelihoods of thousands of Kirana store owners" and handles 2,000-plus orders each day. Ravindran also claims the app was destroyed by someone who holds a grudge. "Our startup @Kirana_Pro was deliberately hacked -- entire GitHub repo & AWS data wiped. Logs suggest malicious insider action," he wrote on June 3rd. The attack happened last week, and the app has been inoperable since.

"It appears as though Meta (aka: Facebook's parent company) and Yandex have found a way to sidestep the Android Sandbox," writes Slashdot reader TheWho79. Researchers disclose the novel tracking method in a report: We found that native Android apps -- including Facebook, Instagram, and several Yandex apps including Maps and Browser -- silently listen on fixed local ports for tracking purposes.

These native Android apps receive browsers' metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users' mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programmatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users' visiting sites embedding their scripts.

This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users' web activity.

While there are subtle differences in the way Meta and Yandex bridge web and mobile contexts and identifiers, both of them essentially misuse the unvetted access to localhost sockets. The Android OS allows any installed app with the INTERNET permission to open a listening socket on the loopback interface (127.0.0.1). Browsers running on the same device also access this interface without user consent or platform mediation. This allows JavaScript embedded on web pages to communicate with native Android apps and share identifiers and browsing habits, bridging ephemeral web identifiers to long-lived mobile app IDs using standard Web APIs. This technique circumvents privacy protections like Incognito Mode, cookie deletion, and Android's permission model, with Meta Pixel and Yandex Metrica scripts silently communicating with apps across over 6 million websites combined.

Following public disclosure, Meta ceased using this method on June 3, 2025. Browser vendors like Chrome, Brave, Firefox, and DuckDuckGo have implemented or are developing mitigations, but a full resolution may require OS-level changes and stricter enforcement of platform policies to prevent further abuse.

An anonymous reader quotes a report from the Latin Times: A once-hyped AI startup backed by Microsoft has filed for bankruptcy after it was revealed that its so-called artificial intelligence was actually hundreds of human workers in India pretending to be chatbots. Builder.ai, a London-based company previously valued at $1.5 billion, marketed its platform as an AI-powered solution that made building apps as simple as ordering pizza. Its virtual assistant, "Natasha," was supposed to generate software using artificial intelligence. In reality, nearly 700 engineers in India were manually coding customer requests behind the scenes, the Times of India reported.

The ruse began to collapse in May when lender Viola Credit seized $37 million from the company's accounts, uncovering that Builder.ai had inflated its 2024 revenue projections by 300%. An audit revealed the company generated just $50 million in revenue, far below the $220 million it claimed to investors. A Wall Street Journal report from 2019 had already questioned Builder.ai's AI claims, and a former executive sued the company that same year for allegedly misleading investors and overstating its technical capabilities. Despite that, the company raised over $445 million from big names including Microsoft and the Qatar Investment Authority. Builder.ai's collapse has triggered a federal investigation in the U.S., with prosecutors in New York requesting financial documents and customer records.

An anonymous reader shares a report: Open source software used by hobbyist drones powered an attack that wiped out a third of Russia's strategic long range bombers on Sunday afternoon, in one of the most daring and technically coordinated attacks in the war. In broad daylight on Sunday, explosions rocked air bases in Belaya, Olenya, and Ivanovo in Russia, which are hundreds of miles from Ukraine. The Security Services of Ukraine's (SBU) Operation Spider Web was a coordinated assault on Russian targets it claimed was more than a year in the making, which was carried out using a nearly 20-year-old piece of open source drone autopilot software called ArduPilot.

ArduPilot's original creators were in awe of the attack. "That's ArduPilot, launched from my basement 18 years ago. Crazy," Chris Anderson said in a comment on LinkedIn below footage of the attack. On X, he tagged his the co-creators Jordi Munoz and Jason Short in a post about the attack. "Not in a million years would I have predicted this outcome. I just wanted to make flying robots," Short said in a reply to Anderson. "Ardupilot powered drones just took out half the Russian strategic bomber fleet."

ArduPilot is an open source software system that takes its name from the Arduino hardware systems it was originally designed to work with. It began in 2007 when Anderson launched the website DIYdrones.com and cobbled together a UAV autopilot system out of a Lego Mindstorms set.

Coinbase reportedly knew as early as January about a customer data breach linked to its outsourcing partner TaskUs, where an employee in India was caught leaking customer information in exchange for bribes. "At least one part of the breach [...] occurred when an India-based employee of the U.S. outsourcing firm TaskUs was caught taking photographs of her work computer with her personal phone," reports Reuters, citing five former TaskUs employees. Though Coinbase disclosed the incident in May after receiving an extortion demand, the newly revealed timeline raises questions about how long the company was aware of the breach, which could cost up to $400 million. Reuters reports: Coinbase said in the May SEC filing that it knew contractors accessed employee data "without business need" in "previous months." Only when it received an extortion demand on May 11 did it realize that the access was part of a wider campaign, the company said. In a statement to Reuters on Wednesday, Coinbase said the incident was recently discovered and that it had "cut ties with the TaskUs personnel involved and other overseas agents, and tightened controls." Coinbase did not disclose who the other foreign agents were.

TaskUs said in a statement that two employees had been fired early this year after they illegally accessed information from a client, which it did not identify. "We immediately reported this activity to the client," the statement said. "We believe these two individuals were recruited by a much broader, coordinated criminal campaign against this client that also impacted a number of other providers servicing this client." The person familiar with the matter confirmed that Coinbase was the client and that the incident took place in January.

An anonymous reader shares a report: Microsoft's changes in response to the Digital Markets Act already included allowing Windows machines in the regions it covers to uninstall Edge and remove Bing results from Windows search, but now the list is growing in some meaningful ways. New features announced Monday for Microsoft Windows users in the European Economic Area (the EU plus Iceland, Liechtenstein, and Norway) include the option to uninstall the Microsoft Store and avoid extra nags or prompts asking them to set Microsoft Edge as the default browser unless they choose to open it.

Additionally, setting a different browser, like Chrome, Firefox, Brave, or something else, will pin it to the taskbar unless the user chooses not to. While setting a different browser default already attaches it to a few link and file types like https and .html, now users in the EEA will see it apply to more types like "read," ftp, and .svg. The default browser changes are live for some users in the beta channel and are set to roll out widely on Windows 10 and Windows 11 in July.

Microsoft, CrowdStrike, Palo Alto Networks, and Google announced Monday they will create a public glossary standardizing the nicknames used for state-sponsored hacking groups and cybercriminals.

The initiative aims to reduce confusion caused by the proliferation of disparate naming conventions across cybersecurity firms, which have assigned everything from technical designations like "APT1" to colorful monikers like "Cozy Bear" and "Kryptonite Panda" to the same threat actors. The companies hope to bring additional industry partners and the U.S. government into the effort to streamline identification of digital espionage groups.