An anonymous reader quotes a report from ZDNet: Today, open-source software powers the world. It didn't have to be that way. The Open Invention Network's (OIN) origins are rooted in a turbulent era for open source. In the mid-2000s, Linux faced existential threats from copyright and patent litigation. Besides, the infamous SCO lawsuit and Microsoft's claims that Linux infringed on hundreds of its patents cast a shadow over the ecosystem. Business leaders became worried. While SCO's attacks petered out, patent trolls -- formally known as Patent Assertion Entities (PAEs) -- were increasing their attacks. So, open-source friendly industry giants, including IBM, Novell, Philips, Red Hat, and Sony, formed the Open Invention Network (OIN) to create a bulwark against patent threats targeting Linux and open-source technologies. Founded in 2005, the Open Invention Network (OIN) has evolved into a global community comprising over 4,000 participants, ranging from startups to multinational corporations, collectively holding more than three million patents and patent applications.

At the heart of OIN's legal strategy is a royalty-free cross-license agreement. Members agree not to assert their patents against the Linux System, creating a powerful network effect that shields open-source projects from litigation. As OIN CEO Keith Bergelt explained, this model enables "broad-based participation by ensuring patent risk mitigation in key open-source technologies, thereby facilitating open-source adoption." This approach worked then, and it continues to work today. [...] Over the years, OIN's mission has expanded beyond Linux to cover a range of open-source technologies. Its Linux System Definition, which determines the scope of patent cross-licensing, has grown from a few core packages to over 4,500 software components and platforms, including Android, Apache, Kubernetes, and ChromeOS. This expansion has been critical, as open source has become foundational across industries such as finance, automotive, telecommunications, and artificial intelligence.

A new study [PDF] reveals AI-generated code frequently references non-existent third-party libraries, creating opportunities for supply-chain attacks. Researchers analyzed 576,000 code samples from 16 popular large language models and found 19.7% of package dependencies -- 440,445 in total -- were "hallucinated."

These non-existent dependencies exacerbate dependency confusion attacks, where malicious packages with identical names to legitimate ones can infiltrate software. Open source models hallucinated at nearly 22%, compared to 5% for commercial models. "Once the attacker publishes a package under the hallucinated name, containing some malicious code, they rely on the model suggesting that name to unsuspecting users," said lead researcher Joseph Spracklen. Alarmingly, 43% of hallucinations repeated across multiple queries, making them predictable targets.

Hackers working for governments were responsible for the majority of attributed zero-day exploits used in real-world cyberattacks last year, per new research from Google. From a report: Google's report said that the number of zero-day exploits -- referring to security flaws that were unknown to the software makers at the time hackers abused them -- had dropped from 98 exploits in 2023 to 75 exploits in 2024.

But the report noted that of the proportion of zero-days that Google could attribute -- meaning identifying the hackers who were responsible for exploiting them -- at least 23 zero-day exploits were linked to government-backed hackers. Among those 23 exploits, 10 zero-days were attributed to hackers working directly for governments, including five exploits linked to China and another five to North Korea.

Oracle engineers mistakenly triggered a five-day software outage at a number of Community Health Systems hospitals, causing the facilities to temporarily return to paper-based patient records. From a report: CHS told CNBC that the outage involving Oracle Health, the company's electronic health record (EHR) system, affected "several" hospitals, leading them to activate "downtime procedures." Trade publication Becker's Hospital Review reported that 45 hospitals were hit.

The outage began on April 23, after engineers conducting maintenance work mistakenly deleted critical storage connected to a key database, a CHS spokesperson said in a statement. The outage was resolved on Monday, and was not related to a cyberattack or other security incident. CHS is based in Tennessee and includes 72 hospitals in 14 states, according to the medical system's website.

An anonymous reader quotes a report from Milwaukee Journal Sentinel: Milwaukee police are mulling a trade: 2.5 million mugshots for free use of facial recognition technology. Officials from the Milwaukee Police Department say swapping the photos with the software firm Biometrica will lead to quicker arrests and solving of crimes. But that benefit is unpersuasive for those who say the trade is startling, due to the concerns of the surveillance of city residents and possible federal agency access. "We recognize the very delicate balance between advancement in technology and ensuring we as a department do not violate the rights of all of those in this diverse community," Milwaukee Police Chief of Staff Heather Hough said during an April 17 meeting.

For the first time, Milwaukee police officials detailed their plans to use the facial recognition technology during a meeting of the city's Fire and Police Commission, the oversight body for those departments. In the past, the department relied on facial recognition technology belonging to neighboring police agencies. In an April 24 email, Hough said the department has not entered into an agreement with any facial recognition and the department intends to continue engaging the public before doing so. The department will discuss it at a future meeting of the city's Public Safety and Health Committee next, she said. "While we would like to acquire the technology to assist in solving cases, being transparent with the community that we serve far outweighs the urgency to acquire," she said in an email.

Officials said the technology alone could not be used as probable cause to arrest someone and the only authorized uses would be when there's basis to believe criminal activity has happened or could happen, or a threat to public safety is imminent. Hough said the department intended to craft a policy that would ensure no one is arrested solely based on facial recognition matches. That reassurance and others from police officials came as activists, residents and some public officials voiced concern.

"4chan, down for more than a week after hackers got in through an insecure script that handled PDFs, is back online," notes BoingBoing. (They add that Thursday saw 4chan's first blog postin years — just the words "Testing testing 123 123...") But 4chan posted a much longer explanation on Friday," confirming their servers were compromised by a malicious PDF upload from "a hacker using a UK IP address," granting access to their databases and administrative dashboard.

The attacker "spent several hours exfiltrating database tables and much of 4chan's source code. When they had finished downloading what they wanted, they began to vandalize 4chan at which point moderators became aware and 4chan's servers were halted, preventing further access." While not all of our servers were breached, the most important one was, and it was due to simply not updating old operating systems and code in a timely fashion. Ultimately this problem was caused by having insufficient skilled man-hours available to update our code and infrastructure, and being starved of money for years by advertisers, payment providers, and service providers who had succumbed to external pressure campaigns. We had begun a process of speccing new servers in late 2023. As many have suspected, until that time 4chan had been running on a set of servers purchased second-hand by moot a few weeks before his final Q&A [in 2015], as prior to then we simply were not in a financial position to consider such a large purchase. Advertisers and payment providers willing to work with 4chan are rare, and are quickly pressured by activists into cancelling their services. Putting together the money for new equipment took nearly a decade...

The free time that 4chan's development team had available to dedicate to 4chan was insufficient to update our software and infrastructure fast enough, and our luck ran out. However, we have not been idle during our nearly two weeks of downtime. The server that was breached has been replaced, with the operating system and code updated to the latest versions. PDF uploads have been temporarily disabled on those boards that supported them, but they will be back in the near future. One slow but much beloved board, /f/ — Flash, will not be returning however, as there is no realistic way to prevent similar exploits using .swf files.

We are bringing on additional volunteer developers to help keep up with the workload, and our team of volunteer janitors & moderators remains united despite the grievous violations some have suffered to their personal privacy.

4chan is back. No other website can replace it, or this community. No matter how hard it is, we are not giving up.

An anonymous reader quotes a report from IEEE Spectrum: The XPrize Foundation today announced the winners of its four-year, $100 million XPrize competition in carbon removal. The contest is one of dozens hosted by the foundation in its 20-year effort to encourage technological development. Contestants in the carbon removal XPrize had to demonstrate ways to pull carbon dioxide from the atmosphere or oceans and sequester it sustainably.

Mati Carbon, a Houston-based startup developing a sequestration technique called enhanced rock weathering, won the grand prize of $50 million. The company spreads crushed basalt on small farms in India and Africa. The silica-rich volcanic rock improves the quality of the soil for the crops but also helps remove carbon dioxide from the air. It does this by reacting with dissolved CO2 in the soil's water, turning it into bicarbonate ions and preventing it from returning to the atmosphere.

More than a dozen organizations globally are developing enhanced rock weathering approaches at an industrial scale, but Mati's tech-heavy verification and software platform caught the XPrize judges' attention. "On the one hand, they're moving rocks around in trucks—that's not very techy. But when we looked under the hood... what we saw was a very impressive data-collection exercise," says Michael Leitch, XPrize's technical lead for the competition. Here's a list of the runners-up:

- Paris-based NetZero won $15 million for turning agricultural waste into biochar through pyrolysis, a method that locks carbon into a stable, solid form.
- Houston-based Vaulted Deep won $8 million for geologically sequestering carbon-rich organic waste by injecting it deep underground.
- London-based Undo Carbon won $5 million for its enhanced rock weathering approach, spreading silicate minerals to speed up natural carbon removal.

Additionally, Project Hajar and Planetary Technologies each received $1 million honorary XFactor prizes, recognizing their promising work in direct air capture and ocean carbon removal, despite not meeting the competition's 1,000-tonne removal threshold.

Some developers are "crying foul" after Microsoft's C/C++ extension for Visual Studio Code stopped working with VS Code derivatives like VS Codium and Cursor, reports The Register. The move has prompted Cursor to transition to open-source alternatives, while some developers are calling for a regulatory investigation into Microsoft's alleged anti-competitive behavior. From the report: In early April, programmers using VS Codium, an open-source fork of Microsoft's MIT-licensed VS Code, and Cursor, a commercial AI code assistant built from the VS Code codebase, noticed that the C/C++ extension stopped working. The extension adds C/C++ language support, such as Intellisense code completion and debugging, to VS Code. The removal of these capabilities from competing tools breaks developer workflows, hobbles the editor, and arguably hinders competition. The breaking change appears to have occurred with the release of v1.24.5 on April 3, 2025.

Following the April update, attempts to install the C/C++ extension outside of VS Code generate this error message: "The C/C++ extension may be used only with Microsoft Visual Studio, Visual Studio for Mac, Visual Studio Code, Azure DevOps, Team Foundation Server, and successor Microsoft products and services to develop and test your applications." Microsoft has forbidden the use of its extensions outside of its own software products since at least September 2020, when the current licensing terms were published. But it hasn't enforced those terms in its C/C++ extension with an environment check in its binaries until now. [...]

Developers discussing the issue in Cursor's GitHub repo have noted that Microsoft recently rolled out a competing AI software agent capability, dubbed Agent Mode, within its Copilot software. One such developer who contacted us anonymously told The Register they sent a letter about the situation to the US Federal Trade Commission, asking them to probe Microsoft for unfair competition -- alleging self-preferencing, bundling Copilot without a removal option, and blocking rivals like Cursor to lock users into its AI ecosystem.

Google announced it will end software updates and remote control support for the first- and second-generation Nest Learning Thermostats (plus the 2014 European model) starting October 25th. "You will no longer be able to control them remotely from your phone or with Google Assistant, but can still adjust the temperature and modify schedules directly on the thermostat," the company wrote in a Friday blog post. The Verge reports: In other significant news, Google is flatly stating that it has no plans to release additional Nest thermostats in Europe. "Heating systems in Europe are unique and have a variety of hardware and software requirements that make it challenging to build for the diverse set of homes," the company said. "The Nest Learning Thermostat (3rd gen, 2015) and Nest Thermostat E (2018) will continue to be sold in Europe while current supplies last." [...]

In a clear attempt to ease customer anger, Google is offering a $130 discount on the fourth-gen Nest Learning Thermostat in the US, $160 off the same device in Canada, and 50 percent savings on the Tado Smart Thermostat X in Europe since the Nest lineup will soon be gone. The original Nest thermostats were released while the company was an independent brand under the leadership of former Apple executive Tony Fadell. Google acquired Nest in 2014 for $3.2 billion.

An anonymous reader quotes a report from Ars Technica: Russian military personnel are being targeted with recently discovered Android malware that steals their contacts and tracks their location. The malware is hidden inside a modified app for Alpine Quest mapping software, which is used by, among others, hunters, athletes, and Russian personnel stationed in the war zone in Ukraine. The app displays various topographical maps for use online and offline. The trojanized Alpine Quest app is being pushed on a dedicated Telegram channel and in unofficial Android app repositories. The chief selling point of the trojanized app is that it provides a free version of Alpine Quest Pro, which is usually available only to paying users.

The malicious module is named Android.Spy.1292.origin. In a blog post, researchers at Russia-based security firm Dr.Web wrote: "Because Android.Spy.1292.origin is embedded into a copy of the genuine app, it looks and operates as the original, which allows it to stay undetected and execute malicious tasks for longer periods of time. Each time it is launched, the trojan collects and sends the following data to the C&C server:

- the user's mobile phone number and their accounts;
- contacts from the phonebook;
- the current date;
- the current geolocation;
- information about the files stored on the device;
- the app's version."

If there are files of interest to the threat actors, they can update the app with a module that steals them. The threat actors behind Android.Spy.1292.origin are particularly interested in confidential documents sent over Telegram and WhatsApp. They also show interest in the file locLog, the location log created by Alpine Quest. The modular design of the app makes it possible for it to receive additional updates that expand its capabilities even further.

The software-as-a-service industry is undergoing a fundamental transformation, abandoning the decades-old "per seat" licensing model in favor of usage-based pricing structures. This shift, Business Insider reports, is primarily driven by the astronomical compute costs associated with new "reasoning" AI models that power modern enterprise software.

Unlike traditional generative AI, these reasoning models execute multiple computational loops to check their work -- a process called inference-time compute -- dramatically increasing token usage and operational expenses. OpenAI's o3-high model reportedly consumes 1,000 times more tokens than its predecessor, with a single benchmark response costing approximately $3,500, according to Barclays.

Companies including Bolt.new, Vercel, and Monday.com have already implemented usage-based or hybrid pricing models that tie costs directly to AI resource consumption. ServiceNow maintains primarily seat-based pricing but has added usage meters for extreme cases. "When it goes beyond what we can credibly afford, we have to have some kind of meter," ServiceNow CEO Bill McDermott said, while emphasizing that customers "still want seat-based predictability."

New Jersey sued the property management software company RealPage, accusing it and 10 of the state's largest landlords of conspiring to drive up residential rents, violating federal and state antitrust laws and New Jersey consumer fraud laws. From a report: The complaint filed on Wednesday by state Attorney General Matthew Platkin said the defendants, including AvalonBay Communities illegally used RealPage's revenue management software and algorithms to inflate rents for apartments in multifamily properties.

New Jersey said the defendants also quietly exchanged non-public data such as lease prices, amenities, concessions offered, property values and housing inventory, in order to align pricing and avoid competition to lower rents. The state said the collusion has inflated rents for hundreds of thousands of residents, with half of low-income renters paying more than 30% of their gross incomes toward rent. Many real estate and financial experts recommend a 30% limit.

An anonymous reader shares a report: For two years, ChatGPT has been OpenAI's cash cow. But by the end of the decade, the company has told some potential and current investors it expects combined sales from agents and other new products to exceed its popular chatbot, lifting total sales to $125 billion in 2029 and $174 billion the next year, according to documents seen by The Information.

The projections, which would propel the 10-year-old startup's sales toward the level of Nvidia or Meta Platforms today, reflect rapid revenue gains from agents, or AI software that can take actions on behalf of customers, as well as other new products. These include those tied to "free user monetization," likely meaning money made from OpenAI's nonpaying users.

An anonymous reader quotes a report from Reuters: A U.S. appeals court on Monday revived a proposed data privacy class action against Shopify, a decision that could make it easier for American courts to assert jurisdiction over internet-based platforms. In a 10-1 decision, the 9th U.S. Circuit Court of Appeals in San Francisco said the Canadian e-commerce company can be sued in California for collecting personal identifying data from people who make purchases on websites of retailers from that state.

Brandon Briskin, a California resident, said Shopify installed tracking software known as cookies on his iPhone without his consent when he bought athletic wear from the retailer I Am Becoming, and used his data to create a profile it could sell to other merchants. Shopify said it should not be sued in California because it operates nationwide and did not aim its conduct toward that state. The Ottawa-based company said Briskin could sue in Delaware, New York or Canada. A lower court judge and a three-judge 9th Circuit panel had agreed the case should be dismissed, but the full appeals court said Shopify "expressly aimed" its conduct toward California.

"Shopify deliberately reached out ... by knowingly installing tracking software onto unsuspecting Californians' phones so that it could later sell the data it obtained, in a manner that was neither random, isolated, or fortuitous," Circuit Judge Kim McLane Wardlaw wrote for the majority. A spokesman for Shopify said the decision "attacks the basics of how the internet works," and drags entrepreneurs who run online businesses into distant courtrooms regardless of where they operate. Shopify's next legal steps are unclear.

Walmart is taking a lesson from the humble honeybee in its quest to make its deliveries as fast as possible. From a report: The retail giant already boasts a formidable store count of 4,700 locations across the US, which puts it within a short drive of more than 90% of households. But in order to grow its reach without necessarily having to build new supercenters, Walmart says it has been using a relatively new hexagonal map segmentation -- a change from the conventional ZIP code or radius-based strategies that are commonly used in determining delivery areas.

Walmart says the strategy allows it to better understand where customers are and which stores have what they want. As bees have long known, hexagons can be an excellent shape for making the most of a given space, and Walmart says the more precise maps allow it to reach an additional 12 million US households with same-day delivery.

"This is helping us to adapt how we service our customers, by allowing us to go from a fixed-mile radius into a much more dynamic catchment area that caters to the needs of the customers that a particular store will serve," Walmart global tech senior director of engineering Parthibban Raja told Fast Company in December, following a pilot of the concept. Walmart says its platform uses a combination of its own data and open-source software to create new delivery zones.

Researchers have uncovered a new supply chain attack called Slopsquatting, where threat actors exploit hallucinated, non-existent package names generated by AI coding tools like GPT-4 and CodeLlama. These believable yet fake packages, representing almost 20% of the samples tested, can be registered by attackers to distribute malicious code. CSO Online reports: Slopsquatting, as researchers are calling it, is a term first coined by Seth Larson, a security developer-in-residence at Python Software Foundation (PSF), for its resemblance to the typosquatting technique. Instead of relying on a user's mistake, as in typosquats, threat actors rely on an AI model's mistake. A significant number of packages, amounting to 19.7% (205,000 packages), recommended in test samples were found to be fakes. Open-source models -- like DeepSeek and WizardCoder -- hallucinated more frequently, at 21.7% on average, compared to the commercial ones (5.2%) like GPT 4. Researchers found CodeLlama ( hallucinating over a third of the outputs) to be the worst offender, and GPT-4 Turbo ( just 3.59% hallucinations) to be the best performer.

These package hallucinations are particularly dangerous as they were found to be persistent, repetitive, and believable. When researchers reran 500 prompts that had previously produced hallucinated packages, 43% of hallucinations reappeared every time in 10 successive re-runs, with 58% of them appearing in more than one run. The study concluded that this persistence indicates "that the majority of hallucinations are not just random noise, but repeatable artifacts of how the models respond to certain prompts." This increases their value to attackers, it added. Additionally, these hallucinated package names were observed to be "semantically convincing." Thirty-eight percent of them had moderate string similarity to real packages, suggesting a similar naming structure. "Only 13% of hallucinations were simple off-by-one typos," Socket added. The research can found be in a paper on arXiv.org (PDF).

Amazon has delayed some commitments around new data center leases, Wells Fargo analysts said Monday, the latest sign that economic concerns may be affecting tech companies' spending plans. From a report: A week ago, a Microsoft executive said the software company was slowing down or temporarily holding off on advancing early build-outs. Amazon Web Services and Microsoft are the leading providers of cloud infrastructure, and both have ramped up their capital expenditures in recent quarters to meet the demands of the generative artificial intelligence boom.

"Over the weekend, we heard from several industry sources that AWS has paused a portion of its leasing discussions on the colocation side (particularly international ones)," Wells Fargo analysts wrote in a note. They added that "the positioning is similar to what we've heard recently from MSFT," in that both companies are reeling in some new projects but not canceling signed deals.

Cursor AI users recently encountered an ironic AI failure when the platform's support bot falsely claimed a non-existent login restriction policy. Co-founder Michael Truell apologized for the issue, clarified that no such policy exists, and attributed the mishap to AI hallucination and a session management bug. The Register reports: Users of the Cursor editor, designed to generate and fix source code in response to user prompts, have sometimes been booted from the software when trying to use the app in multiple sessions on different machines. Some folks who inquired about the inability to maintain multiple logins for the subscription service across different machines received a reply from the company's support email indicating this was expected behavior. But the person on the other end of that email wasn't a person at all, but an AI support bot. And it evidently made that policy up.

In an effort to placate annoyed users this week, Michael Truell co-founder of Cursor creator Anysphere, published a note to Reddit to apologize for the snafu. "Hey! We have no such policy," he wrote. "You're of course free to use Cursor on multiple machines. Unfortunately, this is an incorrect response from a front-line AI support bot. We did roll out a change to improve the security of sessions, and we're investigating to see if it caused any problems with session invalidation." Truell added that Cursor provides an interface for viewing active sessions in its settings and apologized for the confusion.

In a post to the Hacker News discussion of the SNAFU, Truell again apologized and acknowledged that something had gone wrong. "We've already begun investigating, and some very early results: Any AI responses used for email support are now clearly labeled as such. We use AI-assisted responses as the first filter for email support." He said the developer who raised this issue had been refunded. The session logout issue, now fixed, appears to have been the result of a race condition that arises on slow connections and spawns unwanted sessions.

Over 100 mid-market software companies are caught in a dangerous "squeeze" between AI-native startups and tech giants, according to a new AlixPartners study released Monday. The consulting firm warns many face "threats to their survival over the next 24 months" as generative AI fundamentally reshapes enterprise software.

The squeeze reflects a dramatic shift: AI agents are evolving from mere assistants to becoming applications themselves, potentially rendering traditional SaaS architecture obsolete. High-growth companies in this sector plummeted from 57% in 2023 to 39% in 2024, with further decline expected. Customer stickiness is also deteriorating, with median net dollar retention falling from 120% in 2021 to 108% in Q3 2024.

Chad Anderson is the founder/managing partner of the early-stage VC Space Capital (and an investor in SpaceX, along with dozens of other space companies). Space Capital produces quarterly reports on the space economy, and he says today, unlike 2021, "the froth is gone. But so is the hype. What's left is a more grounded — and investable — space economy."

On Yahoo Finance he shares several of the report's insights — including the emergence of "investable opportunities across defense-oriented startups in space domain awareness, AI-driven command systems, and hardened infrastructure." The same geopolitical instability that's undermining public markets is driving national urgency around space resilience. China's simulated space "dogfights" prompted the US Department of Defense to double down on orbital supremacy, with the proposed "Golden Dome" missile shield potentially unleashing a new wave of federal spending...

Defense tech is on fire, but commercial location-based services and logistics are freezing over. Companies like Shield AI and Saronic raised monster rounds, while others are relying on bridge financings to stay afloat...

Q1 also saw a breakout quarter for geospatial artificial intelligence (GeoAI). Software developer Niantic launched a spatial computing platform. SkyWatch partnered with GIS software supplier Esri. Planet Labs collaborated with Anthropic. And Xona Space Systems inked a deal with Trimble to boost precision GPS. This is the next leg of the space economy, where massive volumes of satellite data is finally made useful through machine learning, semantic indexing, and real-time analytics.

Distribution-layer companies are doing more with less. They remain underfunded relative to infrastructure and applications but are quietly powering the most critical systems, such as resilient communications, battlefield networks, and edge-based geospatial analysis. Don't let the low round count fool you; innovation here is quietly outpacing capital.
The article includes several predictions, insights, and possible trends (going beyond the fact that defense spending "will carry the sector...")

• "AI's integration into space (across geospatial intelligence, satellite communications, and sensor fusion) is not a novelty. It's a competitive necessity."

• "Focusing solely on rockets and orbital assets misses where much of the innovation and disruption is occurring: the software-defined layers that sit atop the physical backbone..."

• "For years, SpaceX faced little serious competition, but that's starting to change." [He cites Blue Origin's progress toward approval for launching U.S. military satellites, and how Rocket Lab and Stoke Space "have also joined the competition for lucrative government launch contracts." Even Relativity Space may make a comeback, with former GOogle CEO Eric Schmidt acquiring a controlling stake.]

• "An infrastructure reset is coming. The imminent ramp-up of SpaceX's Starship could collapse the cost structure for the infrastructure layer. When that happens, legacy providers with fixed-cost-heavy business models will be at risk. Conversely, capital-light innovators in station design, logistics, and in-orbit servicing could suddenly be massively undervalued."