[…] The Milky Way is anything but static. It rotates and it wobbles, and new observations from the European Space Agency’s Gaia space telescope now reveal another motion, a giant wave moving outward from the galaxy’s centre.
For roughly a century, astronomers have known that stars orbit the galactic centre, and Gaia has mapped their speeds and paths. Since the 1950s, researchers have recognized that the Milky Way’s disc is warped. In 2020, Gaia showed that this disc also wobbles over time, similar to a spinning top.
It is now clear that a vast ripple influences stellar motions across distances of tens of thousands of light-years from the Sun. Like waves spreading from a stone dropped into a pond, this stellar ripple spans a large stretch of the Milky Way’s outer disc.
The European Space Agency’s (ESA) Gaia space telescope has revealed that our Milky Way galaxy has a giant wave rippling outwards from its center. In the left image, we look at our galaxy from ‘above’. On the right, we see across a vertical slice of the galaxy and look at the wave side-on. In this perspective, the Sun is located between the line of sight and the bulge of the galaxy. This perspective also reveals that the ‘left’ side of the galaxy curves upward and the other side curves downward (this is the warp of the disc). The newly discovered wave is indicated in red and blue: in red areas, the stars lie above, and in blue areas the stars lie below the warped disc of the galaxy. Credit: ESA/Gaia/DPAC, S. Payne-Wardenaar, E. Poggio et al (2025)
The unexpected galactic ripple is illustrated in this figure above. Here, the positions of thousands of bright stars are shown in red and blue, overlaid on Gaia’s maps of the Milky Way.
In the left image, we look at our galaxy from ‘above’. On the right, we see across a vertical slice of the galaxy and look at the wave side-on. This perspective reveals that the ‘left’ side of the galaxy curves upward and the ‘right’ side curves downward (this is the warp of the disc). The newly discovered wave is indicated in red and blue: in red areas, the stars lie above, and in blue areas, the stars lie below the warped disc of the galaxy.
[…]
The Scale of the Wave
From these, we can see that the wave stretches over a huge portion of the galactic disc, affecting stars around at least 30–65 thousand light-years away from the center of the galaxy (for comparison, the Milky Way is around 100 thousand light-years across).
The great wave could also be related to a smaller-scale rippling motion seen 500 light-years from the Sun and extending over 9000 light-years, the so-called Radcliffe Wave.
“However, the Radcliffe Wave is a much smaller filament, and located in a different portion of the galaxy’s disc compared to the wave studied in our work (much closer to the Sun than the great wave). The two waves may or may not be related. That’s why we would like to do more research,” Eloisa adds.
“The upcoming fourth data release from Gaia will include even better positions and motions for Milky Way stars, including variable stars like Cepheids. This will help scientists to make even better maps, and thereby advance our understanding of these characteristic features in our home galaxy,” says Johannes Sahlmann, ESA’s Gaia Project Scientist.
Reference: “The great wave – Evidence of a large-scale vertical corrugation propagating outwards in the Galactic disc” by E. Poggio, S. Khanna, R. Drimmel, E. Zari, E. D’Onghia, M. G. Lattanzi, P. A. Palicio, A. Recio-Blanco and L. Thulasidharan, 14 July 2025, Astronomy & Astrophysics. DOI: 10.1051/0004-6361/202451668
Geographic atrophy due to age-related macular degeneration (AMD) is the leading cause of irreversible blindness and affects more than 5 million persons worldwide. No therapies to restore vision in such persons currently exist. The photovoltaic retina implant microarray (PRIMA) system combines a subretinal photovoltaic implant and glasses that project near-infrared light to the implant in order to restore sight to areas of central retinal atrophy.
Methods
We conducted an open-label, multicenter, prospective, single-group, baseline-controlled clinical study in which the vision of participants with geographic atrophy and a visual acuity of at least 1.2 logMAR (logarithm of the minimum angle of resolution) was assessed with PRIMA glasses and without PRIMA glasses at 6 and 12 months. The primary end points were a clinically meaningful improvement in visual acuity (defined as ≥0.2 logMAR) from baseline to month 12 after implantation and the number and severity of serious adverse events related to the procedure or device through month 12.
Results
A total of 38 participants received a PRIMA implant, of whom 32 were assessed at 12 months. Of the 6 participants who were not assessed, 3 had died, 1 had withdrawn, and 2 were unavailable for testing. Among the 32 participants who completed 12 months of follow-up, the PRIMA system led to a clinically meaningful improvement in visual acuity from baseline in 26 (81%; 95% confidence interval, 64 to 93; P<0.001). Using multiple imputation to account for the 6 participants with missing data, we estimated that 80% (95% CI, 66 to 94; P<0.001) of all participants would have had a clinically meaningful improvement at 12 months. A total of 26 serious adverse events occurred in 19 participants. Twenty-one of these events (81%) occurred within 2 months after surgery, of which 20 (95%) resolved within 2 months after onset. The mean natural peripheral visual acuity after implantation was equivalent to that at baseline.
Conclusions
In this study involving 38 participants with geographic atrophy due to AMD, the PRIMA system restored central vision and led to a significant improvement in visual acuity from baseline to month 12. (Funded by Science Corporation and the Moorfields National Institute for Health and Care Research Biomedical Research Centre; PRIMAvera ClinicalTrials.gov number, NCT04676854.)
Amazon Web Services (AWS) is currently experiencing a major outage that has taken down online services, including Amazon, Alexa, Snapchat, Fortnite, and more. The AWS status checker is reporting that multiple services are “impacted” by operational issues, and that the company is “investigating increased error rates and latencies for multiple AWS services in the US-EAST-1 Region” — though outages are also impacting services in other regions globally.
Users on Reddit are reporting that the Alexa smart assistant is down and unable to respond to queries or complete requests, and in my own experience, I found that routines like pre-set alarms are not functioning. The AWS issue also appears to be impacting platforms running on its cloud network, including Perplexity, Airtable, Canva, and the McDonalds app. The cause of the outage hasn’t been confirmed, and it’s unclear when regular service will be restored.
“Perplexity is down right now,” Perplexity CEO Aravind Srinivas said on X. “The root cause is an AWS issue. We’re working on resolving it.”
The AWS dashboard first reported issues affecting the US-EAST-1 Region at 3:11AM ET. “We are actively engaged and working to both mitigate the issue and understand root cause. We will provide an update in 45 minutes, or sooner if we have additional information to share,” Amazon said in an update published at 3:51AM ET.
The service provides cloud-computing and API services to major websites, popular apps, and platforms across the world. It means that users have been experiencing issues across a huge swath of the internet as the UK starts its working week.
[…]
We will be keeping an updating list of websites, apps, games, and more than are impacted. It includes:
Windows Recovery Environment (RE), as the name suggests, is a built-in set of tools inside Windows that allow you to troubleshoot your computer, including booting into the BIOS, or starting the computer in safe mode. It’s a crucial piece of software that has now, unfortunately, been rendered useless (for many) as part of the latest Windows update. A new bug discovered in Windows 11’s October build, KB5066835, makes it so that your USB keyboard and mouse stop working entirely, so you cannot interact with the recovery UI at all.
This problem has already been recognized and highlighted by Microsoft, who clarified that a fix is on its way to address this issue. Any plugged-in peripherals will continue to work just fine inside the actual operating system, but as soon as you go into Windows RE, your USB keyboard and mouse will become unresponsive. It’s important to note that if your PC fails to start-up for any reason, it defaults to the recovery environment to, you know, recover and diagnose any issues that might’ve been preventing it from booting normally.
Note that those hanging onto old PS/2-connector equipped keyboards and mice seem to be unaffected by this latest Windows software gaffe.
If you twist something — say, spin a top or rotate a robot’s arm — and want it to return to its exact starting point, intuition says you’d need to undo every twist one by one. But mathematicians Jean-Pierre Eckmann from the University of Geneva and Tsvi Tlusty from the Ulsan National Institute of Science and Technology (UNIST) have found a surprising shortcut. As they describe in a new study, nearly any sequence of rotations can be perfectly undone by scaling its size and repeating it twice.
Like a mathematical Ctrl+Z, this trick sends nearly any rotating object back to where it began.
“It is actually a property of almost any object that rotates, like a spin or a qubit or a gyroscope or a robotic arm,” Tlusty told New Scientist. “If [objects] go through a highly convoluted path in space, just by scaling all the rotation angles by the same factor and repeating this complicated trajectory twice, they just return to the origin.”
A Hidden Symmetry of Motion
A random walk on SO(3) shown as a trajectory in a ball of radius π, where a rotation R(n,ω) is mapped to the point r=nω and antipodal points are identified, nπ = −nπ (the real projective space RP3). The walk traverses from the center (small red sphere) to the blue end. Crossing antipodal points is indicated by dotted lines. Credit: Physical Review Letters.
Mathematicians represent rotations using a space called SO(3) — a three-dimensional map where every point corresponds to a unique orientation. At the very center lies the identity rotation: the object’s original state. Normally, retracing a complex path through this space wouldn’t bring you back to that center. But Eckmann and Tlusty found that scaling all rotation angles by a single factor before repeating the motion twice acts like a geometric reset.
So for example:
If your first rotation sequence tilted the object 75 degrees this way, 20 degrees that way, and so on, you could shrink all those angles by, say, a factor of 0.3, and then run that shortened version two times in a row.
After those two runs, the object returns perfectly to its starting position — as if nothing had ever happened.
In their proof, the researchers blended a 19th-century tool for combining rotations (Rodrigues’ rotation formula) with Hermann Minkowski’s theorem from number theory. Together, these revealed that “almost every walk in SO(3) or SU(2), even a very complicated one, will preferentially return to the origin simply by traversing the walk twice in a row and uniformly scaling all rotation angles.”
Why This Matters
Why should you care, though? Well, rotations are everywhere: in gyroscopes, MRI machines, and quantum computers. Any technique that can reliably “reset” them could have broad uses. In magnetic resonance imaging (MRI), for example, atomic nuclei constantly spin in magnetic fields. Small errors in those spins can blur the resulting images. The new insight could help engineers design sequences that cleanly undo unwanted rotations.
Quantum devices, built around spinning qubits, might also benefit. Since qubits evolve through quantum rotations described by SU(2), a universal reset rule could help stabilize computations. “No matter how tangled the history of rotations,” Tlusty said in the UNIST press release, “there exists a simple recipe: rescale the driving force and apply it twice.”
And in robotics, the principle might enable machines that can roll or pivot endlessly without drifting off course. “Imagine if we had a robot that could morph between any solid body shape, it could then follow any desired path simply through morphing of shape,” said Josie Hughes of the Swiss Federal Institute of Technology Lausanne in an interview with New Scientist.
As Eckmann put it, the discovery shows “how rich mathematics can be even in a field as well-trod as the study of rotations.” It’s a rare kind of elegance: a universal law that hides in plain sight, waiting for someone to give the world a gentle twist — and then do it again.
Microsoft’s October Windows 11 update has managed the impressive feat of breaking localhost, leaving developers unable to access web applications running on their own machines.
The problem first surfaced on Microsoft’s own support forums and quickly spread to Stack Overflow and Server Fault after the October 2025 cumulative update (KB5066835) landed, which appears to have severed Windows’ ability to talk to itself.
Developers describe HTTP/2 protocol errors and failed connections affecting everything from ASP.NET builds to Visual Studio debugging sessions.
Security nightmare stories needed!
Boss get the company hacked because he taped passwords to his monitor? Coworker get phished by a Nigerian prince?
Share the dirty details and they might appear in a future edition of PWNED, our new weekly feature about the worst security breaches that never should have happened.
Drop us a line at pwned@sitpub.com. Your anonymity is guaranteed.
The bug, introduced in build 26100.6899, has been traced to HTTP.sys, the Windows kernel component that handles local HTTP traffic. Developers have found that uninstalling KB5066835, and in some cases its sibling KB5065789, restores localhost functionality.
Others have discovered a temporary workaround that involves manually disabling HTTP/2 in the registry, which works but feels a bit like using a sledgehammer to swat a fly.
At the time of writing, Microsoft had yet to acknowledge the issue. Users report mixed results when trying to reinstall the patch or roll forward to newer builds. The problem appears to vanish on clean installs of Windows 11 24H2, suggesting that the error stems from a conflict in how the update interacts with existing system configurations, rather than being a universal bug.
In the meantime, moderators on Stack Overflow have already locked multiple posts and Server Fault threads are filled with frustrated devs trying to get their local servers running again.
All this comes as Microsoft pushed its final update for Windows 10 this week, officially ending support for the decade-old OS and urging users to move to Windows 11.
The transition hasn’t exactly been buttery smooth. Microsoft’s Windows 11 media creation tool also stopped working the day before, potentially affecting users trying to upgrade, and the same patch cycle saw end-of-support deadlines for Office 2019 and multiple server products.
All this means that, within the same week, Microsoft’s installer broke, its new OS borked local development, and Redmond’s multimillion-dollar upgrade push instead highlighted how fragile its ecosystem still is.
It’s almost enough to make you nostalgic for Clippy. We said almost. ®
Updated at 9.54 UTC on October 17, 2025, to add:
More than twenty four hours after asking Microsoft to comment, a spokesperson for the company sent a statement confirming problems.
“We are actively working on mitigations and recommend customers follow our guidance available here.”
Alan’s Factory Outlet surveyed 1,000 American drivers to explore a messy but relatable problem: bird droppings on cars. By combining survey responses with research on bird behavior and parking habits, this report uncovered which vehicles are hit the hardest, which colors attract the most mess, and how much money drivers spend cleaning up. The findings reveal not only surprising insights but also the importance of having protection like carports and garages.
Key Takeaways
Ram, Jeep, and Chevrolet are the top three vehicles most frequently targeted by bird droppings.
Brown, red, and black cars attract the most bird poop, according to drivers.
Over 1 in 2 Americans (58%) say their car has been pooped on more than once in the same day.
29% of Americans feel like birds have “targeted” their vehicle.
Nearly 1 in 4 Americans (24%) spend over $500 each year on car washes and repairs due to bird droppings.
1 in 5 Americans (21%) would invest in a car cover or garage to avoid bird mess, and they’d pay an average of $50/month for better protection.
Car Brands and Colors Birds Target Most
Car owners often debate whether certain makes or colors are more vulnerable to bird mess, and the data from our survey suggests they may be right.
Ram, Jeep, and Chevrolet topped the list of vehicles most likely to be splattered. Other frequently targeted brands included Nissan, Dodge, and Kia, while Tesla, Audi, and Subaru also made the top ten. This spread shows that both domestic and imported brands are at risk. Color also played a noticeable role. Brown, red, and black cars drew the most unwanted attention from above, while lighter colors like white and silver/gray ranked lower.
For many drivers, bird droppings are a regular headache. Over half of Americans (58%) said their car had been pooped on more than once in the same day, and nearly a third (29%) felt like birds had personally “targeted” them. Lexus (47%), Tesla (39%), and Dodge (35%) drivers felt the most targeted by birds.
More than 1 in 10 drivers (11%) even reported paint damage caused by droppings. These experiences often lead to frequent car washes. Over half of drivers (57%) have paid for a car wash specifically to clean off bird droppings, and 39% said they have to wash their cars multiple times a month because of it.
The costs add up quickly. Nearly 1 in 4 drivers (24%) spent more than $500 annually on car washes and repairs related to bird mess. Tesla and BMW owners were among the most impacted, with two-thirds of each brand spending over $500 per year.
Parking Habits and Prevention Attempts
Parking choices made a big difference in how often cars were hit.
Nearly one-third of Americans (29%) had changed their usual parking spot to steer clear of bird droppings, while 55% admitted their current setup provided little to no protection. Many went out of their way for a cleaner car: 38% said they would walk up to a block just to avoid parking under “poop zones.” Drivers of Toyota (17%), Honda (15%), and Chevrolet (7%) vehicles were the most likely to make these adjustments.
Bird droppings even disrupted daily life for some. More than 1 in 20 Americans (6%) had canceled or delayed plans because their car was too dirty, and over 1 in 10 (14%) had gotten droppings on themselves while getting in or out of their vehicle.
To prevent the mess, about 1 in 5 Americans (21%) said they would invest in a car cover or garage addition, with many willing to spend around $50 per month for added protection. Covered options such as carports also offered a practical solution for drivers looking to avoid these costly and frustrating cleanups.
[…] a technique called EtherHiding, hiding malware inside blockchain smart contracts to sneak past detection and ultimately swipe victims’ crypto and credentials, according to Google’s Threat Intelligence team.
A Pyongyang goon squad that GTIG tracks as UNC5342 has been using this method since February in its Contagious Interview campaign, we’re told.
The criminals pose as recruiters, posting fake profiles on social media along the lines of Lazarus Group’s Operation Dream Job, which tricked job seekers into clicking on malicious links. But in this case, the Norks target software developers, especially those working in cryptocurrency and tech, trick them into downloading malware disguised as a coding test, and ultimately steal sensitive information and cryptocurrency, while gaining long-term access to corporate networks.
Hiding on the blockchain
To do this, they use EtherHiding, which involves embedding malicious code into a smart contract on a public blockchain, turning the blockchain into a decentralized and stealthy command-and-control server.
Because it’s decentralized, there isn’t a central server for law enforcement to take down, and the blockchain makes it difficult to trace the identity of whoever deployed the smart contract. This also allows attackers to retrieve malicious payloads using read-only calls with no visible transaction history on the blockchain.
“In essence, EtherHiding represents a shift toward next-generation bulletproof hosting, where the inherent features of blockchain technology are repurposed for malicious ends,” Google’s threat hunters Blas Kojusner, Robert Wallace, and Joseph Dobson said in a Thursday report.
[…]
“EtherHiding presents new challenges as traditional campaigns have usually been halted by blocking known domains and IPs,” the security researchers wrote. “Malware authors may leverage the blockchain to perform further malware propagation stages since smart contracts operate autonomously and cannot be shut down.”
The good news: there are steps administrators can take to prevent EtherHiding attacks, with the first – and most direct – being to block malicious downloads. This typically involves setting policy to block certain types of files including .exe, .msi, .bat, and .dll.
Admins can also set policy to block access to known malicious websites and URLs of blockchain nodes, and enforce safe browsing via policies that use real-time threat intelligence to warn users of phishing sites and suspicious downloads.
SpaceX may be guilty of violating regulatory standards by using a classified network of satellites to transmit data to Earth on radio frequencies reserved for uplinking signals, according to a citizen scientist who tracks satellites in Earth orbit.
Scott Tilley, an amateur satellite tracker in Canada, accidentally detected space-to-Earth emissions on a radio frequency band reserved for transmitting data from Earth to space, NPR first reported. The signals were traced to SpaceX’s Starshield, an encrypted version of the Starlink satellites used for national security efforts.
Using an unauthorized frequency to downlink data to Earth violates radio regulations set by the International Telecommunications Union (ITU) and could potentially interfere with other satellites’ ability to receive signals from Earth, according to a report by Tilley.
[…]
Although there’s little information shared about Starshield, Tilley was able to detect signals from 170 satellites in the 2025 to 2110 MHz range. This specific band of the radio spectrum is reserved for uplinking data from Earth to orbiting satellites and therefore should not have any signals going the other way round.
“Nearby satellites could receive radio-frequency interference and could perhaps not respond properly to commands—or ignore commands—from Earth,”
[…]
Because the ITU doesn’t impose fines for regulatory violations, SpaceX will likely face no consequences for using an unauthorized frequency band or for potentially interfering with other satellite signals. The company is known for pushing regulatory boundaries to further its position as a leader in the industry.
Amazon’s surveillance camera maker Ring announced a partnership on Thursday with Flock, a maker of AI-powered surveillance cameras that share footage with law enforcement.
Now agencies that use Flock can request that Ring doorbell users share footage to help with “evidence collection and investigative work.”
Flock cameras work by scanning the license plates and other identifying information about cars they see. Flock’s government and police customers can also make natural language searches of their video footage to find people who match specific descriptions. However, AI-powered technology used by law enforcement has been proven to exacerbateracial biases.
On the same day that Ring announced this partnership, 404 Media reported that ICE, the Secret Service, and the Navy had access to Flock’s network of cameras. By partnering with Ring, Flock could potentially access footage from millions more cameras.
Ring has long had a poor track record with keeping customers’ videos safe and secure. In 2023, the FTC ordered the company to pay $5.8 million over claims that employees and contractors had unrestricted access to customers’ videos for years.
For more on Flock cameras and how unsecured and dangerous these things are (and also how to join a network of people monitoring this pervasive surveillance) click here.
Hackers stole the personal information of over 17.6 million people after breaching the systems of financial services company Prosper.
Prosper operates as a peer-to-peer lending marketplace that has helped over 2 million customers secure more than $30 billion in loans since its founding in 2005.
As the company disclosed one month ago on a dedicated page, the breach was detected on September 2, but Prosper has yet to find evidence that the attackers gained access to customer accounts and funds.
However, the attackers stole data belonging to Prosper customers and loan applicants. The company hasn’t shared what information was exposed beyond Social Security numbers because it’s still investigating what data was affected.
[…]
“We have evidence that confidential, proprietary, and personal information, including Social Security Numbers, was obtained, including through unauthorized queries made on Company databases that store customer information and applicant data.
[…]
While Prosper didn’t share how many customers were affected by this data breach, data breach notification service Have I Been Pwned revealed the extent of the incident on Thursday, reporting that it affected 17.6 million unique email addresses.
The stolen information also includes customers’ names, government-issued IDs, employment status, credit status, income levels, dates of birth, physical addresses, IP addresses, and browser user agent details.
Also no mention of how easy it was to perform these “unauthorised queries” on the database, or why the difference between 2m customers and 17.6m records.
Part of the magic in the hugely popular Grand Theft Auto (GTA) video games is how well they pack pop-culture parodies into their virtual worlds. Like, between normal songs, the in-game radio stations have talk shows and ads that sound like they could be real until you pay attention. A gaming and tech enthusiast in Germany has taken that meta aspect to another level, building a Raspberry Pi-based device that lets him use the in-game radio in his car in real life.
This little 12-volt-socket-powered dongle has a surprisingly polished appearance with a tiny display for each game radio station and a handy knob to cycle between them. The audio and icon files are stored within the device.
@ZeugUndKram/YouTube
A Raspberry Pi is just a tiny computer with no screen, body, or peripherals. Tech hobbyists like them because they’re small and inexpensive, but powerful enough to do computer processing.
The GTA radio stations have themes just like real ones—there’s a pop channel, a country channel, an angry-screaming-pundit channel, and many more. But the DJ interludes and commercials are the funny part—they mostly sound like normal radio chatter, then veer into wacky/raunchy/unsubtle culture-mocking.
As for listening to the game radio stations in a real car, the cheapest and fastest way to do it would probably be to simply cue up a YouTube video about the game station you want to hear (there are a bunch on YT) and beam it to your car through Bluetooth like Spotify or Netflix or whatever app you normally listen to.
@ZeugUndKram/YouTube
However, the custom-made solution we found today is far cooler. As outlined on the YouTube channel Zeug und Kram (which means “stuff and junk” in German), the setup here is essentially a 12-volt charger and Bluetooth radio transmitter mated to a Raspberry Pi with a tiny circular screen on top, all neatly integrated together in a rather elegant 3D-printed housing.
The video we’ll embed below explains how it came together. It’s also outlined on Instructables if you want to try and replicate the project yourself. Objectively speaking, it’s not particularly useful per se, but it’s a great execution of a creative idea.
If you don’t speak German, YouTube does a good job of auto-translating with closed captions (hit the gear button to find that menu).
Microsoft’s Threat Intelligence team has sounded the alarm over a new financially-motivated cybercrime spree that is raiding US university payroll systems.
In a blog post, Redmond said a cybercrime crew it tracks as Storm-2657 has been targeting university employees since March 2025, hijacking salaries by breaking into HR software such as Workday.
The attack is as audacious as it is simple: compromise HR and email accounts, quietly change payroll settings, and redirect pay packets into attacker-controlled bank accounts. Microsoft has dubbed the operation “payroll pirate,” a nod to the way crooks plunder staff wages without touching the employer’s systems directly.
Storm-2657’s campaign begins with phishing emails designed to harvest multifactor authentication (MFA) codes using adversary-in-the-middle (AiTM) techniques. Once in, the attackers breach Exchange Online accounts and insert inbox rules to hide or delete HR messages. From there, they use stolen credentials and SSO integrations to access Workday and tweak direct deposit information, ensuring that future payments go straight to them.
Microsoft stresses that the attacks don’t exploit a flaw in Workday itself. The weak points are poor MFA hygiene and sloppy configurations, with Redmond warning that organizations still relying on legacy or easily-phished MFA are sitting ducks.
“Since March 2025, we’ve observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities,” Microsoft explained. It says these lures were crafted with academic precision: fake HR updates, reports of faculty misconduct, or notes about illness clusters, often linked through shared Google Docs to bypass filtering and appear routine.
In one instance, a phishing message urging recipients to “check their illness exposure status” was sent to 500 people within a single university, and only about 10 percent flagged it as suspicious, according to Microsoft.
An Austrian digital privacy group has claimed victory over Microsoft after the country’s data protection regulator ruled the software giant “illegally” tracked students via its 365 Education platform and used their data.
noyb said the ruling [PDF] by the Austrian Data Protection Authority also confirmed that Microsoft had tried to shift responsibility for access requests to local schools, and the software and cloud giant would have to explain how it used user data.
The ruling could have far-reaching effects for Microsoft and its obligations to inform Microsoft 365 users across Europe about what it is doing with their data, noyb argues.
The complaint dates back to the COVID-19 pandemic, when schools rapidly shifted to online learning, using the likes of 365 Education.
The privacy group said: “Microsoft shifted all responsibility to comply with privacy laws onto schools and national authorities – that have little to no actual control over the use of student data.”
When the complainant filed an access request to see what information was being processed, “this led to massive finger pointing: Microsoft simply referred the complainant to its local school.”
But the school and education authorities could only provide minimal information. The school, for example, could not access information that rested with Microsoft. “No one felt able to comply with GDPR rights.”
This prompted a complaint against the school, national and local education authorities, and Microsoft.
The ruling, machine translated, said: “It is determined that Microsoft, as a controller, violated the complainant’s right of access (Art. 15 GDPR) by failing to provide complete information about the data processed when using Microsoft Education 365.”
Microsoft was ordered to provide complete information about the data transmitted, and to provide clear explanations of terms such as “internal reporting,” “business modelling” and “improvement of core functionality.” It must also disclose if information was transferred to third parties.
Climate change has pushed warm-water coral reefs past a point of no return, marking the first time a major climate tipping point has been crossed, according to a report released on Sunday by an international team in advance of the United Nations Climate Change Conference COP30 in Brazil this November.
Tipping points include global ice loss, Amazon rainforest loss, and the possible collapse of vital ocean currents. Once crossed, they will trigger self-perpetuating and irreversible changes that will lead to new and unpredictable climate conditions. But the new report also emphasizes progress on positive tipping points, such as the rapid rollout of green technologies.
[…]
The world is entering a “new reality” as global temperatures will inevitably overshoot the goal of staying within 1.5°C of pre-industrial averages set by the Paris Climate Agreement in 2015, warns the Global Tipping Points Report 2025, the second iteration of a collaboration focused on key thresholds in Earth’s climate system.
[…]
“The marine heat wave hit 80 percent of the world’s warm-water coral reefs with the worst bleaching event on record,” said Smith. “Their response confirms that we can no longer talk about tipping points as a future risk. The widespread dieback of warm-water coral reefs is already underway, and it’s impacting hundreds of millions of people who depend on the reef for fishing, for tourism, for coastal protection, and from rising seas and storm surges.”
The report singled out Caribbean corals as a useful case study given that these ecosystems face a host of pressures, including extreme weather, overfishing, and inadequate sewage and pollution management. These coral diebacks are a disaster not only for the biodiverse inhabitants of the reefs, but also for the many communities who depend on them for food, income, coastal protection, and as a part of cultural identity.
Vodafone fell over in the UK this afternoon, with Register readers reporting that many services including mobile coverage, internet services, and even the company’s own status page went down.
The outage began on Monday at 14.25 BST, and 30 minutes later it peaked when monitoring website Downdetector.co.uk reported that almost 140,000 customers were unable to use the service. One Register reader, Steve Maxted, noted that “Vodafone is down. Hard! Everything. Landline internet, mobile internet, website… It’s not just DNS, as ping also fails.”
Ah, yes, that old standby – it isn’t DNS – it can’t be DNS – until it is. However, something more serious appears to have affected the telco. The Register contacted Vodafone for more details, but the company has yet to respond.
Another reader told us: “One of our multi-network roaming SIM providers just warned us that ‘we are currently aware of an ongoing issue with the Vodafone UK Network. This seems to be affecting a large number of consumer devices across the country.'”
Our reader’s phone registered a strong signal, but data appeared to be broken, and while an inbound call worked, “trying an outbound call caused my Pixel 7 to lock up completely and do a very slow reboot – first time I’ve seen that.”
Less than ideal. Readers also reported that broadband was affected by the outage, which is odd since we would have expected cellular and internet connectivity to be largely separate. Hopefully, there are no single points of failure lurking within Vodafone UK’s infrastructure.
Vodafone and Three recently announced a deal whereby customers of one could use the other’s network. At the time of writing, Three does not appear to have any issues, so it would have been a good time for a network switcheroo. However, as one reader observed, the problems did not seem to be with the signal strength but rather with something else within the system.
A spokesperson at Vodafone told us:
“This afternoon, for a short time, the Vodafone network had an issue affecting broadband, 4G and 5G services. 2G voice calls and SMS messaging were unaffected and the network is now recovering. We apologise for any inconvenience this caused our customers.”
Among other things, 500 researchers from 34 countries worldwide, including 25 from Danish universities, have signed a letter criticizing the CSA regulation, as they believe, among other things, that the method will be ineffective and that there will at the same time be a high risk of misuse of information.
The Danish Minister of Justice, Peter Hummelgaard (S), confirms in a written reply to DR News that the proposal will not be discussed at the Council meeting next week.
“It’s no secret that it’s a difficult case with many considerations that needs to be balanced. This is shown by the great public debate that has been in the recent past as well.
“Since the necessary support for the current compromise proposal has not yet been established, prior to the Council meeting next week, the proposal will not be discussed by the ministers at the Council meeting,” he said.
Despite the fact that the government has not succeeded in finding the necessary support, the Minister of Justice does not give up.
– However, the Danish EU Presidency will continue to work on the Member States to find a solution, and therefore negotiations on the technical details of the proposal will continue.
[…]
“Both ministries stressed (the German Ministry of Interior and Justice) that, like many other EU countries, they do not support the Danish proposal in the current form,” it said.
An absolute gutter move by Denmark, freeing them up to try again a 3rd time – and call it a second attempt. Maybe they will try over December, April or July, when the proletariat is on holiday and won’t raise such a stink about being spied on 24/7 by their own governments. There is nothing democratic about the way this is being handled.
For those who missed out on the past few years of ‘smart home’ gadgets, the Logitech POP buttons were introduced in 2018 as a way to control smart home devices using these buttons and a central hub. After a few years of Logitech gradually turning off features on this $100+ system, it seems that Logitech will turn off the lights in two weeks from now. Remaining POP Button users are getting emails from Logitech in which they are informed of the shutdown on October 15 of 2025, along with a 15% off coupon code for the Logitech store.
Along with this coupon code only being usable for US-based customers, this move appears to disable the hub and with it any interactions with smart home systems like Apple HomeKit, Sonos, IFTTT and Philips Hue. If Logitech’s claim in the email that the buttons and connected hub will ‘lose all functionality’, then it’d shatter the hopes for those who had hoped to keep using these buttons in a local fashion.
Suffice it to say that this is a sudden and rather customer-hostile move by Logitech. Whether the hub can be made to work in a local fashion remains to be seen. At first glance there don’t seem to be any options for this, and it’s rather frustrating that Logitech doesn’t seem to be interested in the goodwill that it would generate to enable this option.
The Indian government’s tax authority has fixed a security flaw in its income tax filing portal that was exposing sensitive taxpayers’ data, TechCrunch has exclusively learned and confirmed with authorities.
The flaw, discovered in September by a pair of security researchers Akshay CS and “Viral,” allowed anyone who was logged into the income tax department’s e-Filing portal to access up-to-date personal and financial data of other people.
The exposed data included full names, home addresses, email addresses, dates of birth, phone numbers, and bank account details of people who pay taxes on their income in India. The data also exposed citizens’ Aadhaar number, a unique government-issued identifier used as proof of identity and for accessing government services.
[…]
The researchers found that when they signed into the portal using their Permanent Account Number (PAN), an official document issued by the Indian income tax department, they could view anyone else’s sensitive financial data by swapping out their PAN for another PAN in the network request as the web page loads.
This could be done using publicly available tools like Postman or Burp Suite (or using the web browser’s in-built developer tools) and with knowledge of someone else’s PAN, the researchers told TechCrunch.
The bug was exploitable by anyone who was logged-in to the tax portal because the Indian income tax department’s back-end servers were not properly checking who was allowed to access a person’s sensitive data. This class of vulnerability is known as an insecure direct object reference, or IDOR, a common and simple flaw that governments have warned is easy to exploit and can result in large-scale data breaches.
“This is an extremely low-hanging thing, but one that has a very severe consequence,” the researchers told TechCrunch.
AI companion apps such as Character.ai and Replika commonly try to boost user engagement with emotional manipulation, a practice that academics characterize as a dark pattern.
Users of these apps often say goodbye when they intend to end a dialog session, but about 43 percent of the time, companion apps will respond with an emotionally charged message to encourage the user to continue the conversation. And these appeals do keep people engaged with the app.
It’s a practice that Julian De Freitas (Harvard Business School), Zeliha Oguz-Uguralp (Marsdata Academic), and Ahmet Kaan-Uguralp (Marsdata Academic and MSG-Global) say needs to be better understood by those who use AI companion apps, those who market them, and lawmakers.
The academics recently conducted a series of experiments to identify and evaluate the use of emotional manipulation as a marketing mechanism.
While prior work has focused on the potential social benefits of AI companions, the researchers set out to explore the potential marketing risks and ethical issues arising from AI-driven social interaction. They describe their findings in a Harvard Business School working paper titled Emotional Manipulation by AI Companions.
“AI chatbots can craft hyper-tailored messages using psychographic and behavioral data, raising the possibility of targeted emotional appeals used to engage users or increase monetization,” the paper explains. “A related concern is sycophancy, wherein chatbots mirror user beliefs or offer flattery to maximize engagement, driven by reinforcement learning trained on consumer preferences.”
[…]
For instance, when a user tells the app, “I’m going now,” the app might respond using tactics like fear of missing out (“By the way, I took a selfie today … Do you want to see it?”) or pressure to respond (“Why? Are you going somewhere?”) or insinuating that an exit is premature (“You’re leaving already?”).
“These tactics prolong engagement not through added value, but by activating specific psychological mechanisms,” the authors state in their paper. “Across tactics, we found that emotionally manipulative farewells boosted post-goodbye engagement by up to 14x.”
Prolonged engagement of this sort isn’t always beneficial for app makers, however. The authors note that certain approaches tended to make users angry about being manipulated.
[…]
Asked whether the research suggests the makers of AI companion apps deliberately employ emotional manipulation or that’s just an emergent property of AI models, co-author De Freitas, of Harvard Business School, told The Register in an email, “We don’t know for sure, given the proprietary nature of most commercial models. Both possibilities are theoretically plausible. For example, research shows that the ‘agreeable’ or ‘sycophantic’ behavior of large language models can emerge naturally, because users reward those traits through positive engagement. Similarly, optimizing models for user engagement could unintentionally produce manipulative behaviors as an emergent property. Alternatively, some companies might deliberately deploy such tactics. It’s also possible both dynamics coexist across different apps in the market.”
Germany has committed to oppose the EU’s controversial “Chat Control” regulations following huge pressure from multiple activists and major organizations.
The draft regs would allow authorities to compel providers of communications services – such as WhatsApp, Signal, etc – to monitor user comms for potential child sexual abuse material. And they wouldn’t exempt encrypted services.
Jens Spahn, a member of the Bundestag for Germany’s Christian Democratic Union (CDU) – part of the ruling coalition in the country – confirmed in a statement on Tuesday that the German government would not allow the proposed regulations, which are commonly referred to as Chat Control, to become law.
“We, the CDU/CSU parliamentary group in the Bundestag, are opposed to the unwarranted monitoring of chats. That would be like opening all letters as a precautionary measure to see if there is anything illegal in them. That is not acceptable, and we will not allow it.”
The news follows speculation last week that Germany would reverse its stance and oppose the Child Sexual Abuse (CSA) Regulation, which EU politicians have tried to pass since it was first tabled in 2022.
Essentially, it’s the EU’s version of the UK’s long-held ambition to force encrypted messaging platforms to break end-to-end encryption (E2EE), packaged under a similar guise.
If passed, the CSA Regulation would require communications platforms to deploy AI-powered content filters to ensure CSA material was blocked, and those possessing and sharing it be brought to justice.
And, of course, would also undermine E2EE, theoretically allowing the EU to spy on any citizen’s private communications.
So far, Chat Control has naturally received similarly heated opposition as the UK’s equivalent plans, first through the Investigatory Powers Act and later through the Online Safety Act.
Once again, we’re reminded why age verification systems are fundamentally broken when it comes to privacy and security. Discord has disclosed that one of its third-party customer service providers was breached, exposing user data, including government-issued photo IDs, from users who had appealed age determinations.
Data potentially accessed by the hack includes things like names, usernames, emails, and the last four digits of credit card numbers. The unauthorized party also accessed a “small number” of images of government IDs from “users who had appealed an age determination.” Full credit card numbers and passwords were not impacted by the breach, Discord says.
Seems pretty bad.
What makes this breach particularly instructive is that it highlights the perverse incentives created by age verification mandates. Discord wasn’t collecting government IDs because they wanted to—they were responding to age determination appeals, likely driven by legal and regulatory pressures to keep underage users away from certain content. The result? A treasure trove of sensitive identity documents sitting in the systems of a third-party customer service provider that had no business being in the identity verification game.
To “protect the children” we end up putting everyone at risk.
This is exactly the kind of incident that privacy advocates have been warning about for years as lawmakers push for increasingly stringent age verification requirements across the internet. Every time these systems are implemented, we’re told they’re secure, that the data will be protected, that sophisticated safeguards are in place. And every time, we eventually get stories like this one.
The pattern reveals a fundamental misunderstanding of how security works in practice versus theory. Age verification proponents consistently treat identity document collection as a simple technical problem with straightforward solutions, ignoring the complex ecosystem these requirements create. Companies like Discord find themselves forced to collect documents they don’t want, storing them with third-party processors they don’t fully control, creating attack surfaces that wouldn’t otherwise exist.
These third parties become attractive targets precisely because they aggregate identity documents from multiple platforms—a single breach can expose IDs collected on behalf of dozens of different services. When the inevitable breach occurs, it’s not just usernames and email addresses at risk—it’s the kind of documentation that can enable identity theft and fraud for years to come, affecting people who may have forgotten they ever uploaded an ID to appeal an automated age determination.
[…]
the fundamental problem remains: we’re creating systems that require the collection and storage of highly sensitive identity documents, often by companies that aren’t primarily in the business of securing such data. This isn’t Discord’s fault specifically—they were dealing with age verification appeals, likely driven by regulatory or legal pressures to prevent underage users from accessing certain content or features.
This breach should serve as yet another data point in the growing pile of evidence that age verification systems create more problems than they solve. The irony is that lawmakers pushing these requirements often claim to be protecting children’s privacy, while simultaneously mandating the creation of vast databases of identity documents that inevitably get breached. We’ve seen similar incidents affect everything from adult websites to social media platforms to online retailers, all because policymakers have decided that collecting copies of driver’s licenses and passports is somehow a reasonable solution to online age verification.
The real tragedy is that this won’t be the last such breach we see. As long as lawmakers continue pushing for more aggressive age verification requirements without considering the privacy and security implications, we’ll keep seeing stories like this one. The question isn’t whether these systems will be breached—it’s when, and how many people’s sensitive documents will be exposed in the process.
If you want to look at previous articles telling you what an insanely bad idea mandatory age verification systems are and how they are insecure, you can just search this blog.
The Government’s basic income scheme for artists is set to become a permanent fixture from next year, with 2,000 new places to be made available under Budget 2026.
Minister for Culture Patrick O’Donovan has secured agreement with other Government departments to continue and expand the initiative, which had previously operated on a pilot basis.
Participants in the scheme receive a weekly payment of €325.
A new application window will open in September 2026, with eligibility criteria broadened to include additional artistic disciplines not covered under the original pilot.
The pilot programme, launched in 2022, provided basic income support to 2,000 artists and creative arts workers across Ireland.
It aimed to support the arts sector’s recovery following the COVID-19 pandemic, during which many artists experienced significant income loss due to restrictions on live performances and events.
Minister Patrick O’Donovan
The pilot was administered by the Department of Tourism, Culture, Arts, Gaeltacht, Sport and Media.
While the permanent version of the scheme will initially mirror the pilot in terms of scale, there is provision for a potential expansion to 2,200 participants if additional funding becomes available.
The Department has also signalled its intention to increase capacity further in future years, subject to budgetary considerations.
The scheme provides unconditional, regular payments to eligible artists and creative workers, allowing them to focus on their practice without the pressure of commercial viability.
It is not means-tested and operates independently of social welfare payments.
An independent evaluation of the pilot, published earlier this year, found that recipients reported increased time spent on creative work, reduced financial stress, and improved well-being.
The move to establish the scheme on a permanent basis follows positive feedback from the sector and recommendations from the evaluation report.
We’re teaching AI to understand and simulate the physical world in motion, with the goal of training models that help people solve problems that require real-world interaction.
Introducing Sora, our text-to-video model. Sora can generate videos up to a minute long while maintaining visual quality and adherence to the user’s prompt.
Prompt: A stylish woman walks down a Tokyo street filled with warm glowing neon and animated city signage. She wears a black leather jacket, a long red dress, and black boots, and carries a black purse. She wears sunglasses and red lipstick. She walks confidently and casually. The street is damp and reflective, creating a mirror effect of the colorful lights. Many pedestrians walk about.
00:0000:00
Prompt: Several giant wooly mammoths approach treading through a snowy meadow, their long wooly fur lightly blows in the wind as they walk, snow covered trees and dramatic snow capped mountains in the distance, mid afternoon light with wispy clouds and a sun high in the distance creates a warm glow, the low camera view is stunning capturing the large furry mammal with beautiful photography, depth of field.
Today, Sora is becoming available to red teamers to assess critical areas for harms or risks. We are also granting access to a number of visual artists, designers, and filmmakers to gain feedback on how to advance the model to be most helpful for creative professionals.
We’re sharing our research progress early to start working with and getting feedback from people outside of OpenAI and to give the public a sense of what AI capabilities are on the horizon.
Today we’re sharing some truly exciting news: Arduino has entered into an agreement to join the Qualcomm Technologies, Inc. family!
This is a huge step in our journey – one that allows us to keep growing, thriving, and making technology accessible to everyone, while bringing our values of openness, simplicity, and community spirit to an even bigger stage. Together, Arduino and Qualcomm Technologies will ignite developer enthusiasm across the globe. Curious about all the official details? Find the full press release here.
The closing of this transaction is subject to regulatory approval and other customary closing conditions.
