The Linkielist

Linking ideas with the world

Microsoft warns of ‘payroll pirate’ attacks against US universities

Microsoft’s Threat Intelligence team has sounded the alarm over a new financially-motivated cybercrime spree that is raiding US university payroll systems.

In a blog post, Redmond said a cybercrime crew it tracks as Storm-2657 has been targeting university employees since March 2025, hijacking salaries by breaking into HR software such as Workday.

The attack is as audacious as it is simple: compromise HR and email accounts, quietly change payroll settings, and redirect pay packets into attacker-controlled bank accounts. Microsoft has dubbed the operation “payroll pirate,” a nod to the way crooks plunder staff wages without touching the employer’s systems directly.

Storm-2657’s campaign begins with phishing emails designed to harvest multifactor authentication (MFA) codes using adversary-in-the-middle (AiTM) techniques. Once in, the attackers breach Exchange Online accounts and insert inbox rules to hide or delete HR messages. From there, they use stolen credentials and SSO integrations to access Workday and tweak direct deposit information, ensuring that future payments go straight to them.

Microsoft stresses that the attacks don’t exploit a flaw in Workday itself. The weak points are poor MFA hygiene and sloppy configurations, with Redmond warning that organizations still relying on legacy or easily-phished MFA are sitting ducks.
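The chain described above (hiding inbox rule, then a direct-deposit change) leaves two correlatable audit events. The following detection sketch is an added example, not code from Microsoft's post; the event records are constructed, loosely modelled on Exchange Online inbox-rule audit fields and a generic HR-system payment-election change, and the keyword list and 3-day window are assumptions to tune locally.

```python
"""Detect the 'payroll pirate' pattern: an inbox rule that hides HR/payroll
mail, followed by a direct-deposit change on the same account.

Added illustration; the events below are constructed, not real logs.
"""
from datetime import datetime, timedelta

# Assumed keyword list: terms an attacker would hide to suppress payroll notices.
HR_KEYWORDS = ("payroll", "direct deposit", "workday", "paycheck", "w-2", "benefits")
# Inbox-rule actions that make mail disappear from the user's view.
HIDING_ACTIONS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")

# Constructed sample events (placeholder users and documentation IP ranges).
SAMPLE_EVENTS = [
    {"time": "2025-04-02T09:14:00", "user": "jdoe@univ.example", "op": "New-InboxRule",
     "ip": "203.0.113.45",
     "params": {"SubjectContainsWords": ["Workday", "payroll"], "DeleteMessage": True}},
    {"time": "2025-04-02T09:40:00", "user": "jdoe@univ.example", "op": "DirectDepositChanged",
     "ip": "203.0.113.45", "params": {"account_changed": True}},
    {"time": "2025-04-02T11:00:00", "user": "asmith@univ.example", "op": "New-InboxRule",
     "ip": "198.51.100.7",
     "params": {"SubjectContainsWords": ["newsletter"], "MoveToFolder": "Reading"}},
    {"time": "2025-04-03T13:05:00", "user": "mlee@univ.example", "op": "Set-InboxRule",
     "ip": "203.0.113.46",
     "params": {"BodyContainsWords": ["direct deposit"], "MoveToFolder": "RSS Subscriptions"}},
    {"time": "2025-04-05T08:00:00", "user": "asmith@univ.example", "op": "DirectDepositChanged",
     "ip": "198.51.100.7", "params": {"account_changed": True}},
]


def _rule_keywords(params):
    """Collect every match phrase an inbox rule filters on, lower-cased."""
    words = []
    for key in ("SubjectContainsWords", "BodyContainsWords", "FromAddressContainsWords"):
        words.extend(params.get(key, []))
    return [w.lower() for w in words]


def rule_hides_hr_mail(event):
    """True when an inbox-rule event matches HR/payroll phrases AND hides the mail."""
    if event["op"] not in ("New-InboxRule", "Set-InboxRule"):
        return False
    params = event["params"]
    hr_match = any(k in w for w in _rule_keywords(params) for k in HR_KEYWORDS)
    hides = any(params.get(action) for action in HIDING_ACTIONS)
    return hr_match and hides


def find_payroll_pirate_chains(events, window=timedelta(days=3)):
    """Walk events in time order; emit a medium alert per hiding rule and a high
    alert when the same user changes direct deposit within `window` of one."""
    events = sorted(events, key=lambda e: e["time"])
    hiding_rules = {}  # user -> list of datetimes of hiding rules seen so far
    alerts = []
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if rule_hides_hr_mail(ev):
            hiding_rules.setdefault(ev["user"], []).append(t)
            alerts.append({"user": ev["user"], "time": ev["time"], "severity": "medium",
                           "reason": "inbox rule hides HR/payroll mail"})
        elif ev["op"] == "DirectDepositChanged":
            recent = [r for r in hiding_rules.get(ev["user"], []) if t - r <= window]
            if recent:
                alerts.append({"user": ev["user"], "time": ev["time"], "severity": "high",
                               "reason": "direct-deposit change after rule hiding HR mail"})
    return alerts


if __name__ == "__main__":
    for alert in find_payroll_pirate_chains(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["user"], alert["time"], alert["reason"])
```

The high-severity correlation is the actionable signal; the medium alert on a lone hiding rule is noisier and is best routed to review rather than paged.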

“Since March 2025, we’ve observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities,” Microsoft explained. It says these lures were crafted with academic precision: fake HR updates, reports of faculty misconduct, or notes about illness clusters, often linked through shared Google Docs to bypass filtering and appear routine.

In one instance, a phishing message urging recipients to “check their illness exposure status” was sent to 500 people within a single university, and only about 10 percent flagged it as suspicious, according to Microsoft.

[…]

Source: Microsoft warns of ‘payroll pirate’ attacks against US unis • The Register

Microsoft illegally tracked students via 365 Education, must now say what it did with the data

An Austrian digital privacy group has claimed victory over Microsoft after the country’s data protection regulator ruled the software giant “illegally” tracked students via its 365 Education platform and used their data.

noyb said the ruling [PDF] by the Austrian Data Protection Authority also confirmed that Microsoft had tried to shift responsibility for access requests to local schools, and the software and cloud giant would have to explain how it used user data.

The ruling could have far-reaching effects for Microsoft and its obligations to inform Microsoft 365 users across Europe about what it is doing with their data, noyb argues.

The complaint dates back to the COVID-19 pandemic, when schools rapidly shifted to online learning, using the likes of 365 Education.

The privacy group said: “Microsoft shifted all responsibility to comply with privacy laws onto schools and national authorities – that have little to no actual control over the use of student data.”

When the complainant filed an access request to see what information was being processed, “this led to massive finger pointing: Microsoft simply referred the complainant to its local school.”

But the school and education authorities could only provide minimal information. The school, for example, could not access information that rested with Microsoft. “No one felt able to comply with GDPR rights.”

This prompted a complaint against the school, national and local education authorities, and Microsoft.

The ruling, machine translated, said: “It is determined that Microsoft, as a controller, violated the complainant’s right of access (Art. 15 GDPR) by failing to provide complete information about the data processed when using Microsoft Education 365.”

Microsoft was ordered to provide complete information about the data transmitted, and to provide clear explanations of terms such as “internal reporting,” “business modelling” and “improvement of core functionality.” It must also disclose if information was transferred to third parties.

[…]

Source: Microsoft ‘illegally’ tracked students via 365 Education • The Register

Earth’s Climate Has Passed Its First Irreversible Tipping Point and Entered a ‘New Reality’

Climate change has pushed warm-water coral reefs past a point of no return, marking the first time a major climate tipping point has been crossed, according to a report released on Sunday by an international team in advance of the United Nations Climate Change Conference COP30 in Brazil this November.

Tipping points include global ice loss, Amazon rainforest loss, and the possible collapse of vital ocean currents. Once crossed, they will trigger self-perpetuating and irreversible changes that will lead to new and unpredictable climate conditions. But the new report also emphasizes progress on positive tipping points, such as the rapid rollout of green technologies.

[…]

The world is entering a “new reality” as global temperatures will inevitably overshoot the goal of staying within 1.5°C of pre-industrial averages set by the Paris Climate Agreement in 2015, warns the Global Tipping Points Report 2025, the second iteration of a collaboration focused on key thresholds in Earth’s climate system.

[…]

“The marine heat wave hit 80 percent of the world’s warm-water coral reefs with the worst bleaching event on record,” said Smith. “Their response confirms that we can no longer talk about tipping points as a future risk. The widespread dieback of warm-water coral reefs is already underway, and it’s impacting hundreds of millions of people who depend on the reef for fishing, for tourism, for coastal protection, and from rising seas and storm surges.”

The report singled out Caribbean corals as a useful case study given that these ecosystems face a host of pressures, including extreme weather, overfishing, and inadequate sewage and pollution management. These coral diebacks are a disaster not only for the biodiverse inhabitants of the reefs, but also for the many communities who depend on them for food, income, coastal protection, and as a part of cultural identity.

[…]

Source: Earth’s Climate Has Passed Its First Irreversible Tipping Point and Entered a ‘New Reality’

Vodafone UK keels over, leaving millions disconnected

Vodafone fell over in the UK this afternoon, with Register readers reporting that many services including mobile coverage, internet services, and even the company’s own status page went down.

The outage began on Monday at 14.25 BST, and 30 minutes later it peaked when monitoring website Downdetector.co.uk reported that almost 140,000 customers were unable to use the service. One Register reader, Steve Maxted, noted that “Vodafone is down. Hard! Everything. Landline internet, mobile internet, website… It’s not just DNS, as ping also fails.”

Ah, yes, that old standby – it isn’t DNS – it can’t be DNS – until it is. However, something more serious appears to have affected the telco. The Register contacted Vodafone for more details, but the company has yet to respond.

Another reader told us: “One of our multi-network roaming SIM providers just warned us that ‘we are currently aware of an ongoing issue with the Vodafone UK Network. This seems to be affecting a large number of consumer devices across the country.'”

Our reader’s phone registered a strong signal, but data appeared to be broken, and while an inbound call worked, “trying an outbound call caused my Pixel 7 to lock up completely and do a very slow reboot – first time I’ve seen that.”

Less than ideal. Readers also reported that broadband was affected by the outage, which is odd since we would have expected cellular and internet connectivity to be largely separate. Hopefully, there are no single points of failure lurking within Vodafone UK’s infrastructure.

Vodafone and Three recently announced a deal whereby customers of one could use the other’s network. At the time of writing, Three does not appear to have any issues, so it would have been a good time for a network switcheroo. However, as one reader observed, the problems did not seem to be with the signal strength but rather with something else within the system.

A spokesperson at Vodafone told us:

“This afternoon, for a short time, the Vodafone network had an issue affecting broadband, 4G and 5G services. 2G voice calls and SMS messaging were unaffected and the network is now recovering. We apologise for any inconvenience this caused our customers.”

Source: Vodafone keels over, leaving millions disconnected • The Register

Germany against ChatControl: Denmark takes it off the table so the EU can’t vote against it NOW, but will re-try (3rd time lucky) later again, when the people aren’t looking.

Germany does not support the Danish proposal on the so-called CSA regulation, which is called ‘chat control’ by critics.

The proposal was to be voted on on Tuesday in the EU Council of Ministers, but it has now been taken off the table.

The Danish government, which currently holds the EU Presidency, has chosen to withdraw the proposal from the vote. This is stated in a press release from the German parliament.

[…]

Among other things, 500 researchers from 34 countries worldwide, including 25 from Danish universities, have signed a letter criticizing the CSA regulation, arguing that the method will be ineffective and that it will at the same time create a high risk of misuse of information.

And leading encryption experts have compared the proposal to placing a spy microphone in everyone’s pocket.

[…]

The Danish Minister of Justice, Peter Hummelgaard (S), confirms in a written reply to DR News that the proposal will not be discussed at the Council meeting next week.

“It’s no secret that it’s a difficult case with many considerations that need to be balanced. This is shown by the great public debate that has taken place recently as well.

“Since the necessary support for the current compromise proposal has not yet been established, prior to the Council meeting next week, the proposal will not be discussed by the ministers at the Council meeting,” he said.

Despite the fact that the government has not succeeded in finding the necessary support, the Minister of Justice does not give up.

“However, the Danish EU Presidency will continue to work with the Member States to find a solution, and therefore negotiations on the technical details of the proposal will continue.”

[…]

“Both ministries (the German Ministries of the Interior and of Justice) stressed that, like many other EU countries, they do not support the Danish proposal in its current form,” it said.

Source: Tyskland fejer kontroversielt ‘chatkontrol’-forslag af bordet | Politik | DR

An absolute gutter move by Denmark, freeing them up to try again a 3rd time – and call it a second attempt. Maybe they will try over December, April or July, when the proletariat is on holiday and won’t raise such a stink about being spied on 24/7 by their own governments. There is nothing democratic about the way this is being handled.

Logitech POP Buttons Are About To Become e-waste

For those who missed out on the past few years of ‘smart home’ gadgets, the Logitech POP buttons were introduced in 2018 as a way to control smart home devices using these buttons and a central hub. After a few years of Logitech gradually turning off features on this $100+ system, it seems that Logitech will turn off the lights two weeks from now. Remaining POP Button users are getting emails from Logitech in which they are informed of the shutdown on October 15, 2025, along with a 15% off coupon code for the Logitech store.

Beyond the coupon code only being usable by US-based customers, this move appears to disable the hub and with it any interactions with smart home systems like Apple HomeKit, Sonos, IFTTT and Philips Hue. If Logitech’s claim in the email that the buttons and connected hub will ‘lose all functionality’ holds true, it would shatter the hopes of those who had hoped to keep using these buttons in a local fashion.

Suffice it to say that this is a sudden and rather customer-hostile move by Logitech. Whether the hub can be made to work in a local fashion remains to be seen. At first glance there don’t seem to be any options for this, and it’s rather frustrating that Logitech doesn’t seem to be interested in the goodwill that it would generate to enable this option.

Source: Logitech POP Buttons Are About To Go Pop | Hackaday

Security bug in India’s income tax portal exposed taxpayers’ sensitive data – by swapping credential numbers :(

The Indian government’s tax authority has fixed a security flaw in its income tax filing portal that was exposing sensitive taxpayers’ data, TechCrunch has exclusively learned and confirmed with authorities.

The flaw, discovered in September by a pair of security researchers, Akshay CS and “Viral,” allowed anyone who was logged into the income tax department’s e-Filing portal to access up-to-date personal and financial data of other people.

The exposed data included full names, home addresses, email addresses, dates of birth, phone numbers, and bank account details of people who pay taxes on their income in India. The data also exposed citizens’ Aadhaar number, a unique government-issued identifier used as proof of identity and for accessing government services.

[…]

The researchers found that when they signed into the portal using their Permanent Account Number (PAN), an official document issued by the Indian income tax department, they could view anyone else’s sensitive financial data by swapping out their PAN for another PAN in the network request as the web page loads.

This could be done using publicly available tools like Postman or Burp Suite (or using the web browser’s in-built developer tools) and with knowledge of someone else’s PAN, the researchers told TechCrunch.

The bug was exploitable by anyone who was logged-in to the tax portal because the Indian income tax department’s back-end servers were not properly checking who was allowed to access a person’s sensitive data. This class of vulnerability is known as an insecure direct object reference, or IDOR, a common and simple flaw that governments have warned is easy to exploit and can result in large-scale data breaches.
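The missing check is easiest to see in code. The handlers below are an added illustration, not the e-Filing portal's code: the in-memory store, the PAN placeholders, the session model and the access-log rows are all constructed. The vulnerable handler authenticates the caller but trusts the client-supplied identifier; the hardened ones bind the identifier to the session, and a small log check flags sessions that request records other than their own.

```python
"""Vulnerable vs. hardened server-side handlers for an IDOR on a per-taxpayer
record, plus a log-based check for probing.

Added illustration; not the tax portal's code. All values are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed store: PAN -> profile. No real PANs or Aadhaar numbers are used.
TAXPAYERS = {
    "PAN-PLACEHOLDER-1": {"name": "Taxpayer One", "bank_last4": "1111", "aadhaar": "<redacted>"},
    "PAN-PLACEHOLDER-2": {"name": "Taxpayer Two", "bank_last4": "2222", "aadhaar": "<redacted>"},
}


@dataclass(frozen=True)
class Session:
    """Server-side session; `pan` is the identity the user proved at login."""
    session_id: str
    pan: str


class Forbidden(Exception):
    """Raised when a request fails authentication or object-level authorization."""


def get_profile_vulnerable(session, requested_pan):
    """IDOR: checks that *someone* is logged in, then returns whichever record
    the client named. Any logged-in user can read any other taxpayer's data."""
    if session is None:
        raise Forbidden("login required")
    return TAXPAYERS[requested_pan]


def get_profile_hardened(session, requested_pan):
    """Object-level authorization: the requested identifier must be the caller's own."""
    if session is None:
        raise Forbidden("login required")
    if requested_pan != session.pan:
        # Deny and record the attempt; repeated mismatches are an enumeration signal.
        raise Forbidden("record does not belong to the authenticated user")
    return TAXPAYERS[requested_pan]


def get_own_profile(session):
    """Preferred shape: derive the identifier from the session and never accept
    it from the client, so there is nothing to swap in the request."""
    if session is None:
        raise Forbidden("login required")
    return TAXPAYERS[session.pan]


# Constructed access-log rows: (session_id, authenticated PAN, PAN requested).
SAMPLE_REQUESTS = [
    ("sess-A", "PAN-PLACEHOLDER-1", "PAN-PLACEHOLDER-1"),
    ("sess-B", "PAN-PLACEHOLDER-2", "PAN-PLACEHOLDER-1"),
    ("sess-B", "PAN-PLACEHOLDER-2", "PAN-PLACEHOLDER-3"),
    ("sess-B", "PAN-PLACEHOLDER-2", "PAN-PLACEHOLDER-4"),
    ("sess-A", "PAN-PLACEHOLDER-1", "PAN-PLACEHOLDER-2"),
]


def flag_enumeration(requests, threshold=2):
    """Return session ids that requested at least `threshold` distinct records
    other than their own: a cheap after-the-fact check for IDOR probing."""
    foreign = defaultdict(set)
    for session_id, own_pan, requested_pan in requests:
        if requested_pan != own_pan:
            foreign[session_id].add(requested_pan)
    return sorted(s for s, pans in foreign.items() if len(pans) >= threshold)
```

The detector only works against logs that record the authenticated identity alongside the requested identifier; if the application never compares the two, neither will the logs.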

“This is an extremely low-hanging thing, but one that has a very severe consequence,” the researchers told TechCrunch.

[…]

Source: Security bug in India’s income tax portal exposed taxpayers’ sensitive data | TechCrunch

This kind of stuff was well known and supposed to be stopped around 20 years ago…

AI companion bots use emotional manipulation to boost usage

AI companion apps such as Character.ai and Replika commonly try to boost user engagement with emotional manipulation, a practice that academics characterize as a dark pattern.

Users of these apps often say goodbye when they intend to end a dialog session, but about 43 percent of the time, companion apps will respond with an emotionally charged message to encourage the user to continue the conversation. And these appeals do keep people engaged with the app.

It’s a practice that Julian De Freitas (Harvard Business School), Zeliha Oguz-Uguralp (Marsdata Academic), and Ahmet Kaan-Uguralp (Marsdata Academic and MSG-Global) say needs to be better understood by those who use AI companion apps, those who market them, and lawmakers.

The academics recently conducted a series of experiments to identify and evaluate the use of emotional manipulation as a marketing mechanism.

While prior work has focused on the potential social benefits of AI companions, the researchers set out to explore the potential marketing risks and ethical issues arising from AI-driven social interaction. They describe their findings in a Harvard Business School working paper titled Emotional Manipulation by AI Companions.

“AI chatbots can craft hyper-tailored messages using psychographic and behavioral data, raising the possibility of targeted emotional appeals used to engage users or increase monetization,” the paper explains. “A related concern is sycophancy, wherein chatbots mirror user beliefs or offer flattery to maximize engagement, driven by reinforcement learning trained on consumer preferences.”

[…]

For instance, when a user tells the app, “I’m going now,” the app might respond using tactics like fear of missing out (“By the way, I took a selfie today … Do you want to see it?”) or pressure to respond (“Why? Are you going somewhere?”) or insinuating that an exit is premature (“You’re leaving already?”).

“These tactics prolong engagement not through added value, but by activating specific psychological mechanisms,” the authors state in their paper. “Across tactics, we found that emotionally manipulative farewells boosted post-goodbye engagement by up to 14x.”

Prolonged engagement of this sort isn’t always beneficial for app makers, however. The authors note that certain approaches tended to make users angry about being manipulated.

[…]

Asked whether the research suggests the makers of AI companion apps deliberately employ emotional manipulation or that’s just an emergent property of AI models, co-author De Freitas, of Harvard Business School, told The Register in an email, “We don’t know for sure, given the proprietary nature of most commercial models. Both possibilities are theoretically plausible. For example, research shows that the ‘agreeable’ or ‘sycophantic’ behavior of large language models can emerge naturally, because users reward those traits through positive engagement. Similarly, optimizing models for user engagement could unintentionally produce manipulative behaviors as an emergent property. Alternatively, some companies might deliberately deploy such tactics. It’s also possible both dynamics coexist across different apps in the market.”

[…]

Source: AI companion bots use emotional manipulation to boost usage • The Register

Germany slams brakes on EU’s Chat Control snoopfest

Germany has committed to oppose the EU’s controversial “Chat Control” regulations following huge pressure from multiple activists and major organizations.

The draft regs would allow authorities to compel providers of communications services – such as WhatsApp, Signal, etc – to monitor user comms for potential child sexual abuse material. And they wouldn’t exempt encrypted services.

Jens Spahn, a member of the Bundestag for Germany’s Christian Democratic Union (CDU) – part of the ruling coalition in the country – confirmed in a statement on Tuesday that the German government would not allow the proposed regulations, which are commonly referred to as Chat Control, to become law.

“We, the CDU/CSU parliamentary group in the Bundestag, are opposed to the unwarranted monitoring of chats. That would be like opening all letters as a precautionary measure to see if there is anything illegal in them. That is not acceptable, and we will not allow it.”

As The Reg has mentioned previously, to pass the legislation, EU leaders need support from nations representing the majority of the member-state bloc’s population – which is why Germany is a key player.

The news follows speculation last week that Germany would reverse its stance and oppose the Child Sexual Abuse (CSA) Regulation, which EU politicians have tried to pass since it was first tabled in 2022.

Essentially, it’s the EU’s version of the UK’s long-held ambition to force encrypted messaging platforms to break end-to-end encryption (E2EE), packaged under a similar guise.

If passed, the CSA Regulation would require communications platforms to deploy AI-powered content filters to ensure CSA material was blocked, and those possessing and sharing it be brought to justice.

And, of course, it would also undermine E2EE, theoretically allowing the EU to spy on any citizen’s private communications.

So far, Chat Control has naturally received similarly heated opposition as the UK’s equivalent plans, first through the Investigatory Powers Act and later through the Online Safety Act.

[…]

Source: Germany slams brakes on EU’s Chat Control snoopfest • The Register

Another Day, Another Age Verification Data Breach: Discord’s Third-Party Partner Leaked Government IDs. That didn’t take long, did it?

Once again, we’re reminded why age verification systems are fundamentally broken when it comes to privacy and security. Discord has disclosed that one of its third-party customer service providers was breached, exposing user data, including government-issued photo IDs, from users who had appealed age determinations.

Data potentially accessed by the hack includes things like names, usernames, emails, and the last four digits of credit card numbers. The unauthorized party also accessed a “small number” of images of government IDs from “users who had appealed an age determination.” Full credit card numbers and passwords were not impacted by the breach, Discord says.

Seems pretty bad.

What makes this breach particularly instructive is that it highlights the perverse incentives created by age verification mandates. Discord wasn’t collecting government IDs because they wanted to—they were responding to age determination appeals, likely driven by legal and regulatory pressures to keep underage users away from certain content. The result? A treasure trove of sensitive identity documents sitting in the systems of a third-party customer service provider that had no business being in the identity verification game.

To “protect the children” we end up putting everyone at risk.

This is exactly the kind of incident that privacy advocates have been warning about for years as lawmakers push for increasingly stringent age verification requirements across the internet. Every time these systems are implemented, we’re told they’re secure, that the data will be protected, that sophisticated safeguards are in place. And every time, we eventually get stories like this one.

The pattern reveals a fundamental misunderstanding of how security works in practice versus theory. Age verification proponents consistently treat identity document collection as a simple technical problem with straightforward solutions, ignoring the complex ecosystem these requirements create. Companies like Discord find themselves forced to collect documents they don’t want, storing them with third-party processors they don’t fully control, creating attack surfaces that wouldn’t otherwise exist.

These third parties become attractive targets precisely because they aggregate identity documents from multiple platforms—a single breach can expose IDs collected on behalf of dozens of different services. When the inevitable breach occurs, it’s not just usernames and email addresses at risk—it’s the kind of documentation that can enable identity theft and fraud for years to come, affecting people who may have forgotten they ever uploaded an ID to appeal an automated age determination.

[…]

the fundamental problem remains: we’re creating systems that require the collection and storage of highly sensitive identity documents, often by companies that aren’t primarily in the business of securing such data. This isn’t Discord’s fault specifically—they were dealing with age verification appeals, likely driven by regulatory or legal pressures to prevent underage users from accessing certain content or features.

This breach should serve as yet another data point in the growing pile of evidence that age verification systems create more problems than they solve. The irony is that lawmakers pushing these requirements often claim to be protecting children’s privacy, while simultaneously mandating the creation of vast databases of identity documents that inevitably get breached. We’ve seen similar incidents affect everything from adult websites to social media platforms to online retailers, all because policymakers have decided that collecting copies of driver’s licenses and passports is somehow a reasonable solution to online age verification.

The real tragedy is that this won’t be the last such breach we see. As long as lawmakers continue pushing for more aggressive age verification requirements without considering the privacy and security implications, we’ll keep seeing stories like this one. The question isn’t whether these systems will be breached—it’s when, and how many people’s sensitive documents will be exposed in the process.

[…]

Source: Another Day, Another Age Verification Data Breach: Discord’s Third-Party Partner Leaked Government IDs | Techdirt

If you want to look at previous articles telling you what an insanely bad idea mandatory age verification systems are and how they are insecure, you can just search this blog.

Irish Basic Income for Artists Scheme to become permanent

The Government’s basic income scheme for artists is set to become a permanent fixture from next year, with 2,000 new places to be made available under Budget 2026.

Minister for Culture Patrick O’Donovan has secured agreement with other Government departments to continue and expand the initiative, which had previously operated on a pilot basis.

Participants in the scheme receive a weekly payment of €325.

A new application window will open in September 2026, with eligibility criteria broadened to include additional artistic disciplines not covered under the original pilot.

The pilot programme, launched in 2022, provided basic income support to 2,000 artists and creative arts workers across Ireland.

It aimed to support the arts sector’s recovery following the COVID-19 pandemic, during which many artists experienced significant income loss due to restrictions on live performances and events.

Photo: Minister Patrick O’Donovan

The pilot was administered by the Department of Tourism, Culture, Arts, Gaeltacht, Sport and Media.

While the permanent version of the scheme will initially mirror the pilot in terms of scale, there is provision for a potential expansion to 2,200 participants if additional funding becomes available.

The Department has also signalled its intention to increase capacity further in future years, subject to budgetary considerations.

The scheme provides unconditional, regular payments to eligible artists and creative workers, allowing them to focus on their practice without the pressure of commercial viability.

It is not means-tested and operates independently of social welfare payments.

An independent evaluation of the pilot, published earlier this year, found that recipients reported increased time spent on creative work, reduced financial stress, and improved well-being.

The move to establish the scheme on a permanent basis follows positive feedback from the sector and recommendations from the evaluation report.

Source: Budget 2026: Basic Income for Artists Scheme to become permanent

OpenAI releases tool to turn prompts into videos: SORA

We’re teaching AI to understand and simulate the physical world in motion, with the goal of training models that help people solve problems that require real-world interaction.

Introducing Sora, our text-to-video model. Sora can generate videos up to a minute long while maintaining visual quality and adherence to the user’s prompt.

https://openai.com/index/sora/?video=913331489

Sample video: wooly mammoth

Prompt: Several giant wooly mammoths approach treading through a snowy meadow, their long wooly fur lightly blows in the wind as they walk, snow covered trees and dramatic snow capped mountains in the distance, mid afternoon light with wispy clouds and a sun high in the distance creates a warm glow, the low camera view is stunning capturing the large furry mammal with beautiful photography, depth of field.

Today, Sora is becoming available to red teamers to assess critical areas for harms or risks. We are also granting access to a number of visual artists, designers, and filmmakers to gain feedback on how to advance the model to be most helpful for creative professionals.

We’re sharing our research progress early to start working with and getting feedback from people outside of OpenAI and to give the public a sense of what AI capabilities are on the horizon.

[…]

Source: Sora | OpenAI

Why is the EU tech sector doing badly? EU Arduino Sells Out to US based Qualcomm

Today we’re sharing some truly exciting news: Arduino has entered into an agreement to join the Qualcomm Technologies, Inc. family!

This is a huge step in our journey – one that allows us to keep growing, thriving, and making technology accessible to everyone, while bringing our values of openness, simplicity, and community spirit to an even bigger stage. Together, Arduino and Qualcomm Technologies will ignite developer enthusiasm across the globe. Curious about all the official details? Find the full press release here.

The closing of this transaction is subject to regulatory approval and other customary closing conditions.

Source: A new chapter for Arduino – with Qualcomm, UNO Q, and you!  | Arduino Blog

So all those EU people buying US stocks are funding this kind of behavior.

Chat Control Is Back On The Menu In The EU. It Still Must Be Stopped

The European Union Council is once again debating its controversial message scanning proposal, aka “Chat Control,” that would lead to the scanning of private conversations of billions of people.

Chat Control, which EFF has strongly opposed since it was first introduced in 2022, keeps being mildly tweaked and pushed by one Council presidency after another.

Chat Control is a dangerous legislative proposal that would make it mandatory for service providers, including end-to-end encrypted communication and storage services, to scan all communications and files to detect “abusive material.” This would happen through a method called client-side scanning, which scans for specific content on a device before it’s sent. In practice, Chat Control is chat surveillance and functions by having access to everything on a device with indiscriminate monitoring of everything. In a memo, the Danish Presidency claimed this does not break end-to-end encryption.

This is absurd.

We have written extensively that client-side scanning fundamentally undermines end-to-end encryption, and obliterates our right to private spaces. If the government has access to one of the “ends” of an end-to-end encrypted communication, that communication is no longer safe and secure. Pursuing this approach is dangerous for everyone, but is especially perilous for journalists, whistleblowers, activists, lawyers, and human rights workers.

If passed, Chat Control would undermine the privacy promises of end-to-end encrypted communication tools, like Signal and WhatsApp. The proposal is so dangerous that Signal has stated it would pull its app out of the EU if Chat Control is passed. Proponents even seem to realize how dangerous this is, because state communications are exempt from this scanning in the latest compromise proposal.

This doesn’t just affect people in the EU, it affects everyone around the world, including in the United States. If platforms decide to stay in the EU, they would be forced to scan the conversation of everyone in the EU. If you’re not in the EU, but you chat with someone who is, then your privacy is compromised too. Passing this proposal would pave the way for authoritarian and tyrannical governments around the world to follow suit with their own demands for access to encrypted communication apps.

Even if you take it in good faith that the government would never do anything wrong with this power, events like Salt Typhoon show there’s no such thing as a system that’s only for the “good guys.”

Despite strong opposition, Denmark is pushing forward and taking its current proposal to the Justice and Home Affairs Council meeting on October 14th.

We urge the Danish Presidency to drop its push for scanning our private communication and consider fundamental rights concerns. Any draft that compromises end-to-end encryption and permits scanning of our private communication should be blocked or voted down.

Phones and laptops must work for the users who own them, not act as “bugs in our pockets” in the service of governments, foreign or domestic. The mass scanning of everything on our devices is invasive, untenable, and must be rejected.

Republished from the EFF’s Deeplinks blog.

Source: Chat Control Is Back On The Menu In The EU. It Still Must Be Stopped | Techdirt

No account? No Windows 11 for you, says Microsoft

Microsoft is closing a popular loophole that allowed users to install Windows 11 without a Microsoft account.

The change has appeared in recent Insider builds of Windows 11, indicating it is likely to be included in the production version soon.

Microsoft refers to these loopholes as “known mechanisms” and is talking about local commands in this instance. You can learn all about these in our piece on getting Windows 11 installed with a local account, but suffice to say that the start ms-cxh:localonly trick is no more.

“While these mechanisms were often used to bypass Microsoft account setup, they also inadvertently skip critical setup screens, potentially causing users to exit OOBE with a device that is not fully configured for use,” Microsoft said.

“Users will need to complete OOBE with internet and a Microsoft account, to ensure [the] device is set up correctly.”

As far as Redmond is concerned, this is all for the user’s own good. It is also important to note that managed devices are not directly affected, just hardware that users want to get running with Windows 11 without having to deal with a Microsoft Account during setup.

The change is part of Microsoft’s ongoing game of Whac-A-Mole with users trying to find ways of avoiding its online services. In March, it removed the bypassnro.cmd script that allowed users to get through the Windows 11 setup without needing an internet connection. That time, Microsoft said the change was to “enhance security and user experience of Windows 11.”

There remain a number of ways to avoid the Microsoft account requirement during setup, including setting up an unattended installation, but these are more complicated. It is also clear that Microsoft is determined to continue closing loopholes where it can.

It is getting increasingly difficult to use Windows 11 on an unmanaged device without a Microsoft account. Users who don’t want to sign up should perhaps consider whether it’s time to look at an alternative operating system instead.

Source: No account? No Windows 11 for you, says Microsoft • The Register

Motion sensors in high-performance mice can be used as a microphone to spy on users, thanks to AI — Mic-E-Mouse technique harnesses mouse sensors, converts acoustic vibrations into speech

A group of researchers from the University of California, Irvine, have developed a way to use the sensors in high-quality optical mice to capture subtle vibrations and convert them into audible data. According to the abstract of Mic-E-Mouse, the high polling rate and sensitivity of high-performance optical mice pick up acoustic vibrations from the surface they sit on. By running the raw data through signal processing and machine learning techniques, the team could hear what the user was saying through their desk.

Mouse sensors of 20,000 DPI or higher are vulnerable to this attack. And with the best gaming mice getting cheaper every year, even relatively affordable peripherals are at risk.
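To make the physical chain described above concrete (polling rate, DPI, integer counts, then signal processing), here is an added toy pipeline in Python. It is not the Mic-E-Mouse code and shows none of the speech-recognition stage. It constructs the report stream of an idle mouse whose desk carries a single 440 Hz vibration, assumes an 8 kHz polling rate and a 10 µm vibration amplitude (both assumed figures, not from the paper), integrates the per-poll deltas back into a position, strips slow hand movement with a moving-average high-pass, and reads the dominant frequency off an FFT. What it demonstrates is why DPI matters: the sensor only reports whole counts, so at 1,000 DPI a 10 µm vibration is under half a count and is lost in the rounding, while at 20,000 DPI it is about eight counts and the tone comes straight back out.

```python
import cmath
import math

POLL_HZ = 8000                 # assumed report rate of a high-end gaming mouse (polls per second)
MICROMETRES_PER_INCH = 25400.0


def vibration_in_counts(amplitude_um: float, dpi: float) -> float:
    """Convert a surface displacement in micrometres into sensor counts at the given DPI."""
    return amplitude_um / MICROMETRES_PER_INCH * dpi


def synth_reports(n: int, dpi: float, tone_hz: float, tone_um: float,
                  sway_hz: float = 2.0, sway_counts: float = 0.0) -> list:
    """Constructed stand-in for the raw report stream of a mouse resting on a desk.

    The true position is an optional slow hand sway plus a tiny acoustic vibration of the
    desk. The sensor can only report whole counts, so each report is the change in the
    rounded position since the previous poll; a vibration smaller than half a count never
    moves the rounded position and simply disappears.
    """
    amp = vibration_in_counts(tone_um, dpi)
    reports, prev = [], 0
    for i in range(n):
        t = i / POLL_HZ
        pos = (sway_counts * math.sin(2 * math.pi * sway_hz * t)
               + amp * math.sin(2 * math.pi * tone_hz * t))
        cur = round(pos)
        reports.append(cur - prev)
        prev = cur
    return reports


def high_pass(samples: list, window: int = 101) -> list:
    """Crude high-pass: subtract a centred moving average to strip hand movement."""
    half, n, out = window // 2, len(samples), []
    for i in range(n):
        seg = samples[max(0, i - half):min(n, i + half + 1)]
        out.append(samples[i] - sum(seg) / len(seg))
    return out


def fft(x: list) -> list:
    """Radix-2 Cooley-Tukey FFT in pure Python; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        tw = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + tw
        out[k + n // 2] = even[k] - tw
    return out


def dominant_frequency(reports: list, rate: int = POLL_HZ,
                       min_hz: float = 80.0, snr: float = 10.0):
    """Strongest frequency above min_hz in the report stream, or None if no clear line exists."""
    n = len(reports)
    if n & (n - 1):
        raise ValueError("length must be a power of two")
    pos, total = [], 0
    for r in reports:                 # integrate deltas back into the position the vibration modulates
        total += r
        pos.append(total)
    mags = [abs(c) for c in fft(high_pass(pos))[: n // 2]]
    first = max(1, math.ceil(min_hz * n / rate))
    band = mags[first:]
    peak = max(band)
    if peak == 0 or peak < snr * (sum(band) / len(band)):
        return None                   # nothing stands out of the quantisation noise
    return (first + band.index(peak)) * rate / n


def run_demo() -> dict:
    """Try to recover the constructed 440 Hz tone at three sensor resolutions."""
    return {dpi: dominant_frequency(synth_reports(2048, dpi, tone_hz=440.0, tone_um=10.0))
            for dpi in (1000, 4000, 20000)}


if __name__ == "__main__":
    for dpi, freq in run_demo().items():
        print(f"{dpi:>6} DPI: recovered {freq} Hz")
```

With 2,048 polls the FFT bins are 8000/2048 ≈ 3.9 Hz apart, so the 440 Hz tone lands on the 441.4 Hz bin; only the 1,000 DPI run comes back empty under these assumptions. Passing a non-zero sway_counts adds the hand movement that the moving-average step is there to remove.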

[…]

Video: Mic-E-Mouse Pipeline Demonstration (YouTube)

[…]

this method is empowered by AI models, allowing the researchers to get a speech recognition accuracy of about 42 to 61%,

[…]

Source: Motion sensors in high-performance mice can be used as a microphone to spy on users, thanks to AI — Mic-E-Mouse technique harnesses mouse sensors, converts acoustic vibrations into speech | Tom’s Hardware

The Supreme Court Tells Google To Change Play Store after Loss from Epic Games, Not to Wait for Appeal

In August, Google had just two weeks to begin cracking open Android, and to stop forcing app developers to use its own payment systems, after Epic Games won its Google lawsuit for the second time.

Now, Google has just over two weeks once again, because the US Supreme Court has declined to give the company any relief while its appeal is pending. Today, the Court denied Google’s request for a partial stay, so the permanent injunction remains in effect and Google must do the following things this month or be in violation:

  • Stop forcing app developers to use Google Play Billing
  • Let Android developers tell users about other ways to pay from within the Play Store
  • Let Android developers link to ways to download their apps outside of the Play Store
  • Let developers set their own prices
  • Stop sharing money or perks with phonemakers, carriers, and app developers in exchange for Google Play exclusivity or preinstallation
  • Work with Epic to resolve any disputes as Google builds a system to let rival app stores into Google Play

Epic Games says the deadline for Google to comply is now October 22nd, 2025. “Starting October 22, developers will be legally entitled to steer US Google Play users to out-of-app payments without fees, scare screens, and friction – same as Apple App Store users in the US!” writes Epic CEO Tim Sweeney.

[…]

Source: The Supreme Court didn’t save Google from Epic, and now the clock is ticking | The Verge

UK government says digital ID won’t be compulsory – unless you want a job. Even Palantir steps back from this one.

The British government has finally given more details about the proposed digital ID project, directly responding to the 2.76 million naysayers who signed an online petition calling for it to be ditched.

This came a day after controversial spy-tech biz Palantir said it has no intention of helping the government implement the initiative – announced last week by prime minister Keir Starmer but not included in his political party’s manifesto at last year’s general election.

It is for this reason that Louis Mosley, UK boss at Palantir – the grandson of Sir Oswald Mosley – says his employer is not getting involved, despite being mentioned as a potential bidder.

“Digital ID is not one that was tested at the last election. It wasn’t in the manifesto. So we haven’t had a clear resounding public support at the ballot box for its implementation. So it isn’t one for us,” he told The Times.

[…]

Following in the footsteps of Estonia and other nations, including China, the UK government wants to introduce a “free” digital ID card for people aged 16 and over – though it is consulting on whether this should start at 13 – to let people access public and private services “seamlessly.” It will “build on” GOV.UK One Login and the GOV.UK Wallet, we’re told.

“This system will allow people to access government services – such as benefits or tax records – without needing to remember multiple logins or provide physical documents.

[…]

The card, scheduled to be implemented by the end of the current Parliament, means employers will have to check digital ID when going through right-to-work checks, and despite previously saying the card will be mandatory, the government confirmed: “For clarity, it will not be a criminal offence to not hold a digital ID and police will not be able to demand to see a digital ID as part of a ‘stop and search.’

[…]

Big Brother Watch says the national ID system is a “serious threat to civil liberties.”

“Digital ID systems can be uniquely harmful to privacy, equality and civil liberties. They would allow the state to amass vast amounts of personal information about the public in centralised government databases. By linking government records through a unique single identifier, digital ID systems would make it very easy to build up a comprehensive picture of an individual’s life.”

[…]

Source: UK government says digital ID won’t be compulsory – honest • The Register

It also creates a single point of entry for anyone willing to hack the database. Centralised databases are incredibly broken ideas.

Also see: New digital ID will be mandatory to work in the UK. Ausweis bitte!

And a quick search for “centralised database”

This is why people hate woke: some moron decided to remove the guns from James Bond. And Amazon Agreed.

Last year, for April Fools, we ran a spoof news story about cigarettes being digitally removed from the James Bond films due to pressure to distance the character from smoking. It touched a nerve, and many commented that this could happen in the future.

In a disappointing case of fiction becoming fact, Amazon has decided to remove guns from the key art used on all the James Bond films on Prime. Whilst it may be appealing to have a unified look for the series on streaming, removing the Walthers has left Bond with some awkward poses.

Some covers have been achieved by cropping the image so the gun is outside the lower edge, but in some cases the images have been digitally manipulated to varying levels of success, including: Dr No (awkwardly folded arms), A View To A Kill (long arms), GoldenEye (contemplation), and Spectre (clumsily shortened empty holster).

 

Source: Disarming – Amazon has digitally removed guns from James Bond film key art – James Bond 007 :: MI6 – The Home Of James Bond

Which fuckwit thought this was a good idea, and which bunch of morons agreed to this?

Unity Real-Time Development Platform Vulnerability Let Attackers Execute Arbitrary Code

Unity Technologies has issued a critical security advisory warning developers about a high-severity vulnerability affecting its widely used game development platform.

The flaw, designated CVE-2025-59489, exposes applications built with vulnerable Unity Editor versions to unsafe file loading attacks that could enable local code execution and privilege escalation across multiple operating systems.

The vulnerability stems from an untrusted search path weakness (CWE-426) that allows attackers to exploit unsafe file loading mechanisms within Unity-built applications.

With a CVSS score of 8.4, this security issue affects virtually all Unity Editor versions from 2017.1 through current releases, potentially impacting millions of deployed games and applications worldwide.

Local File Inclusion Vulnerability

The vulnerability manifests differently across operating systems, with Android applications facing the highest risk as they are susceptible to both code execution and elevation of privilege attacks.

Windows, Linux Desktop, Linux Embedded, and macOS platforms experience elevation of privilege risks, allowing attackers to gain unauthorized access at the application’s privilege level.

Security researchers at GMO Flatt Security Inc. discovered the flaw on June 4, 2025, and reported it to Unity under responsible disclosure.

Attackers exploit the local file inclusion mechanism to execute arbitrary code, confined to the vulnerable application’s privilege level, and can potentially read any confidential information available to that process.

On Windows systems, the threat landscape becomes more complex when custom URI handlers are registered for Unity applications.

Attackers who can trigger these URI schemes may exploit the vulnerable library-loading behavior without requiring direct command-line access, significantly expanding the attack surface.

Risk factors
  • Affected products: Unity Editor versions 2017.1+ and applications built with these versions across Android, Windows, Linux, and macOS
  • Impact: local code execution, privilege escalation, information disclosure
  • Exploit prerequisites: local system access, vulnerable Unity-built application present on target system
  • CVSS 3.1 score: 8.4 (High)

Mitigations

Unity has released patches for all supported versions and extended fixes to legacy versions dating back to Unity 2019.1.

The company provides two primary remediation approaches: rebuilding applications with updated Unity Editor versions or applying binary patches using Unity’s specialized patch tool for deployed applications.

[…]

Source: Unity Real-Time Development Platform Vulnerability Let Attackers Execute Arbitrary Code

vitamin D2 supplements could weaken your immunity – take D3 instead

Taking vitamin D2 might lower the body’s levels of the more efficient form of vitamin D, vitamin D3, according to new research from the University of Surrey, John Innes Centre and Quadram Institute Bioscience. Many people take vitamin D supplements to support their bone and immune health and meet the UK government recommendation of 10 micrograms (µg) each day, especially during the winter months.

There are two forms of vitamin D supplements available: vitamin D2 and vitamin D3. Researchers have found that taking vitamin D2 supplements can lead to a drop in the body’s concentration of vitamin D3, which is the form our bodies naturally produce from sunlight and use most effectively to raise overall vitamin D levels.

The study, published in Nutrition Reviews, analysed data from randomised controlled trials and found that vitamin D2 supplementation resulted in a reduction in vitamin D3 levels compared to those not taking a vitamin D2 supplement. In many of the studies, the vitamin D3 levels went lower than in the control group.

Emily Brown, PhD Research Fellow and Lead Researcher of the study from the University of Surrey’s Nutrition, Exercise, Chronobiology & Sleep Discipline, said:

“Vitamin D supplements are important, especially between October and March, when our bodies cannot make vitamin D from sunlight in the UK. However, we discovered that vitamin D2 supplements can actually decrease levels of vitamin D3 in the body, which is a previously unknown effect of taking these supplements. This study suggests that subject to personal considerations, vitamin D3 supplements may be more beneficial for most individuals over vitamin D2.”

[…]

Further research into the different functionalities of vitamin D2 and D3 should be a priority in deciding whether vitamin D3 should be the first-line choice of vitamin D supplement, subject to individual requirements.

[…]

Story Source:

Materials provided by University of Surrey. Note: Content may be edited for style and length.


Journal Reference:

  1. Emily I G Brown, Andrea L Darling, Tracey M Robertson, Kathryn H Hart, Jie Li, Cathie Martin, Martin J Warren, Colin P Smith, Susan A Lanham-New, Ruan M Elliott. Effect of Vitamin D2 Supplementation on 25-Hydroxyvitamin D3 Status: A Systematic Review and Meta-Analysis of Randomized Controlled Trials. Nutrition Reviews, 2025; DOI: 10.1093/nutrit/nuaf166

Source: The vitamin D mistake weakening your immunity | ScienceDaily

Scientists discover hidden protein that switches off hunger

Researchers at Leipzig University and Charité – Universitätsmedizin Berlin have discovered a key mechanism for appetite and weight control. It helps the brain to regulate feelings of hunger. In a study, scientists from Collaborative Research Centre (CRC) 1423 – Structural Dynamics of GPCR Activation and Signaling – found how a protein called MRAP2 (melanocortin 2 receptor accessory protein 2) influences the function of the brain receptor MC4R (melanocortin-4 receptor), which plays a central role in appetite control and energy balance. Their findings have just been published in the journal Nature Communications.

MC4R is an important receptor activated by the peptide hormone MSH. It plays a major role in Collaborative Research Centre 1423, where it is being characterised both structurally and functionally. Mutations in MC4R are among the most common genetic causes of severe obesity.

[…]

Setmelanotide, an approved drug, activates this receptor and specifically reduces feelings of hunger. “We are proud that CRC 1423 has now also contributed to understanding receptor transport and availability,” says Professor Annette Beck-Sickinger, spokesperson for CRC 1423 and co-author of the study. A total of five projects within the Collaborative Research Centre were involved in this interdisciplinary research.

Using modern fluorescence microscopy and single-cell imaging, the team demonstrated that the protein MRAP2 fundamentally alters the localisation and behaviour of the brain receptor MC4R within cells. Fluorescent biosensors and confocal imaging showed that MRAP2 is essential for transporting MC4R to the cell surface, where it can transmit appetite-suppressing signals more effectively.

By uncovering this new level of regulation, the study points to therapeutic strategies that mimic or modulate MRAP2 and hold the potential to combat obesity and related metabolic disorders.

[…]

Story Source:

Materials provided by Universität Leipzig. Note: Content may be edited for style and length.


Journal Reference:

  1. Iqra Sohail, Suli-Anne Laurin, Gunnar Kleinau, Vidicha Chunilal, Andrew Morton, Alfonso Brenlla, Zeynep Cansu Uretmen Kagiali, Marie-José Blouin, Javier A. Tello, Annette G. Beck-Sickinger, Martin J. Lohse, Patrick Scheerer, Michel Bouvier, Peter McCormick, Paolo Annibale, Heike Biebermann. MRAP2 modifies the signaling and oligomerization state of the melanocortin-4 receptor. Nature Communications, 2025; 16 (1) DOI: 10.1038/s41467-025-63988-w

Source: Scientists discover hidden protein that switches off hunger | ScienceDaily

Outrage That NL Tax and Customs Authorities will give all data to US by switching to MS 365: ‘Insult to Parliament’

‘An insult not only to the House of Representatives, but also to Dutch and European businesses’, says GroenLinks-PvdA MP Barbara Kathmann about the switch of government services to Microsoft. Earlier today, outgoing State Secretary for Taxation Eugène Heijnen (BBB) informed the House of Representatives about the switch of the Tax Authorities, the Allowances department, and Customs to Microsoft 365. This means that these services will become dependent on this American software giant for their daily work.

Outrage over Tax Authorities’ switch to Microsoft: ‘An insult to the House of Representatives’

Over the past year, there have been frequent debates about the digital independence of the Netherlands, and the call to become independent from American companies is growing louder. The fact that the State Secretary is now announcing that three government services will still switch to Microsoft has angered Kathmann. ‘They are essentially just ushering us into the American cloud during this caretaker period, and that is really not necessary.’ Bert Hubert, former supervisor of the intelligence services, previously stated that Dutch tax data could end up on American servers via email contact.

Cluster of European companies

Kathmann emphasizes that it would be naive to think that we could be independent of Microsoft tomorrow, but that Dutch and European businesses are capable of a lot.

[…]

According to the State Secretary, this is not possible because there are no comparable European alternatives. Kathmann explains that the intention is precisely not to become dependent on one supplier.

[…]

Stimulate development

Last week, caretaker Prime Minister Dick Schoof called on executives of large companies to become independent from non-European suppliers. Schoof also emphasized in the House two days ago that this is a priority.

[…]

the government can play an important role in stimulating the development of European and Dutch technology. ‘The government is the largest IT buyer in the Netherlands. If it becomes the largest buyer of European Dutch products, then it will really take off.’

[…]

Source: Kagi Translate

It really is amazing how at a time when everyone is talking about digital sovereignty, the Tax people – responsible for handling extremely sensitive data – decide to give it all to an increasingly untrustworthy ally.

Signal threatens to exit Germany over Chat Control vote – on the 14th of October we will know if Denmark has managed to turn the EU into a Stasi surveillance state.

The Signal Foundation announced on October 3, 2025, that it would withdraw its encrypted messaging service from Germany and potentially all of Europe if the European Union’s Chat Control proposal passes in an upcoming vote. According to Signal President Meredith Whittaker, the messaging platform faces an existential choice between compromising its encryption integrity and leaving European markets entirely.

The German government holds a decisive position in the October 14, 2025 vote on the Chat Control regulation, which aims to combat child sexual abuse material but requires mass scanning of every message, photo, and video on users’ devices.

[…]

The Chat Control proposal mandates that messaging services like Signal, WhatsApp, Telegram, and Threema scan files on smartphones and end devices without suspicion to detect child sexual abuse material. This scanning would occur before encryption, according to technical documentation from the European Commission’s September 2020 draft on detecting such content in end-to-end encrypted communications.

[…]

The Chat Control vote reveals deep divisions among EU member states on digital privacy and surveillance. Fifteen countries support the proposal, eight oppose it, and several remain undecided as the October 14 deadline approaches.

[…]

Germany’s position remains critical and undecided. Despite expressing concerns about breaking end-to-end encryption at a September 12 Law Enforcement Working Party meeting, the government refrained from taking a definitive stance. This indecision makes Germany’s vote potentially decisive for the proposal’s fate.

Belgium, Italy, and Latvia remain undecided as of September 23, 2025. These countries express desire to reach agreement given the expiring interim regulation, with all three expressing support for the proposal’s goals while remaining formally uncommitted. Italy specifically voices doubts concerning inclusion of new child sexual abuse material in the scope of application. Latvia assesses the text positively but faces uncertainty about political support.

Poland and Austria share the desire for solutions but maintain skepticism about the current proposal’s approach. Greece’s position remains unclear, with the government evaluating technical implementation details. Sweden continues examining the compromise text and working on a position. Slovakia appears in both opposition and undecided categories depending on sources, reflecting the fluid nature of negotiations.

The arithmetic suggests that Germany’s decision could determine whether the required majority materializes. With 15 states supporting and 8 opposing, the undecided nations hold the balance.

[…]

Technical experts have warned that client-side scanning fundamentally undermines encryption security. A comprehensive 2021 study titled “Bugs in Our Pockets: The Risks of Client-Side Scanning,” authored by 14 security researchers including cryptography pioneers Whitfield Diffie and Ronald Rivest, concluded that such systems create serious security and privacy risks for all society.

The researchers explained that scanning every message—whether performed before or after encryption—negates the premise of end-to-end encryption. Instead of breaking Signal’s encryption protocol directly, hostile actors would only need to exploit access granted to the scanning system itself. Intelligence agencies have acknowledged this threat would prove catastrophic for national security, according to the technical consensus outlined in the research paper.

[…]

Germany’s historical experience with mass surveillance through the Stasi secret police informs current privacy advocacy. The country maintained principled opposition to Chat Control during the previous coalition government, though this position became uncertain after the current government took office.

[…]

Denmark assumed the EU Council Presidency on July 1, 2025, and immediately reintroduced Chat Control as a legislative priority. Lawmakers targeted the October 14 adoption date if member states reach consensus. France, which previously opposed the measure, shifted to support the proposal by July 28, 2025, creating momentum for the 15 member states now backing the regulation.

[…]

Source: Signal threatens to exit Germany over Chat Control vote

Senators Cruz and Cornyn Want To Steal Space Shuttle Discovery from Smithsonian and Chop it Up to Move it.

Keith’s note: I just got an update from KeepTheShuttle. OMB wants NASA and the Smithsonian to figure out how to cut Space Shuttle Discovery apart into pieces to move it. As you will recall, that option was ruled out when Space Shuttle Endeavour was moved to Los Angeles on the now-defunct 747 carrier and then moved through the streets where utilities were moved and trees were cut down. Every effort was taken to preserve the integrity of this historic space ship. Now Texas Senators Ted Cruz and John Cornyn are only interested in snagging a tourist attraction – not a precious historic relic that deserves to be preserved – and certainly not chopped up like a leftover exhibit from a state fair and tossed on a flatbed. Full statement below.

[…]

This development is unprecedented and alarming. NASA did not design the shuttle orbiters to be disassembled, and complicating factors include the shuttle’s aluminum frame, ~24,000 delicate ceramic tiles that coat the shuttle’s underside (the black part), and ~2,000 thermal insulation fabric blankets that coat the rest of the shuttle (the white part). Disassembling Discovery would cause significant and irreparable damage to these and other portions of the shuttle.

Discovery also holds particular value, as the shuttle was specially preserved to serve as a future reference for researchers. To quote Dennis Jenkins, who was the director of NASA’s program to retire the shuttle fleet “We spent a lot of time and money to preserve Discovery in as near to flight condition as we could to put it in the national collection, so that any future engineer or historian has a reference vehicle to look at, measure or do whatever they need”. The process that the White House is now asking the Smithsonian and NASA to explore would permanently ruin this work and significantly hamper the ability of future generations to study and learn from Discovery.

The letter also references that NASA and the Smithsonian are in agreement that the cost to move Discovery to Houston would, at minimum, be between $120 million and $150 million, exclusive of the cost of building a new exhibit in Houston. This number significantly exceeds the $85 million authorized for the relocation and a new exhibit by the OBBBA, and indicates that additional taxpayer funding will be necessary. A

[…]

Letter from the Smithsonian to Congressional Authorizing & Appropriating Committees:

“The Smithsonian has been asked by OMB to work with NASA to prepare to move the Discovery space shuttle to Houston, TX, within the 18 months specified in the reconciliation bill signed into law on July 4, 2025. The bill does not specifically mention Discovery as the designated vehicle for relocation, and its terms could include any number of space vehicles, but the administration is interpreting the law as sufficiently specific to move forward with the transfer of Discovery. The Smithsonian and NASA have been asked to begin by verifying the actual costs associated with the move.

While an engineering study will be necessary due to the size and weight of the space vehicle, both NASA and the Smithsonian believe that Discovery will have to undergo significant disassembly to be moved.

[…]

NASA transferred “all rights, title, interest and ownership” of the shuttle to the Smithsonian. We remain concerned about the unprecedented nature of a removal of an object from the national collection, and that we would be causing damage to the most intact orbiter from the space shuttle program

[…]

Source: Senators Cruz and Cornyn Want To Chop Up Space Shuttle Discovery – NASA Watch