An anonymous reader quotes a report from BleepingComputer: The Redis security team has released patches for a maximum severity vulnerability that could allow attackers to gain remote code execution on thousands of vulnerable instances. Redis (short for Remote Dictionary Server) is an open-source data structure store used in approximately 75% of cloud environments, functioning like a database, cache, and message broker, and storing data in RAM for ultra-fast access. The security flaw (tracked as CVE-2025-49844) is caused by a 13-year-old use-after-free weakness found in the Redis source code and can be exploited by authenticated threat actors using a specially crafted Lua script (a feature enabled by default). Successful exploitation enables them to escape the Lua sandbox, trigger a use-after-free, establish a reverse shell for persistent access, and achieve remote code execution on the targeted Redis hosts.

After compromising a Redis host, attackers can steal credentials, deploy malware or cryptocurrency mining tools, extract sensitive data from Redis, move laterally to other systems within the victim's network, or use stolen information to gain access to other cloud services. "This grants an attacker full access to the host system, enabling them to exfiltrate, wipe, or encrypt sensitive data, hijack resources, and facilitate lateral movement within cloud environments," said Wiz researchers, who reported the security issue at Pwn2Own Berlin in May 2025 and dubbed it RediShell.

While successful exploitation requires attackers first to gain authenticated access to a Redis instance, Wiz found around 330,000 Redis instances exposed online, with at least 60,000 of them not requiring authentication. Redis and Wiz urged admins to patch their instances immediately by applying security updates released on Friday, "prioritizing those that are exposed to the internet." To further secure their Redis instances against remote attacks, admins can also enable authentication, disable Lua scripting and other unnecessary commands, launch Redis using a non-root user account, enable Redis logging and monitoring, limit access to authorized networks only, and implement network-level access controls using firewalls and Virtual Private Clouds (VPCs).

BrianFagioli writes: Canonical has revealed the codename for Ubuntu 26.04 LTS: Resolute Raccoon. The announcement came today on X through the official @ubuntu account, continuing the tradition of pairing an adjective with an animal for each release. As an LTS version, it will be supported for five years and serve as the foundation for servers, desktops, and cloud deployments when it launches in April 2026.

While the name itself is now public, the features of Ubuntu 26.04 remain under wraps. The community will be watching closely to see which kernel it ships with, how GNOME evolves, and what improvements land for enterprise and container use. For now, fans simply have a raccoon mascot to rally around as the countdown to April begins.

European labor regulations enacted nearly a century ago now impose costs on companies that discourage investment in disruptive technologies. An American firm shedding workers incurs costs equivalent to seven months of wages per employee. In Germany the figure reaches 31 months. In France it reaches 38 months. The expense extends beyond severance pay and union negotiations. Companies retain unproductive workers they would prefer to dismiss.

New investments face delays of years as dismissed employees are gradually replaced. Olivier Coste, a former EU official turned tech entrepreneur, and economist Yann Coatanlem tracked these opaque restructuring costs and found that European firms avoid risky ventures because of them. Large companies typically finance ten risky projects where eight fail and require mass redundancies. Apple developed a self-driving car for years before abandoning the effort and firing 600 employees in 2024. The two successful projects generate profits worth many times the invested sums. This calculus works in America where failure costs remain low. In Europe the same bet becomes financially unviable.

European blue-chip firms sell products that are improved versions of what they sold in the 20th century -- turbines, shampoos, vaccines, jetliners. American star firms peddle AI chatbots, cloud computers, reusable rockets. Nvidia is worth more than the European Union's 20 biggest listed firms combined. Microsoft, Google, and Meta each fired over 10,000 staff in recent years despite thriving businesses. Satya Nadella called firing people during success the "enigma of success." Bosch and Volkswagen recently announced layoffs with timelines stretching to 2030.

OpenAI and AMD announced a multibillion-dollar partnership on Monday for AI data centers running on AMD processors. OpenAI committed to purchasing 6 gigawatts worth of AMD's MI450 chips starting next year through direct purchases or through its cloud computing partners. AMD chief Lisa Su said the deal will result in tens of billions of dollars in new revenue over the next half-decade.

OpenAI will receive warrants for up to 160 million AMD shares at 1 cent per share, representing roughly 10% of the chip company. The warrants will be awarded in phases if OpenAI hits certain deployment milestones. The partnership marks AMD's biggest win in its quest to disrupt Nvidia's dominance among AI semiconductor companies. Mizuho Securities estimates that Nvidia controls more than 70% of the market for AI chips.

"Microsoft buys a lot of GPUs from both Nvidia and AMD," writes the Register. "But moving forward, Redmond's leaders want to shift the majority of its AI workloads from GPUs to its own homegrown accelerators..." Driving the transition is a focus on performance per dollar, which for a hyperscale cloud provider is arguably the only metric that really matters. Speaking during a fireside chat moderated by CNBC on Wednesday, Microsoft CTO Kevin Scott said that up to this point, Nvidia has offered the best price-performance, but he's willing to entertain anything in order to meet demand.

Going forward, Scott suggested Microsoft hopes to use its homegrown chips for the majority of its datacenter workloads. When asked, "Is the longer term idea to have mainly Microsoft silicon in the data center?" Scott responded, "Yeah, absolutely...

Microsoft is reportedly in the process of bringing a second-generation Maia accelerator to market next year that will no doubt offer more competitive compute, memory, and interconnect performance... It should be noted that AI accelerators aren't the only custom chips Microsoft has been working on. Redmond also has its own CPU called Cobalt and a whole host of platform security silicon designed to accelerate cryptography and safeguard key exchanges across its vast datacenter domains.

An anonymous reader quotes a report from Ars Technica: As we careen toward a future in which Google has final say over what apps you can run, the company has sought to assuage the community's fears with a blog post and a casual "backstage" video. Google has said again and again since announcing the change that sideloading isn't going anywhere, but it's definitely not going to be as easy. The new information confirms app installs will be more reliant on the cloud, and devs can expect new fees, but there will be an escape hatch for hobbyists.

Confirming app verification status will be the job of a new system component called the Android Developer Verifier, which will be rolled out to devices in the next major release of Android 16. Google explains that phones must ensure each app has a package name and signing keys that have been registered with Google at the time of installation. This process may break the popular FOSS storefront F-Droid. It would be impossible for your phone to carry a database of all verified apps, so this process may require Internet access. Google plans to have a local cache of the most common sideloaded apps on devices, but for anything else, an Internet connection is required. Google suggests alternative app stores will be able to use a pre-auth token to bypass network calls, but it's still deciding how that will work.

The financial arrangement has been murky since the initial announcement, but it's getting clearer. Even though Google's largely automated verification process has been described as simple, it's still going to cost developers money. The verification process will mirror the current Google Play registration fee of $25, which Google claims will go to cover administrative costs. So anyone wishing to distribute an app on Android outside of Google's ecosystem has to pay Google to do so. What if you don't need to distribute apps widely? This is the one piece of good news as developer verification takes shape. Google will let hobbyists and students sign up with only an email for a lesser tier of verification. This won't cost anything, but there will be an unclear limit on how many times these apps can be installed. The team in the video strongly encourages everyone to go through the full verification process (and pay Google for the privilege). We've asked Google for more specifics here.

An anonymous reader shares a report from The Verge: Microsoft is getting ready to announce an ad-supported version of Xbox Cloud Gaming. Sources familiar with Microsoft's plans tell The Verge that the software maker has started testing ad-supported games streaming internally, allowing employees to play select titles free without a Game Pass subscription.

I understand that the free ad-supported version of Xbox Cloud Gaming will include the ability to stream some games you own, as well as eligible Free Play Days titles, which let Xbox players try games over a weekend. You'll also be able to stream Xbox Retro Classics games. Sources tell me the internal testing includes around two minutes of preroll ads before a game is available to stream for free through Xbox Cloud Gaming. [...] The ad-supported Xbox Cloud Gaming version will be available on PC, Xbox consoles, handheld devices, and via the web.

An anonymous reader quotes a report from The Register: New Zealand's Institute of IT Professionals has discovered it is insolvent and advised members it has no alternative but to enter liquidation. The Institute (ITP) wrote to members on Thursday and posted a document titled "Important Update on ITP's Future" that reveals it has "reached a point where the organization cannot continue. After a full review of our finances, the Board has confirmed that ITP is insolvent."

Insolvency seems to have come as something of a surprise. "These debts are historic. They go back over many years. While some of the issues were worked on in more recent times, the full scale of the problem only became visible during the leadership change in 2025," the Update states. "Once the Board understood the full picture, it was clear that there was no responsible way forward other than liquidation." [...]

ITP's constitution requires its members to formally resolve to wind up the organization, so as one of its final acts the group has called a Special General Meeting (SGM) for 23 October 2025 to confirm liquidation and appoint a liquidator. This situation impacts more than ITP's ~10,000 members, because the organization offers assessment services that assess whether IT professionals' skills and qualifications make them eligible to move to New Zealand for work. ITP also certifies IT degrees at New Zealand universities, and oversees the NZ Cloud Computing Code of Practice. ITP also conducted educational and advocacy activities aimed at growing New Zealand's tech workforce.

Google has laid off over 100 employees in design-related roles, including user experience research and cloud design teams, as part of broader cost-cutting measures to prioritize AI infrastructure. CNBC reports: Earlier this week, the company laid off employees within the cloud unit's "quantitative user experience research" teams and "platform and service experience" teams, as well as some adjacent teams, according to internal documents viewed by CNBC. The roles often focus on using data, surveys and other tools to understand and implement user behaviors that inform product development and design. Google has halved some of the cloud unit's design teams, and many of those affected are U.S.-based roles. Some employees have been given until early December to find a new role within the company.

Researchers have unveiled two new hardware-based attacks, Battering RAM and Wiretap, that break Intel SGX and AMD SEV-SNP trusted enclaves by exploiting deterministic encryption and physical interposers. Ars Technica reports: In the age of cloud computing, protections baked into chips from Intel, AMD, and others are essential for ensuring confidential data and sensitive operations can't be viewed or manipulated by attackers who manage to compromise servers running inside a data center. In many cases, these protections -- which work by storing certain data and processes inside encrypted enclaves known as TEEs (Trusted Execution Enclaves) -- are essential for safeguarding secrets stored in the cloud by the likes of Signal Messenger and WhatsApp. All major cloud providers recommend that customers use it. Intel calls its protection SGX, and AMD has named it SEV-SNP.

Over the years, researchers have repeatedly broken the security and privacy promises that Intel and AMD have made about their respective protections. On Tuesday, researchers independently published two papers laying out separate attacks that further demonstrate the limitations of SGX and SEV-SNP. One attack, dubbed Battering RAM, defeats both protections and allows attackers to not only view encrypted data but also to actively manipulate it to introduce software backdoors or to corrupt data. A separate attack known as Wiretap is able to passively decrypt sensitive data protected by SGX and remain invisible at all times.

The UK government has issued a new order to Apple to create a backdoor into its cloud storage service, this time targeting only British users' data, despite US claims that Britain had abandoned all attempts to break the tech giant's encryption. Financial Times: The UK Home Office demanded in early September that Apple create a means to allow officials access to encrypted cloud backups, but stipulated that the order applied only to British citizens' data, according to people briefed on the matter.

A previous technical capability notice (TCN) issued in January sought global access to encrypted user data. That move sparked a diplomatic clash between the UK and US governments and threatened to derail the two nations' efforts to secure a trade agreement.

In February, Apple withdrew its most secure cloud storage service, iCloud Advanced Data Protection, from the UK. "Apple is still unable to offer Advanced Data Protection in the United Kingdom to new users," Apple said on Wednesday. "We are gravely disappointed that the protections provided by ADP are not available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy." It added: "As we have said many times before, we have never built a back door or master key to any of our products or services and we never will."

Microsoft has announced that Xbox Game Pass Ultimate will cost $29.99 per month, up from $19.99. The company restructured its subscription service into three tiers ahead of the October 16 launch of two Xbox ROG Ally handheld consoles. The new Essential tier offers 50-plus games for $9.99 monthly. Premium includes 200-plus games for $14.99. Ultimate subscribers gain access to more than 400 games, day-one releases, improved cloud streaming quality, and services including EA Play, Ubisoft+ Classics, and Fortnite Crew.

Game Pass generated nearly $5 billion in fiscal 2025 revenue with 34 million subscribers in 2024. Console hardware prices are also increasing, with the Xbox Series X rising $50 to $649.99 starting October 3.

An anonymous reader shared this report from Computer Weekly: Policing data hosted in Microsoft's hyperscale cloud infrastructure could be processed in more than 100 countries, but the tech giant is obfuscating this information from its customers, Computer Weekly can reveal. According to documents released by the Scottish Police Authority (SPA) under freedom of information (FoI) rules, Microsoft refused to hand over crucial information about its international data flows to the SPA and Police Scotland when asked...

The tech giant also refused to disclose its own risk assessments into the transfer of UK policing data to other jurisdictions, including China and others deemed "hostile" in the DPIA documents. This means Police Scotland and the SPA — which are jointly rolling out Office 365 — are unable to satisfy the law enforcement-specific data protection rules laid out in Part Three of the Data Protection Act 2018 (DPA18), which places strict limits on the transfer of policing data outside the UK. The same documents also contain an admission from Microsoft — given while simultaneously refusing to divulge key information about data flows — that it is unable to guarantee the sovereignty of policing data held and processed within its O365 infrastructure. This echoes the statements senior Microsoft representatives made to the French senate in June 2025, in which they admitted the company cannot guarantee the sovereignty of European data stored and processed in its services generally.

The revelation that Microsoft may access customer data from more than 100 countries is a result of the correspondence previously disclosed under Freedom of Information and reported on by Computer Weekly... All in all, an analysis of Microsoft's distributed documentation — conducted by independent security consultant Owen Sayers and shared with Computer Weekly — suggests that Microsoft personnel or contractors can remotely access the data from 105 different countries, using 148 different sub-processors. Despite technically being public, Sayers highlighted how this information is not transparently laid out for Microsoft customers, and is distributed across different documents contained in non-indexed webpages.... "[A]ny normal amount of due diligence — even if it is conducted by skilled persons will likely fail to see the full scope of offshoring in play," he said...

Microsoft did not contest the accuracy of the remote access location figures cited by Computer Weekly in this story.

MacStadium's inaugural CIO survey shows Apple devices gaining major ground in U.S. enterprises, with 96% of CIOs expecting Mac fleets to expand in the next two years and Macs already representing an average of 65% of enterprise endpoints. "The results show rapid Mac deployment across US business in the last two years, with 93% of CIOs claiming increased use, and 59% claiming a significant increase in use of all Apple devices," adds Computerworld. From the report: "As the adoption of Apple hardware continues to rise with both consumers and business users, and Apple Silicon is emerging as a secure and energy-efficient option for AI workloads, Apple is turning its sights to the enterprise," [MacStadium CEO Ken Tacelli] said in an interview. Among the specifics:

- 93% of CIOs report increased Apple device usage over the past two years.
- 45% of CIOs describe their leadership's view of Macs as a strategic investment, reflecting growing executive-level buy-in.
- The top drivers for Apple adoption are security and privacy (59%), employee preference (59%), and hardware performance (54%).
- Perhaps most importantly, 65% of CIOs say Macs are easier to manage than Windows or Linux devices.

In addition to those factors, the unique technical capabilities of Apple's kit (53%) play a role. Businesses are buying Macs because they're cheaper to run, last longer, allow employees to be more productive, and are both more private and more secure. The survey also shows that AI has become a leading reason to choose Macs. Apple Silicon is highly performant and energy efficient, enabling Macs to run on-device, secure AI, and to access cloud-based AI services.

An anonymous reader quotes a report from CNN: A team of suspected Chinese hackers has infiltrated US software developers and law firms in a sophisticated campaign to collect intelligence that could help Beijing in its ongoing trade fight with Washington, cybersecurity firm Mandiant said Wednesday. The hackers have been rampant in recent weeks, hitting the cloud-computing firms that numerous American companies rely on to store key data, Mandiant, which is owned by Google, said. In a sign of how important China's hacking army is in the race for tech supremacy, the hackers have also stolen US tech firms' proprietary software and used it to find new vulnerabilities to burrow deeper into networks, according to Mandiant.

[...] In some cases, the hackers have lurked undetected in the US corporate networks for over a year, quietly collecting intelligence, Mandiant said. The disclosure comes after the Trump administration escalated America's trade war with China this spring by slapping unprecedented tariffs on Chinese exports to the United States. The tit-for-tat tariffs set off a scramble in both governments to understand each other's positions. Mandiant analysts said the fallout from the breaches -- the task of kicking out the hackers and assessing the damage -- could last many months. They described it as a milestone hack, comparable in severity and sophistication to Russia's use of SolarWinds software to infiltrate US government agencies in 2020.

Longtime Slashdot reader hackingbear writes: President Donald Trump signed an executive order Thursday that he says will allow TikTok to continue operating in the United States in a way that meets national security concerns. Trump's order will enable an American-led of group of investors to "buy the app" (up to 80% ownership) from China's ByteDance, though the deal is not yet finalized and also requires China's approval. However, much about the deal is still unknown. So, did the U.S. successfully snatch TikTok from ByteDance? It is probably up to individual's interpretation.

As with any deals between U.S. and China, the devil is in the details. According Shen Yi, an internet influencer and a professor at Shanghai's Fudan University, what the U.S. investor will eventually take control of is an entity known as TikTok U.S. Data Security Company ("USDS"), which is a subsidiary of TikTok U.S. and is exclusively responsible to handle data security in the U.S.. ByteDance will continue, through its U.S. subsidiary "ByteDance TikTok U.S. Company," to operate business and other related activities (such as e-commerce, advertising for brands, and cross-border commercial activities). It is important to stress that "Byte TikTok U.S. Company" remains 100% owned by ByteDance through its global TikTok subsidiary -- this arrangement has not changed. The TikTok algorithm remains the property of ByteDance, only licensed to USDS for use. This point was in fact explicitly clarified by a relevant official of China's Cyberspace Administration at the press conference following the Madrid talks.

After reaching the TikTok deal, Beijing and Washington are now selling it to their respective domestic audience, each highlighting the part of the deal that it can characterize as a win. Shen's details are not in conflict with the widely-reported account given by Karoline Leavitt, the White House Press Secretary, who emphasized "a new board with six American directors out of seven." Observers can also find the TikTok arrangement being very similar to that of Apple's iCloud operation in China being run by GCBD (AIPO Cloud (Guizhou) Technology Co. Ltd.) while Apple retain controls of the brand and business.

Microsoft has disabled the Israeli Defense Ministry's access to certain services and subscriptions, after finding evidence that the ministry used the tech company's cloud services to surveil Gaza citizens. WSJ adds: The software company made the move after an internal investigation indicated Israel's Defense Ministry used Microsoft's Azure cloud services for surveillance, according to a person familiar with the matter. The company probe is ongoing. "As employees, we all have a shared interest in privacy protection, given the business value it creates by ensuring our customers can rely on our services with rock solid trust," Microsoft President Brad Smith said in a blog post Thursday on Microsoft's company website.

Smith said Microsoft's investigation was guided by the company's "longstanding protection of privacy as a fundamental right." Microsoft opened the probe after the Guardian, the British news organization, reported in August that Israel used Azure to store data on Gaza civilians and surveil them. The issue has been the source of protests at the company.

The Shai-Hulud malware campaign impacted hundreds of npm packages across multiple maintainers, reports Koi Security, including popular libraries like @ctrl/tinycolor and some packages maintained by CrowdStrike. Malicious versions embed a trojanized script (bundle.js) designed to steal developer credentials, exfiltrate secrets, and persist in repositories and endpoints through automated workflows.
Koi Security created a table of packages identified as compromised, promising it's "continuously updated" (and showing the last compromise detected Tuesday). Nearly all of the compromised packages have a status of "removed from NPM". Attackers published malicious versions of @ctrl/tinycolor and other npm packages, injecting a large obfuscated script (bundle.js) that executes automatically during installation. This payload repackages and republishes maintainer projects, enabling the malware to spread laterally across related packages without direct developer involvement. As a result, the compromise quickly scaled beyond its initial entry point, impacting not only widely used open-source libraries but also CrowdStrike's npm packages.

The injected script performs credential harvesting and persistence operations. It runs TruffleHog to scan local filesystems and repositories for secrets, including npm tokens, GitHub credentials, and cloud access keys for AWS, GCP, and Azure. It also writes a hidden GitHub Actions workflow file (.github/workflows/shai-hulud-workflow.yml) that exfiltrates secrets during CI/CD runs, ensuring long-term access even after the initial infection. This dual focus on endpoint secret theft and backdoors makes Shai-Hulud one of the most dangerous campaigns ever compared to previous compromises.
"The malicious code also attempts to leak data on GitHub by making private repositories public," according to a Tuesday blog post from security systems provider Sysdig: The Sysdig Threat Research Team (TRT) has been monitoring this worm's progress since its discovery. Due to quick response times, the number of new packages being compromised has slowed considerably. No new packages have been seen in several hours at the time...
Their blog post concludes "Supply chain attacks are increasing in frequency. It is more important than ever to monitor third-party packages for malicious activity."

Some context from Tom's Hardware: To be clear: This campaign is distinct from the incident that we covered on Sept. 9, which saw multiple npm packages with billions of weekly downloads compromised in a bid to steal cryptocurrency. The ecosystem is the same — attackers have clearly realized the GitHub-owned npm package registry for the Node.js ecosystem is a valuable target — but whoever's behind the Shai-Hulud campaign is after more than just some Bitcoin.

alternative_right writes: Austria's armed forces have switched from Microsoft's Office programs to the open-source LibreOffice package. The reason for this is not to save on software license fees for around 16,000 workstations. "It was very important for us to show that we are doing this primarily (...) to strengthen our digital sovereignty, to maintain our independence in terms of ICT infrastructure and (...) to ensure that data is only processed in-house," emphasizes Michael Hillebrand from the Austrian Armed Forces' Directorate 6 ICT and Cyber.

This is because processing data in external clouds is out of the question for the Austrian Armed Forces, as Hillebrand explained on ORF radio station O1. It was already apparent five years ago that Microsoft Office would move to the cloud. Back then, in 2020, the decision-making process for the switch began and was completed in 2021.

BrianFagioli shares a report from NERDS.xyz: The Fedora Project has announced Fedora Linux 43 Beta, giving users and developers the opportunity to test the distribution ahead of its final release. This beta introduces improvements across installation, system tools, and programming languages while continuing Fedora's pattern of cleaning out older components. The beta can be downloaded in Workstation, KDE Plasma, Server, IoT, and Cloud editions. Spins and Labs are also available, though Mate and i3 are not provided in some builds. Existing systems can be upgraded with DNF system-upgrade. Fedora CoreOS will follow one week later through its "next" stream. The beta brings enhancements to its Anaconda WebUI, moves to Python 3.14, and supports Wayland-only GNOME, among many other changes. A full list of improvements and system enhancements can be found here.

The official release should be available in late October or early November.