Ubuntu

Ubuntu 25.10 'Questing Quokka' Released (9to5linux.com) 14

prisoninmate shares a report from 9to5Linux: Dubbed Questing Quokka, Ubuntu 25.10 is powered by the latest and greatest Linux 6.17 kernel series for top-notch hardware support and ships with the latest GNOME 49 desktop environment, defaulting to a Wayland-only session for the Ubuntu Desktop flavor, meaning there's no other session to choose from the login screen. Ubuntu Desktop also ships with two new apps, namely GNOME's Loupe instead of Eye of GNOME as the default image viewer, as well as Ptyxis instead of GNOME Terminal as the default terminal emulator. Also, there's a new update notification that will be shown with options to open Software Updater or install updates directly.

Other highlights of Ubuntu 25.10 include sudo-rs as the default implementation of sudo, Dracut as the default initramfs-tools, Chrony as the default NTP (Network Time Protocol) client, Rust Coreutils as the default implementation of GNU Core Utilities, and TPM-backed FDE (Full Disk Encryption) recovery key management. Moreover, Ubuntu 25.10 adds NVIDIA Dynamic Boost support and enables suspend-resume support in the proprietary NVIDIA graphics driver to prevent corruption and freezes when waking an NVIDIA desktop. For Intel users, Ubuntu 25.10 introduces support for new Intel integrated and discrete GPUs.
Ubuntu 25.10 is available for download here.
IT

Logitech Will Brick Its $100 Pop Smart Home Buttons on October 15 (arstechnica.com) 92

An anonymous reader shares a report: In another loss for early smart home adopters, Logitech has announced that it will brick all Pop switches on October 15.

In August of 2016, Logitech launched Pop switches, which provide quick access to a range of smart home actions, including third-party gadgets. For example, people could set their Pop buttons to launch Philips Hue or Insteon lighting presets, play a playlist from their Sonos speaker, or control Lutron smart blinds. Each button could store three actions, worked by identifying smart home devices on a shared Wi-Fi network, and was controllable via a dedicated Android or iOS app. The Pop Home Switch Starter Pack launched at $100, and individual Pop Add-on Home Switches debuted at $40 each.

A company spokesperson told Ars Technica that Logitech informed customers on September 29 that their Pop switches would soon become e-waste.

Data Storage

Synology Reverses Course on Some Drive Restrictions (arstechnica.com) 29

Synology has released an update to its Disk Station Manager software that removes verified drive requirements from its 2025 model-year Plus, Value and J-series DiskStation network-attached storage devices. The change allows users to install non-validated third-party drives and create storage pools without restrictions.

The company had expanded its verified drive policy to the entire Plus line a few months earlier. Synology-branded drives carried substantial price premiums over commodity hardware. The HAT5310 enterprise SATA drive costs $299 for 8TB compared to $220 for an identically sized Seagate Exos disk. Users who installed non-verified drives in affected models faced reduced functionality and persistent warning messages in the DSM interface.

Synology said today it is collaborating with third-party drive manufacturers to accelerate testing and verification of additional storage drives. Pool and cache creation on M.2 disks still requires drives from the hardware compatibility list. Synology did not clarify whether the policy change applies to previous-generation products.
Television

Wordle Game Show In the Works At NBC (hollywoodreporter.com) 17

NBC is developing a game show based on the New York Times' Wordle puzzle, with Today anchor Savannah Guthrie set to host and Jimmy Fallon executive producing through his company, Electric Hot Dog. The Times is also a production partner. From the Hollywood Reporter: Wordle, which the Times acquired in 2022 and logs billions of plays from the paper's games site annually, gives players six tries to guess a five-letter word, revealing only if letters are in the right place (via a green background) or part of the word but in the wrong place (with a gold background). Should it go forward, the Wordle show would join another Fallon-produced game show, Password, on NBC's unscripted roster. The Tonight Show emcee also executive produces and hosts the network's On Brand, a competition series that revolves around advertising and marketing.
Bug

Security Bug In India's Income Tax Portal Exposed Taxpayers' Sensitive Data (techcrunch.com) 9

A now-fixed security flaw in India's income tax e-filing portal exposed millions of taxpayers' personal and financial data due to a basic IDOR vulnerability that let users view others' records by swapping PAN numbers. "The exposed data included full names, home addresses, email addresses, dates of birth, phone numbers, and bank account details of people who pay taxes on their income in India," reports TechCrunch. "The data also exposed citizens' Aadhaar number, a unique government-issued identifier used as proof of identity and for accessing government services." From the report: The researchers found that when they signed into the portal using their Permanent Account Number (PAN), an official document issued by the Indian income tax department, they could view anyone else's sensitive financial data by swapping out their PAN for another PAN in the network request as the web page loads. This could be done using publicly available tools like Postman or Burp Suite (or using the web browser's in-built developer tools) and with knowledge of someone else's PAN, the researchers told TechCrunch.

The bug was exploitable by anyone who was logged in to the tax portal because the Indian income tax department's back-end servers were not properly checking who was allowed to access a person's sensitive data. This class of vulnerability is known as an insecure direct object reference, or IDOR, a common and simple flaw that governments have warned is easy to exploit and can result in large-scale data breaches.

"This is an extremely low-hanging thing, but one that has a very severe consequence," the researchers told TechCrunch. In addition to the data of individuals, the researchers said that the bug also exposed data associated with companies who were registered with the e-Filing portal. [...] It remains unclear how long the vulnerability has existed or whether any malicious actors have accessed the exposed data.

Media

CBS News Was Just Taken Over By a Substack (theverge.com) 248

Paramount has acquired The Free Press, Bari Weiss's Substack-born media outlet, for $150 million and appointed Weiss as editor-in-chief of CBS News. The move effectively places a conservative-leaning Substack writer at the helm of a legacy news network, following the FCC's approval of the Skydance-Paramount merger, which required CBS to feature a broader "diversity of viewpoints from across the political and ideological spectrum." The Verge reports: Before starting The Free Press, Weiss worked as an op-ed and book review editor at The Wall Street Journal from 2013 to 2017 and later became an op-ed editor and writer at The New York Times to expand the publication's stable of conservative columnists during Donald Trump's first term. She resigned from the NYT in 2020, citing an "illiberal environment."

Weiss started a Substack newsletter in 2021, called Common Sense, which later evolved into The Free Press, touting itself as a media company "built on the ideals that were once the bedrock of great American journalism." As noted in the press release, The Free Press has grown its revenue 82 percent over the past year, while subscribers increased 86 percent to 1.5 million, 170,000 of which are paid subscriptions.

Security

Redis Warns of Critical Flaw Impacting Thousands of Instances (bleepingcomputer.com) 3

An anonymous reader quotes a report from BleepingComputer: The Redis security team has released patches for a maximum severity vulnerability that could allow attackers to gain remote code execution on thousands of vulnerable instances. Redis (short for Remote Dictionary Server) is an open-source data structure store used in approximately 75% of cloud environments, functioning like a database, cache, and message broker, and storing data in RAM for ultra-fast access. The security flaw (tracked as CVE-2025-49844) is caused by a 13-year-old use-after-free weakness found in the Redis source code and can be exploited by authenticated threat actors using a specially crafted Lua script (a feature enabled by default). Successful exploitation enables them to escape the Lua sandbox, trigger a use-after-free, establish a reverse shell for persistent access, and achieve remote code execution on the targeted Redis hosts.

After compromising a Redis host, attackers can steal credentials, deploy malware or cryptocurrency mining tools, extract sensitive data from Redis, move laterally to other systems within the victim's network, or use stolen information to gain access to other cloud services. "This grants an attacker full access to the host system, enabling them to exfiltrate, wipe, or encrypt sensitive data, hijack resources, and facilitate lateral movement within cloud environments," said Wiz researchers, who reported the security issue at Pwn2Own Berlin in May 2025 and dubbed it RediShell.

While successful exploitation requires attackers first to gain authenticated access to a Redis instance, Wiz found around 330,000 Redis instances exposed online, with at least 60,000 of them not requiring authentication. Redis and Wiz urged admins to patch their instances immediately by applying security updates released on Friday, "prioritizing those that are exposed to the internet." To further secure their Redis instances against remote attacks, admins can also enable authentication, disable Lua scripting and other unnecessary commands, launch Redis using a non-root user account, enable Redis logging and monitoring, limit access to authorized networks only, and implement network-level access controls using firewalls and Virtual Private Clouds (VPCs).

Android

Google Confirms Android Dev Verification Will Have Free and Paid Tiers, No Public List of Devs (arstechnica.com) 29

An anonymous reader quotes a report from Ars Technica: As we careen toward a future in which Google has final say over what apps you can run, the company has sought to assuage the community's fears with a blog post and a casual "backstage" video. Google has said again and again since announcing the change that sideloading isn't going anywhere, but it's definitely not going to be as easy. The new information confirms app installs will be more reliant on the cloud, and devs can expect new fees, but there will be an escape hatch for hobbyists.

Confirming app verification status will be the job of a new system component called the Android Developer Verifier, which will be rolled out to devices in the next major release of Android 16. Google explains that phones must ensure each app has a package name and signing keys that have been registered with Google at the time of installation. This process may break the popular FOSS storefront F-Droid. It would be impossible for your phone to carry a database of all verified apps, so this process may require Internet access. Google plans to have a local cache of the most common sideloaded apps on devices, but for anything else, an Internet connection is required. Google suggests alternative app stores will be able to use a pre-auth token to bypass network calls, but it's still deciding how that will work.

The financial arrangement has been murky since the initial announcement, but it's getting clearer. Even though Google's largely automated verification process has been described as simple, it's still going to cost developers money. The verification process will mirror the current Google Play registration fee of $25, which Google claims will go to cover administrative costs. So anyone wishing to distribute an app on Android outside of Google's ecosystem has to pay Google to do so. What if you don't need to distribute apps widely? This is the one piece of good news as developer verification takes shape. Google will let hobbyists and students sign up with only an email for a lesser tier of verification. This won't cost anything, but there will be an unclear limit on how many times these apps can be installed. The team in the video strongly encourages everyone to go through the full verification process (and pay Google for the privilege). We've asked Google for more specifics here.

Power

Spain Outage Was First of Its Kind, Worst in Decades, Group Says (financialpost.com) 26

The blackout that left Spain without power last April was the most severe incident to hit European networks in two decades and the first of its kind, according to the European Network of Transmission System Operators for Electricity. Damian Cortinas, the organization's chairman, said the April 28 outage was Europe's first blackout linked to cascading voltages. More than 50 million people lost electricity for several hours.

A preliminary report published in July attributed the outage to a chain of power generation disconnections and abnormal voltage surges. The final assessment will be released in the first quarter of next year and presented to the European Commission and member states. A government probe in June found that grid operator Red Electrica failed to replace one of 10 planned thermal plants, reducing reserve capacity. Spain spent only $0.3 on its grid for every dollar invested in renewables between 2020 and 2024, the lowest ratio among European countries and well below the $0.7 average.
Technology

Walmart To Deploy Sensors To Track 90 Million Grocery Pallets by Next Year 17

Walmart plans to deploy sensors across its 4,600 US stores by the end of 2026 to track 90 million pallets of groceries shipped annually [Editor's note: non-paywalled source]. The retailer and technology vendor Wiliot announced the expansion Thursday. The sensors will monitor the location, condition and temperature of perishables as they move from warehouses to stores. Walmart started testing Wiliot's sensors at a Texas warehouse in 2023 and has expanded to 500 locations. The full rollout will cover the retailer's US store network and 40 distribution centers.

The microchips measure 0.7 square millimeters and are embedded in shipping labels. They use Bluetooth to transmit real-time data about pallets. Walmart previously relied on manual scanning and paper checks by employees. The Arkansas-based company employs 2.1 million people but increased revenues by $150 billion over five years without adding workers. Walmart accounts for more than a fifth of US grocery sales.
Earth

Earth Is Getting Darker, Literally, and Scientists Are Trying To Find Out Why (404media.co) 58

An anonymous reader shares a report: It's not the vibes; Earth is literally getting darker. Scientists have discovered that our planet has been reflecting less light in both hemispheres, with a more pronounced darkening in the Northern hemisphere, according to a study published on Monday in Proceedings of the National Academy of Sciences.

The new trend upends longstanding symmetry in the surface albedo, or reflectivity, of the Northern and Southern hemispheres. In other words, clouds circulate in a way that equalizes hemispheric differences, such as the uneven distribution of land, so that the albedos roughly match -- though nobody knows why. "There are all kinds of things that people have noticed in observations and simulations that tend to suggest that you have this hemispheric symmetry as a kind of fundamental property of the climate system, but nobody's really come up with a theoretical framework or explanation for it," said Norman Loeb, a physical scientist at NASA's Langley Research Center, who led the new study. "It's always been something that we've observed, but we haven't really explained it fully."

To study this mystery, Loeb and his colleagues analyzed 24 years of observations captured since 2000 by the Clouds and the Earth's Radiant Energy System (CERES), a network of instruments placed on several NOAA and NASA satellites. Instead of an explanation for the strange symmetry, the results revealed an emerging asymmetry in hemispheric albedo; though both hemispheres are darkening, the Northern hemisphere shows more pronounced changes which challenges "the hypothesis that hemispheric symmetry in albedo is a fundamental property of Earth," according to the study.

Businesses

Insurers Are Using Cancer Patients as Leverage (wsj.com) 221

Major health insurers are threatening to drop renowned cancer centers from their networks during contract negotiations, Memorial Sloan Kettering Cancer Center's president and CEO Selwyn M. Vickers and chairman Scott M. Stuart wrote in a story published by WSJ. Memorial Sloan Kettering Cancer Center reported that both Anthem Blue Cross Blue Shield and UnitedHealthcare prepared to terminate network agreements while patients underwent active cancer treatment. FTI Consulting found that 45% of 133 provider-payer disputes in 2024 failed to reach timely agreements. The disruptions have affected tens of thousands of patients.

Research published in the Journal of the National Cancer Institute found that care disruptions lead to more advanced-stage diagnoses and worse outcomes. Similar contract disputes involved Mayo Clinic, Johns Hopkins University and University of North Carolina Health. New York lawmakers introduced legislation this year requiring insurers to maintain coverage for cancer patients during negotiations and until treatment concludes. Memorial Sloan Kettering's leadership described the practice as using patients as bargaining chips despite record insurer profits.
Security

Intel and AMD Trusted Enclaves, a Foundation For Network Security, Fall To Physical Attacks (arstechnica.com) 96

Researchers have unveiled two new hardware-based attacks, Battering RAM and Wiretap, that break Intel SGX and AMD SEV-SNP trusted enclaves by exploiting deterministic encryption and physical interposers. Ars Technica reports: In the age of cloud computing, protections baked into chips from Intel, AMD, and others are essential for ensuring confidential data and sensitive operations can't be viewed or manipulated by attackers who manage to compromise servers running inside a data center. In many cases, these protections -- which work by storing certain data and processes inside encrypted enclaves known as TEEs (Trusted Execution Enclaves) -- are essential for safeguarding secrets stored in the cloud by the likes of Signal Messenger and WhatsApp. All major cloud providers recommend that customers use it. Intel calls its protection SGX, and AMD has named it SEV-SNP.

Over the years, researchers have repeatedly broken the security and privacy promises that Intel and AMD have made about their respective protections. On Tuesday, researchers independently published two papers laying out separate attacks that further demonstrate the limitations of SGX and SEV-SNP. One attack, dubbed Battering RAM, defeats both protections and allows attackers to not only view encrypted data but also to actively manipulate it to introduce software backdoors or to corrupt data. A separate attack known as Wiretap is able to passively decrypt sensitive data protected by SGX and remain invisible at all times.

The Almighty Buck

Venmo and PayPal Users Will Finally Be Able To Send Money To Each Other (techcrunch.com) 17

Starting in November, Venmo and PayPal users will finally be able to send money directly to each other, ending years of workarounds despite Venmo being owned by PayPal. TechCrunch reports: This change means that PayPal users will now be able to find Venmo users by inputting their phone numbers, and later, their email addresses. If you don't want PayPal users to be able to find you, you can update your settings in the Venmo app by navigating to Settings > Privacy > Find me... and while you're at it, you might as well default your Venmo transactions to private via Settings > Privacy. You'll thank me in the long run.

PayPal announced that it would broaden its network of payment systems in July, starting with Venmo, but the companies did not confirm the date of the update until now. This collection of partnerships, which PayPal has named PayPal World, will also work with Mercado Pago, NPCI International Payments Limited, and Tenpay Global. This will help users send money internationally without barriers and fees. Combined, Venmo and PayPal have 2 billion global users, according to PayPal.

The Almighty Buck

Swift To Build a Global Financial Blockchain (reuters.com) 33

Camembert writes: In a move that is sure to make Ripple nervous, traditional financial network Swift announced yesterday that it is partnering with Consensys and more than 30 global banks to build a blockchain-based network that will run in parallel with its traditional network. Interestingly, unlike XRP, there is no native coin, rather it aims for interoperability (probably using Chainlink with whom the company did case studies for a few years already). There is also a strong focus on regulatory compliance. There are several news articles and opinion pieces on this event; I linked the Reuters article.
United States

Landlords Are Demanding Tenants' Workplace Login Details To Verify Their Income (404media.co) 225

An anonymous reader writes: Landlords are using a service that logs into a potential renter's employer systems and scrapes their paystubs and other information en masse, potentially in violation of U.S. hacking laws, according to screenshots of the tool shared with 404 Media.

The screenshots highlight the intrusive methods some landlords use when screening potential tenants, taking information they may not need, or legally be entitled to, to assess a renter.

"This is a statewide consumer-finance abuse that forces renters to surrender payroll and bank logins or face homelessness," one renter who was forced to use the tool and who saw it taking more data than was necessary for their apartment application told 404 Media. 404 Media granted the person anonymity to protect them from retaliation from their landlord or the services used.

[...] "Argyle hijacked my live Workday session, stayed hidden from view, and downloaded every pay stub plus all W-4s back to 2024, each PDF seconds apart," they said. "Workday audit logs show dozens of 'Print' events from two IPs from a MAC which I do not use," they added, referring to a MAC address, a unique identifier assigned to each device on a network.

Power

California Now Has 68% More EV Chargers Than Gas Nozzles, Continues Green Energy Push (electrek.co) 278

Six months ago California had 48% more public and "shared" private EV chargers than gasoline nozzles. (In March California had 178,000 public and shared private EV chargers, versus about 120,000 gas nozzles.)

Since then they've added 23,000 more public/shared charging ports — and announced this week that there are now 68% more EV charger ports than the number of gasoline nozzles statewide. "Thanks to the state's ever-expanding charger network, 94% of Californians live within 10 minutes of an EV charger," according to the announcement from the state's energy policy agency. And the California Energy Commission staff told CleanTechnica they expect more chargers in the future. "We are watching increased private investment by consortiums like IONNA and OEMs like Rivian, Ford, and others that are actively installing EV charging stations throughout the state."

CleanTechnica notes that in 2019 the state had roughly 42,000 charging ports, and now there are a little over 200,000. (And today there are about 800,000 home EV chargers.)

This week California announced another milestone: that in 2024 nearly 23% of all the state's new truck sales — that's trucks, buses, and vans — were zero-emission vehicles. (The state subsidizes electric trucks — $200 million was requested on the program's first day.) Greenhouse gas emissions in California are down 20% since 2000 — even as the state's GDP increased 78% in that same time period all while becoming the world's fourth largest economy.

The state also continues to set clean energy records. California was powered by two-thirds clean energy in 2023, the latest year for which data is available — the largest economy in the world to achieve this level of clean energy. The state has run on 100% clean electricity for some part of the day almost every day this year.

"Last year, California ran on 100% clean electricity for the equivalent of 51 days," notes another announcement, which points out California has 15,763 MW of battery storage capacity — roughly a third of the amount projected to be needed by 2045.
Security

Escalation in Akira Campaign Targeting SonicWall VPNs, Deploying Ransomware, With Malicious Logins (arcticwolf.com) 6

Friday the security researchers at Arctic Wolf Labs wrote: In late July 2025, Arctic Wolf Labs began observing a surge of intrusions involving suspicious SonicWall SSL VPN activity. Malicious logins were followed within minutes by port scanning, Impacket SMB activity, and rapid deployment of Akira ransomware. Victims spanned across multiple sectors and organization sizes, suggesting opportunistic mass exploitation.

This campaign has recently escalated, with new infrastructure linked to it observed as late as September 20, 2025.

More from Cybersecurity News: SonicWall has linked these malicious logins to CVE-2024-40766, an improper access control vulnerability disclosed in 2024. The working theory is that threat actors harvested credentials from devices that were previously vulnerable and are now using them in this campaign, even if the devices have since been patched. This explains why fully patched devices have been compromised, a fact that initially led to speculation about a potential zero-day exploit.

Once inside a network, the attackers operate with remarkable speed. The time from initial access to ransomware deployment, known as "dwell time," is often measured in hours, with some intrusions taking as little as 55 minutes, Arctic Wolf said. This extremely short window for response makes early detection critical.

"Threat actors in the present campaign successfully authenticated against accounts with the one-time password (OTP) MFA feature enabled..." notes Arctic Wolf Labs: The threats described in this campaign demand early detection and a rapid response to avoid catastrophic impact to organizations. To facilitate this process, we recommend monitoring for VPN logins originating from untrusted hosting infrastructure. Equally important is ensuring visibility into internal networks, since lateral movement and ransomware encryption can occur within hours or even minutes of initial access. Monitoring for anomalous SMB activity indicative of Impacket use provides an additional early detection opportunity.

When firewalls are confirmed to be running firmware versions vulnerable to credential access or full configuration export, patching alone is not enough. In such situations, credentials must be reset wherever possible, including MFA-related secrets that might otherwise be thought of as secure, and Active Directory credentials with VPN access. These considerations are best practices that apply regardless of which firewall products are in use.

Thanks to Slashdot reader Mirnotoriety for suggesting this story.
The Internet

Cloudflare To Launch Stablecoin for AI-Driven Internet Economy (nerds.xyz) 21

Cloudflare announced plans Thursday to launch NET Dollar, a U.S. dollar-backed stablecoin designed to enable autonomous AI agents to conduct instant financial transactions. The company says the stablecoin will support microtransactions and pay-per-use models as AI agents take over tasks like booking flights and ordering groceries. BrianFagioli comments: A U.S. dollar-backed cryptocurrency from Cloudflare feels unusual to me, and I'm still surprised by it. The decision shows just how much the Internet is shifting in response to artificial intelligence.

CEO Matthew Prince said, "For decades, the business model of the Internet ran on ad platforms and bank transfers. The Internet's next business model will be powered by pay-per-use, fractional payments, and microtransactions -- tools that shift incentives toward original, creative content that actually adds value." He added that by using its global network, Cloudflare aims to "help modernize the financial rails needed to move money at the speed of the Internet."

Botnet

Record-Breaking DDoS Attack Peaks At 22 Tbps and 10 Bpps 24

Cloudflare blocked the largest-ever DDoS attack against a European network infrastructure company, which peaked at 22.2 Tbps and 10.6 Bpps. The hyper-volumetric attack has been linked to the Aisuru botnet and lasted just 40 seconds, but was double the size of the previous record. SecurityWeek reports: Cloudflare told SecurityWeek that the attack was aimed at a single IP address of an unnamed European network infrastructure company. Cloudflare has yet to determine who was behind the attack, but believes it may have been powered by the Aisuru botnet, which was also linked earlier this year to a massive 6.3 Tbps attack on the website of cybersecurity blogger Brian Krebs. Aisuru has been around for more than a year. The botnet is powered by hacked IoT devices such as routers and DVRs that have been compromised through the exploitation of known and zero-day vulnerabilities.

According to Cloudflare, the 22 Tbps attack was traced to over 404,000 unique source IPs across over 14 ASNs worldwide. "Based on internal analysis using a proprietary system, the source IPs were not spoofed," the company explained. The security firm described it as a UDP carpet bomb attack targeting an average of 31,000 destination ports per second, with a peak of 47k ports, all of a single IP address. Cloudflare revealed in July that the number of DDoS attacks it blocked in the first half of 2025 had already exceeded all the attacks mitigated in 2024.
