Data Storage

Seagate 'Spins Up' a Raid on a Counterfeit Hard Drive Workshop (tomshardware.com) 47

An anonymous reader shared this report from Tom's Hardware: According to German news outlet Heise, notable progress has been made regarding the counterfeit Seagate hard drive case. Just like something out of an action movie, security teams from Seagate's Singapore and Malaysian offices, in conjunction with local Malaysian authorities, conducted a raid on a warehouse in May that was engaged in cooking up counterfeit Seagate hard drives, situated outside Kuala Lumpur.

During the raid, authorities reportedly uncovered approximately 700 counterfeit Seagate hard drives, with SMART values that had been reset to facilitate their sale as new... However, Seagate-branded drives were not the only items involved, as authorities also discovered drives from Kioxia and Western Digital. Seagate suspects that the used hard drives originated from China during the Chia [cryptocurrency] boom. Following the cryptocurrency's downfall, numerous miners sold these used drives to workshops where many were illicitly repurposed to appear new. This bust may represent only the tip of the iceberg, as Heise estimates that at least one million of these Chia drives are circulating, although the exact number that have been recycled remains uncertain.

The clandestine workshop, likely one of many establishments in operation, reportedly employed six workers. Their responsibilities included resetting the hard drives' SMART values, cleaning, relabeling, and repackaging them for distribution and sale via local e-commerce platforms.

Data Storage

China is About To Launch SSDs So Small You Insert Them Like a SIM Card (theverge.com) 44

A Chinese storage manufacturer has developed a solid-state drive smaller than a U.S. penny that delivers sequential read speeds of 3,700 megabytes per second, according to The Verge.

The "Mini SSD" by Biwin measures 15mm x 17mm x 1.4mm thick and connects via PCIe 4x2, offering 512GB to 2TB capacities. The drive inserts into devices using a SIM card-style tray mechanism and claims IP68 water resistance plus three-meter drop protection. Two gaming portables announced at ChinaJoy will include slots for the drives: GPD's Win 5 handheld and OneNetbook's OneXPlayer Super X hybrid laptop/tablet, both powered by AMD's Strix Halo processors. The Mini SSD outpaces MicroSD Express cards used in Nintendo Switch 2 by nearly four times, though full-size M.2 drives remain faster at up to 14,000MB/s.

Power

A Huge $2 Billion 'Solar + Storage' Project in California Powers Up (electrek.co) 83

One of America's largest solar + battery storage projects "is now fully online in Mojave, California," reports Electrek: Arevon Energy's Eland Solar-plus-Storage Project combines 758 megawatts (MWdc) of solar with 300 MW/1,200 megawatt hours of battery storage. Eland 1 reached commercial operation in December 2024, and Eland 2 recently commenced full operation. The two combined comprise 1.36 million solar panels and 172 lithium iron phosphate batteries (LFP). Combined, the Eland 1 & 2 projects will be able to power more than 266,000 homes annually, and overall, can provide 7% of the total electricity requirements for the city of Los Angeles. "Arevon's Eland Solar-plus-Storage Project alone will ... push the city's clean energy share above 60%, a major milestone in LA's transition to being powered by 100% clean energy by 2035," said Los Angeles Mayor Karen Bass. Eland 1 & 2 created around 1,000 jobs to construct the project, and it's expected to disburse more than $36 million in local government payments throughout its lifetime.
The article points out that Arevon Energy "has more than 4,500 MW of solar and battery storage projects operating across 17 states — and more than 6 GW of new projects in its pipeline."

AI

Students Have Been Called to the Office - Or Arrested - for False Alarms from AI-Powered Surveillance Systems (apnews.com) 162

In 2023 a 13-year-old girl "made an offensive joke while chatting online with her classmates," reports the Associated Press.

But when the school's surveillance software spotted that joke, "Before the morning was even over, the Tennessee eighth grader was under arrest. She was interrogated, strip-searched and spent the night in a jail cell, her mother says." Her parents filed a lawsuit against the school system, according to the article (which points out the girl wasn't allowed to talk to her parents until the next day). "A court ordered eight weeks of house arrest, a psychological evaluation and 20 days at an alternative school for the girl." Gaggle's CEO, Jeff Patterson, said in an interview that the school system did not use Gaggle the way it is intended. The purpose is to find early warning signs and intervene before problems escalate to law enforcement, he said. "I wish that was treated as a teachable moment, not a law enforcement moment," said Patterson.
But that's just one example, the article points out. "Surveillance systems in American schools increasingly monitor everything students write on school accounts and devices." Thousands of school districts across the country use software like Gaggle and Lightspeed Alert to track kids' online activities, looking for signs they might hurt themselves or others. With the help of artificial intelligence, technology can dip into online conversations and immediately notify both school officials and law enforcement... In a country weary of school shootings, several states have taken a harder line on threats to schools. Among them is Tennessee, which passed a 2023 zero-tolerance law requiring any threat of mass violence against a school to be reported immediately to law enforcement....

Students who think they are chatting privately among friends often do not realize they are under constant surveillance, said Shahar Pasch, an education lawyer in Florida. One teenage girl she represented made a joke about school shootings on a private Snapchat story. Snapchat's automated detection software picked up the comment, the company alerted the FBI, and the girl was arrested on school grounds within hours... The technology can also involve law enforcement in responses to mental health crises. In Florida's Polk County Schools, a district of more than 100,000 students, the school safety program received nearly 500 Gaggle alerts over four years, officers said in public Board of Education meetings. This led to 72 involuntary hospitalization cases under the Baker Act, a state law that allows authorities to require mental health evaluations for people against their will if they pose a risk to themselves or others...

Information that could allow schools to assess the software's effectiveness, such as the rate of false alerts, is closely held by technology companies and unavailable publicly unless schools track the data themselves. Students in one photography class were called to the principal's office over concerns Gaggle had detected nudity. The photos had been automatically deleted from the students' Google Drives, but students who had backups of the flagged images on their own devices showed it was a false alarm. District officials said they later adjusted the software's settings to reduce false alerts. Natasha Torkzaban, who graduated in 2024, said she was flagged for editing a friend's college essay because it had the words "mental health...."

School officials have said they take concerns about Gaggle seriously, but also say the technology has detected dozens of imminent threats of suicide or violence. "Sometimes you have to look at the trade for the greater good," said Board of Education member Anne Costello in a July 2024 board meeting.

Earth

California Successfully Tests 'Virtual Power Plant', Drawing Power From Batteries in 100,000 Homes (yahoo.com) 104

"California's biggest electric utilities pulled off a record-breaking test..." reports Semafor, "during the 7pm-9pm window that is typically its time of peak demand as people come home from work." Pacific Gas & Electric and other top California power companies switched on residential batteries in more than 100,000 homes and drew power from them into the broader statewide grid. The purpose of the test — the largest ever in the state, which has by far the most home battery capacity in the U.S. — was to see just how much power is really there for the utility to tap, and to ensure it could be switched on, effectively running the grid in reverse, without causing a crash.

The result, which the research firm Brattle published this week, was 535 megawatts, equal to adding a big hydro dam or a half-sized nuclear reactor at a fraction of the cost. "Four years ago this capacity didn't even exist," Kendrick Li, PG&E's director of clean energy programs, told Semafor. "Now it's a really attractive option for us. It would be silly not to harness what our customers have installed...." Last week's test proved that in times of peak demand, PG&E can lean on its customers' batteries rather than turn on a gas-fired peaker plant or risk a blackout, Li said.

Virtual power plants (VPPs) also facilitate the addition of more solar energy on the grid: At the moment, California has so much solar generation at peak hours that it can push the wholesale power price close to or even below zero, a headache for grid managers and a disincentive for renewable project developers. The careful manipulation of networked residential batteries smooths out the timing disparity between peak sunshine at midday and peak demand in the evening, allowing the excess to be soaked up and redeployed when it's actually needed, and making power cheaper for everyone. The expanded use of VPPs shouldn't be noticeable to battery owners, Li said, except for the money back on their power bill; nothing about the process prevents them from running their AC or dishwasher while their battery is being tapped. The network can also run in reverse, with the utility taking excess power from the grid at times of low demand and sending it into home batteries for storage.

California could easily reach over a gigawatt of VPP capacity within five years, Li said. Nationwide, a Department of Energy study during the Biden administration forecast that VPP capacity could reach up to 160 gigawatts by 2030, essentially negating the need for dozens of new fossil fuel power plants, with no emissions and at a far lower cost. In 2024, utilities in 34 states moved to initiate or expand VPP networks, according to the advocacy group VP3.

Even with a reduction in federal credits, virtual power plants "offer a way for residential solar-plus-storage systems to remain economically attractive for homeowners — who get paid for the withdrawn power," the article points out — and "a way to make better use of clean energy resources that have already been built."

Sunrun's distributed battery fleet "delivered more than two-thirds of the energy," notes Electrek, "In total, the event pumped an average of 535 megawatts (MW) onto the grid — enough to power over half of San Francisco... This isn't a one-off. Sunrun's fleet already helped drop peak demand earlier this summer, delivering 325 MW during a similar event on June 24.

"The company compensates customers up to $150 per battery per season for participating."

The Courts

AI Industry Horrified To Face Largest Copyright Class Action Ever Certified (arstechnica.com) 188

An anonymous reader quotes a report from Ars Technica: AI industry groups are urging an appeals court to block what they say is the largest copyright class action ever certified. They've warned that a single lawsuit raised by three authors over Anthropic's AI training now threatens to "financially ruin" the entire AI industry if up to 7 million claimants end up joining the litigation and forcing a settlement. Last week, Anthropic petitioned (PDF) to appeal the class certification, urging the court to weigh questions that the district court judge, William Alsup, seemingly did not. Alsup allegedly failed to conduct a "rigorous analysis" of the potential class and instead based his judgment on his "50 years" of experience, Anthropic said.

If the appeals court denies the petition, Anthropic argued, the emerging company may be doomed. As Anthropic argued, it now "faces hundreds of billions of dollars in potential damages liability at trial in four months" based on a class certification rushed at "warp speed" that involves "up to seven million potential claimants, whose works span a century of publishing history," each possibly triggering a $150,000 fine. Confronted with such extreme potential damages, Anthropic may lose its rights to raise valid defenses of its AI training, deciding it would be more prudent to settle, the company argued. And that could set an alarming precedent, considering all the other lawsuits generative AI (GenAI) companies face over training on copyrighted materials, Anthropic argued. "One district court's errors should not be allowed to decide the fate of a transformational GenAI company like Anthropic or so heavily influence the future of the GenAI industry generally," Anthropic wrote. "This Court can and should intervene now."

In a court filing Thursday, the Consumer Technology Association and the Computer and Communications Industry Association backed Anthropic, warning the appeals court that "the district court's erroneous class certification" would threaten "immense harm not only to a single AI company, but to the entire fledgling AI industry and to America's global technological competitiveness." According to the groups, allowing copyright class actions in AI training cases will result in a future where copyright questions remain unresolved and the risk of "emboldened" claimants forcing enormous settlements will chill investments in AI. "Such potential liability in this case exerts incredibly coercive settlement pressure for Anthropic," industry groups argued, concluding that "as generative AI begins to shape the trajectory of the global economy, the technology industry cannot withstand such devastating litigation. The United States currently may be the global leader in AI development, but that could change if litigation stymies investment by imposing excessive damages on AI companies."

Data Storage

First Ever Reviews of Mario and Zelda (404media.co) 34

An anonymous reader quotes a report from 404 Media: Some of the first reviews ever written for the original Legend of Zelda and Super Mario Bros. have been digitized and published by the Video Game History Foundation. The reviews appeared in Computer Entertainer, an early video game magazine that ran from 1982 to 1990. The archivists at the Foundation tracked down the magazine's entire run and have published it all online under a Creative Commons license.

Privacy

Meta Eavesdropped On Period-Tracker App's Users, Jury Rules (sfgate.com) 101

A San Francisco jury ruled that Meta violated the California Invasion of Privacy Act by collecting sensitive data from users of the Flo period-tracking app without consent. "The plaintiff's lawyers who sued Meta are calling this a 'landmark' victory -- the tech company contends that the jury got it all wrong," reports SFGATE. From the report: The case goes back to 2021, when eight women sued Flo and a group of other tech companies, including Google and Facebook, now known as Meta. The stakes were extremely personal. Flo asked users about their sex lives, mental health and diets, and guided them through menstruation and pregnancy. Then, the women alleged, Flo shared pieces of that data with other companies. The claims were largely based on a 2019 Wall Street Journal story and a 2021 Federal Trade Commission investigation. Google, Flo and the analytics company Flurry, which was also part of the lawsuit, reached settlements with the plaintiffs, as is common in class action lawsuits about tech privacy. But Meta stuck it out through the entire trial and lost.

The case against Meta focused on its Facebook software development kit, which Flo added to its app and which is generally used for analytics and advertising services. The women alleged that between June 2016 and February 2019, Flo sent Facebook, through that kit, various records of "Custom App Events" -- such as a user clicking a particular button in the "wanting to get pregnant" section of the app. Their complaint also pointed to Facebook's terms for its business tools, which said the company used so-called "event data" to personalize ads and content.

In a 2022 filing (PDF), the tech giant admitted that Flo used Facebook's kit during this period and that the app sent data connected to "App Events." But Meta denied receiving intimate information about users' health. Nonetheless, the jury ruled (PDF) against Meta. Along with the eavesdropping decision, the group determined that Flo's users had a reasonable expectation they weren't being overheard or recorded, as well as ruling that Meta didn't have consent to eavesdrop or record. The unanimous verdict was that the massive company violated the California Invasion of Privacy Act.
The jury's ruling could impact over 3.7 million U.S. users who registered between November 2016 and February 2019, with updates to be shared via email and a case website. The exact compensation from the trial or potential settlements remains uncertain.

Data Storage

RIP To the Macintosh HD Hard Drive Icon, 2000-2025 (arstechnica.com) 93

An anonymous reader quotes a report from Ars Technica: Apple released a new developer beta build of macOS 26 Tahoe today, and it came with another big update for a familiar icon. The old Macintosh HD hard drive icon, for years represented by a facsimile of an old spinning hard drive, has been replaced with something clearly intended to resemble a solid-state drive (the SSD in your Mac actually looks like a handful of chips soldered to a circuit board, but we'll forgive the creative license).

The Macintosh HD icon became less visible a few years back, when new macOS installs stopped showing your internal disk on the desktop by default. It has also been many years since Apple shifted to SSDs as the primary boot media for new Macs. It's not clear why the icon is being replaced now, instead of years ago -- maybe the icon had started clicking, and Apple just wanted to replace it before it suffered from catastrophic icon failure -- but regardless, the switch is logical (this is a computer storage pun).
Apple's iconic Macintosh HD hard drive icon was first introduced in a 2000 Mac OS X beta and remained largely unchanged for over two decades, with only subtle updates in 2012 and 2014.

The first SSD-equipped Mac was in 2008, "when the original MacBook Air came out," notes Ars. "By the time 'Retina' Macs began arriving in the early 2010s, SSDs had become the primary boot disk for most of them; laptops tended to be all-SSD, while desktops could be configured with an SSD or a hybrid Fusion Drive that used an SSD as boot media and an HDD for mass storage. Apple stopped shipping spinning hard drives entirely when the last of the Intel iMacs went away."

Data Storage

DRAM Prices Soar as China Eyes Self-Reliance For High-End Chips (nikkei.com) 30

Standard DDR4 DRAM prices doubled between May and June 2025, with 8-gigabit units reaching $4.12 and 4-gigabit units hitting $3.14 -- the latter's highest level since July 2021, according to electronics trading companies cited by Nikkei Asia. The unprecedented single-month doubling follows speculation that Chinese manufacturer ChangXin Memory Technologies has halted DDR4 production to shift factories toward DDR5 memory for AI applications.

DDR4 currently comprises 60% of desktop PC memory while DDR5 accounts for 40%, per Tokyo-based BCN research. Samsung Electronics, SK Hynix, and Micron Technology controlled 90% of the global DRAM market in Q2 2025.

Data Storage

What Happens To Your Data If You Stop Paying for Cloud Storage? (wired.com) 38

Major cloud storage providers maintain unclear policies about deleting user data after subscription cancellations, Wired reports, with deletion timelines ranging from six months to indefinite preservation.

Apple reserves the right to delete iCloud backups after 180 days of device inactivity but does not specify what happens to general file storage. Google may delete content after users exceed free storage limits for extended periods, though files remain safe for two years after cancellation.

Microsoft may delete OneDrive files after six months of non-payment, while Dropbox preserves files indefinitely without expiration dates. All providers revert users to limited free storage tiers upon cancellation, with Apple and Microsoft offering 5GB, Google providing 15GB, and Dropbox allowing 2GB.

Power

Four Radioactive Wasp Nests Found Near US Nuclear Storage Site (nbcnews.com) 76

The Washington Post reports: In early July, a wasp nest with a radiation level 10 times what is allowed by federal regulations was found inside the grounds of a sprawling Cold War-era nuclear site in South Carolina that today partly serves as a storage area for radioactive liquid waste. Federal officials said Friday that at least three more contaminated wasp nests were found within the 310-square-mile Savannah River Site, which encompasses an area more than four times the size of the District of Columbia...

[F]ederal authorities said that the discoveries were not cause for alarm and experts noted that the discovery of radioactivity in wildlife near nuclear facilities did not necessarily indicate the likelihood of a major leak... In a statement sent to reporters, Edwin Deshong, manager of the Savannah River Site's Office of Environmental Management, said the wasp nests had "very low levels of radioactive contamination" and did not pose health risks to the site's workers, nearby residents or the environment... The Savannah River Site's 43 active underground waste tanks have more than 34 million gallons of radioactive liquid waste. The oldest tanks have previously "developed small hairline cracks" that led to small-volume leaks, the Savannah River Site says on its website.

A July report after the first nest was found said there was "no impact" from the contaminated nest, the Post reports, with the nest's high radioactivity level due to "on-site legacy radioactive contamination" rather than "a loss of contamination control." More from the Associated Press: The tank farm is well inside the boundaries of the site and wasps generally fly just a few hundred yards from their nests, so there is no danger they are outside the facility, according to a statement from Savannah River Mission Completion which now oversees the site. If there had been wasps found, they would have significantly lower levels of radiation than their nests, according to the statement which was given to the Aiken Standard.

Thanks to long-time Slashdot reader sandbagger for sharing the news.

Power

Peak Energy Ships America's First Grid-Scale Sodium-Ion Battery (electrek.co) 107

Longtime Slashdot reader AmiMoJo shares a report from Electrek: Peak Energy shipped out its first sodium-ion battery energy storage system, and the New York-based company says it's achieved a first in three ways: the US's first grid-scale sodium-ion battery storage system; the largest sodium-ion phosphate pyrophosphate (NFPP) battery system in the world; and the first megawatt-hour scale battery to run entirely on passive cooling -- no fans, pumps, or vents. That's significant because removing moving parts and ditching active cooling systems eliminates fire risk.

According to the Electric Power Research Institute, 89% of battery fires in the US trace back to thermal management issues. Peak's design doesn't have those issues because it doesn't have those systems. Instead, the 3.5 MWh system uses a patent-pending passive cooling architecture that's simpler, more reliable, and cheaper to run and maintain. The company says its technology slashes auxiliary power needs by up to 90%, saves about $1 million annually per gigawatt hour of storage, and cuts battery degradation by 33% over a 20-year lifespan. [...]

Peak is working with nine utility and independent power producer (IPP) customers on a shared pilot this summer. That deployment unlocks nearly 1 GWh of future commercial contracts now under negotiation. The company plans to ship hundreds of megawatt hours of its new system over the next two years, and it's building its first US cell factory, which is set to start production in 2026.

Science

Researchers Develop a Low-Cost Visual Microphone (phys.org) 23

alternative_right shares a report from Phys.org: Researchers have created a microphone that listens with light instead of sound. Unlike traditional microphones, this visual microphone captures tiny vibrations on the surfaces of objects caused by sound waves and turns them into audible signals. In the journal Optics Express, the researchers describe the new approach, which applies single-pixel imaging to sound detection for the first time. Using an optical setup without any expensive components, they demonstrate that the technique can recover sound by using the vibrations on the surfaces of everyday objects such as leaves and pieces of paper. [...]

To demonstrate the new visual microphone, the researchers tested its ability to reconstruct Chinese and English pronunciations of numbers as well as a segment from Beethoven's Fur Elise. They used a paper card and a leaf as vibration targets, placing them 0.5 meters away from the objects while a nearby speaker played the audio. The system was able to successfully reconstruct clear and intelligible audio, with the paper card producing better results than the leaf. Low-frequency sounds (1 kHz) showed slight distortion that improved when a signal processing filter was applied. Tests of the system's data rate showed it produced 4 MB/s, a rate sufficiently low to minimize storage demands and allow for long-term recording.

"Currently, this technology still only exists in the laboratory and can be used in special scenarios where traditional microphones fail to work," said research team leader Xu-Ri Yao from Beijing Institute of Technology in China. "We aim to expand the system into other vibration measurement applications, including human pulse and heart rate detection, leveraging its multifunctional information sensing capabilities."

Earth

Google's AlphaEarth AI Maps Any 10-Meter Area on Earth Using Satellite Data (blog.google) 8

Google today announced AlphaEarth Foundations, a new AI model that processes terabytes of daily satellite data to track environmental changes across the planet. The system, part of Google's broader Earth AI initiative, uses machine learning to compress satellite imagery into color-coded maps showing material properties, vegetation types, groundwater sources, and human constructions down to 10-meter resolution.

The model uses a technique called "embeddings" that reduces storage requirements by 16 times compared to other AI tools Google tested, while delivering 23.9% higher accuracy than similar systems. AlphaEarth has already mapped complex Antarctic terrain and identified variations in Canadian agricultural land use invisible to direct observation.

The technology currently powers flood and wildfire alerts in Google Search and Maps. Research organizations including Brazil's MapBiomas and the Global Ecosystems Atlas are using the system to analyze rainforests, deserts, and wetlands. The model integrates with Google Earth Engine, providing agencies like NASA and the Forest Service access to over one trillion annual data points for environmental monitoring and mapping applications.

Data Storage

'The Future is Not Self-Hosted' (drewlyton.com) 175

A software developer who built his own home server in response to Amazon's removal of Kindle book downloads now argues that self-hosting "is NOT the future we should be fighting for." Drew Lyton constructed a home server running open-source alternatives to Google Drive, Google Photos, Audible, Kindle, and Netflix after Amazon announced that "Kindle users would no longer be able to download and back up their book libraries to their computers."

The change prompted Amazon to update Kindle store language to say "users are purchasing licenses -- not books." Lyton's setup involved a Lenovo P520 with 128GB RAM, multiple hard drives, and Docker containers running applications like Immich for photo storage and Jellyfin for media streaming. The technical complexity required "138 words to describe but took me the better part of two weeks to actually do."

The implementation was successful but Lyton concluded that self-hosting "assumes isolated, independent systems are virtuous. But in reality, this simply makes them hugely inconvenient." He proposes "publicly funded, accessible, at cost cloud-services" as an alternative, suggesting libraries could provide "100GB of encrypted file storage, photo-sharing and document collaboration tools, and media streaming services -- all for free."

Operating Systems

Linux 6.16 Brings Faster File Systems, Improved Confidential Memory Support, and More Rust Support (zdnet.com) 50

ZDNet's Steven Vaughan-Nichols shares his list of "what's new and improved" in the latest Linux 6.16 kernel. An anonymous reader shares an excerpt from the report: First, the Rust language is continuing to become more well-integrated into the kernel. At the top of my list is that the kernel now boasts Rust bindings for the driver core and PCI device subsystem. This approach will make it easier to add new Rust-based hardware drivers to Linux. Additionally, new Rust abstractions have been integrated into the Direct Rendering Manager (DRM), particularly for ioctl handling, file/GEM memory management, and driver/device infrastructure for major GPU vendors, such as AMD, Nvidia, and Intel. These changes should reduce vulnerabilities and optimize graphics performance. This will make gamers and AI/ML developers happier.

Linux 6.16 also brings general improvements to Rust crate support. Crate is Rust's packaging format. This will make it easier to build, maintain, and integrate Rust kernel modules into the kernel. For those of you who still love C, don't worry. The vast majority of kernel code remains in C, and Rust is unlikely to replace C soon. In a decade, we may be telling another story. Beyond Rust, this latest release also comes with several major file system improvements. For starters, the XFS filesystem now supports large atomic writes. This capability means that large multi-block write operations are 'atomic,' meaning all blocks are updated or none. This enhances data integrity and prevents data write errors. This move is significant for companies that use XFS for databases and large-scale storage.

Perhaps the most popular Linux file system, Ext4, is also getting many improvements. These boosts include faster commit paths, large folio support, and atomic multi-fsblock writes for bigalloc filesystems. What these improvements mean, if you're not a file-system nerd, is that we should see speedups of up to 37% for sequential I/O workloads. If your Linux laptop doubles as a music player, another nice new feature is that you can now stream your audio over USB even while the rest of your system is asleep. That capability's been available in Android for a while, but now it's part of mainline Linux.

If security is a top priority for you, the 6.16 kernel now supports Intel Trusted Execution Technology (TXT) and Intel Trusted Domain Extensions (TDX). This addition, along with Linux's improved support for AMD Secure Encrypted Virtualization and Secure Memory Encryption (SEV-SNP), enables you to encrypt your software's memory in what's known as confidential computing. This feature improves cloud security by encrypting a user's virtual machine memory, meaning someone who cracks a cloud can't access your data.
Linux 6.16 also delivers several chip-related upgrades. It introduces support for Intel's Advanced Performance Extensions (APX), doubling x86 general-purpose registers from 16 to 32 and boosting performance on next-gen CPUs like Lunar Lake and Granite Rapids Xeon. Additionally, the new CONFIG_X86_NATIVE_CPU option allows users to build processor-optimized kernels for greater efficiency.

Support for Nvidia's AI-focused Blackwell GPUs has also been improved, and updates to TCP/IP with DMABUF help offload networking tasks to GPUs and accelerators. While these changes may go unnoticed by everyday users, high-performance systems will see gains and OpenVPN users may finally experience speeds that challenge WireGuard.

Businesses

Dog-Walking Startup 'Wag' Files For Bankruptcy (sfgate.com) 89

An anonymous reader quotes a report from SFGATE: During the 2010s' boom in on-demand services such as Uber and DoorDash, Wag staked a claim to the market for dog walking. It became a buzzy, high-flying company, at one point gaining a valuation of around $650 million, and grew to offer a whole range of tech products for pet care. But as the years passed, struggles mounted and profits remained elusive. On July 21, Wag filed (PDF) for bankruptcy. To stay alive, the San Francisco-headquartered company is now using bankruptcy court to restructure in what's known as a Chapter 11 process. Its lines of business -- including gig-work dog walking and sitting, pet insurance, and the veterinary tool "Furscription" -- will remain open, according to a news release. If a judge approves Wag's restructuring plan, it will take the company off the public markets and into the private hands of a company called Retriever.

On the same day of the bankruptcy filing, Wag's chief financial officer, Alec Davidian, submitted a document (PDF) supporting and explaining the move. He wrote that Wag's "monthly revenues declined rapidly after March 2020 as a result of the COVID-19 pandemic" and pointed to $69.5 million in losses from 2022 through 2024. The losses weren't Wag's only problem. The company had taken out debt in 2022 when it went public, and in that loan agreement, it had set a minimum level of cash Wag would need to have on hand at all times. This year, Wag dropped below that amount, Davidian wrote. Wag also failed to find a third-party deal to get more money, the CFO noted, and its debt obligations are set to mature in August, meaning the company was "facing a dire liquidity crisis." So, Wag opted for the bankruptcy proceeding, in which it plans to eliminate the 2022 debt, which is currently held by Retriever.

"Through the Restructuring," Davidian wrote, "[Wag] will emerge from these Chapter 11 Cases a stronger company, with a more sustainable capital structure that is better aligned with [Wag's] present and future operating prospects."

Privacy

A Second Tea Breach Reveals Users' DMs About Abortions and Cheating (404media.co) 117

A second, far more recent data breach at women's dating safety app Tea has exposed over a million sensitive user messages -- including discussions about abortions, infidelity, and shared contact info. This vulnerability not only compromised private conversations but also made it easy to unmask anonymous users. 404 Media reports: Despite Tea's initial statement that "the incident involved a legacy data storage system containing information from over two years ago," the second issue impacting a separate database is much more recent, affecting messages up until last week, according to the researcher's findings that 404 Media verified. The researcher said they also found the ability to send a push notification to all of Tea's users.

It's hard to overstate how sensitive this data is and how it could put Tea's users at risk if it fell into the wrong hands. When signing up, Tea encourages users to choose an anonymous screenname, but it was trivial for 404 Media to find the real world identities of some users given the nature of their messages, which Tea has led them to believe were private. Users could be easily found via their social media handles, phone numbers, and real names that they shared in these chats. These conversations also frequently make damning accusations against people who are also named in the private messages and in some cases are easy to identify. It is unclear who else may have discovered the security issue and downloaded any data from the more recent database. Members of 4chan found the first exposed database last week and made tens of thousands of images of Tea users available for download. Tea told 404 Media it has contacted law enforcement. [...]

This new data exposure is due to any Tea user being able to use their own API key to access a more recent database of user data, Rahjerdi said. The researcher says that this issue existed until late last week. That exposure included a mass of Tea users' private messages. In some cases, the women exchange phone numbers so they can continue the conversation off platform. The first breach was due to an exposed instance of app development platform Firebase, and impacted tens of thousands of selfie and driver license images. At the time, Tea said in a statement "there is no evidence to suggest that current or additional user data was affected." The second database includes a data field called "sent_at," with many of those messages being marked as recent as last week.

Open Source

Google's New Security Project 'OSS Rebuild' Tackles Package Supply Chain Verification (googleblog.com) 13

This week Google's Open Source Security Team announced "a new project to strengthen trust in open source package ecosystems" — by reproducing upstream artifacts.

It includes automation to derive declarative build definitions, new "build observability and verification tools" for security teams, and even "infrastructure definitions" to help organizations rebuild, sign, and distribute provenance by running their own OSS Rebuild instances. (And as part of the initiative, the team also published SLSA Provenance attestations "for thousands of packages across our supported ecosystems.")

Our aim with OSS Rebuild is to empower the security community to deeply understand and control their supply chains by making package consumption as transparent as using a source repository. Our rebuild platform unlocks this transparency by utilizing a declarative build process, build instrumentation, and network monitoring capabilities which, within the SLSA Build framework, produces fine-grained, durable, trustworthy security metadata. Building on the hosted infrastructure model that we pioneered with OSS Fuzz for memory issue detection, OSS Rebuild similarly seeks to use hosted resources to address security challenges in open source, this time aimed at securing the software supply chain... We are committed to bringing supply chain transparency and security to all open source software development. Our initial support for the PyPI (Python), npm (JS/TS), and Crates.io (Rust) package registries — providing rebuild provenance for many of their most popular packages — is just the beginning of our journey...

OSS Rebuild helps detect several classes of supply chain compromise:

- Unsubmitted Source Code: When published packages contain code not present in the public source repository, OSS Rebuild will not attest to the artifact.

- Build Environment Compromise: By creating standardized, minimal build environments with comprehensive monitoring, OSS Rebuild can detect suspicious build activity or avoid exposure to compromised components altogether.

- Stealthy Backdoors: Even sophisticated backdoors like xz often exhibit anomalous behavioral patterns during builds. OSS Rebuild's dynamic analysis capabilities can detect unusual execution paths or suspicious operations that are otherwise impractical to identify through manual review.


For enterprises and security professionals, OSS Rebuild can...

- Enhance metadata without changing registries by enriching data for upstream packages. No need to maintain custom registries or migrate to a new package ecosystem.

- Augment SBOMs by adding detailed build observability information to existing Software Bills of Materials, creating a more complete security picture...

- Accelerate vulnerability response by providing a path to vendor, patch, and re-host upstream packages using our verifiable build definitions...


The easiest (but not only!) way to access OSS Rebuild attestations is to use the provided Go-based command-line interface.

"With OSS Rebuild's existing automation for PyPI, npm, and Crates.io, most packages obtain protection effortlessly without user or maintainer intervention."

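As an added illustration of the "Unsubmitted Source Code" check listed above (not code from Google or the OSS Rebuild project, and not a description of how OSS Rebuild itself compares artifacts, which the summary does not give), the Python below compares a published archive against an independent rebuild by per-file content hash, ignoring metadata such as timestamps that legitimately differ between builds. The package name, file paths and archive contents are constructed sample data.

```python
import hashlib
import io
import tarfile


def make_sdist(files, mtime=0, uname="builder"):
    """Build a constructed .tar.gz in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = mtime      # differs between independent builds
            info.uname = uname      # differs between builders
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def content_digests(archive_bytes):
    """Map each regular file to its SHA-256, ignoring timestamps and owners."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_artifacts(published, rebuilt):
    """Report files present only on one side or with differing content."""
    pub, reb = content_digests(published), content_digests(rebuilt)
    return {
        "only_in_published": sorted(pub.keys() - reb.keys()),
        "only_in_rebuild": sorted(reb.keys() - pub.keys()),
        "content_differs": sorted(n for n in pub.keys() & reb.keys() if pub[n] != reb[n]),
    }


# Constructed sample data: one source tree, a rebuild, and two "published" archives.
SOURCE = {"pkg-1.0/pkg/__init__.py": b"VERSION = '1.0'\n",
          "pkg-1.0/setup.py": b"from setuptools import setup\nsetup(name='pkg')\n"}
REBUILT = make_sdist(SOURCE, mtime=1_700_000_000, uname="rebuilder")
CLEAN = make_sdist(SOURCE, mtime=1_600_000_000, uname="maintainer")
TAMPERED = make_sdist({**SOURCE,
                       "pkg-1.0/pkg/__init__.py": b"VERSION = '1.0'\nimport pkg._extra\n",
                       "pkg-1.0/pkg/_extra.py": b"# not in the source repository\n"},
                      mtime=1_600_000_000, uname="maintainer")
```

A byte-for-byte comparison would flag `CLEAN` as different from `REBUILT` because of the metadata alone; the per-file comparison reports a difference only for `TAMPERED`.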