Secure Boot Bypass Risk Threatens Nearly 200,000 Linux Framework Laptops
Roughly 200,000 Linux-based Framework laptops shipped with a signed UEFI shell command (mm) that can be abused to bypass Secure Boot protections -- allowing attackers to load persistent bootkits like BlackLotus or HybridPetya. Framework has begun patching affected models, though some fixes and DBX updates are still pending. BleepingComputer reports: According to firmware security company Eclypsium, the problem stems from including a 'memory modify' (mm) command in legitimately signed UEFI shells that Framework shipped with its systems. The command provides direct read/write access to system memory and is intended for low-level diagnostics and firmware debugging. However, it can also be leveraged to break the Secure Boot trust chain by targeting the gSecurity2 variable, a critical component in the process of verifying the signatures of UEFI modules.
The mm command can be abused to overwrite gSecurity2 with NULL, effectively disabling signature verification. "This command writes zeros to the memory location containing the security handler pointer, effectively disabling signature verification for all subsequent module loads." The researchers also note that the attack can be automated via startup scripts to persist across reboots.
Read more of this story at Slashdot.
Categories: Linux
NordVPN Embraces Open Source By Releasing Its Linux GUI On GitHub
BrianFagioli shares a report from NERDS.xyz: NordVPN has open sourced its Linux GUI on GitHub, giving the community full access to the code behind its graphical client. The move follows a 70 percent surge in daily active Linux users since the GUI's debut earlier this year, showing clear demand for a user friendly VPN experience on the platform. Alongside the previously open sourced command line tool, the GUI codebase is now available for anyone to audit, modify, and contribute to. While NordVPN's core backend infrastructure remains proprietary, the company says the open source release reflects its commitment to transparency and collaboration with the Linux community. The GUI can also now be installed with a single command using Snap, simplifying setup and ensuring automatic updates across distributions.
Categories: Linux
Google Announces $15 Billion Investment In AI Hub In India
An anonymous reader quotes a report from the Associated Press: Google announced on Tuesday that it will invest $15 billion in India over the next five years to establish its first artificial intelligence hub in the country. Located in the southern city of Visakhapatnam, the hub will be one of Google's largest globally. It will feature gigawatt-scale data center operations, extensive energy infrastructure and an expanded fiber-optic network, the company said in a statement. The investment underscores Google's growing reliance on India as a key technology and talent base in the global race for AI dominance.
For India, it brings in high-value infrastructure and foreign investment at a scale that can accelerate its digital transformation ambitions. Google said its AI hub investment will include construction of a new international subsea gateway that would connect to the company's more than 2 million miles (3.2 million kilometers) of existing terrestrial and subsea cables. "The initiative creates substantial economic and societal opportunities for both India and the United States, while pioneering a generational shift in AI capability," the company's statement said.
Are AI Agents Compromised By Design?
Longtime Slashdot reader Gadi Evron writes: Bruce Schneier and Barath Raghavan say agentic AI is already broken at the core. In their IEEE Security & Privacy essay, they argue that AI agents run on untrusted data, use unverified tools, and make decisions in hostile environments. Every part of the OODA loop (observe, orient, decide, act) is open to attack. Prompt injection, data poisoning, and tool misuse corrupt the system from the inside. The model's strength, treating all input as equal, also makes it exploitable. They call this the AI security trilemma: fast, smart, or secure. Pick two. Integrity isn't a feature you bolt on later. It has to be built in from the start. "Computer security has evolved over the decades," the authors wrote. "We addressed availability despite failures through replication and decentralization. We addressed confidentiality despite breaches using authenticated encryption. Now we need to address integrity despite corruption."
"Trustworthy AI agents require integrity because we can't build reliable systems on unreliable foundations. The question isn't whether we can add integrity to AI but whether the architecture permits integrity at all."
Walmart, ChatGPT Team Up For Shopping
Walmart announced a new partnership with OpenAI that will let customers shop using ChatGPT. "For many years now, eCommerce shopping experiences have consisted of a search bar and a long list of item responses. That is about to change," Walmart CEO Doug McMillon said in a statement. NBC News reports: It was unclear Tuesday what the terms of the Walmart-AI partnership would be. The announcement also did not say when shoppers can expect to see ChatGPT integrated with their Walmart online shopping experiences, only that it's coming "soon." The OpenAI announcement is part of a broader push by Walmart, the biggest private employer in the U.S., to incorporate AI into its daily operations.
"We're excited to partner with Walmart to make everyday purchases a little simpler. It's just one way AI will help people every day under our work together," Sam Altman, the co-founder and CEO of OpenAI, said in a statement. The partnership could also serve OpenAI by introducing ChatGPT to a massive set of consumers who may not be as accustomed to using AI chats in their shopping as OpenAI's core user base. "There is a native AI experience coming that is multi-media, personalized and contextual," said Walmart's McMillon.
Windows 10 Support 'Ends' Today
An anonymous reader quotes a report from Ars Technica: Today is the official end-of-support date for Microsoft's Windows 10. That doesn't mean these PCs will suddenly stop working, but if you don't take action, it does mean your PC has received its last regular security patches and that Microsoft is washing its hands of technical support. This end-of-support date comes about a decade after the initial release of Windows 10, which is typical for most Windows versions. But it comes just four years after Windows 10 was replaced by Windows 11, a version with stricter system requirements that left many older-but-still-functional PCs with no officially supported upgrade path. As a result, Windows 10 still runs on roughly 40 percent of the world's Windows PCs (or around a third of US-based PCs), according to StatCounter data.
But this end-of-support date also isn't set in stone. Home users with Windows 10 PCs can enroll in Microsoft's Extended Security Updates (ESU) program, which extends the support timeline by another year. [...] Home users can only get a one-year stay of execution for Windows 10, but IT administrators and other institutions with fleets of Windows 10 PCs can also pay for up to three years of ESUs, which is also roughly the amount of time users can expect new Microsoft Defender antivirus updates and updates for core apps like Microsoft Edge. Obviously, Microsoft's preferred upgrade path would be either an upgrade to Windows 11 for PCs that meet the requirements or an upgrade to a new PC that does support Windows 11. It's also still possible, at least for now, to install and run Windows 11 on unsupported PCs. Your day-to-day experience will generally be pretty good, though installing Microsoft's major yearly updates (like the upcoming Windows 11 25H2 update) can be a bit of a pain.
Framework flame war erupts over support of politically polarizing Linux projects - theregister.com
Categories: Linux
Salesforce Says AI Customer Service Saves $100 Million Annually
Salesforce says it's saving about $100 million a year by using AI tools in the software company's customer service operations. From a report: The company is working to sell AI features that can handle work such as customer service or early-stage sales. To illustrate the value of the Agentforce product to business clients, Salesforce has been vocal about its own use of the technology.
Chief Executive Officer Marc Benioff announced the statistic on Salesforce's savings during a speech Tuesday at the annual Dreamforce conference in San Francisco. The company said more than 12,000 customers are using Agentforce. For example, Reddit was able to cut customer support resolution time by 84%, Salesforce said.
DirecTV Will Soon Bring AI Ads To Your Screensaver
DirecTV wants to use AI to put you, your family, and your pets inside a custom TV screensaver. From a report: If that's not uncanny enough, you'll find items you can shop for within that AI environment, whether it's a piece of clothing similar to the one your AI likeness is wearing or a piece of furniture that pops up alongside it.
The satellite TV giant is partnering with the AI company Glance to roll out this experience to DirecTV Gemini devices starting next year. "We are making television a lean-in experience versus lean back," Rajat Wanchoo, the group vice president of commercial partnerships at Glance, tells The Verge. "We want to give users a chance to use the advancements that have happened in generative AI to create a ChatGPT moment for themselves, but on TV." Glance is owned by InMobi, the same company that injected ecommerce bloatware into Motorola's budget phones.
Lawyer Caught Using AI While Explaining to Court Why He Used AI
An anonymous reader shares a report: An attorney in a New York Supreme Court commercial case got caught using AI in his filings, and then got caught using AI again in the brief where he had to explain why he used AI, according to court documents filed earlier this month.
New York Supreme Court Judge Joel Cohen wrote in a decision granting the plaintiff's attorneys' request for sanctions that the defendant's counsel, Michael Fourte's law offices, not only submitted AI-hallucinated citations and quotations in the summary judgment brief that led to the filing of the plaintiff's motion for sanctions, but also included "multiple new AI-hallucinated citations and quotations" in the process of opposing the motion.
"In other words," the judge wrote, "counsel relied upon unvetted AI -- in his telling, via inadequately supervised colleagues -- to defend his use of unvetted AI."
The case itself centers on a dispute between family members and a defaulted loan. The details of the case involve a fairly run-of-the-mill domestic money beef, but Fourte's office allegedly using AI that generated fake citations, and then inserting nonexistent citations into the opposition brief, has become the bigger story.
Indonesia's Film Industry Embraces AI To Make Hollywood-style Movies For Cheap
Indonesia's film industry has started using generative AI tools to produce films at a fraction of Hollywood budgets. The country's filmmakers are deploying ChatGPT for scriptwriting, Midjourney for image generation, and Runway for video storyboarding. VFX artist Amilio Garcia Leonard told Rest of World that AI has reduced his draft editing time by 70%.
The Indonesian Film Producer Association supports the technology. Indonesian films typically cost 10 billion rupiah ($602,500), less than 1% of major Hollywood productions. The sector employed about 40,000 people in 2020 and generated over $400 million in box office sales in 2023. Jobs for storyboarders, VFX artists, and voice actors are disappearing.
The World is Producing More Food Crops Than Ever Before
The United Nations Food and Agriculture Organization projects record production of global cereal crops in the 2025-26 farming season. The forecast covers wheat, corn and rice, and comes as the global stocks-to-use ratio stands around 30.6% -- the world is producing nearly a third more of these foundational crops than it currently uses.
The U.S. Department of Agriculture reported in August that American farmers would harvest a record corn crop at record yield per acre. The FAO Food Price Index has risen slightly this year but remains nearly 20% below its peak during the early months of the war in Ukraine. Average calories available per person worldwide have climbed from roughly 2,100 to 2,200 kilocalories daily in the early nineteen-sixties to just under 3,000 kilocalories daily by 2022. Cereal yields have roughly tripled since 1961. Yet the World Bank estimates around 2.6 billion people cannot afford a healthy diet, and current famines in Gaza and Sudan stem from political failures rather than crop failures.
Distribution Release: Zorin OS 18
The DistroWatch news feed is brought to you by TUXEDO COMPUTERS. The Zorin OS distribution has a new update and a new look. Zorin OS 18 features new themes, new layouts, OneDrive integration, and includes a Web Apps tool to integrate web-based software into the desktop. Zorin OS 18 also includes a new, improved way to tile application windows:....
Categories: Linux
Distribution Release: Linux Mint 7 "LMDE"
The Linux Mint project has announced the release of Linux Mint Debian Edition 7, codename "Gigi". The new release is based on Debian 13 "Trixie" and includes the same Cinnamon desktop and applications as the regular, Ubuntu-based Linux Mint edition. "The team is proud to announce the release....
Categories: Linux
Distribution Release: FunOS 25.10
A new version of FunOS, an Ubuntu-based Linux distribution featuring the lightweight JWM window manager, is now available. FunOS 25.10 is based on Ubuntu 25.10 and it brings Linux kernel 6.17, new wallpapers and splash screen, and Rust-based system components: "FunOS 25.10 is the latest release of the....
Categories: Linux
Distribution Release: Peppermint OS 2025-10-12
The developers of Peppermint OS, a minimalist, Debian-based Linux distribution with Xfce as the preferred desktop, have announced the release of a new Peppermint OS build, now based on Debian 13: "We are very happy to announce the release of Peppermint OS 'Flagship' based on Debian 'Trixie'. The....
Categories: Linux