Feed aggregator

Article URL: https://securityaffairs.com/174822/breaking-news/serbian-student-activists-phone-hacked-using-cellebrite-zero-day-exploit.html

Comments URL: https://news.ycombinator.com/item?id=43719024

Points: 4

# Comments: 0

Article URL: https://www.nfx.com/post/network-bonding-theory

Comments URL: https://news.ycombinator.com/item?id=43719009

Points: 1

# Comments: 0

Article URL: https://www.poshenloh.com/e/

Comments URL: https://news.ycombinator.com/item?id=43718988

Points: 1

# Comments: 0

Comments URL: https://news.ycombinator.com/item?id=43718960

Points: 1

# Comments: 0

Article URL: https://www.honeybadger.io/blog/rails-no-paas/

Comments URL: https://news.ycombinator.com/item?id=43718954

Points: 2

# Comments: 0

Article URL: https://arstechnica.com/science/2025/04/looking-at-the-universes-dark-ages-from-the-far-side-of-the-moon/

Comments URL: https://news.ycombinator.com/item?id=43718952

Points: 1

# Comments: 0

Article URL: https://eponline.com/articles/2025/04/16/startup-faces-scrutiny-over-sulfur-dioxide-balloons.aspx

Comments URL: https://news.ycombinator.com/item?id=43718908

Points: 2

# Comments: 0

Article URL: https://www.theverge.com/news/649851/figma-dev-mode-trademark-loveable-dispute

Comments URL: https://news.ycombinator.com/item?id=43718898

Points: 5

# Comments: 2

Article URL: https://github.com/lllyasviel/FramePack

Comments URL: https://news.ycombinator.com/item?id=43718892

Points: 1

# Comments: 0

Over the past two years, I’ve developed a toolkit for helping dozens of clients improve their LLM-powered products, which I'm now open-sourcing.

First up: a library to bring product analytics to conversational AI.

One of the biggest challenges I see clients face is understanding how their assistants are performing in production. Evals are great for catching regressions, but they can’t surface the blind spots in your AI’s behavior.

This gets even more challenging for conversational AI products that don’t have a single “correct” answer. Different users cohorts want different experiences. That makes measurement tricky.

Coming from a product analytics background, my default instinct is always: “instrument the product!” However, tracking generic events like user_sent_message doesn’t tell you much.

What you really want are insights like:

- How frequently do users request to speak with a human when interacting with a customer support agent? - Which user journeys trigger self-reflection during a session with an AI therapist?

- What percentage of the time does an AI tutor's explanation leave the student confused?

This new library enables these types of insights through the following workflow:

Analyzes your conversation transcripts

Auto-generates a rich event schema

Tags each message with relevant events and event properties

Sends the events to your analytics tool (currently supports Amplitude and PostHog)

Any thoughts or feedback would be greatly appreciated!

Comments URL: https://news.ycombinator.com/item?id=43718886

Points: 1

# Comments: 0

Article URL: https://sfstandard.com/2025/04/08/she-left-salesforce-for-a-hot-defense-tech-company-then-faced-a-culture-of-sex-drugs-and-abuse/

Comments URL: https://news.ycombinator.com/item?id=43718866

Points: 1

# Comments: 0

Article URL: http://www.echoworld.com/B04/B0402/B0402Wunderk.htm

Comments URL: https://news.ycombinator.com/item?id=43718861

Points: 1

# Comments: 0

Cybersecurity is one of the top risks facing businesses. Organizations are struggling to navigate the ever-evolving cyberthreat landscape in which 600 million identity attacks are carried out daily.1 The median time for a cyberattacker to access private data from phishing is 1 hour and 12 minutes, and nation-state cyberattacks are on the rise.2 Organizations also face unprecedented complexity, making security jobs harder—57% of organizations are using more than 40 security tools, which requires significant resourcing and effort to integrate workflows and data.3 These challenges are magnified by the global security talent shortage organizations are facing and there are more than 4 million security jobs unfilled worldwide, rising insider risks, and the rapidly evolving regulatory landscape today.4 These cybersecurity challenges can not only increase significant business disruptions, they can also create devastating economic damages—the cost of cybercrime is expected to grow at 15% year over year, reaching $15.6 trillion by 2029.5 

Get the latest Secure Future Initiative updates

In November 2023, to address the evolution of the digital and regulatory landscape, and the unprecedented changes in the cyberthreat landscape, we announced the Microsoft Secure Future Initiative. The Secure Future Initiative (SFI) is a multiyear effort to revolutionize the way we design, build, test, and operate our products and services, to achieve the highest security standards. SFI is our commitment to improve Microsoft’s security posture, thereby improving the security posture of all our customers, and to work with governments and industry to improve the security posture of the entire ecosystem.

Last year, the Cybersecurity and Infrastructure Security Agency (CISA), through its “Secure by Design” pledge, called on the technology industry to prioritize security at every stage of product development and deployment. This approach of embedding cybersecurity in digital delivery from the outset is also reflected in the United Kingdom’s Government’s Cyber Security Strategy as well as in the Australian Cyber Security Centre (ACSC)’s “Essential Eight” mitigation strategies to protect against cyberthreats. Throughout this blog post, the term “Secure by Design” encompasses both “secure by design” and “secure by default.”

Read CISA’s Secure by Design pledge

Microsoft committed to work towards key goals across a spectrum of Secure by Design principles advocated by numerous government agencies around the world. These goals aim to enhance security outcomes for customers by embedding robust cybersecurity practices throughout the product lifecycle. We continue to take our learnings, feed them back into our security standards, and operationalize these learnings as paved paths that can enable secure design and operations at scale. Our SFI updates provide examples of Microsoft’s progress in implementing secure by design, secure by default, and secure in operations principles, and provide best practices based on Microsoft’s own experience, demonstrating our dedication to improving security for customers.

Keep reading to learn about the initiatives Microsoft has undertaken over the past 18 months to support secure by design objectives as part of our SFI initiative. It is organized around our SFI principles to provide our customers and partners with an understanding of the robust security measures we are implementing to safeguard their digital environments.

Enhancing security with multifactor authentication and default password management

Phishing-resistant multifactor authentication provides the most robust defense against password-based cyberattacks, including credential stuffing and password theft. This includes promoting multifactor authentication among customers, implementing it as a default requirement for access, and participating in efforts to establish long-term standards in authentication.

In October 2024, Microsoft implemented mandatory multifactor authentication for the Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. Since then, Microsoft has worked with our customers to reduce extensions and rapidly advance multifactor authentication adoption. A key achievement is our progress in eliminating passwords across products. Microsoft has introduced enhancements to streamline authentication and improve sign-in experiences, emphasizing usability and security. Users can now remove passwords from their accounts and use passkeys instead, addressing vulnerabilities and preventing unauthorized access.

On March 26, 2025, Microsoft launched a new sign-in experience for more than 1 billion users. By the end of April 2025, most Microsoft account users will see updated sign-in and sign-up user experience flows for web and mobile apps. This new user experience is optimized for a passwordless and passkey-first experience. Microsoft is also updating the account sign-in logic to make passkey the default sign-in choice whenever possible.

Additional examples of Microsoft improving authentication and how customers can learn from Microsoft’s approach and solutions include:

• Microsoft recommendations for organizations to get started deploying phishing-resistant passwordless authentication using Microsoft Entra ID.
• Security defaults make it easier to help protect against identity-related cyberattacks like password spray, replay, and phishing common in today’s environments. Learn more about preconfigured security settings available in Microsoft Entra ID.
• Microsoft’s Conditional Access uses identity-driven signals as part of access control decisions.
• To help prevent phishing, Microsoft added additional hardening to Windows Hello, which is the multifactor authentication solution built-in to Windows. Windows Hello has also been extended to support passkeys, which are an industry standard, and which we continue to evolve. With Hello and passkeys, on Windows, it means much of the web can be protected with multifactor authentication, and people no longer need to choose between a simple sign-in and a safe sign-in. 
• Learn how Microsoft is advancing decentralized identity standards and verifiable credentials.
• Following GitHub’s April 2024 update on a year of progress in pushing multifactor authentication adoption, further cohorts requiring multifactor authentication enablement have been rolled out in the past year. This effort continues to drive multifactor authentication utilization with almost 50% of contributing GitHub users having multifactor authentication enabled. Of those, more than 38% of users have two or more methods of two-factor authentication enabled and more than 3.6 million users have a passkey enabled on their account. Additionally, GitHub has pushed for best practices in multifactor authentication methods, and in November 2024 shipped enhancements to the management of multifactor authentication settings for organizations and enterprises that allow the restriction of insecure methods of multifactor authentication such as text messaging.

Reducing entire classes of vulnerabilities

Most exploited vulnerabilities today stem from types that can often be mitigated on a large scale, such as SQL injection, cross-site scripting, and memory safety language vulnerabilities. Governments aim to reduce these by encouraging companies to adopt practices like eliminating authorization validation logic mistakes, enabling the use of memory-safe languages, creating secure firmware architectures, and implementing secure administrative protections. The goal is to minimize exploitation risks by addressing systemic vulnerabilities at their root.

Our introduction of mandatory use of the Microsoft Authentication Library (MSAL) across all Microsoft applications helps ensure that advanced identity defenses, such as token binding, continuous access evaluation, and advanced application attack detections, are consistently implemented. This standardizes secure authentication processes, making it significantly harder for attackers to exploit identity-related vulnerabilities. MSAL enables developers to acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs. 

Read the updated Windows Security book and stay secure with Windows

Microsoft is also committed to adopting memory-safe languages, such as Rust, for developing new products and transitioning existing ones. This approach addresses common vulnerabilities related to memory safety. Microsoft is investing heavily into safe language to enhance the safety of our code, and we are applying this new approach to our security platform and other key areas like Microsoft Surface and Pluton security firmware.   

In Windows 11, we’ve applied a secure by design strategy from the very first line of code. We have established a Hardware Security Baseline, which helps to ensure every Windows 11 PC has consistent hardware security forming a secure foundation. Windows 11 has secure by default settings and stronger controls for what apps and drivers are allowed to run. This is important as unverified apps and drivers lead to malware and script attacks. And most malware and ransomware apps are unsigned, which means they can be authored and distributed without being provably safe. For consumers and smaller organizations, Smart App Control is a new feature that uses cloud AI to enable millions of known safe apps to run, regardless of where you got them. For larger organizations, IT admins can layer on App Control for Business policies and deploy them using Intune.  

With Windows powering business critical solutions across a wide variety of customers, we are committed to helping ensure that Windows remains the most secure and reliable platform. At Microsoft Ignite in 2024, we announced the Windows Resilience Initiative focused on enhancing the security and resilience of the Windows operating system. This involves implementing advanced security features, improving threat detection and response capabilities, and to help ensure that Windows can withstand and recover from cyberattacks. As part of the Windows Resilience Initiative, we are working to protect against common cyberattacks in addition to strengthening identity protection mentioned above.  

As part of this we are addressing the long-standing challenge of overprivileged users and applications, which create significant risk. Yet many people do not want to give up admin control of their PC. To help strike the balance of admin privileges and security we are introducing Administrator protection (currently in Windows Insiders). Admin protection gives you the protection of standard user permissions by default, and when needed you can securely authorize a just-in-time system change using Windows Hello. Once the process has completed, the temporary admin token is destroyed. This means admin privileges do not persist.  Admin protection will be disruptive to cyberattackers, as they no longer have elevated privileges by default, which will help organizations ensure they remain in control of Windows. 

We are also collaborating with endpoint security partners to adopt safe deployment practices. This means all security product updates will be gradual, minimizing deployment risks and monitoring to help ensure any negative impact is kept to a minimum. Additionally, we are developing new Windows capabilities that allow security product developers to build their products outside of kernel mode, reducing the impact to Windows in the event of a security product crash. 

Another key development is our secure by design user experience (UX) toolkit. Human error causes the majority of security breaches. The UX toolkit helps build more secure software and improve user security experiences. This toolkit represents a new way of thinking—where design and security aren’t siloed but are working together from the very beginning. Adopted internally and shared externally, the toolkit helps other software organizations in enhancing their security practices.

Other activities Microsoft has worked on to eliminate classes of vulnerabilities include:

• Continued support to enable developers to use the memory safe language Rust on Windows.
• Taking steps to mitigate Windows NT LAN (NTLM) Relay Attacks by default against Exchange Service, Active Directory Certificate Services and Lightweight Directory Access Protocol (LDAP).
• Zero Trust Domain Name System (DNS) preview expanded to include Windows 11 enterprise customers. This feature helps lock down devices to only access-approved network destinations.
• Surface embedded firmware products use of a common firmware architecture.
• Launch of the Windows 365 Link, which is the first Cloud PC device for Windows 365. Windows 365 Link eliminates local data and apps and has no local admin users and provides employees a way to more securely stream their Windows 365 Cloud PC.
• GitHub released CodeQL support for GitHub Actions workflow files. This new static analysis capability identifies common continuous integration and continuous delivery (CI/CD) flaws both in existing code bases and before they are introduced to help eliminate this class of vulnerabilities. Using this new feature, the GitHub Security Lab was able to help secure more than 75 GitHub Actions workflows in open source projects, disclosing more than 90 different vulnerabilities.

Boosting patch application rates

Timely and effective patch management is necessary for cybersecurity, as this is how we can reduce the window of opportunity for malicious actors to exploit software flaws.

Microsoft has made measurable increases in the installation of security patches, which we achieved by enabling automatic installation of software patches when possible and enabling this functionality by default, as well as by offering widespread support for these patches.

Microsoft continues to roll out major security updates on the second Tuesday of each month, known as Patch Tuesday. This regular schedule ensures that all systems receive timely updates to address critical vulnerabilities, thereby reducing the risk of exploitation by cyberattackers.

Building on this foundation, Microsoft has made significant strides in improving the update process with Windows 11. By reducing the number of required system restarts from 12 to four per year through the use of Hotpatch updates, we have further streamlined operations and encouraged organizations to remain compliant with patching requirements.

Other examples of our efforts in to boost patch and security update rates include:

• Windows Hotpatch: Announced at Microsoft Ignite 2024, this provides a 60% reduction in time to adopt security updates, assisted by applying updates seamlessly without system restarts.
• Microsoft has emphasized the importance of clearly communicating the expected lifespan of products at the time of sale and investing in provisioning capabilities to ease customer transitions to supported versions when products reach the end of their lifecycle. This strategy ensures that customers are well-informed and can smoothly adapt to new technologies.

Adopting a Vulnerability Disclosure Policy (VDP) and Common Vulnerabilities and Exposures (CVE) 

Coordinated vulnerability disclosure, a practice Microsoft adopted more than a decade ago, benefits both security researchers and software manufacturers by enabling collaboration to enhance product security. A VDP that authorizes public testing of products, commits to refraining from legal action against those who follow the VDP in good faith, provides a clear channel for reporting vulnerabilities, and permits public disclosure of vulnerabilities according to coordinated vulnerability disclosure best practices and international standards makes a real difference for cybersecurity. Additionally, manufacturers can demonstrate transparency by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every CVE record for the manufacturer’s products.

Our adoption of the CWE and CPE standards in every CVE record for its products is an important achievement. This transparency facilitates accurate and detailed information about vulnerabilities, facilitating timely and effective remediation. By issuing CVEs promptly for all critical or high-impact vulnerabilities, Microsoft demonstrates its commitment to maintaining a secure environment and protecting its customers from potential cyberthreats.

Another notable highlight is the publication of a machine-readable CSAF files, which provide a clear channel for reporting vulnerabilities and authorizes public testing of Microsoft products. This fosters collaboration between security researchers and software manufacturers, enabling the identification and mitigation of vulnerabilities in a coordinated manner.

Other activities Microsoft has worked on to adopt VDP and CVE include:

• Microsoft has published a security.txt file with links to different aspects of our VDP CVE related blogs generally.
• Microsoft is now issuing CVEs for critical cloud service vulnerabilities, regardless of whether customers need to install a patch or to take other actions to protect themselves.
• Microsoft has begun to publish root cause data for Microsoft CVEs using the CWE industry standard. By adopting CWE, more effective community discussion about discovering and mitigating weaknesses in existing software and hardware can be facilitated.
• Microsoft added a new standard machine-readable format, called Common Security Advisory Framework (CSAF), to all Microsoft CVE information to help customer accelerate CVE response and remediation.

Empowering customers to detect and document intrusions

Organizations should do more to detect cybersecurity incidents and understand their impact. To ensure they can do that, manufacturers should provide artifacts and evidence-gathering tools, like audit logs.

An example of Microsoft’s commitment in this area is our implementation of robust sensors and logs, enhancing detection of cyberthreats. This initiative provides customers with actionable insights into potential intrusions, enabling swift responses and risk mitigation.

Other activities Microsoft has worked on to empower customers to detect and document inclusions include:

• Microsoft Purview has expanded its audit logging and retention periods, among other security enhancements, to increase security visibility and incident response capabilities for cloud-based services.
• Microsoft Security Copilot offers prebuilt promptbooks to automate security-related tasks, such as incident investigations, user analysis, and threat intelligence assessments, enhancing efficiency and accuracy in cybersecurity operations.
• Microsoft has provided detailed guidance on implementing the United States Department of Defense (DoD) Zero Trust Strategy, with activities categorized into target and advanced phases to achieve full Zero Trust adoption by 2032.
• Microsoft’s Expanded Cloud Logs Implementation Playbook provides detailed guidance on operationalizing new logging capabilities in Microsoft Purview Audit (Standard).
• Microsoft has published a whitepaper on lessons learned from red teaming more than 100 generative AI products at Microsoft. The whitepaper highlights the importance of understanding AI systems, breaking them without computing gradients, and the necessity of human involvement in AI red teaming, among other topics.

GitHub shipped enhanced capabilities to the GitHub audit log to provide customers with increased visibility of API events and features to enable enterprise management, automation, and integration.

Read the latest SFI updates

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

1Microsoft Digital Defense Report 2024.

2Microsoft Digital Defense Report 2022.

3IDC North America Tools and Vendors Consolidation Survey, 2023.

42024 ISC2 Cybersecurity Workforce Study.

5Global cybercrime estimated cost 2029.

The post Microsoft’s Secure by Design journey: One year of success appeared first on Microsoft Security Blog.

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

Both vulnerabilities allowed an attacker to bypass the memory protections that would normally stop someone from running malicious code. Reportedly, attackers used them with another unpatched vulnerability or malicious app, and the combination could be used to give them complete control over targeted iPhones.

The update is available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 13.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later

To check if you’re using the latest software version, go to Settings > General > Software Update. You want to be on iOS 18.4.1 or iPadOS 18.4.1, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

Update available Technical details

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-day CVEs patched in these updates are:

• CVE-2025-31200: Processing an audio stream in a maliciously crafted media file may result in code execution due to a memory corruption issue which was addressed with improved bounds checking.
• CVE-2025-31201: An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. This issue was addressed by removing the vulnerable code.

Given that both vulnerabilities were flagged as used in extremely sophisticated attacks and are patched simultaneously, it stands to reason that they were chained for a successful exploitation.

This deserves a bit of an explanation. Apple’s Pointer Authentication (PA) is a hardware security feature designed to detect and prevent tampering with critical pointers (like function addresses or return addresses) in memory. Computers use memory to store and provide information that software programs use as they run.

When creating a pointer (like a return address), the system adds a cryptographic signature (PAC) using secret keys. Before using the pointer, the system checks if the signature still matches.

A memory corruption issue can give an attacker the option to make a change in the device’s memory, but it’s often limited to a very small portion of the memory.

What could have happened here is that the attacker was able to use that ample space to create a pointer that was able to bypass the Pointer Authentication and use this ability to point from a legitimate application to their malicious code.

In the past researchers have already found bypass scenarios for attackers that already have full memory control.

What exactly happened is unknown, because, as a protection against attackers reverse engineering updates to find the vulnerabilities, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.

Which is also why it’s important to update before other criminals are using the same exploits in less targeted and more widespread attacks. To help with this, the Malwarebytes iOS app will guide you through “how to fix” and assist with similar cases in the future.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Minh Phuong Ngoc Vong pleaded guilty to defrauding US companies of roughly $1 million in a fake IT worker scheme.

The post Man Helped Chinese Nationals Get Jobs Involving Sensitive US Government Projects appeared first on SecurityWeek.

These are our favorite laptops that we've tested and reviewed in the past year, spanning all types, sizes and prices.

Nintendo still hasn't explained why it's charging more for the game.

Article URL: https://www.maximepeabody.com/blog/mcp-missing-ui

Comments URL: https://news.ycombinator.com/item?id=43718273

Points: 1

# Comments: 0

Article URL: https://www.reuters.com/technology/us-judge-finds-google-holds-illegal-online-ad-tech-monopolies-2025-04-17/

Comments URL: https://news.ycombinator.com/item?id=43718265

Points: 1

# Comments: 0