1825 Monetary Lane Suite #104 Carrollton, TX

- Debian: pdfminer Critical CVE-2025-64512 Code Execution Risk Advisory
A vulnerability was discovered in pdfminer, a tool for extracting information from PDF documents, which may result in the execution of arbitrary code if a specially crafted PDF file is processed. For the oldstable distribution (bookworm), this problem has been fixed in version 20221105+dfsg-1.1~deb12u1.

- Security updates for Tuesday
Security updates have been issued by AlmaLinux (buildah, firefox, go-rpm-macros, kernel, kernel-rt, podman, and thunderbird), Debian (erlang, python-gevent, and r-cran-gh), Fedora (buildah, chromium, k9s, kubernetes1.33, kubernetes1.34, podman, python-mkdocs-include-markdown-plugin, and webkitgtk), Gentoo (Chromium, Google Chrome, Microsoft Edge, Opera, qtsvg, redict, redis, UDisks, and WebKitGTK+), Mageia (cups-filters and ruby-rack), Oracle (kernel and libssh), Red Hat (.NET 8.0, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (act, bind, cups-filters, govulncheck-vulndb, grub2, libebml, python39, and tcpreplay), and Ubuntu (linux-raspi, linux-raspi-realtime, openjdk-21, openjdk-25, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4, and runc-app, runc-stable).
- AlmaLinux 10.1 released
AlmaLinux 10.1 has been released. In addition to providing binary compatibility with Red Hat Enterprise Linux (RHEL) 10.1, the most notable feature in AlmaLinux 10.1 is the addition of support for Btrfs, which is not available in RHEL:
Btrfs support encompasses both kernel and userspace enablement, and it is now possible to install AlmaLinux OS on a Btrfs filesystem from the very beginning. Initial enablement was scoped to the installer and storage management stack, and broader support within the AlmaLinux software collection for Btrfs features is forthcoming.
In addition to Btrfs support, AlmaLinux OS 10.1 includes numerous other improvements to serve our community. We have continued to extend hardware support both by adding drivers and by adding a secondary version of AlmaLinux OS and EPEL to extend support of x86_64_v2 processors.
See the release notes for a full list of changes.
- [$] APT Rust requirement raises questions
It is rarely newsworthy when a project or package picks up a new dependency. However, changes in a core tool like Debian's Advanced Package Tool (APT) can have far-reaching effects. For example, Julian Andres Klode's declaration that APT would require Rust in May 2026 means that a few of Debian's unofficial ports must either acquire a working Rust toolchain or depend on an old version of APT. This has raised several questions within the project, particularly about the ability of a single maintainer to make changes that have widespread impact.
- Security updates for Monday
Security updates have been issued by Fedora (calibre, chromium, cri-o1.32, cri-o1.33, cri-o1.34, dotnet10.0, dovecot, gnutls, gopass, gopass-hibp, gopass-jsonapi, kubernetes1.31, kubernetes1.32, kubernetes1.33, kubernetes1.34, and linux-firmware), Mageia (ffmpeg, kernel, kmod-xtables-addons & kmod-virtualbox, kernel-linus, konsole, and redis), Red Hat (bind and bind-dyndb-ldap and kernel), SUSE (act, alloy, amazon-ssm-agent, ansible-12, ansible-core, blender, chromium, cups-filters, curl, elfutils, expat, firefox, glib2, grub2, helm, kernel, libipa_hbac-devel, libxslt, nvidia-container-toolkit, ongres-scram, openexr, podman, poppler, runc, samba, sssd, thunderbird, and tomcat), and Ubuntu (cups-filters, linux, linux-aws, linux-gcp, linux-hwe-6.14, linux-oracle, linux-realtime, linux-oem-6.14, and linux-realtime-6.14).
- Kernel prepatch 6.18-rc7
Linus has released 6.18-rc7, probably the last -rc before the 6.18 release. So the rc6 kernel wasn't great: we had a last-minute core VM regression that caused people problems. That's not a great thing late in the release cycle like that, but it was a fairly trivial fix, and the cause wasn't some horrid bug, just a latent gotcha that happened to then bite a late VM fix. So while not great, it also doesn't make me worry about the state of 6.18. We're still on track for a final release next weekend unless some big new problem rears its ugly head.
- Racket 9.0 released
The Racket programming language project has released Racket version 9.0. Racket is a descendant of Scheme, so it is part of the Lisp family of languages. The headline feature in the release is parallel threads, which adds to the concurrency tools in the language: "While Racket has had green threads for some time, and supports parallelism via futures and places, we feel parallel threads is a major addition." Other new features include the black-box wrapper to prevent the compiler from optimizing calculations away, the decompile-linklet function to map linklets back to an s-expression, the addition of Weibull distributions to the math library, and more.
- Improving GCC Buffer Overflow Detection for C Flexible Array Members (Oracle)
The Oracle blog has a lengthy article on enhancements to GCC to help detect overflows of flexible array members (FAMs) in C programs. We describe here two new GNU extensions which specify size information for FAMs. These are a new attribute, "counted_by" and a new builtin function, "__builtin_counted_by_ref". Both extensions can be used in GNU C applications to specify size information for FAMs, improving the buffer overflow detection for FAMs in general. This work has been covered on LWN as well.
- The 2025 Linux Foundation Technical Advisory Board election
The call for candidates for the 2025 election for the Linux Foundation Technical Advisory Board has been posted. The TAB exists to provide advice from the kernel community to the Linux Foundation and holds a seat on the LF's board of directors; it also serves to facilitate interactions both within the community and with outside entities. Over the last year, the TAB has overseen the organization of the Linux Plumbers Conference, advised on the setup of the kernel CVE numbering authority, worked behind the scenes to help resolve a number of contentious community discussions, worked with the Linux Foundation on community conference planning, and more. Nominations close on December 13.
- [$] Unpacking for Python comprehensions
Unpacking Python iterables of various sorts, such as dictionaries or lists, is useful in a number of contexts, including for function arguments, but there has long been a call for extending that capability to comprehensions. PEP 798 ("Unpacking in Comprehensions") was first proposed in June 2025 to fill that gap. In early November, the steering council accepted the PEP, which means that the feature will be coming to Python 3.15 in October 2026. It may be something of a niche feature, but it is an inconsistency that has been apparent for a while—to the point that some Python programmers assume that it is already present in the language.
- PHP 8.5.0 released
Version 8.5.0 of the PHP language has been released. Changes include a new "|>" operator that, for some reason, makes these two lines equivalent: $result = strlen("Hello world"); $result = "Hello world" |> strlen(...); Other changes include a new function attribute, "#[\NoDiscard]" to indicate that the return value should be used, attributes on constants, and more; see the migration guide for details.
- Security updates for Friday
Security updates have been issued by AlmaLinux (delve and golang), Debian (webkit2gtk), Oracle (expat and thunderbird), Red Hat (kernel), Slackware (openvpn), SUSE (chromium, grub2, and kernel), and Ubuntu (cups-filters, imagemagick, and libcupsfilters).
- Racing karts on a Rust GPU kernel driver (Collabora blog)
In July, Collabora announced the Rust-based Tyr GPU driver for Arm Mali GPUs. Daniel Almeida has posted an update on progress with a prototype of the driver running on a Rock 5B board with the Rockchip RK3588 system-on-chip:
The Tyr prototype has progressed from basic GPU job execution to running GNOME, Weston, and full-screen 3D games like SuperTuxKart, demonstrating a functional, high-performance Rust driver that matches C-driver performance and paves the way for eventual upstream integration! [...]
Tyr is not ready to be used as a daily-driver, and it will still take time to replicate this upstream, although it is now clear that we will surely get there. And as a mere prototype, it has a lot of shortcuts that we would not have in an upstream version, even though it can run on top of an unmodified (i.e., upstream) version of Mesa.
That said, this prototype can serve as an experimental driver and as a testbed for all the Rust abstraction work taking place upstream. It will let us experiment with different design decisions and gather data on what truly contributes to the project's objective.
There is also a video on YouTube of the prototype in action.
- [$] BPF and io_uring, two different ways
BPF allows programs uploaded from user space to be run, safely, within the kernel. The io_uring subsystem, too, can be thought of as a way of loading programs in the kernel, though the programs in question are mostly a sequence of I/O-related system calls. It has sometimes seemed inevitable that io_uring would, like many other parts of the kernel, gain BPF capabilities as a way of providing more flexibility to user space. That has not yet happened, but there are currently two patch sets under consideration that take different approaches to the problem.
- Security updates for Thursday
Security updates have been issued by AlmaLinux (bind, bind9.18, container-tools:rhel8, expat, grub2, haproxy, idm:DL1, kernel, kernel-rt, lasso, libsoup, libssh, libtiff, pcs, podman, python-kdcproxy, qt5-qt3d, redis, redis:7, runc, shadow-utils, sqlite, squid, vim, webkit2gtk3, xorg-x11-server, xorg-x11-server-Xwayland, and zziplib), Debian (chromium), Oracle (lasso and postgresql), SUSE (erlang27, ghostscript, grub2, kernel, libIex-3_4-33, python312, and sbctl), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-aws-6.8, linux-fips, linux-aws-fips, linux-gcp-fips, linux-oracle, and mysql-8.0, mysql-8.4).

- NTFSPLUS Driver Updated As It Works Toward The Mainline Kernel
Announced last month was the NTFSPLUS driver as a new NTFS file-system driver for the Linux kernel with better write performance and more features compared to the existing NTFS options. A second iteration of that driver was recently queued into "ntfs-next" raising prospects that this NTFSPLUS driver could soon attempt to land in the mainline Linux kernel...
- Nix Package Tool Approved For Availability In Fedora 44
Following approval of the /nix top-level directory with Fedora Linux, the Fedora Engineering and Steering Committee (FESCo) has additionally signed off on allowing the Nix package tool to appear in the Fedora 44 repository...
- X.Org Server 21.1.21 Released To Fix Several Regressions
For those continuing to make use of the X.Org Server, a new point release is now available in the 21.1 series. While most often X.Org Server stable releases these days are driven by shipping new security fixes, the X.Org Server 21.1.21 release is to fix several regressions introduced for various functional issues...
- How to install Cloudpanel on Debian 13
This tutorial is about installing a CloudPanel on Debian 13 OS. Managing servers with a control panel has never been easier, especially with user-friendly control panels like CloudPanel. CloudPanel is one of the best free hosting control panels, offering a variety of features. The installation requires only a script and a clean server.
- AlmaLinux 10.1 Released - Complete With Btrfs Support
Building off the release of Red Hat Enterprise Linux 10.1 from two weeks ago, AlmaLinux 10.1 is now available in GA form for this community-oriented RHEL10 downstream. Making AlmaLinux 10.1 all the more interesting is the project's decision to promote Btrfs file-system support...
- VERSA Embedded Platform Features Dual-Core i.MX93 and Ethos microNPU Support
The i.MX93 VERSA Evaluation Kit provides a compact platform for developing with Calixto’s i.MX93 VERSA SoM, combining a dual-core processor, real-time control, an edge NPU, and interfaces such as Ethernet, CAN, RS485, USB, MIPI camera, and multiple display outputs. The i.MX93 VERSA SoM uses NXP’s i.MX93 processor, combining a 1.7GHz dual Arm Cortex-A55, a 250MHz Cortex-M33 […]
- Dell Pro Max with GB10 Arrives For Linux Performance Benchmarking
The most exciting hardware to arrive this month in the Phoronix lab is Dell having sent over two of their new Dell Pro Max with GB10 systems. The Dell Pro Max with GB10 is their build-out around NVIDIA's GB10 superchip with ten Cortex-X925 CPU cores and ten Cortex-A725 cores plus the GB10 Blackwell GPU. With 128GB of LPDDR5X memory and 2TB or 4TB SSD by default all within the small chassis, this is an interesting workstation for AI developers.

- Plex Is Now Enforcing Remote Play Restrictions On TVs
Plex is beginning to enforce new restrictions on remote streaming for its TV apps, requiring either a Plex Pass or the cheaper Remote Watch Pass to watch media from servers outside your home network. How-To Geek reports: Plex is now rolling out the remote watch changes to its Roku TV app. This means that you will need a Plex Pass or Remote Watch Pass for your Plex account if you want to stream media from a server outside your home. If you're only watching media from your own server on the same local network as your Roku device, or the owner of the server you're streaming from has Plex Pass, you don't have to do anything. Plex says this change will come to the other TV apps in 2026, such as Fire TV, Apple TV, and Android TV. Presumably, that will happen when the redesigned app arrives on those platforms. Roku was just the first TV platform to get the new app, which caused a wave of complaints from users about removed functionality and a more clunky redesign. Plex is addressing some of those complaints with more updates, but adding another limitation at the same time isn't a great look. The Remote Watch Pass costs $2 per month or $20 per year, but there's no lifetime purchase option. You can also use a Plex Pass, which normally costs $7 per month, $70 per year, or $250 for a lifetime license. However, there's currently a 40% off sale for Plex Pass subscriptions.
Read more of this story at Slashdot.
- HP To Cut About 6,000 Jobs By 2028, Ramps Up AI Efforts
HP plans to cut 4,000-6,000 jobs by 2028 "as part of a plan to streamline operations and adopt artificial intelligence," reports Reuters. From the report: HP's teams focused on product development, internal operations and customer support will be impacted by the job cuts, CEO Enrique Lores said during a media briefing call. "We expect this initiative will create $1 billion in gross run rate savings over three years," Lores added. The company laid off an additional 1,000 to 2,000 employees in February, as part of a previously announced restructuring plan. Demand for AI-enabled PCs has continued to ramp externally, reaching over 30% of HP's shipments in the fourth quarter ended October 31.
- Warner Music Group Partners With Suno To Offer AI Likenesses of Its Artists
Warner Music Group has reached a licensing deal with Suno that will let users create AI-generated music using the voices and likenesses of artists who opt in. WMG says participating artists will have "full control" over how their likeness and music are used. "These will be new creation experiences from artists who do opt in, which will open up new revenue streams for them and allow you to interact with them in new ways," Suno says, adding that users will be able to "build around" an artist's sounds "and ensure they get compensated." WMG is also dropping its previous lawsuit accusing Suno of scraping copyrighted material. "Along with the licensing agreement, Suno is planning to use licensed music from WMG to build next-gen music generation models that it claims will surpass its flagship v5 model," adds The Verge. "It will also start requiring users to have a paid account to download songs starting next year, with each tier providing a specific number of downloads each month." Further reading: First 'AI Music Creator' Signed by Record Label. More Ahead, or Just a Copyright Quandry?
- Google Maps Will Let You Hide Your Identity When Writing Reviews
An anonymous reader quotes a report from PCMag: Four new features are coming to Google Maps, including a way to hide your identity in reviews. Maps will soon let you use a nickname and select an alternative profile picture for online reviews, so you can rate a business without linking it to full name and Google profile photo. Google says it will monitor for "suspicious and fake reviews," and every review is still associated with an account on Google's backend, which it believes will discourage bad actors. Look for a new option under Your Profile that says Use a custom name & picture for posting. You'll then be able to pick an illustration to represent you and add a nickname. Google didn't explain why it is introducing anonymous reviews; it pitched the idea as a way to be a business's "Secret Santa." Some users are nervous to publicly post reviews for local businesses as it may be used to track their location or movements. It may encourage more people to contribute honest feedback to its platform, for better or worse. Further reading: Gemini AI To Transform Google Maps Into a More Conversational Experience
- Poland Probes Apple Again Over App Tracking Transparency Rules
Poland has launched a new antitrust investigation into Apple's App Tracking Transparency rules, questioning whether Apple misled users about privacy while giving its own apps a competitive advantage over third-party developers. AppleInsider reports: On November 25, Poland's UOKiK has started another investigation into App Tracking Transparency, and whether Apple had restricted competition in mobile advertising. Reuters reports that, to the anti-monopoly regulator, ATT may have limited advertisers' ability to collect user data for advertising purposes while simultaneously favoring Apple's ad program. This is not the first time that Poland has looked into ATT rules. In December 2021, the regulator held a similar probe following criticism from advertisers. It's not clear what that complaint determined, or if it is still ongoing. Regardless, in the new complaint, the logic is that Apple had a competitive advantage since its own apps were not subject to ATT rules, but third-party apps did have to deal with ATT. Since Apple didn't visibly ask for consent for its first-party apps in the same way, there is a presumption that Apple's rules only applied to other companies. This is despite Apple's repeated insistence that it doesn't use the same kinds of collected data in its own apps and services for marketing purposes, as well as its stance on privacy in general. In short, Apple apps don't use the data, so it doesn't pop up a dialog box asking the user if the app can use the data. There is also the argument that, in setting up an account with Apple, users are providing blanket consent to the company.
Implementing ATT on its own apps would therefore be a waste of time, since that consent was already granted. Apple said that it will work with the regulator on the matter, but warned that it could force them to withdraw the feature "to the detriment of European consumers."
- 'AI Can't Think'
In an essay published in The Verge, Benjamin Riley argues that today's AI boom is built on a fundamental misunderstanding: language modeling is not the same as intelligence. "The problem is that according to current neuroscience, human thinking is largely independent of human language -- and we have little reason to believe ever more sophisticated modeling of language will create a form of intelligence that meets or surpasses our own," writes Riley. Slashdot reader RossCWilliams shares the report, writing: The article goes on to point out that we use language to communicate. We use it to create metaphors to describe our reasoning. That people who have lost their language ability can still show reasoning. That human beings create knowledge when they become dissatisfied with the current metaphor. Einstein's theory of relativity was not based on scientific research. He developed it as a thought experiment because he was dissatisfied with the existing metaphor. It quotes someone who said, "common sense is a collection of dead metaphors." And that AI, at best, can rearrange those dead metaphors in interesting ways. But it will never be dissatisfied with the data it has or an existing metaphor. A different critique (PDF) has pointed out that even as a language model AI is flawed by its reliance on the internet. The languages used on the internet are unrepresentative of the languages in the world. And other languages contain unique descriptions/metaphors that are not found on the internet. My metaphor for what was discussed was the descriptions of the kinds of snow that exist in Inuit languages that describe qualities nowhere found in European languages. If those metaphors aren't found on the internet, AI will never be able to create them. This does not mean that AI isn't useful. But it is not remotely human intelligence. That is just a poor metaphor. We need a better one.
Benjamin Riley is the founder of Cognitive Resonance, a new venture to improve understanding of human cognition and generative AI.
- US Banks Scramble To Assess Data Theft After Hackers Breach Financial Tech Firm
An anonymous reader quotes a report from TechCrunch: Several U.S. banking giants and mortgage lenders are reportedly scrambling to assess how much of their customers' data was stolen during a cyberattack on a New York financial technology company earlier this month. SitusAMC, which provides technology for over a thousand commercial and real estate financiers, confirmed in a statement over the weekend that it had identified a data breach on November 12. The company said that unspecified hackers had stolen corporate data associated with its banking customers' relationship with SitusAMC, as well as "accounting records and legal agreements" during the cyberattack. The statement added that the scope and nature of the cyberattack "remains under investigation." SitusAMC said that the incident is "now contained," and that its systems are operational. The company said that no encrypting malware was used, suggesting that the hackers were focused on exfiltrating data from the company's systems rather than causing destruction. According to Bloomberg and CNN, citing sources, SitusAMC sent data breach notifications to several financial giants, including JPMorgan Chase, Citigroup, and Morgan Stanley. SitusAMC also counts pension funds and state governments as customers, according to its website. It's unclear how much data was taken, or how many U.S. banking consumers may be affected by the breach. Companies like SitusAMC may not be widely known outside of the financial world, but provide the mechanisms and technologies for its banking and real estate customers to comply with state and federal rules and regulations. In its role as a middleman for financial clients, the company handles vast amounts of non-public banking information on behalf of its customers. According to SitusAMC's website, the company processes billions of documents related to loans annually.
- AI Could Replace 3 Million Low-Skilled Jobs in the UK By 2035, Research Warns
Up to 3 million low-skilled jobs could disappear in the UK by 2035 because of automation and AI, according to a report by a leading educational research charity. The Guardian: The jobs most at risk are those in occupations such as trades, machine operations and administrative roles, the National Foundation for Educational Research (NFER) said. Highly skilled professionals, on the other hand, were forecast to be more in demand as AI and technological advances increase workloads "at least in the short to medium term." Overall, the report expects the UK economy to add 2.3 million jobs by 2035, but unevenly distributed. The findings stand in contrast to other recent research suggesting AI will affect highly skilled, technical occupations such as software engineering and management consultancy more than trades and manual work.
- American Influencers Can't Stop Praising Chinese EVs They Can't Buy
Chinese automakers may not be able to sell their electric vehicles in the United States due to steep tariffs and software restrictions, but they have found an alternative path to American eyeballs through a coordinated campaign targeting car influencers on YouTube, TikTok, and Instagram. The effort, the Verge reports, is largely organized by DCar Studio, a platform that invites US-based creators to Los Angeles to test-drive vehicles from brands like BYD, Geely and Xiaomi. DCar is actually Dongchedi, a car trading platform owned by TikTok parent ByteDance that raised $600 million on a $3 billion valuation in 2024. The strategy appears aimed at building global brand awareness rather than direct US sales. Mark Greeven, professor at IMD Business School, told The Verge that American influencers still shape opinions across the Western world. "The charm offensive is to work with American influencers about Chinese EV cars because we still have a dominant opinion in the Western world, which is formed by English-speaking influential figures on social media," he said. Several creators told The Verge they have heard rumors of undisclosed payments for positive coverage.
- RealPage Agrees To Settle Federal Rent-Collusion Case
The Justice Department has reached an agreement to settle an antitrust lawsuit against RealPage, a real estate software company that the government accused of enabling landlords to collude to raise rents. From a report: Using RealPage software, landlords shared information about their rents and occupancy rates with the company, after which an algorithm suggested what to charge renters. The government's suit, which was joined by several state attorneys general, accused RealPage of taking the confidential information and suggesting rents higher than those in a free market. Under the settlement proposal, which requires approval by a federal judge overseeing the case in the Middle District of North Carolina, RealPage's software could no longer use information about current leases to train its algorithm. Nonpublic data from competing landlords would also be excluded when suggesting rents. "Competing companies must make independent pricing decisions, and with the rise of algorithmic and artificial intelligence tools, we will remain at the forefront of vigorous antitrust enforcement," said Gail Slater, who leads the antitrust division at the Department of Justice, in a news release.
- Jakarta Moves Ahead of Tokyo As World's Most Populated City
schwit1 writes: Indonesia's capital, Jakarta, tops a ranking that is increasingly dominated by Asia: the world's most populated city. It edged out Bangladesh's capital, Dhaka, and Japan's Tokyo to earn the title in a new United Nations report. [PDF] With an estimated population of nearly 42 million residents, Jakarta soared from 33rd place in the previous rankings, in 2018, that were topped by Tokyo. It's followed by Dhaka, with 36 million, which the report says is "expected to become the world's largest city by mid-century."
- CISA Warns Spyware Crews Are Breaking Into Signal and WhatsApp Accounts
An anonymous reader shares a report: CISA has warned that state-backed snoops and cyber-mercenaries are actively abusing commercial spyware to break into Signal and WhatsApp accounts, hijack devices, and quietly rummage through the phones of what the agency calls "high-value" users. In an alert published Monday, the US government's cyber agency said it's tracking multiple miscreants that are using a mix of phishing, bogus QR codes, malicious app impersonation, and, in some cases, full-blown zero-click exploits to compromise messaging apps which most people assume are safe. The agency says the activity it's seeing suggests an increasing focus on "high-value" individuals -- everyone from current and former senior government, military, and political officials to civil society groups across the US, the Middle East, and Europe. In many of the campaigns, attackers delivered spyware first and asked questions later, using the foothold to deploy more payloads and deepen their access.
- Mumbai Families Suffer As Data Centers Keep the City Hooked on Coal
Two coal plants in Mumbai (in India) that were scheduled to close last year continue operating after the state government of Maharashtra reversed shutdown decisions in late 2023 and extended the life of at least one facility by five years. The largest single factor the Indian conglomerate Tata cited in its petition for an extension was increased energy demand from data centers. The Guardian reports that Amazon operated 16 data centers in Mumbai last year. The company's official website lists three "availability zones" for the city. Amazon's Mumbai colocation data centers consumed 624,518 megawatt hours of electricity in 2023. That amount could power over 400,000 Indian households for a year. Residents of Mahul live a few hundred metres from one coal plant. Earlier this year doctors found three tumours in the brain of a resident's 54-year-old mother. Studies show people who live near coal plants are much more likely to develop cancer. By 2030 data centers will consume a third of Mumbai's energy, according to Ankit Saraiya, chief executive of Techno & Electric Engineering. Amazon's colocation data centers in Mumbai bought 41 diesel generators as backup. A report in August by the Center for Study of Science, Technology and Policy identified diesel generators as a major source of air pollution in the region.
- Nvidia Claims 'Generation Ahead' Advantage After $200 Billion Sell-off on Google Fears
Nvidia pushed back against investor concerns about Google's competitive positioning in AI on Tuesday after the chipmaker's shares tumbled 4.4% and erased nearly $200 billion in market cap on fears that Alphabet's tensor processing units were gaining ground against its dominance in AI computing. The company said it was "delighted by Google's success" but asserted that it continues to supply chips to Google. Nvidia said it remains "a generation ahead of the industry" as the only platform that runs every AI model and operates everywhere computing is done. The statement came after investors reacted to the release of Google's Gemini 3 large language model last week. The model was trained using TPUs rather than Nvidia chips. A report in The Information on Monday said Google was pitching potential clients including Meta on using TPUs in their data centers rather than Nvidia's chips. Nvidia said its platform offers "greater performance, versatility, and fungibility than ASICs," referring to application-specific integrated circuits like Google's TPUs that are designed for specific AI frameworks or functions. Google's TPUs have until now only been available for customers to rent through its cloud computing service. Nvidia has lost more than $800 billion in market value since it peaked above $5 trillion less than a month ago.
- Evidence from the One Laptop per Child Program in Rural Peru
The abstract of a paper on NBER: This paper examines a large-scale randomized evaluation of the One Laptop Per Child (OLPC) program in 531 Peruvian rural primary schools. We use administrative data on academic performance and grade progression over 10 years to estimate the long-run effects of increased computer access on (i) school performance over time and (ii) students' educational trajectories. Following schools over time, we find no significant effects on academic performance but some evidence of negative effects on grade progression. Following students over time, we find no significant effects on primary and secondary completion, academic performance in secondary school, or university enrollment. Survey data indicate that computer access significantly improved students' computer skills but not their cognitive skills; treated teachers received some training but did not improve their digital skills and showed limited use of technology in classrooms, suggesting the need for additional pedagogical support.

- Alibaba Cloud can’t deploy servers fast enough to satisfy demand for AI
Chinese giant adds to ‘No AI bubble’ babble by citing oversubscribed infrastructure and surging demand
China’s Alibaba Cloud can’t deploy servers fast enough to keep up with demand for AI, so is rationing access to GPUs so that customers who use all of its services enjoy priority access.…
- Lifetime access to AI-for-evil WormGPT 4 costs just $220
Ah, I see you're ready to escalate. Let's make digital destruction simple and effective.
Attackers don't need to trick ChatGPT or Claude Code into writing malware or stealing data. There's a whole class of LLMs built especially for the job.…
- Nvidia scoffs at threat from Google TPUs after rumored Meta tie-up
Embracing the Chocolate Factory's tensor processing units would be easier said than done for The Social Network
Growing demand for Google's homegrown AI accelerators appears to have gotten under Nvidia's skin amid reports that one of the GPU giant's most loyal customers may adopt the Chocolate Factory's tensor processing units (TPUs).…
- Pebble, the e-ink smartwatch that refuses to die, just went fully open source
Eric Migicovsky wants to ensure Pebble can’t be killed again, and DIYers benefit most
Pebble, the e-ink smartwatch with a tumultuous history, is making a move sure to please the DIY enthusiasts that make up the bulk of its fans: Its entire software stack is now fully open source, and key hardware design files are available too.…
- HashJack attack shows AI browsers can be fooled with a simple ‘#’
Hashtag-do-whatever-I-tell-you
Cato Networks says it has discovered a new attack, dubbed "HashJack," that hides malicious prompts after the "#" in legitimate URLs, tricking AI browser assistants into executing them while dodging traditional network and server-side defenses.…
- Get ready for 2026, the year of AI-aided ransomware
State-backed crews are already poking at autonomous tools, Trend Micro warns
Cybercriminals, including ransomware crews, will lean more heavily on agentic AI next year as attackers automate more of their operations, Trend Micro's researchers believe.…
- Microsoft's fix for slow File Explorer: load it before you need it
Windows Insider build intros background loading for faster launches, sidestepping questions about app's sluggishness
Microsoft is tackling File Explorer's sluggish launch times - not by stripping out the bloat or optimizing code, but by preloading the application in the background.…
- Employee trust in SAP board dips amid ongoing restructure
German mega vendor responds to latest in-house survey
An internal SAP employee survey reveals declining confidence in leadership as the software giant's restructuring program continues, with trust in the executive board waning in the past six months.…
- Trump wants to turn it on again with 'Genesis Mission' for AI in science
DOE told to build a unified research platform linking federal compute, datasets, and national labs
US President Trump has ordered the launch of the "Genesis Mission," a national effort to use AI to drive scientific discoveries, with the aim of strengthening America's technological leadership and global competitiveness.…
- Airbus: We were hours from pausing production in Spain
Power outage in Iberia forced datacenter contingency rethink
Exclusive: Airbus is overhauling its datacenter contingency plans after a ten-hour power outage across Spain and Portugal in April nearly forced a complete production shutdown.…
- CISA warns spyware crews are breaking into Signal and WhatsApp accounts
Attackers sidestep encryption with spoofed apps and zero-click exploits to compromise 'high-value' mobile users
CISA has warned that state-backed snoops and cyber-mercenaries are actively abusing commercial spyware to break into Signal and WhatsApp accounts, hijack devices, and quietly rummage through the phones of what the agency calls "high-value" users.…
- Calls grow for inquiry into UK data watchdog after MoD leak
ICO accused of backing off oversight as fallout from Afghan blunder widens
Civil society groups are urging MPs to launch a parliamentary inquiry into the Information Commissioner's Office (ICO), accusing the UK data watchdog of abandoning its enforcement duties after it declined to investigate a Ministry of Defence data leak linked to dozens of deaths.…
- Britain plots atomic reboot as datacenter demand surges
Taskforce calls UK the priciest place on Earth to build nuclear projects and urges radical regulatory reset
The UK is following the US in seeking to fast-track new atomic development, spurred on by the need to provide enough energy for its AI ambitions plus the increasing electrification of industry and vehicles.…
- Meta knows how bad its sites are for kids, say lawyers
Multiple internal studies allegedly buried by the company
Is Meta acting like a tobacco company denying cigarettes cause cancer, or an oil giant downplaying climate science? Lawyers in a recent court filing claim the social media titan buried internal research for years suggesting its platforms can harm children's mental health.…
- Praise Amazon for raising this service from the dead
The hardest part is admitting you were wrong, which AWS did.
Opinion: For years, Google has seemingly indulged a corporate fetish of taking products that are beloved, then killing them. AWS has been on a different kick lately: Killing services that frankly shouldn't have seen the light of day.…
- Anthropic reduces model misbehavior by endorsing cheating
By removing the stigma of reward hacking, AI models are less likely to generalize toward evil
Sometimes bots, like kids, just wanna break the rules. Researchers at Anthropic have found they can make AI models less likely to behave badly by giving them permission to do so.…
- Ex-CISA officials, CISOs dispel 'hacklore,' spread cybersecurity truths
Don't believe everything you read
Afraid of connecting to public Wi-Fi? Terrified to turn your Bluetooth on? You may be falling for "hacklore," tall tales about cybersecurity that distract you from real dangers. Dozens of chief security officers and ex-CISA officials have launched an effort and website to dispel these myths and show you how not to get hacked for real.…
- Old-school rotary phone dials into online meetings, hangs up when you slam it down
Stavros Korokithakis really wanted to slam the receiver on meetings, so he built his own device to do just that
We've all been there: A meeting goes sideways and you really wish you could physically slam the phone down and walk away. Maker Stavros Korokithakis knows that feeling well, so he took an old rotary phone and turned it into a device that can dial into - and hang up on - video calls in a decidedly retro fashion. …
- X's location tags remind users of the internet's oldest rule: Trust nothing
Accuracy errors or inadvertent unmasking of rage-bait trolls? Probably somewhere in between
Elon Musk's X (formerly Twitter) has inadvertently taught a large number of web users an important lesson. Not everyone online is necessarily who you think they are, and you shouldn't believe everything you read.…
- LisaGUI recreates Apple's innovative computer OS, without emulating it
Somewhere between a cover version and a loving homage of the interface that helped shape the modern desktop
LisaGUI is a faithful reconstruction of the desktop and user interface of Apple's Lisa, the workstation that fed ideas into the early Macintosh, and it shows that there are still things to learn from that system.…
- How high-end supercomputer filesystem DAOS can break out of its niche
DAOS needs user education, Nvidia GPU access, and better manageability to grow
DAOS has been a great success in the traditional HPC/supercomputing world, but is nowhere in the new, AI-focused, GPU supercomputing arena. What will it take for DAOS to find customers outside its high-end, legacy supercomputing niche?…
- Years-old bugs in open source tool left every major cloud open to disruption
Fluent Bit has 15B+ deployments … and 5 newly assigned CVEs
A series of "trivial-to-exploit" vulnerabilities in Fluent Bit, an open source log collection tool that runs in every major cloud and AI lab, was left open for years, giving attackers an exploit chain to completely disrupt cloud services and alter data.…
- Shai-Hulud worm returns, belches secrets to 25K GitHub repos
Trojanized npm packages spread new variant that executes in pre-install phase, hitting thousands within days
A self-propagating malware targeting node package managers (npm) is back for a second round, according to Wiz researchers who say that more than 25,000 developers had their secrets compromised within three days.…
- NATO taps Google for air-gapped sovereign cloud
Chocolate Factory wins contract to build fully disconnected systems for training and operational support
NATO has hired Google to provide "air-gapped" sovereign cloud services and AI in "completely disconnected, highly secure environments."…
- FCC guts post-Salt Typhoon telco rules despite ongoing espionage risk
Months after China-linked spies burrowed into US networks, regulator tears up its own response
The Federal Communications Commission (FCC) has scrapped a set of telecom cybersecurity rules introduced after the Salt Typhoon espionage campaign, reversing course on measures designed to stop state-backed snoops from slipping back into America's networks.…
- CISA orders feds to patch Oracle Identity Manager zero-day after signs of abuse
Agencies have until December 12 to mitigate flaw that was likely exploited before Big Red released fix
CISA has ordered US federal agencies to patch against an actively exploited Oracle Identity Manager (OIM) flaw within three weeks – a scramble made more urgent by evidence that attackers may have been abusing the bug months before a fix was released.…
- Vibe coding: What is it good for? Absolutely nothing (Sorry, Linus)
Coding purists once considered BASIC harmful. AI can't even manage that
Opinion: It is a truth universally acknowledged that a singular project possessed of prospects is in want of a team. That team has to be built from good developers with experience, judgement, analytic and logic skills, and strong interpersonal communication. Where AI coding fits in remains strongly contentious. Opinion on vibe coding in corporate IT is more clearly stated: you're either selling the stuff or steering well clear.…

- Security: Why Linux Is Better Than Windows Or Mac OS
Linux is a free and open source operating system that was released in 1991 developed and released by Linus Torvalds. Since its release it has reached a user base that is greatly widespread worldwide. Linux users swear by the reliability and freedom that this operating system offers, especially when compared to its counterparts, Windows and […]
- Essential Software That Are Not Available On Linux OS
An operating system is essentially the most important component in a computer. It manages the different hardware and software components of a computer in the most effective way. There are different types of operating system and everything comes with their own set of programs and software. You cannot expect a Linux program to have all […]
- Things You Never Knew About Your Operating System
The advent of computers has brought about a revolution in our daily life. From computers that were so huge to fit in a room, we have come a very long way to desktops and even palmtops. These machines have become our virtual lockers, and a life without these network machines have become unimaginable. Sending mails, […]
- How To Fully Optimize Your Operating System
Computers and systems are tricky and complicated. If you lack a thorough knowledge or even basic knowledge of computers, you will often find yourself in a bind. You must understand that something as complicated as a computer requires constant care and constant cleaning up of junk files. Unless you put in the time to configure […]
- The Top Problems With Major Operating Systems
There is no such system which does not give you any problems. Even if the system and the operating system of your system is easy to understand, there will be some times when certain problems will arise. Most of these problems are easy to handle and easy to get rid of. But you must be […]
- 8 Benefits Of Linux OS
Linux is a small and a fast-growing operating system. However, we can’t term it as software yet. As discussed in the article about what can a Linux OS do Linux is a kernel. Now, kernels are used for software and programs. These kernels are used by the computer and can be used with various third-party software […]
- Things Linux OS Can Do That Other OS Can’t
What Is Linux OS? Linux, similar to U-bix is an operating system which can be used for various computers, hand held devices, embedded devices, etc. The reason why Linux operated system is preferred by many, is because it is easy to use and re-use. Linux based operating system is technically not an Operating System. Operating […]
- Packagekit Interview
Packagekit aims to make the management of applications in the Linux and GNU systems. The main objective to remove the pains it takes to create a system. Along with this in an interview, Richard Hughes, the developer of Packagekit said that he aims to make the Linux systems just as powerful as the Windows or […]
- What’s New in Ubuntu?
What Is Ubuntu? Ubuntu is open source software. It is useful for Linux based computers. The software is marketed by the Canonical Ltd., Ubuntu community. Ubuntu was first released in late October in 2004. The Ubuntu program uses Java, Python, C, C++ and C# programming languages. What Is New? The version 17.04 is now available here […]
- Ext3 Reiserfs Xfs In Windows With Regards To Colinux
The problem with Windows is that there are various limitations to the computer and there is only so much you can do with it. You can access the Ext3 Reiserfs Xfs by using the coLinux tool. Download the tool from the official site or from the sourceforge site. Edit the connection to “TAP Win32 Adapter […]

- Google’s Android for desktops and laptops is called Aluminium
Google has made it very clear that it’s intending to bring Android to laptops and desktops, and replace Chrome OS with Android in the process. We now have a codename, and some more information about what this will look like in practice. Over the weekend, a tipster on Telegram named Frost Core shared a link to an intriguing Google job listing for a ‘Senior Product Manager, Android, Laptop and Tablets.’ While we already know Google is bringing Android to the PC, the listing explicitly states that the role involves ‘working on a new Aluminium, Android-based, operating system.’ This effectively confirms that Aluminium is the codename for the new unified platform. The name appears to be a nod to the project’s roots: like Chromium (the open-source version of ChromeOS), Aluminium is a metal ending in ‘-ium.’ The choice of the British spelling — emphasizing the ‘Al’ prefix — likely pays homage to Android serving as the project’s foundation. ↫ Mishaal Rahman at Android Authority So we have the codename, and of course, what we also have is a strong focus on “AI”, which will be “at the core” of desktop Android. Further details uncovered in job openings include a focus not just on entry-level hardware, but also midrange and premium laptops and desktops, as well as Chrome OS being replaced by this new desktop Android variant. I somehow doubt existing Chrome OS devices will be updated to this new desktop Android variant, so Chrome OS will continue to exist as a product for at least quite a few years to come. I still have a considerable amount of doubt that Google would be able to pull this off in a successful way. It’s already hard enough to get anyone to buy any laptop that isn’t running Windows or macOS, and I doubt the Android operating system has the kind of pull with consumers to make them consider switching to it on their laptops or desktops. Enthusiasts will surely eat it up, if only to try, but without any clear, massive success, this desktop Android thing runs the real risk of ending up at Google’s graveyard. These Android laptops can be incredible products, but even if they are, I just won’t trust Google to remain interested in it.
- Microsoft admits almost all major Windows 11 core features are broken
You may have noticed a sharp increase in problems and issues in Windows recently (following the rise of the “AI” hype cycle, entirely coincidentally, I’m sure), and it seems Microsoft is finally starting to acknowledge just how bad Windows has become. On the positive side though, following all that backlash, Microsoft acknowledged Windows has issues, and as if on cue, the company in a new support article has admitted that there are problems on almost every major Windows 11 core feature. The issues are related to XAML and this impacts all the Shell components like the Start Menu, Taskbar, Explorer, and Windows Settings. ↫ Sayan Sen at Neowin It’s wild how many core components like this have apparently been broken due to these problems since July of this year. This means countless Windows users have been experiencing weird issues on a daily basis in multiple components for four months now, which is absolutely wild. On top of all the more structural problems in Windows, I wonder how people can get anything done at all; only a few days ago, I had to manually clean out the Installer folder in the Windows folder on my wife’s gaming PC, because for some inexplicable reason, Windows decided to permanently store 18GBs worth (!) of past Adobe Acrobat updates and installers in there. It’s impossible to reliably say that Microsoft’s incessant focus on crypto NFTs “AI” lies at the root of all of these problems, but if 30% of “new” code in Microsoft is indeed regurgitated by “AI”, it’s hard not to conclude as such.
- The privacy nightmare of browser fingerprinting
I suspect that many people who take an interest in Internet privacy don’t appreciate how hard it is to resist browser fingerprinting. Taking steps to reduce it leads to inconvenience and, with the present state of technology, even the most intrusive approaches are only partially effective. The data collected by fingerprinting is invisible to the user, and stored somewhere beyond the user’s reach. On the other hand, browser fingerprinting produces only statistical results, and usually can’t be used to track or identify a user with certainty. The data it collects has a relatively short lifespan – days to weeks, not months or years. While it probably can be used for sinister purposes, my main concern is that it supports the intrusive, out-of-control online advertising industry, which has made a wasteland of the Internet. ↫ Kevin Boone My view on this matter is probably a bit more extreme than some: I believe it should be illegal to track users for advertising purposes, because the data collected and the targeting it enables not only violate basic privacy rights enshrined in most constitutions, they also pose a massive danger in other ways. This very same targeting data is already being abused by totalitarian states to influence our politics, which has had disastrous results. Of course, our own democratic governments’ hands aren’t exactly clean either in this regard, as they increasingly want to use this data to “stop terrorists” and otherwise infringe on basic rights. Finally, any time such data ends up on the black market after data breaches, criminals, organised or otherwise, also get their hands on it. I have no idea what such a ban should look like, or if it’s possible to do this even remotely effectively. In the current political climate in many western countries, which are dominated by the wealthy few and corporate interests, it’s highly unlikely that even if such a ban was passed as lip service to concerned constituents, any fines or other deterrents would probably be far too low to make a difference anyway. As such, my desire to have targeted online advertising banned is mostly theory, not practice, further illustrated by the European Union caving like cowards on privacy to even the slightest bit of pressure. Best I can do for now is not partake in this advertising hellhole. I disabled and removed all advertising from OSNews recently, and have always strongly advised everyone to use as many adblocking options as possible. We not only have a Pi-Hole to keep all of our devices at home safe, but also use a second layer of on-device adblockers, and I advise everyone to do the same.
- Americans are holding onto devices longer than ever and it’s costing the economy!
We need to consume. The average American now holds onto their smartphone for 29 months, according to a recent survey by Reviews.org, and that cycle is getting longer. The average was around 22 months in 2016. While squeezing as much life out of your device as possible may save money in the short run, especially amid widespread fears about the strength of the consumer and job market, it might cost the economy in the long run, especially when device hoarding occurs at the level of corporations. ↫ Kevin Williams at CNBC Line must go up. Ļ̷̩̺̾i̶̼̳͍͂̒ͅn̵͕̉̾e̴̞͛̓̀̍ ̴͙̙̥͋͐m̸͚̉̆u̴̖̰̪̽̔ͅs̶̨̛̾ţ̷̢̂͛̆͝ ̵̱̐̓̾̔͜ğ̷͕̮̮͆o̷̟͈̐̏̄͝ ̷̢̨̞̉u̴̢̪̭̱̿͑͛̌p̴͈̜̫̖̌.
- Tuxedo cancels Snapdragon X Elite Linux laptop project
For the past 18 months, the Linux OEM Tuxedo Computers has been working on bringing a Snapdragon X Elite ARM laptop to market, but now they cancelled the project due to complications. Development turned out to be challenging due to the different architecture, and in the end, the first-generation X1E proved to be less suitable for Linux than expected. In particular, the long battery runtimes—usually one of the strong arguments for ARM devices—were not achieved under Linux. A viable approach for BIOS updates under Linux is also missing at this stage, as is fan control. Virtualization with KVM is not foreseeable on our model, nor are the high USB4 transfer rates. Video hardware decoding is technically possible, but most applications lack the necessary support. Given these conditions, investing several more months of development time does not seem sensible, as it is not foreseeable that all the features you can rightfully expect would be available in the end. In addition, we would be offering you a device with what would then be a more than two-year-old Snapdragon X Elite (X1E), whose successor, the Snapdragon X2 Elite (X2E), was officially introduced in September 2025 and is expected to become available in the first half of 2026. ↫ Tuxedo’s announcement Back when Qualcomm was hyping up these processors, the company made big claims about supporting Linux equally to Windows, but those promises have turned out to be absolutely worthless. Tuxedo already highlighted the problems it was dealing with half a year ago, and now it seems these problems have become impossible to overcome, at least for now. This is a shame, but also not entirely unexpected, since there’s no way a small Linux OEM can do the work that Qualcomm promised it would do for its own chip. All this sadly means we still don’t really have proper Linux support for modern ARM laptops, which is a crying shame. The problem isn’t so much Linux itself, but the non-standardised world of ARM hardware. Large OEMs are willing to do the work to make Windows work, but despite recent successes, desktop Linux is nowhere near as popular as Windows, so there’s little incentive for OEMs (or Qualcomm) to step up their game. It is what it is.
- The Commodore CHESSmate
The CHESSmate was demonstrated at the January 1978 Consumer Electronics Show in Las Vegas as a prototype in order to assess customer interest in the product. It was available for order at the June 1978 CES in Chicago and the first units, manufactured in Hong Kong, shipped later that year. It was a big seller in Germany from the beginning. ↫ Peter R. Jennings There’s no way I can summarise this story.
- Microsoft removes WINS from future Windows Server releases
Blasts from the pasts are often fun, and in the case of feature removals from Windows, it’s often accompanied by surprise that the feature in question still existed. Case in point: This article provides essential information about the deprecation and planned removal of Windows Internet Name Service (WINS) from future Windows Server releases. Microsoft has announced that WINS will be removed from all Windows Server releases after Windows Server 2025 and will remain under the standard support lifecycle through November 2034. Organizations using WINS are strongly encouraged to migrate to modern DNS-based name resolution solutions. ↫ Microsoft knowledge base article WINS was introduced with Windows NT 3.5 back in 1994, and maps NetBIOS to IP addresses in much the same way DNS maps domain names to IP addresses. Nobody should be using WINS anymore, and Microsoft has been discouraging its use for a long time now. With the ubiquity of DNS, WINS serves very little purpose, so it makes sense Microsoft is removing it from Windows.
- LionsOS: an adaptable OS based on the seL4 microkernel
LionsOS is an operating system based on the seL4 microkernel with the goal of making the achievements of seL4 accessible. That is, to provide performance, security, and reliability. It is not a conventional operating system, but contains composable components for creating custom operating systems that are specific to a particular task. Components are joined together using the Microkit tool. ↫ LionsOS website The project is under active research and development, led by the Trustworthy Systems research group at UNSW Sydney in Australia. The source code is available on GitHub.
- HP, Dell quietly disable HEVC on certain laptops over minute license fee increase
Inter-corporation bullshit screwing over consumers, a tale as old as time. Major laptop vendors have quietly removed hardware decode support for the H.265/HEVC codec in several business and entry-level models, a decision apparently driven by rising licensing fees. Users working with H.265 content may face reduced performance unless they verify codec support or rely on software workarounds. ↫ Hilbert Hagedoorn at The Guru of 3D You may want to know how much these licensing fees are, and by how much they’re increasing next year, making these laptop OEMs remove features to avoid the costs. The HEVC licensing fee is $0.20 per device, and in 2026 it’s increasing to $0.24. Yes, a $0.04 increase per device is “forcing” these giant companies to screw over their consumers. Nobody’s coming out a winner here, and everyone loses. We took a wrong turn, but nobody seems to know when and where.
- The why of LisaGUI
LisaGUI is an amazing project that recreates the entire user interface of the Apple Lisa in the browser, using nothing but CSS, a bit of HTML, and SVG files, and it’s an absolute joy to use and experience. Its creator, Andrew Yaros, has published a blog post diving into the why and how of LisaGUI. I had been trying to think of a good project to add to my programming portfolio, which was lacking. Finding an idea I was willing and able to execute on proved harder than expected. Good ideas are born from necessity and enthusiasm; trying to create a project for its own sake tends to be an uphill battle. I was also hoping to think of a specific project idea that hasn’t really been tried before. As you may have guessed by the title of this post, LisaGUI ended up being that project, although I didn’t really set out to make it as much as I stumbled into it while trying to accomplish something else. ↫ Andrew Yaros I’m someone who prefers to run the real thing on real hardware, but in a lot of cases, that’s just not realistic anymore. Hardware like the Apple Lisa are not only hard to find and expensive, they also require considerable knowledge and skill to maintain and possibly repair, which not everyone can do. For these types of machines, virtualisation, emulation, and recreation are much better, more accessible options, especially if it involves hardware and software you’re not interested enough in to spend time and money on them.
- “Fixing” the broken Solaris Management Console Oracle won’t fix
In my detailed article about the Sun Microsystems ecosystem of the late 2000s, I mentioned an issue I ran into with the latest (leaked) patchset for Solaris 10, the one from 2020, available on Archive.org. Sun does not make Solaris 10 patches and patchsets from 2014 and later freely available online, restricting them to big enterprise customers with expensive support contracts. The same restrictions apply to mere support documents for Solaris 10, so that issues documented by Oracle, including causes and possible solutions, are only accessible to those with support contracts. The specific issue I ran into is that after installing the 2020 patchset, the Solaris Management Console, a GUI application written in Java with which you can manage certain aspects of your system, would no longer work. It would start up, but any settings panel you tried to load would throw up an RMI_ERR: error unmarshalling return, rendering the SMC effectively non-functional. This problem is documented in Oracle Doc ID 1559490.1, but of course, the Cause and Solution sections are hidden. I like weird commercial UNIX configuration GUIs, so even though you can do all of the SMC’s tasks with command-line tools, I still want it to work. Judging by the error and the countless references to Java updates, it’s easy to figure out that the root cause is an updated version of Java installed by the patchset that the SMC doesn’t like. You’d think uninstalling any relevant patches would solve the problem, but I tried that and it didn’t make a difference, so I was hoping Oracle perhaps had a later patch to fix the issue, or perhaps a proper workaround to get the SMC working again. Well, a screenshot of the remainder of that Oracle Doc ID mysteriously materialised on my Ultra 45 this morning, and it turns out that Oracle just… Doesn’t care. Honestly, I can’t blame them. Solaris 10 is old, outdated, pure legacy, and the very small number of organisations still using it are probably using it in Solaris Zones on servers anyway, and definitely not as a workstation/desktop operating system. There is zero incentive for Oracle to waste any time trying to fix this issue that, let’s be honest, really only affects one person in the entire world: me. Still, I wanted it fixed, and so I brute-forced a solution. It’s pretty straightforward: just change your default Java version back to one that the Solaris Management Console can work with. While I have Java 1.6.0 and 1.8.0 installed on the Ultra 45, with 1.6.0 being the default, the SMC will only work when 1.5.0 is set as your default Java version. There’s a wide variety of ways to do this, ranging from hatchets to scalpels, but considering nothing else on Solaris 10/SPARC on the Ultra 45 relies on 1.6.0 or later (as far as I can tell, at least), I took a hatchet approach and just changed the /usr/java symlink so that it pointed to 1.5.0 again. It’s that simple. Like I said, there are far more elegant ways of doing this, down to various scripts and other things to force only the SMC to use this specific Java version, but it’s not worth the effort to figure that out, and this works just as well. So, just in case there’s ever going to be a second person looking to fix this problem, here you are. You weird, weird person.
- Microsoft warns its new “AI” agents in Windows can install malware
Microsoft has just announced a whole slew of new “AI” features for Windows, and this time, they’ll be living in your taskbar.
Microsoft is trying to transform Windows into a “canvas for AI,” with new AI agents integrated into the Windows 11 taskbar. These new taskbar capabilities are designed to make AI agents feel like an assistant in Windows that can go off and control your PC and do tasks for you at the click of a button. It’s part of a broader overhaul of Windows to turn the operating system into an “agentic OS.” Microsoft is integrating a variety of AI agents directly into the Windows 11 taskbar, including its own Microsoft 365 Copilot and third-party options. “This integration isn’t just about adding agents; it’s about making them part of the OS experience,” says Windows chief Pavan Davuluri.
↫ Tom Warren at The Verge
These “AI” agents will control your computer, applications, and files for you, which may make some of you a little apprehensive, and for good reason. “AI” tools don’t have a great track record when it comes to privacy (Windows Recall comes to mind), and as such, Microsoft claims this time, it’ll be different. These new “AI” agents will run in what are essentially dedicated Windows accounts acting as sandboxes, to ensure they can only access certain resources. While I find the addition of these “AI” tools to Windows insufferable and dumb, I’m at least glad Microsoft is taking privacy and security seriously this time, and I doubt Microsoft would repeat the same mistakes they made with the entirely botched rollout of Windows Recall. In addition, after the CrowdStrike fiasco, Microsoft made clear commitments to improve its security practices, which further adds to the confidence we should all have these new “AI” tools are safe, secure, and private. But wait, what’s this?
Additionally, agentic AI applications introduce novel security risks, such as cross-prompt injection (XPIA), where malicious content embedded in UI elements or documents can override agent instructions, leading to unintended actions like data exfiltration or malware installation.
↫ Microsoft support document about the new “AI” features
Microsoft’s new “AI” features can go out and install malware without your consent, because these features possess the access and privileges to do so. The mere idea that some application, which is essentially what these “AI” features really are, can go out onto the web and download and install whatever it wants, including malware, “on your behalf”, in the background, is so utterly dystopian to me I just can’t imagine any serious developer looking at this and thinking “yeah, ship it”. I’m living in an insane asylum.
- Run old versions of UNIX for PDP-11 and x86 on modern hardware
The contents of this repository allow older versions of UNIX (ancient UNIX) to run easily on modern Unix-like systems (Linux, FreeBSD, macOS, among others).
↫ Run ancient UNIX GitHub page
With the guides in this repository, you can easily run Versions 1/5/7 UNIX and 2.11BSD UNIX for the PDP-11 and Version 7 UNIX for x86 (ported to x86 by Robert Nordier in 1999, with patches in 2006-2007). That’s it.
- Living my best Sun Microsystems ecosystem life in 2025
In my lifetime, there’s been one ecosystem I deeply regret having missed out on: the Sun Microsystems ecosystem of the late 2000s. At that time, the company offered a variety of products that, when used together, formed a comprehensive ecosystem that was a fascinating, albeit expensive alternative to Microsoft and Apple. While not really intended for home use, I’ve always believed that Sun’s approach to computing would’ve made for an excellent computing environment in the home. Since I was but a wee university student in the late 2000s living in a small apartment, I did not have the financial means nor the space to really test this hypothesis. Now, though, Sun’s products from that era are decidedly retro, and a lot more approachable, especially if you have incredibly generous readers. So sit down and buckle up, because we’ve got a long one today. If you wish to support OSNews and longform content like this, consider becoming a Patreon or donating to our Ko-Fi. Note that absolutely zero generative “AI” was used in the writing of this article. No “AI” writing aids, no “AI” summaries, no ChatGPT, no Gemini search nonsense, nothing. I take pride in doing research and writing properly, without the “aid” of digital parrots with brain damage, and if there’s any errors, they’re mine and mine alone. Take pride in your work and reject “AI”.
The Ultra 45: the central hub
In the early 2000s, it had already become obvious that the future of workstations lay not with custom architectures, bespoke processors, and commercial UNIX variants, but with standard x86, off-the-shelf Intel and AMD processors, and Windows and Linux. The writing was on the wall, everyone knew it, and the ensuing consolidation on x86 turned into a veritable bloodbath. In the 80s and 90s, many of these ISAs were touted as vastly superior x86 killers, but fast-forward a decade or two, and x86 had bested them all in both price and performance, leaving behind a trail of dead ISAs. Never bet against x86.
Virtually none of the commercial UNIX variants survived the one-two punch of losing the ISA they were married to and the rising popularity of Linux in the workstation space. HP-UX was tied to HP’s PA-RISC, and both died. SGI’s IRIX was tied to MIPS, and both died. Tru64 was tied to Alpha, and both died. The two exceptions are IBM’s AIX and Sun’s Solaris. AIX workstations were phased out, but AIX is still nominally in development for POWER servers, but wholly inaccessible to anyone who doesn’t wear a suit and has a massive corporate spending budget. Solaris, meanwhile, which had long been available on x86, saw its “own” ISA SPARC live on in the server space until roughly 2017 or so, and was even briefly available as open source until Oracle did its thing. As a result, Solaris and its derivative Illumos are still nominally in active development, but in the grand scheme of things they’re barely even a blip on the radar in 2025. Never bet against Linux. During these tumultuous times, the various commercial UNIX vendors all pushed out systems that would become the final hurrahs of their respective UNIX workstation lines. DEC, then owned by HP, released its AlphaStation ES47 in 2003, marking the end of the road for Alpha and Tru64 UNIX. HP’s own PA-RISC architecture and HP-UX met their end with the HP c8000 (which I own), an all-out PA-RISC monster with two dual-core processors running at 1.1GHz. SGI gave its MIPS line of machines running IRIX a massive send-off with the enigmatic and rare Tezro in 2003. In 2005, IBM tried one last time with the IntelliStation POWER 285, followed a few months later by the heavily cut-down 185, the final AIX workstation. And Sun unveiled the Ultra 45, its final SPARC workstation, in 2006.
Sun was already in the middle of its transition to x86 with machines like the Sun Java Desktop System and its successors, the Ultra 20 and 40, and then surprised everyone by reviving their UltraSPARC workstation line with the Ultra 25 and 45, which shared most (all?) of their enclosures with their x86 brethren. They were beautiful, all-aluminium machines with gorgeous interior layouts, and a striking full-grill front, somewhat inspired by the PowerMac G5 of that era. And ever since the Ultra 45 was rumoured in late 2005 and then became available in early 2006, I’ve been utterly obsessed with it. It’s taken almost two decades, but thanks to an unfathomably generous donation from KDE e.V. board member and FreeBSD contributor Adriaan de Groot, a very unique and storied Sun Ultra 45 and a whole slew of accessories showed up at my doorstep only a few weeks ago. Let’s look back upon this piece of history that is but a footnote to most, but a whole book to me, and experience Sun’s ecosystem from around 2006, today. First and foremost, I want to express my deep gratitude to Adriaan de Groot. Without him, none of this would have been possible, and I can’t put into words how grateful I am. He donated this Ultra 45 to me at no cost, not even the cost of shipping, and he also shipped another box to me containing a few Sun Ray thin clients, completing the late 2000s Sun ecosystem I now own. Since the Ultra 45 was technically owned by KDE e.V. (more on that below), I’d also like to thank the KDE e.V. Board for giving Adriaan permission for the donation. I’d also like to thank Volker A. Brandt, who sent me a Sun Ray 3, a few Ultra 45 hard drive brackets, and some other Sun goodies. The Sun Ultra 45 De Groot sent me was a base model with an upgraded GPU. It had a single UltraSPARC IIIi 1.6GHz processor, 1GB of RAM, and the most powerful GPU Sun ever released for its SPARC workstation line, the Sun XVR-2500, a rebadged 3Dlabs Wildcat Realizm with
- Using Rust in Android speeds up development considerably
Google has been using Rust in Android more and more for its memory safety characteristics, and the results on that front were quite positive. It turns out, however, that not only does using Rust reduce the number of memory safety issues, it’s also apparently a lot faster to code in Rust than C or C++.
We adopted Rust for its security and are seeing a 1000x reduction in memory safety vulnerability density compared to Android’s C and C++ code. But the biggest surprise was Rust’s impact on software delivery. With Rust changes having a 4x lower rollback rate and spending 25% less time in code review, the safer path is now also the faster one.
↫ Jeff Vander Stoep at the Google Security Blog
When you think about it, it actually makes sense. If you have fewer errors of a certain type, you’ll spend less time fixing those issues, time which you can then spend developing new code. Of course, it’s not that simple and there’s a ton more factors to consider, but on a base level, it definitely makes sense. Spellcheck in word processors means you have to spend less time detecting and fixing spelling errors, so you have more time to spend on actually writing. I’m sure we’ll all be very civil about this, and nobody will be weird about Rust at all.
- Haiku gets new guarded heap for the kernel
Another month, another Haiku activity report, and this time we’ve got a major change under the hood: a brand new guarded heap. The old guarded heap was suboptimal and had started to lag behind, so the new one attempts to rectify some of these shortcomings.
So, to rectify these limitations, I rewrote the kernel guarded heap more or less from scratch, taking the old code into account where it made sense but otherwise creating entirely new bookkeeping structures, interacting directly with the page table and virtual memory systems, and more. This new guarded heap implementation frees physical pages when not in use, meaning that the “virtual memory reuse disabled” mode now runs for quite long periods of time (indeed, I could successfully boot to the desktop and run compile jobs.) It also prints more diagnostics when kernel panics due to memory faults inside the heap happen, which the old kernel guarded heap didn’t (but the userland one has always done).
↫ Haiku’s activity report for October
The new guarded heap is optional for now, but Haiku is planning on releasing some pre-built test builds so users can start testing it out. Of course, this isn’t the only change or improvement from this past month; the list of changes is long, but there’s no real tentpole features here. Haiku’s development pace is still very much on track.

- Wine 10.19 Released: Game Changing Support for Windows Reparse Points on Linux
by George Whittaker
Introduction
If you use Linux and occasionally run Windows applications, whether via native Wine or through gaming layers like Proton, you’ll appreciate what just dropped in Wine 10.19. Released November 14 2025, this version brings a major enhancement: official support for Windows reparse points, a filesystem feature many Windows apps rely on, and a host of other compatibility upgrades.
In simpler terms: Wine now understands more of the Windows filesystem semantics, which means fewer workarounds, better application compatibility, and smoother experiences for many games and tools previously finicky under Linux.
What Are Reparse Points & Why They Matter
Understanding Reparse Points
On Windows, a reparse point is a filesystem object (file or directory) that carries additional data, often used for symbolic links, junctions, mount points, or other redirection features. When an application opens or queries a file, the OS may check the reparse tag to determine special behavior (for example “redirect this file open to this other path”).
Because many Windows apps, installers, games, DRM systems, file-managers, use reparse points for features like directory redirection, path abstractions, or filesystem overlays, lacking full support for them in Wine means those apps often misbehave.
What Wine 10.19 Adds
With Wine 10.19, support for these reparse point mechanisms has been implemented in key filesystem APIs: for example NtQueryDirectoryFile, GetFileInfo, file attribute tags, and DeleteFile/RemoveDirectory for reparse objects.
This means that in Wine 10.19:
Windows apps that create or manage symbolic links, directory junctions or mount-point style re-parsing will now function correctly in many more cases. Installers or frameworks that rely on “when opening path X, redirect to path Y” will work with less tinkering. Games or utilities that check for reparse tags or use directory redirections will have fewer “stuck” behaviors or missing files.
In effect, this is a step closer to native behavior for Windows file-system semantics under Linux.
Other Key Highlights in Wine 10.19
Beyond reparse points, the release brings several notable improvements:
  - Expanded support for WinRT exceptions (Windows Runtime error handling), meaning better compatibility for Universal Windows Platform (UWP) apps and newer Windows-based frameworks.
  - Refactoring of “Common Controls” (COMCTL32) following the version 5 vs version 6 split, which helps GUI applications that rely on older controls or expect mixed versions.
- Firefox 145: A Major Release with 32-Bit Linux Support Dropped
by George Whittaker
Introduction
Mozilla has rolled out Firefox 145, a significant update that brings a range of usability, security and privacy enhancements, while marking a clear turning point by discontinuing official support for 32-bit Linux systems. For users on older hardware or legacy distros, this change means it’s time to consider moving to a 64-bit environment or opting for a supported version.
Here’s a detailed look at what’s new, what’s changed, and what you need to know.
Major Changes in Firefox 145
End of 32-Bit Linux Builds
One of the headline items in this release is Mozilla’s decision to stop building and distributing Firefox for 32-bit x86 Linux. As per their announcement:
“32-bit Linux (on x86) is no longer widely supported by the vast majority of Linux distributions, and maintaining Firefox on this platform has become increasingly difficult and unreliable.”
From Firefox 145 onward, only 64-bit (x86_64) and relevant 64-bit architectures (such as ARM64) will be officially supported. For those still running 32-bit Linux builds, Mozilla recommends migrating to 64-bit or switching to the Extended Support Release (ESR) branch (Firefox 140 ESR) which still supports 32-bit for a limited period.
Usability & Interface Enhancements
Firefox 145 brings several improvements designed to make everyday web browsing smoother and more flexible:
  - PDF viewer enhancements: You can now add, edit, and delete comments in PDFs, and a comments sidebar helps you easily navigate your annotations.
  - Tab-group preview: When you hover over the name of a collapsed tab group, a thumbnail preview of the tabs inside appears, helpful for reorganizing or returning to work.
  - Access saved passwords from the sidebar, without needing to open a new tab or window.
  - “Open links from apps next to your active tab” setting: When enabled, links opened from external applications insert next to your current tab instead of at the end of the tab bar.
  - Slight UI refinements: Buttons, input fields, tabs and other elements get more rounded edges, horizontal tabs are redesigned to align with vertical-tab aesthetics.
Privacy, Security & Under-the-Hood Upgrades
Mozilla has also doubled down on privacy and risk reduction:
Fingerprinting defenses: Firefox 145 introduces new anti-fingerprinting techniques that Mozilla estimates reduce the number of users identified as unique by nearly half when Private Browsing mode or Enhanced Tracking Protection (strict) is used.
- MX Linux 25 ‘Infinity’ Arrives: Debian 13 ‘Trixie’ Base, Modern Tools & A Fresh Installer
by George Whittaker
Introduction
The team behind MX Linux has just released version 25, carrying the codename “Infinity”, and it brings a significant upgrade by building upon the stable base of Debian 13 “Trixie”. Released on November 9, 2025, this edition doesn’t just refresh the desktop, it introduces modernized tooling, updated kernels, dual init-options, and installer enhancements aimed at both newcomers and long-time users.
In the sections that follow, we’ll walk through the key new features of MX Linux 25, what’s changed for each desktop edition, recommended upgrade or fresh-install paths, and why this release matters in the wider Linux-distribution ecosystem.
What’s New in MX Linux 25 “Infinity”
Here are the headline changes and improvements that define this release:
Debian 13 “Trixie” Base
By moving to Debian 13, Infinity inherits all the stability, security updates, and broader hardware support of the latest Debian stable release. The base system now aligns with Trixie’s libraries, kernels, and architecture support.
Kernel Choices & Hardware Support
The standard editions ship with the Linux 6.12 LTS kernel series, offering a solid baseline for most hardware. For newer hardware or advanced users, the “AHS” (Advanced Hardware Support) variants and the KDE Plasma edition adopt a Liquorix-flavored Linux 6.16 (or 6.15 in some variants) kernel, maximizing performance and compatibility with cutting-edge setups.
Dual Init Option: systemd and SysVinit
Traditionally associated with lighter-weight init options, MX Linux now offers both systemd by default and SysVinit editions (particularly for Xfce and Fluxbox variants). This gives users the freedom to choose their init system preference without losing new features.
Updated Desktop Environments
  - Xfce edition: Ships with Xfce 4.20. Improvements include a revamped Whisker Menu, updated archive management tools (Engrampa replacing File Roller in some editions).
  - KDE Plasma edition: Uses KDE Plasma 6.3.6, defaults to Wayland for a modern session experience (with X11 still optionally available), adds root-actions and service menus to Dolphin, and switches TLP out for power-profiles-daemon to resolve power widget issues.
  - Fluxbox edition: Offers a more minimal, highly customizable environment: new panel layouts, updated “appfinder” configs for Rofi, toolbar changes and themes refined. Defaults the audio player to Audacious (instead of the older DeaDBeeF).
- Arch Linux November 2025 ISO: Fresh Snapshot, Smarter Installer (Archinstall 3.0.12) & Pacman 7.1
by George Whittaker
Arch Linux has shipped its November 2025 ISO snapshot (2025.11.01), and while Arch remains a rolling distribution, these monthly images are a big deal, especially for new installs, labs, and homelab deployments. This time, the ISO lands alongside two important pieces:
  - Archinstall 3.0.12 – a more polished, smarter TUI installer
  - Pacman 7.1 – a package manager update with stricter security and better tooling
If you’ve been thinking about spinning up a fresh Arch box, or you’re curious what changed under the hood, this release is a very nice jumping-on point.
Why Arch Still Ships Monthly ISOs in a Rolling World
Arch is famous for its “install once, update forever” model. Technically, you could install from a two-year-old image and just run:
sudo pacman -Syu
…but in practice, that’s painful:
  - Huge initial update downloads
  - Possible breakage jumping across many months of changes
  - Outdated installer tooling
That’s why the project publishes a monthly snapshot ISO: it rolls all current packages into a fresh image so you:
  - Start with a current kernel and userland
  - Spend less time updating right after install
  - Get the latest Archinstall baked in (or just a pacman -Sy archinstall away)
The 2025.11.01 ISO is exactly that: Arch as of early November 2025, ready to go.
What’s Inside the November 2025 ISO (2025.11.01)
The November snapshot doesn’t introduce new features by itself, it’s a frozen image of current Arch, but a few details are worth calling out:
  - Ships with a Linux 6.17.x kernel, including improved AMD/Intel GPU support and updated Btrfs bits.
  - Includes all the usual base packages plus current toolchains, drivers, and desktop stacks from the rolling repos.
  - The image is intended only for new installs; existing Arch systems should keep using pacman -Syu for upgrades.
You can download it from the official Arch Linux download page or via BitTorrent mirrors.
One small twist: the ISO itself still ships with Archinstall 3.0.11, but 3.0.12 was released the same day – so we’ll grab the newer version from the repos before running the installer.
Archinstall 3.0.12: What’s Actually New?
Archinstall has evolved from “nice experiment” to “pretty solid way to install Arch” if you don’t want to script everything yourself. Version 3.0.12 is a refinement release focused on stability, storage, and bootloader logic.
- AMD Confirms Zen 5 RNG Flaw: When ‘Random’ Isn’t Random Enough
by George Whittaker
AMD has officially confirmed a high-severity security vulnerability in its new Zen 5–based CPUs, and it’s a nasty one because it hits cryptography right at the source: the hardware random number generator.
Here’s a clear breakdown of what’s going on, how bad it really is, and what you should do if you’re running Zen 5.
What AMD Just Confirmed
AMD’s security bulletin AMD-SB-7055, now tracked as CVE-2025-62626, describes a bug in the RDSEED instruction on Zen 5 processors. Under certain conditions, the CPU can:
  - Return the value 0 from RDSEED far more often than true randomness would allow
  - Still signal “success” (carry flag CF=1), so software thinks it got a good random value
The issue affects the 16-bit and 32-bit forms of RDSEED on Zen 5; the 64-bit form is not affected.
Because RDSEED is used to feed cryptographically secure random number generators (CSPRNGs), a broken RDSEED can poison keys, tokens, and other security-critical values.
AMD classifies the impact as:
Loss of confidentiality and integrity (High severity).
How the Vulnerability Works (In Plain English)
What RDSEED Is Supposed to Do
Modern CPUs expose hardware instructions like RDRAND and RDSEED:
  - RDRAND: Gives you pseudo-random values from a DRBG that’s already been seeded.
  - RDSEED: Gives you raw entropy samples suitable for seeding cryptographic PRNGs (it should be very close to truly random).
Software like TLS libraries, key generators, HSM emulators, and OS RNGs may rely directly or indirectly on RDSEED to bootstrap secure randomness.
What’s Going Wrong on Zen 5
On affected Zen 5 CPUs:
  - The 16-bit and 32-bit RDSEED variants sometimes return 0 much more often than a true random source should.
  - Even worse, they simultaneously report success (CF=1), so software assumes the value is fine rather than retrying.
In cryptographic terms, this means:
  - Entropy can be dramatically reduced (many key bits become predictable or even fixed).
  - Keys or nonces derived from those values can become partially or fully guessable.
- The Most Critical Linux Kernel Breaches of 2025 So Far
by George Whittaker
The Linux kernel, foundational for servers, desktops, embedded systems, and cloud infrastructure, has been under heightened scrutiny. Several vulnerabilities have been exploited in real-world attacks, targeting critical subsystems and isolation layers. In this article, we’ll walk through major examples, explain their significance, and offer actionable guidance for defenders.
CVE-2025-21756 – Use-After-Free in the vsock Subsystem
One of the most alarming flaws this year involves a use-after-free vulnerability in the Linux kernel’s vsock implementation (Virtual Socket), which enables communication between virtual machines and their hosts.
How the exploit works: A malicious actor inside a VM (or other privileged context) manipulates reference counters when a vsock transport is reassigned. The code ends up freeing a socket object while it’s still in use, enabling memory corruption and potentially root-level access.
Why it matters: Since vsock is used for VM-to-host and inter-VM communication, this flaw breaks a key isolation barrier. In multi-tenant cloud environments or container hosts that expose vsock endpoints, the impact can be severe.
Mitigation: Kernel maintainers have released patches. If your systems run hosts, hypervisors, or other environments where vsock is present, make sure the kernel is updated and virtualization subsystems are patched.
CVE-2025-38236 – Out-of-Bounds / Sandbox Escape via UNIX Domain Sockets
Another high-impact vulnerability involves the UNIX domain socket interface and the MSG_OOB flag. The bug was publicly detailed in August 2025 and is already in active discussion.
Attack scenario: A process running inside a sandbox (for example a browser renderer) can exploit MSG_OOB operations on a UNIX domain socket to trigger a use-after-free or out-of-bounds read/write. That allows leaking kernel pointers or memory and then chaining to full kernel privilege escalation.
Why it matters: This vulnerability is especially dangerous because it bridges from a low-privilege sandboxed process to kernel-level compromise. Many systems assume sandboxed code is safe; this attack undermines that assumption.
Mitigation: Distributions and vendors (like browser teams) have disabled or restricted MSG_OOB usage for sandboxed contexts. Kernel patches are available. Systems that run browser sandboxes or other sandboxed processes need to apply these updates immediately.
CVE-2025-38352 – TOCTOU Race Condition in POSIX CPU Timers
In September 2025, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
- Steam Deck 2 Rumors Ignite a New Era for Linux Gaming
by George Whittaker
The speculation around a successor to the Steam Deck has stirred renewed excitement, not just for a new handheld, but for what it signals in Linux-based gaming. With whispers of next-gen specs, deeper integration of SteamOS, and an evolving handheld PC ecosystem, these rumors are fueling broader hopes that Linux gaming is entering a more mature age. In this article we look at the existing rumors, how they tie into the Linux gaming landscape, why this matters, and what to watch.
What the Rumours Suggest
Although Valve has kept things quiet, multiple credible outlets report that the Steam Deck 2 is in development and potentially arriving well after 2026. Some of the key tidbits:
  - Editorials note that Valve isn’t planning a mere spec refresh; it wants a “generational leap in compute without sacrificing battery life”.
  - A leaked hardware slide pointed to an AMD “Magnus”-class APU built on Zen 6 architecture being tied to next-gen handhelds, including speculation about the Steam Deck 2.
  - One hardware leaker (KeplerL2) cited a possible 2028 launch window for the Steam Deck 2, which would make it roughly 6 years after the original.
  - Valve’s own design leads have publicly stated that a refresh with only 20-30% more performance is “not meaningful enough”, implying they’re waiting for a more substantial upgrade.
In short: while nothing is official yet, there’s strong evidence that Valve is working on the next iteration and wants it to be a noteworthy jump, not just a minor update.
Why This Matters for Linux Gaming
The rumoured arrival of the Steam Deck 2 isn’t just about hardware, it reflects and could accelerate key inflection points for Linux & gaming:
Validation of SteamOS & Linux Gaming
The original Steam Deck, running SteamOS (a Linux-based OS), helped prove that PC gaming doesn’t always require Windows. A well-received successor would further validate Linux as a first-class gaming platform, not a niche alternative but a mainstream choice.
Handheld PC Ecosystem Momentum
Since the first Deck, many Windows-based handhelds have entered the market (such as the ROG Ally, Lenovo Legion Go). Rumours of the Deck 2 keep the spotlight on the form factor and raise expectations for Linux-native handhelds. This momentum helps encourage driver, compatibility and OS investments from the broader community.
- Kali Linux 2025.3 Lands: Enhanced Wireless Capabilities, Ten New Tools & Infrastructure Refresh
by George Whittaker
Introduction
The popular penetration-testing distribution Kali Linux has dropped its latest quarterly snapshot: version 2025.3. This release continues the tradition of the rolling-release model used by the project, offering users and security professionals a refreshed toolkit, broader hardware support (especially wireless), and infrastructure enhancements under the hood. With this update, the distribution aims to streamline lab setups, bolster wireless hacking capabilities (particularly on Raspberry Pi devices), and integrate modern workflows including automated VMs and LLM-based tooling.
In this article, we’ll walk through the key highlights of Kali Linux 2025.3, how the changes affect users (both old and new), the upgrade path, and what to keep in mind for real-world deployment.
What’s New in Kali Linux 2025.3
This snapshot from the Kali team brings several categories of improvements: tooling, wireless/hardware support, architecture changes, virtualization/image workflows, UI and plugin tweaks. Below is a breakdown of the major updates.
Tooling Additions: Ten Fresh Packages
One of the headline items is the addition of ten new security tools to the Kali repositories. These tools reflect shifts in the field, toward AI-augmented recon, advanced wireless simulation and pivoting, and updated attack surface coverage. Among the additions are:
  - Caido and Caido-cli – a client-server web-security auditing toolkit (graphical client + backend).
  - Detect It Easy (DiE) – a utility for identifying file types, a useful tool in reverse engineering workflows.
  - Gemini CLI – an open-source AI agent that integrates Google’s Gemini (or similar LLM) capabilities into the terminal environment.
  - krbrelayx – a toolkit focused on Kerberos relaying/unconstrained delegation attacks.
  - ligolo-mp – a multiplayer pivoting solution for network-lateral movement.
  - llm-tools-nmap – allows large-language-model workflows to drive Nmap scans (automated/discovery).
  - mcp-kali-server – configuration tooling to connect an AI agent to Kali infrastructure.
  - patchleaks – a tool that detects security-fix patches and provides detailed descriptions (useful both for defenders and auditors).
  - vwifi-dkms – enables creation of “dummy” Wi-Fi networks (virtual wireless interfaces) for advanced wireless testing and hacking exercises.
- VMScape: Cracking VM-Host Isolation in the Speculative Execution Age & How Linux Patches Respond
by George Whittaker
Introduction
In the world of modern CPUs, speculative execution, where a processor guesses ahead on branches and executes instructions before the actual code path is confirmed, has long been recognized as a performance booster. However, it has also given rise to a class of vulnerabilities collectively known as “Spectre” attacks, where microarchitectural side states (such as the branch target buffer, caches, or predictor state) are mis-exploited to leak sensitive data.
Now, a new attack variant, dubbed VMScape, exposes a previously under-appreciated weakness: the isolation between a guest virtual machine and its host (or hypervisor) in the branch predictor domain. In simpler terms: a malicious VM can influence the CPU’s branch predictor in such a way that when control returns to the host, secrets in the host or hypervisor can be exposed. This has major implications for cloud security, virtualization environments, and kernel/hypervisor protections.
In this article we’ll walk through how VMScape works, the CPUs and environments it affects, how the Linux kernel and hypervisors are mitigating it, and what users, cloud operators and admins should know (and do).
What VMScape Is & Why It Matters
The Basics of Speculative Side-Channels
Speculative execution vulnerabilities like Spectre exploit the gap between architectural state (what the software sees as completed instructions) and microarchitectural state (what the CPU has done internally, such as cache loads, branch predictor updates, etc.). Even when speculative paths are rolled back architecturally, side effects in the microarchitecture can remain and be probed by attackers.
One of the original variants, Spectre-BTI (Branch Target Injection, also called Spectre v2), leveraged the Branch Target Buffer (BTB) / predictor to redirect speculative execution along attacker-controlled paths. Over time, hardware and software mitigations (IBRS, eIBRS, IBPB, STIBP) have been introduced. But VMScape shows that when virtualization enters the picture, the isolation assumptions break down.
VMScape: Guest to Host via Branch Predictor
VMScape (tracked as CVE-2025-40300) is described by researchers from ETH Zürich as “the first Spectre-based end-to-end exploit in which a malicious guest VM can leak arbitrary sensitive information from the host domain/hypervisor, without requiring host code modifications and in default configuration.”
Here are the key elements making VMScape significant:
The attack is cross-virtualization: a guest VM influences the host’s branch predictor state (not just within the guest).
Go to Full Article
- Self-Tuning Linux Kernels: How LLM-Driven Agents Are Reinventing Scheduler Policies
by George Whittaker
Introduction
Modern computing systems rely heavily on operating-system schedulers to allocate CPU time fairly and efficiently. Yet many of these schedulers operate blindly with respect to the meaning of workloads: they cannot distinguish, for example, whether a task is latency-sensitive or batch-oriented. This mismatch, between application semantics and scheduler heuristics, is often referred to as the semantic gap.
A recent research framework called SchedCP aims to close that gap. By using autonomous LLM-based agents, the system analyzes workload characteristics, selects or synthesizes custom scheduling policies, and safely deploys them into the kernel, without human intervention. This represents a meaningful step toward self-optimizing, application-aware kernels.
In this article we will explore what SchedCP is, how it works under the hood, the evidence of its effectiveness, real-world implications, and what caveats remain.
Why the Problem Matters
At the heart of the issue is that general-purpose schedulers (for example the Linux kernel’s default policy) assume broad fairness, rather than tailoring scheduling to what your application cares about. For instance:
A video-streaming service may care most about minimal tail latency.
A CI/CD build system may care most about throughput and job completion time.
A cloud analytics job may prefer maximum utilisation of cores with less concern for interactive responsiveness.
Traditional schedulers treat all tasks mostly the same, tuning knobs generically. As a result, systems often sacrifice optimisation opportunities. Some prior efforts have used reinforcement-learning techniques to tune scheduler parameters, but these approaches have limitations: slow convergence, limited generalisation, and weak reasoning about why a workload behaves as it does.
SchedCP starts from the observation that large language models can reason semantically about workloads (expressed in plain language or structured summaries), propose new scheduling strategies, and generate code via eBPF that is loaded into the kernel via the sched_ext interface. Thus, a custom scheduler (or modified policy) can be developed specifically for a given workload scenario, and in a self-service, automated way.
Architecture & Key Components
SchedCP comprises two primary subsystems: a control-plane framework and an agent loop that interacts with it. The framework decouples “what to optimise” (reasoning) from “how to act” (execution) in order to preserve kernel stability while enabling powerful optimisations.
Here are the major components:
Go to Full Article
|