The White House says it's investigating how a personal-finance YouTuber's livestream briefly appeared on the White House's official live video page. The creator says he has no idea how his video ended up there. The Associated Press reports: The livestream appeared for at least eight minutes late Thursday on whitehouse.gov/live, where the White House usually streams live video of the president speaking. It's unclear if the website was breached or the video was linked accidentally by someone in the government. The White House said in a statement that it was "aware and looking into what happened." The video that appeared on the government-run website featured some of a more than two-hour livestream from Matt Farley, who posts as @RealMattMoney, as he answered financial questions. Farley told The Associated Press on Friday that he had no idea what happened and learned about it after the fact. He said he had not been contacted by the government and didn't have any theories about how his livestream ended up on the website. He joked that he hoped President Donald Trump and his youngest son, Barron Trump, "are watching my streams and taking advice." "Had I known it would have been on the White House website, I probably would have had other things to talk about than personal finance," Farley said. When asked what other things he would discuss, Farley responded with a laugh and said: "What would you talk about with the world for eight minutes if you had an opportunity? I'm just some guy making YouTube videos about stocks."

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: At this point, most competitive online multiplayer games on the PC come with some kind of kernel-level anti-cheat software. As we've written before, this is software that runs with more elevated privileges than most other apps and games you run on your PC, allowing it to load in earlier and detect advanced methods of cheating. More recently, anti-cheat software has started to require more Windows security features like Secure Boot, a TPM 2.0 module, and virtualization-based memory integrity protection. Riot Games, best known for titles like Valorant and League of Legends and the Vanguard anti-cheat software, has often been one of the earliest to implement new anti-cheat requirements. There's already a long list of checks that systems need to clear before they'll be allowed to play Riot's games online, and now the studio is announcing a new one: a BIOS update requirement that will be imposed on "certain players" following Riot's discovery of a UEFI bug that could allow especially dedicated and motivated cheaters to circumvent certain memory protections. In short, the bug affects the input-output memory management unit (IOMMU) "on some UEFI-based motherboards from multiple vendors." One feature of the IOMMU is to protect system memory from direct access during boot by external hardware devices, which otherwise might manipulate the contents of your PC's memory in ways that could enable cheating. The patch for these security vulnerabilities (CVE-2025-11901, CVE-202514302, CVE-2025-14303, and CVE-2025-14304) fixes a problem where this pre-boot direct memory access (DMA) protection could be disabled even if it was marked as enabled in the BIOS, creating a small window during the boot process where DMA devices could gain access to RAM. The relative obscurity and complexity of this hardware exploit means that Vanguard isn't going to be enforcing these BIOS requirements on every single player of its games. For now, it will just apply to "restricted" players of Valorant whose systems, for one reason or another, are "too similar to cheaters who get around security features in order to become undetectable to Vanguard." But Riot says it's considering rolling the BIOS requirement out to all players in Valorant's highest competitive ranking tiers (Ascendant, Immortal, and Radiant), where there's more to be gained from working around the anti-cheat software. And Riot anti-cheat analyst Mohamed Al-Sharifi says the same restrictions could be turned on for League of Legends, though they aren't currently. If users are blocked from playing by Vanguard, they'll need to download and install the latest BIOS update for their motherboard before they'll be allowed to launch the game. Riot's new anti-cheat change could create problems for older PCs if the new anti-cheat change is expanded, notes Ars. The update relies on a BIOS patch to fix a UEFI flaw, and many older motherboards, especially Intel 300-series and AMD AM4 boards, may never receive that update. If Riot flags a system and the manufacturer doesn't provide a patched BIOS, players could be locked out of games despite having otherwise capable hardware.

Read more of this story at Slashdot.

Microsoft's latest holiday ad for its Copilot AI assistant features a 30-second montage of users seamlessly syncing smart home lights to music, scaling recipes for large gatherings, and parsing HOA guidelines -- none of which the software can actually perform reliably when put to the test. The Verge methodically tested each prompt shown in the ad and found that Copilot repeatedly hallucinated interface elements that didn't exist, claimed to highlight on-screen buttons when it hadn't, and abandoned calculations midway through. The smart home interface shown in the ad belongs to "Relecloud," a fictional company Microsoft uses in internal case studies. A Microsoft spokesperson confirmed that both the HOA document and the inflatable reindeer photo were fabricated for the advertisement. The ad closes with Santa Claus asking Copilot why toy production is behind schedule. Further reading: Talking To Windows' Copilot AI Makes a Computer Feel Incompetent.

Read more of this story at Slashdot.

President Trump's closure of the de minimis customs loophole in May -- which previously allowed Chinese packages valued under $800 to enter the U.S. duty-free -- has redirected a flood of cheap goods toward Europe, where similar exemptions for packages under $175.8 in the EU and $180 in the UK remain intact. The shift has been swift: exports of low-value Chinese packages to the U.S. have dropped more than 40% since May, according to Chinese customs data, and the EU has this year overtaken the U.S. as the largest market for China's roughly $100 billion cheap package trade. Shipments to Hungary and Denmark have quadrupled, and those to Germany, France, and the UK have risen 50% or more. Temu has recorded seven straight months of double-digit U.S. sales declines, per Consumer Edge data tracking credit and debit card transactions. Its European sales, on the other hand: up 56% in the EU and 46% in the UK since May compared to a year ago. The EU agreed last week to impose a $3.5 fee on imported small packages starting in July and to close the de minimis exemption entirely by 2028. The UK plans to follow in 2029.

Read more of this story at Slashdot.

alternative_right writes: Grocery delivery service Instacart will refund $60 million to settle FTC claims that it misled customers with false advertising and unlawfully enrolled them in paid subscriptions. Instacart partners with over 1,800 retailers to provide online shopping, delivery, and pickup services from nearly 100,000 stores across North America. Its platform serves millions of customers and is also used by roughly 600,000 independent shoppers across thousands of cities in Canada and the United States. In a complaint filed on Thursday, the FTC claimed Instacart engaged in multiple deceptive tactics that raised costs for customers, including failing to provide advertised refunds and falsely advertising "free delivery" while still charging mandatory service fees that added up to 15% to order costs. The FTC said Instacart also advertised a "100% satisfaction guarantee," but typically offered only small credits toward future orders rather than full refunds to customers experiencing problems with deliveries or service. The company allegedly hid refund options from "self-service" menus, leading customers to believe credits were their only option.

Read more of this story at Slashdot.

Microsoft AI CEO Mustafa Suleyman estimates that staying competitive in frontier AI development will require "hundreds of billions of dollars" over the next five to ten years, a sum that doesn't even account for the high salaries companies are paying individual researchers and technical staff. Speaking on a podcast, Suleyman compared Microsoft to a "modern construction company" where hundreds of thousands of workers are building gigawatts of CPUs and AI accelerators. There's "a structural advantage by being inside a big company," he said. When asked whether startups could compete with Big Tech, Suleyman said "it's hard to say," adding that "the ambiguity is what's driving the frothiness of the valuations." Meta CEO Mark Zuckerberg said in September he'd rather risk "misspending a couple of hundred billion" than fall behind in superintelligence.

Read more of this story at Slashdot.

The television industry's brightness war may have hit its inflection point in 2025, the year TCL and Hisense released the first consumer TVs capable of 5,000 nits under specific settings -- a figure that would have seemed absurd not long ago when manufacturers struggled to reach 2,000 nits. LG introduced Primary RGB Tandem OLED technology, moving from a three-stack panel design to a four-stack red-blue-green-blue configuration that the company claims can achieve 4,000 nits. The technology appears in the LG G5, Panasonic Z95B and Philips OLED950 and OLED910. RGB mini-LED also emerged as a new category. The technology uses individual small red, green and blue LED backlights instead of white or blue LEDs paired with quantum dots. Hisense demonstrated it at CES 2025, TCL announced its Q10M for China, and Samsung unveiled its own version called micro-RGB. These sets range from $12,000 to $30,000. Sony has confirmed it will debut RGB TV technology in spring 2026. HDR content is currently mastered at a maximum of 4,000 nits. The situation echoes the audio industry's loudness war, The Verge points out, which peaked with Metallica's heavily compressed Death Magnetic in 2008.

Read more of this story at Slashdot.

Uber is hiring more engineers rather than fewer because AI tools have made them "superhumans," CEO Dara Khosrowshahi said, pushing back against the industry trend of using productivity gains to justify headcount cuts. Speaking on the "On with Kara Swisher" podcast, Khosrowshahi noted that other tech executives see AI making engineers 20% to 30% more productive and conclude they need 20% to 30% fewer engineers. His view: every engineer has become more valuable. Between 80% and 90% of Uber's developers now use AI tools, according to Khosrowshahi. The company no longer keeps scores of engineers on call to diagnose issues because AI agents are constantly monitoring systems, he said. The latest AI models are producing "hundreds of millions of dollars of benefit" for Uber, he said, describing the company as an "applied AI" business that harnesses the technology for pricing, payments, matching, routing, identification and customer complaints.

Read more of this story at Slashdot.

iRobot, the Bedford, Massachusetts-based company that brought the Roomba vacuum cleaner into American homes over its 35-year history, filed for bankruptcy on Sunday and will be acquired by Picea, its Chinese contract manufacturer that also produces competing household devices. The Wall Street Journal's editorial board placed blame for the company's demise on the Federal Trade Commission under Chair Lina Khan, which opposed Amazon's $1.7 billion bid to acquire iRobot. That deal collapsed in January 2024 amid regulatory pressure from both the FTC and European antitrust authorities. Senator Elizabeth Warren and other progressives had urged Khan to block the acquisition, arguing in a September 2022 letter that Amazon is "'almost universally recognized' as the leader in warehouse and fulfillment robotics space" and that the deal "would open up a new market to Amazon's abuses." After the deal fell through, iRobot cut 31% of its workforce and moved "non-core engineering functions to lower-cost regions." The company had shifted production to Vietnam to reduce its exposure to China but was hit by tariffs under Trump's Liberation Day trade measures -- initially 46%, later reduced to 20%. iRobot said the trade uncertainty made it difficult to operate.

Read more of this story at Slashdot.

The Association for Computing Machinery, the world's largest society of computing professionals, announced that all publications and related artifacts in the ACM Digital Library will become freely available to everyone starting January 2026. Authors will retain full copyright to their published work under the new arrangement, and ACM has committed to defending those works against copyright and integrity-related violations. The transition follows what ACM described as extensive dialogue with authors, Special Interest Group leaders, editorial boards, libraries, and research institutions globally. Students, educators, and researchers at institutions of all sizes -- from well-resourced universities to emerging research communities -- will gain unrestricted access to the full catalog of ACM-published work. The Digital Library houses decades of computing research across journals, magazines, conference proceedings, and books.

Read more of this story at Slashdot.

Marcario joined the board in 2021, and will maintain her position as chair overseeing the Rivian Foundation, which made its first grants last year.

Investors at TechCrunch Disrupt explained their focus on artificial intelligence and offered advice to founders on how to stand out in a crowded AI field.

Graphite is an AI code review assistant that was last valued at $290 million.

The decision brings to a close a years-long court battle that irked Musk so much he moved Tesla's incorporation from Delaware to Texas.

Given NGL's track record of dubious growth hacking, this partnership with Mode Mobile seems like a good match.

Cisco warned that Chinese government hackers are exploiting a zero-day in some of its products. Researchers now say there are hundreds of vulnerable Cisco customers.

Renowned AI scientist Yann LeCun confirmed on Thursday the worst-kept secret in the tech world: that he had indeed launched a new startup. Although he did say he will not be running the new company as its CEO.

Netflix is making exclusive deals with podcast studios to compete with YouTube, but podcasters have mixed feelings.

OpenAI updated its guidelines for how its AI models should behave with users under 18, and published new AI literacy resources for teens and parents. Still, questions remain about how well policies translate into practice.

In its test phase in San Francisco, Known said it observed 80% of its introductions led to physical dates, which is much higher than swipe-based dating apps.

Anthropic is finally letting more people use Claude in Google Chrome. The company's AI browser plugin is expanding beyond $200-per-month Max subscribers and is now available to anyone who pays for a Claude subscription.

The Claude Chrome plugin allows for easy access to Anthropic's AI regardless of where you are on the web, but its real draw is how it lets Claude navigate and use websites on your behalf. Anthropic says that Claude can fill out forms, manage your calendar and email and complete multi-step workflows based on a prompt. The latest version of the plugin also features integration with Claude Code, Anthropic's AI coding tool, and allows users to record a workflow and "teach" Claude how to do what they want it to do.

Claude in Chrome is now available to all paid plans.
We’ve also shipped an integration with Claude Code. pic.twitter.com/VLpB1qCntT

— Claude (@claudeai) December 18, 2025

Before agents were the buzzword du jour, "computer use," the ability for AI models to understand and interact with computer interfaces, was a major focus at Anthropic and other AI companies. Now computer use is just one tool in the larger tool bag for agents, but that understanding of what digital buttons to click and how to click them is what makes Claude's Chrome plugin possible.

OpenAI and Perplexity offer similar agentic capabilities in their respective ChatGPT Atlas and Comet browsers. At this point the only AI company not fully setting its AI models loose on a browser is Google. You can access Gemini in Google Chrome and ask questions about a webpage, but Google hasn't yet let its AI model navigate or use the web on a user's behalf. Those features, first demoed in Project Mariner, are presumably on the way.

This article originally appeared on Engadget at https://www.engadget.com/ai/claudes-chrome-plugin-is-now-available-to-all-paid-users-221024295.html?src=rss

Behold Mark Zuckerberg: man of principle. Witness the Meta CEO's dedication to the most high-minded of causes: "currying favor with whoever's in charge." In 2013, when Barack Obama was president, Zuckerberg co-founded FWD.us, a pro-immigration advocacy group. For years, he vocally supported providing paths to citizenship for "the most talented and hardest-working people, no matter where they were born." Now, in 2025, with Donald Trump back in power and pushing draconian immigration policies, Zuckerberg's philanthropy organization has officially cut ties with the group. Who says Big Tech executives don't stand for anything?

On Friday, Bloomberg reported on the Chan Zuckerberg Initiative (CZI) severing its ties with FWD.us. Zuckerberg's group provided no funding to the advocacy group for the first time this year. Up to that point, over half of the roughly $400 million donated to the nonprofit since 2013 had come from CZI.

In addition, CZI's chief of staff, Jordan Fox, resigned from the FWD.us board. No one else at CZI will fill the vacant slot, another first for the pro-immigration and justice reform advocacy group.

In a statement to Engadget, a spokesperson for CZI said the change had been in the works for several years. “Nearly five years ago, we shared that we were focusing on our core work in science, education, and supporting our local communities,” the spokesperson said. “As part of that transition, we committed foundational funding to FWD.us to continue their bipartisan work. We have fulfilled that financial commitment and wound down our social advocacy funding.” She added that the couple’s Biohub initiative is currently their “primary philanthropy.”

Mark Zuckerberg listens attentively to Stephen Miller at Trump's January inaugurationBRENDAN SMIALOWSKI via Getty Images

In late 2024, Zuckerberg met with Trump adviser Stephen Miller, who reacts to brown-skinned humans being sent to foreign gulags the way my dog responds to a juicy steak. Among other topics during the exchange, Miller reportedly questioned Zuckerberg's ties to FWD.us.

Apparently, his words resonated with Zuckerberg’s principles. In January, before Trump was sworn in for his second term, Meta unleashed an overhaul that reads like a Miller wishlist. The company ended its diversity, equity and inclusion (DEI) programs. That same month, it ditched third-party fact-checkers, calling them "too politically biased." It also changed its policies to allow for "insulting language" on topics of immigration and LGBTQ+ issues. The company even added Trump backer Dana White to its board.

It fits a broader pattern of Big Tech bending the knee to Trump.

"We're in the middle of a pretty rapidly changing policy and regulatory landscape that views any policy that might advantage any one group of people over another as something that is unlawful," Zuckerberg told the New York Times in January. "Because of that, we and every other institution out there are going to need to adjust."

"We now have a US administration that is proud of our leading companies, prioritizes American technology winning and that will defend our values and interests abroad," Zuckerberg said in a January investor call. "I am optimistic about the progress and innovation that this can unlock, so this is going to be a big year."

What a big year indeed.

US Chief Border Patrol Agent, Gregory Bovino and masked ICE agents in New OrleansRyan Murphy via Getty Images

Now witness the contrasting words of one of Zuckerberg's chief rivals in Silicon Valley. "When you meet these [immigrant] children who are really talented, and they've grown up in America, and they really don't know any other country besides that, but they don't have the opportunities that we all enjoy, it's really heartbreaking, right?" the tech executive said. "That seems like it's one of the biggest civil rights issues of our time."

That "rival," of course, was Obama-era Mark Zuckerberg in 2013.

Despite the funding setback, thanks to our principled hero, FWD.us will press forward. "We're thankful to our donors, past and present, and so grateful to the many new donors who have stepped up in the past few years — and particularly the influx of new supporters we have seen this year," FWD.us President Todd Schulte said in a statement. "This allows us to fight for immigrants under attack today and to build a better approach to immigration and criminal justice reform for many, many years to come."

Update, December 19, 2025, 1:19PM PT: This story was updated to include a statement from a spokesperson for the Chan Zuckerberg Initiative.

This article originally appeared on Engadget at https://www.engadget.com/big-tech/mark-zuckerbergs-nonprofit-cuts-ties-with-the-immigration-advocacy-group-he-co-founded-183447900.html?src=rss

Netflix is acquiring Estonian startup Ready Player Me, a company creating "cross-game avatar tech" that allows players to bring their digital personas with them to different games, the company's CEO Timmu Tõke shared in a LinkedIn post. The acquisition is part of Netflix's new games strategy, which puts an emphasis on approachable multiplayer titles and adaptations of the streaming service's IP.

Ready Player Me's team of around 20 employees will be incorporated into Netflix's staff, TechCrunch writes, though Tõke is the only one of the startup's four founders who will continue on after the acquisition. Neither company has shared when the avatar tech will be incorporated into Netflix's games or what games will support the feature when they do.

Besides designing its avatar system to be easy for developers to implement in their games, Ready Player Me's big pitch for their system is using AI to automatically redesign avatars for different games' art styles and "automatically fit assets to any avatar rig or topology without manual work."

Netflix has taken multiple different approaches to games in the last few years, but lately, the company has actively retreated from AAA development and its more ambitious projects. Other than the premiere of its take on HQ Trivia, Netflix's last few game announcements of 2025 were focused on a collection of streamable party games, and a partnership with FIFA to release a new soccer sim in 2026. All of those projects could support avatars in one form or another, now Netflix just needs to decide how.

This article originally appeared on Engadget at https://www.engadget.com/gaming/netflix-is-acquiring-game-avatar-maker-ready-player-me-204443001.html?src=rss

It looks like the holidays aren't a bad time to shop for a VPN subscription. ExpressVPN, Engadget's pick for the best premium provider, currently has a less premium price. This deal gives you two years of the Advanced plan (with a bonus of four free months) for only $101. When it isn't on sale, the same subscription would cost $392.

Engadget's VPN guru, Sam Chapman, praised ExpressVPN's service. He described it as "high-performing" and having "very few flaws." The service received high marks for its speeds, easy-to-use interface and global network availability. The only significant mark against it was its relatively high standard pricing. But with this holiday sale, that criticism is (temporarily) null and void.

ExpressVPN recently switched to a multi-tier pricing structure. (That previously mentioned Advanced plan is the mid-range one.) There's a cheaper Basic plan that allows 10 simultaneous devices (compared to the Advanced plan's 12) and doesn't include perks like a password manager. You can also choose the highest-priced Pro plan. It allows for 14 simultaneous devices and adds several extras. You can compare plans on ExpressVPN's website.

When buying a two-year plan, the Basic tier is available for $2.79 per month (78 percent off). The Advanced plan is $3.59 per month (74 percent off). And the Pro plan is $5.99 per month (70 percent off). All three include the bonus of four additional months, giving you 28 total.

Follow @EngadgetDeals on X for the latest tech deals and buying advice.

This article originally appeared on Engadget at https://www.engadget.com/deals/get-up-to-78-percent-off-expressvpn-two-year-plans-for-the-holidays-194912043.html?src=rss

The iPad, of course, isn't the only tablet computer out there — it wasn't even the first — but Apple's version redefined the category. In our opinion, it's the best tablet you can buy and these slates consistently earn high scores in our reviews. That doesn't mean you should have to pay full price for your next iPad. We are continually on the hunt for good deals on iPads (and other Apple gear while we're at it) and each week, we round them up right there.
Current discounts include the iPad mini and the 11-inch iPad Pro, each for $100 off the list price. Beyond iPads, are a few other Apple deals are going around, such as the latest AirPods Pro 3 for the lowest price yet at $199 and certain colors of the Apple Watch Series 11 for $299. Here are the best Apple deals we found this week.

Best iPad deals

Apple iPad Air (M3, 11-inch) for $499 ($100 off): The iPad Air is the top overall pick in our guide to the best iPads. Yes, it’s pricier than the entry-level iPad (A16), but its faster chip, extra RAM, laminated and more color-rich display, better speakers and superior accessory support add up to a more pleasant experience in day-to-day use. This isn't the lowest price we've tracked — the price went as low as $450 just after Black Friday, but this is still $100 cheaper than buying directly from Apple.

Apple iPad Pro (11-inch, M5) for $899 ($100 off): The latest iPad Pro is still more tablet than most people will ever need, but its class-leading OLED display, impressively thin design and super-powerful M5 chip make it a luxury experience for those who can afford it. The device was only released in October, so this deal ties its lowest price to date. Also at Best Buy and B&H.

Apple iPad Pro (13-inch, M5) for $1,199 ($100 off): It’s not a massive discount, but this matches the lowest price so far for the larger iPad Pro, which may be worthwhile if you’ve got cash to burn and want to use an iPad as your main computer. We gave it a score of 85 in our review. Also at B&H.

Best Apple deals

Apple AirTags (4-pack) for $65 ($34 off): These are the best Bluetooth trackers for iPhone users thanks to their vast finding network and accurate ultra-wideband features for locating your things when they’re close by. Just attach them to your keys, wallet or bag with the right AirTag holder and keep track of everything in the Find My app.

Apple AirPods 4 for $74 ($55 off): If you don't need active noise cancellation and hate the feeling of headphones that just into your ear canal, the standard AirPods 4 remain a good buy. They lack built-in volume controls, and no open-style earbuds can produce the same level of bass as typical in-ear headphones, but they generally sound more pleasant than most pairs along these lines and still offer the usual array of Apple-friendly features. This discount is only $5 more than the all-time low we saw around Black Friday. Also at Best Buy for $85 if that runs out of stock.

Apple Watch SE 3 for $199 ($50 off): This discount has been around for a few weeks, but it’s the lowest price to date for Apple’s newest entry-level smartwatch. We gave the SE 3 a score of 90 in our review last month: The big upgrade is an always-on display, which makes it so you no longer have to wake the watch to check the time or notifications. It still includes most of the essential health and fitness features beyond that, plus it now runs on the same chipset as the higher-end Apple Watch Series 11. Also at Walmart.

Apple Pencil Pro for $95 ($34 off): The Pencil Pro is Apple’s most feature-rich stylus, offering pressure sensitivity, wireless charging, haptic feedback and unique gesture controls compared to the standard USB-C model (which isn’t significantly discounted). Just note that it’s not compatible with the entry-level iPad and other older models. While this discount is only $5 below the device’s usual street price, it’s still the largest discount we’ve seen this year. Also at Walmart.

Apple MacBook Air (15-inch, M4) for $949 ($250 off): The 15-inch MacBook Air is nearly identical to the smaller version; apart from its roomier display, it adds better speakers and a more spacious trackpad. This deal matches the all-time low, and other configurations are similarly discounted.

Apple MacBook Pro (M5, 14-inch, 512GB) for $1,350 ($249 off): Apple’s most recent M-series chip is the M5, and only comes equipped on the 14-inch MacBook Pro and the iPad Pro. When the M5 MacBook Pro M5 came out in October, we promptly reviewed it and awarded it a 92. The new chip gives the laptop an impressive graphics upgrade, which only adds to the Pro's known qualities: a sturdy build, excellent trackpad and speakser paired with an impressively long battery life — we clocked 34 hours in a video run-down test. Also at Walmart. It's $1,399 at Best Buy and B&H.

Apple Mac mini (M4) for $479 ($120 off): The latest iteration of Apple’s tiny desktop PC has a smaller footprint, a faster M4 chip, 16GB of RAM by default, two front-facing USB-C ports and an extra Thunderbolt 4 port. It can also drive three external displays, though it lacks USB-A ports entirely. We gave a higher-end model with Apple’s M4 Pro chip a score of 90 in our review. This deal on the base model with an M4 chip, 16GB of RAM and 256GB of storage is $10 more than the best deal we've seen but $20 less than the config's typical street price.

Apple MagSafe cable 25W for $24 ($15 off): With this puck, the iPhone 17 can wirelessly recharge at 25-watt speeds. You can also get those speeds with iPhone 16 handsets that have updated to the latest OS 26 version. Just note that you’ll need to plug it into at least a 30 watt adapter, which isn’t included. This is the lowest price we've tracked.

Apple USB-C Magic Mouse for $68 ($11 off): This isn't a record-low price for Apple's popular mouse — it went for $60 in October. It's lightweight, supports multi-touch features including scroll and the battery life is fairly long — just note that the charging port is on the bottom so you can't use it while it refills. The discount only applies to the white model.

Read more Apple coverage:

• The best AirPods
• The best Apple Watches
• The best MacBooks
• The best iPhones
• The best iPads

Follow @EngadgetDeals on X for the latest tech deals and buying advice.

This article originally appeared on Engadget at https://www.engadget.com/deals/the-best-ipad-deals-this-week-include-the-ipad-mini-for-100-off-150020342.html?src=rss

Amazon is selling Apple's USB-C Magic Mouse for $68, which is a discount of 14 percent. This isn't a record-low price, but it's darned close. The mouse typically sells for $79, though today's sale only applies to the white model.

It's rare for official Apple accessories to go on sale, and the USB-C Magic Mouse is pretty much a must-have for those working on desktop computers. It's also fairly handy when combined with a laptop, letting folks avoid the trackpad.

As the name suggests, this mouse charges via USB-C. Apple stuck with replaceable AA batteries for way too long, so this change was much appreciated. A charge should power the mouse for around a month, a metric I find to be more-or-less accurate depending on usage.

This is a good mouse, and a great option for Apple devotees, but it's not without its flaws. The biggest one is port placement. The USB-C port is underneath the mouse, rendering it unusable while charging. Bloomberg recently reported that a major redesign is coming for Apple's wireless mouse that should address that issue.

Follow @EngadgetDeals on X for the latest tech deals and buying advice.

This article originally appeared on Engadget at https://www.engadget.com/deals/apples-usb-c-magic-mouse-is-back-on-sale-for-68-175424709.html?src=rss

Secret Santa gift exchanges can be chaotic in the best way. One minute you’re drawing a name from a hat, the next you’re scrambling to figure out what they’d actually like. The trick is finding something that’s thoughtful, gets a laugh or feels useful without going over budget. Luckily there are plenty of gifts that do exactly that, whether you’re shopping for the office exchange, a family swap or a friend group tradition. From clever gadgets to playful desk toys and little luxuries, these ideas prove you can spend less than $50 and still land the perfect Secret Santa present.

Best Secret Santa gift ideas

Check out the rest of our gift ideas here.

This article originally appeared on Engadget at https://www.engadget.com/the-best-secret-santa-gift-ideas-for-2025-affordable-gifts-you-can-still-get-from-lego-apple-yeti-and-more-130014284.html?src=rss

TikTok has signed a deal to spin off its American business, according to reporting from Associated Press and others. This should keep the popular social media app available in the US for good, capping off years of drama.

We now have some new data as to the specifics of the deal. Nearly 50 percent of assets will be split between three companies. Oracle, Silver Lake and MGX will each control around 15 percent of the newly-formed entity. It's worth noting that MGX isn't an American company at all, but rather Abu Dhabi’s state-owned investment firm.

The rest will remain in the hands of affiliates of TikTok's parent company, ByteDance. That company will also take a direct ownership stake of around 20 percent. US platform operations will be managed by a seven-member board of directors. The majority of this board will be Americans.

US data will be stored under a system operated by Oracle. That company is run by Larry Ellison, a long-time ally of President Trump who once brainstormed ideas on how to overturn the 2020 presidential election. Oracle has been trying to get its mitts on TikTok since at least 2020. As for Silver Lake, it has deep ties to Trump allies like Michael Dell and his son-in-law Jared Kushner.

The deal is expected to close on January 22, according to an internal memo shared by TikTok CEO Shou Chew. "With these agreements in place, our focus must stay where it’s always been — firmly on delivering for our users, creators, businesses and the global TikTok community," he wrote to employees.

If a deal is truly finalized by next month, it will come just over a year after Trump's first executive order to delay a law that required a sale of the app to prevent a ban. He has signed several other extensions since.

This article originally appeared on Engadget at https://www.engadget.com/social-media/we-have-more-details-on-the-tiktok-deal-including-some-ownership-statistics-163003507.html?src=rss

If you have a resolution in the new year to get more acquainted with your finances, a good budgeting app can help with that. One of our favorites is a bit cheaper to sign up for right now: Monarch Money is offering 50 percent off annual subscriptions for new users. Use the code MONARCHVIP at checkout to get half off, so you'll pay just $50 for one year of access.

Monarch Money was the runner-up in our guide to the best budgeting apps in 2025, and it was definitely a grower. Initially we found the experience of using the app to be needlessly complicated compared to some of its rivals, but get over that hurdle and it’s impressively fully-featured. There are plenty of customization options, a helpful “goals” feature and a thorough month-in-review recap that beats out similar features from some of its competitors. We also like how you can grant account access to others.

Besides the steep learning curve, we also noted that the mobile app is less intuitive to use than the web version, which might pose a problem if you were hoping to do most of your accounting on the go. We also had some issues with the app failing to distinguish between bills and other recurring expenses, as well as a few bugs along the way.

All things considered, Monarch is definitely one of our favorite budgeting apps, only being beaten out by Quicken Simplifi. As you might expect, the biggest strength of Simplifi is its simplicity, and how it eases you into using its various features. If you value that kind of user experience, it might be a better choice for you, but there’s unfortunately no free trial to take advantage of.

Follow @EngadgetDeals on X for the latest tech deals and buying advice.

This article originally appeared on Engadget at https://www.engadget.com/deals/one-of-our-favorite-budgeting-apps-is-50-percent-off-right-now-154056703.html?src=rss

From indies like Silksong, to AAAs like Ghost of Yotei, and everything in between, 2025 truly had it all, and is likely to go down in the history books as one of the best years in gaming. But these are the games that felt truly special to the Engadget team.

Arc Raiders

I’m genuinely shocked by how much I love ARC Raiders. I’ve never been very interested in the whole PvE (Player vs. Environment) genre, aside from some brief stints with Destiny, but ARC Raiders's sci-fi post-apocalyptic vibe just works for me. I love the Blade Runner/anime-like aesthetic of its environments, enemies and outfits. I’m a sucker for its synthy soundtrack and immersive soundscape. And somehow, I’ve just fallen for the game’s loop, which involves running out for resources and missions, and hopefully making it back home safe.

Sure, I’ve had a few runs where I’ve lost all my gear, thanks to random online jerks. But even those setbacks kept me motivated to play. You can always head out into the world with free gear, so if you fail, all you really lose is a bit of time. ARC Raiders reminds me of playing Phantasy Star Online on the Dreamcast decades ago, an early multiplayer experience that’s genuinely been hard for me to replicate since then.

I sometimes explore maps just to soak up their architecture and environmental sounds. Sometimes I jump in to help other players, especially when they’re being harassed by others. Through success or failure, I can’t wait to head back in.

— Devindra Hardawar, Senior Editor

Avowed

Obsidian kicked off 2025 with a bang, introducing a fresh and deeply engaging fantasy RPG universe in Avowed. It’s an expertly crafted and narratively rich adventure through mystical lands blighted by a mysterious fungus, set against a backdrop of political scheming, spiritual manipulation, colonization and resistance. The writing is stellar throughout, though the sidequests that reveal your companions’ backstories are particularly poignant. Avowed is gorgeous, its combat systems are fully customizable, its characters are intriguing and its encumbrance limit is generous. There’s a real sense of magic about the entire game — and no, that’s not just the mind-altering mushrooms talking.

— Jessica Conditt, Senior Reporter

Baby Steps

Baby Steps is a true walking simulator: Your left trigger controls your left leg, and your right trigger controls your right. At first, you'll be stumbling and comically falling every few paces, and it’s easy to write the game off as some sort of Octodad affair, where half the fun is dealing with the jank of basic navigation. But before long, you’ll find the rhythm and confidently pace through the game’s open world.

Of course, the challenge ramps up with your skill. Baby Steps has incredibly tight mechanics and a rewarding if punishing difficulty curve. Various surfaces and steeper inclines are introduced, and the game ends with a truly horrific mountain pass. Through it all, you’ll be treated to a light but touching story full of comedic improvisation from the game’s developers, who voice most of the characters themselves.

— Aaron Souppouris, Editor-in-chief

Ball X Pit

I don’t usually go in for roguelike-style games, but my colleague Kris Holt convinced me to try Ball X Pit and, in doing so, ruined my autumn. This is, quite simply, one of the most addictive games I’ve ever played. The base gameplay is rooted in classic Brick Breaker-style games from the ‘80s. Balls bounce from the bottom to the top of the screen, but instead of hitting and breaking bricks you’re bouncing them off a massive series of demonic enemies. There are eight levels and over a dozen different playable characters, each with their own distinct strengths and play styles, and the vast combination of upgrades you can unlock means no run will ever be quite the same.

Perhaps the most fun thing about it is unlocking the different fusions and evolutions you can find along the way. Beyond the basic balls that your character shoots, you have slots for special balls that do things like freeze enemies, deal extra damage or blind enemies so they can’t accurately attack you. You can combine those special balls into even more powerful weapons, and finding the best evolutions that work with each character and each level adds yet another layer to the madness. While you can easily pick it up and play for 20 or 30 minutes, I’ve found it pretty difficult to end a session without whiling away multiple hours. Think carefully about whether you’re ready to ruin your productivity for a few weeks (or months) before you dive into Ball X Pit.

— Nathan Ingraham, Deputy Editor

Blue Prince

My absolute favorite experience in all of gaming is when I'm several hours into a puzzle game and I discover there's more going on than meets the eye. It's the moment where I realize an already-good game is in fact an excellent one, and I want to simultaneously curse the creators' evil brains and applaud their brilliance. I feel fortunate if I have that reaction once during a playthrough. Blue Prince provided me with that experience of total delight many times over.

The biggest downside to a game like Blue Prince is that it's hard to talk about. For starters, it defies categorization. Sure, there are some roguelike elements and obviously plenty of puzzles, but playing it goes beyond a single genre tag. And more importantly, the journey of uncovering its surprises is a big reason why this game is so special. If you haven't tried it yet, I strongly suggest you do so and that you read as little about it as possible before diving in. All you need to know is that if you enjoy burrowing ever deeper into a rabbit hole of mysteries and problem-solving, you must play this game. Blue Prince is a real masterpiece by creative lead Tonda Ros and the whole Dogubomb team. It earns all the hype it gets.

— Anna Washenko, Contributing Reporter

Citizen Sleeper 2: Starward Vector

No game I played this year has stuck with me the way Citizen Sleeper 2: Starward Vector did. At a time when it feels like our governments are failing us and corporate greed is destroying the world, Citizen Sleeper 2 tells a critical story about finding hope and purpose in the people and communities around you. And as great as the original Citizen Sleeper was, the new one is an even better game, with more polished systems that do a great job of reinforcing its narrative themes.

There's a good chance many of you missed Citizen Sleeper 2, seeing as it arrived at the start of the year, but if you're feeling down about the state of the world, I can't recommend it enough. It will change your perspective.

— Igor Bonifacic, Senior Reporter

Clair Obscur: Expedition 33

Clair Obscur made a striking impression when we first glimpsed it in 2024, with its French dark fantasy aesthetic, its wild concept of a god-like Paintress and a turn-based combat system that seemed uniquely cinematic. It instantly became my most anticipated game of 2025. Thankfully, the game itself lived up to my expectations, with a thrilling story, memorable characters and some of the most beautiful visuals I’ve ever seen in a game. Sure, its twists and turns might not feel entirely surprising if you’re an RPG connoisseur, but no other game captures such a specific vibe. It may not fully stick the landing, but Clair Obscur was certainly one of the most fulfilling narrative experiences I experienced this year.

— D.H.

Date Everything!

This dating sim is witty as heck. That's the first reason I loved Date Everything. The writing is equal parts sharp and sensitive, silly and sincere, with a dose of pointed social commentary in between bouts of flirtation with anthropomorphized household items. Even the artwork is witty, transforming everything from a toaster to a treadmill into attractive humans in wildly clever and creative ways.

The second and most important reason I loved this game is that Date Everything is a cavalcade of virtuoso voice acting that must be heard to be appreciated. I've played a bunch of visual novels without voiceover where the writing alone wasn't strong enough to make the characters pop, as well as voiced ones where middling performances detracted from the story. Date Everything's cast of 100 of the best in the business make their dialogue shine (and like I said, the dialogue is really damn good).

There are some endearingly obvious casting choices. The horny clothes dryer? Yeah, it's Neil Newbon, who probably charmed your pants off as Astarion in Baldur's Gate 3. Your D&D dice set? It couldn't be anyone but Matt Mercer. On the flip side, Cherami Lee as perky Chairemi (yep, your chairs) was unrecognizable from her stellar turn as V in Cyberpunk 2077. Laura Bailey has voiced countless heroines over the years, so the last place I expected to hear her was screaming her lungs out as one half of the toxic relationship playing out in your laundry room. Whether you're looking for love or laughs, Date Everything is a marvelous showcase of talents that often go underappreciated in gaming.

— A.W.

Despelote

Having grown up with grandparents from South America, I'm familiar with a flavor of soccer fanaticism that hasn't quite taken root in the US. What makes Despelote so moving to play in 2025 is how it makes that sports fandom universal. The semi-autobiographical game lets you play your way through narrative vignettes, rendered in a stunning mix of filtered, photorealistic backgrounds and almost comics-inspired characters, primarily with a soccer ball at your feet. There's more to the game than kicking, however.

Despelote asks players to walk, run and kick through the life of the game's lead developer Julian Cordero as he recounts his memories of Ecuador's historic attempt to win the World Cup. It's a personal history and national one, and by the end of the game, not quite what it seems. To put it another way: Despelote is melancholy, humorous and quite possibly the first game to capture what soccer means rather just than what it feels like to play.

— Ian Carlos Campbell, Contributing Reporter

Dispatch

If you miss the heyday of Telltale's multiple choice narratives, like The Walking Dead and The Wolf Among Us, and you aren't tired of superheroes yet, you'll love Dispatch. Developed by AdHoc Studio, which was formed by former Telltale alum, it's essentially a workplace dramedy for superheroes. But the mechanics don't matter as much as the characters, who are all uniquely intriguing, sad and hilarious.

You play as Robert Robertson III, AKA Mecha Man, a former Iron Man-esque hero who can no longer fight crime on his own. He decides to manage a group of former villains for SDN (the Superhero Dispatch Network), hoping to imbue them with his own ideals of heroism. By day, you assign them to deal with crimes around Los Angeles, but through conversations and crucial Telltale decisions, you also encourage them to work as a team and hopefully become better people (or mutants). Buoyed by strong voice acting (including actors like Aaron Paul as the lead, and Jeffrey Wright in a hilarious supporting role), AdHoc's sharp writing, and excellent animation, Dispatch is a reminder of just how powerful adventure games can be.

— D.H.

Donkey Kong Bananza

The Switch 2 had a decent enough first year, but there's only one true killer app so far in my mind. Donkey Kong Bananza is the primary reason to pony up for Nintendo's new console. It's a 3D platforming classic up there with any Mario game, which makes sense given that the team behind Super Mario Odyssey made this one.

It actually reinvents the formula by adding wanton destruction into the mix. Donkey Kong can destroy just about everything in the game and that's not hyperbole. You can literally spend hours absolutely pummelling entire game worlds into dust. This isn't just a stress reliever, as it leads to new kinds of puzzles and platforming ideas. As a bonus, DK is joined by a young Pauline, making this the cutest riff on The Last of Us ever.

— Lawrence Bonk, Contributing Reporter

Fast Fusion

Fast Fusion is a sci-fi arcade racer that wants little more than to bring the old Wipeout and 3D F-Zero games into modern times. Those games ruled. So does this one.

As the name implies, it is seriously fast, and it commits to enhancing that sense of speed with every choice it makes. Whooshing lines drag from the back of your hard-angled, anti-grav ships. Their engines wheeze. The backgrounds blur. Each course is littered with boost pads, and there’s a boost meter you can keep persistently charged by taking turns just right. Because this is what some may call a “video game-ass video game,” you can also make your ship jump, skipping entire turns or launching into a fiery wreck in equal measure.

The courses here aren’t as thematically consistent as those in Mario Kart World. One minute you’re dashing through an Endor-style forest, the next you’re dodging tornadoes on a rainy highway. There are no cute mascots, either. But the tracks are spectacles, and they always give room to keep up your pace. When there is an obstacle to dodge, you tend to just whiz by, furthering the sense of threading the needle. In a year unusually loaded with high-profile arcade racers, few are better than Fast Fusion at keeping you engaged. It makes blinking feel risky.

— Jeff Dunn, Senior Reporter

Ghost of Yōtei

Sucker Punch Productions' return to a feudal Japan setting is another triumph for the studio. In Ghost of Yōtei, the developer crafted a world that I happily got lost in for hours, doing everything and anything but the main story missions until I absolutely had to. There was something to do around almost every corner and some of the game's many secrets were well-hidden. That's not to say the game's plot is anything to sniff at: this is a brutal tale of revenge, featuring rich writing and performances.

The open-world format is a little at odds with protagonist Atsu’s steely desire for vengeance, but Ghost of Yōtei is beautifully orchestrated enough for that to be a minor complaint. The combat is stellar — to be most effective, you’ll need to swap between weapons to counter what your current opponent is wielding. Still, I couldn’t help but use the kusarigama whenever possible, especially to carry out stealthy assassinations from a distance. Strengthening Atsu’s bond with a wild wolf that becomes an ally in combat is also a highlight, while the deeply customizable difficulty settings are very welcome.

Like its predecessor, Ghost of Tsushima, this is a technical masterpiece. Sucker Punch created another lush game that will surely be the source of countless desktop backgrounds. Blood-stained snow has rarely looked this good, especially if you enable the Miike Mode (named after director Takashi Miike and his gory films) to really paint the landscape red.

— Kris Holt, Contributing Reporter

Hades 2

The first thing to know about Hades II is that it's more Hades. It's the standard roguelite RNG grindfest, but with charm and enough detail-oriented flourishes to disguise what is essentially cranking the arm on a slot machine. The second thing to know is that you are no longer Zagreus, but Melinoë, princess of the underworld, and if you are a gay woman this game exists to roast you mercilessly.

Zag was a lovable himbo engaged in a petty dispute against his father and free to romance a variety of Greek gods along the way. By contrast the world around Mel is coming apart at the seams, and her dating options are considerably less satisfying. Several of her in-game relationships with women are written to be warm and reciprocal, but of course they're with the found family of deities who support her. Nemesis and Eris, her two options for romance, seem to actively hate her and, after dozens of runs, are never interested in anything beyond a threadbare situationship.

Juggling two different mission paths with their own distinct enemies and biomes is a treat — as are the new, sometimes brutally hard bosses. If only the rest didn't so closely resemble the indignities of dating in your 30s.

— Avery Ellis, Deputy Editor

Is This Seat Taken?

Every incurable people pleaser has been told, at some point in their life, “you can’t make everyone happy.” Perhaps not in life. But in the sweetly cozy, zero-pressure, logic-puzzle indie game Is This Seat Taken? making people happy is not only possible, it’s the entire point.

The game is set in a line-drawn, sepia-toned Barcelona and other cities. You act as a set of pinching fingers that lifts and places shape-people in their preferred seats — on the bus, in a restaurant, at a movie theater and so on. Each person has preferences (window seat, no bad smells, wants to read) and attributes (forgot to shower, plays loud music) that mesh or conflict.

Tiny accessories and icons not only make each shape more adorable, they help keep track of some of their proclivities. Bubbly smiles or heartbreaking frowns tell you whether you’ve met a seated shape’s needs, and tapping on them tells you exactly what they want. A simple story involving a few of the shapes and an indie film takes form as you advance levels, but for the most part, you’re just checking in on what people want and arranging them to optimize happiness.

I obsessively plowed through the game, soothed by the strummy music, delighted by the plops, bloops and chatters of the sound effects. As more people get on the bus (show up to the coworking space, arrive at the restaurant) it gets increasingly tougher to satisfy everyone — more than once I had to clear everyone off the train and start from scratch — but achieving 100 percent contentment is always possible. And if that’s not true IRL, then at least it is here.

— Amy Skorheim, Senior Reporter

Keeper

Keeper is a surprisingly quiet and soul-soothing experience from Double Fine Productions, a studio best known for sassy, cartoon-style games like Costume Quest, Psychonauts and Brütal Legend. Keeper is a gorgeous and dialogue-free adventure through fantastical lands of deep shadows and vivid pastels, presented in a claymation-like art style that’s a joy to interact with. The game follows a sentient, walking lighthouse and its bird companion as they attempt to reach a mountaintop and cleanse the land of a nasty parasitic presence. Keeper only lasts about four hours tops, but its striking visuals, smooth mechanics and heartwarming story leave a lasting impression.

— J.C.

Kingdom Come: Deliverance II

Kingdom Come: Deliverance II is a modern-day Morrowind. I mean that as a compliment. It's a game built on a series of complex, interlocking systems that work together to create one of the most immersive worlds I've had a chance to experience in recent years.

As I guided my version of Henry of Skalitz through Warhorse Studios' beautiful recreation of 15th century Bohemia, I spent dozens of hours doing mundane things like blacksmithing, playing dice, foraging for herbs and concocting potions. Each of these activities feels like it could be a game on its own, and they work together to create an experience that feels refreshingly old-school. No one is making RPGs like Warhorse anymore — not even Bethesda — and that's what makes this game feel so special. It's the kind of experience studios used to make when games didn't need to appeal to everyone to recoup their development costs.

— I.B.

Look Outside

Months after its release, Look Outside is still the game I can't shut up about, and it probably will continue to be for the foreseeable future. In Look Outside, your character wakes up to discover that an apocalyptic event has taken place, and anyone who looks outside to observe it is transformed into some sort of abomination. You have to survive two weeks inside your apartment building, gathering resources and, if you're trusting, accumulating allies to fight by your side. There are monsters everywhere, and their designs are wildly creative. It's a joy encountering all of the freakish creatures for the first time.

There are tons of choices to make in Look Outside that will affect the course of your playthrough, and there are both moments of gut-wrenching bleakness and sheer absurdity. It's in a league of its own, blending a multitude of horrors — survival horror, cosmic horror, body horror, psychological horror — and captivating artwork (not to mention an S-tier soundtrack) into a gripping RPG that has enough substance to justify playing it again and again.

— Cheyenne MacDonald, Weekend Editor

Lonely Mountains: Snow Riders

Most games involving mountains are about a heroic climb. Lonely Mountains: Snow Riders is about a series of humbling descents. This is a physics-driven downhill skiing game that, like its predecessor, starts you at the top of various summits and tasks you with racing to the goal in one piece. The way down is filled with interweaving routes and shortcuts, but there are no directional markers to guide you. Nor is there any music to pump you up, just the sounds of skis cutting into powder, winds whipping, birds chirping, nature being nature.

The result is a game that pits you against yourself. You rush down to beat a target time, but you’re always fighting gravity and cold, hard earth. So you crash, again and again, until you manage to survive that one clean run. The mountain becomes something to respect, not conquer. It’s fast, thrilling and total slapstick: Steering your low-poly, literally blockheaded avatar into a tree or off a cliff is always good for a laugh. (Seeing others do it in multiplayer is even better.) It’s also gorgeous, all glistening snow, intimate sounds and serene vistas. More than an enjoyably tense sports game, Snow Riders is a vivid expression of our relationship with nature. Think of it like a more contemplative SSX.

— J.D.

Metroid Prime 4: Beyond

Metroid Prime 4: Beyond is not a perfect game. The story barely hangs together at times, the addition of a squad of companions can really disrupt the atmospheric isolation the series is known for, there are a few unfair difficulty ramps and the open-world desert is a bit of a slog. And yet, it also does so many things right. As with most Metroid games, there are varying biomes to explore, each with a distinct identity and various flora and fauna that do not like intruders. As with most Nintendo games, the design of these levels are excellent across the board, with clever challenges and puzzles that reward continued exploration.

But for me, seeing a Metroid Prime game in 4K was worth the price of admission alone. Beyond doesn’t reinvent the wheel, but it presents an absolutely gorgeous and immersive spectacle the likes of which we haven’t seen in a Metroid game before. Given that Metroid Prime 3: Corruption came out in 2007 on the Wii, a console that maxed out at 480p, seeing the series’ impeccable art style brought to life on modern hardware was a delight. It may have some issues, but Metroid Prime 4: Beyond is still worth experiencing.

— N.I.

Ninja Gaiden Ragebound

I'd somehow never played a single Ninja Gaiden game until this year, but I could hardly have had a better introduction to the series. The Game Kitchen's Ninja Gaiden Ragebound is an old-school, hack-and-slash platformer with top-notch pixel art, an excellent score and slick level design.

The combat helps ensure that everything hangs together. Dual protagonists Kinji Monzu and Kumori (whose souls fuse together) have distinct abilities that work in harmony, and using the right tools to tackle each enemy helps charge up a powerful hyper attack. Ragebound isn't necessarily easy, but it isn't frustrating either — unless you're trying to put it down and do something else, because this is a very absorbing, entertaining game.

— K.H.

Peak

Peak perfectly captures the delightful, simultaneous disasters that can happen when multiple people make stupid decisions at the same time. Ostensibly a multiplayer game about child scouts who crash land on a deserted island and are forced to climb to the top of a mountain to get rescued, Peak's multitude of dangerous biomes, status-affecting consumables and hidden secrets make it fun to get you and your friends killed. The game is an awkward first-person platformer where it's sometimes easier to shoot someone out of a cannon than it is to get them to toddle up a hill, but those obstacles feel good to overcome because the game lets you talk to people while you do it.

The term "friendslop" was coined following the popularity of Peak and games like it, a burgeoning micro-genre where games with deceptively simple virtual tasks are paired with proximity-based voice chat. Unsurprisingly, it's fun to play video games with your friends, but Peak stands out because the ongoing support of developers Aggro Crab and Landfall has managed to keep things interesting in the game for nearly half the year.

— I.C.C.

Oblivion Remaster

There's a comfort in knowing exactly what you're going to get from a game. The Elder Scrolls 4: Oblivion Remastered delivers all the things I love about Bethesda creations. It's a world I want to get lost in, where the detours are the true point of the journey. I become a stealth archer cat person who can cause chaos or save the day. And I can enjoy the studio's signature open-world RPG experience without suffering through the wonky design ideas that made the original game frustrating. For Bethesda fans, this remaster is a joy whether it's your first time playing Oblivion or your fiftieth.

— A.W.

Öoo

I have a deep appreciation for games that give you a limited set of tools and many ways to use them. Puzzle-platformer Öoo is a brilliantly constructed example of that. It's so thoughtfully crafted that even the name is perfect. The large Ö looks like the caterpillar character you control and the smaller characters resemble the two bombs that you drag around and use to solve a variety of conundrums. Öoo is also the noise I involuntarily made when I solved some of the puzzles.

Nama Takahashi (who made Öoo with help from Tiny Cactus Studio and Tsuyomi) uses deeply clever level design to teach you how to use the bombs and move forward. Takahashi clearly wants you to succeed. Checkpoints are everywhere, so if you die while trying to find a puzzle solution, there's no lengthy runback to worry about. The developer (who previously created ElecHead) even made his own walkthrough video to help you get to the end.

Öoo — which you can complete in a single sitting — respects your time. It looks and sounds wonderful too. The music reminds me a lot of the outstanding Poinpy. While I remain sad that it's not currently possible to play that game, I'm more than happy to have Öoo to return to.

— K.H.

Silksong

It’s such a relief to know that, finally, this is probably the last time I’ll write about Silksong. (Oh no, more is coming.) Seven years in the making, from DLC to standalone game to Reddit meme, Silksong arrived across pretty much every mainstream gaming platform.

The Hollow Knight sequel swaps to a new protagonist, Hornet, who was a recurring boss in the original. She’s faster, she can attack in diagonal dives, and just plays pretty differently from the Knight. Off the back of the slowburn hit of Hollow Knight, Team Cherry have lavished more attention, more fun and more diverse boss battles, ensuring this feels like a better (although possibly more challenging) game.

I prefer the faster, risk-and-reward playstyle too. Hornet uses silk to heal, which, like soul in Hollow Knight, you build up by attacking enemies. However, Hornet does this in bulk, healing three hearts at once. When you die, you’ll leave a bounty of silk behind, making for a tempting health top-up you can grab mid-boss fight. If you don’t die before then.

You can equip Hornet with different weapon and subweapon loadouts, adding a little more variety in this sequel. Heavy, slower weapon swings, or relentless strikes with a much shorter range? Your choice.

When it launched, half the Engadget team were sharing tales of bottlenecks and seemingly impossible boss fights, and we were all exploring the world of Silksong in entirely different directions. That’s the blessing and the curse of a Hollow Knight game.

— Mat Smith, UK Bureau Chief

Silent Hill f

It’s a rare and special thing when a horror game lives up to the gruesome promises of its cinematic teaser trailer, and Silent Hill f accomplishes this and more. Silent Hill f is a heart-pounding survival-horror game set in a rural Japanese village in the 1960s and starring Hinako, a high school student with crappy friends and a tormented home life. Hinako’s town is ravaged by demonic creatures and an infectious botanical fungus, and she has to fight her way through it, shifting among realities and encountering a cast of untrustworthy peers and fox worshippers. The combat starts out great and only gets better as Hinako sacrifices her flesh in the name of salvation, meaning the body horror steadily ramps up as the game progresses. Hinako’s world is filled with terrifying mannequin minions, bulbous pus monsters and disturbing, trypophobic visuals. It’s beautiful.

— J.C.

Subway Builder

Subway BuilderAaron Souppouris

Subway Builder is an indie transport sim like no other. Creator Colin Miller combined OpenStreet maps of large cities with government data about where people live and work. This creates a complex web of nodes representing residents and workplaces for you to connect. You’ll start with no public transport infrastructure and try to build out a profitable network. In dense cities like New York this is incredibly easy, but freeing even 20 percent of Phoenix's endless sprawl from cars without going bust is very challenging.

The game scratches the same itch for me as Mini Metro, only instead of cutesy vector graphics you're basically working in Google Maps. It's also expanding at a rapid pace: When I first played in October, there were maybe 15 locations, and as of writing there are now 29 US cities and, most recently, five UK options. I spent the first 35 years of my life bouncing around Croydon and Lewisham in London; giving South Londoners a proper tube network (while ignoring anything north of Highbury) has been a real treat.

— A.S.

Sword of the Sea

While the game might always be evoked in the same breath as Journey, the PlayStation classic with which it shares a key creative, Sword of the Sea is more than just another beautiful trek towards a mountain. Combining delectable traversal mechanics from The Pathless and beautiful sea creatures like those in Abzu, the game is a culmination of everything developer Giant Squid is good at. More importantly, though, Sword of the Sea's surfing mechanic just looks and feels damn cool.

I don't know that I ever mastered how to surf on a sword during Sword of the Sea's silent and surprisingly brief narrative, but I do know it didn't take long to care. Carving through sand and snow immediately came easy enough that getting to any of the game's intriguing landmarks and collectibles was a matter of how, not if. That's not to discredit the game's other charms, like a score from Austin Wintory and a photo mode that's perfect for capturing close encounters with dolphins, whales and sharks. If you need a reason to play Sword of the Sea, though, let it be the surfing. It tells you more about the game and what it wants you to feel than any piece of dialogue could.

— I.C.C.

Sworn

Let's get one thing out of the way. Yes, Sworn is a Hades clone, but it's a darned good one. This game swaps out the Olympian gods for characters sourced from Arthurian legend, but the nuts and bolts gameplay is pretty much the same. So why was this one of my favorite games in a year when Hades 2 set the world on fire? The combat is extremely addictive and there are multiple character classes that truly change how everything plays.

Some characters are for up close combat and others are better at dropping turrets and related items that do damage over time. It's super fun to litter a bunch of poison-soaked cannons in a level and just let them do their thing. It also has four-player co-op, which is chaotic in all the best ways. The story is totally forgettable when compared to Hades, but that's not why I play roguelites.

— L.B.

This article originally appeared on Engadget at https://www.engadget.com/gaming/engadgets-favorite-games-of-2025-153000109.html?src=rss

hands on Infinite Machine, a New York-based electric vehicle startup, began with a stolen Vespa. ...

Latest charges join the mountain of indictments facing alleged Tren de Aragua members

A Venezuelan gang described by US officials as "a ruthless terrorist organization" faces charges over alleged deployment of malware on ATMs across the country, illegally siphoning millions of dollars....

But not Phil Collins, sadly

The US Department of Energy (DOE) has a Christmas gift for the AI industry in the shape of agreements for collaboration in the Trump administration's Genesis Mission, which aims to use AI to drive scientific discoveries....

Newly disclosed vulnerability already being abused, users urged to lock down exposed firewalls

WatchGuard is in emergency patch mode after confirming that a critical remote code execution flaw in its Firebox firewalls is under active attack....

Attackers helped themselves to historical personal info on 27K people

The University of Sydney is ringing around thousands of current and former staff and students after admitting attackers helped themselves to historical personal data stashed inside one of its online code repositories....

UK state-owned bank admits revised plan runs beyond contract end with Atos

Already £1.4 billion over budget and four years late, a tech transformation project at a UK state-owned bank is outside HM Treasury spending limits and timetable under a revised plan from systems integrator Capgemini....

Revived distro returns on Arch with KDE Plasma, global menus, and a familiar macOS-style sheen

The new pearOS distro is a Romanian project that picks up the concepts behind the original Pear Linux from 2011 and updates them. It's not going to turn the distro world upside down, but it's fun, interesting, and a showcase for the versatility and customizability of the Linux desktop....

Maximum-severity vuln lets unauthenticated attackers execute code on trusted infra management platform

Hewlett Packard Enterprise has told customers to drop whatever they're doing and patch OneView after admitting a maximum-severity bug could let attackers run code on the management platform without so much as a login prompt....

Virgin Media the last to go as users of older mobiles warned to upgrade

Britain is set to become a post-3G nation as Virgin Media O2 (VMO2) prepares to be the last of the country's mobile networks to switch off its 3G service, although it may linger for a while at a few sites....

Tech exec admits not dead cert it'll find the right solution

Exclusive Airbus is preparing to tender a major contract to migrate mission-critical workloads to a digitally sovereign European cloud – but estimates only an 80/20 chance of finding a suitable provider....

Here are some hints and the answers for the NYT Connections puzzle for Dec. 20 #923.

Here are hints and the answer for today's Wordle for Dec. 20, No. 1,645.

Here are hints and answers for the NYT Strands puzzle for Dec. 20, No. 657.

Are you assessing your current mobile plan as a new year approaches? Let us help by reviewing our favorite plans with unlimited data from AT&T, T-Mobile and Verizon.

One of the biggest open-world games is now available on your phone, and if you have Netflix, you don't need to pay extra for it.

Deep within the planet, carbon clouds can condense and form diamonds, NASA says.

Don't wait to get that new laptop or desktop you've been eyeing. Rising RAM prices are going to make things more expensive soon.

These 3D printer accessories will make your life easier no matter what you're creating. I've put together a list of my favorites.

Last-minute shopping doesn't have to be stressful. We've sifted through hundreds of items on Amazon to find thoughtful, standout gifts that beat the shipping cutoff.

Stop what you're doing and sign up for these perks for Netflix, Hulu and other streamers.

Ants with lots of workers tend to put less energy into making them armored.

Inin suggests new low-cost options allowed it to "recalculate production" for full cartridge.

LG says it'll let people delete the Copilot icon. But TV chatbots aren't going away.

BIOS checks will only affect a limited subset of Valorant players for now.

You get quite a lot of EV for the Equinox's sub-$35,000 starting price.

Chris Wright declared an energy “emergency” in the Pacific Northwest.

The grocery app will also stop hiding refund options and obscuring delivery costs.

Strava’s most viral feature is suddenly locked away.

How do four modern LLMs do at re-creating a simple Windows gaming classic?

"Russia, meanwhile, will be left to carry on the legacy of the ISS, with all its problems."

In this episode, we look back at 2025 and look ahead to what's happening in 2026—including what’s in store for Uncanny Valley.

Forced by an act of Congress, the Justice Department has released “hundreds of thousands” of pages of documents related to Epstein—but not everything, as is required by law.

From dead crabs to shredded bed sheets, fraudsters are using fake photos and videos to get their money back from ecommerce sites.

Merge Labs, a brain-computer interface startup that seeks to read brain activity using ultrasound, is being spun out of Forest Neurotech, a Los Angeles nonprofit.

The JBL Flip 7 is our top tried-and-tested Bluetooth speaker, and we haven't seen it sell for less than it is right now.

Could the AI industry be on the verge of its first major layoffs? Will China spread propaganda to slow the US data-center building boom? Where are AI agents headed?

This year’s bumper crop looks at salsa, salads, drinking culture, home baking, and Italian cuisine.

I've tested smart home gear and high-tech party gadgets at every holiday party I've hosted so far this year. Here’s how to automate your party so you can actually enjoy the holiday season.

With prices at new lows and an incoming memory shortage, here's our advice on which MacBook you should buy.

Tote your photo and video gear around in style. We tested more than 80 packs and rounded up our favorites.

Brick is one of the few new devices that positively changed my daily content consumption. It would be a great gift for the phone-addicted friend this holiday.

Pebblebee's Clip 5 finder tag attaches to a key ring, works with both iOS and Android devices, and makes a loud sound.

Outlaw Audio's retro stereo receiver delivers high-quality sound, even though it's considerably cheaper than most professional equipment.

If you're looking for great sound without breaking the bank, the Creative Stage Pro is a budget-friendly option worth considering.

Your Samsung, LG, and even Sony TV comes with privacy risks. Here's how to avoid one of the biggest with just a few steps.

With a gorgeous OLED screen and powerful hardware, the Yoga Pro 9i Aura Edition is a high-performance device that many should consider.

How can merchants trust agentic transactions? Visa and Akamai's partnership is here to help.

LG has announced a series of new speakers and soundbars, all of which support the brand's new Sound Suite and Dolby Atmos Flex tech.

Here's how to use Google Gemini to detect certain AI-generated videos.

Samsung offers everything from high-end OLED TVs to budget-friendly options, and we've tested them all to help you find the best fit for your home theater.

Rising AI demand is driving up DRAM prices, pushing smartphone costs higher and reducing supply as early as 2026, according to new Counterpoint research.

The post AI Chip Shortage Could Raise Smartphone Prices in 2026 appeared first on TechRepublic.

Trump Media announces a $6 billion merger with fusion startup TAE Technologies, signaling a pivot from social media to clean energy and AI infrastructure.

The post Trump Media Announces $6 Billion Merger With Fusion Power Developer TAE appeared first on TechRepublic.

These aren't simple chatbots anymore—these AI agents access data and tools and carry out tasks, making them infinitely more capable and dangerous.

The post OWASP Drops First AI Agent Risk List appeared first on TechRepublic.

The government stopped short of directly attributing the attack to Chinese operatives or the Chinese state.

The post UK Foreign Office Cyber Breach Exposed Diplomatic Secrets appeared first on TechRepublic.

Vibe coding firm has closed a $330 million Series B funding round, catapulting the Swedish company to a $6.6 billion valuation.

The post Nvidia and Google Back $6.6B AI Startup Lovable appeared first on TechRepublic.

Oracle, Silver Lake, and MGX each secured 15% stakes in the newly formed JV, while ByteDance retains 19.9% ownership of what was once their crown jewel.

The post TikTok Strikes Deal to Offload US Operations appeared first on TechRepublic.

French intelligence agencies uncovered what appears to be a coordinated foreign interference operation targeting the GNV Fantastic.

The post Italian Ferry Malware Attack Sparks International Probe appeared first on TechRepublic.

Google rolls out a surprise second Pixel update to millions of users, sparking speculation about a critical fix and hinting at an upcoming pocket dial solution.

The post Google Pushes Surprise Pixel Update That Could Affect Millions of Users appeared first on TechRepublic.

Five standout last-minute Amazon Prime deals for holiday shopping: Echo Show 8, Kindle Paperwhite, Fire TV Stick 4K Max, Belkin charger, and smart home essentials.

The post Last-Minute Amazon Prime Deals for Holiday Shopping appeared first on TechRepublic.

China is testing a secret EUV lithography prototype, a step toward chip self-reliance amid tightening export controls and surging AI demand.

The post Inside China’s ‘Manhattan Project’: China Moves Closer to Chip Self-Reliance With Secret EUV Prototype appeared first on TechRepublic.

Smart Secret Santa picks These Secret Santa gift ideas balance fun, practicality, and thoughtfulness—without the stress.

India’s quiet tech shift Cashify explains how 2025 transformed India’s re-commerce ecosystem, driving nationwide adoption and making refurbished devices and trade-ins key to tech upgrades.

PlayStation India announces holiday sale PlayStation India’s holiday sale offers up to 60% off on games and accessories.

Built for people who hate fuss The OnePlus 15R focuses on smooth performance, strong battery life, and clean software, delivering a reliable, no-frills smartphone experience.

Realme 16 Pro series teased Realme 16 Pro series is set to launch in India early next month.

Annual Pixel upgrades made easy! Google’s Pixel Upgrade Program in India offers no-cost EMI and hassle-free upgrades.

ChatGPT expands app integrations ChatGPT now integrates Apple Music for music discovery and playlist creation.

Gemini app gets smarter! Gemini now lets users draw to edit images and detect AI-generated videos.

Tune in for TikTok's big night!

The 2025 TikTok Awards are getting under way Thursday night. The social platform is set to honor its biggest creators for the time in the U.S.

Don't worry: Mashable is covering everything you need to know. We've got staff inside the venue, and we're updating our live blog ...

Meta adds Telugu, Kannada support to AI smart glasses Meta has rolled out Telugu and Kannada language support for its AI-powered Ray-Ban Meta and Oakley Meta smart glasses in India. The update expands hands-free voice features beyond English and Hindi, marking a key step toward making AI glasses more practical for everyday use.

Starbucks has named longtime Amazon executive Anand Varadarajan as its new chief technology officer, tapping a veteran of the tech giant’s grocery and supply chain operations as the coffee chain pushes to modernize technology in its stores. Read More

Microsoft and NASA say they’re applying artificial intelligence to a challenge that has become increasingly urgent: how to cope with… Read More

Nintex CEO Amit Mathradas is set to depart for Five9; Raikes Foundation names a new leader; and a Qualtrics exec is now at Workday. Read More

Darrell Lowe, a 30-year law enforcement veteran, views Redmond as the ideal staging ground for a new era of policing that capitalizes on technological advancements. Read More

The company's technology can complete tasks in a matter of weeks that previously required three to six months, said founder and CEO Javier Tordable. Read More

RentSpree, which got its start in Los Angeles but is now headquartered in Seattle, has built a profitable business helping landlords and real estate agents screen tenants, collect rent, sign leases, and manage rentals online. Read More

In a remarkable pivot, Athira Pharma has a deal to test a promising breast cancer drug and landed $90 million in upfront funding from investors. Read More

Since launching its flagship product earlier this year, the Seattle startup quickly went "viral," sold out its first two production runs and built a near-six-figure waitlist. Read More

German engineer Michaela Benthaus and five other crew members are waiting to take a suborbital space trip offered by Jeff Bezos' space venture. Read More

Amazon has quietly started rolling out Alexa.com, bringing its AI-powered Alexa+ assistant to the desktop browser for the first time and completing a long-missing piece of its consumer AI strategy. The web portal offers point-and-click control over reminders, files, and smart home devices — a level of precision that voice commands can't match. Read More

The headlines might be gloomy, but CEO Gary Cohen argues the outlook for iRobot is sunny.

HP’s 1972 GPIB bus finally receives stable Linux support, allowing vintage lab instruments to connect seamlessly with contemporary systems.

The Mixx Analog+ is a turntable with a top-loading CD player in the center of it

SantaStealer is a rebranded infostealer using modular data theft, modest pricing, and limited stealth, with no confirmed large-scale deployment yet.

Payroll-focused social engineering attacks target help desk staff, redirect employee salaries, and show how human factors can bypass traditional technical protections.

Chrome's new Split View Tabs feature, introduced in the November update, is a game-changer that allows users to view two browser tabs simultaneously.

Several hundred machines across a diverse set of organizations already compromised, Microsoft says.

Yet again, we're being graced with a report stressing the importance of a solid data foundation to get the most out of AI.

Save $20 / £12 off an annual subscription before the new year

Two Chinese-nexus groups have been exploiting a newly discovered flaw to establish persistence and launch backdoors.

Burgers kunnen straks zelf via StopID online hun paspoort en identiteitskaart ongeldig verklaren. Minister Frank Rijkaart van ...

De EU-landen hebben vandaag een akkoord over de digitale euro gesloten. Volgens het ministerie van Financiën verschijnt de ...

De Belastingdienst, Microsoft, de politie, Clinical Diagnostics en de Vereniging van Nederlandse Gemeenten (VNG) zijn ...

Gladinet CentreStack file servers zijn het doelwit van ransomware-aanvallen, zo stelt securitybedrijf Curated Intelligence. De ...

Het demissionaire kabinet verwacht dat de supercomputer van de 'AI-fabriek' die in Groningen zal worden gebouwd eind 2027 of ...

Zeker 25.000 Fortinet-apparaten met FortiCloud SSO, waarvan bijna vierhonderd in Nederland, zijn toegankelijk vanaf het ...

Firewall-leverancier WatchGuard waarschuwt voor een actief misbruikte kwetsbaarheid in de firewalls die het levert. Er zijn ...

Het advertentiebedrijf Mobius heeft van de Franse privacytoezichthouder CNIL een boete van 1 miljoen euro gekregen omdat het de ...

Het demissionaire kabinet kan niet uitsluiten dat via Zivver uitgewisselde gegevens in de Verenigde Staten terechtkomen, zo ...

Twee medewerkers van cybersecuritybedrijven hebben bekend dat ze ransomware-aanvallen op organisaties hebben uitgevoerd, ...

The White House says it's investigating how a personal-finance YouTuber's livestream briefly appeared on the White House's official live video page. The creator says he has no idea how his video ended up there. The Associated Press reports: The livestream appeared for at least eight minutes late Thursday on whitehouse.gov/live, where the White House usually streams live video of the president speaking. It's unclear if the website was breached or the video was linked accidentally by someone in the government. The White House said in a statement that it was "aware and looking into what happened." The video that appeared on the government-run website featured some of a more than two-hour livestream from Matt Farley, who posts as @RealMattMoney, as he answered financial questions. Farley told The Associated Press on Friday that he had no idea what happened and learned about it after the fact. He said he had not been contacted by the government and didn't have any theories about how his livestream ended up on the website. He joked that he hoped President Donald Trump and his youngest son, Barron Trump, "are watching my streams and taking advice." "Had I known it would have been on the White House website, I probably would have had other things to talk about than personal finance," Farley said. When asked what other things he would discuss, Farley responded with a laugh and said: "What would you talk about with the world for eight minutes if you had an opportunity? I'm just some guy making YouTube videos about stocks."

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: At this point, most competitive online multiplayer games on the PC come with some kind of kernel-level anti-cheat software. As we've written before, this is software that runs with more elevated privileges than most other apps and games you run on your PC, allowing it to load in earlier and detect advanced methods of cheating. More recently, anti-cheat software has started to require more Windows security features like Secure Boot, a TPM 2.0 module, and virtualization-based memory integrity protection. Riot Games, best known for titles like Valorant and League of Legends and the Vanguard anti-cheat software, has often been one of the earliest to implement new anti-cheat requirements. There's already a long list of checks that systems need to clear before they'll be allowed to play Riot's games online, and now the studio is announcing a new one: a BIOS update requirement that will be imposed on "certain players" following Riot's discovery of a UEFI bug that could allow especially dedicated and motivated cheaters to circumvent certain memory protections. In short, the bug affects the input-output memory management unit (IOMMU) "on some UEFI-based motherboards from multiple vendors." One feature of the IOMMU is to protect system memory from direct access during boot by external hardware devices, which otherwise might manipulate the contents of your PC's memory in ways that could enable cheating. The patch for these security vulnerabilities (CVE-2025-11901, CVE-202514302, CVE-2025-14303, and CVE-2025-14304) fixes a problem where this pre-boot direct memory access (DMA) protection could be disabled even if it was marked as enabled in the BIOS, creating a small window during the boot process where DMA devices could gain access to RAM. The relative obscurity and complexity of this hardware exploit means that Vanguard isn't going to be enforcing these BIOS requirements on every single player of its games. For now, it will just apply to "restricted" players of Valorant whose systems, for one reason or another, are "too similar to cheaters who get around security features in order to become undetectable to Vanguard." But Riot says it's considering rolling the BIOS requirement out to all players in Valorant's highest competitive ranking tiers (Ascendant, Immortal, and Radiant), where there's more to be gained from working around the anti-cheat software. And Riot anti-cheat analyst Mohamed Al-Sharifi says the same restrictions could be turned on for League of Legends, though they aren't currently. If users are blocked from playing by Vanguard, they'll need to download and install the latest BIOS update for their motherboard before they'll be allowed to launch the game. Riot's new anti-cheat change could create problems for older PCs if the new anti-cheat change is expanded, notes Ars. The update relies on a BIOS patch to fix a UEFI flaw, and many older motherboards, especially Intel 300-series and AMD AM4 boards, may never receive that update. If Riot flags a system and the manufacturer doesn't provide a patched BIOS, players could be locked out of games despite having otherwise capable hardware.

Read more of this story at Slashdot.

Microsoft's latest holiday ad for its Copilot AI assistant features a 30-second montage of users seamlessly syncing smart home lights to music, scaling recipes for large gatherings, and parsing HOA guidelines -- none of which the software can actually perform reliably when put to the test. The Verge methodically tested each prompt shown in the ad and found that Copilot repeatedly hallucinated interface elements that didn't exist, claimed to highlight on-screen buttons when it hadn't, and abandoned calculations midway through. The smart home interface shown in the ad belongs to "Relecloud," a fictional company Microsoft uses in internal case studies. A Microsoft spokesperson confirmed that both the HOA document and the inflatable reindeer photo were fabricated for the advertisement. The ad closes with Santa Claus asking Copilot why toy production is behind schedule. Further reading: Talking To Windows' Copilot AI Makes a Computer Feel Incompetent.

Read more of this story at Slashdot.

President Trump's closure of the de minimis customs loophole in May -- which previously allowed Chinese packages valued under $800 to enter the U.S. duty-free -- has redirected a flood of cheap goods toward Europe, where similar exemptions for packages under $175.8 in the EU and $180 in the UK remain intact. The shift has been swift: exports of low-value Chinese packages to the U.S. have dropped more than 40% since May, according to Chinese customs data, and the EU has this year overtaken the U.S. as the largest market for China's roughly $100 billion cheap package trade. Shipments to Hungary and Denmark have quadrupled, and those to Germany, France, and the UK have risen 50% or more. Temu has recorded seven straight months of double-digit U.S. sales declines, per Consumer Edge data tracking credit and debit card transactions. Its European sales, on the other hand: up 56% in the EU and 46% in the UK since May compared to a year ago. The EU agreed last week to impose a $3.5 fee on imported small packages starting in July and to close the de minimis exemption entirely by 2028. The UK plans to follow in 2029.

Read more of this story at Slashdot.

alternative_right writes: Grocery delivery service Instacart will refund $60 million to settle FTC claims that it misled customers with false advertising and unlawfully enrolled them in paid subscriptions. Instacart partners with over 1,800 retailers to provide online shopping, delivery, and pickup services from nearly 100,000 stores across North America. Its platform serves millions of customers and is also used by roughly 600,000 independent shoppers across thousands of cities in Canada and the United States. In a complaint filed on Thursday, the FTC claimed Instacart engaged in multiple deceptive tactics that raised costs for customers, including failing to provide advertised refunds and falsely advertising "free delivery" while still charging mandatory service fees that added up to 15% to order costs. The FTC said Instacart also advertised a "100% satisfaction guarantee," but typically offered only small credits toward future orders rather than full refunds to customers experiencing problems with deliveries or service. The company allegedly hid refund options from "self-service" menus, leading customers to believe credits were their only option.

Read more of this story at Slashdot.

Microsoft AI CEO Mustafa Suleyman estimates that staying competitive in frontier AI development will require "hundreds of billions of dollars" over the next five to ten years, a sum that doesn't even account for the high salaries companies are paying individual researchers and technical staff. Speaking on a podcast, Suleyman compared Microsoft to a "modern construction company" where hundreds of thousands of workers are building gigawatts of CPUs and AI accelerators. There's "a structural advantage by being inside a big company," he said. When asked whether startups could compete with Big Tech, Suleyman said "it's hard to say," adding that "the ambiguity is what's driving the frothiness of the valuations." Meta CEO Mark Zuckerberg said in September he'd rather risk "misspending a couple of hundred billion" than fall behind in superintelligence.

Read more of this story at Slashdot.

The television industry's brightness war may have hit its inflection point in 2025, the year TCL and Hisense released the first consumer TVs capable of 5,000 nits under specific settings -- a figure that would have seemed absurd not long ago when manufacturers struggled to reach 2,000 nits. LG introduced Primary RGB Tandem OLED technology, moving from a three-stack panel design to a four-stack red-blue-green-blue configuration that the company claims can achieve 4,000 nits. The technology appears in the LG G5, Panasonic Z95B and Philips OLED950 and OLED910. RGB mini-LED also emerged as a new category. The technology uses individual small red, green and blue LED backlights instead of white or blue LEDs paired with quantum dots. Hisense demonstrated it at CES 2025, TCL announced its Q10M for China, and Samsung unveiled its own version called micro-RGB. These sets range from $12,000 to $30,000. Sony has confirmed it will debut RGB TV technology in spring 2026. HDR content is currently mastered at a maximum of 4,000 nits. The situation echoes the audio industry's loudness war, The Verge points out, which peaked with Metallica's heavily compressed Death Magnetic in 2008.

Read more of this story at Slashdot.

Uber is hiring more engineers rather than fewer because AI tools have made them "superhumans," CEO Dara Khosrowshahi said, pushing back against the industry trend of using productivity gains to justify headcount cuts. Speaking on the "On with Kara Swisher" podcast, Khosrowshahi noted that other tech executives see AI making engineers 20% to 30% more productive and conclude they need 20% to 30% fewer engineers. His view: every engineer has become more valuable. Between 80% and 90% of Uber's developers now use AI tools, according to Khosrowshahi. The company no longer keeps scores of engineers on call to diagnose issues because AI agents are constantly monitoring systems, he said. The latest AI models are producing "hundreds of millions of dollars of benefit" for Uber, he said, describing the company as an "applied AI" business that harnesses the technology for pricing, payments, matching, routing, identification and customer complaints.

Read more of this story at Slashdot.

iRobot, the Bedford, Massachusetts-based company that brought the Roomba vacuum cleaner into American homes over its 35-year history, filed for bankruptcy on Sunday and will be acquired by Picea, its Chinese contract manufacturer that also produces competing household devices. The Wall Street Journal's editorial board placed blame for the company's demise on the Federal Trade Commission under Chair Lina Khan, which opposed Amazon's $1.7 billion bid to acquire iRobot. That deal collapsed in January 2024 amid regulatory pressure from both the FTC and European antitrust authorities. Senator Elizabeth Warren and other progressives had urged Khan to block the acquisition, arguing in a September 2022 letter that Amazon is "'almost universally recognized' as the leader in warehouse and fulfillment robotics space" and that the deal "would open up a new market to Amazon's abuses." After the deal fell through, iRobot cut 31% of its workforce and moved "non-core engineering functions to lower-cost regions." The company had shifted production to Vietnam to reduce its exposure to China but was hit by tariffs under Trump's Liberation Day trade measures -- initially 46%, later reduced to 20%. iRobot said the trade uncertainty made it difficult to operate.

Read more of this story at Slashdot.

The Association for Computing Machinery, the world's largest society of computing professionals, announced that all publications and related artifacts in the ACM Digital Library will become freely available to everyone starting January 2026. Authors will retain full copyright to their published work under the new arrangement, and ACM has committed to defending those works against copyright and integrity-related violations. The transition follows what ACM described as extensive dialogue with authors, Special Interest Group leaders, editorial boards, libraries, and research institutions globally. Students, educators, and researchers at institutions of all sizes -- from well-resourced universities to emerging research communities -- will gain unrestricted access to the full catalog of ACM-published work. The Digital Library houses decades of computing research across journals, magazines, conference proceedings, and books.

Read more of this story at Slashdot.

Latest charges join the mountain of indictments facing alleged Tren de Aragua members

A Venezuelan gang described by US officials as "a ruthless terrorist organization" faces charges over alleged deployment of malware on ATMs across the country, illegally siphoning millions of dollars....

Newly disclosed vulnerability already being abused, users urged to lock down exposed firewalls

WatchGuard is in emergency patch mode after confirming that a critical remote code execution flaw in its Firebox firewalls is under active attack....

Attackers helped themselves to historical personal info on 27K people

The University of Sydney is ringing around thousands of current and former staff and students after admitting attackers helped themselves to historical personal data stashed inside one of its online code repositories....

Maximum-severity vuln lets unauthenticated attackers execute code on trusted infra management platform

Hewlett Packard Enterprise has told customers to drop whatever they're doing and patch OneView after admitting a maximum-severity bug could let attackers run code on the management platform without so much as a login prompt....

Officials admit 'there certainly has been a hack,' but refuse to confirm China link or data theft

The UK's Foreign Office is investigating a confirmed cyberattack it learned about in October, senior ministers say....

Ofcom survey finds 18-34s increasingly see life online as bad for society and their mental health

Young Brits are souring on the internet, with increasing numbers seeing it as damaging to society and their mental health, according to latest research published by Ofcom....

Practical lessons on securing AI and using AI to strengthen defence

Sponsored Post AI is moving from experimentation to everyday use inside the enterprise. That shift brings new opportunities, but it also changes the security equation. Attacks are becoming faster and more convincing, while organizations are simultaneously trying to protect new assets like models, prompts, agent workflows, and the sensitive data those systems can access....

Beijing wants to 'seize the initiative in the international competition in cyberspace'

Chinese authorities on Thursday certified the China Environment for Network Innovation (CENI), a vast research network that Beijing hopes will propel the country to the forefront of networking research....

Plus: Lazarus Group has a brand new BeaverTail

Even Amazon isn't immune to North Korean scammers who try to score remote jobs at tech companies so they can funnel their wages to Kim Jong Un's coffers....

Study finds built-in browsers across gadgets often ship years out of date

Web browsers for desktop and mobile devices tend to receive regular security updates, but that often isn't the case for those that reside within game consoles, televisions, e-readers, cars, and other devices. These outdated, embedded browsers can leave you open to phishing and other security vulnerabilities....

NCEES explains why licensure matters for engineers and answers your top questions about the FE and PE exams. Source Views: 10

La entrada Thinking About Becoming a Licensed Engineer? Start Here. se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

View our compilation of online stories and resources highlighting the Hispanic community and their contributions to STEM. Source Views: 7

La entrada Celebrate Hispanic Heritage Month With SWE se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.cyberdefensemagazine.com – Author: News team Software supply chain attacks have emerged as a serious threat in the rapidly evolving field of cybersecurity, especially in medical devices. As these devices become more and more interconnected and dependent on complex software ecosystems, the potential for exploitation through the supply chain has grown exponentially. One powerful tool […]

La entrada The Critical Role of Sboms (Software Bill of Materials) In Defending Medtech From Software Supply Chain Threats – Source: www.cyberdefensemagazine.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.cyberdefensemagazine.com – Author: News team It’s common knowledge in the cybersecurity industry that ransomware is on the rise, with median demands rising 20% year-over-year across virtually all industries. But it’s not only the ransom sums themselves that are escalating; threat actors are engaging in increasingly aggressive tactics and techniques to extort their victims. It’s […]

La entrada Ransomware Tactics Are Shifting. Here’s How to Keep Up – Source: www.cyberdefensemagazine.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.darkreading.com – Author: Rob Wright CERT-FR’s advisory follows last month’s disclosure of a zero-day flaw Apple said was used in “sophisticated” attacks against targeted individuals. Original Post URL: https://www.darkreading.com/vulnerabilities-threats/french-sheds-light-apple-spyware-activity Category & Tags: – Views: 5

La entrada French Advisory Sheds Light on Apple Spyware Activity – Source: www.darkreading.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.darkreading.com – Author: Riaz Lakhani Together, we can foster a culture of collaboration and vigilance, ensuring that we are not just waiting for a hero to save us, but actively working to protect ourselves and our communities. Original Post URL: https://www.darkreading.com/cyberattacks-data-breaches/without-federal-help-cyber-defense-cisa Category & Tags: – Views: 13

La entrada Without Federal Help, Cyber Defense Is Up to the Rest of Us – Source: www.darkreading.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: securityboulevard.com – Author: Gaurav Banga Here’s a scenario security teams increasingly face. A user—or an attacker pretending to be one—types something like: This is how many prompt injection attempts begin. The phrase looks harmless, but it’s a red flag: the user is telling the AI to forget its built‐in rules. What follows is often […]

La entrada Safer Conversational AI for Cybersecurity: The BIX Approach – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: securityboulevard.com – Author: Sofia Naer Introduction On July 16, 2025, Europol revealed the details of Operation Eastwood, a coordinated international strike against one of the most active pro-Russian cybercrime groups, NoName057(016). The announcement promised a major disruption to the group’s activities. In this blog, we explore whether Operation Eastwood had any real impact on […]

La entrada Operation Eastwood: Measuring the Real Impact on NoName057(16) – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: securityboulevard.com – Author: Jeffrey Burt Five months after the future of the CVE program was thrown in doubt, CISA this week released a roadmap that calls for steps to take for its new “quality era,” which includes public sponsorship, expanded public-private partnership, and modernization. The post CISA Lays Out Roadmap for CVE Program’s ‘Quality […]

La entrada CISA Lays Out Roadmap for CVE Program’s ‘Quality Era’ – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: securityboulevard.com – Author: Marc Handelman via the comic artistry and dry wit of Randall Munroe, creator of XKCD Permalink The post Randall Munroe’s XKCD ‘Dual Roomba’ appeared first on Security Boulevard. Original Post URL: https://securityboulevard.com/2025/09/randall-munroes-xkcd-dual-roomba/?utm_source=rss&utm_medium=rss&utm_campaign=randall-munroes-xkcd-dual-roomba Category & Tags: Humor,Security Bloggers Network,Randall Munroe,Sarcasm,satire,XKCD – Humor,Security Bloggers Network,Randall Munroe,Sarcasm,satire,XKCD Views: 8

La entrada Randall Munroe’s XKCD ‘Dual Roomba’ – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Amazon Security Chief explains how a subtle keyboard delay exposed a North Korean impostor. Read about the laptop farm scheme and how 110 milliseconds of lag ended a major corporate infiltration.

Torrance, United States / California, 19th December 2025, CyberNewsWire

Pillar Security has identified a critical indirect prompt injection vulnerability in Docker’s ‘Ask Gordon’ assistant. By poisoning metadata on Docker Hub, attackers could bypass security to exfiltrate private build logs and chat history. Discover how the "lethal trifecta" enabled this attack and why updating to Docker Desktop 4.50.0 is essential for developer security.

Crypto’s public image lagged reality. Stablecoins, tokenization, and regulation now power a blockchain backend settling global finance at institutional scale.

Cary, North Carolina, USA, 18th December 2025, CyberNewsWire

North Korea’s Lazarus Group deploys a new BeaverTail variant to steal credentials and crypto using fake job lures, dev tools, and smart contracts.

SafeBreach reports the resurgence of the Iranian APT group Prince of Persia (Infy). Discover how these state-sponsored hackers are now using Telegram bots and Thunder and Lightning malware to target victims globally across Europe, India, and Canada.

Cybersecurity planning continues to advance as organisations integrate new software, cloud platforms, and digital tools into nearly every…

The FBI and international police have shut down E-Note, a cryptocurrency exchange that laundered over $70 million for cybercriminals. Read about the indictment of a Russian and how the global task force ended his decade-long operation.

France confirms a cyberattack on its Interior Ministry as a 22-year-old is arrested. Hacker claims access to police, tax, and criminal record systems.

A vulnerability was found in ActFax 10.10 and classified as problematic. This vulnerability affects unknown code of the file ActSrvNT.exe of the component ActiveFaxServiceNT Service. Such manipulation leads to unquoted search path. This vulnerability is referenced as CVE-2023-53954. The attack can only be performed from a local environment. Furthermore, an exploit is available.

A vulnerability has been found in WebsiteBaker 2.13.3 and classified as problematic. This affects an unknown part. This manipulation causes cross site scripting. The identification of this vulnerability is CVE-2023-53953. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability, which was classified as critical, was found in AspEmail up to 5.6.0.2. Affected by this issue is some unknown functionality of the component Persits Software EmailAgent Service. The manipulation results in incorrect permission assignment. This vulnerability was named CVE-2023-53949. The attack needs to be approached locally. In addition, an exploit is available.

A vulnerability, which was classified as problematic, has been found in oscinventory OCS Inventory NG up to 2.3.0.0. Affected by this vulnerability is an unknown functionality. The manipulation leads to unquoted search path. This vulnerability is uniquely identified as CVE-2023-53947. Local access is required to approach this attack. Moreover, an exploit is present.

A vulnerability classified as problematic was found in Arcsoft PhotoStudio up to 6.0.0.172. Affected is an unknown function of the component Exchange Service. Executing manipulation can lead to unquoted search path. This vulnerability is handled as CVE-2023-53946. It is possible to launch the attack on the local host. Additionally, an exploit exists.

A vulnerability classified as critical has been found in fastapi-users FastAPI up to 15.0.1. This impacts the function generate_state_token of the file /authorize. Performing manipulation results in improper authorization. This vulnerability is known as CVE-2025-68481. Remote exploitation of the attack is possible. No exploit is available. It is recommended to upgrade the affected component.

A vulnerability described as problematic has been identified in Esri ArcGIS Web AppBuilder Developer Edition up to 2.29. This affects an unknown function. Such manipulation leads to cross site scripting. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is traded as CVE-2025-67712. The attack may be launched remotely. There is no exploit available. Upgrading the affected component is recommended.

A vulnerability marked as critical has been reported in Ever Gauzy 0.281.9. The impacted element is an unknown function. This manipulation causes improper verification of cryptographic signature. This vulnerability appears as CVE-2023-53951. The attack may be initiated remotely. In addition, an exploit is available.

A vulnerability labeled as critical has been found in Dotclear 2.25.3. The affected element is an unknown function of the component Blog Post Creation Interface. The manipulation results in unrestricted upload. This vulnerability is reported as CVE-2023-53952. The attack can be launched remotely. Moreover, an exploit is present.

A vulnerability identified as critical has been detected in ltb-project LDAP Tool Box Self Service Password 1.5.2. Impacted is an unknown function of the component HTTP Header Handler. The manipulation of the argument Host leads to weak password recovery. This vulnerability is documented as CVE-2023-53958. The attack can be initiated remotely. Additionally, an exploit exists.

https://security-tracker.debian.org/tracker/DSA-6084-1

https://security-tracker.debian.org/tracker/DSA-6083-1

https://security-tracker.debian.org/tracker/DSA-6082-1

https://security-tracker.debian.org/tracker/DSA-6081-1

https://security-tracker.debian.org/tracker/DSA-6080-1

https://security-tracker.debian.org/tracker/DSA-6079-1

https://security-tracker.debian.org/tracker/DSA-6078-1

https://security-tracker.debian.org/tracker/DSA-6077-1

https://security-tracker.debian.org/tracker/DSA-6076-1

https://security-tracker.debian.org/tracker/DSA-6075-1

Information published.

Information published.

Information published.

Information published.

Information published.

Information published.

Information published.

Information published.

Information published.

Information published.

Er is een kwetsbaarheid verholpen in WatchGuard Fireware OS. Er is een kwetsbaarheid verholpen in WatchGuard Fireware OS. De kwetsbaarheid CVE-2025-14733 betreft een out-of-bounds write in het iked-proces van Fireware OS en treft zowel de Mobile User VPN (IKEv2) als de Branch Office VPN (IKEv2) wanneer deze is geconfigureerd met een dynamische gateway-peer. De kwetsbaarheid stelt een niet-geauthenticeerde aanvaller op afstand in staat om willekeurige code uit te voeren. Als de WatchGuard Firebox eerder is geconfigureerd met een Mobile User VPN (IKEv2) of Branch Office VPN (IKEv2) naar een dynamische gateway-peer, en beide configuraties inmiddels zijn verwijderd, kan het systeem alsnog kwetsbaar zijn indien er nog steeds een Branch Office VPN naar een statische gateway-peer is geconfigureerd. WatchGuard heeft pogingen tot misbruik van de kwetsbaarheid waargenomen.

HPE heeft een kwetsbaarheid verholpen in de HPE OneView Software. De kwetsbaarheid bevindt zich in de manier waarop de OneView Software omgaat met externe verzoeken. Als HPE OneView Software via het internet toegangbaar is kunnen ongeauthenticeerde gebruikers op afstand code uitvoeren. Dit kan aanvallers in staat stellen controle te verkrijgen over de getroffen omgevingen.

Cisco heeft een kwetsbaarheid in Cisco AsyncOS. De kwetsbaarheid bevindt zich in apparaten die gebruik maken van Cisco AsyncOS-software in combinatie met Cisco Secure Email Gateway en Cisco Secure Email en Web Manager. Voor uitbuiting is het noodzakelijk dat de service toegankelijk is vanaf het internet en de Spam Quarantine functie actief is, wat niet gebruikelijk is voor deze configuratie.

Fortinet heeft kwetsbaarheden verholpen in FortiOS, FortiProxy, FortiWeb en FortiSwitchManager. De kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om toegang te krijgen tot de systemen door gebruik te maken van verschillende technieken, waaronder het omzeilen van FortiCloud SSO-login authenticatie via speciaal vervaardigde SAML-berichten, het behouden van actieve SSLVPN-sessies ondanks een wachtwoordwijziging, en het uitvoeren van ongeautoriseerde operaties via vervalste HTTP- of HTTPS-verzoeken. Dit kan leiden tot ongeautoriseerde toegang tot gevoelige API-gegevens en andere netwerkbronnen. **update**: Onderzoekers melden actief misbruik waar te nemen van de kwetsbaarheden met kenmerk CVE-2025-59718 en CVE-59719. Deze kwetsbaarheden stellen kwaadwillenden in staat om de Single Sign On te omzeilen en zo toegang te krijgen tot de kwetsbare systemen. De onderzoekers hebben Indicators of Compromise (IoC's) gepubliceerd om misbruik te kunnen onderzoeken. Het NCSC adviseert zo spoedig mogelijk de updates van Fortinet in te zetten, indien dit nog niet is gedaan, eventueel de mitigerende maatregelen in te zetten en middels de gepubliceerde IoC's te onderzoeken of misbruik heeft plaatsgevonden en op basis daarvan de administrator accounts het password van te roteren. Het NCSC adviseert aanvullend om te overwegen de open sessies van administrators te sluiten na inzet van de updates. Zie voor detailinformatie van de IoC's: https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/

Apple heeft kwetsbaarheden verholpen in iOS en iPadOS (versies 18.7.3 en 26.2) De kwetsbaarheden omvatten onder andere een use-after-free probleem, een geheugenbeschadiging, en een logboekprobleem dat ongeautoriseerde toegang tot gevoelige gebruikersdata mogelijk maakte. Deze kwetsbaarheden konden worden uitgebuit door kwaadwillenden via speciaal vervaardigde gegevens of door misbruik van de loggingmechanismen. De fixes omvatten verbeterde geheugenbeheerpraktijken en strengere controles om de integriteit van gebruikersgegevens te waarborgen. Voor succesvol misbruik moet de kwaadwillende het slachtoffer misleiden een malafide app te installeren, een malafide bestand te openen of link te volgen.

Apple heeft kwetsbaarheden verholpen in macOS Sonoma (14.8.3), macOS Sequoia (15.7.3) en macOS Tahoe (26.2). De kwetsbaarheden omvatten een breed scala aan problemen, waaronder geheugenbeschadiging, logboekproblemen, en ongeoorloofde toegang tot gevoelige gebruikersgegevens. Deze kwetsbaarheden konden worden misbruikt door kwaadwillenden om ongeautoriseerde toegang te verkrijgen of om de stabiliteit van het systeem in gevaar te brengen. Voor succesvol misbruik moet de kwaadwillende het slachtoffer misleiden een malafide app te installeren of bestand te openen.

Meta heeft kwetsbaarheden verholpen in React Server Components Parcel, Turbopack en Webpack. De kwetsbaarheden zijn gerelateerd aan onveilige deserialisatie van HTTP-verzoekpayloads, wat kan leiden tot Denial-of-Service-aanvallen en serverhangen. Dit heeft invloed op de beschikbaarheid van applicaties die gebruikmaken van deze versies. Daarnaast is er een informatielek dat kan resulteren in het blootleggen van de broncode van Server Functions onder specifieke omstandigheden. Deze kwetsbaarheden zijn kritiek voor server-side rendering in React-applicaties.

SAP heeft meerdere kwetsbaarheden verholpen in verschillende producten, waaronder SAP Solution Manager, SAP jConnect, SAP Web Dispatcher, SAP NetWeaver, SAP S/4 HANA Private Cloud, en SAP BusinessObjects. De kwetsbaarheden omvatten onder andere code-injectie, deserialisatie, en onvoldoende invoervalidatie, die kunnen leiden tot ongeautoriseerde toegang, gegevensverlies, en verstoring van de beschikbaarheid van systemen. Aangevallen systemen kunnen ernstige gevolgen ondervinden, zoals het uitvoeren van kwaadaardige code door geauthenticeerde aanvallers, en het risico op gegevenslekken door onvoldoende autorisatiecontroles. De impact op de vertrouwelijkheid, integriteit en beschikbaarheid van de systemen is aanzienlijk, met name voor de SAP producten die kwetsbaar zijn voor Denial-of-Service aanvallen en andere exploitatievormen.

OSGeo heeft een kwetsbaarheid verholpen in GeoServer. De kwetsbaarheid bevindt zich in de wijze waarop GeoServer XML-input verwerkt, specifiek via de `/geoserver/wms` GetMap-operatie. Onjuiste sanitatie van XML-input stelt aanvallers in staat om gevoelige bestanden openbaar te maken of Denial-of-Service-aanvallen uit te voeren met behulp van op maat gemaakte XML-input. Er zijn gevallen van actief misbruik van deze kwetsbaarheid bekend.

Barracuda heeft een kwetsbaarheid verholpen in Barracuda Service Center (Specifiek voor RMM oplossingen, versies voor 2025.1.1). De kwetsbaarheid bevindt zich in de inadequate URL-verificatie in WSDL-bestanden die door aanvallers kunnen worden gemanipuleerd. Dit kan leiden tot het (over)schrijven van willekeurige bestanden en externe code-executie, wat een ernstige bedreiging vormt voor de integriteit en beveiliging van de getroffen systemen.

Er is een kwetsbaarheid in Notepad++ gevonden waarmee het mogelijk is om malafide updates naar gebruikers te pushen. Momenteel zijn voor zover bekend uitsluitend organisaties met belangen in Oost-Azië slachtoffer van gerichte aanvallen. Het NCSC heeft vooralsnog geen aanwijzing dat ook in Nederland actief misbruik heeft plaatsgevonden.

Op 3 december 2025 heeft React een blog gepubliceerd over een kritieke kwetsbaarheid met kenmerk CVE-2025-55182. Het NCSC heeft naar aanleiding van deze blog een HIGH/HIGH beveiligingsadvies uitgebracht met handelingsperspectief. NCSC roept organisaties die gebruik maken van deze software met klem op dit advies op te volgen.

De Nationaal Coördinator Terrorismebestrijding en Veiligheid (NCTV) heeft het Cybersecuritybeeld Nederland 2025 (CSBN) gepubliceerd. Het CSBN schetst een beeld van een digitaal dreigingslandschap dat steeds complexer en onvoorspelbaarder wordt. Cyberaanvallen worden geavanceerder terwijl digitale systemen onderling sterk van elkaar afhankelijk zijn. Deze ontwikkeling vraagt om een brede, proactieve aanpak om digitale weerbaarheid te vergroten. In dit bericht belichten we de belangrijkste aandachtspunten uit het CSBN voor Nederlandse organisaties en bedrijven.

Op dinsdag 18 november organiseerden het NCSC, de NCTV en RDI een webinar over de aankomende Cyberbeveiligingswet voor Cbw-organisaties.

Vandaag heeft het NCSC samen met 27 partijen het convenant samenwerking Cyclotron ondertekend op de ONE Conference. De ondertekenaars zijn een groot aantal private partijen en daarnaast ook de AIVD, MIVD, Politie en het NCTV. De ondertekening is een volgende belangrijke stap in de samenwerking met als doel om het beeld op cyberdreigingen en incidenten te versterken door het structureel delen van informatie, het gezamenlijk analyseren van informatie en het verstrekken van informatie uit die analyses aan belanghebbende organisaties. Hiermee wordt de digitale weerbaarheid van Nederland verhoogd.

Voor kleine bedrijven die een financiële drempel ervaren bij het (laten) uitvoeren van cybermaatregelen, is tijdelijk een subsidie beschikbaar: Mijn Cyberweerbare Zaak. Deze subsidie dekt 50% van de kosten van diverse cybermaatregelen, tot een maximum van € 1.250. Kleinere bedrijven met 1 tot en met 50 medewerkers voor wie cybersecurity vaak niet een kerntaak is, kunnen nu met deze subsidie van het ministerie van Economische Zaken de nodige stappen zetten om hun bedrijf beter te beschermen tegen de toenemende cyberdreigingen en eisen die andere bedrijven in de bedrijfsketen stellen.

De cyberweerbaarheid van Nederland is niet langer op te vangen met losse initiatieven. Deze tijd vraagt om één samenhangend netwerk: het Cyberweerbaarheidsnetwerk, kortweg CWN. In het CWN komen publieke en private organisaties samen. Daar brengen ze hun kennis, expertise en ervaring in om gezamenlijk aan opgaven te werken die bijdragen aan de cyberweerbaarheid van alle organisaties in het Koninkrijk der Nederlanden, en daarmee ook de overzeese gebieden. Want alleen samen worden we weerbaarder.

Recentelijk kwam een wereldwijde malwareinfectie van Windows computers aan het licht dankzij software die gebruikers zelf installeerden. Het NCSC adviseert daarom toegang tot de betreffende C2-domeinen te blokkeren, te controleren op de aanwezigheid van de applicaties “Manualfinder”, “PDF-editor” en varianten daarvan, te controleren op de aanwezigheid van JavaScript bestanden met een op een GUID lijkende naam in de directory /AppData/Local/TEMP en om eindgebruikers er met klem op te wijzen om geen externe, onvertrouwde tools te installeren.

Er zijn nieuwe kwetsbaarheden in Citrix Netscaler ontdekt. Met een eerder gepubliceerd detectiescript van het NCSC kan compromittatie worden gedetecteerd.

Eefje Zents wordt met ingang van 15 september 2025 Chief Relations Officer/directeur Samenwerking Digitale weerbaarheid bij het Nationaal Cyber Security Centrum (NCSC) van het ministerie van Justitie en Veiligheid.

Ein Angreifer kann mehrere Schwachstellen in Google Chrome/Microsoft Edge ausnutzen, um nicht spezifizierte Angriffe durchzuführen, potenziell um beliebigen Code auszuführen oder einen Denial-of-Service-Zustand zu verursachen.

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in MongoDB ausnutzen, um Informationen offenzulegen.

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in WebKitGTK ausnutzen, um beliebigen Programmcode auszuführen oder einen Denial-of-Service-Zustand zu verursachen.

Ein lokaler Angreifer kann mehrere Schwachstellen in binutils ausnutzen, um einen Denial of Service Angriff durchzuführen oder beliebigen Code auszuführen.

Ein lokaler Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen oder nicht näher beschrieben Auswirkungen zu erzielen.

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in IBM App Connect Enterprise ausnutzen, um einen Denial of Service Angriff durchzuführen.

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in WatchGuard Firebox OS ausnutzen, um beliebigen Programmcode auszuführen.

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in ConnectWise ScreenConnect ausnutzen, um Informationen offenzulegen.

Ein lokaler Angreifer kann eine Schwachstelle in Dell PowerEdge ausnutzen, um beliebigen Programmcode auszuführen.

Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Kibana ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, vertrauliche Informationen offenzulegen, Daten zu manipulieren und einen Denial-of-Service-Zustand zu verursachen.

Une vulnérabilité a été découverte dans Broadcom Carbon Black Cloud. Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données.

De multiples vulnérabilités ont été découvertes dans les produits Mozilla. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un contournement de la politique de sécurité.

De multiples vulnérabilités ont été découvertes dans Google Chrome. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

De multiples vulnérabilités ont été découvertes dans les produits Atlassian. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

De multiples vulnérabilités ont été découvertes dans les produits Netgate. Elles permettent à un attaquant de provoquer un déni de service à distance et un contournement de la politique de sécurité.

De multiples vulnérabilités ont été découvertes dans les produits NetApp. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.

Une vulnérabilité a été découverte dans Microsoft Windows Admin Center. Elle permet à un attaquant de provoquer une élévation de privilèges.

De multiples vulnérabilités ont été découvertes dans le noyau Linux de Red Hat. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, un déni de service à distance et une atteinte à la confidentialité des données.

De multiples vulnérabilités ont été découvertes dans le noyau Linux d'Ubuntu. Elles permettent à un attaquant de provoquer un déni de service à distance, un contournement de la politique de sécurité et un problème de sécurité non spécifié par l'éditeur.

De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Elles permettent à un attaquant de provoquer un déni de service et un problème de sécurité non spécifié par l'éditeur.

A suspected Russia-aligned group has been attributed to a phishing campaign that employs device code authentication workflows to steal victims' Microsoft 365 credentials and conduct account takeover attacks. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government

Cybersecurity researchers have disclosed details of a new campaign that has used cracked software distribution sites as a distribution vector for a new version of a modular and stealthy loader known as CountLoader. The campaign "uses CountLoader as the initial tool in a multistage attack for access, evasion, and delivery of additional malware families," Cyderes Howler Cell Threat Intelligence

WatchGuard has released fixes to address a critical security flaw in Fireware OS that it said has been exploited in real-world attacks. Tracked as CVE-2025-14733 (CVSS score: 9.3), the vulnerability has been described as a case of out-of-bounds write affecting the iked process that could allow a remote unauthenticated attacker to execute arbitrary code. "This vulnerability affects both the

Authorities in Nigeria have announced the arrest of three "high-profile internet fraud suspects" who are alleged to have been involved in phishing attacks targeting major corporations, including the main developer behind the RaccoonO365 phishing-as-a-service (PhaaS) scheme. The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) said investigations conducted in collaboration with

Certain motherboard models from vendors like ASRock, ASUSTeK Computer, GIGABYTE, and MSI are affected by a security vulnerability that leaves them susceptible to early-boot direct memory access (DMA) attacks across architectures that implement a Unified Extensible Firmware Interface (UEFI) and input–output memory management unit (IOMMU). UEFI and IOMMU are designed to enforce a security

A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been attributed to a series of cyber attacks targeting governmental entities in Southeast Asia and Japan. The end goal of these attacks is cyber espionage, Slovak cybersecurity company ESET said in a report published today. The threat activity cluster has been assessed to be active since at least September 2023. "

Hewlett Packard Enterprise (HPE) has resolved a maximum-severity security flaw in OneView Software that, if successfully exploited, could result in remote code execution. The critical vulnerability, assigned the CVE identifier CVE-2025-37164, carries a CVSS score of 10.0. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems via a

This week’s ThreatsDay Bulletin tracks how attackers keep reshaping old tools and finding new angles in familiar systems. Small changes in tactics are stacking up fast, and each one hints at where the next big breach could come from. From shifting infrastructures to clever social hooks, the week’s activity shows just how fluid the threat landscape has become. Here’s the full rundown of what

Threat actors with ties to the Democratic People's Republic of Korea (DPRK or North Korea) have been instrumental in driving a surge in global cryptocurrency theft in 2025, accounting for at least $2.02 billion out of more than $3.4 billion stolen from January through early December. The figure represents a 51% increase year-over-year and $681 million more than 2024, when the threat actors stole

Within the past year, artificial intelligence copilots and agents have quietly permeated the SaaS applications businesses use every day. Tools like Zoom, Slack, Microsoft 365, Salesforce, and ServiceNow now come with built-in AI assistants or agent-like features. Virtually every major SaaS vendor has rushed to embed AI into their offerings. The result is an explosion of AI capabilities across

Palo Alto Networks and Google Cloud expand their partnership in a multibillion-dollar deal to secure AI workloads as attacks on AI infrastructure surge.

The post Palo Alto Networks, Google Cloud Expand Partnership in Multibillion-Dollar Deal appeared first on TechRepublic.

These aren't simple chatbots anymore—these AI agents access data and tools and carry out tasks, making them infinitely more capable and dangerous.

The post OWASP Drops First AI Agent Risk List appeared first on TechRepublic.

The government stopped short of directly attributing the attack to Chinese operatives or the Chinese state.

The post UK Foreign Office Cyber Breach Exposed Diplomatic Secrets appeared first on TechRepublic.

French intelligence agencies uncovered what appears to be a coordinated foreign interference operation targeting the GNV Fantastic.

The post Italian Ferry Malware Attack Sparks International Probe appeared first on TechRepublic.

The security updates delivered through KB5071546 have fundamentally broken Message Queuing (MSMQ) functionality across multiple Windows versions.

The post Microsoft December Update Breaks Critical IIS Servers appeared first on TechRepublic.

The Chinese threat group, tracked as UAT-9686, has deployed a collection of custom-built hacking tools to maintain persistent access to compromised systems.

The post Chinese Hackers Target Cisco’s Email Security Systems appeared first on TechRepublic.

The breach has already triggered widespread chaos across the platform, with users worldwide reporting connection failures and cryptic error messages.

The post SoundCloud Cyberattack Leaves 28M Users Exposed appeared first on TechRepublic.

An unsecured database exposed 4.3 billion LinkedIn-derived records, enabling large-scale phishing and identity-based attacks.

The post 4.3B LinkedIn-Style Records Found in One of the Largest Data Exposures Ever appeared first on TechRepublic.

Prepare for a successful IT career with lifetime access to expert-led courses covering CompTIA A+, Network+, Security+, and Cloud+ certification prep.

The post Master IT Fundamentals with This CompTIA Certification Prep Bundle appeared first on TechRepublic.

This marks another abrupt end to a Google service that users had come to rely on.

The post Google to Kill Popular Dark Web Report Tool appeared first on TechRepublic.

Microsoft Teams is experiencing issues, with thousands reporting problems sending messages, including delays. [...]

The Nigerian police have arrested three individuals linked to targeted Microsoft 365 cyberattacks via Raccoon0365 phishing-as-a-service. [...]

Multiple threat actors are compromising Microsoft 365 accounts in phishing attacks that leverage the OAuth device code authorization mechanism. [...]

The UEFI firmware implementation in some motherboards from ASUS, Gigabyte, MSI, and ASRock is vulnerable to direct memory access (DMA) attacks that can bypass early-boot memory protections. [...]

Internet security watchdog Shadowserver has found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, amid ongoing attacks targeting a critical authentication bypass vulnerability. [...]

Criminal IP (criminalip.io), the AI-powered threat intelligence and attack surface monitoring platform developed by AI SPERA, is now officially integrated into Palo Alto Networks' Cortex XSOAR. [...]

Danish intelligence officials blamed Russia for orchestrating cyberattacks against Denmark's critical infrastructure, as part of Moscow's hybrid attacks against Western nations. [...]

WatchGuard has warned customers to patch a critical, actively exploited remote code execution (RCE) vulnerability in its Firebox firewalls. [...]

Grocery delivery service Instacart will refund $60 million to settle FTC claims that it misled customers with false advertising and unlawfully enrolled them in paid subscriptions. [...]

This month's extended security update for Windows 11 broke Message Queuing (MSMQ), which is typically used by enterprises to manage background tasks. [...]

Financially motivated and nation-state threat groups are behind a surge in the use of device code phishing attacks that abuse Microsoft's legitimate OAuth 2.0 device authorization grant flow to trick users into giving them access to their M365 accounts, Proofpoint researchers say.

The post Surge of OAuth Device Code Phishing Attacks Targets M365 Accounts appeared first on Security Boulevard.

NCC Group this week revealed it has allied with Qualys to expand the scope of its managed attack surface management (ASM) services to address instances of shadow IT. Amber Mitchell, lead product manager for ASM at NCC Group, said the managed security service provider (MSSP) already provides a managed attack surface service, but aligning with..

The post NCC Group Taps Qualys to Extend Managed Security Service into Shadow IT Realm appeared first on Security Boulevard.

Large enterprises today find themselves stuck in the “messy middle” of digital transformation, managing legacy on-premise firewalls from Palo Alto, Check Point, and Fortinet while simultaneously governing fast-growing cloud environments....

The post 4 Pillars of Network Risk Reduction: A Guide to Network Security Risk Management appeared first on Security Boulevard.

Strengthen NIS2 compliance by preventing weak and compromised passwords with Enzoic's continuous credential protection.

The post NIS2 Compliance: Maintaining Credential Security appeared first on Security Boulevard.

Session 6C: Sensor Attacks

Authors, Creators & Presenters: Shuguang Wang (City University of Hong Kong), Qian Zhou (City University of Hong Kong), Kui Wu (University of Victoria), Jinghuai Deng (City University of Hong Kong), Dapeng Wu (City University of Hong Kong), Wei-Bin Lee (Information Security Center, Hon Hai Research Institute), Jianping Wang (City University of Hong Kong)

PAPER
NDSS 2025 - Interventional Root Cause Analysis Of Failures In Multi-Sensor Fusion Perception Systems

Autonomous driving systems (ADS) heavily depend on multi-sensor fusion (MSF) perception systems to process sensor data and improve the accuracy of environmental perception. However, MSF cannot completely eliminate uncertainties, and faults in multiple modules will lead to perception failures. Thus, identifying the root causes of these perception failures is crucial to ensure the reliability of MSF perception systems. Traditional methods for identifying perception failures, such as anomaly detection and runtime monitoring, are limited because they do not account for causal relationships between faults in multiple modules and overall system failure. To overcome these limitations, we propose a novel approach called interventional root cause analysis (IRCA). IRCA leverages the directed acyclic graph (DAG) structure of MSF to develop a hierarchical structural causal model (H-SCM), which effectively addresses the complexities of causal relationships. Our approach uses a divide-and-conquer pruning algorithm to encompass multiple causal modules within a causal path and to pinpoint intervention targets. We implement IRCA and evaluate its performance using real fault scenarios and synthetic scenarios with injected faults in the ADS Autoware. The average F1-score of IRCA in real fault scenarios is over 95%. We also illustrate the effectiveness of IRCA on an autonomous vehicle testbed equipped with Autoware, as well as a cross-platform evaluation using Apollo. The results show that IRCA can efficiently identify the causal paths leading to failures and significantly enhance the safety of ADS.

---

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

---

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – Interventional Root Cause Analysis Of Failures In Multi-Sensor Fusion Perception Systems appeared first on Security Boulevard.

The recent discovery of a cryptomining campaign targeting Amazon compute resources highlights a critical gap in traditional cloud defense. Attackers are bypassing perimeter defenses by leveraging compromised credentials to execute legitimate but privileged API calls like ec2:CreateLaunchTemplate, ecs:RegisterTaskDefinition, ec2:ModifyInstanceAttribute, and lambda:CreateFunctionUrlConfig. While detection tools identify anomalies after they occur, they do not prevent execution, lateral [...]

The post Preventing This Week’s AWS Cryptomining Attacks: Why Detection Fails and Permissions Matter appeared first on Security Boulevard.

Live from AWS re:Invent, Snir Ben Shimol makes the case that vulnerability management is at an inflection point: visibility is no longer the differentiator—remediation is. Organizations have spent two decades getting better at scanning, aggregating and reporting findings. But the uncomfortable truth is that many of today’s incidents still trace back to vulnerabilities that were..

The post Vulnerability Management’s New Mandate: Remediate What’s Real appeared first on Security Boulevard.

via the insightful artistry and dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘Fifteen Years’ appeared first on Security Boulevard.

Amazon is warning organizations that a North Korean effort to impersonate IT workers is more extensive than many cybersecurity teams may realize after discovering the cloud service provider was also victimized. A North Korean imposter was uncovered working as a remote systems administrator in the U.S. after their keystroke input lag raised suspicions. Normally, keystroke..

The post Amazon Warns Perncious Fake North Korea IT Worker Threat Has Become Widespread appeared first on Security Boulevard.

Google is shutting down its dark web report tool, which was released in 2023 to alert users when their information was found available on the darknet. However, while the report sent alerts, Google said users found it didn't give them next steps to take if their data was detected.

The post Google Shutting Down Dark Web Report Met with Mixed Reactions appeared first on Security Boulevard.

Topic: Summar Employee Portal 3.98.0 Authenticated SQL Injection Risk: Medium Text:# Exploit Title: Summar Employee Portal 3.98.0 - Authenticated SQL Injection # Google Dork: inurl:"/MemberPages/quienesquien....

Topic: dotCMS 25.07.02-1 Authenticated Blind SQL Injection Risk: Medium Text:#!/usr/bin/env python3 # Exploit Title: dotCMS 25.07.02-1 - Authenticated Blind SQL Injection # Google Dork: N/A # Date: 2...

Topic: Soosyze CMS 2.0 Brute Force Login Risk: Medium Text:# Exploit Title: Soosyze CMS 2.0 - Brute Force Login # Google Dork: N/A # Date: 2025-08-13 # Exploit Author: Beatriz Fresno ...

Topic: Windows LNK File UI Misrepresentation Remote Code Execution Risk: Medium Text:# Title: Windows LNK File UI Misrepresentation Remote Code Execution # Date: 2025-01-04 # Exploit Author: nu11secur1ty # Ven...

Topic: Microsoft Windows Media Player WMDRM 'RES://' URI Arbitrary Code Execution Vulnerability Risk: High Text:There ́s an implementation flaw that causes 'RES://' URIs to always be mapped to an 'Internet' security zone context, which all...

Topic: phpMyFAQ 3.1.7 Reflected Cross-Site Scripting (XSS) Risk: Low Text:# Exploit Title: phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS) # Date: 2025-11-25 # Exploit Author: CodeSecLab # V...

Topic: Pluck 4.7.7-dev2 PHP Code Execution Risk: High Text:# Exploit Title: Pluck 4.7.7-dev2 - PHP Code Execution # Date: 2024-10-26 # Exploit Author: CodeSecLab # Vendor Homepage: ...

Topic: R.s.W - Sql Injection Risk: Medium Text:********************************************************* # Exploit Title: SQL Injection – Red Spider Web CMS # Date: 2025-...

Topic: NetBT e-Fatura 'InboxProcessor' Unquoted Service Path Privilege Escalation Risk: Medium Text:# Exploit Title: NetBT e-Fatura 'InboxProcessor' Unquoted Service Path Privilege Escalation # Author: Seccops # Discovery Dat...

Topic: Mbed TLS 3.6.4 Use-After-Free Risk: High Text:/* * Exploit Title: Mbed TLS 3.6.4 - Use-After-Free * Google Dork: N/A * Date: 2025-08-29 * Exploit Author: Byte Reaper...

The Trump administration has pursued a staggering range of policy pivots this past year that threaten to weaken the nation’s ability and willingness to address a broad spectrum of technology challenges, from cybersecurity and privacy to countering disinformation, fraud and corruption. These shifts, along with the president’s efforts to restrict free speech and freedom of the press, have come at such a rapid clip that many readers probably aren’t even aware of them all.

Direct navigation -- the act of visiting a website by manually typing a domain name in a web browser -- has never been riskier: A new study finds the vast majority of "parked" domains -- mostly expired or dormant domain names, or common misspellings of popular websites -- are now configured to redirect visitors to sites that foist scams and malware.

Microsoft today pushed updates to fix at least 56 security flaws in its Windows operating systems and supported software. This final Patch Tuesday of 2025 tackles one zero-day bug that is already being exploited, as well as two publicly disclosed vulnerabilities.

A sprawling academic cheating network turbocharged by Google Ads that has generated nearly $25 million in revenue has curious connections to a Kremlin-connected oligarch whose Russian university builds drones for Russia's war against Ukraine.

China-based phishing groups blamed for non-stop scam SMS messages about a supposed wayward package or unpaid toll fee are promoting a new offering, just in time for the holiday shopping season: Phishing kits for mass-creating fake but convincing e-commerce websites that convert customer payment card data into mobile wallets from Apple and Google. Experts say these same phishing groups also are now using SMS lures that promise unclaimed tax refunds and mobile rewards points.

A prolific cybercriminal group that calls itself "Scattered LAPSUS$ Hunters" made headlines regularly this year by stealing data from and publicly mass extorting dozens of major corporations. But the tables seem to have turned somewhat for "Rey," the moniker chosen by the technical operator and public face of the hacker group: Earlier this week, Rey confirmed his real life identity and agreed to an interview after KrebsOnSecurity tracked him down and contacted his father.

On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for a one-time fee of around $400. But security experts warn these TV boxes require intrusive software that forces the user's network to relay Internet traffic for others, traffic that is often tied to cybercrime activity such as advertising fraud and account takeovers.

In March 2024, Mozilla said it was winding down its collaboration with Onerep -- an identity protection service offered with the Firefox web browser that promises to remove users from hundreds of people-search sites -- after KrebsOnSecurity revealed Onerep's founder had created dozens of people-search services and was continuing to operate at least one of them. Sixteen months later, however, Mozilla is still promoting Onerep. This week, Mozilla announced their partnership with Onerep will officially end next month.

An intermittent outage at Cloudflare on Tuesday briefly knocked many of the Internet's top destinations offline. Some affected Cloudflare customers were able to pivot away from the platform temporarily so that visitors could still access their websites. But security experts say doing so may have also triggered an impromptu network penetration test for organizations that have come to rely on Cloudflare to block many types of abusive and malicious traffic.

Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited. Microsoft also fixed a glitch that prevented some Windows 10 users from taking advantage of an extra year of security updates, which is nice because the zero-day flaw and other critical weaknesses patched today affect all versions of Windows, including Windows 10.

Presently sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.

Perhaps it's just the time of year where we all start to wind down a bit, or maybe I'm just tired after another massive 12 months, but this week's vid is way late. Ok, going away to the place that had just been breached

Presently sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.

The sheer scope of cybercrime can be hard to fathom, even when you live and breathe it every day. It's not just the volume of data, but also the extent to which it replicates across criminal actors seeking to abuse it for their own gain, and to our

Presently sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.

Twelve years (and one day) since launching Have I Been Pwned, it's now a service that Charlotte and I live and breathe every day. From the first thing every morning to the last thing each day, from holidays to birthdays, in sickness and in heal... wait a minute

Presently sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.

Normally, when someone sends feedback like this, I ignore it, but it happens often enough that it deserves an explainer, because the answer is really, really simple. So simple, in fact, that it should be evident to the likes of Bruce, who decided his misunderstanding deserved a 1-star Trustpilot review

Presently sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.

Well, I now have the answer to how Snapchat does age verification for under-16s: they give an underage kid the ability to change their date of birth, then do a facial scan to verify. The facial scan (a third party tells me...) allows someone well under 16 to pass it

Presently sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.

I gave up on the IoT water meter reader. Being technical and thinking you can solve everything with technology is both a blessing and a curse; dogged persistence has given me the life I have today, but it has also burned serious amounts of time because I never want to

Presently sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.

This week, it was an absolute privilege to be at Europol in The Hague, speaking about cyber offenders and at the InterCOP conference and spending time with some of the folks involved in the Operation Endgame actions. The latter in particular gave me a new sense of just how much

Presently sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.

What. A. Week. It wasn't just the preceding weeks of technical pain as we tried to work out how to get this data loaded, it was all the subsequent queries we had to deal with too. Some of them are totally understandable, whilst others just resulted in endless

Presently sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.

I hate hyperbolic news headlines about data breaches, but for the "2 Billion Email Addresses" headline to be hyperbolic, it'd need to be exaggerated or overstated - and it isn't. It's rounded up from the more precise number of 1,957,476,

Presently sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.

The 2 billion email address stealer log breach I talk about this week is almost ready to go at the time of writing. It's been massively time-consuming, massively expensive (we turned the cloud up to 11) and enormously frustrating. I've written about why in the draft

Video from Reddit shows what could go wrong when you try to pet a—looks like a Humboldt—squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Blog moderation policy.

At least some of this is coming to light:

Doublespeed, a startup backed by Andreessen Horowitz (a16z) that uses a phone farm to manage at least hundreds of AI-generated social media accounts and promote products has been hacked. The hack reveals what products the AI-generated accounts are promoting, often without the required disclosure that these are advertisements, and allowed the hacker to take control of more than 1,000 smartphones that power the company.

The hacker, who asked for anonymity because he feared retaliation from the company, said he reported the vulnerability to Doublespeed on October 31. At the time of writing, the hacker said he still has access to the company’s backend, including the phone farm itself. ...

I’m sure there’s a story here:

Sources say the man had tailgated his way through to security screening and passed security, meaning he was not detected carrying any banned items.

The man deceived the BA check-in agent by posing as a family member who had their passports and boarding passes inspected in the usual way.

For two days in September, Afghanistan had no internet. No satellite failed; no cable was cut. This was a deliberate outage, mandated by the Taliban government. It followed a more localized shutdown two weeks prior, reportedly instituted “to prevent immoral activities.” No additional explanation was given. The timing couldn’t have been worse: communities still reeling from a major earthquake lost emergency communications, flights were grounded, and banking was interrupted. Afghanistan’s blackout is part of a wider pattern. Just since the end of September, there were also major nationwide internet shutdowns in ...

New report: “The Party’s AI: How China’s New AI Systems are Reshaping Human Rights.” From a summary article:

China is already the world’s largest exporter of AI powered surveillance technology; new surveillance technologies and platforms developed in China are also not likely to simply stay there. By exposing the full scope of China’s AI driven control apparatus, this report presents clear, evidence based insights for policymakers, civil society, the media and technology companies seeking to counter the rise of AI enabled repression and human rights violations, and China’s growing efforts to project that repression beyond its borders...

Cast your mind back to May of this year: Congress was in the throes of debate over the massive budget bill. Amidst the many seismic provisions, Senator Ted Cruz dropped a ticking time bomb of tech policy: a ten-year moratorium on the ability of states to regulate artificial intelligence. To many, this was catastrophic. The few massive AI companies seem to be swallowing our economy whole: their energy demands are overriding household needs, their data demands are overriding creators’ copyright, and their products are triggering mass unemployment as well as new types of clinical ...

This is a current list of where and when I am scheduled to speak:

• I’m speaking and signing books at the Chicago Public Library in Chicago, Illinois, USA, at 6:00 PM CT on February 5, 2026. Details to come.
• I’m speaking at Capricon 44 in Chicago, Illinois, USA. The convention runs February 5-8, 2026. My speaking time is TBD.
• I’m speaking at the Munich Cybersecurity Conference in Munich, Germany on February 12, 2026.
• I’m speaking at Tech Live: Cybersecurity in New York City, USA on March 11, 2026.
• I’m giving the Ross Anderson Lecture at the University of Cambridge’s Churchill College on March 19, 2026...

I have no context for this video—it’s from Reddit—but one of the commenters adds some context:

Hey everyone, squid biologist here! Wanted to add some stuff you might find interesting.

With so many people carrying around cameras, we’re getting more videos of giant squid at the surface than in previous decades. We’re also starting to notice a pattern, that around this time of year (peaking in January) we see a bunch of giant squid around Japan. We don’t know why this is happening. Maybe they gather around there to mate or something? who knows! but since so many people have cameras, those one-off monster-story encounters are now caught on video, like this one (which, btw, rips. This squid looks so healthy, it’s awesome)...

The promise of personal AI assistants rests on a dangerous assumption: that we can trust systems we haven’t made trustworthy. We can’t. And today’s versions are failing us in predictable ways: pushing us to do things against our own best interests, gaslighting us with doubt about things we are or that we know, and being unable to distinguish between who we are and who we have been. They struggle with incomplete, inaccurate, and partial context: with no standard way to move toward accuracy, no mechanism to correct sources of error, and no accountability when wrong information leads to bad decisions...

I have long maintained that smart contracts are a dumb idea: that a human process is actually a security feature.

Here’s some interesting research on training AIs to automatically exploit smart contracts:

AI models are increasingly good at cyber tasks, as we’ve written about before. But what is the economic impact of these capabilities? In a recent MATS and Anthropic Fellows project, our scholars investigated this question by evaluating AI agents’ ability to exploit smart contracts on Smart CONtracts Exploitation benchmark (SCONE-bench)­a new benchmark they built comprising 405 contracts that were actually exploited between 2020 and 2025. On contracts exploited after the latest knowledge cutoffs (June 2025 for Opus 4.5 and March 2025 for other models), Claude Opus 4.5, Claude Sonnet 4.5, and GPT-5 developed exploits collectively worth $4.6 million, establishing a concrete lower bound for the economic harm these capabilities could enable. Going beyond retrospective analysis, we evaluated both Sonnet 4.5 and GPT-5 in simulation against 2,849 recently deployed contracts without any known vulnerabilities. Both agents uncovered two novel zero-day vulnerabilities and produced exploits worth $3,694, with GPT-5 doing so at an API cost of $3,476. This demonstrates as a proof-of-concept that profitable, real-world autonomous exploitation is technically feasible, a finding that underscores the need for proactive adoption of AI for defense...

The Clop ransomware group is targeting Gladinet CentreStack file servers in a new large-scale extortion campaign. The Clop ransomware group is targeting Gladinet CentreStack file servers in a new large-scale extortion campaign aimed at stealing sensitive data from organizations worldwide. Gladinet CentreStack is a software platform that allows organizations to turn their existing file servers, […]

A new UEFI flaw exposes some ASRock, ASUS, GIGABYTE, and MSI motherboards to early-boot DMA attacks, bypassing IOMMU protections. Researchers warn of a new UEFI vulnerability that affects select ASRock, ASUS, GIGABYTE, and MSI motherboards, enabling early-boot DMA attacks that bypass IOMMU protections. UEFI (Unified Extensible Firmware Interface) is the modern firmware standard that initializes […]

Cisco disclosed a critical zero-day (CVE-2025-20393) in Secure Email Gateway and Secure Email and Web Manager, actively exploited by a China-linked group. Cisco disclosed a critical zero-day, tracked as CVE-2025-20393, in Secure Email Gateway and Secure Email/Web Manager, which is actively exploited by a China-linked threat group. Cisco reported a December 10 campaign targeting certain […]

Hewlett Packard Enterprise (HPE) fixed a critical OneView flaw that could allow attackers to achieve remote code execution. Hewlett Packard Enterprise (HPE) addressed a maximum-severity security vulnerability, tracked as CVE-2025-37164 (CVSS score of 10.0), in OneView Software. An attacker can exploit the flaw to achieve remote code execution. HPE OneView is an integrated IT management […]

Resecurity reports a Q4 2025 surge in criminal use of DIG AI on Tor, enabling scalable illicit activity and posing new risks ahead of major 2026 events. During Q4 2025, Resecurity observed a notable increase in malicious actors utilizing DIG AI, accelerating during the Winter Holidays, when illegal activity worldwide reached a new record. With […]

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Cisco, SonicWall, and ASUS flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple and Gladinet CentreStack and Triofox flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are the flaws added to the catalog: Cisco reported a December 10 campaign […]

Attackers abuse WhatsApp’s device-linking feature to hijack accounts via pairing codes in the GhostPairing campaign. Attackers are exploiting WhatsApp’s device-linking feature to hijack accounts using pairing codes in a campaign dubbed GhostPairing, without requiring authentication. Gen Digital first observed the GhostPairing campaign in Czechia, but warns that it can spread globally via compromised accounts. The […]

SonicWall warned users to patch a SMA1000 AMC flaw that was exploited as a zero-day privilege escalation vulnerability in attacks. SonicWall urged customers to address a vulnerability, tracked as CVE-2025-40602, in the SMA1000 Appliance Management Console that was exploited as a zero-day in attacks in the wild. The flaw is a local privilege escalation issue […]

French prosecutors probe a suspected cyberattack on GNV ferry Fantastic, raising concerns of a possible remote hijack. French prosecutors are investigating a suspected cyberattack on the GNV ferry Fantastic, raising fears of a potential remote hijack. The ferry Fantastic sails between Sète and North Africa, and French authorities are investigating a suspected attempt to compromise […]

Askul disclosed that an October RansomHouse ransomware attack compromised over 700,000 records at the Japanese e-commerce and logistics firm. Askul is a Japanese e-commerce and logistics company best known for supplying office products, stationery, IT equipment, and everyday business consumables to companies and consumers. It operates large-scale fulfillment and delivery services across Japan and is […]

The fake human verification process led to infostealer and ransomware infections

Winter is coming – so it must be time for Sophos X-Ops’ report on this year’s MITRE ATT&CK Enterprise Evaluations

A month with no Critical-severity Windows bugs is overshadowed by a mass of Mariner mop-up

The availability of exploit code will likely lead to more widespread opportunistic attacks

#1 Ranked in 66 Global Reports

Analysis of the tradecraft evolution across 6 months and 11 incidents

A major milestone: Sophos XDR delivers 100% detection coverage in the latest ATT&CK Evaluation.

Secure by Design.

Sophos has been named one of Computerworld’s 2026 Best Places to Work in IT for the second consecutive year, earning 10th place among large organizations for its innovative, people-focused, and high-impact IT culture.

The ransomware scene gains another would-be EDR killer