PayPal has applied to become a US bank by forming a Utah-chartered industrial loan company, signaling a push to deepen its financial services "as companies rush to capitalize on a friendly regulatory environment under the Trump administration," reports Reuters. From the report: If approved, the move will help PayPal to strengthen its lending offerings to small businesses in the U.S. as well as reduce its reliance on third parties. "Securing capital remains a significant hurdle for small businesses striving to grow and scale," said PayPal CEO Alex Chriss. "Establishing PayPal Bank will strengthen our business and improve our efficiency, enabling us to better support small business growth and economic opportunities across the U.S." PayPal also plans to offer interest-bearing savings accounts to customers. The company has provided over $30 billion in loans and capital since 2013, it said. [...] PayPal has selected Mara McNeill to serve as PayPal Bank's president. She comes with over two decades of experience in banking and commercial lending, and has previously served as the CEO of Toyota Financial Savings Bank.

Read more of this story at Slashdot.

A new study warns that glaciers in the European Alps will hit their peak extinction rate within eight years, with global glacier loss accelerating toward thousands per year unless emissions are rapidly cut. "Glaciers in the western US and Canada are forecast to reach their peak year of loss less than a decade later, with more than 800 disappearing each year by then," adds the Guardian. From the report: About 200,000 glaciers remain worldwide, with about 750 disappearing each year. However, the research indicates this pace will accelerate rapidly as emissions from burning fossil fuels continue to be released into the atmosphere. Current climate action plans from governments are forecast to push global temperatures to about 2.7C above preindustrial levels, supercharging extreme weather. Under this scenario, glacier losses would peak at about 3,000 a year in 2040 and plateau at that rate until 2060. By the end of the century, 80% of today's glaciers will have gone. By contrast, rapid cuts to carbon emissions to keep global temperature rise to 1.5C would cap annual losses at about 2,000 a year in 2040, after which the rate would decline. [...] The new study, published in Nature Climate Change, analyzed more than 200,000 glaciers from a database of outlines derived from satellite images. The researchers used three global glacier models to assess their fate under different heating scenarios. Regions with the smallest and fastest-melting glaciers were found to be the most vulnerable. The study estimates the 3,200 glaciers in central Europe would shrink by 87% by 2100 -- even if global temperature rise is limited to 1.5C, rising to 97% under 2.7C of heating. In the western US and Canada, including Alaska, about 70% of today's 45,000 glaciers are projected to vanish under 1.5C of heating, and more than 90% under 2.7C. The Caucasus and southern Andes are also expected to face devastating losses. Larger glaciers take longer to melt, with those in Greenland reaching their peak extinction rate in about 2063 -- losing 40% by 2100 under 1.5C of heating and 59% under 2.7C. However, the melting is forecast to continue beyond 2100. The researchers said the peak loss dates represent more than a numerical milestone. "They mark turning points with profound implications for ecosystems, water resources and cultural heritage," they wrote. "[It is] a human story of vanishing landscapes, fading traditions and disrupted daily routines."

Read more of this story at Slashdot.

Our anonymous submitter was looking for a Microsoft partner to manage his firm's MSDN subscriptions; the pile of licenses and seats and allowed uses was complex enough to want specialists. In hopes of quickly zeroing in on a known and reputable firm, he tracked down the website of a tech consultancy that'd been used by one of his previous employers.

When he browsed to their Contact Us page, filled out the contact form, and clicked Submit, the webpage simply refreshed with no signs of actually doing anything. After staring at the screen for a moment, wondering what had gone wrong, Subby noticed the single quotes used within his message were now escaped. Clicking Submit a few more times kept adding escape characters, with no submission ever occurring. So he amended his message to remove every it's, we're, and other such contraction.

Without single quotes, the next submission was successful. It's impossible to say what was going on behind the scenes, but this seemed to suggest a SQL injection vulnerability in their form submission code. They were escaping "'" characters because they were building their query through string concatenation. But in addition to escaping the single quotes, it seemed to be rejecting any string which contained them.

A stellar first impression, to be sure. In fairness, this firm hadn't designed their own website. The name of the designer they'd contracted with, displayed in the webpage footer, looked more embarrassing than proud in light of his trouble.

An email address was listed beside the contact form. Subby sent a separate email alerting them of the bug he'd found. Hopefully, someone would acknowledge and channel it to the proper support contact.

A week passed. Subby never received a response or any confirmation that any of his messages had been received. Had that mailbox been abandoned after most, if not all, attempted contacts had mysteriously failed?

"I guess no SQL injection if it's never submitted!" Subby joked to himself.

He moved on to other prospects.

[Advertisement] Plan Your .NET 9 Migration with Confidence
Your journey to .NET 9 is more than just one decision.Avoid migration migraines with the advice in this free guide. Download Free Guide Now!

An anonymous reader quotes a report from Ars Technica: Microsoft is killing off an obsolete and vulnerable encryption cipher that Windows has supported by default for 26 years following more than a decade of devastating hacks that exploited it and recently faced blistering criticism from a prominent US senator. When the software maker rolled out Active Directory in 2000, it made RC4 a sole means of securing the Windows component, which administrators use to configure and provision fellow administrator and user accounts inside large organizations. RC4, short for Rivist Cipher 4, is a nod to mathematician and cryptographer Ron Rivest of RSA Security, who developed the stream cipher in 1987. Within days of the trade-secret-protected algorithm being leaked in 1994, a researcher demonstrated a cryptographic attack that significantly weakened the security it had been believed to provide. Despite the known susceptibility, RC4 remained a staple in encryption protocols, including SSL and its successor TLS, until about a decade ago. [...] Last week, Microsoft said it was finally deprecating RC4 and cited its susceptibility to Kerberoasting, the form of attack, known since 2014, that was the root cause of the initial intrusion into Ascension's network. "By mid-2026, we will be updating domain controller defaults for the Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later to only allow AES-SHA1 encryption," Matthew Palko, a Microsoft principal program manager, wrote. "RC4 will be disabled by default and only used if a domain administrator explicitly configures an account or the KDC to use it." [...] Following next year's change, RC4 authentication will no longer function unless administrators perform the extra work to allow it. In the meantime, Palko said, it's crucial that admins identify any systems inside their networks that rely on the cipher. Despite the known vulnerabilities, RC4 remains the sole means of some third-party legacy systems for authenticating to Windows networks. These systems can often go overlooked in networks even though they are required for crucial functions. To streamline the identification of such systems, Microsoft is making several tools available. One is an update to KDC logs that will track both requests and responses that systems make using RC4 when performing requests through Kerberos. Kerberos is an industry-wide authentication protocol for verifying the identities of users and services over a non-secure network. It's the sole means for mutual authentication to Active Directory, which hackers attacking Windows networks widely consider a Holy Grail because of the control they gain once it has been compromised. Microsoft is also introducing new PowerShell scripts to sift through security event logs to more easily pinpoint problematic RC4 usage. Microsoft said it has steadily worked over the past decade to deprecate RC4, but that the task wasn't easy. "The problem though is that it's hard to kill off a cryptographic algorithm that is present in every OS that's shipped for the last 25 years and was the default algorithm for so long, Steve Syfuhs, who runs Microsoft's Windows Authentication team, wrote on Bluesky. "See," he continued, "the problem is not that the algorithm exists. The problem is how the algorithm is chosen, and the rules governing that spanned 20 years of code changes."

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: Microsoft is killing off an obsolete and vulnerable encryption cipher that Windows has supported by default for 26 years following more than a decade of devastating hacks that exploited it and recently faced blistering criticism from a prominent US senator. When the software maker rolled out Active Directory in 2000, it made RC4 a sole means of securing the Windows component, which administrators use to configure and provision fellow administrator and user accounts inside large organizations. RC4, short for Rivist Cipher 4, is a nod to mathematician and cryptographer Ron Rivest of RSA Security, who developed the stream cipher in 1987. Within days of the trade-secret-protected algorithm being leaked in 1994, a researcher demonstrated a cryptographic attack that significantly weakened the security it had been believed to provide. Despite the known susceptibility, RC4 remained a staple in encryption protocols, including SSL and its successor TLS, until about a decade ago. [...] Last week, Microsoft said it was finally deprecating RC4 and cited its susceptibility to Kerberoasting, the form of attack, known since 2014, that was the root cause of the initial intrusion into Ascension's network. "By mid-2026, we will be updating domain controller defaults for the Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later to only allow AES-SHA1 encryption," Matthew Palko, a Microsoft principal program manager, wrote. "RC4 will be disabled by default and only used if a domain administrator explicitly configures an account or the KDC to use it." [...] Following next year's change, RC4 authentication will no longer function unless administrators perform the extra work to allow it. In the meantime, Palko said, it's crucial that admins identify any systems inside their networks that rely on the cipher. Despite the known vulnerabilities, RC4 remains the sole means of some third-party legacy systems for authenticating to Windows networks. These systems can often go overlooked in networks even though they are required for crucial functions. To streamline the identification of such systems, Microsoft is making several tools available. One is an update to KDC logs that will track both requests and responses that systems make using RC4 when performing requests through Kerberos. Kerberos is an industry-wide authentication protocol for verifying the identities of users and services over a non-secure network. It's the sole means for mutual authentication to Active Directory, which hackers attacking Windows networks widely consider a Holy Grail because of the control they gain once it has been compromised. Microsoft is also introducing new PowerShell scripts to sift through security event logs to more easily pinpoint problematic RC4 usage. Microsoft said it has steadily worked over the past decade to deprecate RC4, but that the task wasn't easy. "The problem though is that it's hard to kill off a cryptographic algorithm that is present in every OS that's shipped for the last 25 years and was the default algorithm for so long, Steve Syfuhs, who runs Microsoft's Windows Authentication team, wrote on Bluesky. "See," he continued, "the problem is not that the algorithm exists. The problem is how the algorithm is chosen, and the rules governing that spanned 20 years of code changes."

Read more of this story at Slashdot.

Once a star of the self-driving hype cycle, lidar maker Luminar has filed for bankruptcy amid legal turmoil, layoffs, and a cooling autonomous-vehicle market. It plans to sell off its assets before shutting down entirely. The Verge reports: As part of its bankruptcy, Luminar is seeking permission to sell both its lidar and semiconductor businesses, the latter of which it has already agreed to sell to Quantum Computing for $110 million. The company plans to continue to operate during the bankruptcy proceedings "to minimize disruptions and maintain delivery of its LiDAR hardware and software." That said, Luminar will cease to exist once the process is complete. "As we navigate this process, our top priority is to continue delivering the same quality, reliability and service our customers have come to expect from us," CEO Paul Ricci said in a statement. After launching in 2017, Luminar muscled its way to the front of the autonomous vehicle industry as a top maker of lidar systems, a key technology that driverless cars use to sense the shapes and distances of objects around them. Luminar has sold sensors to Mercedes-Benz, Volvo, Audi, Toyota Research Institute, Caterpillar, and even Tesla, which has dismissed lidar sensors in favor of traditional cameras. The company was valued at nearly $3 billion when it went public through a reverse merger with a SPAC in 2020.

Read more of this story at Slashdot.

After introducing an AI Mode shortcut earlier this year, Google has now added a new "plus" menu to its Search homepage, highlighting options for image and file uploads. 9to5Google reports: On google.com, the Search bar now has a plus icon at the far left that replaces the magnifying glass. Clicking lets you "Upload image" or "Upload file." It very much matches the AI Mode experience. Those two capabilities aren't new, but this plus menu does help emphasize that you can use Google to accomplish tasks, and not just find information. Additionally, it helps indicate that they can be used with AI Mode and AI Overviews. This is just available on desktop web (not mobile) and is live on all the devices we checked today, including across signed-out Incognito sessions.

Read more of this story at Slashdot.

A critical React vulnerability (CVE-2025-55182) is being actively exploited at scale by Chinese, Iranian, North Korean, and criminal groups to gain remote code execution, deploy backdoors, and mine crypto. The Register reports: React maintainers disclosed the critical bug on December 3, and exploitation began almost immediately. According to Amazon's threat intel team, Chinese government crews, including Earth Lamia and Jackpot Panda, started battering the security hole within hours of its disclosure. Palo Alto Networks' Unit 42 responders have put the victim count at more than 50 organizations across multiple sectors, with attackers from North Korea also abusing the flaw. Google, in a late Friday report, said at least five other suspected PRC spy groups also exploited React2Shell, along with criminals who deployed XMRig for illicit cryptocurrency mining, and "Iran-nexus actors," although the report doesn't provide any additional details about who the Iran-linked groups are and what they are doing after exploitation. "GTIG has also observed numerous discussions regarding CVE-2025-55182 in underground forums, including threads in which threat actors have shared links to scanning tools, proof-of-concept (PoC) code, and their experiences using these tools," the researchers wrote.

Read more of this story at Slashdot.

An anonymous reader quotes a report from the Wall Street Journal: JPMorgan Chase is joining the list of traditional financial firms seeking to bring blockchain technology to an investing staple: the money-market fund. The banking giant's $4 trillion asset-management arm is rolling out its first tokenized money-market fund on the Ethereum blockchain. JPMorgan will seed the fund with $100 million of its own capital, and then open it to outside investors on Tuesday. Called My OnChain Net Yield Fund, or "MONY," the private fund is supported by JPMorgan's tokenization platform, Kinexys Digital Assets, and will be open to qualified investors, or individuals with at least $5 million in investments and institutions with a minimum of $25 million. The fund has a $1 million investment minimum. Wall Street has waded deeper into tokenization since the passage of the Genius Act earlier this year. The landmark measure, which establishes a regulatory framework for tokenized dollars known as stablecoins, has unleashed a wave of efforts to tokenize everything from stocks and bonds to funds and real assets. "There is a massive amount of interest from clients around tokenization," said John Donohue, head of global liquidity at J.P. Morgan Asset Management. "And we expect to be a leader in this space and work with clients to make sure that we have a product lineup that allows them to have the choices that we have in traditional money-market funds on blockchain."

Read more of this story at Slashdot.

Merriam-Webster crowned "slop" its 2025 Word of the Year, reflecting growing public awareness and and fatigue around low-quality, AI-generated content flooding the internet. "It's such an illustrative word," said Greg Barlow, Merriam-Webster's president. "It's part of a transformative technology, AI, and it's something that people have found fascinating, annoying and a little bit ridiculous." The Associated Press reports: "Slop" was first used in the 1700s to mean soft mud, but it evolved more generally to mean something of little value. The definition has since expanded to mean "digital content of low quality that is produced usually in quantity by means of artificial intelligence." In other words, "you know, absurd videos, weird advertising images, cheesy propaganda, fake news that looks real, junky AI-written digital books," Barlow said. "Words like 'ubiquitous,' 'paradigm,' 'albeit,' 'irregardless,' these are always top lookups because they're words that are on the edge of our lexicon," Barlow said. "'Irregardless' is a word in the dictionary for one reason: It's used. It's been used for decades to mean 'regardless.'" The announcement can be found here.

Read more of this story at Slashdot.

Ford has effectively pulled the plug on the all-electric F-150 Lightning, pivoting away from full-size BEV pickups toward hybrids, range-extended EVs (EREVs), and even data-center battery storage. Ars Technica reports: Ford's announcements today can't be said to have come out of the blue. Rumors of the F-150's demise have been circulating for more than a month, and last week SK On ended its joint venture with Ford that was building a pair of EV battery plants in Kentucky and Tennessee. We learned then that Ford would keep the Kentucky plant and SK On gets the one in Tennessee, which would focus on the energy storage business instead. Now, we know that something similar will happen at the Kentucky plant -- Ford says it's spending $2 billion to convert the factory to make prismatic lithium iron phosphate (LFP) cells. Those aren't destined for EVs, but they are the preferred cell format for data centers, Ford says. The company says that it will bring the factory online in the next 18 months, reaching an annual output of 20 GWh. Other Ford plants are also being repurposed. With no full-size BEV pickup in the product plans, the assembly plant in Tennessee that was to produce it -- the one near the battery factory that SK On is keeping -- will instead build new gas-powered trucks, although not for another four years. Around that same time, its Ohio assembly plant will begin building new commercial vehicles. All of this will impact Ford's bottom line, to the tune of $19.5 billion over the next few years, $5.5 billion of which will be in cash. Most of that will hit in the final quarter of 2025, but will extend until 2027, Ford said.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Reuters: Several dozen people protested on Sunday in the Siberian city of Tomsk against Russia's ban on U.S. children's gaming platform Roblox, a rare show of public dissent as popular irritation over the ban gains some momentum. In wartime Russia, censorship is extensive: Moscow blocks or restricts social media platforms such as Snapchat, Facebook, Instagram, WhatsApp and YouTube while distributing its own narrative through a network of social media and Russian media. Russia's communications watchdog Roskomnadzor said on December 3 it had blocked Roblox because it was "rife with inappropriate content that can negatively impact the spiritual and moral development of children." In Tomsk, 2,900 km (1,800 miles) east of Moscow, several dozen people braved the snow to hold up hand-drawn placards reading "Hands off Roblox" and "Roblox is the victim of the digital Iron Curtain" in Vladimir Vysotsky Park, according to photographs provided by an organizer of the protest. "Bans and blocks are all you are able to do," read one placard. The photographs showed about 25 people standing in a circle in the snow, holding up placards. In Russia, the ban on Roblox has triggered a debate over censorship, child safety in relation to technology and even the effectiveness of censorship in a digitalized world where children can bypass many bans in a few clicks.

Read more of this story at Slashdot.

A Kansas man who sued Verizon in small claims court after the carrier refused to unlock his iPhone has won his case, scoring a small but meaningful victory against a company that retroactively applied a policy change to deny his unlock request. Patrick Roach bought a discounted iPhone 16e from Verizon's Straight Talk brand in February 2025, intending to pay for one month of service before switching the device to US Mobile. Under FCC rules dating back to a 2019 waiver, Verizon must unlock phones 60 days after activation on its network. Verizon refused to unlock the phone, citing a new policy implemented on April 1, 2025 requiring "60 days of paid active service." Roach had purchased his device over a month before that policy took effect. Magistrate Judge Elizabeth Henry ruled in October 2025 that applying the changed terms to Roach's earlier purchase violated the Kansas Consumer Protection Act. The court ordered Verizon to refund Roach's $410.40 purchase price plus court costs. Roach had previously rejected a $600 settlement offer because it would have required him to sign a non-disclosure agreement. He estimated spending about 20 hours on the lawsuit but said "it wasn't about" the money.

Read more of this story at Slashdot.

One of the most water-scarce regions on Earth is now experiencing a dramatic atmospheric shift that's pushing moisture onto Oman's northern coast at rates more than 1.5 times the global average, according to a Washington Post investigation of global atmospheric data [non-paywalled source]. The change has turned extreme rainfall into a recurrent source of catastrophe across the Arabian Peninsula. In the 126 years between 1881 and 2007, just six hurricane-strength storms hit Oman or came within 60 miles of the country. At least four more have made landfall in the past 15 years alone. Research from Sultan Qaboos University analyzing 8,000 storms across 69 rainfall stations found that half of all rain in Oman falls within the first 90 minutes of a 24-hour storm. These intense bursts quickly overwhelm the desert's ability to absorb water and send flash floods racing through wadis -- normally dry riverbeds where many communities are built. In response, Dubai is constructing an $8 billion underground stormwater network spanning more than 120 miles. Oman has agreements to build 58 new dams and is studying 14 major wadis that funnel to its al-Batinah coastline.

Read more of this story at Slashdot.

Cloudflare's sixth annual Year in Review report describes an internet increasingly shaped by two forces: automated traffic and government intervention, as global connectivity grew 19% year over year in 2025. Google's web crawler now dominates automated traffic, dwarfing other AI and indexing bots to become the single largest source of bot activity on the web. Nearly half of all major internet disruptions globally were linked to government actions, and civil society and non-profit organizations became the most attacked sector for the first time. Post-quantum encryption crossed a significant threshold, now protecting 52% of human internet traffic observed by Cloudflare. The company also recorded more than 25 record-breaking DDoS attacks throughout the year.

Read more of this story at Slashdot.

Google has decided to retire its free dark web monitoring tool, saying it wasn't as helpful as the company hoped. From a report: In a support page, Google announced the discontinuation of the "dark web report" tool, two years after offering it as a free perk to Gmail users before expanding it more broadly. The feature worked by scanning for your email addresses to determine whether they had appeared in data breaches, which often circulate on Dark Web marketplaces. The tool could then alert you about where the data was exposed, including any accompanying details such as dates of birth, addresses, and phone numbers.

Read more of this story at Slashdot.

The Trump administration announced Monday the United States Tech Force, a new program to recruit around 1,000 technologists for two-year government stints starting as soon as March -- less than a year after dismantling several federal technology teams and driving thousands of tech workers out of their jobs. The program will primarily recruit early-career software engineers and data scientists, paying between $150,000 and $200,000 annually. About 20 companies have signed on to participate, including Palantir, Meta, Oracle and Elon Musk's xAI. Some engineering managers will be allowed to take leaves of absence from their private-sector employers to join the program without divesting their stock holdings. The initiative follows the March closure of 18F, General Services Administration's internal tech consultancy, and the shuttering of the Social Security Administration's Office of Transformation in February. The IRS had lost over 2,000 tech workers by June.

Read more of this story at Slashdot.

For decades, Parkinson's disease research has overwhelmingly focused on genetics -- more than half of all research dollars in the past two decades flowed toward genomic studies -- but a growing body of evidence now points to something far more mundane as a primary culprit: contaminated drinking water. A landmark study by epidemiologist Sam Goldman compared Marines stationed at Camp Lejeune in North Carolina, where trichloroethylene (TCE) had contaminated the water supply for approximately 35 years, against those at Camp Pendleton in California, which has clean water. Marines exposed to TCE at Lejeune were 70% more likely to develop Parkinson's. The latest research suggests only 10 to 15 percent of Parkinson's cases can be fully explained by genetics. Parkinson's rates in the US have doubled in the past 30 years -- a pattern inconsistent with an inherited genetic disease. The EPA moved to ban TCE in December 2024. The Trump administration moved to undo the ban in January.

Read more of this story at Slashdot.

Sixty years after a team of American and Indian climbers abandoned a plutonium-powered generator on the slopes of Nanda Devi, one of the world's most forbidding Himalayan peaks, the U.S. government still refuses to acknowledge that the mission ever happened. The device, a SNAP-19C portable generator containing plutonium isotopes including Pu-239 -- the same material used in the Nagasaki bomb -- was left behind in October 1965 when a sudden blizzard forced climbers to retreat from Camp Four, just below the summit. The mission originated from a cocktail party conversation between General Curtis LeMay and National Geographic photographer Barry Bishop, who had summited Everest in 1963. China had just detonated its first atomic bomb in October 1964, and the CIA wanted to intercept radio signals from Chinese missile tests by placing an unmanned listening station atop the Himalayas. Barry Bishop recruited elite American climbers and coordinated with Indian intelligence to haul surveillance equipment up the mountain. Captain M.S. Kohli, the Indian naval officer commanding the mission, ordered climbers to secure the equipment and descend when the blizzard struck. Jim McCarthy, the last surviving American climber, recalled warning Kohli he was making a mistake. "You can't leave plutonium by a glacier feeding into the Ganges!" he recalled. "Do you know how many people depend on the Ganges?" When teams returned in spring 1966, the entire ice ledge where the gear had been stashed was gone -- sheared off by an avalanche. Search missions in 1967 and 1968 found nothing. The device remains buried somewhere in the glaciers that feed tributaries of the Ganges River.

Read more of this story at Slashdot.

Grid constraints that were once a hallmark of developing economies are now plaguing the world's richest nations, and new research from Bloomberg Economics finds that rising electricity system stress is directly hurting investment. The analysis examined all G20 countries and found that a one-standard-deviation increase in grid stress relative to a country's historical average lowers the investment share of GDP by around 0.33 percentage points -- a 1.5% to 2% hit to capital outlays. The Netherlands is a case in point: 12,000 businesses are waiting for grid connections, congestion issues are expected to persist for a decade despite $9.4 billion in annual investments, and the country is already consuming as much electricity as was projected for 2030. ASML, the chip equipment maker whose fortunes can sway the Dutch economy, has no guarantee it will secure power for a new campus planned to employ 20,000 people. Data centers are particularly affected. Google canceled plans near Berlin, a Frankfurt facility cannot expand until 2033, Microsoft has shifted investments from Ireland and the UK to the Nordics, and a Digital Realty Trust data center in Santa Clara that was applied for in 2019 may sit empty for years.

Read more of this story at Slashdot.