Category: Editor’s Pick

Parents, students, teachers, and administrators throughout North America are smarting from what could be the biggest data breach of 2025: an intrusion into the network of a cloud-based service storing detailed data of millions of pupils and school personnel.

The hack, which came to light earlier this month, hit PowerSchool, a Folsom, California firm that provides cloud-based software to some 16,000 K–12 schools worldwide. The schools serve 60 million students and employ an unknown number of teachers. Besides providing software for administration, grades, and other functions, PowerSchool stores personal data for students and teachers, with much of that data including social security numbers, medical information, and home addresses.

On January 7, PowerSchool revealed that it had experienced a network intrusion two weeks earlier that resulted in the “unauthorized exportation of personal information” customers stored in PowerSchool’s Student Information System (SIS) through PowerSource, a customer support portal. Information stolen included individuals’ names, contact information, dates of birth, medical alert information, Social Security Numbers, and unspecified “other related information.”

Read full article


Late last month, researchers revealed a finding that’s likely to shock some people and confirm the low expectations of others: Renewable energy facilities throughout Central Europe use unencrypted radio signals to receive commands to feed or ditch power into or from the grid that serves some 450 million people throughout the continent.

Fabian Bräunlein and Luca Melette stumbled on their discovery largely by accident while working on what they thought would be a much different sort of hacking project. After observing a radio receiver on the streetlight poles throughout Berlin, they got to wondering: Would it be possible for someone with a central transmitter to control them en masse, and if so, could they create a city-wide light installation along the lines of Project Blinkenlights?

Images showing Project Blinkenlights throughout the years. Credit: Positive Security

The first Project Blinkenlights iteration occurred in 2001 in Berlin, when the lights inside a large building were synchronized to turn on and off to give the appearance of a giant, low-resolution monochrome computer screen.

Read full article


We’re only three weeks into 2025, and it’s already shaping up to be the year of Internet of Things-driven DDoSes. Reports are rolling in of threat actors infecting thousands of home and office routers, web cameras, and other Internet-connected devices.

Here is a sampling of research released since the first of the year.

Lax security, ample bandwidth

A post on Tuesday from content-delivery network Cloudflare reported on a recent distributed denial-of-service attack that delivered 5.6 terabits per second of junk traffic—a new record for the largest DDoS ever reported. The deluge, directed at an unnamed Cloudflare customer, came from 13,000 IoT devices infected by a variant of Mirai, a potent piece of malware with a long history of delivering massive DDoSes of once-unimaginable sizes.

Read full article


On Monday, Chinese AI lab DeepSeek released its new R1 model family under an open MIT license, with its largest version containing 671 billion parameters. The company claims the model performs at levels comparable to OpenAI’s o1 simulated reasoning (SR) model on several math and coding benchmarks.

Alongside the release of the main DeepSeek-R1-Zero and DeepSeek-R1 models, DeepSeek published six smaller “DeepSeek-R1-Distill” versions ranging from 1.5 billion to 70 billion parameters. These distilled models are based on existing open source architectures like Qwen and Llama, trained using data generated from the full R1 model. The smallest version can run on a laptop, while the full model requires far more substantial computing resources.

The releases immediately caught the attention of the AI community because most existing open-weights models—which can often be run and fine-tuned on local hardware—have lagged behind proprietary models like OpenAI’s o1 in so-called reasoning benchmarks. Having these capabilities available in an MIT-licensed model that anyone can study, modify, or use commercially potentially marks a shift in what’s possible with publicly available AI models.

Read full article


Microsoft has two announcements for subscribers to its Microsoft 365 Personal and Family plans today. First, you’re getting the Copilot-powered AI features that Microsoft has been rolling out to businesses and Copilot Pro subscribers, like summarizing or generating text in Word, drafting slideshows in PowerPoint based on a handful of criteria, or analyzing data in Excel. Second, you’ll be paying more for the privilege of using those features, to the tune of an extra $3 a month or $30 a year.

This raises the price of a Microsoft 365 Personal subscription from $6.99 a month or $69.99 a year to $9.99 and $99.99; a family subscription goes from $9.99 a month or $99.99 a year to $12.99 a month or $129.99 a year. For current subscribers, these prices go into effect the next time your plan renews.

Current subscribers are also being given an escape hatch “for a limited time.” “Classic” Personal and Family plans at the old prices with no Copilot features included will still be offered, but you’ll need to go to the “services & subscriptions” page of your Microsoft account and attempt to cancel your existing subscription to be offered the discounted pricing.

Read full article


For the past seven months—and likely longer—an industry-wide standard that protects Windows devices from firmware infections could be bypassed using a simple technique. On Tuesday, Microsoft finally patched the vulnerability. The status of Linux systems is still unclear.

Tracked as CVE-2024-7344, the vulnerability made it possible for attackers who had already gained privileged access to a device to run malicious firmware during bootup. These types of attacks can be particularly pernicious because infections hide inside the firmware that runs at an early stage, before even Windows or Linux has loaded. This strategic position allows the malware to evade defenses installed by the OS and gives it the ability to survive even after hard drives have been reformatted. From then on, the resulting “bootkit” controls the operating system start.

In place since 2012, Secure Boot is designed to prevent these types of attacks by creating a chain-of-trust linking each file that gets loaded. Each time a device boots, Secure Boot verifies that each firmware component is digitally signed before it’s allowed to run. It then checks the OS bootloader’s digital signature to ensure that it’s trusted by the Secure Boot policy and hasn’t been tampered with. Secure Boot is built into the UEFI—short for Unified Extensible Firmware Interface—the successor to the BIOS that’s responsible for booting modern Windows and Linux devices.

Read full article


On Monday, the US government announced a new round of regulations on global AI chip exports, dividing the world into roughly three tiers of access. The rules create quotas for about 120 countries and allow unrestricted access for 18 close US allies while maintaining existing bans on China, Russia, Iran, and North Korea.

AI-accelerating GPU chips, like those manufactured by Nvidia, currently serve as the backbone for a wide variety of AI model deployments, such as chatbots like ChatGPT, AI video generators, self-driving cars, weapons targeting systems, and much more. The Biden administration fears that those chips could be used to undermine US national security.

According to the White House, “In the wrong hands, powerful AI systems have the potential to exacerbate significant national security risks, including by enabling the development of weapons of mass destruction, supporting powerful offensive cyber operations, and aiding human rights abuses.”

Read full article


While worrying about AI takeover might seem like a modern idea that sprung from War Games or The Terminator, it turns out that a similar concern about machine dominance dates back to the time of the American Civil War, albeit from an English sheep farmer living in New Zealand. Theoretically, Abraham Lincoln could have read about AI takeover during his lifetime.

On June 13, 1863, a letter published in The Press newspaper of Christchurch warned about the potential dangers of mechanical evolution and called for the destruction of machines, foreshadowing the development of what we now call artificial intelligence—and the backlash against it from people who fear it may threaten humanity with extinction. It presented what may be the first published argument for stopping technological progress to prevent machines from dominating humanity.

Titled “Darwin among the Machines,” the letter recently popped up again on social media thanks to Peter Wildeford of the Institute for AI Policy and Strategy. The author of the letter, Samuel Butler, submitted it under the pseudonym Cellarius, but later came to publicly embrace his position. The letter drew direct parallels between Charles Darwin’s theory of evolution and the rapid development of machinery, suggesting that machines could evolve consciousness and eventually supplant humans as Earth’s dominant species.

Read full article


Microsoft is accusing three individuals of running a “hacking-as-a-service” scheme that was designed to allow the creation of harmful and illicit content using the company’s platform for AI-generated content.

The foreign-based defendants developed tools specifically designed to bypass safety guardrails Microsoft has erected to prevent the creation of harmful content through its generative AI services, said Steven Masada, the assistant general counsel for Microsoft’s Digital Crimes Unit. They then compromised the legitimate accounts of paying customers. They combined those two things to create a fee-based platform people could use.

A sophisticated scheme

Microsoft is also suing seven individuals it says were customers of the service. All 10 defendants were named John Doe because Microsoft doesn’t know their identity.

Read full article


On Wednesday, the World Economic Forum (WEF) released its Future of Jobs Report 2025, with CNN immediately highlighting the finding that 40 percent of companies plan workforce reductions due to AI automation. But the report’s broader analysis paints a far more nuanced picture than CNN’s headline suggests: It finds that AI could create 170 million new jobs globally while eliminating 92 million positions, resulting in a net increase of 78 million jobs by 2030.

“Half of employers plan to re-orient their business in response to AI,” writes the WEF in the report. “Two-thirds plan to hire talent with specific AI skills, while 40% anticipate reducing their workforce where AI can automate tasks.”

The survey collected data from 1,000 companies that employ 14 million workers globally. The WEF conducts its employment analysis every two years to help policymakers, business leaders, and workers make decisions about hiring trends.

Read full article
