hosang I.T.


Everything posted by reporter

  1. With iOS 26.3, Apple is making it simpler for iPhone users to transition to an Android smartphone, with new built-in tools for transferring data. The new transfer tool allows an iPhone user to place their device next to an Android device to initiate a transfer process. With the two smartphones connected, users can opt to move over photos, messages, notes, apps, passwords, phone number, and more. Data transfers occur with no need to download and use a separate app, making the process simpler. Health data, devices paired with Bluetooth, and protected items like locked notes are not transferred over to the new device. Transferring data from an iPhone to an Android device wirelessly requires both devices to have the latest software, and to be connected to Wi-Fi with Bluetooth enabled. There will be an option to display a QR code on the Android device that the iPhone can scan to initiate the process, or there is an option to use a session ID and pairing code instead. Google has also implemented a similar feature for transferring data from an Android to an iPhone, so it is a two-way process between the platforms. Last week, the European Commission said that Apple and Google designed and implemented the new transfer system to comply with the Digital Markets Act in the European Union, but it is not a Europe-only feature. The new setting is available worldwide in the iOS 26.3 beta, and it can be found under Settings > General > Transfer or Reset iPhone > Transfer to Android. This article, "iOS 26.3 Makes It Easier to Switch From iPhone to Android" first appeared on MacRumors.com.
  2. Apple today provided the first beta of an upcoming macOS Tahoe 26.3 update to developers for testing purposes, with the update coming three days after the launch of macOS Tahoe 26.2. Developers can download the macOS Tahoe 26.3 update by opening up the System Settings app, selecting the General category, and then choosing Software Update. Beta Updates will need to be enabled, and a free developer account is required. There's no word yet on what's included in macOS Tahoe 26.3, but we'll update this article if new Mac features are found. The beta is available to developers right now, but a public beta is expected later this week. We'll likely see Apple release macOS Tahoe 26.3 at the end of January given past launch timelines. This article, "First macOS Tahoe 26.3 Beta Now Available for Developers" first appeared on MacRumors.com.
  3. Apple today seeded the first betas of upcoming iOS 26.3 and iPadOS 26.3 updates to developers for testing purposes, with the software coming just a few days after Apple released iOS 26.2 and iPadOS 26.2. Registered developers can download the betas from the Settings app on the iPhone or iPad by going to the General section and selecting Software Update. We don't yet know what's included in the new beta software, but because these updates will be tested over the holiday period, Apple may be planning to focus on bug fixes and performance improvements rather than adding major new features. When we learn what's new in the updates, we'll share details. iOS 26.2 and iPadOS 26.2 are limited to developers at the current time, but Apple will likely release a public beta in the next couple of days. This article, "Apple Seeds First Betas of iOS 26.3 and iPadOS 26.3 to Developers" first appeared on MacRumors.com.
  4. Apple today provided developers with the first betas of upcoming watchOS 26.3, tvOS 26.3, and visionOS 26.3 for testing purposes. The software comes a few days after Apple launched the 26.2 versions of each platform. The software updates are available through the Settings app on each device, and because these are developer betas, a free developer account is required. We don't know what new features might be added in watchOS 26.3, visionOS 26.3, and tvOS 26.3. Apple doesn't typically provide release notes for betas, so we might not know what's new until the software updates see a public launch unless there are outward-facing changes. Apple will likely provide public beta testers with access to the tvOS 26.3 and watchOS 26.3 betas later this week, but visionOS 26.3 will remain limited to developers. The software updates will probably launch right around the end of January based on past release timelines. This article, "Apple Releases First watchOS 26.3, tvOS 26.3 and visionOS 26.3 Betas" first appeared on MacRumors.com.
  5. GM is adding an Apple Music app to select 2025 and newer Cadillac and Chevrolet models, allowing Apple Music content to be accessed through the vehicle's infotainment system. The Apple Music app will have all of the Apple Music features users have come to expect, such as access to curated playlists, live global radio, personalized recommendations, hands-free control with a voice assistant, and exclusive content. In supported Cadillac vehicles, Spatial Audio with Dolby Atmos is available. The native Apple Music app will integrate with the infotainment system, and GM says that Apple Music subscribers will be able to start streaming the moment they enter the car. Audio streaming is being provided as an OnStar Basics feature for all 2026 and newer vehicles sold in the U.S. and Canada. Vehicle owners will be able to access Apple Music and other apps with no connectivity cost for eight years, but after that eight-year period, there will be a fee. "We are bringing the Apple Music app to GM vehicles in a way that takes full advantage of our industry-leading audio capabilities," said Tim Twerdahl, GM's vice president of global product management. "It's the latest example of how we're expanding entertainment choices built directly into our vehicles." Specific Cadillac vehicles that can access the Apple Music app include the 2025 and 2026 CT5, the 2025 Escalade IQ, and the 2026 Vistiq. Chevy vehicles with Apple Music include the 2025 and 2026 Blazer EV, Equinox EV and Silverado EV, along with the 2026 Corvette, Suburban and Tahoe. GM says that the Apple Music app will be rolling out to additional GM vehicles and brands in the future. GM's Apple Music announcement comes after the company started phasing out support for CarPlay. 2024 and later electric vehicles from GM do not have CarPlay integration, with GM instead relying on its own infotainment system. In the future, GM plans to move all vehicles to its own platform. This article, "GM Adds Apple Music App to Cadillac and Chevy Models Following CarPlay Phase-Out" first appeared on MacRumors.com.
  6. In a support document published on Friday, Apple said that a "technical failure" in Australia prevented some older mobile phones from being able to make emergency calls by dialing 000, and it said there is a low chance that it could happen again. "In the rare event that these exceptional circumstances affecting mobile operators' networks were to happen again, some older mobile phones may still encounter the same issue reaching emergency services through an alternate available network," said Apple. The document does not provide many specific details, but there are some recent news reports about what sounds like a related issue affecting Samsung phones. Apple said the issue "impacted some Australians in regional areas who attempted to make an emergency call when their primary mobile network was unavailable, even though an alternate network was available and should have connected the call." Apple said "mobile operators are taking steps to mitigate future issues." For iPhone 12 users specifically, Apple vaguely stated that the iOS 26.2 update released last week "provides support for this scenario." "iPhone XS, iPhone XR, iPhone 11, and all iPhone models from iPhone 13 and newer are not affected," said Apple. "For iPhone 12 users, iOS 26.2 provides support for this scenario. If it is determined that any earlier iPhone models are impacted, customers will receive additional information and guidance directly from their mobile operator." To update your iPhone, open the Settings app on the device and tap General → Software Update. This article, "iPhone 12 Users in Australia Should Update to iOS 26.2, Here's Why" first appeared on MacRumors.com.
  7. The first foldable iPhone will feature a series of design and hardware firsts for Apple, according to details shared by the Weibo leaker known as Digital Chat Station. According to a new post, via machine translation, Apple is developing what the leaker describes as a "wide foldable" device, a term used to refer to a horizontally oriented, book-style foldable with a large internal display. The device is said to prioritize thinness, with several major design decisions reportedly made to reduce the overall thickness of the chassis. Chief among these is the use of a side-mounted Touch ID fingerprint sensor. The leaker claims Apple has chosen not to include 3D Face ID hardware or a 3D ultrasonic under-display fingerprint sensor, as both systems would add internal volume and complicate efforts to slim down the device. The post further claims that the foldable's hinge has been engineered to a particularly high standard, describing the hinge design as "very strong." While no deeper technical details are provided, this aligns with long-standing industry expectations that Apple is placing heavy emphasis on hinge durability and crease reduction, areas where foldable devices have historically faced criticism. The leaker states that the current engineering prototype features a 7.58-inch internal display equipped with an under-panel front-facing camera, often abbreviated as UPC. Under-panel camera technology allows the camera to sit beneath the display layer, eliminating visible cutouts when the camera is not in use. For the external display, the leaker claims Apple is using a 5.25-inch panel with a punch-hole camera implemented via a HIAA (Hole-In-Active-Area) design, a technique that minimizes inactive screen space around the cutout. It is unclear what will happen to the Dynamic Island in both instances. The post also claims the device will feature a dual 48-megapixel rear camera system described as having a "large base," which suggests a physically larger sensor size than pixel count alone indicates. Digital Chat Station adds that the foldable smartphone segment will be "reinvigorated" next year, implying that there will be renewed momentum after a period of slower growth and incremental updates. The leaker reiterated an earlier claim that Samsung is also evaluating a new wide-format foldable device. Digital Chat Station has a relatively good track record for Apple rumors. They accurately revealed the overall design of the iPhone Air and iPhone 17 Pro, the triple 48-megapixel rear camera system of the iPhone 17 Pro, the iPhone 17's slimmer bezels and a larger display with ProMotion, iPhone 15 and iPhone 15 Plus's slightly smaller 48-megapixel sensor, and display panel design of the iPhone 12. This article, "Leak Reveals Foldable iPhone Details" first appeared on MacRumors.com.
  8. Apple Fitness+ today expanded to 28 new markets in the service's largest international rollout since launch, accompanied by new language dubbing and a K-Pop music genre. The service today became available in Norway, Poland, the Philippines, Sweden, Vietnam, Chile, Hong Kong, India, the Netherlands, Singapore, Taiwan, and additional regions, with Japan scheduled to follow early next year. The expansion increases total availability to 49 countries, with a full list available at the bottom of Apple's press release. Hundreds of sessions are initially available with digitally generated voice dubbing in Spanish and German, with Japanese set to be added when the service launches in Japan. New dubbed episodes will be released weekly across all supported regions. The new dubbing system uses a generated voice modeled on each of the 28 Fitness+ trainers' real voices. Users will be able to switch audio tracks after starting a session or set a preferred language in the Fitness app, which will automatically default to the dubbed version when available. Apple has not previously offered dubbed workout content on Fitness+, instead relying on subtitles for non-English markets since the service launched in 2020. Apple is also adding a new K-Pop music genre to the service, which will be available across workout types. The new category joins existing genres such as Upbeat Anthems, Latest Hits, Hip-Hop/R&B, and Latin Grooves. Prior to today, Fitness+ was already available in Australia, Austria, Brazil, Canada, Colombia, France, Germany, Indonesia, Ireland, Italy, Malaysia, Mexico, New Zealand, Portugal, Russia, Saudi Arabia, Spain, Switzerland, the UAE, the UK, and the U.S. This article, "Apple Fitness+ Comes to 28 New Countries Today" first appeared on MacRumors.com.
  9. The free Apple Sports app shows scores, stats, standings, and more for a variety of sports and leagues, and it should eventually gain support for one more. The latest version of the Apple Sports app includes images for the men's PGA Tour and the women's LPGA hidden within the app's code, according to MacRumors contributor Aaron Perris. While users cannot yet follow the PGA Tour or LPGA in the app, the addition of the images suggests that support is coming soon. The app already supports the NFL, MLB, NBA, NHL, Premier League, NASCAR, F1, Premier League, and more, and golf will further expand the selection. Launched in 2024, the Apple Sports app is available on the iPhone only in the U.S., the U.K., Canada, France, Germany, Ireland, Italy, Portugal, Spain, the Netherlands, Sweden, Norway, Finland, Denmark, and select other European countries. This article, "Apple Sports App to Support Golf, Including PGA Tour" first appeared on MacRumors.com.
  10. Christmas is just over a week away, and it's getting more and more difficult to guarantee delivery for the holiday with each passing day. In order to aid in any last minute holiday shopping, we've put together a list of the best Apple and Apple accessory discounts you can still get with delivery in time for December 25th, available from retailers including Amazon and Best Buy.

      Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running.

      AirPods

      There aren't many AirPods deals left with guaranteed holiday delivery at this point, but Best Buy does have some options for the AirPods 4 and AirPods Max. Starting with the AirPods 4, Best Buy has the base model without ANC for $84.99, down from $129.99, which is about $15 higher compared to the record low price, but still a solid last-minute deal. You can get the USB-C AirPods Max for $449.99 this week on Best Buy, down from $549.99, with next-day delivery or same-day pickup. This isn't an all-time low price, but if you need it for Christmas it'll be your best option.

        • $45 off: AirPods 4 for $84.99
        • $100 off: AirPods Max for $449.99

      Anker

      Anker has quite a few accessories on sale with guaranteed holiday delivery, ranging from USB-C wall chargers to MagSafe compatible portable batteries and much more. A highlight of the new sale is the 14-in-1 Thunderbolt 5 Dock for $339.99, down from $399.99.

        • $60 off: Anker 14-in-1 Thunderbolt 5 Dock for $339.99

      Wall Chargers
        • Nano USB-C 30W Foldable Charger - $12.19, down from $19.99
        • 70W 3-Port USB-C Charger Block - $34.49, down from $49.99
        • 160W 3-Port GaN Charger Block - $107.49, down from $149.99

      Wireless Chargers
        • 10,000 mAh Magnetic Power Bank - $39.99, down from $49.99
        • MagGo UFO 3-in-1 Charger - $61.99, down from $89.99
        • 3-in-1 Prime Qi2 Charging Station - $160.99, down from $229.99

      Portable Chargers
        • 5,000 mAh Ultra Slim Magnetic Power Bank - $41.24, down from $54.99
        • 10,000 mAh MagGo Qi2 Power Bank - $59.49, down from $89.99
        • 20,000 mAh 3-Port Power Bank - $128.99, down from $179.99

      Docks
        • 14-in-1 Thunderbolt 5 Dock - $339.99, down from $399.99

      Apple Watch

      Series 11

      Amazon and Best Buy this week have all-time low prices on the Apple Watch Series 11, with $100 discounts across numerous models of the smartwatch. These discounts beat the Black Friday prices we saw last month by about $30, and both retailers have delivery options that provide guaranteed arrival dates before Christmas.

        • $100 off: Apple Watch Series 11 (42mm GPS) for $299.00
        • $100 off: Apple Watch Series 11 (46mm GPS) for $329.00
        • $100 off: Apple Watch Series 11 (42mm Cell) for $399.00
        • $100 off: Apple Watch Series 11 (46mm Cell) for $429.00

      SE 3

      For the Apple Watch SE 3, you'll find $50 discounts on a few models on Amazon, with prices starting at $199.00 for the 40mm GPS model. Both sizes of the GPS model have guaranteed delivery dates before Christmas as of writing, with some same-day delivery in select locations as well.

        • $50 off: Apple Watch SE 3 (40mm GPS) for $199.00
        • $50 off: Apple Watch SE 3 (44mm GPS) for $229.00

      HomePod

      Last month, Best Buy introduced one of the first discounts on the HomePod that we've seen in years, and the retailer has brought back this sale in time for Christmas. You can get the 2nd Gen HomePod for $269.99, down from $299.99, in both Midnight and White color options.

        • $30 off: HomePod for $269.99

      Apple Pencil Pro

      Amazon has the Apple Pencil Pro available for $94.99, down from $129.00, which is a match for the all-time low price.

        • $34 off: Apple Pencil Pro for $94.99

      iPhone 17 Cases

      Amazon this week brought back big discounts across Apple's Clear, Silicone, and TechWoven Cases for the iPhone 17 and iPhone Air lineup. Items on sale include Clear, Silicone, and TechWoven Cases for the iPhone 17, iPhone 17 Pro, iPhone 17 Pro Max, and iPhone Air.

        • Up to 50% off: iPhone 17 Cases at Amazon

      iPhone Air
        • Clear Case - $37.99, down from $49.00

      iPhone 17
        • Clear Case - $22.09 with on-page coupon, down from $49.00
        • Silicone Case - $37.99, down from $49.00

      iPhone 17 Pro
        • Clear Case - $37.99, down from $49.00
        • Silicone Case - $37.99, down from $49.00
        • TechWoven Case - $44.00, down from $59.00

      iPhone 17 Pro Max
        • Clear Case - $37.99, down from $49.00
        • Silicone Case - $37.99, down from $49.00
        • TechWoven Case - $44.00, down from $59.00

      If you're on the hunt for more discounts, be sure to visit our Apple Deals roundup where we recap the best Apple-related bargains of the past week.

      This article, "All The Best Apple Deals You Can Still Get Delivered for Christmas" first appeared on MacRumors.com.
  11. X (Twitter) has rolled out a set of widgets for its iOS app, enabling users to add feeds to their Home screen as well as a real-time notification count to their Lock Screen. The Home screen widget offers only one kind, called "X News Highlights," which displays headlines of what's trending on the social media platform. The widget is available in three sizes. There's more to be said for the Lock Screen widgets, which all come in larger and smaller kinds. "X Notifications" shows the user's notification count, while "X Messages" displays the number of unread messages in X Chat (encrypted DMs). There are also two Grok AI widgets, one for jumping straight into chat and one for voice conversations. Apple actually teased Twitter Home screen widgets at WWDC 2020 during its iOS 14 preview, but they never came to anything, until now. X/Twitter used to be the go-to place for breaking news and real-time information, but changes to the platform brought about by owner Elon Musk have been criticised for causing feeds to be increasingly awash with fake accounts, AI slop, and misinformation. This article, "X App for iOS Now Includes Widgets for Lock Screen and Home Screen" first appeared on MacRumors.com.
  12. Apple released the AirPods Max on December 15, 2020, meaning the over-ear headphones launched five years ago today. While the AirPods Max were updated with a USB-C port and new color options last year, followed by support for lossless audio and ultra-low latency audio this year, the headphones lack some of the features that have been introduced for newer generations of the regular AirPods and the AirPods Pro. Fortunately, it has been rumored that Apple plans to update the AirPods Max within the next few years, and they will likely receive the following 10 changes. Earlier this year, Apple supply chain analyst Ming-Chi Kuo said he expected lighter AirPods Max to enter mass production in 2027. However, he did not outline any other planned upgrades beyond the headphones apparently weighing less. The current AirPods Max weigh 0.85 pounds, excluding the charging case, according to Apple. AirPods Max still have Apple's H1 chip from 2019, so it is very likely that a second-generation pair would be equipped with the H2 chip or newer. That should unlock at least seven upgrades, including improved sound quality, increased active noise cancellation, longer battery life, Adaptive Audio, Personalized Volume, Conversation Awareness, and the ability to use "Siri" instead of "Hey Siri." Adaptive Audio adjusts Active Noise Cancellation based on your environment — you can customize the setting to allow more or less ambient noise. Personalized Volume is a similar feature that adjusts your AirPods volume based on both your surroundings and your volume preferences. Conversation Awareness temporarily lowers your volume and enhances voices in front of you while you are talking with someone. Other likely changes include new color options for the ear cushions and headband, as well as a redesigned carrying case. Hopefully the case gains an Ultra Wideband chip, which would unlock Precision Finding in the Find My app. In the U.S., AirPods Max remain priced at $549, but they are frequently on sale for less at Amazon and other resellers. Unless you really want AirPods Max now, we are now at a point where waiting for the 2027 model is worthwhile. This article, "AirPods Max 2 Likely to Offer These 10 New Features" first appeared on MacRumors.com.
  13. At one global manufacturing client, an AI model flagged a potential breach pattern that turned out to be normal behavior from a test server. The system wasn’t wrong — but the humans stopped questioning it. It took a single analyst with strong data storytelling skills to realize the oversight and prevent a full production shutdown. That’s what separates automation from understanding.

      The shift no security leader can ignore

      When I began advising CISOs and cybersecurity leaders in critical industries, the conversations were about firewalls, audit checklists and incident response playbooks. Then automation arrived — and, soon after, artificial intelligence. Suddenly, everything we thought defined technical excellence began to evolve.

      Today, AI has become both an equalizer and a differentiator. It accelerates detection, automates response and surfaces insights we couldn’t see before. But here’s the paradox: the smarter our tools become, the more human our differentiators need to be — with AI acting as a force multiplier for skills like critical thinking and data fluency.

      That’s why a new generation of power skills is emerging — the capabilities that will determine which cybersecurity professionals remain indispensable in the decade ahead. By 2030, nearly half of all cybersecurity tasks will be automated — but the leaders who thrive won’t be the ones coding faster. They’ll be the ones thinking deeper.

      Why traditional skill sets are no longer enough

      CISO action item: Run a 1-hour “AI Bias Audit” on your top 3 detection rules this quarter. Ask: “What data is missing? Who is underrepresented?”

      According to the World Economic Forum’s Future of Jobs Report, nearly 40% of core job skills will change by 2030, driven primarily by AI, data and automation. For security professionals, this means that expertise in network defense, forensics and patching — while still essential — is no longer enough to create value. The real impact comes from how we interpret, communicate and apply what AI enables.

      AI doesn’t just speed up decisions — it reshapes them. When a model identifies an anomaly, we need humans who can:

        • Translate it into business risk,
        • Challenge the model’s assumptions and
        • Communicate the findings clearly to leadership.

      That’s not a technical ability. That’s a power skill.

      The 5 new power skills for the AI era

      1. Data fluency and analytical thinking

      Cybersecurity is now inseparable from data science. Every alert, log and anomaly is a data problem first — and a security problem second. In my consulting work, I’ve seen teams fail not because their tools were weak, but because their analysts couldn’t interpret what the data truly meant. Being data fluent means questioning the data, recognizing bias in models and turning analytics into narratives that drive decisions.

      2. Risk literacy and governance intelligence

      AI introduces new risk categories — from algorithmic bias to model transparency and explainability. Future-ready CISOs must understand these challenges, not just from a compliance angle, but as part of strategic governance. Emerging frameworks set the tone:

        • NIST AI Risk Management Framework (AI RMF 1.0)
        • U.S. Executive Order on Safe, Secure and Trustworthy AI

      Risk literacy isn’t just about security controls — it’s about anticipating where technology, ethics and law intersect.

      3. Executive communication

      I’ve sat in boardrooms where brilliant engineers failed to influence executives because their insights were lost in translation. In the AI era, clarity equals influence. The ability to write, present and simplify complex concepts — especially when dealing with probabilistic AI outcomes — determines who gets heard and who doesn’t. Effective communication is no longer “soft.” It’s strategic.

      4. Cross-functional collaboration

      AI doesn’t exist in silos — and neither should cybersecurity. The most successful programs today bring together:

        • Data scientists
        • Privacy officers
        • Operations leaders
        • Legal advisors

      Real-world impact: At a global energy provider with 40,000 endpoints, a joint AI threat modeling workshop between security and data science teams cut mean-time-to-detect (MTTD) for ransomware precursors from 14 hours to 4 hours — not through new tools, but through shared context. That’s the tangible value of collaboration.

      5. Ethical foresight and creative thinking

      As AI blurs the line between automation and autonomy, human judgment becomes the final safeguard. Questions like “Should we?” will matter more than “Can we?”. Professionals who can anticipate unintended consequences — from biased AI outputs to over-reliance on automation — will be the ethical backbone of digital trust. Empathy and creativity, once considered “soft skills,” are now among the hardest skills to automate.

      The dual edge of AI in cybersecurity

      AI isn’t just transforming defense — it’s transforming offense. Generative models enable:

        • Hyper-targeted phishing
        • Automated reconnaissance
        • Synthetic identity attacks

      At the same time, AI-powered detection and response tools identify shadow IT, data leaks and persistent threats at unprecedented speed. But there’s a catch: AI amplifies both strengths and weaknesses.

        • Poor data governance → model drift
        • Incomplete context → false positives
        • Without ethical and human oversight → disastrous decisions

      That’s why building the human layer of cybersecurity — judgment, ethics and context — is now mission-critical.

      For years, CISOs have been judged on the absence of incidents. But AI changes that metric. When algorithms take over detection and reporting, visibility doesn’t mean accountability. The challenge is shifting from preventing breaches to proving control — not through dashboards, but through narrative and governance. The CISO’s new dilemma is this: how do you lead when the system knows more than you do?

      Building the future-ready security team

      Three actions to take this quarter:

        • Invest in power skills — not just tools. Perform regular skill-gap analyses that include communication, governance literacy and data storytelling. AI can automate tasks, but not wisdom.
        • Encourage continuous learning. AI evolves faster than any policy. Create programs for: red-teaming AI systems; collaborative simulations across departments.
        • Integrate disciplines. Combine cybersecurity, data science and business strategy. This multi-lens approach strengthens both resilience and innovation.

      Leadership takeaways

        • Translate technical insights into executive language.
        • Treat AI like a team member, not a tool.
        • Reward curiosity, not only compliance.
        • Build trust faster than you build automation.

      Redefining CISO success metrics

      Tomorrow’s CISOs will be measured less by incident counts and more by how effectively they align AI-driven security initiatives with business outcomes. New KPIs to consider:

        • % of AI alerts translated into executive risk briefings
        • Cross-functional project velocity (security + data science)
        • Ethical AI review completion rate

      Championing ethical innovation

      Make AI ethics a standing agenda item in every risk review. Transparency and accountability should be as central to cybersecurity as encryption and patching.

      What this means for cyber leaders

      The biggest myth in security is that technical mastery equals longevity. In truth, the more we automate, the more we value human differentiation. Success in the next decade won’t depend on how much code you can write — but on how effectively you can connect, translate and lead across systems and silos.

      When I look at the most resilient organizations today, they share one trait: They see cybersecurity not as a control function, but as a strategic enabler. And their leaders? They’re fluent in both algorithms and empathy.

      The future of cybersecurity belongs to those who build bridges — not just firewalls. Cybersecurity is no longer a war between humans and machines — it’s a collaboration between both. The organizations that succeed will be the ones that combine AI’s precision with human empathy and creative foresight. As AI handles scale, leaders must handle meaning. And that’s the true essence of power skills.

      The future of cybersecurity belongs to those who can blend AI’s precision with human expertise — and lead with both.

      Next steps: Start this quarter

        • Add AI ethics to your risk committee agenda
        • Pilot a joint security/data science sprint
        • Measure your team’s “data storytelling” maturity

      This article is published as part of the Foundry Expert Contributor Network.
  14. Amazon has added a new feature to its Kindle app on iOS that uses artificial intelligence to answer questions about the book you're reading, the company has announced. Available in the U.S. only, "Ask This Book" is described as an "expert reading assistant" that allows users to highlight any passage in what they are reading and ask questions about plot details, character relationships, and thematic elements. The feature's answers are spoiler-free, revealing information only up to the current reading position. The in-book chatbot is available in books by default, and authors cannot opt out. "The feature uses technology, including AI, to provide instant, spoiler-free answers to customers' questions about what they're reading," Amazon told PubLunch. "Ask this Book provides short answers based on factual information about the book which are accessible only to readers who have purchased or borrowed the book and are non-shareable and non-copyable." With the latest Kindle app update installed, readers in the U.S. can find the feature in the in-book menu, or simply highlight any passage and tap "Ask" in the contextual pop-up menu. Ask This Book is currently limited to English-language books. Amazon plans to add the feature to Kindle devices and Android OS next year. This article, "Kindle App Now Includes AI Assistant for Character and Plot Questions" first appeared on MacRumors.com
  15. Apple's AirTag 4-Pack has dropped to $69.99 today on Amazon, down from the original price of $99.00. Prime members can get the accessory delivered today in many locations, while free shipping options put it arriving in time for Christmas, around Saturday, December 20. Note: MacRumors is an affiliate partner with Amazon. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running. If you prefer shopping at Best Buy, you'll find a matching deal on the AirTag 4-pack this week. Overall, this is a solid second-best price on the AirTag 4-pack, and the first notable deal we've seen on the Bluetooth tracker since Black Friday. If you're shopping for a single AirTag, Amazon has the AirTag 1-Pack for $24.00, down from $29.00. If you're on the hunt for more discounts, be sure to visit our Apple Deals roundup where we recap the best Apple-related bargains of the past week. This article, "Apple's AirTag 4-Pack Is The Perfect Stocking Stuffer at $69.99 on Amazon" first appeared on MacRumors.com
  16. On its website, the insurance company Ideal is currently reporting a cyberattack. The systems were taken offline as a precaution and business operations are running only to a limited extent, it says. Ahorn AG, which belongs to the insurance group, is accordingly also affected by the IT outage. By contrast, the subsidiary myLife Lebensversicherung was spared.

Apparently no misuse of customer data

“Our IT security team is working together with external specialists and the investigating authorities to analyze the incident and gradually restore affected systems,” assures Maximilian Beck, CEO of the Ideal Group. “According to current knowledge, the infrastructure of our sales and business partners is not affected. At present there are also no indications of misuse of customer data.” According to an official statement, the notorious ransomware group Akira is responsible for the attack. According to security experts, it ranks among the five most dangerous extortion gangs worldwide. The hacker group became known above all for the devastating attack on the municipal service provider Südwestfalen IT (SIT).
  17. Apple's AirPods Max launched five years ago today, marking the company's first push into the high-end over-ear headphones market under its own brand name. Rumors about Apple's work on a pair of high-end headphones, at the time believed to be called the "AirPods Studio," heated up throughout 2020. They were announced abruptly via a somewhat unexpected press release on December 8, 2020 and went on sale the same day. Orders started arriving to customers one week later on Tuesday, December 15. The AirPods Max offer many popular AirPods features such as the H1 chip, easy pairing, Active Noise Cancellation, Transparency mode, automatic switching, and Spatial Audio with dynamic head tracking, but in a premium over-ear design for the first time. They also offer a headband made of a flexible mesh canopy, replaceable magnetic earcups, a Digital Crown for physical volume controls, a button for switching between ANC and Transparency, and a Smart Case for storage and to put the headphones into a low power state. Demand for the AirPods Max was high immediately after launch, with shipping estimates that stretched out several months. Initial reviews of AirPods Max were favorable, applauding the headphones for being "more than enough to compete with other high-end headphones" in terms of design and sound quality. While the recommended retail price remains at $549, the AirPods Max are often available with discounts of over $100. The AirPods Max have also been subject to criticism since their launch, including for their price relative to rival sets of high-end over-ear headphones, the design of the Smart Case, condensation inside the earcups, poor battery life (something that was later fixed via a software update), ANC strength seemingly being reduced over time, the over-head canopy's poor durability, and the long period in which the device has been left without a meaningful hardware update.
Last year, Apple refreshed the AirPods Max's selection of color options and swapped the Lightning port for USB-C, but there were no other changes. Since the changes were so minor, Apple does not seem to consider the "new" model a second-generation. This article, "AirPods Max Launched Five Years Ago Today" first appeared on MacRumors.com
  18. A single vessel called the Orange Star docks at Port Elizabeth in New Jersey, carrying 38,848 cubic meters of orange juice concentrate. One ship, arriving weekly, supplies orange juice used by all of the city’s major retailers. If Port Elizabeth’s systems went down tomorrow due to a cyber attack, 46 million consumers within the four-hour trucking radius would feel the impact within days. The threat is real. The recent government shutdown furloughed CISA and FEMA staff at a critical time of exposure and vulnerability. The legal framework that allowed threat intelligence sharing between government and industry? That expired on September 30th when Congress failed to reauthorize the Cybersecurity Information Sharing Act of 2015. And the malware? That’s already in place, pre-positioned by nation-state actors waiting for the right geopolitical moment to trigger it. This is what one might call the “perfect storm of vulnerability,” and it’s hitting US maritime infrastructure right now. The evidence isn’t theoretical In late 2024, hackers hit the Port of Seattle with ransomware, demanding $6 million and releasing sensitive data on the dark web when their demands weren’t met. But the real threat extends far beyond opportunistic ransomware actors. As a member of the Area Maritime Security Committee (AMSC) for Sector New York with the US Coast Guard, I see firsthand how maritime facilities are preparing for the new Title 33 CFR cybersecurity requirements that went into effect in July 2025. Some ports, like the Port Authority of New York and New Jersey, have the resources and maturity to comply. They’ve been conducting penetration tests, red team exercises and tabletop drills for years. But what about the other 2,300+ facilities regulated under the Maritime Transportation Security Act (MTSA)? Consider SeaPort Manatee in Florida — a facility that moved 11.8 million tons of cargo in 2024, generating $7.3 billion in economic impact. 
They spent $97,500 on a cybersecurity assessment in June 2024, with 75% funded by a DHS FEMA Port Security Grant Program. That’s one facility doing it right. But while they were still recovering from Hurricane Milton damage, how many smaller facilities were scrambling to find even that level of funding? When Japan’s Port of Nagoya was hit by ransomware in 2023, originally attributed to the Russian-affiliated LockBit gang, the central computer system was compromised and cargo operations were suspended for several days. The 2021 Suez Canal blockage by the Ever Given — a physical incident, not cyber — caused an estimated $10 billion per day in stalled trade. Now imagine that disruption triggered deliberately by malware already embedded in port systems such as gantry cranes. This is a workforce problem, not a vendor problem The new regulations require all 3,000 MTSA facilities to designate a cybersecurity officer (why the Coast Guard named them CySOs and couldn’t just call them CISOs, I do not know). Finding hundreds of qualified people who understand both operational technology in maritime environments and cybersecurity is nearly impossible. Many facilities are looking at IT professionals who will require cross-training on maritime technology systems and assets with 30+ year life cycles. This is quite different from the capital expenditure write-off of a laptop every 3–5 years. Especially concerning is the fact that thousands of CISOs are considering leaving their corporate roles because they’re tired of being used as scapegoats when breaches occur. Hopefully, some are now looking for side work as part-time contractors with maritime facilities, treating it as job-loss mitigation while doing something that gives them genuine job satisfaction. If hired, they would immediately see the benefits of their work improving the security posture of a port facility in their hometown. 
This is our critical infrastructure protection strategy: exhausted professionals moonlighting because facilities can’t afford full-time qualified staff. What developers and security teams can actually do If you’re reading this and thinking, “I don’t work at a port, why does this matter?” then consider your own supply chain dependencies. Your company most likely delivers services using third-party solutions, many of which depend on maritime logistics you never even think about. The systemic risk that emerges from complex systems means a port shutdown doesn’t just delay Amazon deliveries. During the pandemic, we couldn’t get toilet paper or laptops. Our supply chains were deeply disrupted by a health crisis. Now imagine that kind of pervasive disruption triggered deliberately, with government cybersecurity staff having been furloughed at a critical moment or no legal framework to safely share threat intelligence because Congress let it expire. Three concrete steps for this quarter: If you’re responsible for critical infrastructure or provide services for core supply chain systems, conduct a realistic resilience assessment of what a 72-hour maritime disruption would mean for your operations. Not a theoretical risk assessment but a practical business continuity exercise. For mid-sized facilities facing these requirements, budget between $20,000–$25,000 for penetration testing. Explore FEMA’s State and Local Cybersecurity Grant Program (SLCGP), though be aware these often have non-federal match funding requirements. Better yet, find ways for academia, private sector and public sector entities to collaborate, such as the MTS-ISAC, rather than forging ahead in isolation. If you’re a CISO considering what’s next in your career, consider that maritime facilities desperately need your expertise. This isn’t corporate security theater. This is mission-critical work protecting infrastructure that millions depend on. That you and your family depend on. 
The saber-rattling is getting louder The current geopolitical climate has maritime security at a heightened level of readiness for international conflict. If a nation-state wanted to discourage US intervention in some form of aggression in APAC, South America or elsewhere, the malware is already believed to be in place, ready to be triggered. In my discussions as part of the AMSC, we workshop scenarios constantly. What counts as an incident when the MARSEC (MARitime SECurity) Level needs to be elevated from 1 to 2 for a cybersecurity threat? MARSEC Level 2 requires additional protective security measures for a period of time across nautical facilities and vessels. This is the kind of thing that hasn’t happened yet, but for which we train constantly. The challenge is that anything compromising safety systems in a port would trigger a shutdown of the entire port. There’s an element of systemic risk to the complex ecosystem that ports support that includes rail, trucking, shipping, fuel or, yes, that weekly orange juice delivery. The US Coast Guard has been granted fairly large powers of authority in the event of an incident. But those powers are compromised when CISA staff have been furloughed and threat intelligence sharing has lost its legal protection. We can expect asset owners and sector agencies to continue to collaborate, but they will be doing so with additional (and avoidable) risk. Monday morning action items I lived in Manhattan during the first COVID lockdowns. I saw SWAT teams with sniper rifles taking up positions on rooftops across from grocery stores. That was contingency planning that thankfully didn’t need to be activated. But it revealed something crucial: Anything that threatens the ability to procure basic necessities will rapidly escalate in ways we’d rather not contemplate. The orange juice example isn’t about orange juice. It’s about what the Orange Star represents. 
A complex system held together by aging infrastructure that 3,000 facilities now need to better secure, with cybersecurity officers they don’t have, using grant funding that was stuck during the government shutdown, while the legal framework for threat sharing has expired and nation-state malware sits dormant in their systems. What you should do Monday morning: Elevate the discussion around cybersecurity risk with elected officials, boards of directors and everyday citizens. Accept the mantra of incident response: it’s not a matter of if, but rather just a matter of when. As an information security professional who has worked in this industry for 30+ years and who has given birth to major ecommerce sites in the Web 1.0 dotcom bubble, building and protecting banks and critical infrastructure in the ensuing years, I am not optimistic. Do we have the gumption and grit to do what’s needed? We must work together now with focus, conviction and verve, because the alternative is unthinkable. I mention the word “verve” because I feel there must be a creative energy to how we champion our collective resilience and how we defend our community, our democracy and our way of life. There’s no incident response plan for a perfect storm. Only preparation before it hits. This article is published as part of the Foundry Expert Contributor Network.
  19. Apple is preparing to bring support for its Car Keys feature to Toyota vehicles, evidence uncovered by MacRumors suggests. Toyota introduced its own Digital Key feature as part of the available Remote Connect package several years ago, which allows drivers to use their smartphone as a key to access and drive the vehicle. Now, the company appears to be adding support for Apple Car Keys, with the feature going live as of today on Apple's back end. Introduced in 2022, Car Keys allows an iPhone or Apple Watch to unlock a vehicle via the Wallet app. A digital version of a car key is stored in the Wallet, and unlocking can be completed by holding an Apple Watch or iPhone near a compatible vehicle's NFC reader. Tapping on the door handle is enough to initiate an unlock, and while Face ID authentication is a security option, Apple offers an Express Mode that eliminates the need to authenticate for an even faster unlocking process. It is unclear when Toyota will roll out support for Car Keys to its vehicles, and the company has not yet made any announcements related to the feature, but it is likely to be relatively soon since the feature is now live on Apple's back end. At WWDC 2025, Apple confirmed that 13 vehicle brands would "soon" add support for digital car keys, including Audi, Acura, Porsche, GMC, Cadillac, Chevrolet, Rivian, Smart, Lucid Motors, Tata Motors, Hongqi, WEY, Chery, and Voyah. Vehicles from BMW, Genesis, Kia, Hyundai, Lotus, Mercedes, Volvo, and more already offer car keys support, with a list available on MacRumors. This article, "Toyota to Gain Apple Car Keys Support" first appeared on MacRumors.com
  20. Apple and Google will soon be "encouraged" to build nudity-detection algorithms into their software by default, as part of the UK government's strategy to tackle violence against women and girls, reports the Financial Times. According to the report, Home Office officials want device operating systems to prevent any nudity from being displayed unless users can verify that they're adults through biometric checks or official ID. The proposal is said to target mobile devices initially, but it could extend to desktops. The government reportedly explored making the controls mandatory for devices sold in the UK, but it has apparently decided against that approach for now. Apple currently offers Communication Safety tools that parents can activate and which detect nude photos and videos in apps like Messages, AirDrop, and FaceTime. However, teenagers can still view flagged images after dismissing an alert, while under-13s must enter a passcode. Google also provides parental controls through its Family Link feature and includes "sensitive content warnings" in Google Messages. But neither company offers system-wide nudity blocking that extends to third-party apps like WhatsApp. The proposal is sure to face objections from privacy and civil liberties groups, as well as questions about how effective any such measures would be. When the UK instituted age checks for porn websites earlier this year as part of the Online Safety Act, users got around restrictions using fake photos and VPN services. The proposals are expected to be officially unveiled in the coming days, according to people familiar with the matter who spoke to FT. This article, "UK Wants All iPhones to Block Explicit Images Unless You Prove Age" first appeared on MacRumors.com
  21. CISA is sounding the alarm over a critical vulnerability in GeoServer that is being actively exploited in the wild, ordering federal agencies to patch immediately. The flaw, tracked as CVE-2025-58360, is an unauthenticated XML External Entity (XXE) vulnerability affecting GeoServer versions 2.26.1 and earlier. When exploited, the bug lets attackers retrieve arbitrary files from vulnerable servers, allowing data theft, denial-of-service attacks, or server-side request forgery (SSRF) that can expose internal systems. GeoServer, an open-source platform for publishing and sharing geospatial data, is widely used across civilian, scientific, and defense-linked federal environments. “GeoServer is widely used across federal agencies that manage land, water, and geoscience data,” said Louis Eichenbaum, federal CTO of ColorTokens, noting that it often runs alongside ArcGIS and remains connected back to enterprise GIS systems, even in otherwise segmented or air-gapped deployments. CISA added CVE-2025-58360 to its Known Exploited Vulnerabilities (KEV) catalog this week, citing active exploitation. Advisories from Wiz and the Canadian Centre for Cyber Security indicate that exploit code has circulated since late November, giving attackers a head start before coordinated patching could happen. An exposed platform with real intelligence value CVE-2025-58360 (CVSS 9.8 out of 10) stems from GeoServer’s handling of XML input using an insecurely configured XML parser that fails to properly restrict external entity references. A crafted request can force the server to fetch local files or make internal network requests, enabling unauthenticated file disclosure and potential SSRF against systems the GeoServer instance can access. While XXE bugs are a familiar class of vulnerability, researchers warn that GeoServer’s role inside government environments makes this flaw particularly sensitive. 
According to Shadowserver, at least 2451 IP addresses with GeoServer fingerprints are currently observable, while Shodan reports more than 14,000 GeoServer instances exposed online. “What concerns me most about CVE-2025-58360 is that GeoServer has become a strategic intelligence-collection platform for nation-state adversaries,” said Certis Foster, senior threat hunter lead at Deepwatch. “This isn’t companies tracking weather or logistics anymore; this is coordinated infrastructure reconnaissance at scale.” Foster warned that unauthenticated access through the bug could allow adversaries to extract geospatial intelligence tied directly to energy assets, weather systems, and military locations. CISA’s alert marks the third GeoServer vulnerability it has flagged as actively exploited in just over a year, following warnings in June 2024 and July 2024 related to earlier flaws. The pattern suggests GeoServer is no longer an incidental target but a recurring one. Why patching alone may not be enough While CISA has mandated patching for federal agencies, experts caution that speed is often constrained by operational realities, including asset discovery, dependency mapping, and change-management windows, that can slow even well-resourced teams. “When vulnerabilities are disclosed in widely deployed platforms like GeoServer, almost no federal agency can realistically patch fast enough,” Eichenbaum noted. “Even if they could, by the time a notice is public, the adversary may already be exploiting it.” That reality reinforces the need for “breach-ready” posture grounded in Zero Trust principles, he added. 
Venky Raju, field CTO at ColorTokens, echoed the concern, saying, “open-source developers are quick to respond with fixes, however, enterprises may not be able to patch servers due to internal challenges.” As an interim measure, he recommended isolating affected GeoServer instances using microsegmentation controls to restrict lateral movement, while still maintaining mission operations. While the CISA notice applied to Federal Civilian Executive Branch (FCEB) agencies, directing them to patch before December 26, 2025, it “strongly urged” all organizations to remediate the issue promptly.
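The GeoServer item above attributes the flaw to an XML parser that does not restrict external entity references. As an added example (not code from the article, CISA or the GeoServer project), the Python sketch below shows the kind of pre-parse gate a filtering layer in front of an unpatched XML service could apply: it refuses any request body that carries a DOCTYPE or declares an external entity. The names `inspect_xml` and `Verdict`, the strict "no DTD at all" policy and the sample request bodies are assumptions constructed for illustration.

```python
"""Pre-parse gate: refuse XML bodies that carry a DTD or external entities."""
import xml.parsers.expat as expat
from dataclasses import dataclass, field


@dataclass
class Verdict:
    allowed: bool = True
    reasons: list = field(default_factory=list)

    def reject(self, reason: str) -> None:
        self.allowed = False
        self.reasons.append(reason)


def inspect_xml(body: bytes) -> Verdict:
    """Walk the body with expat, which never fetches a resource on its own,
    and record every DTD feature an XXE request depends on."""
    verdict = Verdict()
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Strict policy (assumption): ordinary service requests need no DTD.
        verdict.reject(f"DOCTYPE declared for <{name}>")
        if system_id or public_id:
            verdict.reject(f"external DTD subset -> {system_id or public_id}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter entity" if is_param else "entity"
        if system_id is not None or public_id is not None:
            # File disclosure and SSRF both start from a declaration like this.
            verdict.reject(f"external {kind} '{name}' -> {system_id or public_id}")
        else:
            verdict.reject(f"internal {kind} '{name}' ({len(value or '')} chars)")

    def on_external_ref(context, base, system_id, public_id):
        verdict.reject(f"reference to external entity -> {system_id or public_id}")
        return 1  # report the reference as handled; nothing is fetched

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        verdict.reject(f"not well-formed: {exc}")
    return verdict


# Constructed sample request bodies (not taken from any real traffic).
BENIGN = b'<?xml version="1.0"?><Query><Layer>roads</Layer></Query>'
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE Query [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
    b'<Query><Layer>&xxe;</Layer></Query>'
)
EXTERNAL_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE Query SYSTEM "http://internal.example.invalid/q.dtd">'
    b'<Query><Layer>roads</Layer></Query>'
)
TRUNCATED = b'<Query><Layer>roads</Layer>'

if __name__ == "__main__":
    samples = {
        "benign": BENIGN,
        "external entity": EXTERNAL_ENTITY,
        "external DTD": EXTERNAL_DTD,
        "truncated": TRUNCATED,
    }
    for label, body in samples.items():
        result = inspect_xml(body)
        print(f"{label:16} allowed={result.allowed} {result.reasons}")
```

A gate like this is an interim control alongside the isolation measures quoted above; it does not replace applying the vendor fix.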
  22. Cyberattacks today are not limited to particular companies, products or services; they take place wherever the vulnerabilities are. In addition, attacks are becoming ever more sophisticated with the help of AI tools. Against this backdrop, Microsoft announced its new security approach, “In Scope by Default,” at Black Hat Europe. Under it, every “critical vulnerability” with “demonstrable impact” on Microsoft's online services will in future be eligible for a bounty. This applies both to code that Microsoft manages and to everything provided by third parties or via open source. “Attackers don't care who owns the code they are trying to exploit,” writes Tom Gallagher, Vice President of Engineering at the Microsoft Security Response Center, in a blog post. “The same approach should apply to the security community that works with us to provide important insights for protecting our customers.”

The goal is “to incentivize research”

Gallagher stresses that Microsoft “will do whatever it takes” to fix problems that arise. He points out that the company already paid out more than 17 million dollars in 2024 through its bug bounty program and its live hacking events. The changed strategy will further expand eligibility for awards. “Our goal is to incentivize research in the highest-risk areas, especially in areas most likely to be exploited by attackers,” explains the Microsoft expert. Awards under the bug bounty program now cover:

Microsoft-owned domains and cloud services: Security researchers without insider knowledge at Microsoft are encouraged to focus on the company's infrastructure in accordance with agreed rules.

Third-party code, including open source: In cases where no bug bounty program yet exists in this area, Microsoft will now offer one. Identifying vulnerabilities in third-party code can help raise the bar for “everyone who relies on this code,” according to Gallagher.

Researchers can submit their findings for assessment and coordinated disclosure on a Microsoft online platform. In this way, vulnerabilities are reported confidentially so that these problems can be diagnosed and fixed before they are made public. Microsoft and its partners follow the rules for responsible security research, according to Gallagher, which encourage a wide range of red-teaming activities. These include vulnerability assessments on Azure virtual machines (VMs), testing peak capacity, attempts to break out of system boundaries and shared service containers, testing security monitoring and detection systems, and evaluating conditional access. However, the rules prohibit red teams from using or accessing credentials, launching phishing attacks against Microsoft employees, or carrying out denial-of-service tests that generate excessive traffic. Interacting with storage accounts that are not included in the user's subscription is also not permitted.

Pros and cons of this approach

The expansion of scope is not necessarily new, notes Avakian of Info-Tech, “although cloud service providers (CSPs), financial institutions and SaaS companies publish narrower wording and settle many cases through behind-the-scenes negotiations.” According to the expert, however, much still depends heavily on researchers' goodwill and internal discretionary decisions. “Microsoft's expanded scope is somewhat different and could lead to fewer discussions that cost time and can cause friction with researchers,” says Avakian. “It also sends a better signal: when people do not fear disqualification, they are more willing to submit early-stage findings. That is great for defenders and can strengthen trust in the research community.” The analyst concedes, however, that the volume of bug reports could become difficult. The result may be more low-quality reports and speculative or “nebulous” findings, warns the Info-Tech specialist. “The model can only work if the severity of problems is assessed consistently,” says Avakian. “Otherwise, attackers could benefit indirectly from defender teams being overloaded and from potential noise drowning out real warning signals.” Ultimately, “scope is really a question of corporate governance,” adds Avakian, pointing out that companies fall behind if vulnerability programs are still primarily geared toward reducing payouts, minimizing risk and protecting the brand's image. “Microsoft is signaling that operational clarity is superior to defensive ambiguity,” says Avakian. However, “in scope by default” only works with the corresponding organizational maturity. “If you do not already have strong governance, triage processes, consistent severity models and technical accountability, it becomes problematic,” the expert explains. “Automation, enrichment and experienced human judgment are more important here than ever, and Microsoft clearly appears to be investing in this long-term game.” (jm)
  24. Garbage took the stage at the Sydney Opera House on Tuesday night, just hours after a devastating terrorist attack at a Hanukkah celebration at Bondi Beach claimed at least 15 lives and injured nearly 30 others. In a city still reeling, frontwoman Shirley Manson paused the band’s set to speak directly to the moment: “This has become an astoundingly frightening, violent, hateful, intolerant world,” Manson told the crowd. “And I think the only thing we can do really, as people who do not believe in all this separation and all this intolerance, is try and profess our love for one another.” “Fuck all this vile antisemitism. Fuck Islamophobia. The killing has to stop.” Reaffirming Garbage’s long-standing ethos of unity and inclusion, Manson continued: “We have always believed that we are one people under one sun. It doesn’t matter what God you worship, what colour your skin is, what your gender is, what your sexual orientation is… it’s all so fucking stupid… We have people in power telling us to hate one another, to destroy one another.” After the show, Manson shared a personal statement on Garbage’s Instagram, revealing that six close family members had been at Bondi Beach just hours before the attack. “Our hearts go out to the victims and their surviving families who are now dealing with unfathomable loss and heartbreak,” she wrote. “Fuck all this vile antisemitism. Fuck Islamophobia. The killing has to stop.” In response to the tragedy, Garbage made a last-minute change to their setlist, performing ‘Fix Me Now’ from their 1995 self-titled debut – the only time the song has appeared during the Australian leg of the tour. With lyrics reflecting fear, hope and vulnerability, the moment served as a quiet act of solidarity and reflection in the face of overwhelming grief. Our thoughts remain with the victims, their loved ones, and all communities affected by this horrific act of violence. 
Further Reading Garbage’s Shirley Manson Absolutely Lost It Over A Beach Ball At Good Things (And Uh… We May Have Been Involved) Garbage Announce 2025 Australian Headline Shows Garbage’s Shirley Manson Pens Powerful Op-Ed On Self-Harm The post Garbage Turn Sydney Show Into a Call for Love, Hours After Bondi Terror Attack appeared first on Music Feeds. View the full article
  25. The Board of Inquiry issued a short statement on Friday stating that there was “probable cause to present” ACNA Archbishop Steve Wood “for trial for violation of Canon 2 of this Title.” View the full article
