Friday, 17 April

19:00 EDT

NIST Limits CVE Enrichment After 263% Surge In Vulnerability Submissions [Slashdot]

NIST is narrowing how it handles CVEs in the National Vulnerability Database (NVD), saying it will only automatically enrich higher-priority vulnerabilities. "CVEs that do not meet those criteria will still be listed in the NVD but will not automatically be enriched by NIST," it said. "This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. We don't expect this trend to let up anytime soon." The Hacker News reports: The prioritization criteria outlined by NIST, which went into effect on April 15, 2026, are as follows:

- CVEs appearing in the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog.
- CVEs for software used within the federal government.
- CVEs for critical software as defined by Executive Order 14028: this includes software that's designed to run with elevated privilege or managed privileges, has privileged access to networking or computing resources, controls access to data or operational technology, and operates outside of normal trust boundaries with elevated access.

Any CVE submission that doesn't meet these thresholds will be marked as "Not Scheduled." The idea, NIST said, is to focus on CVEs that have the maximum potential for widespread impact. "While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories," it added. [...] Changes have also been instituted for various other aspects of the NVD operations. These include:

- NIST will no longer routinely provide a separate severity score for a CVE where the CVE Numbering Authority has already provided a severity score.
- A modified CVE will be reanalyzed only if it "materially impacts" the enrichment data. Users can request specific CVEs to be reanalyzed by sending an email to the same address listed above.
- All unenriched CVEs currently in backlog with an NVD publish date earlier than March 1, 2026, will be moved into the "Not Scheduled" category. This does not apply to CVEs that are already in the KEV catalog.
- NIST has updated the CVE status labels and descriptions, as well as the NVD Dashboard, to accurately reflect the status of all CVEs and other statistics in real time.

18:00 EDT

US-sanctioned currency exchange says $15 million heist done by "unfriendly states" [Ars Technica - All content]

Grinex, a US-sanctioned cryptocurrency exchange registered in Kyrgyzstan, said it’s halting operations after experiencing a $13 million heist carried out by “western special services” hackers.

Researchers from TRM, which has confirmed the theft, put the value of stolen assets at $15 million after discovering roughly 70 drained addresses, about 16 more than Grinex reported. Neither TRM nor fellow blockchain research firm Elliptic has said how the attackers slipped past Grinex’s defenses. Grinex said it has been under almost constant attack attempts since incorporating 16 months ago. The latest attacks, it said, targeted Russian users of the exchange.

Damaging "Russia's financial sovereignty"

“The digital footprints and nature of the attack indicate an unprecedented level of resources and technology available exclusively to the structures of unfriendly states,” Grinex said. “According to preliminary data, the attack was coordinated with the aim of causing direct damage to Russia's financial sovereignty.”

Man with @ihackedthegovernment Instagram account tells judge, “I made a mistake" [Ars Technica - All content]

A 25-year-old Tennessee man avoided prison time after pleading guilty to accessing government systems with stolen login credentials and boasting of the deed on an Instagram account with the handle @ihackedthegovernment.

Defendant Nicholas Moore accessed user accounts on the US Supreme Court's electronic filing system, AmeriCorps, and the Veterans Administration Health System. He then publicly posted screenshots of the users' personal information to his @ihackedthegovernment account on Instagram. It's unclear how he obtained the stolen login information.

Moore was sentenced to a year of probation today in US District Court for the District of Columbia. The US government had requested 36 months of probation for the unauthorized access, which took place from August to October 2023. The government's sentencing recommendation did not request any jail time or a fine.

Gazing Into Sam Altman's Orb Could Solve Ticket Scalping [Slashdot]

An anonymous reader quotes a report from Wired: Sam Altman's iris-scanning, humanity-verifying World project announced at an event in San Francisco on Friday that Tinder users around the globe can now put a digital badge on their profiles signaling to potential suitors that they're a real human, provided they've already stared into one of World's glossy white Orbs and allowed their eyes to be scanned. The announcement follows a pilot project for Tinder verification that World previously conducted in Japan. [...] In addition to the Tinder global expansion, Tools for Humanity, the company behind World, announced a number of other consumer and enterprise partnerships on Friday at its Lift Off event in San Francisco. The startup says Tinder users who verify with their World ID will receive five free "boosts," typically a paid feature that increases the number of users who see a profile by up to 10 times for 30 minutes. The videoconferencing platform Zoom also says that users can now require other participants to verify their identity with World before joining a call. Docusign, the contract signing software, will allow users to require World's identity verification technology. Tiago Sada, Tools for Humanity's chief product officer, tells WIRED the company sees major platform partnerships as key to helping World become a mainstream identity-verification technology. Sada said he's especially interested in working with social media companies in the future, and was encouraged to see that Reddit has started testing World as a solution to help users distinguish bots from real people. [...] World is also launching a tool called Concert Kit, which lets artists reserve concert tickets for verified humans, a pitch aimed squarely at the bot-driven scalping problem that critics say has plagued sites like TicketMaster. 
World will test the feature on the upcoming Bruno Mars World Tour featuring Anderson .Paak, who is scheduled to play a verified-humans-only show under his alias DJ Pee .Wee in San Francisco on Friday night. "The idea that World ID is not just private, but it's one of the most private things you've ever used, that's not obvious," says Sada. "We're just not used to this kind of technology. Many people used to tape their [iPhone's sensor used to enable] Face ID when it came out, then we got used to it."

17:00 EDT

Mozilla 'Thunderbolt' Is an Open-Source AI Client Focused On Control and Self-Hosting [Slashdot]

BrianFagioli writes: Mozilla's email subsidiary MZLA Technologies just introduced Thunderbolt, an open-source AI client aimed at organizations that want to run AI on their own infrastructure instead of relying entirely on cloud services. The idea is to give companies full control over their data, models, and workflows while still offering things like chat, research tools, automation, and integration with enterprise systems through the Haystack AI framework. Native apps are planned for Windows, macOS, Linux, iOS, and Android. Thunderbolt allows organizations to do the following:

- Run AI with their choice of models, from leading commercial providers to open-source and local models
- Connect to systems and data: Integrate with pipelines and open protocols, including deepset's Haystack platform, Model Context Protocol (MCP) servers, and agents with the Agent Client Protocol (ACP)
- Automate workflows and recurring tasks: Generate daily briefings, monitor topics, compile reports, or trigger actions based on events and schedules
- Work seamlessly across devices with native applications for Windows, macOS, Linux, iOS, and Android
- Maintain security with self-hosted deployment, optional end-to-end encryption, and device-level access controls

16:00 EDT

Trump picks qualified, normal health leader to head CDC; experts still cautious [Ars Technica - All content]

President Trump on Thursday announced his third nominee for director of the Centers for Disease Control and Prevention: Dr. Erica Schwartz, a well-qualified former public health official and board-certified physician in preventive medicine, who has publicly supported vaccination and followed evidence-based medicine.

The uncontroversial pick comes amid concern within the administration that the aggressive anti-vaccine agenda from Health Secretary Robert F. Kennedy Jr.—who has no medical, science, or public health background—has become a liability for the party in the lead up to the midterms.

Schwartz was deputy surgeon general in Trump's first administration. She spent much of her career as a Navy officer, held the role of Chief Medical Officer with the US Coast Guard, and is a retired rear admiral of the US Public Health Service Commissioned Corps. She has a medical degree from Brown University, a master's degree in public health, and a law degree from the University of Maryland. During the pandemic, she was involved in the federal rollout of COVID-19 vaccines.

$25,000 buys plenty of used EVs: Here are some options [Ars Technica - All content]

Whether you're considering an electric vehicle because of gas prices or climate change, there has probably never been a better time to buy a used EV, even though the Trump administration abolished the used clean vehicle tax credit last year. When we started this ongoing series looking at used EV options, the initial idea was to see what was available at bargain-basement prices. But today we're looking at the $20,000–$25,000 bracket, and we're firmly out of the basement, with thousands of EVs across the country to choose from.

If you're only spending $5,000 on an EV, you're looking at much older models with smaller batteries that never had that much range even when new. But at four or five times that sum, the net is cast much, much wider. Buyers can start being a little choosy here, particularly as ex-lease cars begin filling dealership lots this year.

For those in the market, it helps that EVs face lower residuals than equivalent hydrocarbon-powered cars. All those incentives given to the original purchaser are passed along to future owners, but according to a Deloitte report, EV residuals are underperforming even more than expected. While I might expect most Ars Technica readers to see the potential, "many US consumers remain cautious about range, charge time, price, battery replacement cost, and public charging access," says Deloitte. Changing that will require automakers and car salespeople to do a much better job explaining battery longevity and range, according to the consulting company.

Satellite and drone images reveal big delays in US data center construction [Ars Technica - All content]

Silicon Valley has been pouring hundreds of billions of dollars into building ever-larger AI data centers that require as much electricity as hundreds of thousands of US homes—but that massive buildout faces significant construction and power challenges along with growing local resistance. Now satellite imagery is showing that nearly 40 percent of US data center projects may fail to be completed this year as scheduled.

The Financial Times drew upon satellite imagery from the geospatial data analytics company SynMax showing how much progress has been made in clearing land and laying building foundations for each data center project. It also cross-checked project progress against public statements and permit documents compiled by the industry research group IIR Energy. The resulting analysis revealed how major projects from tech companies such as Microsoft, Oracle, and OpenAI are “likely to miss completion dates by more than three months.”

Interviews with more than a dozen industry executives highlighted data center delays caused by “chronic shortages of labor, power and equipment” along with the process of securing the necessary permits, according to the Financial Times. Construction executives involved with OpenAI projects specifically mentioned not having enough tradespeople, such as electricians and pipe fitters, to work on multiple data center projects.

Feeds

Feed | RSS | Last fetched | Next fetched after
0xADADA | XML | 11:00, Sunday, 19 April | 19:00, Sunday, 19 April
AI Daily News by Bush Bush | XML | 07:00, Sunday, 19 April | 19:00, Sunday, 19 April
Ars Technica - All content | XML | 13:00, Sunday, 19 April | 14:00, Sunday, 19 April
art blog - miromi | XML | 11:00, Sunday, 19 April | 19:00, Sunday, 19 April
Astral Codex Ten | XML | 11:00, Sunday, 19 April | 19:00, Sunday, 19 April
Blog - Ethan Zuckerman | XML | 11:00, Sunday, 19 April | 19:00, Sunday, 19 April
Cool Tools | XML | 13:00, Sunday, 19 April | 14:00, Sunday, 19 April
Explorations of Style | XML | 03:00, Sunday, 19 April | 03:00, Monday, 20 April
Geek&Poke | XML | 07:00, Sunday, 19 April | 19:00, Sunday, 19 April
goatee | XML | 12:00, Sunday, 19 April | 18:00, Sunday, 19 April
Hacker News | XML | 13:00, Sunday, 19 April | 14:00, Sunday, 19 April
IDEAS | Matt Nisbet | XML | 11:00, Sunday, 19 April | 19:00, Sunday, 19 April
Joho the Blog | XML | 11:00, Sunday, 19 April | 19:00, Sunday, 19 April
LESSIG Blog | XML | 07:00, Sunday, 19 April | 19:00, Sunday, 19 April
Notes From the North Country | XML | 03:00, Sunday, 19 April | 03:00, Monday, 20 April
NPR Topics: News | XML | 13:00, Sunday, 19 April | 14:00, Sunday, 19 April
Pharyngula | XML | 12:00, Sunday, 19 April | 18:00, Sunday, 19 April
Philip Greenspun’s Weblog | XML | 13:00, Sunday, 19 April | 15:00, Sunday, 19 April
Philosophical Disquisitions | XML | 13:00, Sunday, 19 April | 15:00, Sunday, 19 April
quarlo | XML | 07:00, Sunday, 19 April | 19:00, Sunday, 19 April
Rhetorica | XML | 00:00, Sunday, 19 April | 00:00, Tuesday, 21 April
Science-Based Medicine | XML | 11:00, Sunday, 19 April | 19:00, Sunday, 19 April
Slashdot | XML | 14:00, Sunday, 19 April | 14:30, Sunday, 19 April
Stories by Yonatan Zunger on Medium | XML | 11:00, Sunday, 19 April | 19:00, Sunday, 19 April
Study Hacks - Decoding Patterns of Success - Cal Newport | XML | 11:00, Sunday, 19 April | 19:00, Sunday, 19 April
tinywords | XML | 14:00, Sunday, 19 April | 18:00, Sunday, 19 April
W3C - News | XML | 13:00, Sunday, 19 April | 14:00, Sunday, 19 April