IT

More Return-to-Office Crackdowns, with 61.7% of Employees Now in Office Full-Time (msn.com) 66

Paramount and Comcast's NBCUniversal are joining Microsoft in telling employees "they could face consequences if they don't return to the office more frequently," reports the Washington Post: NBCUniversal sent a memo to its employees telling them to return to the office four days a week starting in January [with the option to work remotely on Fridays]. Last week, Paramount told employees to return five days a week, with the first group starting in January. Both Paramount and NBCUniversal said they would offer severance packages to eligible employees who are unwilling or unable to make the switch... Companies have been cracking down on flexible work for the past several years, with Goldman Sachs being one of the first to implement a five-day office policy. Since then, others have joined in including Amazon, AT&T, JPMorgan Chase and the federal government...

Overall, the number of people working full time in office hasn't changed much over the past couple of years. About 61.7 percent of salaried employees worked from an office full time in August, according to data from university researchers Jose Maria Barrero, Nicholas Bloom and Steven J. Davis, who are studying the matter. That is down one percentage point from August 2024, their research shows. During the same period, the number of people working remotely dropped two percentage points and those working hybrid schedules increased three points.

While most of the big office pushes are coming from some of the largest employers in the nation, the majority of companies in the United States aren't requiring full-time office work, said Brian Elliott [publisher of the Flex Index, which tracks flexible policies, and CEO]. And about half of U.S. workers are employed by smaller companies, he added. Some companies are capitalizing on the mandates, using flexible policies as a way to poach talent from their competitors, he said....

Some employers are using office mandates to purposely shed workers. An August report from the Federal Reserve Bank shows that "multiple districts reported reducing headcounts through attrition — encouraged, at times, by return-to-office policies and facilitated, at times, by greater automation, including new AI tools." Still, with fewer job openings in the market, some employees will have to comply with office mandates.

Announcing their return-to-office mandates, employers gave the following reasons:
  • "In-person collaboration is absolutely vital to building and strengthening our culture and driving the success of our business. Being together helps us innovate, solve problems, share ideas, create, challenge one another, and build the relationships that will make this company great."

    -- Paramount CEO David Ellison (in a memo to staff)
  • "It has become increasingly clear that we are better when we are together. As we have all experienced, in-person work and collaboration spark innovation, promote creativity, and build stronger connections."

    -- Adam Miller, NBCUniversal chief operating officer (in a memo to staff)

Security

Proton Mail Suspended Journalist Accounts At Request of Cybersecurity Agency (theintercept.com) 77

An anonymous reader quotes a report from The Intercept: The company behind the Proton Mail email service, Proton, describes itself as a "neutral and safe haven for your personal data, committed to defending your freedom." But last month, Proton disabled email accounts belonging to journalists reporting on security breaches of various South Korean government computer systems following a complaint by an unspecified cybersecurity agency. After a public outcry, and multiple weeks, the journalists' accounts were eventually reinstated -- but the reporters and editors involved still want answers on how and why Proton decided to shut down the accounts in the first place.

Martin Shelton, deputy director of digital security at the Freedom of the Press Foundation, highlighted that numerous newsrooms use Proton's services as alternatives to something like Gmail "specifically to avoid situations like this," pointing out that "While it's good to see that Proton is reconsidering account suspensions, journalists are among the users who need these and similar tools most." Newsrooms like The Intercept, the Boston Globe, and the Tampa Bay Times all rely on Proton Mail for emailed tip submissions. Shelton noted that perhaps Proton should "prioritize responding to journalists about account suspensions privately, rather than when they go viral." On Reddit, Proton's official account stated that "Proton did not knowingly block journalists' email accounts" and that the "situation has unfortunately been blown out of proportion."

The two journalists whose accounts were disabled were working on an article published in the August issue of the long-running hacker zine Phrack. The story described how a sophisticated hacking operation -- what's known in cybersecurity parlance as an APT, or advanced persistent threat -- had wormed its way into a number of South Korean computer networks, including those of the Ministry of Foreign Affairs and the military Defense Counterintelligence Command, or DCC. The journalists, who published their story under the names Saber and cyb0rg, describe the hack as being consistent with the work of Kimsuky, a notorious North Korean state-backed APT sanctioned by the U.S. Treasury Department in 2023. As they pieced the story together, emails viewed by The Intercept show that the authors followed cybersecurity best practices and conducted what's known as responsible disclosure: notifying affected parties that a vulnerability has been discovered in their systems prior to publicizing the incident.

Phrack said the account suspensions created a "real impact to the author. The author was unable to answer media requests about the article." Phrack noted that the co-authors were already working with affected South Korean organizations on responsible disclosure and system fixes. "All this was denied and ruined by Proton," Phrack stated.

Phrack editors said that the incident leaves them "concerned what this means to other whistleblowers or journalists. The community needs assurance that Proton does not disable accounts unless Proton has a court order or the crime (or ToS violation) is apparent."

Encryption

Swiss Government Looks To Undercut Privacy Tech, Stoking Fears of Mass Surveillance (therecord.media) 31

The Swiss government could soon require service providers with more than 5,000 users to collect government-issued identification, retain subscriber data for six months and, in many cases, disable encryption. From a report: The proposal, which is not subject to parliamentary approval, has alarmed privacy and digital-freedoms advocates worldwide because of how it will destroy anonymity online, including for people located outside of Switzerland. A large number of virtual private network (VPN) companies and other privacy-preserving firms are headquartered in the country because it has historically had liberal digital privacy laws alongside its famously discreet banking ecosystem.

Proton, which offers secure and end-to-end encrypted email along with an ultra-private VPN and cloud storage, announced on July 23 that it is moving most of its physical infrastructure out of Switzerland due to the proposed law. The company is investing more than $117 million in the European Union, the announcement said, and plans to help develop a "sovereign EuroStack for the future of our home continent." Switzerland is not a member of the EU. Proton said the decision was prompted by the Swiss government's attempt to "introduce mass surveillance."

Nintendo

Sega Accused of Using Police Raid To Recover Nintendo Dev Kits After Office Disposal Error (timeextension.com) 73

Sega allegedly orchestrated a police raid to recover Nintendo development kits it had accidentally disposed of during an office relocation from Brentford to Chiswick Business Park. An anonymous UK reseller purchased the items -- including Game Boy Advance, DSi, 3DS, Wii, and Wii U development consoles plus prototype games like Sonic Chronicles and Mario & Sonic at the Winter Olympic Games -- for roughly $13,575 from a removals worker handling Sega's office clearance.

City of London Police arrested the seller July 14, 2025, on money laundering charges, deploying approximately ten officers to seize the hardware. The seller claims the search warrant was defective and authorized Sega representatives to participate in the raid. Nintendo development kits remain the hardware manufacturer's property regardless of possession, outlet Time Extension writes. Police requested the seller relinquish ownership two days after releasing him from eight hours in custody, which he refused. Sega has not responded to multiple legal letters or six separate pre-action protocol claims from the seller.

Businesses

India's IT Sector Nervous as US Proposes Outsourcing Tax (reuters.com) 82

India's massive IT sector faces a lengthy period of uncertainty with customers delaying or re-negotiating contracts while the U.S. debates a proposed 25% tax on American firms using foreign outsourcing services, analysts and lawyers told Reuters. From a report: The sector is likely to be on the receiving end of a bill which, though unlikely to pass in its nascent form, will initiate a gradual shift in how big-name firms in the world's largest outsourcing market buy IT services, they said. Still, with U.S. firms having to pay the tax, those heavily reliant on overseas IT services are likely to push back, setting the stage for extensive lobbying and legal battles, analysts and lawyers said.

India's $283 billion information technology sector has thrived for more than three decades exporting software services, with prominent clients including Apple, American Express, Cisco, Citigroup, FedEx and Home Depot. It has grown to make up over 7% of GDP. However, it has also drawn criticism in customer countries over job loss to lower-cost workers in India. Last week, U.S. Republican Senator Bernie Moreno introduced the HIRE Act, which proposes taxing companies that hire foreign workers over Americans, with the tax revenue used for U.S. workforce development.

Microsoft

Wyden Says Microsoft Flaws Led to Hack of US Hospital System (bloomberg.com) 39

US Senator Ron Wyden says glaring cybersecurity flaws by Microsoft enabled a ransomware attack on a US hospital system and has called on the Federal Trade Commission to investigate. Bloomberg: In a letter sent Wednesday to FTC Chairman Andrew Ferguson, the Oregon Democrat accused Microsoft of "gross cybersecurity negligence," which he said had resulted in ransomware attacks against US critical infrastructure.

The senator cited the case of the 2024 breach at Ascension, one of the nation's largest nonprofit health systems. The intrusion shut down computers at many of Ascension's hospitals, leading to suspended surgeries and the theft of sensitive data on more than 5 million patients. Wyden said an investigation by his office found that the Ascension hack began after a contractor carried out a search using Microsoft's Bing search engine and was served a malicious link, which led to the contractor inadvertently downloading malware. That allowed hackers access to Ascension's computer networks.

According to Wyden, the attackers then gained access to privileged accounts by exploiting an insecure encryption technology called RC4, which is supported by default on Windows computers. The hacking method is called Kerberoasting, which the company described as a type of cyberattack in which intruders aim to gather passwords by targeting an authentication protocol called Kerberos.
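Kerberoasting leaves a trace a defender can look for: a service-ticket request (Windows Security event 4769) whose Ticket Encryption Type is RC4-HMAC (0x17) rather than AES (0x11/0x12), especially many of them from one host against several user-style service accounts in a short window. The following is an added example, not code from the Wyden letter, from Bloomberg or from Microsoft; it assumes a hypothetical `Key=Value` export of 4769 records, and the event records themselves are constructed for the demo.

```python
"""Flag Kerberos service-ticket requests (Windows Security event 4769) that used
RC4-HMAC, the weak encryption type Kerberoasting relies on, and point out hosts
that pulled RC4 tickets for several services at once.

The records below are constructed for this example and use a hypothetical
'Key=Value' export format; the field semantics follow the 4769 event
(Ticket Encryption Type 0x17 = RC4-HMAC, 0x12 = AES256, 0x11 = AES128)."""
import re
from collections import Counter

# Kerberos encryption-type codes as they appear in the 4769 "Ticket Encryption Type" field.
ENC_TYPES = {"0x11": "AES128", "0x12": "AES256", "0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP"}
WEAK_ENC_TYPES = {"0x17", "0x18"}

# Constructed sample events (not real logs): one user pulls AES tickets normally,
# one host requests RC4 tickets for three different service accounts in a burst.
SAMPLE_EVENTS = [
    "EventID=4769 Account=jdoe@CORP.LOCAL Service=krbtgt EncType=0x12 Status=0x0 Ip=10.1.1.20",
    "EventID=4769 Account=jdoe@CORP.LOCAL Service=WS01$ EncType=0x12 Status=0x0 Ip=10.1.1.20",
    "EventID=4769 Account=contractor@CORP.LOCAL Service=svc_sql EncType=0x17 Status=0x0 Ip=10.1.1.77",
    "EventID=4769 Account=contractor@CORP.LOCAL Service=svc_backup EncType=0x17 Status=0x0 Ip=10.1.1.77",
    "EventID=4769 Account=contractor@CORP.LOCAL Service=svc_web EncType=0x17 Status=0x0 Ip=10.1.1.77",
    "EventID=4769 Account=legacyapp@CORP.LOCAL Service=svc_print EncType=0x17 Status=0x0 Ip=10.1.1.90",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'Key=Value Key=Value' record into a dict."""
    return dict(FIELD_RE.findall(line))


def is_roastable_service(service_name):
    """Only tickets for user-style service accounts matter here: computer accounts
    (names ending in '$') have random 120-character passwords, and krbtgt requests
    are TGTs rather than service tickets."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def find_rc4_service_tickets(lines):
    """Return successful 4769 events that issued an RC4 ticket for a roastable SPN."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
            continue
        if ev["EncType"] in WEAK_ENC_TYPES and is_roastable_service(ev["Service"]):
            findings.append({
                "requester": ev["Account"],
                "service": ev["Service"],
                "enc_type": ENC_TYPES.get(ev["EncType"], ev["EncType"]),
                "source_ip": ev["Ip"],
            })
    return findings


def burst_sources(findings, threshold=3):
    """Source IPs that obtained RC4 tickets for at least `threshold` distinct
    services: one host enumerating many SPNs at once is the classic roast pattern."""
    distinct = Counter()
    seen = set()
    for f in findings:
        key = (f["source_ip"], f["service"])
        if key not in seen:
            seen.add(key)
            distinct[f["source_ip"]] += 1
    return {ip: n for ip, n in distinct.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_rc4_service_tickets(SAMPLE_EVENTS)
    for h in hits:
        print(f"RC4 service ticket: {h['requester']} -> {h['service']} from {h['source_ip']}")
    print("burst sources:", burst_sources(hits))
```

On the sample data the detector reports four RC4 service tickets and singles out 10.1.1.77, which requested tickets for three different service accounts. A single RC4 ticket (the `legacyapp` line) is often just an old client, so the burst view is what an analyst would triage first; the corresponding hardening is to mark service accounts AES-only (or move them to group managed service accounts) so RC4 tickets are never issued for them in the first place.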

Businesses

A $3 Billion Error Draws Apology From South Africa Energy Agency (bloomberg.com) 35

An anonymous reader shares a report: South Africa's energy regulator apologized for a 54 billion-rand ($3.1 billion) error in calculating electricity tariffs, a mistake that will be passed on to consumers.

The National Energy Regulator of South Africa, which determines what state power utility Eskom Holdings SOC Ltd. can charge for electricity, announced the miscalculation last month, without providing further details. On Wednesday, it put the blunder down to a "data input error" that was picked up by Eskom, according to a presentation to lawmakers.

While the mistake had been identified before the tariff determination was made in January, it wasn't rectified as indicated at the time, and only discovered five months later, the regulator said. "The error is regrettable; it should not have happened," it said.

The incident brought into the spotlight South Africa's surging electricity prices and will result in them increasing by 8.76% in the next financial year, instead of the 5.36% originally agreed, and by 8.83% the year after, compared with 6.19%.

IT

Canon is Bringing Back a Point-and-Shoot From 2016 With Fewer Features and a Higher Price (theverge.com) 61

Canon will rerelease its 2016 PowerShot Elph 360 HS point-and-shoot camera as the PowerShot Elph 360 HS A in late October for $379 -- $169 more than the original's $210 launch price. The camera retains the same 20.2-megapixel CMOS sensor, Digic IV Plus processor, 12x optical zoom, 1080p video recording, and USB Mini port.

The new version switches from SD to microSD cards and removes Wi-Fi image transfer and direct printing capabilities. The rerelease comes after celebrities including Kendall Jenner and Dua Lipa popularized the original model on social media. The camera will be available in black or silver only; the original purple option has been discontinued.

Microsoft

Microsoft Forces Workers Back To the Office (nerds.xyz) 99

BrianFagioli writes: Microsoft has decided it is time to rein in remote work. The company will soon require employees to spend at least three days per week in the office, starting with those in the Puget Sound region by February 2026. From there, the policy will spread across the United States and eventually overseas.

Privacy

Plex Suffers Security Incident Exposing User Data and Urging Password Resets (nerds.xyz) 30

BrianFagioli shares a report from NERDS.xyz: Plex has alerted its customers about a security incident that may have affected user accounts. In an email sent to subscribers, the popular media server company confirmed that an unauthorized third party gained access to one of its databases. The breach exposed emails, usernames, and hashed passwords. Plex emphasized that passwords were encrypted following best practices, so attackers cannot simply read them. The company also reassured users that no credit card data was compromised, since Plex does not store that information on its servers. Still, out of caution, it is requiring all account holders to reset their credentials.

Users are being directed to reset their passwords at plex.tv/reset. During the process, Plex recommends enabling the option to sign out all connected devices. This measure logs out every device associated with the account, including Plex Media Servers, forcing a fresh login with the updated password. The company says it has already fixed the method used by the intruder to gain entry and is conducting additional security reviews. Plex is also urging subscribers to enable two-factor authentication if they have not already done so.

Security

Jaguar Land Rover Extends Shutdown After Cyber Attack 36

Jaguar Land Rover has extended the shutdown of its UK and overseas factories after a cyberattack forced it to take IT systems offline, disrupting production, dealerships, and suppliers. The BBC reports: Jaguar Land Rover's (JLR) UK factories are now expected to remain closed until at least Wednesday after work was disrupted by a cyber attack just over a week ago. The car plants at Halewood and Solihull and its Wolverhampton engine facility, along with production facilities in Slovakia, China and India, have been unable to operate since the company fell victim to the cyber attack. Staff who work on the production lines have been told to remain at home. JLR shut down its IT systems in response to the attack on 31 August, in order to protect them from damage. However, this caused major disruption. [...]

Under normal circumstances, the company builds about 1,000 cars a day. The production stoppage has had a significant impact on the company's suppliers, with some understood to have told their own staff not to come into work. As well as forcing the factories to stop building cars, it also left dealerships unable to register new cars and garages that maintain JLR vehicles unable to order the parts they needed -- although it is understood workarounds have since been put in place. The attack began at what is traditionally a popular time for consumers to take delivery of new vehicles. The latest batch of new registration plates became available on Monday, September 1.

AI

All IT Work To Involve AI By 2030, Says Gartner (theregister.com) 61

An anonymous reader quotes a report from The Register: All work in IT departments will be done with the help of AI by 2030, according to analyst firm Gartner, which thinks massive job losses won't result. Speaking during the keynote address of the firm's Symposium event in Australia today, VP analyst Alicia Mullery said 81 percent of work is currently done by humans acting alone without AI assistance. Five years from now Gartner believes 75 percent of IT work will be human activity augmented by AI, with the remainder performed by bots alone.

Distinguished VP analyst Daryl Plummer said this shift will mean IT departments gain labor capacity and will need to show they deserve to keep it. "You never want to look like you have too many people," he advised, before suggesting technology leaders consult with peers elsewhere in a business to identify value-adding opportunities IT departments can execute. Plummer said Gartner doesn't foresee an "AI jobs bloodbath" in IT or other industries for at least five years, adding that just one percent of job losses today are attributable to AI. He and Mullery did predict a reduction in entry-level jobs, as AI lets senior staff tackle work they would once have assigned to juniors.

The two analysts also forecast that businesses will struggle to implement AI effectively, because the costs of running AI workloads balloon. ERP, Plummer said, has straightforward up-front costs: You pay to license and implement it, then to train people so they can use it. AI needs that same initial investment but few organizations can keep up with AI vendors' pace of innovation. Adopting AI therefore creates a requirement for near-constant exploration of use cases and subsequent retraining. Plummer said orgs that adopt AI should expect to uncover 10 unanticipated ancillary costs, among them the need to acquire new datasets, and the costs of managing multiple models. The need to use one AI model to check the output of others -- a necessary step to verify accuracy -- is another cost to consider. AI's hidden costs mean Gartner believes 65 percent of CIOs aren't breaking even on AI investments.

Security

Hackers Hijack npm Packages With 2 Billion Weekly Downloads in Supply Chain Attack (bleepingcomputer.com) 47

An anonymous reader shares a report: In what is being called the largest supply chain attack in history, attackers have injected malware into NPM packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack.

The package maintainer whose accounts were hijacked in this supply-chain attack confirmed the incident earlier today, stating that he was aware of the compromise and adding that the phishing email came from support [at] npmjs [dot] help, a domain that hosts a website impersonating the legitimate npmjs.com domain.

In the emails, the attackers threatened that the targeted maintainers' accounts would be locked on September 10th, 2025, as a scare tactic to get them to click on the link redirecting them to the phishing sites.
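The lure described above combines two signals a mail filter can score on its own: a sender domain that reuses the `npmjs` label under a different suffix, and a body that pushes a hard deadline. The following is an added example, not code from the BleepingComputer report or from npm; the trusted-domain list, the urgency phrases and the sample messages are constructed for the demo, and the registrable-label logic is deliberately naive (it ignores multi-part public suffixes such as `co.uk`).

```python
"""Classify a sender address as trusted, lookalike or unrelated relative to a
small allowlist of brand domains, then combine that with an urgency check on
the message body. Added example; the allowlist and messages are constructed."""

# Constructed allowlist for the demo: the real domains the lure imitated.
TRUSTED_DOMAINS = {"npmjs.com", "github.com"}

# Constructed urgency phrases; a production filter would use a maintained list.
URGENCY_PHRASES = ("will be locked", "within 24 hours", "immediately",
                   "suspended", "verify your account")


def registrable_label(domain):
    """Second-level label of a host name, e.g. 'npmjs' for 'support.npmjs.help'.
    Naive on purpose: multi-part public suffixes (co.uk) are not handled."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats like npmj5.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """'trusted' for an allowlisted domain or its subdomains, 'lookalike' when a
    brand label is reused under another suffix, embedded in the registrable label,
    or one edit away from it, otherwise 'unrelated'."""
    domain = address.rsplit("@", 1)[-1].lower().strip(".")
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    labels = domain.split(".")
    reg = registrable_label(domain)
    for t in trusted:
        brand = registrable_label(t)
        if brand in labels:           # npmjs.help: same brand label, different TLD
            return "lookalike"
        if brand in reg:              # npmjs-support.com: brand embedded in the label
            return "lookalike"
        if len(brand) >= 4 and levenshtein(reg, brand) <= 1:   # npmj5.com
            return "lookalike"
    return "unrelated"


def triage(sender, body):
    """Quarantine brand lookalikes outright; route unrelated-but-urgent mail to
    human review; deliver the rest."""
    verdict = classify_sender(sender)
    urgent = any(p in body.lower() for p in URGENCY_PHRASES)
    if verdict == "lookalike":
        return "quarantine"
    if verdict == "unrelated" and urgent:
        return "review"
    return "deliver"


# Constructed messages modelled on the lure's shape; not the actual phishing text.
PHISH_SENDER = "support@npmjs.help"
PHISH_BODY = ("Your account will be locked on September 10th, 2025 unless you "
              "update your two-factor settings at the link below.")

if __name__ == "__main__":
    for sender, body in [
        (PHISH_SENDER, PHISH_BODY),
        ("noreply@github.com", "Your pull request was merged."),
        ("billing@example.org", "Please verify your account immediately."),
    ]:
        print(f"{sender:28} {classify_sender(sender):10} -> {triage(sender, body)}")
```

The domain check alone would have flagged `npmjs.help`, which is why the lookalike verdict quarantines regardless of body text; the urgency check exists for the case the domain heuristics miss, where a deadline threat is still worth a second pair of eyes rather than an automatic block.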

Cloud

Signal Rolls Out Encrypted Cloud Backups, Debuts First Subscription Plan at $1.99/Month (signal.org) 17

Signal has begun rolling out end-to-end encrypted cloud backups in its latest Android beta release. The opt-in feature allows users to restore message history if their phone is lost or damaged. Free backups include all text messages and 45 days of media attachments. A $1.99 monthly subscription extends media storage to 100GB.

Users generate a 64-character recovery key on their device that Signal's servers never access. Backups refresh daily, excluding view-once messages and those set to disappear within 24 hours. The nonprofit cited storage costs as the reason for its first paid tier. iOS and Desktop support will follow the Android rollout. Signal said it stores backup archives without linking them to specific user accounts or payment information.

The Courts

Whistle-Blower Sues Meta Over Claims of WhatsApp Security Flaws (nytimes.com) 8

The former head of security for WhatsApp filed a lawsuit on Monday accusing Meta of ignoring major security and privacy flaws that put billions of the messaging app's users at risk, the latest in a string of whistle-blower allegations against the social media giant. The New York Times: In the lawsuit filed in the U.S. District Court of the District of Northern California, Attaullah Baig claimed that thousands of WhatsApp and Meta employees could gain access to sensitive user data including profile pictures, location, group memberships and contact lists. Meta, which owns WhatsApp, also failed to adequately address the hacking of more than 100,000 accounts each day and rejected his proposals for security fixes, according to the lawsuit.

Mr. Baig tried to warn Meta's top leaders, including its chief executive, Mark Zuckerberg, that users were being harmed by the security weaknesses, according to the lawsuit. In response, his managers retaliated and fired him in February, he claims. Mr. Baig, who is represented by the whistle-blower organization Psst.org and the law firm Schonbrun, Seplow, Harris, Hoffman & Zeldes, argued in the suit that the actions violated a privacy settlement Meta reached with the Federal Trade Commission in 2019, as well as securities laws that require companies to disclose risks to shareholders.

IT

There's 50% Fewer Young Employees at Tech Companies Now Than Two Years Ago (fortune.com) 129

An anonymous reader shared this report from Fortune: The percentage of young Gen Z employees between the ages of 21 and 25 has been cut in half at technology companies over the past two years, according to recent data from compensation management software business Pave with workforce data from more than 8,300 companies.

These young workers accounted for 15% of the workforce at large public tech firms in January 2023. By August 2025, they only represented 6.8%. The situation isn't pretty at big private tech companies, either — during that same time period, the proportion of early-career Gen Z employees dwindled from 9.3% to 6.8%. Meanwhile, the average age of a worker at a tech company has risen dramatically over those two and a half years. Between January 2023 and July 2025, the average age of all employees at large public technology businesses rose from 34.3 years to 39.4 years — more than a five year difference. On the private side, the change was less drastic, with the typical age only increasing from 35.1 to 36.6 years old...

"If you're 35 or 40 years old, you're pretty established in your career, you have skills that you know cannot yet be disrupted by AI," Matt Schulman, founder and CEO of Pave, tells Fortune. "There's still a lot of human judgment when you're operating at the more senior level...If you're a 22-year-old that used to be an Excel junkie or something, then that can be disrupted. So it's almost a tale of two cities." Schulman points to a few reasons why tech company workforces are getting older and locking Gen Z out of jobs. One is that big companies — like Salesforce, Meta, and Microsoft — are becoming a lot more efficient thanks to the advent of AI. And despite their soaring trillion-dollar profits, they're cutting employees at the bottom rungs in favor of automation. Entry-level jobs have also dwindled because of AI agents, and stalling promotions across many agencies looking to do more with less. Once technology companies weed out junior roles, occupied by Gen Zers, their workforces are bound to rise in age.

Schulman tells Fortune Gen Z also has an advantage: that tech corporations can see them as fresh talent that "can just break the rules and leverage AI to a much greater degree without the hindrance of years of bias." And Priya Rathod, workplace trends editor for LinkedIn, tells Fortune there are promising tech-industry entry roles in AI ethics, cybersecurity, UX, and product operations. "Building skills through certifications, gig work, and online communities can open doors....

"For Gen Z, the right certifications or micro credentials can outweigh a lack of years on the resume. This helps them stay competitive even when entry level opportunities shrink."

China

Chinese Hackers Impersonated US Lawmaker in Email Espionage Campaign (msn.com) 25

As America's trade talks with China were set to begin last July, a "puzzling" email reached several U.S. government agencies, law firms, and trade groups, reports the Wall Street Journal. It appeared to be from the chair of a U.S. Congressional committee, Representative John Moolenaar, asking recipients to review an alleged draft of upcoming legislation — sent as an attachment. "But why had the chairman sent the message from a nongovernment address...?"

"The cybersecurity firm Mandiant determined the spyware would allow the hackers to burrow deep into the targeted organizations if any of the recipients had opened the purported draft legislation, according to documents reviewed by The Wall Street Journal." It turned out to be the latest in a series of alleged cyber espionage campaigns linked to Beijing, people familiar with the matter said, timed to potentially deploy spyware against organizations giving input on President Trump's trade negotiations. The FBI and the Capitol Police are investigating the Moolenaar emails, and cyber analysts traced the embedded malware to a hacker group known as APT41 — believed to be a contractor for Beijing's Ministry of State Security... The hacking campaign appeared to be aimed at giving Chinese officials an inside look at the recommendations Trump was receiving from outside groups. It couldn't be determined whether the attackers had successfully breached any of the targets.

A Federal Bureau of Investigation spokeswoman declined to provide details but said the bureau was aware of the incident and was "working with our partners to identify and pursue those responsible...." The alleged campaign comes as U.S. law-enforcement officials have been surprised by the prolific and creative nature of China's spying efforts. The FBI revealed last month that a Beijing-linked espionage campaign that hit U.S. telecom companies and swept up Trump's phone calls actually targeted more than 80 countries and reached across the globe...

The Moolenaar impersonation comes as several administration officials have recently faced impostors of their own. The State Department warned diplomats around the world in July that an impostor was using AI to imitate Secretary of State Marco Rubio's voice in messages sent to foreign officials. Federal authorities are also investigating an effort to impersonate White House chief of staff Susie Wiles, the Journal reported in May... The FBI issued a warning that month that "malicious actors have impersonated senior U.S. officials" targeting contacts with AI-generated voice messages and texts.

And in January, the article points out, all the staffers on Moolenaar's committee "received emails falsely claiming to be from the CEO of Chinese crane manufacturer ZPMC, according to people familiar with the episode."

Thanks to long-time Slashdot reader schwit1 for sharing the news.

Security

First AI-Powered 'Self-Composing' Ransomware Was Actually Just a University Research Project (tomshardware.com) 6

Cybersecurity company ESET thought they'd discovered the first AI-powered ransomware in the wild, which they'd dubbed "PromptLock". But it turned out to be the work of university security researchers...

"Unlike conventional malware, the prototype only requires natural language prompts embedded in the binary," the researchers write in a research paper, calling it "Ransomware 3.0: Self-Composing and LLM-Orchestrated." Their prototype "uses the gpt-oss:20b model from OpenAI locally" (using the Ollama API) to "generate malicious Lua scripts on the fly." Tom's Hardware said that would help PromptLock evade detection: If they had to call an API on [OpenAI's] servers every time they generate one of these scripts, the jig would be up. The pitfalls of vibe coding don't really apply, either, since the scripts are running on someone else's system.

The whole thing was actually an experiment by researchers at NYU's Tandon School of Engineering. So "While it is the first to be AI-powered," the school said in an announcement, "the ransomware prototype is a proof-of-concept that is non-functional outside of the contained lab environment."

An NYU spokesperson told Tom's Hardware a Ransomware 3.0 sample was uploaded to the malware-analysis platform VirusTotal, and then picked up by the ESET researchers by mistake: But the malware does work: NYU said "a simulation malicious AI system developed by the Tandon team carried out all four phases of ransomware attacks — mapping systems, identifying valuable files, stealing or encrypting data, and generating ransom notes — across personal computers, enterprise servers, and industrial control systems." Is that worrisome? Absolutely. But there's a significant difference between academic researchers demonstrating a proof-of-concept and legitimate hackers using that same technique in real-world attacks. Now the study will likely inspire the ne'er-do-wells to adopt similar approaches, especially since it seems to be remarkably affordable.

"The economic implications reveal how AI could reshape ransomware operations," the NYU researchers said. "Traditional campaigns require skilled development teams, custom malware creation, and substantial infrastructure investments. The prototype consumed approximately 23,000 AI tokens per complete attack execution, equivalent to roughly $0.70 using commercial API services running flagship models."

As if that weren't enough, the researchers said that "open-source AI models eliminate these costs entirely," so ransomware operators won't even have to shell out the 70 cents needed to work with commercial LLM service providers...

"The study serves as an early warning to help defenders prepare countermeasures," NYU said in an announcement, "before bad actors adopt these AI-powered techniques."

ESET posted on Mastodon that "Nonetheless, our findings remain valid — the discovered samples represent the first known case of AI-powered ransomware."

And the ESET researcher who'd mistakenly thought the ransomware was "in the wild" had warned that looking ahead, ransomware "will likely become more sophisticated, faster spreading, and harder to detect.... This makes cybersecurity awareness, regular backups, and stronger digital hygiene more important than ever."

Android

Boffins Build Automated Android Bug Hunting System 15

Researchers from Nanjing University and the University of Sydney developed an AI-powered bug-hunting agent that mimics human vulnerability discovery, validating flaws with proof-of-concept exploits. The Register reports: Ziyue Wang (Nanjing) and Liyi Zhou (Sydney) have expanded upon prior work dubbed A1, an AI agent that can develop exploits for cryptocurrency smart contracts, with A2, an AI agent capable of vulnerability discovery and validation in Android apps. They describe A2 in a preprint paper titled "Agentic Discovery and Validation of Android App Vulnerabilities."

The authors claim that the A2 system achieves 78.3 percent coverage on the Ghera benchmark, surpassing static analyzers like APKHunt (30.0 percent). And they say that, when they used A2 on 169 production APKs, they found "104 true-positive zero-day vulnerabilities," 57 of which were self-validated via automatically generated proof-of-concept (PoC) exploits. One of these included a medium-severity flaw in an Android app with over 10 million installs.

Microsoft

Microsoft 365 Personal is Now Free For US College Students For a Year (theverge.com) 55

Microsoft is giving away Microsoft 365 Personal subscriptions to all US college students. From a report: This subscription gives students free access to Microsoft's Office apps and the Copilot AI assistant integration for a year, after which the students are eligible for a 50 percent discount to continue the subscription.

While most students have access to education versions of Microsoft 365 or Google Workspace, Microsoft's offer is for students' own personal Microsoft accounts, and is available to claim until October 31st. Microsoft 365 Personal is usually $99.99 a year, or $9.99 a month, and includes 1TB of OneDrive cloud storage.