Phoronix's Michael Larabel reports: A 21 year old bug report requesting support of the XDG Base Directory specification is finally being addressed by Firefox. The Firefox 147 release should respect this XDG specification around where files should be positioned within Linux users' home directory. The XDG Base Directory specification lays out where application data files, configuration files, cached assets, and other files and file formats should be positioned within a user's home directory and the XDG environment variables for accessing those locations. To date Firefox has just positioned all files under ~/.mozilla rather than the likes of ~/.config and ~/.local/share.

Read more of this story at Slashdot.

An anonymous reader quotes a report from the New York Times: For the first time, scientists are tracking the migration of monarch butterflies across much of North America, actively monitoring individual insects on journeys from as far away as Ontario all the way to their overwintering colonies in central Mexico. This long-sought achievement could provide crucial insights into the poorly understood life cycles of hundreds of species of butterflies, bees and other flying insects at a time when many are in steep decline. The breakthrough is the result of a tiny solar-powered radio tag that weighs just 60 milligrams and sells for $200. Researchers have tagged more than 400 monarchs this year and are now following their journeys on a cellphone app created by the New Jersey-based company that makes the tags, Cellular Tracking Technologies. Most monarchs weigh 500 to 600 milligrams, so each tag-bearing migrator making the transcontinental journey is, by weight, equivalent to a half-raisin carrying three uncooked grains of rice. Researchers are tracking more than 400 tagged monarch butterflies as they fly toward winter colonies in central Mexico. The maps [in the article] follow six butterflies. [...] Tracking the world's most famous insect migration may also have a big social impact, with monarch lovers able to follow the progress of individual butterflies on the free app, called Project Monarch Science. Many of the butterflies are flying over cities and suburbs where pollinator gardens are increasingly popular. Some tracks could even lead to the discovery of new winter hideaways. "There's nothing that's not amazing about this," said Cheryl Schultz, a butterfly scientist at Washington State University and the senior author of a recent study documenting a 22 percent drop in butterfly abundance in North America over a recent 20-year period. "Now we will have answers that could help us turn the tide for these bugs."

Read more of this story at Slashdot.

OpenAI has introduced Aardvark, a GPT-5-powered autonomous agent that scans, reasons about, and patches code like a human security researcher. "By embedding itself directly into the development pipeline, Aardvark aims to turn security from a post-development concern into a continuous safeguard that evolves with the software itself," reports InfoWorld. From the report: What makes Aardvark unique, OpenAI noted, is its combination of reasoning, automation, and verification. Rather than simply highlighting potential vulnerabilities, the agent promises multi-stage analysis -- starting by mapping an entire repository and building a contextual threat model around it. From there, it continuously monitors new commits, checking whether each change introduces risk or violates existing security patterns. Additionally, upon identifying a potential issue, Aardvark attempts to validate the exploitability of the finding in a sandboxed environment before flagging it. This validation step could prove transformative. Traditional static analysis tools often overwhelm developers with false alarms -- issues that may look risky but aren't truly exploitable. "The biggest advantage is that it will reduce false positives significantly," noted Jain. "It's helpful in open source codes and as part of the development pipeline." Once a vulnerability is confirmed, Aardvark integrates with Codex to propose a patch, then re-analyzes the fix to ensure it doesn't introduce new problems. OpenAI claims that in benchmark tests, the system identified 92 percent of known and synthetically introduced vulnerabilities across test repositories, a promising indication that AI may soon shoulder part of the burden of modern code auditing.

Read more of this story at Slashdot.

"Windows Recovery Environment (RE), as the name suggests, is a built-in set of tools inside Windows that allow you to troubleshoot your computer, including booting into the BIOS, or starting the computer in safe mode," writes Tom's Hardware. "It's a crucial piece of software that has now, unfortunately, been rendered useless (for many) as part of the latest Windows update." A new bug discovered in Windows 11's October build, KB5066835, makes it so that your USB keyboard and mouse stop working entirely, so you cannot interact with the recovery UI at all. This problem has already been recognized and highlighted by Microsoft, who clarified that a fix is on its way to address this issue. Any plugged-in peripherals will continue to work just fine inside the actual operating system, but as soon as you go into Windows RE, your USB keyboard and mouse will become unresponsive. It's important to note that if your PC fails to start-up for any reason, it defaults to the recovery environment to, you know, recover and diagnose any issues that might've been preventing it from booting normally. Note that those hanging onto old PS/2-connector equipped keyboards and mice seem to be unaffected by this latest Windows software gaffe.

Read more of this story at Slashdot.

A now-fixed security flaw in India's income tax e-filing portal exposed millions of taxpayers' personal and financial data due to a basic IDOR vulnerability that let users view others' records by swapping PAN numbers. "The exposed data included full names, home addresses, email addresses, dates of birth, phone numbers, and bank account details of people who pay taxes on their income in India," reports TechCrunch. "The data also exposed citizens' Aadhaar number, a unique government-issued identifier used as proof of identity and for accessing government services." From the report: The researchers found that when they signed into the portal using their Permanent Account Number (PAN), an official document issued by the Indian income tax department, they could view anyone else's sensitive financial data by swapping out their PAN for another PAN in the network request as the web page loads. This could be done using publicly available tools like Postman or Burp Suite (or using the web browser's in-built developer tools) and with knowledge of someone else's PAN, the researchers told TechCrunch. The bug was exploitable by anyone who was logged-in to the tax portal because the Indian income tax department's back-end servers were not properly checking who was allowed to access a person's sensitive data. This class of vulnerability is known as an insecure direct object reference, or IDOR, a common and simple flaw that governments have warned is easy to exploit and can result in large-scale data breaches. "This is an extremely low-hanging thing, but one that has a very severe consequence," the researchers told TechCrunch. In addition to the data of individuals, the researchers said that the bug also exposed data associated with companies who were registered with the e-Filing portal. [...] It remains unclear how long the vulnerability has existed or whether any malicious actors have accessed the exposed data.

Read more of this story at Slashdot.