• WWW.COMPUTERWEEKLY.COM
    VMware patches put spotlight on support
    Organisations using VMware now have no choice but to buy an annual subscription for a bundled product if they plan to continue using the hypervisor. As Computer Weekly has previously reported, Broadcom has simplified the VMware product family, which is now only available as a subscription, licensed on a per-core basis. Some organisations, like Telefónica Germany, have managed to remain on perpetual licences by purchasing second-hand VMware licences and using a third-party support provider. But a recent security alert has brought into focus the difficulty of keeping licensed copies of VMware running without upgrading to a VMware subscription. Last month, Broadcom published a critical security advisory that covered three new zero-day vulnerabilities affecting multiple VMware products, including ESXi, Workstation and Fusion. The most severe of these was a critical vulnerability in ESXi and Workstation. According to Rapid7, these are not remotely exploitable vulnerabilities – they require an attacker to have existing privileged access on a virtual machine (VM) that is running on an affected VMware hypervisor. In a blog, Rapid7 noted that it may be possible to chain together the three vulnerabilities: “This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained privileged access (administrator or root) could move into the hypervisor itself.” Broadcom said administrators should assume that all versions of ESXi, vSphere and VCF are affected, apart from versions listed as “fixed”. “If there is any uncertainty about whether a system is affected, it should be presumed vulnerable, and immediate action should be taken,” the Broadcom advisory warned, adding that exploitation of the vulnerabilities has occurred “in the wild”. In terms of VMware users running older versions of ESXi, Broadcom has issued a patch for ESX 6.7, which is available via the Support Portal to all customers. 
ESX 6.5 customers, meanwhile, need to use the extended support process for access to patches, said Broadcom. It said products that are past their end of general support dates are not evaluated, and urged organisations using vSphere 6.5 and 6.7 to update to vSphere 8. To apply the patches issued by Broadcom, IT decision-makers will need to upgrade to a Broadcom subscription for VMware – unless they are prepared to source second-user licences covering a supported version of vSphere. This provides patches and updates for the latest supported VMware releases.  If managed carefully, moving to a VMware subscription could be the right approach, especially in organisations that can use the full VMware Cloud Foundation (VCF) suite and need a platform that can manage both virtualisation and containerisation. As Holland Barry, field chief technology officer for cloud and infrastructure at DXC Technology, pointed out in a recent Computer Weekly article, organisations adapting to VMware’s evolving licensing models are finding opportunities to optimise costs and enhance efficiencies. “Many have successfully streamlined their IT estates by replacing redundant functionalities – such as logging, observability, automation, software-defined networking, microsegmentation and hyperconverged infrastructure – with integrated solutions now available within their VMware Cloud Foundation model,” he said. For Bola Rotibi, principal analyst at CCS Insight, VCF’s architectural principle is based on building for interoperability. For hybrid and multicloud deployment scenarios, VCF provides what Rotibi regards as a consistent, enterprise-grade cloud experience. However, one of VCF’s biggest advantages, according to Rotibi, is its ability to support VMs and Kubernetes-based workloads on a single platform. “Many enterprises are still running legacy applications that rely on virtual machines,” she said. However, they also want to modernise with cloud-native, containerised applications. 
“Instead of forcing businesses to choose between two separate architectures, VCF seamlessly integrates both.” Barry recommends IT leaders align their hardware footprints to VMware’s new 16-core-per-CPU socket minimum, which, in his experience, is crucial for maximising performance and value. “By carefully recalibrating memory-to-CPU ratios, businesses have ensured that workloads run optimally without unnecessary overhead,” he added. Many IT leaders will not want to take a risk by running IT systems unpatched, but VMware is a mature product, which implies that best practices for maintaining a secure VMware environment are well understood. According to third-party support provider Spinnaker Support, VMware customers are having to figure out for themselves whether older, unsupported products are impacted by newly discovered vulnerabilities. Looking at a recent vulnerability affecting version 6.7 of VMware, Spinnaker Support said the feature that needed patches was not something built into version 5.5, making the risk irrelevant in organisations using the older version of the VMware product. While Broadcom’s bundling of VMware products simplifies the product family, in Spinnaker’s experience, this means VMware patches are being released for products that many organisations do not use. Craig Savage, vice-president of cyber security at Spinnaker Support, said: “Broadcom’s bundling strategy is making it harder for customers to separate genuine security risks from noise. When everything is wrapped into large, expensive packages, understanding what truly needs protection – and what doesn’t – becomes far more difficult.”
  • WWW.ZDNET.COM
    Are sleep earbuds legit? I put these made by ex-Bose engineers to the test
    ZDNET's key takeaways: The Ozlo Sleepbuds, created by three Bose engineers, launched last fall, and they are the most useful sleep earbuds I've tested so far. The sound is perfect for masking environmental annoyances that keep you awake, and the fit is comfortable and secure. The sleep tracking feature hasn't hit the earbuds yet, and setup took a few tries and several glitches, but once these work in your ears, they get you to bed instantly. I take my sleep as seriously as some athletes take their workout or diet routine. While I can control everything from the steps I take ahead of bedtime to the pajamas I wear or the sleep mask I put over my eyes to drown out light, one uncontrollable factor often keeps me awake: the sounds outside my Brooklyn apartment. My bedroom overlooks a busy -- and often noisy -- street. As I write this, motorcycle engines rev, and a firetruck's siren blares in the background. I've woken up to police sirens, honking cars, noisy pedestrians, and my neighbors, who loudly celebrate with songs and festivities into the wee hours of the night. During the 2023 holiday season, the loud voices singing songs until 1 a.m. kept me awake and made it difficult to get to bed. But this year, I took the noisy opportunity to test out the Ozlo Sleepbuds, and, boy, am I glad I did. They helped me get to sleep in minutes. For that reason, ZDNET and the rest of the CNET Group picked it for a CES award for 2025. You can see all 12 of the Best of CES winners selected by the CNET Group (ZDNET, CNET, PCMag, Mashable, and Lifehacker) in partnership with the organization that runs CES. The Ozlo Sleep earbuds are some of the most comfortable and effective sleep earbuds I've ever tested, and I can't recommend them enough to anybody who needs to quiet down their bedtime environment to catch a few more Z's, that is, if they're willing to pay the $300 price tag. Keep reading to learn why.
If you've heard anything about Ozlo, it's probably because you were interested in the discontinued Bose Sleepbuds that the audio brand cut the cord on in 2020. The buds "didn't reach the level of adoption" Bose hoped they would, despite their avid following, Bose spokesperson Joanne Berthiaume told The Verge. The Ozlo Sleepbuds are the Sleepbuds reincarnate, taking some of Bose's proprietary tech, like the StayHear Plus tips, and implementing them into a new product. The earbuds come in a hefty but sleek case, and you can customize your ear tip and ear wing size to suit your desired fit. Setup was where I confronted the most issues, and the connection fell through twice before I could link up with the app. Once I was connected, the app's introductory pages glitched, and I found myself closing out the app to relaunch it several times. When my settings in the app were confirmed and the connection was established, I had no trouble using these buds. Thankfully, you don't need the app to get white noise out of the earbuds from the jump, and the first night I tested them, I used them easily without the app. But if you want customization, the Ozlo app provides ten different sleep sounds (or masking sounds) you can sort through. There's an earbud alarm you can use (though I have bad luck with these in-ear alarms, given how I wake up with my earbuds strewn across my bed), a sleep timer that shuts down the buds after a customizable amount of time to save battery, and an Auto-Play Sleep Sound feature that detects once you've fallen asleep and switches from the podcast or music you're playing to the masking sound you've selected. The Ozlo Sleepbuds hit the market with two key features that are unfortunately missing: sleep-tracking and environment-sensing capabilities. Eventually, Ozlo will roll out an over-the-air update to add these features.
I will test them out once they are available and update my review with my thoughts, although it is disappointing that these key selling points aren't available at launch. These buds are made to last in your ears through a night's sleep. A pair of earbuds rarely lasts the night in my ears, given how regularly I move around in my sleep. When I wear sleep earbuds, it's to help me fall asleep amid a noisy backdrop of sound outside my window. Once I'm asleep, I can stay asleep and am not woken up by much. I only need them to stay in and fit well at the beginning of the night; I don't need them in for the entire night -- though I don't mind when they are. The ear wings on the Sleepbuds stabilize the fit for a long time, and when I wake up, normally, one earbud is still in my ear (there was one night over the past week of testing where both stayed in the entire night). The battery life lasted me about one and a half nights before it was due for a recharge. Every night I wore these buds, I slept like a baby and fell asleep within minutes. I found myself first gravitating towards them on nights when my neighbors celebrated on the street outside my apartment. However, I eventually put them in my ears even when outside disturbances were negligible. They're simply that comfortable and effective. They succeed at masking noise around me and isolating me from the pesky engines and sirens outside. One area that I couldn't test was whether they mask snoring. From my experience using them alone in my bedroom to dim outside sounds, I'd say they do a good job of removing ambient distractions, but I can't confirm how effective they'd be at minimizing snores right next to you. If you don't shuffle in bed throughout the night, these will stick in your ears -- and they're quite comfortable for side sleepers.
I didn't experience any pressure built up over time, and, in the mornings, I didn't feel any soreness or sensitivity. One of my favorite aspects of these buds is the sleep sounds paired with the Sleepbuds' audio strength, which is loud enough to completely mask external sounds outside my bedroom window while being quiet and neutral enough to send me to sleep. That's a difficult feat and one that I had trouble finding while testing competing sleep earbuds. ZDNET's buying advice: So, who are these for? People who prioritize comfort in a sleep earbud and are willing to pay $300 for it. These earbuds dissolved in my ears during sleep, and as I shuffled from one side to the other, I found myself absolutely content with them in my ears. The Ozlo Sleepbuds masked noises properly and efficiently, dulling down the outside hubbub on one of the busiest weeks of the year in my neighborhood. So, yes, they work as a noise masker (they technically aren't noise canceling). Setup and connection can be a bit dodgy, but brand-new product launches inevitably come with bugs. The product itself is great once it's connected. I look forward to sleeping with these earbuds the next time my neighborhood is up all night singing and partying. What are the tariffs in the US? The recent US tariffs on imports from countries like China, Vietnam, and India aim to boost domestic manufacturing but are likely to drive up prices on consumer electronics. Products like smartphones, laptops, and TVs may become more expensive as companies rethink global supply chains and weigh the cost of shifting production. Headphones and wearable devices, which are predominantly manufactured in these regions, are now subject to tariffs as high as 54% on Chinese imports and 46% on Vietnamese goods. As a result, consumers may see price increases of approximately 20% on these items.
Manufacturers are exploring options like relocating production to countries with lower tariffs, but such shifts are complex and may not provide immediate relief. In the short term, shoppers should anticipate higher costs for headphones and wearables due to these trade policies.
  • WWW.FORBES.COM
    What Discord CEO’s Departure Means For Finance Professionals
    Although Discord originally built its user base within the gaming community, it appeals to a broad range of users, including those in financial services.
  • TIME.COM
    OpenAI Wants to Go For-Profit. Experts Say Regulators Should Step In
    In the latest development in an ongoing struggle over OpenAI's future direction—and potentially the future of artificial intelligence itself—dozens of prominent figures are urging the Attorneys General of California and Delaware to block OpenAI’s controversial plan to convert from its unique nonprofit-controlled structure to a for-profit company. In a letter made public April 23, signatories including “AI Godfather” Geoffrey Hinton, Harvard legal professor Lawrence Lessig, and several former OpenAI researchers argue the move represents a fundamental betrayal of OpenAI’s founding mission. “The proposed restructuring would eliminate essential safeguards, effectively handing control of, and profits from, what could be the most powerful technology ever created to a for-profit entity with legal duties to prioritize shareholder returns,” the letter’s authors write. It lands as OpenAI faces immense pressure from the other side: failing to implement the restructure by the end of the year could cost the company $20 billion and hamstring future fundraising. OpenAI was founded in 2015 as a non-profit, with its stated mission being to ensure that artificial general intelligence (AGI) "benefits all of humanity" rather than advancing "the private gain of any person." AGI, which OpenAI defines as systems outperforming humans at most economically valuable work, was seen as potentially world-changing but also carrying clear risks, especially if controlled solely by a for-profit company. By 2019, believing they’d need to attract outside investment to build AGI, OpenAI’s leadership created a “capped-profit” subsidiary controlled by the original nonprofit—a hybrid that has allowed the firm to take on over $60 billion in capital over the years to become one of the most valuable startups in history. CEO Sam Altman himself testified to Congress in 2023 that this structure "ensures it remains focused on [its] long-term mission."
Then, in December, OpenAI proposed dismantling that unique arrangement, morphing its capped-profit arm into a public benefit corporation, which would take control of OpenAI’s operations and business. The original nonprofit, while relinquishing direct control, would become—through owning a significant equity in the new company—a massively endowed foundation; it would hire its own leadership to fund and pursue separate charitable work in fields such as science and education. OpenAI says the new arrangement would enable them to “raise the necessary capital with conventional terms like others in this space.” Indeed, the need for such terms appears already baked into recent deals: investors from OpenAI’s most recent $40 billion fundraising round, finalized in March, can withdraw half that amount if OpenAI doesn’t restructure by the end of this year. “Our Board has been very clear: our nonprofit will be strengthened and any changes to our existing structure would be in service of ensuring the broader public can benefit from AI. Our for-profit will be a public benefit corporation, similar to several other AI labs like Anthropic - where some of these former employees now work - and xAI, except that they do not support a nonprofit,” an OpenAI spokesperson told TIME via email. “This structure will continue to ensure that as the for-profit succeeds and grows, so too does the nonprofit, enabling us to achieve the mission.” Under the restructure, board members would still legally have to consider OpenAI’s founding mission—albeit it would be downgraded, having to be weighed against profits. “The nonprofit has the authority to basically shut down the company if it thinks it's deviating from [OpenAI’s] mission. Think of it as an off-switch,” Stuart Russell tells TIME. Russell is one of the letter's signatories and a UC Berkeley computer science professor, who co-authored the field's standard textbook.
“Basically, they're proposing to disable that off-switch,” he says. That OpenAI’s competitors are for-profit is beside the point, says Sunny Gandhi, vice president of political affairs at youth-led advocacy group Encode Justice and one of the letter’s signatories. “It’s sort of like asking a conservation nonprofit why they can't convert to a logging company just because there are other logging companies out there,” he says. “I think that it would be great if xAI and Anthropic were also nonprofit, but they're not,” he adds. If OpenAI wants to prioritize competitiveness over its original mission, Gandhi says “that's the problem that their original structure was trying to prevent.” The open letter’s targeting of the Attorneys General Rob Bonta of California and Kathy Jennings of Delaware is strategic. In March, Elon Musk lost his bid for an immediate preliminary injunction that would block OpenAI’s conversion, but the decision turned largely on Musk's questionable legal standing—or interest in the case—not the conversion's inherent legality. The judge indicated Musk’s argument that the for-profit shift breaches OpenAI's charitable charter is worthy of further consideration, expediting the trial to this fall. Unlike Musk, however, California and Delaware’s Attorneys General have a clear legal interest in the case. California Attorney General Rob Bonta’s office is reportedly already investigating OpenAI’s plans, and Delaware Attorney General Kathy Jennings has previously signalled she intends to scrutinize any restructuring. Neither responded to TIME’s request for comment on the letter specifically. But how they act may set a precedent, signaling whether corporate governance structures designed to preserve a company’s ideals can withstand the financial gravity of the AI gold rush, or will ultimately buckle under its weight.
  • WWW.TECHSPOT.COM
    Trump tariffs push top PC makers Lenovo, HP, and Dell toward Saudi Arabia
    So Much Winning: According to multiple analysts, Donald Trump introduced his unprecedented tariff plan in an effort to force manufacturers to return to the US. If that was truly the goal, the tariffs ended up being instrumental in achieving the exact opposite outcome. The so-called "reciprocal tariffs" imposed by the Trump administration could push major PC manufacturers to find new production hubs, and it likely won't be in the US. Earlier this month, laptop makers were already forced to halt shipments to the US due to tariff-related uncertainty and logistical chaos. Now, some of the world's largest PC brands appear to be eyeing Saudi Arabia as their next manufacturing base. According to a recent report by DigiTimes, Lenovo, HP, and Dell are actively exploring new manufacturing initiatives in the Middle Eastern kingdom. Lenovo publicly announced its plans earlier this year, stating that the move is part of a broader strategy to diversify operations and gain privileged access to markets in the Middle East and Africa. Lenovo's initiative is backed by a $2 billion investment from Saudi Arabia's Public Investment Fund, a massive $620 billion fund aimed at transforming the kingdom's economy beyond its dependence on fossil fuels. PIF is also expected to play a role in supporting HP and Dell's potential relocations, although progress on those fronts has been slower. The two US-based OEMs have dispatched teams to Saudi Arabia after being approached by local government authorities. These scouting teams are tasked with assessing the situation on the ground and identifying potential sites for new manufacturing facilities. Sources indicate the new plants would likely be located near Riyadh, the capital of Saudi Arabia. In addition, Riyadh officials have extended invitations to several original design manufacturers including Foxconn, Quanta, Wistron, Compal, and Inventec. 
These companies are capable of both designing and manufacturing their own products and typically require specific industrial conditions to meet their production goals. To attract OEMs and ODMs, Saudi Arabia is offering a range of exclusive incentives including covering the full cost of constructing the new facilities. Relocating to Saudi Arabia could offer manufacturers strategic advantages amid current global economic volatility. While Donald Trump has imposed a steep 245 percent tariff on imports from China, Saudi Arabia faces a relatively modest 10 percent reciprocal tariff. For OEMs, improved access to Middle East and African markets is an appealing proposition, while ODMs may also leverage existing operations in Mexico to circumvent US tariffs altogether.
  • WWW.DIGITALTRENDS.COM
    Wiim’s tvOS app is another slap at Sonos
    Wiim, the wireless audio company that has been making big inroads into a market once dominated by Sonos, quietly launched a version of its Wiim Home app for Apple TV owners earlier this month. Though not groundbreaking by any means, it’s yet another example of how this wireless audio upstart is moving at an incredible speed when compared to its main competitor. Sonos and Wiim have a similar approach when it comes to the mobile apps for iOS and Android that are used to control their respective products. Sonos — despite its horrendously botched redesign that continues to plague owners with issues — has a more sophisticated set of features, but one thing it has never done is develop a version of its app for either tvOS or Android TV. What’s even more striking is that none of Sonos’ soundbars that connect to a TV via HDMI ARC leverage that connection to let you see a now playing screen when you use the soundbar for streaming music instead of TV content. When the company announced its updated flagship, the Sonos Arc Ultra, the press imagery included what looked like a now playing screen, but the company said it was not meant to reflect a feature of the Arc Ultra either at launch, or as a planned update. Until March 2025, it was fully expected that Sonos would launch its own streaming video device to compete with the Apple TV. Codenamed Pinewood, the device was reportedly going to sport multiple HDMI connections and a lag-free wireless connection to Sonos speakers and soundbars. The device would, it could be assumed, have a full TV interface for controlling Sonos devices. And yet, on March 12, Sonos management informed employees that the product had been removed from the company’s roadmap, with no discussion of when or if it might return. The Wiim Home for tvOS takes a simpler approach — at least for now.
More than just a giant version of the song info displayed on the front of its Wiim Ultra network music streamer, the app is similar to native tvOS streaming services, like Apple Music or Tidal. It’s a mini player, giving you playback, volume, repeat/shuffle, and scrubbing controls for the currently playing song, as well as a way to switch between Wiim devices on your network. You can pick between two different song info screen treatments — a color block or a blurred background based on the album cover display. John Darko performed some in-depth testing with the tvOS app and discovered it would display song info on a Wiim device, even if he used music sources that didn’t originate from within the Wiim mobile app (like using AirPlay 2 or Tidal Connect). Some bugs were noted: the queue list didn’t populate correctly and the Apple remote’s own play/pause and forward/back buttons couldn’t be used for direct control (you need to use the d-pad to select the relevant on-screen controls). Wiim says it’s gathering feedback from users on the new app — and has already confirmed an Android TV version is coming — so I wouldn’t be too concerned about these minor issues. Plus, the current feature set may yet evolve. Should the Wiim Home for tvOS app try to emulate every feature from the company’s mobile apps? I don’t think that’s necessary or needed. For most folks, simply being able to use the biggest screen in the house to show what’s playing is already more than enough reason to download and install the free app. And as for Sonos? Let’s hope it’s taking notes. Lots of notes.
  • WWW.WSJ.COM
    A Savory Tart So Delicious, Your Guests Will Happily Help Make It
    In Provence, this savory tart topped with caramelized onions, anchovies and olives is called a pissaladière. We call it a great excuse to put your dinner guests to work assembling dinner. This recipe makes it easy.
  • ARSTECHNICA.COM
    Bone collector caterpillar adorns itself in insect body parts
    Most Metal Caterpillar Ever. The caterpillars even tailor the body parts, nibbling away at excess material to ensure a proper fit. Jennifer Ouellette – Apr 24, 2025 2:00 pm. "If you're going to live in Smaug's lair, you'd better look like treasure." Credit: Rubinoff lab/University of Hawaii, Manoa. This Hawaiian caterpillar raids spiderwebs camouflaged in insect prey’s body parts, and it's not above cannibalism in a pinch. Credit: Rubinoff lab/University of Hawaii, Manoa. We think of moths and butterflies as relatively harmless creatures, but there are certain species with a darker side—for example, carnivorous caterpillars that eat aphids, butterflies that drink alligator tears, or "vampire" moths that feed on livestock blood. Add to that list the newly discovered "bone collector" caterpillar, which conducts daring raids on spider webs for sustenance, camouflaging itself in the body parts of already-consumed insects to avoid being eaten. Not only that, but according to a new paper published in the journal Science, the caterpillars can tailor those insect parts, nibbling away at any excess material to ensure a proper fit. Daniel Rubinoff, an entomologist at the University of Hawaii, Manoa, studies a genus of moths found in Hawaii called Hyposcoma, or as he has dubbed their larval form, "Hawaiian Fancy Case" caterpillars, so named because they spin their own casings, adding to them as they grow, although the materials used can vary widely. There are now more than 600 species within this genus, many of them not yet officially described, so it was a rich research area to explore. The discovery of the bone collector species was serendipitous.
"You never forget your first bone collector," Rubinoff told Ars. His team was on O'ahu looking for Hyposcoma when they came across a little tree hollow and spotted something at the bottom that at first glance just looked like "a bag of bug bits." The caterpillar then stuck its head out, and the researchers realized it was a new kind of case. Rubinoff assumed that the spider web also found in the tree hollow was a coincidence; the caterpillar just used the materials readily available in the tree hollow to make its fancy case. But then the team started finding more of these caterpillars, all covered in the body parts of other insects and shed spider skins, and all in the vicinity of spider webs. "We started realizing these things are only hanging out where there are spiders," said Rubinoff, who spent several years verifying that this was, indeed, a rare new species. "It's the sort of thing you really want to be sure of because it's not just incredible, it's unimaginable." A genomic analysis confirmed the researchers' suspicions and shed some light on the bone collector's possible evolutionary pathway. The bone caterpillar may have only just been discovered by humans, but it's at least 5 million years old and possibly as old as 12 million years, predating the island of O'ahu on which it now exclusively resides in an area of about 15 square kilometers in the Wai'anae Mountains. No other known member of the same lineage has yet been found, suggesting that the species originated on an early island in a chain that has since subsided. Dressed for success: Why do the caterpillars do this? "It's a decorate or die situation," said Rubinoff. "In evolutionary history, the ones that didn't decorate their cases were probably removed from the gene pool pretty quickly. But a few of them started incorporating bug and spider bits in their cases and survived. Selection would drive them toward having the sensory capacity to detect those bits and use them as camouflage.
If you're going to live in Smaug's lair, you'd better look like treasure." Bone collector larva in web. Credit: Rubinoff lab/University of Hawaii, Manoa. Pinned adult female (left) of the bone collector caterpillar and portable case (right) in which the larva resides decorated with body parts from ants, bark beetles, weevils, and flies. Credit: D. Rubinoff et al., 2025. Bone collector cases. Credit: Rubinoff lab/University of Hawaii, Manoa. It's a jumbled-up, messy kind of treasure, since arranging the body parts in too orderly a fashion would defeat the purpose of camouflage as they crawl around the three-dimensional cobwebs they favor. "They're not going to do a tightrope walk between two trees; they're hiding in a little hole in a log where there are cobwebs," said Rubinoff. "A spider detects vibrations in the web, rushes out to grab its prey, smells itself and prey it's already eaten, and assumes there is nothing new to eat." The next step is to take a closer look at the caterpillar genome to find an underlying mechanism for this unusual behavior, as well as details on how the caterpillars can distinguish between bug bits and, say, dirt, and how they are able to perceive size for tailoring purposes. A bone collector can be quite selective, picking up potential body parts among the web detritus and probing them with its mandibles, chewing larger pieces down to the desired size.
    Nor will the caterpillars accept other materials when they spin their cases: It's the discarded corpses of their enemies or nothing, even in captivity. Rubinoff has already brought several into the lab, where the caterpillars can gorge themselves on Drosophila pupae with no fear of spiders interrupting the feast. This confirmed that bone collectors are no mere scavengers; they are predatory, chewing right through the silk to eat the live pupae. They will even cannibalize each other, "which is why you don't see more than one at each spiderweb," said Rubinoff.

    The clock is ticking, however, as the bone collector is extremely rare and in danger of extinction, due to the large number of invasive species—especially non-native ants and parasitic wasps—that have found their way to Hawaii. Thus far, the bone collector has been able to adapt and raid the cobwebs of non-native spiders to survive. "I don't want to say it's on the verge of winking out, but in the context, it seems likely," said Rubinoff. "We've lost entire genera of endemic insects [in Hawaii]. It could be one new ant species away from being obliterated."

    Science, 2025. DOI: 10.1126/science.ads4243

    Jennifer Ouellette, Senior Writer
    Jennifer is a senior writer at Ars Technica with a particular focus on where science meets culture, covering everything from physics and related interdisciplinary topics to her favorite films and TV series. Jennifer lives in Baltimore with her spouse, physicist Sean M. Carroll, and their two cats, Ariel and Caliban.
  • WWW.INFORMATIONWEEK.COM
    Essential Tools to Secure Software Supply Chains
    Max Belov, Chief Technology Officer, Coherent Solutions
    April 24, 2025 | 4 Min Read
    Image credit: nipiphon na chiangmai via Alamy Stock

    Attacks on software supply chains to hijack sensitive data and source code occur almost daily. According to the Identity Theft Resource Center (ITRC), over 10 million individuals were affected by supply chain attacks in 2022. Those attacks targeted more than 1,700 institutions and compromised vast amounts of data.

    Software supply chains have grown increasingly complex, and threats have become more sophisticated. Meanwhile, AI is working in favor of hackers, supporting malicious attempts more than strengthening defenses. The larger the organization, the harder CTOs have to work to enhance supply chain security without sacrificing development velocity and time to value.

    More Dependencies, More Vulnerabilities

    Modern applications rely more on pre-built frameworks and libraries than they did just a few years ago, each coming with its own ecosystem. Security practices like DevSecOps and third-party integrations also multiply dependencies. While they deliver speed, scalability, and cost-efficiency, dependencies create more weak spots for hackers to target.

    Such practices are meant to reinforce security, yet they may lead to fragmented oversight that complicates vulnerability tracking. Attackers can slip through the pathways of widely used components and exploit known flaws. A single compromised package that ripples through multiple applications may be enough to result in severe damage.

    Supply chain breaches cause devastating financial, operational, and reputational consequences. For business owners, it’s crucial to choose digital engineering partners who place paramount importance on robust security measures. Service vendors must also understand that guarantees of strong cybersecurity are becoming a decisive factor in forming new partnerships.

    Misplaced Trust in Third-Party Components

    Most supply chain attacks originate on the vendor side, which is a serious concern for the vendors. As mentioned earlier, complex ecosystems and open-source components are easy targets. CTOs and security teams shouldn't place blind trust in vendors. Instead, they need clear visibility into the development process.

    Creating and maintaining a software bill of materials (SBOM) for your solution can help mitigate risks by revealing a list of software components. However, SBOMs provide no insight into how these components function and what hidden risks they carry. For large-scale enterprise systems, reviewing SBOMs can be overwhelming and doesn’t fully guarantee adequate supply chain security. Continuous monitoring and a proactive security mindset -- one that assumes breaches exist and actively mitigates them -- make the situation more controllable, but they are no silver bullet.

    Software supply chains consist of many layers, including open-source libraries, third-party APIs, cloud services and others. As they add more complexity to the chains, effectively managing these layers becomes pivotal. Without the right visibility tools in place, each layer introduces potential risk, especially when developers have little control over the origins of each component integrated into a solution. Tools such as Snyk, Black Duck, and WhiteSource (now Mend.io) help analyze software composition by scanning components for vulnerabilities and identifying outdated or insecure ones.

    Risks of Automatic Updates

    Automatic updates are a double-edged sword; they significantly reduce the time needed to roll out patches and fixes while also exposing weak spots. When trusted vendors push well-structured automatic updates, they can also quickly deploy patches as soon as flaws are detected and before attackers exploit them.

    However, automatic updates can become a delivery mechanism for attacks.
    In the SolarWinds incident, malicious code was inserted into an automated update, which made massive data theft possible before it was detected. Blind trust in vendors and the updates they deliver increases risks. Instead, the focus should shift to integrating efficient tools to build sustainable supply chain security strategies.

    Building Better Defenses

    CTOs must take a proactive stance to strengthen defenses against supply chain attacks. Hence the necessity of SBOM and software composition analysis (SCA), automated dependency tracking, and regular pruning of unused components. Several other approaches and tools can help further bolster security:

    - Threat modeling and risk assessment help identify potential weaknesses and prioritize risks within the supply chain.
    - Code quality ensures the code is secure and well-maintained and minimizes the risk of vulnerabilities.
    - SAST (static application security testing) scans code for security flaws during development, allowing teams to detect and address issues earlier.
    - Security testing validates that every system component functions as intended and is protected.

    Relying on vendors alone is insufficient -- CTOs must prioritize stronger, smarter security controls. They should integrate robust tools for tracking SBOM and SCA and should involve SAST and threat modeling in the software development lifecycle. Equally important are maintaining core engineering standards and performance metrics like DORA to ensure high delivery quality and velocity. By taking this route, CTOs can build and buy software confidently, staying one step ahead of hackers and protecting their brands and customer trust.

    About the Author

    Max Belov, Chief Technology Officer, Coherent Solutions
    Max Belov joined Coherent Solutions in 1998 and assumed the role of CTO two years later. He is a seasoned software architect with deep expertise in designing and implementing distributed systems, cybersecurity, cloud technology, and AI. He also leads Coherent’s R&D Lab, focusing on IoT, blockchain, and AI innovations. His commentary and bylines have appeared in CIO, Silicon UK Tech News, Business Reporter, and TechRadar Pro.
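The article's points about SBOMs (a component list that says nothing about behaviour) and about pruning unused components can be made concrete with a small audit. This is an added example, not code from the article or from any tool it names; it assumes the SBOM is in CycloneDX JSON (the article names no format), and the service, component names and digest placeholder are constructed.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM for a hypothetical service; all names,
# versions and the digest placeholder are made up for this example.
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"bom-ref": "app", "name": "billing-api"}},
 "components": [
  {"bom-ref": "web", "name": "webframework", "version": "4.1.2",
   "hashes": [{"alg": "SHA-256", "content": "PLACEHOLDER-DIGEST"}]},
  {"bom-ref": "tpl", "name": "templater", "version": "1.0.9", "hashes": []},
  {"bom-ref": "yaml", "name": "yamlparse", "version": "0.8.0"},
  {"bom-ref": "old", "name": "legacy-xml", "version": "0.3.1",
   "hashes": [{"alg": "SHA-256", "content": "PLACEHOLDER-DIGEST"}]}],
 "dependencies": [
  {"ref": "app", "dependsOn": ["web", "yaml"]},
  {"ref": "web", "dependsOn": ["tpl"]},
  {"ref": "old", "dependsOn": ["ghost"]}]}
"""

def audit_sbom(sbom):
    """Return bom-refs that are unreachable, lack a hash, or are undeclared."""
    root = sbom["metadata"]["component"]["bom-ref"]
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}

    # Breadth-first walk of the dependency graph from the application root.
    reachable, queue = {root}, deque([root])
    while queue:
        for dep in edges.get(queue.popleft(), []):
            if dep not in reachable:
                reachable.add(dep)
                queue.append(dep)

    referenced = {dep for deps in edges.values() for dep in deps}
    return {
        # Listed but never pulled in from the root: candidates for pruning.
        "unreachable": sorted(ref for ref in comps if ref not in reachable),
        # No digest recorded, so the SBOM cannot tie the entry to one artifact.
        "no_hash": sorted(ref for ref, c in comps.items() if not c.get("hashes")),
        # Named in the graph but missing from the component list: an SBOM gap.
        "undeclared": sorted(referenced - set(comps) - {root}),
    }

if __name__ == "__main__":
    for finding, refs in audit_sbom(json.loads(SBOM_JSON)).items():
        print(f"{finding}: {', '.join(refs) or 'none'}")
```

The three findings are inventory-level only: none of them says whether a listed component is vulnerable or malicious, which is the gap the article assigns to SCA and continuous monitoring.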
  • WWW.NEWSCIENTIST.COM
    Signs of alien life on exoplanet K2-18b may just be statistical noise
    Illustration of the exoplanet K2-18b. Credit: NASA’s Goddard Space Flight Center/SCIENCE PHOTO LIBRARY

    Apparent signs of alien life on the exoplanet K2-18b may just be statistical noise, according to a new analysis of data from the James Webb Space Telescope. On 17 April, Nikku Madhusudhan at the University of Cambridge and his colleagues made the stunning claim that K2-18b, a super-Earth 124 light years away, showed strong evidence of an atmosphere containing dimethyl sulphide, a gas that on Earth is only produced by living things. But Jake Taylor at…