The Linux world is currently seeing an explosion in new users, thanks in large part to Microsoft turning its Windows operating system into the most intrusive piece of spyware in modern computing. For those who value privacy and security, Linux has long been the safe haven where there’s reasonable certainty that the operating system itself isn’t harvesting user data or otherwise snooping where it shouldn’t be. Yet even after solving the OS problem, a deeper issue remains: the hardware itself. Since around 2008, virtually every Intel and AMD processor has included coprocessors running closed-source code known as the Intel Management Engine (IME) or AMD Platform Security Processor (PSP).
M1 MacBook Air, now with more freedom
These components operate entirely outside the user’s and operating system’s control. They are given privileged access to memory, storage, and networking and can retain that access even when the CPU is not running, creating systemic vulnerabilities that cannot be fully mitigated by software alone. One practical approach to minimizing exposure to opaque management subsystems like the IME or PSP is to use platforms that do not use x86 hardware in the first place. Perhaps surprisingly, the ARM-based Apple M1 and M2 computers offer a compelling option, providing a more constrained and clearly defined trust model for Linux users who prioritize privacy and security.

Before getting into why Apple Silicon can be appealing for those with this concern, we first need to address the elephant in the room: Apple’s proprietary, closed-source operating system. Luckily, the Asahi Linux project has done most of the heavy lifting for those with certain Apple Silicon machines who want to go more open-source. In fact, Asahi is one of the easiest Linux installs to perform today even when compared to beginner-friendly distributions like Mint or Fedora, provided you are using fully supported M1 or M2 machines rather than attempting an install on newer, less-supported models. The installer runs as a script within macOS, eliminating the need to image a USB stick. Once the script is executed, the user simply follows the prompts, restarts the computer, and boots into the new Linux environment. Privacy-conscious users may also want to take a few optional steps, such as verifying the Asahi checksum and encrypting the installation with LUKS but these steps are not too challenging for experienced users.

Black Boxes

Changing the operating system on modern computers is the easy part, though. The hard part is determining exactly how much trust should be placed in the underlying hardware and firmware of any given system, and then deciding what to do to make improvements. This is where Apple Silicon starts to make a compelling case compared to modern x86 machines. Rather than consolidating a wide range of low-level functionality into a highly privileged black box like the IME or PSP, Apple splits these responsibilities more narrowly, with components like the Secure Enclave focusing on specific security functions instead of being given broad system access.

Like many modern systems, Apple computers include a dedicated security coprocessor alongside the main CPU, known as the Secure Enclave Processor (SEP). It runs a minimal, hardened operating system called sepOS and is isolated from the rest of the system. Its primary roles include securely storing encryption keys, handling sensitive authentication data, and performing cryptographic operations. This separation helps ensure that even if the main operating system is compromised, secrets managed by the SEP remain protected.

The Chain of Trust

To boot an Apple Silicon computer, a “chain of trust” is followed in a series of steps, each of which verifies the previous step. This is outlined in more detail in Apple’s documentation, but starts with an immutable boot ROM embedded in the system-on-chip during manufacturing. It first verifies early boot stages, including the low-level bootloader and iBoot, which in turn authenticate and verify the operating system kernel and system image before completing the boot process. If any of these verification steps fail, the system halts booting to prevent unauthorized or compromised code from executing.

Perhaps obvious at this point is that Apple doesn’t sign Asahi Linux images. But rather than allowing unrestricted execution like many PCs, or fully locking down the device like a smartphone, Apple’s approach takes a middle way. They rely on another critical piece of “security hardware” required to authorize that third-party OS: a human user. The Asahi Linux documentation discusses this in depth, but Apple’s secure boot system allows the owner of the computer to explicitly authorize additional operating systems by creating a custom boot policy within the user-approved trust chain. In practice, this means that the integrity of the boot process is still enforced, but the user ultimately decides what is trusted. If a boot component is modified outside of this trust chain, the system will refuse to execute it. In contrast to this system, where secure boot is enforced by default and only relaxed through explicit user action, x86 systems can treat these protections as optional. A motivated x86 user can achieve a comparable level of security, but they must assemble and maintain it themselves, as well as figure it out in the first place.

Reducing the Attack Surface

The limited scope of Apple’s Secure Enclave gives it a much smaller attack surface compared to something like the Intel Management Engine. As mentioned before, the IME combines a wider range of functionality, including features designed for low-level remote system management. This broader scope increases its complexity and, by extension, its attack surface which has led to several high-profile vulnerabilities. Apple’s Secure Enclave, by contrast, is designed with a much narrower focus. That’s not to say it’s a perfect, invulnerable system since it’s also a closed-source black box, but its limited responsibilities inherently reduce that attack surface.

It’s also worth mentioning that there are a few other options for those who insist on x86 hardware or who refuse to trust Apple even in the most minimal amount, but who still consider the IME and its equivalents as unacceptable security risks. Some hardware manufacturers like NovaCustom and even Dell have given users the option of disabling the IME (although this doesn’t remove it entirely), and some eight and ninth generation Intel machines can have their management engines partially disabled by the user as well. In fact these are the computers that my own servers are based on for this reason alone. Going even further, it is possible to get a 2018-era Thinkpad to run the open-source libreboot firmware. However, libreboot installations can become extremely cumbersome, and even then you’ll be left with a computer that lacks the performance-per-watt and GPU capabilities of even the lowest-tier M1 machines. In my opinion, this compromise of placing a kernel of trust in Apple is the lesser evil for most people in most situations, at least until libreboot is able to support more modern machines and/or until the libreboot installation process is able to be streamlined.

I’ll also note here that Apple is far from a perfect company. Their walled garden approach is inherently anti-consumer, and they’ve rightly taken some criticism for inflating hardware costs, deliberately making their computers difficult to repair, enforcing arbitrary divisions between different classes of products to encourage users to buy more devices, and maintaining a monopolistic and increasingly toxic app store.

But buying an M1 or M2 machine on the used market won’t directly give Apple any money, and beyond running the Asahi installer script doesn’t require interacting with any Apple software or their ecosystem in any way, beyond the initial installation. I’ve argued in the past that older Apple computers make excellent Linux machines for these reasons as well, and since the M1 and M2 machines eliminate the IME risk of these older computers they’re an even better proposition, even without considering the massive performance gains possible.

Ultimately, though, the best choice of hardware depends on one’s threat model and priorities. If the goal is to minimize exposure to IME/PSP-level risks while retaining semi-modern performance, an M1/M2 Mac with Asahi Linux is one of the best options available today. But if fully open hardware is non-negotiable, you’ll need to accept older or less powerful machines… for now.

hackaday.com/2026/03/25/the-mo…

Giovedì 15 aprile 2026, ore 9.30

Fondazione Paolo Murialdi, via Nizza 35, Roma

Seminario in collaborazione con la Fondazione sul giornalismo italiano “Paolo Murialdi”

Intervengono

Domenico Affinito, “Dataroom” Corriere della Sera

Arturo Di Corinto, giornalista e consigliere Agenzia per la Cybersicurezza Nazionale

Paola Marsocci, prof.ssa di Diritto costituzionale, CoRiS Sapienza

Michele Mezza, giornalista e saggista, autore di “Guerre in codice” (Donzelli, 2025)

Vittorio Roidi, già Presidente della Fondazione sul giornalismo italiano “Paolo Murialdi”

Christian Ruggiero, Presidente Laurea Magistrale Media, comunicazione digitale e

giornalismo, CoRiS Sapienza

Giancarlo Tartaglia, Segretario Generale Fondazione sul giornalismo italiano “Paolo Murialdi”

dicorinto.it/formazione/intell…

Kaspersky Security Services provide a comprehensive cybersecurity ecosystem, taking enterprise threat protection to another level. Services like Kaspersky Managed Detection and Response and Compromise Assessment allow for timely detection of threats and cyberattacks. SOC Consulting provides a practical approach ensuring the corporate infrastructure stays secured, while Incident Response is suited for timely remediation with a maximized recovery rate.

High-level overview of the MDR, IR and CA connection

This new report brings together statistics across regions and industries from our Managed Detection and Response and Incident Response services, and for the first time, it also includes insights from our Compromise Assessment and SOC Consulting services — all to provide you with more comprehensive view of different aspects of corporate information security worldwide.

The scope of MDR and IR services

Provision of Kaspersky’s MDR and IR services follows a global approach. The majority of customers accounted for the CIS (34.7%), the Middle East (20.1%), and Europe (18.6%).

Distribution of customers by geographical region, 2025

MDR telemetry

Following the previous year’s numbers, in 2025, the MDR infrastructure received and processed an average of 15,000 telemetry events per host every day, generating security alerts as a result. These alerts are first processed by AI-powered detection logic, after which Kaspersky SOC analysts handle them as required. Overall, a total of approximately 400,000 alerts were generated in 2025. After counting out false positives, 39,000 alerts were further investigated.

MDR telemetry statistics, 2025

Incident statistics

The distribution of remediation requests by industry has slightly changed as compared to previous years’ pattern. Government (18.5%) and industrial (16.6%) organizations are still the most targeted industries in regards to cyberattacks that require incident response activities. However, this year, the IT sector saw a growth in the number of IR requests, eventually being placed third in the overall industry distribution rankings and thus replacing financial organizations, which were targeted less often than in 2024. This is equally true for smaller-scale attacks that can be contained and remediated through automated means — the only difference is that medium- and low-severity incidents are more often experienced by financial organizations.

Distribution of all incidents by industry sector, 2025

Key trends and statistics

This section presents key findings and trends in cyberattacks in 2025:

• The number of high-severity incidents decreased, following a downward trend that we’ve been observing since 2021. The majority of those incidents account for APT attacks and red teaming exercises, which indicates two landscape trends. On the one hand, skilled adversaries make efforts to increase impact, while on the other, organizations spend more resources on probing their defense systems.
• The most common vulnerabilities exploited in the wild were related to Microsoft products. Half of all identified CVEs led to remote code execution, notably without authentication in some cases.
• Exploitation of public-facing applications, valid accounts, and trusted relationships remain the most popular initial vectors, and their overall share has increased, accounting to over 80% of all attacks in 2025. In particular, attacks through trusted relationships are evolving: their share has increased to 15.5% from 12.8% in 2024. They are also becoming more complex: for instance, we witnessed a case where adversaries had compromised more than two organizations in sequence to ultimately gain access to a third target.
• Standard Windows utilities remain a popular LotL tool. Adversaries use those to minimize the risk of detection during delivery to a compromised system. The most popular LOLBins we observed in high-severity incidents were powershell.exe (14.4%), rundll32.exe (5.9%), and mshta.exe (3.8%). Among the most popular legitimate tools used in incidents we flag Mimikatz (14.3%), PowerShell (8.1%), PsExec (7.5%), and AnyDesk (7.5%).

The full 2026 Global Report provides additional information about cyberattacks, including real-world cases discovered by Kaspersky experts. We also describe SOC Consulting projects and Compromise Assessment requests. The report includes comprehensive analysis of initial attack vectors in correlation with the MITRE ATT&CK tactics and techniques and the full list of vulnerabilities that we detected during Incident Response engagements.

securelist.com/global-report-s…

Once upon a time, they told us we wouldn’t download a car, and they were wrong. Later, Zero Motorcycles stated in their FAQ that you cannot hack an electric motorcycle, a statement which [Persephone Karnstein] and collaborator [Mitchell Marasch] evidently took issue with. Not only can you hack an electric motorcycle, it is — in [Persephone]’s words — a security nightmare.

You should absolutely go over to [Persephone]’s website and check out the whole write-up, which is adapted from a talk given at BSides Seattle 2026. There’s simply way more detail than we can get into here. Everything from “what horridly toxic solvents would I need to unpot this PCB?” to the scripts used in de-compiling and understanding code, it’s all there, and in a lively and readable style to boot. Even if you have no interest in security, or electric motorcycles, you should check it out.

The upshot is that not only were Zero Motorcycles wrong when they said their electric motorcycles could not be hacked, they were hilariously wrong. The problem isn’t the motorcycle alone: it has an app that talks to the electronics on the bike, which take over-the-air (OTA) updates. What about the code linked to the VIN alluded to in that screenshot? Well, it turns out you just need a code structured like a VIN, not an actual number. Oops. By the end of it, [Persephone] and [Mitchell] have taken absolute control of the bike’s firmware, an so have them full control over all its systems.

Why cut the brake lines when you can perform an OTA update that will do the same thing invisibly? And don’t think you can just reset the bike to factory settings to fix it: they thought of this, and the purely-conceptual, never-deployed malware has enough access to prevent that. Or they could just set the battery on fire. That was an option, too, because the battery management system gets OTA updates as well.

To be clear, we don’t have any problem with a motorcycle that’s dependent on electronics to operate. After all, we’ve seen many projects that would meet that definition over the years. But the difference is none of those projects fumbled the execution this badly. Even this 3 kW unicycle, which has a computer for balance control, doesn’t see the need to expose itself. It’s horribly unsafe in very different ways.

hackaday.com/2026/03/25/electr…