News from KW52.2025 (calendar week 52, 2025)

Shortly before the end of the year, one last read-through of Christmas week and the days between the holidays (22.12.-28.12.2025): as usual, nine news items from technology and IT, this time served with opinion, cinnamon and sugar.

Compliance 26 | Cookie Consent | AI in Games | BitLocker speed | MongoDB CVE | Gmail alias name change | 39C3 ePA conclusion | 39C3 DiDay | WIRED leak


Article 1

Legal preview 2026: Focus on AI compliance and IT security

A nice end-of-year overview in iX magazine: 2026 marks the transition from legislation to practical implementation in IT law. There are no major new legislative projects; the focus is on readjustments (the Digital Omnibus package) and fundamental court decisions.

The most important topics at a glance:

AI regulation (AI Act): From 2 August 2026 most provisions of the AI Act apply, in particular those for high-risk systems. Companies now have to put governance structures in place, although the Digital Omnibus package could push some deadlines to 2027/28 to ease the burden on the economy.

AI & copyright: Following the GEMA ruling against OpenAI, a landmark appeal is expected in 2026. The key question is whether training AI models constitutes copyright infringement or falls under a statutory exception.

Data Act: From September 2026 the data-provision obligations apply. Manufacturers of connected products (IoT) must technically ensure that users can easily access their data and take it with them to other providers.

IT security (NIS2 & CRA): 2026 is the first full year under the new NIS2 Implementation Act. Significantly more companies now fall under BSI supervision and have to meet strict risk-management and reporting obligations. In addition, the first reporting obligations under the Cyber Resilience Act (CRA) take effect in autumn 2026.

Digital identity (eIDAS 2.0): In 2026 the EU Member States are expected to offer a digital identity wallet. Citizens can use it to manage ID cards or certificates digitally on their smartphones and to sign with legal effect.

Platforms & sovereignty: Under the DSA and DMA, the first sanctions against big tech companies are expected. In public procurement there is a 'Buy European' trend: sovereignty and cloud portability are becoming important award criteria.

A video from VamiSec summarises the most important points.

Conclusion: 2026 is the year of the compliance audit. IT managers must map existing architectures to the new regulatory categories to avoid fines and liability risks.


Article 2

End of the Banner Flood? First recognised ‘consent agent’ launched

Article on heise.de. An important piece of the digital self-determination puzzle goes into practical testing: with Consenter, the first service for managing cookie consents that has been officially recognised by the Federal Data Protection Authority is available in Germany.

The details of the start:

Quiet release: The browser plugin is currently available via a preview link in the Chrome Web Store. The official launch, including listing for Firefox and Safari, takes place on 26 January 2026.

How it works: Users set their privacy preferences once, centrally in the browser plugin. The agent transmits them automatically to the websites they visit, which should make the annoying manual clicking through cookie banners unnecessary.

The hurdle: For the system to work, website operators have to play along. Since many existing consent solutions do not yet process signals from browser plugins on their own, the team behind Consenter offers a compatible banner of its own for websites.

Scientific background: The project was funded by the Federal Ministry of Research and developed under the direction of Prof. Dr. von Grafenstein (UdK Berlin). The aim is to counter ‘consent fatigue’ and enable genuine digital sovereignty.

Why this matters for IT decision makers: Consenter provides an automated risk assessment of third-party tools. Website operators who implement the system receive something like an independent data protection impact assessment. This can not only put compliance on firmer legal ground but also increase user acceptance through greater transparency.


Article 3

AI use costs indie award: 'Clair Obscur - Expedition 33' loses title

Read on Reddit. The French studio Sandfall Interactive has to return two awards shortly after its success at the Indie Game Awards 2025. The reason is a violation of the strict rules on the use of artificial intelligence.

The background to the decision:

Zero-tolerance policy: The Indie Game Awards only allow nominations for games developed entirely without AI tools. Sandfall Interactive had assured during the application process that it complied with this requirement.

The ‘gibberish’ (Kauderwelsch) indicator: Shortly after release, players discovered AI-generated textures (unreadable text on an advertising pillar). In an interview the studio then admitted it had used ‘a bit of AI’ for placeholder textures that had accidentally remained in the release version.

The consequences: The game loses the awards for Indie Game of the Year (which now goes to Blue Prince) and the Debut Game Award (which goes to Sorry We're Closed).

Important distinction: The game keeps the general cross-platform ‘Game of the Year’ title from the separate The Game Awards, because AI use is not a ground for exclusion there.

Relevance for the IT and creative industries: The case highlights the growing divide in how AI is judged: while it is becoming a standard efficiency tool in the AAA industry, it is often taboo in the indie scene. For developers this means that statements about their tech stack in award submissions and marketing are increasingly becoming a legal and reputational risk.


Article 4

Hardware acceleration for BitLocker: More Speed for NVMe Drives

Microsoft has announced a major architectural change for Windows disk encryption. With hardware-accelerated BitLocker the company addresses the performance losses that have so far been noticeable mainly on very fast NVMe SSDs and in compute-heavy workloads (video editing, gaming). It arrives with the upcoming CPU generations in 2026.

The technical highlights:

Crypto offloading: The encryption work moves from the main CPU cores to a dedicated crypto engine on the SoC (system on chip). According to Microsoft this saves on average 70% of the CPU cycles and spares the battery.

Hardware-protected keys: The encryption keys are "wrapped" in hardware. The goal is to eventually keep BitLocker keys out of CPU caches and main memory entirely, protecting them from memory read-out attacks (such as cold-boot or DMA attacks).

Algorithm: Supported devices use XTS-AES-256 by default.

Availability and Requirements:

Software: Prerequisite is the Windows 11 September 2025 update (version 24H2) or the new version 25H2.

Hardware: Initially on devices with Intel's upcoming Panther Lake processors (Core Ultra Series 3). Other manufacturers will follow.

Check: The command manage-bde -status at the command prompt shows whether ‘hardware acceleration’ is active.

Important note for administrators: Hardware BitLocker is deactivated when Group Policy objects (GPOs) enforce outdated or incompatible algorithms (such as AES-CBC). Microsoft recommends changing the policies to XTS-AES-256 to get the performance benefits. Note that the cipher is fixed when a volume is first encrypted: a volume already encrypted with AES-CBC keeps it until it is decrypted and re-encrypted, so a policy change alone is not enough.
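As an added example (not from the article and not Microsoft's code), the following PowerShell script audits exactly the situation the note above describes: it reads the "Choose drive encryption method and cipher strength" policy values from the registry, flags those that pin BitLocker to AES-CBC, and lists the cipher each volume was actually encrypted with. Get-BitLockerVolume, the HKLM\SOFTWARE\Policies\Microsoft\FVE values and their numeric meanings are documented by Microsoft; the function names and the report layout are mine. How the hardware-acceleration state is worded in manage-bde -status is not given on the page, so the script only prints that output rather than parsing it. Run it from an elevated prompt.

```powershell
# Added example: audit BitLocker cipher per volume and the policy values
# that can block hardware-accelerated BitLocker. Needs the BitLocker
# PowerShell module (Windows 10/11) and administrator rights.

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Documented meaning of the EncryptionMethodWithXtsOs/Fdv/Rdv policy values.
$methodNames = @{ 3 = 'AES-CBC 128'; 4 = 'AES-CBC 256'; 6 = 'XTS-AES 128'; 7 = 'XTS-AES 256' }

function Get-BitLockerPolicyReport {
    # One row per configured policy value. AES-CBC (3 or 4) is the case the
    # article names as incompatible with hardware BitLocker.
    if (-not (Test-Path $policyPath)) { return }
    $props = Get-ItemProperty -Path $policyPath
    foreach ($name in 'EncryptionMethodWithXtsOs', 'EncryptionMethodWithXtsFdv', 'EncryptionMethodWithXtsRdv') {
        $value = $props.$name
        if ($null -eq $value) { continue }
        [pscustomobject]@{
            Policy                  = $name
            Value                   = [int]$value
            Method                  = $methodNames[[int]$value]
            BlocksHardwareBitLocker = ([int]$value -in @(3, 4))
        }
    }
}

function Get-BitLockerVolumeReport {
    # One row per volume. A volume keeps the cipher it was encrypted with, so
    # NeedsReEncryption is true for any encrypted volume not on XTS-AES-256.
    # Note: the pre-existing EncryptionMethod value 'Hardware' means a
    # self-encrypting drive (eDrive), not the new SoC crypto offload.
    Get-BitLockerVolume | ForEach-Object {
        $method = "$($_.EncryptionMethod)"
        $status = "$($_.VolumeStatus)"
        [pscustomobject]@{
            Volume            = $_.MountPoint
            Method            = $method
            VolumeStatus      = $status
            ProtectionStatus  = "$($_.ProtectionStatus)"
            NeedsReEncryption = ($status -ne 'FullyDecrypted' -and $method -ne 'XtsAes256')
        }
    }
}

'--- Policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE ---'
Get-BitLockerPolicyReport | Format-Table -AutoSize
'--- Volumes ---'
Get-BitLockerVolumeReport | Format-Table -AutoSize
# The article's own check; shown verbatim, not parsed (see lead-in).
'--- manage-bde -status ---'
manage-bde -status
```

If BlocksHardwareBitLocker is true for any row, the GPO has to be changed to XTS-AES-256 (value 7) first; any volume with NeedsReEncryption true then still has to be decrypted and encrypted again, because changing the policy does not touch volumes that are already encrypted.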


Article 5

Urgent patch call: Vulnerability in MongoDB

Read on Bleepingcomputer.com: MongoDB warns administrators of a serious vulnerability (CVE-2025-14847) in memory handling that requires immediate action.

The most important facts:

The risk: A bug in the server's zlib implementation (used for network message compression) allows remote, unauthenticated attackers to read uninitialised heap memory. The attack is not complex and requires no user interaction.

Possible consequences: According to security experts, in the worst case the flaw could allow attackers to take control of affected systems.

Affected versions: The list is long and covers almost all common releases (from v4.4 to v8.2, before the fixed versions) as well as all versions of the v4.2, v4.0 and v3.6 series.

Emergency measures:

Update: Upgrade to version 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32 or 4.4.30.

Workaround: If an update is not possible right away, disable zlib compression. To do so, start mongod or mongos with the networkMessageCompressors option set to a list that explicitly leaves out zlib (for example snappy,zstd; in the YAML config file the equivalent key is net.compression.compressors). Leaving the option unset is not enough, because mongod's default list (snappy,zstd,zlib) includes zlib.
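As an added example (not from the article and not MongoDB's code), this PowerShell script checks the two emergency measures above: whether a server version is below the fixed release of its branch, and whether a mongod.conf has zlib removed from the compressor list. The fixed version numbers and the option name come from the article; the function names, the minimal line-based config matcher (enough for the flat "compressors: a,b,c" form, not a full YAML parser) and the sample configs are mine, and the sample configs are constructed, not taken from any real deployment.

```powershell
# Added example: version and config check for CVE-2025-14847.

# Fixed releases named in the advisory. A build below the fix in the same
# major.minor branch is vulnerable; branches without a fix (4.2, 4.0, 3.6)
# are vulnerable in every version.
$fixedVersions = '8.2.3', '8.0.17', '7.0.28', '6.0.27', '5.0.32', '4.4.30' |
    ForEach-Object { [version]$_ }

function Test-MongoVersionVulnerable {
    param([Parameter(Mandatory)][string]$Version)
    # Strip pre-release suffixes such as "-rc0" so [version] can parse the string.
    $v = [version]($Version -replace '-.*$', '')
    $fix = $fixedVersions | Where-Object { $_.Major -eq $v.Major -and $_.Minor -eq $v.Minor }
    if (-not $fix) { return $true }   # no fixed release for this branch
    return ($v -lt $fix)
}

function Get-MongoCompressors {
    # Returns net.compression.compressors from mongod.conf lines, or mongod's
    # default list when the key is absent.
    param([Parameter(Mandatory)][string[]]$ConfigLines)
    foreach ($line in $ConfigLines) {
        if ($line -match '^\s*compressors\s*:\s*(.+?)\s*$') {
            return @($Matches[1] -split '\s*,\s*')
        }
    }
    return @('snappy', 'zstd', 'zlib')
}

function Test-ZlibDisabled {
    # True when the workaround is applied, i.e. zlib is absent from the list.
    param([Parameter(Mandatory)][string[]]$ConfigLines)
    return -not ((Get-MongoCompressors -ConfigLines $ConfigLines) -contains 'zlib')
}

# Constructed sample configs (hypothetical, not from a real deployment).
$defaultConf = @'
net:
  port: 27017
  compression:
    compressors: snappy,zstd,zlib
'@ -split '\r?\n'

$hardenedConf = @'
net:
  port: 27017
  compression:
    compressors: snappy,zstd
'@ -split '\r?\n'

foreach ($ver in '8.2.1', '8.2.3', '7.0.27', '4.2.25') {
    "mongod $ver vulnerable: $(Test-MongoVersionVulnerable -Version $ver)"
}
"zlib disabled (default config):  $(Test-ZlibDisabled -ConfigLines $defaultConf)"
"zlib disabled (hardened config): $(Test-ZlibDisabled -ConfigLines $hardenedConf)"
```

The hardened sample corresponds to starting the server with `--networkMessageCompressors snappy,zstd`. Remember that a config file audit only covers what the file says; a process started with a command-line override should be checked against its actual command line.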

Classification for IT security: As MongoDB is one of the world's most widely used NoSQL databases (over 62,000 customers, including many Fortune 500 companies), this flaw is an attractive target for automated attacks. Administrators should prioritise patching, because the bug is reachable over the network without authentication; instances whose port is exposed to the internet should be patched or taken off the network first.


Article 6

39C3: Sharp criticism of the ePA because security deficiencies remain unresolved

One year after the introduction of the electronic health record (ePA), security researchers at the 39th Chaos Communication Congress (39C3) draw a sobering balance. Researcher Bianca Kastl warns that key structural problems persist.

The key criticisms:

Insecure identities: The main problem lies in the authentication procedures of the telematics infrastructure. Kastl criticises that the identity verification processes are organisationally error-prone and open to abuse, which cannot be fixed by small corrections.

Lack of transparency: The communication of the Federal Ministry of Health (campaign ‘ePA, na sicher!’) is classed as euphemistic. Critical findings from experts are ignored or played down, she says.

Diffuse responsibility: Responsibility for security risks is shifted back and forth between politicians, authorities and other actors. In the end the insured persons bear the full risk (for example in the event of data leaks or unauthorised access).

Warning about the EU ID wallet: With regard to the planned state EU ID wallet (see eIDAS 2.0), Kastl warns against repeating the same structural mistakes, this time with a far greater impact on digital sovereignty.

Heise was on site and also has video material online.


Article 7

The Gmail revolution: Email address finally changeable (alias system)

After more than 20 years, Google is loosening one of its strictest rules: users can now change their primary @gmail.com address without having to open a new account. This is a blessing especially for anyone who chose a ‘youthful sin’ as an e-mail name (e.g. party-maus2005@) and would like to swap it for a respectable address.

This is how the new system works:

Automatic alias function: If you change your address, the old one is not deleted. It remains permanently associated with your account as an alias.

No data loss: All e-mails, photos, Drive files and logins remain. You still receive mail sent to the old address, but you appear to the outside world under the new name.

Flexible login: You can still sign in to Google services with either address (old or new).

Restrictions:

  • The change is possible only once every 12 months.
  • A maximum of three address changes per account is allowed in total.
  • In some deep-rooted systems (such as old calendar entries), the original address may still be visible.

Additional feature ‘Shielded Email’: In parallel, Google is rolling out so-called ‘Shielded Emails’. These let you create temporary aliases for newsletters or app sign-ups (similar to Apple's ‘Hide My Email’). They forward messages to your main mailbox but keep your real address secret and thus protect against spam.

Incidentally, the alias function itself is not new at all; what is new is changing the ‘main address’, which then itself becomes an alias. From a security standpoint the old address is therefore not retired: it still delivers mail to the account and still works for sign-in, so breach monitoring and account recovery settings have to cover both addresses.


Article 8

39C3: Alliance calls for Digital Independence Day

Read on golem.de: At the 39th Chaos Communication Congress (39C3), a broad alliance around the Chaos Computer Club (CCC) and Wikimedia UK launched a new initiative against the dominance of big tech companies.

Di.Day: From 4 January 2026, Digital Independence Day is celebrated on the first Sunday of every month. The aim is to reduce the influence of US platforms on democratic processes and privacy.

Switching parties & workshops: Hackerspaces in more than ten cities are holding workshops to help people move from WhatsApp to Signal, from Chrome to Firefox or from Windows to Linux.

Prominent support: The author Marc-Uwe Kling promoted the campaign at the congress. The aim is to leave ‘surveillance capitalism’ behind and promote digital sovereignty through ‘switching parties’ (also offline).

Switching recipes: On the campaign page Di.Day, users find concrete instructions on how to export their data and migrate safely to free alternatives.


Article 9

Data leak at WIRED: Hackers release millions of user records

Bleepingcomputer.com: A cybercriminal using the pseudonym ‘Lovely’ has leaked a database of the renowned US magazine WIRED. The leak is part of a larger attack on the media company Condé Nast; according to the hacker's threats, up to 40 million records from various publications (including Vogue, The New Yorker and Vanity Fair) could be in circulation.

Details of the incident:

Scope: The published WIRED database contains approx. 2.37 million records.

Content: E-mail addresses, internal IDs and timestamps were leaked. For some subscribers, real names, postal addresses, dates of birth and telephone numbers are included as well. Passwords do not appear to be included in plain text, but the data has already been verified by cross-checking it against existing infostealer logs.

Background: The hacker claims to have warned Condé Nast about security vulnerabilities for a month without success. Because the company did not react, he has now published the data as a ‘punishment’. Security experts, however, do not classify the perpetrator as an ethical researcher but as a classic extortionist.

Current status: The data has already been loaded into Have I Been Pwned. Users can check there whether their e-mail address is affected.

Importance for IT security: This case again shows the risk of credential stuffing and phishing. Since the database contains records going back to 1996, long-standing users are also at risk. IT departments should alert employees who used corporate e-mail addresses for private subscriptions to Condé Nast titles; Have I Been Pwned's domain search shows which addresses in an organisation's own domain appear in the breach.


As announced last week, colleague Sun-Tsu is on a well-deserved Christmas holiday and enjoying himself at the Retro LAN. I'll keep it short: see you again in the new year, fresh as ever!