Agregátor RSS

Microsoft has disclosed a new security vulnerability impacting on-premise versions of Exchange Server that it said has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue. "

Microsoft has disclosed a new security vulnerability impacting on-premise versions of Exchange Server that it said has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue. "Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Nový asteroid 2026 JH2 bezpečně mine naši planetu již toto pondělí v noci • Průměr blížícího se tělesa vědci odhadují na patnáct až pětatřicet metrů • Živý přenos průletu nabídne na internetu italská virtuální observatoř

Nikoli Samsung, ale Intel? Poslední dobou je více slyšet o čipech Tesla AI5 a AI6. Zakázky měly být rozděleny mezi TSMC a Samsung, ale vypadá to, že výrobu jedné varianty získal Intel…

The U.S.Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly disclosed vulnerability impacting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by May 17, 2026. The vulnerability is a critical authentication bypass tracked as CVE-2026-20182. It's

The U.S.Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly disclosed vulnerability impacting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by May 17, 2026. The vulnerability is a critical authentication bypass tracked as CVE-2026-20182. It's Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Na všech herních platformách je každou chvíli nějaká slevová akce. Každý týden proto vybíráme ty nejatraktivnější, které by vám neměly uniknout. Pokud chcete získat hry zdarma nebo s výhodnou slevou, podívejte se na aktuální přehled akcí!

Windows Snipping Tool - NTLMv2 Hash Hijack

Remote Sunrise Helper for Windows 2026.14 - Unauthenticated File/Directory Listing

Remote Sunrise Helper for Windows 2026.14 - Remote Code Execution

The TeamPCP hacker group is threatening to leak source code from the Mistral AI project unless a buyer is found for the data. [...]

FEATURE When Instructure “reached an agreement” with data theft and extortion crew ShinyHunters this week, the education tech giant assured Canvas users after attackers claimed to have stolen data tied to 275 million students, teachers, and staff that their private chats and email addresses would not turn up on a dark-web marketplace, and that they would not be extorted over the incident. “We received digital confirmation of data destruction (shred logs),” Instructure assured the nearly 9,000 affected universities and K-12 schools. “We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.” Not a single responder that The Register spoke with believes this is true. “Do I believe they deleted the data? No. They're criminals and scumbags,” Recorded Future threat intelligence analyst Allan Liska, aka the Ransomware Sommelier, told us. “But, this is part of what Max Smeets calls ‘The Ransomware Trust Paradox,’” he added. “Ransomware groups have to, minimally, not post data they claimed to have deleted or no one will pay them in the future, but this is done knowing that the data is likely not deleted.” Halcyon Ransomware Research Center SVP Cynthia Kaiser, who previously spent two decades at the FBI, said she doesn’t think that anyone who studies ransomware groups’ operations believes the gang actually destroyed the stolen files. “‘We destroyed the data’ is a standard line from extortion groups once a payment is made or negotiations conclude, but time after time it has proven untrue,” Kaiser told The Register. “ShinyHunters in particular has a documented history of recycling, reselling, and re-leveraging stolen data across campaigns – data they claimed was contained from earlier intrusions has resurfaced on criminal forums months and years later.” Kaiser also doesn’t think this is the last threat that the schools will face from the Canvas breach. “Halcyon expects targeted phishing waves against staff, students, and parents over the next six to 12 months using leaked names, email addresses, and Canvas chat context to make the lures convincing,” she said. To be clear: Instructure execs never directly said the company paid the ransom, and we don’t know the exact amount of money the criminals demanded from the digital learning biz. We do know, however, that “reached an agreement” is corporate-speak for the victim paid up. Alliance Risk CEO David Vainer estimates the figure sits somewhere between $5 million and $30 million. Meanwhile, this latest extortion attack illustrates the impossible choice facing organizations entrusted with protecting people’s data when digital thieves breach their networks and steal sensitive information. “The FBI says don’t pay,” Doug Thompson, chief education architect at cybersecurity firm Tanium, told The Register. “But the operational reality at 3 a.m. during finals week or enrollment season can push institutions toward a very different calculation. Until that incentive structure changes, education is likely to remain unusually vulnerable to extortion pressure.” To pay, or not to pay? The US federal government, law enforcement agencies, and private-sector threat intelligence analysts all advise victims not to pay a ransom. “Paying ransoms rewards and incentivizes the criminals, funding their search for new victims, and I’ve long advocated before for a ban on ransomware payments,” Emsisoft threat analyst Luke Connolly told us. “But in the absence of regulation applying to all organizations, the stark reality is that Instructure faced a crisis, and they negotiated to try to minimize risk and harm.” No company wants to pay a ransom to its attackers, and most say they won’t – at least in principle – because they don’t want to fund criminal operations and incentivize the crooks. There’s also no guarantee that paying will guarantee the return of their data or prevent additional extortion attempts. CrowdStrike surveyed 1,100 global security leaders last summer, and of the 78 percent who said they experienced a ransomware attack in the past year, 83 percent of those that paid ransoms were attacked again. Plus 93 percent lost data regardless of payment. While data suggests that fewer organizations are paying criminals’ ransom demands - Chainalysis found the percentage of paying victims in 2025 dropped to an all-time low of 28 percent, despite attacks hitting record highs - when faced with extortion or a ransomware infection, the "to pay or not to pay" debate becomes much more complicated. “Most organizations still say publicly that they won't pay, and many genuinely don't, but when the alternative is mass downstream harm to students, parents, and thousands of customer institutions, the calculus shifts,” Kaiser said. “Pay-or-leak groups like ShinyHunters specifically engineer that calculus by creating intense financial and reputational pressure, and when demands go unmet, they escalate to direct harassment of victim companies, employees, and clients.” ShinyHunters did just that. The crew initially compromised Instructure in late April, and after the initial pay-or-leak deadline passed on May 6, ShinyHunters switched tactics to school-by-school extortion. They injected a ransom message into about 330 Canvas school login portals, causing Instructure to take the platform offline for a day - during final exams and Advanced Placement testing for many. Other ransomware scum have gone to horrifying extremes, posting pictures and addresses of preschool children in an effort to get a payday, leaking cancer patients’ nude photos and threatening them with swatting attacks. Mandiant Consulting CTO Charles Carmakal previously told The Register that ransomware infections have morphed into "psychological attacks” with crooks SIM swapping executives’ kids to pressure their parents into paying. Calculating risk In addition to responding to criminals directly harassing their students, patients, customers and employees, victim organizations also have to take into account potential lawsuits if the crooks dump individuals’ personal or health data, and the reputational hit from seeing all of this protected information published online. The decision about what to do in a ransomware attack revolves around risk reduction, Liska said. “Not paying a ransom means an increased risk of data exposure, which in this case could cause serious harm,” he told us. “While there is no good decision in most ransomware negotiations, the idea is to protect as many people as possible and that may mean that paying is the least bad option.” While he didn’t respond to or investigate the Instructure case, “protecting children's data is absolutely a critical factor in these types of decisions, especially when the attacks originate from one of the groups associated with The Com,” Liska added. The Com, a loosely knit group of primarily English speakers who are also involved in several interconnected networks of hackers, SIM swappers, and extortionists such as ShinyHunters and Scattered Lapsus$ Hunters, has been known to blackmail kids and teens into carrying out shootings, stabbings, and other real-life criminal acts. “These groups are known to coerce victims using threats of physical harm, including bricking and swatting," he said. "Not paying may have increased the risk of serious harm to the children whose data was exposed.” A representative of ShinyHunters contacted The Register to "deny any and all association, affiliation, and/or linkage with 'The Com' including 'Scattered Lapsus Hunters'" The rep said "There is no actual concrete evidence to support that we are associated, affiliated, or linked to the aforementioned. These are baseless allegations and industry propaganda surrounding 'The Com.'" The Shiny one admitted that some of their crew's tactics are similar to those the other gangs use but suggested it's lazy to assume a link. "If China or North Korea used vishing to infiltrate organizations networks would they also immediately become associated with “The Com?'" the representative asked. Ed sector 'more likely to pay' Instructure’s intrusion follows several other high-profile attacks against education-sector software providers. In December 2024, PowerSchool suffered a breach, affecting tens of millions of students. The company reportedly paid about $2.85 million in bitcoin in exchange for a video supposedly showing the attackers destroying the data. But about five months later, in May 2025, the ed-tech provider’s school district customers received individual extortion threats from either the same ransomware crew that hit PowerSchool or someone connected to the crooks. Earlier this year, ShinyHunters claimed it stole data from K-12 software provider Infinite Campus as part of a broader wave of Salesforce-related intrusions. “Education keeps emerging as one of the sectors where organizations are still more likely to pay under pressure,” Thompson said. In addition to students’ – especially minors’ – data containing highly sensitive personal details, and therefore presenting an attractive target for attackers, this is also driven in part by market pressure and economics. It’s costly and inconvenient for schools to switch learning management systems, and they are typically locked into multi-year contracts with these software vendors, according to Thompson. “The other issue is concentration,” he said. “A relatively small number of vendors hold data for enormous portions of the education system. PowerSchool, Infinite Campus, Canvas, Blackboard; those four hold records on something close to every American student, and hackers know it. Three of the four have been breached at a multi-million-record scale in the last 18 months.” Thompson said he expects to see additional attacks against major education platforms to follow. “The economics are good. Instructure paid. PowerSchool paid last year. Every other ed-tech vendor's board just had a conversation about what their number would be,” he told us. “The pattern is established.” According to Connolly, the universities and K-12 schools affected by the Canvas hack shouldn’t consider their data safe, regardless of Instructure’s assurances or the crooks' promises to delete it. “There will be future attacks, without a doubt.” ® Correction: The estimate of $5 million to $30 million comes from Alliance Risk CEO David Vainer.

Ministerstvo financí si znovu půjčí od domácností. Jaké podmínky jim přitom nabídne a co na novou emisi Dluhopisů Republiky říkají ekonomové?

Je tomu už 11 let, co Satya Nadella na pódiu prohlásil, že Microsoft miluje Linux. Tehdy jsme to spíše vítali, nicméně sbližování začalo už dříve. Bylo jasné, že Microsoft si tohle musí pohlídat a udělal to ukázkově.

Mercury Research zveřejnila statistiky trhu s procesory za první kvartál (zimu) letošního roku. AMD posílila v noteboocích a zejména v serverech. Slabší je v desktopu, což souvisí s trhem pamětí…

Měď si užila v elektrické kabeláži spoustu zábavy po dlouhé desítky let. Její éra se ale možná chýlí ke konci. Španělští materiáloví vědci nadopovali vlákna z uhlíkových nanotrubiček tetrachlorohlinitanovým aniontem, čímž značně zvýšili jejich elektrickou vodivost. Kabeláž pro elektromobily, letadla, drony nebo třeba nadzemní elektrická vedení už asi nebude, co bývala.

Hackers are leveraging a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to obtain admin-level access to websites. [...]

Photons traveling straight through a cloud of gas appear to exit, on average, before they enter.

As Homer tells us, Odysseus made an epic journey, against the odds, from Troy to his home in Ithaca. He visited many lands, but mostly dwelt with the nymph Calypso on her island.

We can imagine that his wife, Penelope, would have asked him about that particular time. Odysseus might have replied, “It was nothing. In fact, it was less than nothing. Negative five years I dwelt with Calypso. How else could I have arrived home after only ten years? If you don’t believe me, ask her.”

Quantum particles, it turns out, are just as wily as Odysseus, as my colleagues and I have shown in an experiment published in Physical Review Letters. Not only can their arrival time suggest that they dwelt with other particles for a negative amount of time, but if one asks those other particles, they will corroborate the story.

Photons Dwelling With Atoms

Our experiment used photons—quantum particles of light—and the against-the-odds journey they must undertake to pass straight through a cloud of rubidium atoms.

These atoms have a “resonance” with the photons, meaning the energy of the photon can be transferred temporarily to the atoms as an atomic excitation. This allows the photon to “dwell” in the atomic cloud for a time before being released.

For this resonance to be effective, the photon must have a well-defined energy, matching the amount of energy required to put a rubidium atom into an excited state.

But, by a form of Heisenberg’s famous uncertainty principle, if the energy of the photon is well defined then its timing must be uncertain: The pulse of light the photon occupies must have a long duration. This means we can’t know exactly when the photon enters the cloud, but we can know on average when it enters.

If a photon like this is fired into the cloud, the most likely outcome is that its energy will be transferred to the atoms and then re-emitted as a photon traveling in a random direction. In such cases, the photon is scattered and fails to arrive at its Ithaca.

Photon Arrival Times

But if the photon does make it straight through, a strange thing happens. Based on the average time when the photon enters the cloud, one can calculate the expected average time it would arrive at the far side of the cloud, assuming it travels at the speed of light (as photons usually do).

What one finds is that the photon actually arrives far earlier than that. In fact, it arrives so early it appears to have spent a negative amount of time inside the cloud—to exit, on average, before it enters.

This effect has been known for decades and was observed in a 1993 experiment. But physicists had mostly decided not to take this negative time seriously.

That’s because it can be explained by saying that only the very front of the long-duration pulse makes it straight through the atomic cloud, while the rest is scattered. This leads to a successful (non-scattered) photon arriving earlier than would be naively expected.

Asking the Atoms

However, Aephraim Steinberg, one of the authors of that 1993 paper, was not so quick to accept this dismissal of the negative time as an artifact. In his laboratory at the University of Toronto, he wanted to find out what happened if one queried the rubidium atoms in the cloud to find out how long the photon had spent dwelling among them as an excitation. After an initial experiment with inconclusive results, he asked me, as a quantum theorist, for help in working out what to expect.

When we talk of querying the atoms, what this means in practice is continuously making a measurement on the atoms while the photon is passing through the cloud to probe whether the photon’s energy is currently dwelling there. But there is a subtlety here: Measurements in quantum physics inevitably disturb the system being measured.

If we were to make a precise measurement of whether the photon is dwelling in the atoms, at each instant of time, we would prevent the atoms from interacting with the photon. It is as if, merely by watching Calypso closely, we would stop her getting her hands on Odysseus (or vice versa). This is the well-known quantum Zeno effect, which would destroy the very phenomenon we want to study.

Our Experiment

The solution is to make, instead, a very imprecise (but still very accurately calibrated) measurement. That is the price paid to keep the disturbance negligible. Specifically, we fired a weak laser beam—unrelated to the single photon pulse—through the cloud of atoms, and measured small changes in the phase of the beam’s light to probe whether the atoms were excited.

Any single run of the experiment gives only a very rough indication of whether the photon dwelt in the atoms, but averaging millions of runs yields an accurate dwell time.

Amazingly, the result of this weak measurement of dwell time, when the photon goes straight through the cloud, exactly equals the negative time suggested by the photons’ average arrival time. Prior to our work, no-one suspected that these two times, measured in entirely different ways, would be equal.

Crucially, the negative value of the weakly measured dwell time cannot be explained by imagining that only the front of the photon’s pulse gets through, unlike the time inferred from the arrival time.

So what does this all mean? Is a time machine just around the corner?

Sadly, no. Our experiment is fully explained by standard physics.

But it does show that negative dwell time is not an artifact. However paradoxical it may seem, it has a directly measurable effect on the atomic cloud that the photon traverses. And it reminds us that there are still lands to discover on the odyssey that is quantum research.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

The post Physicists Have Measured ‘Negative Time’ in the Lab appeared first on SingularityHub.

Cisco is warning that a critical Catalyst SD-WAN Controller authentication bypass flaw, tracked as CVE-2026-20182, was actively exploited in zero-day attacks that allowed attackers to gain administrative privileges on compromised devices. [...]

OpenAI says two employees' devices were breached in the recent TanStack supply chain attack that impacted hundreds of npm and PyPI packages, causing the company to rotate code-signing certificates for its applications as a precaution. [...]