RSS Aggregator

cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor

The Hacker News - 11 May, 2026 - 19:54
A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments. The attack exploits CVE-2026-41940, a vulnerability impacting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control
Ravie Lakshmanan
Category: Hacking & Security

Anthropic’s bug-hunting Mythos was greatest marketing stunt ever, says cURL creator

The Register - Anti-Virus - 11 May, 2026 - 18:30
cURL developer Daniel Stenberg has seen Anthropic’s Mythos, a model the AI biz has suggested is too capable at finding security holes to release publicly, scan his popular open source project. But after the system turned up just a single vulnerability, he concluded the hype around Mythos was “primarily marketing” rather than a major AI security breakthrough. Stenberg explained in a Monday blog post that he was promised access to Anthropic’s Mythos model - sort of - through the AI biz’s Project Glasswing program. Part of Glasswing involves giving high-profile open source projects access via the Linux Foundation, but while Stenberg signed up to try Mythos, he said he never actually received direct access to the model. Instead, someone else with access ran Mythos against curl’s codebase and later sent him a report. “It’s not that I would have a lot of time to explore lots of different prompts and doing deep dive adventures anyway,” Stenberg explained. “Getting the tool to generate a first proper scan and analysis would be great, whoever did it.” That scan, which analyzed curl’s git repository at a recent master-branch commit, was sent back to him earlier this month, and it found just five things that it claimed were “confirmed security vulnerabilities” in cURL. Saying he had expected an extensive list of vulnerabilities, Stenberg wrote that the report “felt like nothing,” and that feeling was further validated by a review of Mythos’ findings. “Once my curl security team fellows and I had poked on this short list for a number of hours and dug into the details, we had trimmed the list down and were left with one confirmed vulnerability,” Stenberg said, bringing us back to the aforementioned number. As for the other four, three turned out to be false positives that pointed out cURL shortcomings already noted in API documentation, while the team deemed the fourth to be just a simple bug. 
“The single confirmed vulnerability is going to end up a severity low CVE planned to get published in sync with our pending next curl release 8.21.0 in late June,” the cURL meister noted. “The flaw is not going to make anyone grasp for breath.” That said, Mythos did find several other non-security bugs that Stenberg said the team is working on fixing, and he notes that their description and explanation were well done. Mythos can do good work, in other words, but it’s not a ground-breaking, game-changing AI model like Anthropic has claimed. “My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing,” Stenberg said in the blog post. “I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos.”

cURL code is no stranger to AI

To say cURL has become widely used in its nearly three decades of existence would be an understatement. Its wide reach has meant that its team has been running it through all sorts of static code analyzers and fuzz testing it since well before the dawn of the AI age. With AI’s rise, the cURL team has adapted, meaning Mythos is hardly the first AI to get its fingers on cURL’s codebase. “These tools and the analyses they have done have triggered somewhere between two and three hundred bugfixes merged in curl through-out the recent 8-10 months or so,” Stenberg said of tools like AISLE, Zeropath, and OpenAI Codex Security that’ve tested cURL code. “A bunch of the findings these AI tools reported were confirmed vulnerabilities and have been published as CVEs. Probably a dozen or more.” Stenberg’s experience with AI testing cURL, in other words, makes it a great candidate to see how effective Mythos can really be at finding more than the average AI.
As Stenberg noted elsewhere in his blog post, Mythos isn’t doing anything particularly novel when it comes to security discoveries: It might be a bit better at finding things than previous models, but “it is not better to a degree that seems to make a significant dent in code analyzing,” the cURL author noted. Stenberg isn’t an AI doomer when it comes to its ability to improve software design, though. Yes, he may have closed the cURL bug bounty earlier this year due to an influx of sloppy, useless bug reports, but he also noted a few months prior to the bounty closure that some security researchers assisted by AI have made valuable reports. “AI powered code analyzers are significantly better at finding security flaws and mistakes in source code than any traditional code analyzers did in the past,” Stenberg said, adding an important qualifier for the Mythos moment: “All modern AI models are good at this now.”

Mythos isn’t any more creative than its creators

Both older AI models and security-focused tools like Mythos have a common limitation, as far as Stenberg is concerned: They’re only as good at finding security vulnerabilities as the humans who programmed them. “AI tools find the usual and established kind of errors we already know about. It just finds new instances of them,” Stenberg said. “We have not seen any AI so far report a vulnerability that would somehow be of a novel kind or something totally new.” As for Mythos, Stenberg remains unimpressed, calling it "an amazingly successful marketing stunt for sure" in his blog post. In an email to The Register, Stenberg admitted that it’d be possible for AI models to actually discover new, novel types of vulnerabilities, but he’s still not convinced that they can go beyond what humans are capable of finding, given that they’re limited by our understanding of how software vulnerabilities work. At the end of the day, Stenberg explained, when we talk about security, we’re only talking about code.
“Source code is text and it feels like maybe we already know about most ways we can do security problems in it,” he pondered in his email. In other words, like the valuable AI-assisted reports made to the cURL bug bounty program before its closure due to a flood of AI garbage, making valuable use of systems like Mythos is going to require humans to get creative. Sorry, no foisting your critical thinking onto a bot. “Human researchers have always used tools when they look for security problems,” Stenberg told us. “Adding AIs to the mix gives the humans even more powerful tools to use, more ways to find problems. I expect that many security bugs going forward will be found by humans coming up with new ways and angles of prompting the AIs.” Stenberg said that he hopes he’ll actually get his hands on Mythos so he can experiment with its capabilities, but he doesn’t seem to be holding out hope the promised access will materialize. “I have been promised access and for all I know I will eventually get it,” Stenberg told us. “I just don't know when.” ®
Category: Viruses and Worms

Brussels considers how to restrict VPN apps

AbcLinuxu [news briefs] - 11 May, 2026 - 17:57
European institutions and some US states continue to tighten the rules for online age verification. The aim is to prevent children from accessing adult content. Authorities, however, are running into a fundamental problem: more and more people use VPNs, services that make it possible to hide one's identity and real location on the internet. The European Parliamentary Research Service (EPRS) has now described VPNs as "a loophole in the legislation that needs to be closed" [Novinky.cz].
Category: GNU/Linux & BSD

Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation

The Hacker News - 11 May, 2026 - 17:45
Google on Monday disclosed that it identified an unknown threat actor using a zero-day exploit that it said was likely developed with an artificial intelligence (AI) system, marking the first time the technology has been put to use in the wild in a malicious context for vulnerability discovery and exploit generation. The activity is said to be the work of cybercrime threat actors who appear to
Ravie Lakshmanan
Category: Hacking & Security

Alza now has its own flashlight too. The Campgo torch shines up to 240 m and charges via USB-C

Živě.cz - 11 May, 2026 - 17:45
Besides headlamps, Alza now also makes its own handheld flashlights. • Starting today it sells two Campgo models. • They have a metal body, zoom, several modes and a replaceable battery.
Category: IT News

Instructure confirms hackers used Canvas flaw to deface portals

Bleeping Computer - 11 May, 2026 - 17:26
Education technology giant Instructure has confirmed that a security vulnerability allowed hackers to modify Canvas login portals and leave an extortion message. [...]
Category: Hacking & Security

Joplin 3.6

AbcLinuxu [news briefs] - 11 May, 2026 - 17:24
The cross-platform open source note-taking application Joplin (Wikipedia) has been released in the new version 3.6. Notes can now contain embedded external content, e.g. YouTube videos.
Category: GNU/Linux & BSD

Apple needs to fix admin authentication in ABM

Computerworld.com [Hacking News] - 11 May, 2026 - 17:23

Apple’s platforms are secure by design, but when it comes to authentication, the company seems to be protecting employees more than it protects IT admins. It’s an attack vector just waiting to be exploited — if it hasn’t been already.

As noted first by Six Colors, the problem is that administrator and People Manager accounts on Apple Business Manager (ABM) can’t sign in using federated authentication, even though they manage the federation process for everyone else. 

What are the implications?

What this means in practice is that when admins engage with the authentication process, they need to do so using non-federated Apple Account sign-in with Apple’s two‑factor authentication (typically via a trusted device or trusted phone number using SMS/voice). That’s weird; it means the key accounts that manage protection for sometimes thousands of devices are still only protected by a six-digit SMS code sent to a specified phone number. We know that SMS authentication is risky, with three well-known attack paths:

  • SIM swapping, where an assailant contacts your cellular company posing as you and convinces them to transfer your phone number to a SIM in their control. Once that takes place, all your SMS codes go to them.
  • Phishing, such as a fake login page that acts normally but intercepts your SMS code once you enter it, capturing and immediately using it to attack your actual account.
  • Interception, in which sophisticated, usually nation-state-adjacent attackers exploit the known vulnerabilities of SMS to intercept messages in transit.

While it is true most small and mid-size businesses probably don’t need to worry about that third attack possibility, and the second can be mitigated against by being careful never to use a link provided in an email to access key accounts, the first exploit sits within the reach of determined attackers.

A hole in the bucket

The consequences of a successful attack can be serious. Equipped with a compromised ABM account, an attacker could reassign enrolled devices to an MDM server they control, wipe devices, or push malicious apps/profiles or configurations at your devices. Those outcomes are, shall we say, sub-optimal.

I’m certain Apple has thought about this. It has, after all, introduced a range of security protections for all its devices, including managed devices. But in this case, it’s left things a little exposed. That weakness is made more critical because Apple’s system permits just a small number of administrators for each ABM setup, regardless of company size. 

As a result, an attacker might be able to penetrate a company with perhaps tens of thousands of users simply by identifying five names to target with any/all of the above attacks. Apple does not need to leave this hole in its security bucket.

What can you do to improve protection?

There are some easy wins when you try to protect your business while using Apple’s existing system:

  • The best practice seems to be for admins to use a dedicated phone number that is only used to handle the ABM and never anything else.
  • The number should have SIM swap protection in place. You might be able to set this up with a call to your carrier to have this applied to the account.
  • The number of active admin accounts should be limited to a minimum to narrow the target surface.

What can Apple do better?

Apple needs to change things up. Doing so needn’t be horrifically complex, either, as most of these mitigations are already in place elsewhere in its ecosystem. Here are some suggestions:

  • Extend authenticator support to ABM admin accounts.
  • Introduce Passkeys for admin accounts.
  • Put FIDO2 support in place so admins can use hardware security keys to authenticate, if they choose.
  • Introduce mitigations such as conditional access, so logins from unexpected locations aren’t respected.
  • Introduce support for Sign in with Apple, using biometric data to a specific device as a second factor.

All of these protections are already available in the Apple ecosystem; all Apple needs is to divert a little of its R&D cash into implementing the same protections in Apple Business Manager. From what I’ve seen, the Apple admin community would rejoice if it did. I imagine the Apple Business team is already lobbying for it to find the resources to do just that.

Category: Hacking & Security

Open Hardware Summit 2026

AbcLinuxu [news briefs] - 11 May, 2026 - 16:49
The Open Hardware Summit 2026, organized by OSHWA (Open Source Hardware Association), will take place on the weekend of 23 and 24 May in Berlin at the Technical University of Berlin.
Category: GNU/Linux & BSD

He swapped a fast charger for an extremely slow one. The miraculous extension of battery life never came

Živě.cz - 11 May, 2026 - 16:45
Slow phone charging limits battery heating and reduces its degradation • Today's modern smartphones intelligently manage and optimize the charging process themselves • Long-term tests show that the differences between the two methods are absolutely minimal
Category: IT News

CoMaps 2026.05.06

AbcLinuxu [news briefs] - 11 May, 2026 - 16:36
The privacy-focused navigation app CoMaps, built on OpenStreetMap, has been released in the new version 2026.05.06. It is now possible to update maps in the CoMaps app without also having to update the app itself. CoMaps is a community fork of the Organic Maps app.
Category: GNU/Linux & BSD

BWH Hotels guests warned after reservation data checks out with cybercrooks

The Register - Anti-Virus - 11 May, 2026 - 16:34
UPDATED BWH Hotels is informing customers about a third-party data breach that gave cybercriminals access to six months' worth of data. The notification email stated that BWH Hotels, which owns the WorldHotels, Best Western Hotels & Resorts, and Sure Hotels brands, identified the intrusion on April 22, but the affected data goes back to October 14, 2025. BWH Hotels CTO Bill Ryan, who penned the notification email, said names, email addresses, telephone numbers, and/or home addresses belonging to "certain guests" were accessed by an unauthorized third party. The intruders also accessed reservation details, such as reservation numbers, dates of stay, and any special requests. It confirmed that the attack targeted one of its "web applications that houses certain guest reservation data." No payment or bank details were involved. The Register asked BWH Hotels whether the intrusion began in October and went undetected until April, or whether a later breach exposed data dating back to October. We also asked if this was related to information we were sent in March about BWH Hotel customer booking data being stolen and used for phishing campaigns. At the time, the company neither confirmed nor denied the information seen by The Register. BWH Hotels did not immediately respond to our request for comment on Monday. "Upon discovering the incident, we immediately took the application offline and revoked the unauthorized access," said Ryan. "We have engaged leading external cybersecurity experts to support our incident response efforts and to assist with the further strengthening of existing safeguards." "We advise guests to be extra vigilant when viewing any unexpected or suspicious communications about hotel stays. If you receive a suspicious communication such as an unexpected email, text, WhatsApp message, or telephone call that asks for payment, codes, logins, or 'verification,' even if they reference a BWH Hotels property or an upcoming reservation, do not engage. 
Navigate to sites directly rather than clicking links." ®

Updated to add at 1542 UTC, May 12

BWH Hotels ignored all The Register's questions, but provided the following statement: "BWH® Hotels recently notified certain guests of unauthorized activity involving one of its guest reservation applications that contains limited guest contact information and reservation details. Importantly, payment or financial information was not stored in the affected system and therefore was not affected in this incident. Once the unauthorized activity was discovered, we immediately took the application offline and revoked the unauthorized access. We have also taken and will continue to take technical and organizational safeguards to further protect guest information. We have notified the appropriate regulatory agencies. BWH Hotels takes the security and privacy of guest information very seriously and apologizes for any inconvenience or concern this incident may have caused."
Category: Viruses and Worms

Why Linux Servers Get Hacked More Often Than People Think

LinuxSecurity.com - 11 May, 2026 - 16:07
Linux runs a massive part of the internet. Cloud platforms, databases, containers, web hosting, APIs, and internal business infrastructure all depend heavily on Linux systems. Most people interact with Linux-backed services every day without realizing it. That popularity also makes Linux server security a constant concern.
Category: Hacking & Security

In the Scramble to Power AI, Investors Bet $140 Million on Data Centers at Sea

Singularity HUB - 11 May, 2026 - 16:00

Far from shore, the server farms would be powered by waves, cooled by seawater, and networked by satellite.

As AI demand for computing power surges, companies are searching for new ways to fuel data centers. One startup is now proposing floating data centers powered by ocean waves, and they just raised $140 million to bring the idea to fruition.

Tech companies are planning to spend roughly $750 billion on data centers this year. But the elephant in the room is figuring out how to power these facilities. They’re already straining electrical grids across the world, and the pace of the buildout is far surpassing our ability to bring new power online.

This energy shortfall is leading tech companies to invest in a series of increasingly outlandish fixes from restarting shuttered nuclear reactors to developing novel geothermal energy technology and even launching data centers into space.       

Now, several leading Silicon Valley figures, including Palantir’s Peter Thiel and Salesforce’s Marc Benioff are backing Oregon-based startup Panthalassa. The startup is developing floating data centers that generate their own electricity from waves. These investors recently joined a $140 million series B round that will allow the company to complete a pilot manufacturing facility near Portland and begin deploying the latest generation of its devices, or “nodes.”

“There are three sources of energy on the planet with tens of terawatts of new capacity potential: solar, nuclear, and the open ocean,” CEO Garth Sheldon-Coulson said in a press release. “We’ve built a technology platform that operates in the planet’s most energy-dense wave regions, far from shore, and turns that resource into reliable clean power.”

The company’s nodes are nearly 300 feet long. A bulbous sphere at the top floats on the ocean’s surface, and a lengthy tube-like housing beneath holds computer servers. As the node bobs up and down on the waves, the movement forces water up through a tube into a pressurized reservoir where it drives a turbine to generate electricity for the chips.

Besides powering the data center with renewable energy, the nodes also use the surrounding seawater to cool the chips—a much more sustainable solution compared to land-based facilities, which use significant amounts of water and electricity to manage heat.

The data centers transfer information via SpaceX’s Starlink satellite network. This does away with the need for cabling, either for power transmission or networking, and allows the nodes to operate autonomously from anywhere in the ocean. They’re also self-propelling, can navigate to their deployment location, and can stay in position without external help.

The company designed the hardware with minimal moving parts, so it can operate for extended periods without maintenance—a crucial factor for operating far from shore. Panthalassa validated the concept with a three-week trial of their second-generation node Ocean-2 off the coast of Washington state in early 2024.

This isn’t the first attempt to harness the power of waves to generate renewable energy. The company’s main innovation is that it skips the complexities of getting power back to shore. “One of the key insights we had…was that it’s very important to use the electricity in place,” Sheldon-Coulson told the Financial Times. “We will never be transmitting electricity back to shore. That makes us very different from all other ocean energy that’s been tried in the past.”

The latest funding will be used to complete a pilot manufacturing facility near Portland and deploy Panthalassa’s next-generation Ocean-3 nodes, which are scheduled for testing in the northern Pacific later this year. The company says it’s targeting commercial deployment in 2027.

The approach does face some major hurdles though, Benjamin Lee, a computer architect at the University of Pennsylvania, told Ars Technica. While relying on satellite communication does away with power transmission headaches, these links have significantly lower bandwidth compared to the optical fiber normally used to network data centers. Combined with the potential for signal delays, this could limit how useful they are for the heavy AI workloads they’re meant to handle.

However, the approach has clear parallels with another idea that’s seized Silicon Valley—orbital data centers. Rather than using wave energy and ocean water for cooling, these facilities would rely on abundant solar energy and the frigid deep-space vacuum to chill their chips. But going orbital would be far costlier and more complex, suggesting Panthalassa’s approach may be a more viable alternative.

The sea is a cruel mistress though, and deploying and maintaining a fleet of ocean-going data centers won’t be simple. Nonetheless, if they can pull it off, the idea may ease the AI energy crunch.

Category: Transhumanism

Why Changing Passwords Doesn’t End an Active Directory Breach

Bleeping Computer - 11 May, 2026 - 15:53
Resetting a password doesn't always remove attackers from Active Directory. Specops Software explains how cached credentials and Kerberos tickets can keep attackers authenticated after a reset. [...]
Category: Hacking & Security

How Flightradar24 actually works: We listen to aircraft over the whole of Czechia

Živě.cz - 11 May, 2026 - 15:47
Flightradar24 shows aircraft positions in real time • If you help it collect data, you get the highest subscription tier for free • How does it all actually work and what do you need for it?
Category: IT News