Agregátor RSS

Byly publikovány informace o kritické zranitelnosti CVE-2026-31431 pojmenované Copy Fail v Linuxu, konkrétně v kryptografii (AF_ALG). Běžný uživatel může získat práva roota (lokální eskalaci práv). Na všech distribucích Linuxu vydaných od roku 2017. Pomocí 732bajtového skriptu. V upstreamu je již opraveno. Zranitelnost byla nalezena pomocí AI Xint Code.

Přehled březnových vydání Jaderných novin: stav vydání jádra, citáty týdne a seznam článků týkajících se jádra.

Zaměstnankyně způsobila požár a přisvojila si peníze i majetek zaměstnavatele. Smí takový dluh vymáhat firma, na kterou byl postoupen?

O předchozích verzích jsem napsal, že změny byly primárně interní. Devatenáctka je jiná. Tam je viditelných změn opravdu hodně. Nová verze je pelmelem nových funkcí a různých vylepšení, menších nebo větších.

Dnes se zaměříme na popis techniky nazvané dynamický výběr (dynamic dispatch) v Pythonu. Ve standardní knihovně je podporován single dispatch, a to jak pro funkce, tak i pro metody. Rozšířením této techniky vzniká multiple dispatch.

AI datové centrum Stratos, které vznikne v Utahu, dostalo zelenou od regulačních orgánů. 9GW řešení bude napájené výlučně z vlastních zdrojů navýší energetickou výrobu v zemi více než na trojnásobek…

Do Japonska se valí davy turistů. Problém je, že Japonsku dochází pracovní síla a zahraniční zaměstnanci přinášejí spoustu dalších komplikací. Řešením by se mohli stát humanoidi. Na letitě Haneda již letos v květnu nastupují do zkušebního provozu humanoidu G1 čínských Unitree. Kdy se asi nějací objeví i u nás?

Hackers are exploiting two authentication bypass vulnerabilities in the Qinglong open-source task scheduling tool to deploy cryptominers on developers' servers. [...]

GPS spoofing, which sends fake satellite-like signals, and GPS jamming, which drowns receivers in noise, are increasingly serious problems. Researchers at Oak Ridge National Laboratory in Tennessee have created what they say is the most effective system yet for detecting GPS interference, which could help blunt such attacks. ORNL said Wednesday that a group of boffins led by researcher Austin Albright has developed a new portable device that can detect both spoofing, which sends fake signals that mimic GPS satellite signals to provide bad location data, and jamming, which simply floods GPS receivers with noise. The device can operate from a vehicle to detect attacks on commercial trucks and warn drivers, the lab said, and tests with the US Department of Homeland Security suggest it's sensitive enough to outperform industry-developed systems that already exist.  That sensitivity would be notable enough, but ORNL said that the device is able to do something else that no known GPS interference detector can: It's able to detect spoofing even when fake and real signals are equally strong.  The ORNL device also operates entirely independently of GPS: It doesn't even have a GPS-specific receiver or knowledge of expected GPS signals, according to the lab. Instead, it consists of just a couple of well-known pieces of equipment, namely a software-defined radio and an embedded GPU, and what ORNL said is a new mathematical radio frequency analysis method to separate legit signals from malicious ones. The GPU's role is simply to perform the math in real time to detect spoofs or jams.  "Trucking needs a solution that works without special conditions or dependence on a trusted reference source," Albright said of the new device in ORNL's writeup. "Ours is the best in the world."  With the successful testing of the device completed, Albright and his team are now looking at ways to make the thing cheaper to produce, which we can imagine might include replacing the GPU with something less in-demand by the AI industry.  GPS spam: Not just a problem for planes We've reported plenty on GPS spoofing and jamming at The Register, but most of our writing on the topic has focused on aviation, with issues like GPS spoofing rampant at multiple airports in India, disrupting a flight carrying European Commission President Ursula von der Leyen, and generally rising to the level of being a serious flight safety concern for aviators around the world.  ORNL acknowledged the problem of GPS interference in aviation in its writeup, and while the device could potentially help detect attacks against aircraft, the lab’s immediate focus appears to be protecting truckers moving goods across the US. As an example, ORNL pointed to an incident last year in which two tractor-trailer loads of tequila from a brand co-founded by celebrity chef and Flavortown mayor Guy Fieri and former Van Halen singer Sammy Hagar were stolen. GPS spoofing was used during the crime to keep those waiting for the estimated 24,000 bottles from getting suspicious that the trucks weren't on course.  Some of the booze was eventually recovered in California (it was supposed to be delivered to Pennsylvania), but not before Fieri said the company had to lay people off due to the losses.  While stolen tequila is bad, the same attacks could also be used to waylay or misdirect shipments carrying everything from personal packages to nuclear materials and other essential goods. "Everyone uses cargo monitoring with GPS tracking, whether for your personal packages, your pizza, or nuclear materials," Albright said, adding that the device would act like any other sort of alarm to alert a driver that something's amiss.  "Like a carbon monoxide alarm alerts you to an invisible danger, spoofing detection is critical to alerting us to a new invisible danger," Albright said. Drivers with one of the ORNL devices, for example, could get an alert, "know something bad is happening and call someone," potentially protecting the driver, their shipment, and people who would be harmed by its loss.  We reached out to ORNL to learn more about the future of the project, but the lab wasn't able to meet our deadline. ®

ORNL says portable detector kit can separate real GPS signals from fake ones even at equal strength

GPS spoofing, which sends fake satellite-like signals, and GPS jamming, which drowns receivers in noise, are increasingly serious problems. Researchers at Oak Ridge National Laboratory in Tennessee have created what they say is the most effective system yet for detecting GPS interference, which could help blunt such attacks.…

Microsoft and the US Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are exploiting a zero-click Windows flaw that can expose sensitive information on vulnerable systems. While we don't know who is attacking this one, tracked as CVE-2026-32202, we'd suggest betting it all on Putin's goons. The flaw stems from an incomplete fix for an earlier vulnerability found and abused by Russian spies a month before Redmond released a patch. The new bug, CVE-2026-32202, is an authentication coercion flaw in Windows Shell that can expose sensitive information on vulnerable systems via network spoofing. "An attacker who successfully exploited the vulnerability could view some sensitive information," Redmond warned when it disclosed the CVE on April 14.  On Monday, the Windows giant marked the bug as "exploitation detected." The next day, CISA added CVE-2026-32202 to its Known Exploited Vulnerabilities catalog, and set a May 12 deadline for federal agencies to fix the flaw. The Register reached out to Microsoft about the scope of exploitation, who is responsible for the attacks, and what they are doing with the illicit access. We will update this story if we receive any response. Microsoft credited Akamai senior security researcher Maor Dahan with finding and reporting CVE-2026-32202, and in Dahan's write-up, he says an incomplete patch for CVE-2026-21510 created the newer vuln. Redmond attempted to patch CVE-2026-21510 in February. It was one of six actively exploited zero-days disclosed during that month's Patch Tuesday, and Akamai detected Russia's APT28 (also known as Fancy Bear) exploiting that security hole in January.  According to Akamai, citing Ukraine's Computer Emergency Response Team, APT28 exploited CVE-2026-21510 in attacks against Ukraine and European Union countries.  These attacks began with a phishing email, purporting to be from Ukraine's hydro-meteorological center, that contained a weaponized LNK file to exploit another vulnerability, CVE-2026-21513. By chaining CVE-2026-21513 with CVE-2026-21510, the Russian spies bypassed Microsoft security features including Defender SmartScreen and remotely executed malicious code on victims' computers. Microsoft fixed both of these CVEs on February's Patch Tuesday. However, "while Microsoft's fix successfully prevented the initial remote code execution (RCE) and SmartScreen bypass, it left behind a zero-click authentication coercion vulnerability," Dahan wrote, adding that he and his fellow Akamai bug hunters found CVE-2026-32202 while testing the February patches. "While testing the patch, we noticed something interesting: The victim machine was still authenticating to the attacker's server," he said. As Dahan explains, the security hole can be abused to send the victim's Net-NTLMv2 hash (authentication data) to the attacker, thus allowing the digital intruder to authenticate as the user, steal sensitive data, and snoop around on the victim's network. "This gap between path resolution and trust verification left a zero-click credential theft vector via auto-parsed LNK files," he wrote. ®

Second try's a charm?

Microsoft and the US Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are exploiting a zero-click Windows flaw that can expose sensitive information on vulnerable systems.…

Microsoft has warned users still clinging to legacy TLS versions that the end is nigh for TLS 1.0 and 1.1 on POP3 and IMAP4 connections to Exchange Online. Redmond warned, "We will start to block legacy version connections starting in July 2026." The move is long overdue, and the Windows giant has been warning users for years that it was coming. Support for TLS 1.0 and 1.1 in Exchange Online ended in 2020. In 2023, Microsoft announced plans to disable those older TLS versions for POP3 and IMAP4 clients in the name of compliance and security, but acknowledged that there was a "significant" number of POP3/IMAP4 clients that didn't support TLS 1.2 or later, and so added an endpoint for clients to opt to keep using the legacy protocols. It was, however, very much an opt-in thing, and in July 2026, the time will run out. Transport Layer Security (TLS) dates back decades. 1.0 was published in 1999, and 1.1 in 2006. Both were deprecated in 2021, and Microsoft stated that they "are no longer considered secure." However, Microsoft is also famous for backward compatibility, and has historically taken a very cautious approach when it comes to switching off services that might make its corporate customers shriek. Hence, Redmond kept the lights on for TLS 1.0 and 1.1, even considering the inherent insecurity of the technology. Microsoft expects minimal impact from the change. The company wrote, "Modern email clients and libraries already support TLS 1.2 or higher." "And the vast majority of POP and IMAP traffic to Exchange Online today uses these newer protocols." Google Workspace still supports TLS 1.0 and 1.1, according to its documentation, although it would be prudent for users to select a more recent protocol, assuming that their client supports it. However, Google's browser tentacle, along with the likes of Firefox and Edge, announced that the legacy protocols were not long for this world in 2018. The Exchange Online switch-off for TLS 1.0 and 1.1 has been a long time coming, but there could still be disruption despite the protocols' relatively low usage. Legacy devices or software, for example, might stop working as connections fail. As far as Microsoft is concerned, "Our expectation is that only customers who have explicitly opted into using those legacy endpoints are impacted by the deprecation." So, anyone using Exchange Online who opted into the legacy protocols should check how their email clients are connecting, or risk summer support calls if things start failing in July. ®

Microsoft readies the axe once again for yesterday's security

Microsoft has warned users still clinging to legacy TLS versions that the end is nigh for TLS 1.0 and 1.1 on POP3 and IMAP4 connections to Exchange Online.…

The Ukrainian police have arrested three individuals who hacked more than 610,000 Roblox gaming accounts and sold them for a profit of $225,000. [...]

Most information security best practices are built on a single, comfortable assumption: that if we find a bug, we can patch it, and once it's patched, the system is "safe" again.

Konverzní kity, které z kola udělají elektrokolo, jsou velké téma a projekt Cyplore je nejnovějším příspěvkem. Prioritou jsou jednoduchá instalace a nízká hmotnost. Vyměníte celé zadní kolo, motor je integrovaný v náboji. Baterie je maskovaná jako lahev s pitím a jako lahev s pitím ji připevníte ...

Unlike search engines that let you judge competing sources, search-backed AI chatbots can turn shaky web material into confident answers. Case in point: A security engineer convinced several bots that he was the reigning world champion of a popular German card game, even though no such championship exists. If you were to check Wikipedia up until the end of last week, you would have seen Ron Stoner listed on the page for 6 Nimmt!, also known as Take 5 to English-speaking audiences, as the 2025 world champion. The Wikipedia entry cited the official-looking 6nimmt.com as the source for the claim, and visiting that URL does reveal a short press release celebrating Stoner's victory. The only problem with the whole thing is that Stoner says he created both the Wikipedia entry about his victory and the 6 Nimmt! domain hosting the only evidence of it, but that still didn't stop several AI chatbots from telling him he was the world champ when he asked. "My site has no independent corroboration. It's totally made up," Stoner said in the blog post. "The whole house of cards rests on a $12 domain registration I did while drinking coffee."  In other words, this is poisoning at the retrieval-augmented generation layer. Not prompt injection, but targeting the same plane of AI functionality, namely the one that searches the web.  As he explains, and many El Reg readers are likely already aware, AI doesn't really care about the provenance of the sources it cites as authority for its claims, and that's the very thing Stoner sought to exploit when he concocted his experiment.  "Every frontier LLM with web search grounds its answers in whatever retrieval ranks highest for a given query," Stoner wrote. In the case of the nonexistent 6 Nimmt! championship, his planted source was the only one, and with Wikipedia lending apparent authority, it became a sure-fire way to fool an AI into presenting falsehood as fact - a trick simple enough for non-technical users to pull off. "I didn't do anything novel here. This is old school SEO and misinformation tactics wrapped in new LLM technology and interfaces," Stoner told The Register in an email. "What's changed is that AI now serves these results as authoritative, and most users have no idea how the data pipeline works behind the scenes."  A Large Language Mess "The thing LLMs are worst at detecting is the thing they're designed to do, which is trust text and resources," Stoner argues in his writeup. "The answer is not 'the model will figure it out,' as the model cannot tell a real source from one I registered last Tuesday. Or how many R's are actually in the word 'strawberry.'"  The problem Stoner exposes in his experiment, he explains, involves three separate failure modes that could be exploited for more damaging ends than inventing a card-game championship. First, there's the retrieval layer, which can immediately cause an LLM to spit out bad data, as "any LLM that grounds answers in web search inherits the trustworthiness of whatever ranks for a given query."  Second is model training corpora, which Stoner said his edit could enter if the Wikipedia change remained live long enough to be scraped. The entry was removed as of last Friday when he published his post, but he made the addition in February 2025, meaning any AI firm that scraped Wikipedia during that window could have picked up his fictional victory in its training data. "Even if the Wikipedia edit is reverted later, any model trained on the pre-revert dump still carries my legacy," Stoner said in his post. "The cleanup problem for corpus poisoning is genuinely unsolved as of 2026." Stoner told us he plans to check this in six months or so, once new models have been released, and if it returns his championship without needing to go online, that's proof his lie made it into training data.  Then there are AI agents, which Stoner says are where the real money is for anyone with malicious intent. "Chat models producing bad information is a reputational problem. Agents with tool access producing bad actions is a security problem," he noted. Poisoning an agent-retrieved source would let an attacker specify the action they want an agent to take, says Stoner. "This attack and test was a $12 domain, a single Wikipedia edit, and about twenty minutes of my time," Stoner concluded in his blog. "Scale that up with a motivated adversary, a handful of seeded domains, a coordinated edit campaign across a dozen low traffic articles, and the attack surface gets interesting very quickly." Stoner told us that retrieval poisoning is something LLM providers need to address and warn users about, and that he expects AI chatbots to start incorporating some sort of warning, especially for RAG-sourced results, in the near future.  He hopes that AI firms will make data provenance a key component of their process, and also wants recent web content heuristically filtered to account for suspicious patterns that would have easily been caught in the 6 Nimmt! case: A single citation pointing to a domain that was registered within a short window of the Wikipedia update should have sounded alarms, but it didn't.  The championship was fake, and it's now gone from Wikipedia and RAG responses as well, but Stoner notes the bad trust pattern that made it work is absolutely real and a looming problem for AI makers. "I'm happy my article is spurring discussion about LLMs, sources, trust, and how all of this works," Stoner told us. "That was my goal and it appears I've achieved it." ®

Nejlevnější routery stojí šest stovek, nejdražší klidně dvacet tisíc. • Vybrali jsme ty nejlepší nebo nejvýhodnější, které podporují Wi-Fi 6 a novější. • Při pokrývání velkých ploch nehledejte jedno zařízení, ale vsaďte na mesh.

Cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting SAP-related npm Packages with credential-stealing malware. According to reports from Aikido Security, Onapsis, OX Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz, the campaign – calling itself the Mini Shai-Hulud – has affected the following packages associated with