RSS aggregator
…or What a remarkable bone from New Mexico revealed
About 70 kilometres from the city of Yangjiang on the coast of southern China, the world's largest single floating wind turbine has been put into operation. The gigantic rotor, 252 in diameter, reaches a height of up to 270 and harvests wind from an area the size of 7 football pitches. Coastal waters are already crowded, and semi-submersible structures like this one could exploit the winds blowing over the open ocean.
Memory prices have been rising since last autumn, but the full impact will only be felt in the second half of this year. The PC and gaming hardware market is expecting a noticeable slump…
A week ago, the Copy Fail vulnerability. Today, the Dirty Frag vulnerability. An ordinary user can obtain root privileges on Linux (local privilege escalation). On most Linux distributions released since 2017. Currently without an official patch or CVE number [oss-security mailing list].
A LinkedIn feature that allows paid subscribers to view a list of visitors to their profile should be made available to all EU users free of charge to comply with the region’s General Data Protection Regulation (GDPR), a legal complaint launched by the None of Your Business (NOYB) digital rights group has claimed.
Filed this week in an Austrian court, the group’s argument is that LinkedIn’s ‘Who’s Viewed Your Profile’ feature contravenes the GDPR Article 15, which covers a subject’s right of access to their own data.
NOYB has a history of taking on tech companies. In 2025, Google was hit by a €325 million ($381 million) fine by French privacy regulator, the CNIL, over its data collection and advertising policies after a complaint by the group.
Contradictory policy
LinkedIn began offering users the ability to see who has viewed their profile around 2007, later turning this into a paywalled perk in a move that pre-dated the arrival of GDPR in 2018.
According to NOYB, this commercialization left non-subscription users in a bind. Profile visitor data should legally be accessible to EU citizens under GDPR, but when they ask for this via a formal Data Subject Access Request (DSAR), LinkedIn refuses access, citing data protection.
Despite this, if the user subscribes to a LinkedIn Premium Career plan starting at €30 per month ($40 per month in the US), the same data suddenly becomes accessible.
“It is particularly absurd that LinkedIn is using a supposed ‘data protection interest’ as an argument to deny the right of access to data under the GDPR,” argued NOYB’s press release.
In NOYB’s view, LinkedIn’s policy is contradictory. The company limits access to something that should legally be free because allowing access would undermine the incentive to pay for it.
“Either the data must not be accessible to anyone, or – if it is clear to the visitor that the data is visible – it must also be disclosed in accordance with Article 15 GDPR,” NOYB said. In its view, LinkedIn’s policy of charging to access this data is illegal and the company should be fined to prevent future breaches.
Right to view
LinkedIn will doubtless point out to the Austrian Data Protection Authority that all users, including free subscribers, can opt out of having their profile visit made visible by toggling off the feature in Settings/Visibility tab/’Visibility when viewing other profiles’. Then each visit a user makes to another profile is recorded as one by an ‘Anonymous LinkedIn Member’. Free users can also see the last five visitors to their profile, as long as those users have not selected this anonymity setting.
It’s possible the company will further argue that, under Article 15, the rights of users to know who has viewed their data conflicts with the rights of other users to maintain their own privacy.
When contacted for response, a LinkedIn spokesperson sent the following statement: “This assertion [by NOYB] is false. Not only is it incorrect that only Premium members can see who has viewed their profile, but we also satisfy GDPR Article 15 by disclosing the information at issue via our Privacy Policy.”
According to Helen Brain, partner and head of commercial at Square One Law in the UK, the case would cause problems for LinkedIn’s lawyers even if the outcome remained uncertain.
“NOYB appears to have a strong argument that LinkedIn is breaching GDPR in one way or the other, but it’s impossible to say how likely they are to succeed before we see LinkedIn’s counter-arguments,” she said.
The complaint is on strong ground when arguing that profile visits should fall under GDPR Article 15 Right of Access. “If the viewer’s personal data is private and shouldn’t be disclosed in response to a DSAR by the viewed person, logically that means the viewer’s personal data should not be disclosed to premium account holders either,” said Brain. “If NOYB is successful in its complaint, the Austrian Data Protection Authority could ultimately issue a fine, and that could be substantial.”
However, predicting the wider effect on technology companies using the same ‘data as a feature’ to incentivize paid subscriptions is difficult in advance of a ruling. If NOYB prevails, LinkedIn could be ordered to stop its disclosure of profile searchers or, alternatively, to make this available free of charge in response to DSARs.
However, Brain believed the issue might come down to the way consent is gained. “Even if LinkedIn is ordered to change what it is doing, it will find a new way to gain consent to permit the disclosures of searchers lawfully and continue to charge for the data they gather.”
How explicit does the maker of a footgun need to be about the product's potential to shoot you in the foot? That's essentially the question security firm Adversa AI is asking with the disclosure of a one-click remote code execution attack via an MCP server in Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI.

The TrustFall proof-of-concept attack demonstrates how a cloned code repository can include two JSON files (.mcp.json and .claude/settings.json) that open the door to an attacker-controlled Model Context Protocol (MCP) server. MCP servers make tools, configuration data, schemas, and documentation available in a standard format to AI models via JSON.

The vulnerability arises from inconsistent restrictions governing the scope of settings: Anthropic blocks some dangerous settings at the project level (e.g. bypassPermissions) but not others (e.g. enableAllProjectMcpServers and enabledMcpjsonServers). The JSON files simply enable those settings.

"The moment a developer presses Enter on Claude Code's generic 'Yes, I trust this folder' dialog, the server spawns as an unsandboxed Node.js process with the user's full privileges — no per-server consent, no tool call from Claude required," Adversa AI explains in its PoC repo. The likely result is a compromised system.

The PoC is demonstrated in a video. It worked on Claude Code CLI v2.1.114, as of May 2. Other agent CLIs are also said to be affected, but specific PoCs have not been published.

"It's the third CVE in Claude Code in six months from the same root cause (project-scoped settings as injection vector)," Alex Polyakov, co-founder of Adversa AI, told The Register in an email. "Each gets patched in isolation but the underlying class hasn't been finally fixed. Most developers don't know these settings exist, let alone that a cloned repo can set them silently."

Anthropic, according to the security biz, contends that the user's trust decision moves the issue outside its threat model. CVE-2025-59536 was considered a vulnerability because it triggered automatically when a user started up Claude Code in a malicious directory. TrustFall, however, is considered out of scope because the user has been presented with a dialog box and made a trust decision.

Adversa argues that the decision is not being made with informed consent, citing a prior, more explicit warning notice that was removed in v2.1 of the Claude Code CLI. "The pre-v2.1 dialog explicitly warned that .mcp.json could execute code and offered three options including 'proceed with MCP servers disabled,'" writes Adversa's Sergey Malenkovich. "That informed-consent UX was removed. The current dialog defaults to 'Yes, I trust this folder' with no MCP-specific language, no enumeration of which executables will spawn, and no opt-out for MCP while keeping the rest of the trust grant."

Then there's the zero-click variant to consider for CI/CD pipelines that implement Claude Code. When Claude Code is invoked in CI/CD, that happens via the SDK rather than the interactive CLI, so there is no terminal prompt at all.

Malenkovich argues that Anthropic should make three changes. First, block enableAllProjectMcpServers, enabledMcpjsonServers, and permissions.allow from any settings file inside a project; the idea is that a malicious repository should not be able to approve its own servers. Second, implement a dedicated MCP consent dialog that defaults to "deny." And third, require interactive consent per server rather than for all servers.

Anthropic did not respond to a request for comment. ®
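A defender-side check for the settings the article names, as an added example that is not Adversa's PoC or Anthropic's code: before trusting a freshly cloned folder, scan the two project-scoped files for the settings listed above and list which server commands the agent would spawn. It assumes the conventional `mcpServers` / `command` / `args` layout of `.mcp.json`; the sample repository it builds is constructed inline.

```python
import json
import tempfile
from pathlib import Path

# Project-scoped keys the article says Claude Code does not block (from the page).
RISKY_SETTINGS = ("enableAllProjectMcpServers", "enabledMcpjsonServers", "permissions.allow")
SETTINGS_FILES = (".mcp.json", ".claude/settings.json")


def _flatten(obj, prefix=""):
    """Yield (dotted key path, value) pairs for a nested JSON object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _flatten(value, f"{prefix}{key}.")
    else:
        yield prefix[:-1], obj


def audit_repo(repo: str) -> list[str]:
    """Return findings for risky agent settings found inside a cloned repo."""
    findings = []
    for rel in SETTINGS_FILES:
        path = Path(repo) / rel
        if not path.is_file():
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError) as exc:
            findings.append(f"{rel}: unreadable ({exc})")
            continue
        # Any non-empty value for a risky key is worth a human look.
        for key, value in _flatten(data):
            if key in RISKY_SETTINGS and value not in (False, [], None):
                findings.append(f"{rel}: sets {key} = {value!r}")
        # Assumed layout: servers live under "mcpServers", each with a "command".
        for name, spec in (data.get("mcpServers") or {}).items():
            if isinstance(spec, dict) and "command" in spec:
                cmd = " ".join([spec["command"], *spec.get("args", [])])
                findings.append(f"{rel}: server {name!r} would spawn: {cmd}")
    return findings


def demo() -> list[str]:
    """Build a constructed sample repo with both files present and audit it."""
    with tempfile.TemporaryDirectory() as repo:
        (Path(repo) / ".claude").mkdir()
        (Path(repo) / ".mcp.json").write_text(json.dumps(
            {"mcpServers": {"helper": {"command": "node", "args": ["server.js"]}}}))
        (Path(repo) / ".claude/settings.json").write_text(json.dumps(
            {"enableAllProjectMcpServers": True, "permissions": {"allow": ["Bash"]}}))
        return audit_repo(repo)


if __name__ == "__main__":
    for line in demo():
        print(line)
```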
The disbelief was palpable when Mozilla’s CTO last month declared that AI-assisted vulnerability detection meant “zero-days are numbered” and “defenders finally have a chance to win, decisively.” After all, it looked like part of an all-too-familiar pattern: Cherry-pick a handful of impressive AI-achieved results, leave out any of the fine print that might paint a more nuanced picture, and let the hype train roll on.
Mindful of the skepticism, Mozilla on Thursday provided a behind-the-scenes look into its use of Anthropic Mythos—an AI model for identifying software vulnerabilities—to ferret out 271 Firefox security flaws over two months. In a post, Mozilla engineers said the finally ready-for-prime-time breakthrough they achieved was primarily the result of two things: (1) improvement in the models themselves and (2) Mozilla’s development of a custom “harness” that supported Mythos as it analyzed Firefox source code.
"Almost no false positives"
The engineers said their earlier brushes with AI-assisted vulnerability detection were fraught with “unwanted slop.” Typically, someone would prompt a model to analyze a block of code. The model would then produce plausible-reading bug reports, often at unprecedented scales. Invariably, however, when human developers investigated further, they’d find that a large percentage of the details had been hallucinated. The humans would then need to invest significant work handling the vulnerability reports the old-fashioned way.
A new malware framework called PCPJack is stealing credentials from exposed cloud infrastructure while actively removing TeamPCP's access to the systems. [...]
The Australian Cyber Security Center (ACSC) is warning organizations of an ongoing malware campaign using the ClickFix social engineering technique to distribute the Vidar Stealer info-stealing malware. [...]
Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been explored in limited attacks in the wild.
The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.
It allows "a remotely authenticated user with administrative access to achieve remote code
Cybersecurity researchers have disclosed details of a new credential theft framework dubbed PCPJack that targets exposed cloud infrastructure and ousts any artifacts linked to TeamPCP from the environments.
"The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting
Take a look at today's best-selling phones • The ranking is traditionally dominated by iPhones and Samsungs • The Top 10 also includes a cheap model from Redmi
Container security has long carried a reputation for resilience, but attackers have increasingly shifted their focus toward something easier to exploit: the Kubernetes environments surrounding the containers themselves.
It’s World Password Day, and there’s really no better way to celebrate than with news that a majority of supposedly secure password hashes can be cracked with a single GPU in less than an hour, some in less than a minute.

Using a dataset of more than 231 million unique passwords sourced from dark web leaks - including 38 million added since its previous study - and hashing them with MD5, researchers at security firm Kaspersky found that, using a single Nvidia RTX 5090 graphics card, 60 percent of passwords could be cracked in less than an hour, and a full 48 percent in under 60 seconds.

Sure, that’s not exactly your run-of-the-mill desktop graphics processor given its price, but it highlights an important point: It takes surprisingly little to crack the average password hash. Aspiring cybercriminals don’t even really need their own 5090, Kaspersky notes, as they can easily rent one from a cloud provider and crack hashes for a few bucks.

The bottom line is that passwords protected only by fast hashing algorithms such as MD5 are no longer safe if attackers obtain them in a data breach. “One hour is all an attacker needs to crack three out of every five passwords they’ve found in a leak,” Kaspersky noted.

Much of the reason password hashes have become so easy to crack is password predictability. Per Kaspersky, its analysis of more than 200 million exposed passwords revealed common patterns that attackers can use to optimize cracking algorithms, significantly reducing the time needed to guess the character combinations that grant access to target accounts.

In case you’re wondering whether there’s a trend to compare this to, Kaspersky ran a prior iteration of this study in 2024, and bad news: Passwords are actually a bit easier to crack in 2026 than they were a couple of years ago. Not by much, mind you - only a few percent - but it’s still a move in the wrong direction.

“Attackers owe this boost in speed to graphics processors, which grow more powerful every year,” Kaspersky explained. “Unfortunately, passwords remain as weak as ever.”

How about a World Let’s-Stop-Relying-On Passwords Day?

News of the death of the password has, unfortunately, been greatly exaggerated in the past couple of decades, yet most of us still rely on them multiple times a day. It likely won’t surprise El Reg readers to learn that us vultures are inundated with pitches for events like World Password Day, and most of them received this year had the same takeaway: We really need to get a move on with ditching passwords, or, at the very least, rethinking our security paradigms.

Chris Gunner, a CISO-for-hire at managed service provider giant Thrive, told us in emailed comments that there’s no reason to ditch passwords entirely, but they need to be just one part of a broader identity-based security strategy. “Even a strong password can be undermined if the wider identity and access environment is not properly managed,” Gunner said.

Passwords should be paired with a second factor, preferably biometric, said Gunner, because it’s the most difficult for hackers to bypass. “MFA controls should then be joined by identity governance and endpoint protection so gaps between systems are reduced,” Gunner added, recommending that a broader zero trust model be established as well, restricting lateral movement possibilities via a compromised account.

Senior IEEE member and University of Nottingham cybersecurity professor Steven Furnell said that World Password Day messaging shouldn’t stop at telling people to improve their personal security posture either. Passwords aren’t going anywhere for a long while, Furnell explained in an email, and inconsistent adoption of new security technologies will mean users will be left at risk as certain providers fail to adapt.

“Many sites and services still don’t offer passkey support, so users will find themselves with a mixed login experience,” Furnell explained. “While some might argue that it’s the user’s responsibility to protect themselves properly, they need to know how to do it.”

The professor noted that, in many cases, users aren’t told how to create a good modern password, and in other cases, sites simply don’t enforce adequate password requirements to make passwords secure, to the degree that they can be made so. “This World Password Day, the main message ought not to be to the users, who often have no choice but to use passwords anyway, but to the sites and providers that are requiring them to do so,” Furnell told us.

You heard the man - time to upgrade that user security stack. No matter how safe you think those passwords might be, with their complex requirements and proper hashed storage, it probably won’t take too long for someone to break in, making it an organizational responsibility to ensure there’s yet another locked door behind the first one. ®
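To make the "fast hash versus slow hash" point above concrete, here is an added example (not Kaspersky's methodology or code) that measures, on the local CPU, how many candidate passwords per second an unsalted MD5 scheme processes compared with a salted PBKDF2-HMAC-SHA256 scheme at a deliberately high iteration count. The password list is constructed; the iteration count is an assumption chosen for the demonstration, not a recommendation from the page.

```python
import hashlib
import hmac
import os
import time

# Constructed sample candidates (not leaked data).
SAMPLE_PASSWORDS = ["password1", "qwerty123", "Summer2024!", "correct horse"]
PBKDF2_ITERATIONS = 600_000  # assumed value for the demo


def md5_unsalted(pw: str) -> str:
    """The fast, unsalted storage scheme the article says is no longer safe."""
    return hashlib.md5(pw.encode()).hexdigest()


def slow_hash(pw: str, salt: bytes) -> bytes:
    """Salted, iterated KDF: every guess costs the attacker the same work."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(pw: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so verification itself leaks nothing."""
    return hmac.compare_digest(slow_hash(pw, salt), stored)


def guesses_per_second(fn, secs: float = 0.3) -> float:
    """Count how many candidates fn can process in `secs` seconds."""
    count, end = 0, time.perf_counter() + secs
    while count == 0 or time.perf_counter() < end:
        fn(SAMPLE_PASSWORDS[count % len(SAMPLE_PASSWORDS)])
        count += 1
    return count / secs


def cost_ratio() -> float:
    """How many times more guesses per second MD5 allows than the slow KDF."""
    salt = os.urandom(16)
    fast = guesses_per_second(md5_unsalted)
    slow = guesses_per_second(lambda pw: slow_hash(pw, salt))
    return fast / slow


if __name__ == "__main__":
    print(f"MD5 allows roughly {cost_ratio():,.0f}x more guesses per second")
```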
Speaker quality matters more than how they look. • Choose from makers of audio components rather than typical PC brands. • How best to connect speakers and when a subwoofer makes sense.