RSS aggregator

Kraken ransomware benchmarks systems for optimal encryption choice

Bleeping Computer - 13 November, 2025 - 23:53
The Kraken ransomware, which targets Windows and Linux/VMware ESXi systems, is testing machines to check how fast it can encrypt data without overloading them. [...]
Category: Hacking & Security

CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs

Bleeping Computer - 13 November, 2025 - 23:32
US government agencies are warning that the Akira ransomware operation has been spotted encrypting Nutanix AHV virtual machines in attacks. [...]
Category: Hacking & Security

Apple shows that App Store liberalization does nothing for users

Computerworld.com [Hacking News] - 13 November, 2025 - 23:17

In a reality attack destined no doubt to be completely ignored by ideologically deluded regulators and cash-hungry competitors, Apple has published an extensive report that proves the anticipated benefits of lower App Store commissions are not reaching European consumers at all. 

Not only that, but even the developers who do benefit from this ham-fisted attempt at market liberalization aren’t based in Europe.

Are you really surprised? 

After all, the initial implementation of these laws is based on theory, rather than practice. It is, surely, obvious that under free market theory, people will sell goods and services for as much as the market can sustain.

That means that making it cheaper to sell those goods (by App Store changes) will not automatically translate into any wider consumer benefit. But it is more likely to turn into yet more profit for those with goods on sale.

In that respect, there can be no tangible consumer benefits from App Store liberalization, so long as prices charged at that store reflect market demand. All that’s really happening is a different split in profit share. 

Who cares?

The problem is that consumers are directly harmed by the way in which this new fiscal carve up is created. That’s because they are forced to accept heightened security and privacy risks as store fronts multiply — even as regulation over the privacy and security of those stores remains relatively weak. 

Plus, in the case of App Stores, this also means device vendors (Apple, in particular) end up being forced to provide tech support for people who have problems installing apps from third-party operations.  Sure, Apple might not have a legal responsibility to sort these problems out, but it is a company with relatively ethical values and will no doubt spend time trying to help its customers. That’s a cadre of free tech support for those third-party app stores — profitable for them, but at the cost of higher running costs for Apple and a degraded user experience for the rest of us.

Today’s report doesn’t go into all of this, of course. But it’s hard not to see how its criticisms point to the logical conclusion that far from benefitting consumers, App Store liberalization has simply exposed them to potential fraud and other harms, inconsistent user experiences, security threats — all so a few more dollars can land in the laps of the multi-millionaires who paid so much cold hard cash to lobbyists, politicians, and PRs to complain about the so-called “Apple Tax.”

Wake up, people: These folks didn’t resent that so-called tax because you paid it; they resented it because they didn’t get to keep all of it.

What really happens

And that’s precisely what seems to be happening, according to the Apple report. It’s important to note that this report was conducted by economics experts at Analysis Group (paid for by Apple). I won’t paraphrase the entire thing here; you can read it yourself and draw your own conclusions. What I have done is select just three choice quotes to demonstrate the argument:

  • “The five top-selling developers in EU App Store storefronts in the three-month period prior to adopting the alternative business terms kept the price of their most popular product (defined as a paid app or a specific in-app purchase, such as a particular subscription or a given number of virtual coins) unchanged, even though they experienced a substantial reduction in the commission rate they paid.”
  • “Developers’ decision not to pass on commission savings to EU users mirrors Apple’s past experience following the launch of the Small Business Program, which reduced commission rates from 30% to 15% for tens of thousands of small developers beginning in 2021. Less than 5% of those developers’ apps exhibited any price decreases whatsoever after their commission rates decreased.”
  • “The findings of this study demonstrate that commission savings as a result of the DMA have not led to price decreases for customers and overwhelmingly flowed to developers outside the EU. Despite lower commission rates, developers maintained, or increased, the prices of 91% of products, accounting for 94% of transactions, and the small number of price decreases appear mostly, if not entirely, unrelated to the lower fees. In addition to developers keeping most of the commission savings for themselves, over 86% of the savings went to developers based outside of the EU.”

So, next time someone bewails the Apple tax, just look at what they do. Are they genuinely complaining about Apple’s business practices, or do they just want to take a bigger slice of the pie? Following the money (and the data) suggests the answer.

Category: Hacking & Security

New ‘IndonesianFoods’ worm floods npm with 100,000 packages

Bleeping Computer - 13 November, 2025 - 23:07
A self-spreading package published on npm spams the registry by spawning new packages every seven seconds, creating large volumes of junk. [...]
Category: Hacking & Security

Unreal Engine 5.7

AbcLinuxu [news briefs] - 13 November, 2025 - 22:14
Epic Games has released version 5.7 of its proprietary cross-platform game engine Unreal Engine (Wikipedia). A detailed overview of what's new is in the release notes.
Category: GNU/Linux & BSD

SpaceX has lost its exclusivity. The first stage of the hundred-metre New Glenn rocket successfully landed on the floating platform Jacklyn

Živě.cz - 13 November, 2025 - 22:05
Updated 22:05 | SpaceX is no longer the only one! The reusable first stage of the hundred-metre New Glenn rocket successfully landed for the first time a few minutes ago on the sea platform Jacklyn near the coast of Florida. The connection kept dropping out, but it worked. Today only SpaceX and Blue Origin can do this Jacklyn is ...
Category: IT News

Russian Hackers Create 4,300 Fake Travel Sites to Steal Hotel Guests' Payment Data

The Hacker News - 13 November, 2025 - 21:27
A Russian-speaking threat behind an ongoing, mass phishing campaign has registered more than 4,300 domain names since the start of the year. The activity, per Netcraft security researcher Andrew Brandt, is designed to target customers of the hospitality industry, specifically hotel guests who may have travel reservations with spam emails. The campaign is said to have begun in earnest around
Category: Hacking & Security

Oneplay and the 30 most popular films and series in November 2025. This is what Czechs watch most on the former Voyo

Živě.cz - 13 November, 2025 - 21:17
These films and series are currently the most popular on Oneplay (formerly Voyo). We do not distinguish by genre, age or ratings on film websites. This is the aggregate popularity over recent weeks, which is tracked and calculated by the website FlixPatrol.
Category: IT News

Ransomed CTO falls on sword, refuses to pay extortion demand

The Register - Anti-Virus - 13 November, 2025 - 21:02
Checkout.com will instead donate the amount to fund cybercrime research

Digital extortion is a huge business, because affected orgs keep forking over money to get their data back. However, instead of paying a ransom demand after getting hit by extortionists last week, payment services provider Checkout.com donated the demanded amount to fund cybercrime research.…

Category: Viruses and Worms

RCE flaw in ImunifyAV puts millions of Linux-hosted sites at risk

Bleeping Computer - 13 November, 2025 - 20:04
The ImunifyAV malware scanner for Linux servers, used by tens of millions of websites, is affected by a remote code execution vulnerability that could be exploited to compromise the hosting environment. [...]
Category: Hacking & Security

Can You Really Talk to the Dead Using AI? We Tried Out ‘Deathbots’ So You Don’t Have To

Singularity HUB - 13 November, 2025 - 18:48

A growing digital afterlife industry promises to make memory interactive and, in some cases, eternal.

Artificial intelligence is increasingly being used to preserve the voices and stories of the dead. From text-based chatbots that mimic loved ones to voice avatars that let you “speak” with the deceased, a growing digital afterlife industry promises to make memory interactive and, in some cases, eternal.

In our research, recently published in Memory, Mind & Media, we explored what happens when remembering the dead is left to an algorithm. We even tried talking to digital versions of ourselves to find out.

“Deathbots” are AI systems designed to simulate the voices, speech patterns, and personalities of the deceased. They draw on a person’s digital traces—voice recordings, text messages, emails, and social media posts—to create interactive avatars that appear to “speak” from beyond the grave.

As the media theorist Simone Natale has said, these “technologies of illusion” have deep roots in spiritualist traditions. But AI makes them far more convincing and commercially viable.

Our work is part of a project called Synthetic Pasts, which explores the impact technology has on the preservation of personal and collective memory. For our study, we looked at services that claim to preserve or recreate a person’s voice, memories, or digital presence using AI. To understand how they work, we became our own test subjects. We uploaded our own videos, messages, and voice notes, creating “digital doubles” of ourselves.

In some cases, we played the role of users preparing our own synthetic afterlives. In others, we acted as the bereaved trying to talk to a digital version of someone who has passed away.

What we found was both fascinating and unsettling. Some systems focus on preserving memory. They help users record and store personal stories, organized by theme, such as childhood, family, or advice for loved ones. AI then indexes the content and guides people through it, like a searchable archive.

Others use generative AI to create ongoing conversations. You upload data about a deceased person—messages, posts, even voice samples – and the system builds a chatbot that can respond in their tone and style. It uses a subset of AI called machine learning (which improves through practice) to make its avatars evolve over time.

Some present themselves as playful (“host a séance with AI”), but the experience can feel eerily intimate. All the platforms claim to offer an “authentic” emotional connection. Yet the more personalization we attempted, the more artificial it felt.

When prompted by these systems we provided more information about ourselves, only to have the bot repeat the exact phrasing we had used in stiff, scripted replies. At times, the tone was incongruous, such as when cheerful emojis or upbeat phrasing appeared even when discussing death—a clear reminder that algorithms are poor at handling the emotional weight of loss:

Oh hun… it (the death) is not something I’d wish for anyone to dwell on. It’s all a bit foggy now, to be honest. Let’s chat about something a bit cheerier, yeah?

The more archival-based tools we tested offered a calmer experience but also imposed rigid categories and limited nuance. As digital media scholar Andrew Hoskins has observed, memory in the age of AI becomes “conversational”—shaped by interactions between human and machine. But in our experiments, those conversations often felt flat, exposing the limits of synthetic intimacy:

Human: You were always so encouraging and supportive. I miss you.

Deathbot: I’m right here for you, always ready to offer encouragement and support whenever you need it. And I miss you too… Let’s take on today together, with positivity and strength.

Behind these experiences lies a business model. These are not memorial charities, they are tech startups. Subscription fees, “freemium” tiers, and partnerships with insurers or care providers reveal how remembrance is being turned into a product.

As the philosophers Carl Öhman and Luciano Floridi have argued, the digital afterlife industry operates within a “political economy of death,” where data continues to generate value long after a person’s life ends.

Platforms encourage users to “capture their story forever,” but they also harvest emotional and biometric data to keep engagement high. Memory becomes a service—an interaction to be designed, measured, and monetized. This, as the professor of technology and society Andrew McStay has shown, is part of a wider “emotional AI” economy.

Digital Resurrection?

The promise of these systems is a kind of resurrection—the reanimation of the dead through data. They offer to return voices, gestures, and personalities, not as memories recalled but as presences simulated in real time. This kind of “algorithmic empathy” can be persuasive, even moving, yet it exists within the limits of code and quietly alters the experience of remembering, smoothing away the ambiguity and contradiction.

These platforms demonstrate a tension between archival and generative forms of memory. All platforms, though, normalize certain ways of remembering, placing privilege on continuity, coherence, and emotional responsiveness, while also producing new, data-driven forms of personhood.

As the media theorist Wendy Chun has observed, digital technologies often conflate “storage” with “memory,” promising perfect recall while erasing the role of forgetting—the absence that makes both mourning and remembering possible.

In this sense, digital resurrection risks misunderstanding death itself: replacing the finality of loss with the endless availability of simulation, where the dead are always present, interactive, and updated.

AI can help preserve stories and voices, but it cannot replicate the living complexity of a person or a relationship. The “synthetic afterlives” we encountered are compelling precisely because they fail. They remind us that memory is relational, contextual, and not programmable.

Our study suggests that while you can talk to the dead with AI, what you hear back reveals more about the technologies and platforms that profit from memory—and about ourselves—than about the ghosts they claim we can talk to.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Category: Transhumanism

Rust in Android: move fast and fix things

Google Security Blog - 13 November, 2025 - 17:59
Posted by Jeff Vander Stoep, Android

Last year, we wrote about why a memory safety strategy that focuses on vulnerability prevention in new code quickly yields durable and compounding gains. This year we look at how this approach isn’t just fixing things, but helping us move faster.

The 2025 data continues to validate the approach, with memory safety vulnerabilities falling below 20% of total vulnerabilities for the first time.

Updated data for 2025. This data covers first-party and third-party (open source) code changes to the Android platform across C, C++, Java, Kotlin, and Rust. This post is published a couple of months before the end of 2025, but Android’s industry-standard 90-day patch window means that these results are very likely close to final. We can and will accelerate patching when necessary.

We adopted Rust for its security and are seeing a 1000x reduction in memory safety vulnerability density compared to Android’s C and C++ code. But the biggest surprise was Rust's impact on software delivery. With Rust changes having a 4x lower rollback rate and spending 25% less time in code review, the safer path is now also the faster one.

In this post, we dig into the data behind this shift and also cover:

  • How we’re expanding our reach: We're pushing to make secure code the default across our entire software stack. We have updates on Rust adoption in first-party apps, the Linux kernel, and firmware.
  • Our first Rust memory safety vulnerability...almost: We'll analyze a near-miss memory safety bug in unsafe Rust: how it happened, how it was mitigated, and steps we're taking to prevent recurrence. It’s also a good chance to answer the question “if Rust can have memory safety issues, why bother at all?”

Building Better Software, Faster

Developing an operating system requires the low-level control and predictability of systems programming languages like C, C++, and Rust. While Java and Kotlin are important for Android platform development, their role is complementary to the systems languages rather than interchangeable. We introduced Rust into Android as a direct alternative to C and C++, offering a similar level of control but without many of their risks. We focus this analysis on new and actively developed code because our data shows this to be an effective approach.

When we look at development in systems languages (excluding Java and Kotlin), two trends emerge: a steep rise in Rust usage and a slower but steady decline in new C++.

Net lines of code added: Rust vs. C++, first-party Android code.
This chart focuses on first-party (Google-developed) code (unlike the previous chart that included all first-party and third-party code in Android.) We only include systems languages, C/C++ (which is primarily C++), and Rust.

The chart shows that the volume of new Rust code now rivals that of C++, enabling reliable comparisons of software development process metrics. To measure this, we use the DORA [1] framework, a decade-long research program that has become the industry standard for evaluating software engineering team performance. DORA metrics focus on:

  • Throughput: the velocity of delivering software changes.
  • Stability: the quality of those changes.

Cross-language comparisons can be challenging. We use several techniques to ensure the comparisons are reliable.

  • Similar sized changes: Rust and C++ have similar functionality density, though Rust is slightly denser. This difference favors C++, but the comparison is still valid. We use Gerrit’s change size definitions.
  • Similar developer pools: We only consider first-party changes from Android platform developers. Most are software engineers at Google, and there is considerable overlap between pools with many contributing in both.
  • Track trends over time: As Rust adoption increases, are metrics changing steadily, accelerating the pace, or reverting to the mean?

Throughput

Code review is a time-consuming and high-latency part of the development process. Reworking code is a primary source of these costly delays. Data shows that Rust code requires fewer revisions. This trend has been consistent since 2023. Rust changes of a similar size need about 20% fewer revisions than their C++ counterparts.

In addition, Rust changes currently spend about 25% less time in code review compared to C++. We speculate that the significant change in favor of Rust between 2023 and 2024 is due to increased Rust expertise on the Android team.

While less rework and faster code reviews offer modest productivity gains, the most significant improvements are in the stability and quality of the changes.

Stability

Stable and high-quality changes differentiate Rust. DORA uses rollback rate for evaluating change stability. Rust's rollback rate is very low and continues to decrease, even as its adoption in Android surpasses C++.

For medium and large changes, the rollback rate of Rust changes in Android is ~4x lower than C++. This low rollback rate doesn't just indicate stability; it actively improves overall development throughput. Rollbacks are highly disruptive to productivity, introducing organizational friction and mobilizing resources far beyond the developer who submitted the faulty change. Rollbacks necessitate rework and more code reviews, and can also lead to build respins, postmortems, and blockage of other teams. Resulting postmortems often introduce new safeguards that add even more development overhead.

In a self-reported survey from 2022, Google software engineers reported that Rust is both easier to review and more likely to be correct. The hard data on rollback rates and review times validates those impressions.

Putting it all together

Historically, security improvements often came at a cost. More security meant more process, slower performance, or delayed features, forcing trade-offs between security and other product goals. The shift to Rust is different: we are significantly improving security and key development efficiency and product stability metrics.

Expanding Our Reach

With Rust support now mature for building Android system services and libraries, we are focused on bringing its security and productivity advantages elsewhere.

  • Kernel: Android’s 6.12 Linux kernel is our first kernel with Rust support enabled and our first production Rust driver. More exciting projects are underway, such as our ongoing collaboration with Arm and Collabora on a Rust-based kernel-mode GPU driver.
  • Firmware: The combination of high privilege, performance constraints, and limited applicability of many security measures makes firmware both high-risk and challenging to secure. Moving firmware to Rust can yield a major improvement in security. We have been deploying Rust in firmware for years now, and even released tutorials, training, and code for the wider community. We’re particularly excited about our collaboration with Arm on Rusted Firmware-A.
  • First-party applications: Rust is ensuring memory safety from the ground up in several security-critical Google applications, such as:
    • Nearby Presence: The protocol for securely and privately discovering local devices over Bluetooth is implemented in Rust and is currently running in Google Play Services.
    • MLS: The protocol for secure RCS messaging is implemented in Rust and will be included in the Google Messages app in a future release.
    • Chromium: Parsers for PNG, JSON, and web fonts have been replaced with memory-safe implementations in Rust, making it easier for Chromium engineers to deal with data from the web while following the Rule of 2.


These examples highlight Rust's role in reducing security risks, but memory-safe languages are only one part of a comprehensive memory safety strategy. We continue to employ a defense-in-depth approach, the value of which was clearly demonstrated in a recent near-miss.

Our First Rust Memory Safety Vulnerability...Almost

We recently avoided shipping our very first Rust-based memory safety vulnerability: a linear buffer overflow in CrabbyAVIF. It was a near-miss. To ensure the patch received high priority and was tracked through release channels, we assigned it the identifier CVE-2025-48530. While it’s great that the vulnerability never made it into a public release, the near-miss offers valuable lessons. The following sections highlight key takeaways from our postmortem.

Scudo Hardened Allocator for the Win

A key finding is that Android’s Scudo hardened allocator deterministically rendered this vulnerability non-exploitable due to guard pages surrounding secondary allocations. While Scudo is Android’s default allocator, used on Google Pixel and many other devices, we continue to work with partners to make it mandatory. In the meantime, we will issue CVEs of sufficient severity for vulnerabilities that could be prevented by Scudo.

In addition to protecting against overflows, Scudo’s use of guard pages helped identify this issue by changing an overflow from silent memory corruption into a noisy crash. However, we did discover a gap in our crash reporting: it failed to clearly show that the crash was a result of an overflow, which slowed down triage and response. This has been fixed, and we now have a clear signal when overflows occur into Scudo guard pages.

Unsafe Review and Training

Operating system development requires unsafe code, typically C, C++, or unsafe Rust (for example, for FFI and interacting with hardware), so simply banning unsafe code is not workable. When developers must use unsafe, they should understand how to do so soundly and responsibly.

To that end, we are adding a new deep dive on unsafe code to our Comprehensive Rust training. This new module, currently in development, aims to teach developers how to reason about unsafe Rust code, soundness and undefined behavior, as well as best practices like safety comments and encapsulating unsafe code in safe abstractions.

Better understanding of unsafe Rust will lead to even higher quality and more secure code across the open source software ecosystem and within Android. As we'll discuss in the next section, our unsafe Rust is already really quite safe. It’s exciting to consider just how high the bar can go.

Comparing Vulnerability Densities

This near-miss inevitably raises the question: "If Rust can have memory safety vulnerabilities, then what’s the point?"

The point is that the density is drastically lower. So much lower that it represents a major shift in security posture. Based on our near-miss, we can make a conservative estimate. With roughly 5 million lines of Rust in the Android platform and one potential memory safety vulnerability found (and fixed pre-release), our estimated vulnerability density for Rust is 0.2 vuln per 1 million lines (MLOC).

Our historical data for C and C++ shows a density of closer to 1,000 memory safety vulnerabilities per MLOC. Our Rust code is currently tracking at a density orders of magnitude lower: a more than 1000x reduction.

Memory safety rightfully receives significant focus because the vulnerability class is uniquely powerful and (historically) highly prevalent. High vulnerability density undermines otherwise solid security design because these flaws can be chained to bypass defenses, including those specifically targeting memory safety exploits. Significantly lowering vulnerability density does not just reduce the number of bugs; it dramatically boosts the effectiveness of our entire security architecture.

The primary security concern regarding Rust generally centers on the approximately 4% of code written within unsafe{} blocks. This subset of Rust has fueled significant speculation, misconceptions, and even theories that unsafe Rust might be more buggy than C. Empirical evidence shows this to be quite wrong.

Our data indicates that even a more conservative assumption, that a line of unsafe Rust is as likely to have a bug as a line of C or C++, significantly overestimates the risk of unsafe Rust. We don’t know for sure why this is the case, but there are likely several contributing factors:

  • unsafe{} doesn't actually disable all or even most of Rust’s safety checks (a common misconception).
  • The practice of encapsulation enables local reasoning about safety invariants.
  • The additional scrutiny that unsafe{} blocks receive.

Final Thoughts

Historically, we had to accept a trade-off: mitigating the risks of memory safety defects required substantial investments in static analysis, runtime mitigations, sandboxing, and reactive patching. This approach attempted to move fast and then pick up the pieces afterwards. These layered protections were essential, but they came at a high cost to performance and developer productivity, while still providing insufficient assurance.

While C and C++ will persist, and both software and hardware safety mechanisms remain critical for layered defense, the transition to Rust is a different approach where the more secure path is also demonstrably more efficient. Instead of moving fast and then later fixing the mess, we can move faster while fixing things. And who knows, as our code gets increasingly safe, perhaps we can start to reclaim even more of that performance and productivity that we exchanged for security, all while also improving security.

Acknowledgments

Thank you to the following individuals for their contributions to this post:

  • Ivan Lozano for compiling the detailed postmortem on CVE-2025-48530.
  • Chris Ferris for validating the postmortem’s findings and improving Scudo’s crash handling as a result.
  • Dmytro Hrybenko for leading the effort to develop training for unsafe Rust and for providing extensive feedback on this post.
  • Alex Rebert and Lars Bergstrom for their valuable suggestions and extensive feedback on this post.
  • Peter Slatala, Matthew Riley, and Marshall Pierce for providing information on some of the places where Rust is being used in Google's apps.

Finally, a tremendous thank you to the Android Rust team, and the entire Android organization for your relentless commitment to engineering excellence and continuous improvement.

Notes
  1. The DevOps Research and Assessment (DORA) program is published by Google Cloud. 

Category: Hacking & Security

There is 20× more Linux malware than five years ago. Kaspersky launches an antivirus for home users

Živě.cz - 13 November, 2025 - 17:45
The antivirus program from Kaspersky Lab now supports Linux. • It promises protection against malware and phishing. • According to the Russian company, the volume of Linux malware is growing rapidly.
Category: IT News

Washington Post data breach impacts nearly 10K employees, contractors

Bleeping Computer - 13 November, 2025 - 17:00
The Washington Post is notifying nearly 10,000 employees and contractors that some of their personal and financial data has been exposed in the Oracle data theft attack. [...]
Category: Hacking & Security

Ubuntu 25.10's Rusty sudo holes quickly welded shut

The Register - Anti-Virus - 13 November, 2025 - 16:45
The goal of 'oxidizing' the Linux distro hits another bump

Two vulnerabilities in Ubuntu 25.10's new "sudo-rs" command have been found, disclosed, and fixed in short order.…

Category: Viruses and Worms

Security vulnerabilities in Intel products – 11/2025. Microcode 20251111

AbcLinuxu [news briefs] - 13 November, 2025 - 16:24
Intel has issued 30 security advisories for vulnerabilities in its products. At the same time it released version 20251111 of the microcode for its processors.
Category: GNU/Linux & BSD

Kerberoasting in 2025: How to protect your service accounts

Bleeping Computer - 13 November, 2025 - 16:02
Kerberoasting attacks let hackers steal service account passwords and escalate to domain admin, often without triggering alerts. Specops Software shares how auditing AD passwords, enforcing long unique credentials, and using AES encryption can shut these attacks down early. [...]
Category: Hacking & Security