Agregátor RSS

There's a huge hole and no one is patching it thus far. A critical, remote code execution (RCE) bug in Gogs, a popular open-source self-hosted Git service, can be exploited by any authenticated user - no special privileges required - on a default installation to fully compromise vulnerable servers, steal credentials and multi-factor authentication secrets, or even modify code in hosted repositories in a wide-reaching supply-chain attack. A security researcher reported the 9.4-rated flaw to project maintainers in mid-March. It still doesn’t have a patch. It does, however, have a public Metasploit module - so we’d expect reports of in-the-wild exploitation to start very soon. The vulnerability affects all supported platforms, including Windows, Linux, and macOS, and installation methods, according to Rapid7 researcher Jonah Burgess, who found and reported the bug to Gogs maintainers via GitHub (GHSA-qf6p-p7ww-cwr9) on March 17. After they initially acknowledged that they received the report on March 28, Burgess says he never heard back from the Gogs team - not when he asked them for a status update, nor when he reminded them of the vulnerability disclosure date and asked if they wanted an extension to fix the flaw before its release. “We have not received any further communication from Gogs, and the GHSA has remained unanswered since March 28,” Burgess told The Register. “Because there is currently no official patch, our team submitted a pull request with a suggested fix today [Friday], which is currently awaiting review. At this time, we have no evidence suggesting that this vulnerability is being exploited in the wild.” Gogs sponsor DigitalOcean also did not respond to The Register’s inquiries, including when the security issue would receive a patch. The vulnerability stems from an argument injection flaw in Gogs’ pull request merge flow, specifically the Merge() function in internal/database/pull.go. If a Gogs repo owner or admin enables "Rebase before merging" and a user opens a pull request, the PR's base branch name gets passed directly to a git rebase command without a -- separator to mark the end of command options. Gogs also fails to properly sanitize the input. This means an attacker can create a malicious branch (such as --exec=touch${IFS}/tmp/rce_proof), and Git treats it as an --exec flag, not a branch name, and executes the payload. For Windows installations, the payload delivery method is slightly different, and Burgess developed an exploit module to auto-implement a cross-platform approach. Until the maintainers fix the flaw, Burgess suggests Gogs’ users take the following precautions to mitigate the issue. First, and most importantly, restrict user registration (DISABLE_REGISTRATION = true in app.ini) to prevent untrusted users from creating accounts. Restricting repository creation (MAX_CREATION_LIMIT = 0 in app.ini) to prevent users from creating their own repos also blocks the easiest attack path - creating a new repo with rebase enabled - but it won’t prevent exploitation by users with write access to existing repositories. Finally, audit rebase merge settings, and disable “Rebase before merging" under Settings > Advanced. “Note that this is not an effective defense against a malicious user who owns or has admin access to a repo, since they can re-enable rebase at will,” the threat hunter warns. “There is no global or organization-level setting to restrict this.” ®

Threat actors are abusing ChatGPT's content-sharing feature to display fake OpenAI outage pages that direct users to download malware disguised as the ChatGPT desktop application. [...]

California Attorney General Rob Bonta filed a lawsuit against 23andMe, now Chrome Holding Co., over the company's failure to protect sensitive customer genetic and personal information. [...]

Cybersecurity researchers have disclosed details of a vulnerability in OpenAI ChatGPT that leverages the artificial intelligence (AI) assistant's implicit trust in Markdown links and images to trigger prompt injections and open the door to phishing attacks. The technique has been codenamed ChatGPhish by Permiso Security. "The chatgpt.com response renderer trusts Markdown links and Markdown

Cybersecurity researchers have disclosed details of a vulnerability in OpenAI ChatGPT that leverages the artificial intelligence (AI) assistant's implicit trust in Markdown links and images to trigger prompt injections and open the door to phishing attacks. The technique has been codenamed ChatGPhish by Permiso Security. "The chatgpt.com response renderer trusts Markdown links and Markdown Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

The Euro-Office open source productivity app suite will be available with the first stable release of the software on June 9. 

Euro-Office was unveiled in March with the aim of providing a modern, open source alternative to Microsoft and Google software for European organizations increasingly wary of a dependence on US-based suppliers. 

Euro-Office consists of four browser-based applications: a document editor, spreadsheet program, presentation tool, and a PDF editor, with each application enabling collaborative document editing. It supports Microsoft Office file formats DOCX, PPTX and XLSX, as well as Open Document Format (ODF) files such as ODS, ODT and ODP.

The software is intended to be integrated into collaboration solutions such as file-sharing platforms, online wikis or project management tools, according to Nextcloud, one of several European organizations involved in the Euro-Office project.

Nextcloud will add Euro-Office to its Nextcloud Office next month, where it will be available as an “equal option” alongside an existing open-source productivity suite based on Collabora’s software, Nextcloud CEO Frank Karlitschek said in a briefing. Pricing will depend on factors such as use case and deployment scale, but will sit in a similar range to the Collabora version.

Nextcloud plans to add desktop and mobile apps “later this summer,” said Karlitschek; these will save documents locally and sync to cloud storage tools that customers choose.

German cloud hosting provider Ionos will also integrate Euro-Office into its Nextcloud Workspace subscription at no extra cost, and as an optional paid add-on to its HiDrive and Managed Nextcloud subscriptions. (Pricing information was not immediately available.)

Nextcloud and Ionos are currently hiring a “dedicated development team” to work on Euro-Office, Nextcloud said in a blog post Thursday. Other software vendors, including Xwiki and Office.eu, are expected to incorporate Euro-Office into their products in the coming months, too.

Euro-Office is built on the open-source code base of OnlyOffice and distributed under the GNU Affero General Public License v3 (AGPL v3). 

Following the launch announcement, OnlyOffice — which is owned by Ascensio System SIA — alleged in March that Euro-Office violated its licensing terms and infringed its copyright, due to a lack of attribution to OnlyOffice.

Karlitschek said this week that the conflict with OnlyOffice is “now resolved,” following an agreement to provide attribution to OnlyOffice in Euro-Office. “We came to an agreement that the OnlyOffice people required only attribution, that you basically mention that the code is partly based on top of OnlyOffice, and we are happy to do it.”

But an OnlyOffice spokesperson denied a specific agreement had yet been reached. “OnlyOffice has not entered into any agreement with the Euro-Office project,” said Galina Goduhina, commercial director at OnlyOffice. 

“Our licensing framework is clearly defined, and compliance with its terms is not optional,” Goduhina said. “We will continue to assess the situation based on actual use of our technology.

 “This situation goes beyond attribution— it concerns transparency of technology origin, respect for the original developer — and does not meet the standards of responsible partnership we expect,” Goduhina said. “OnlyOffice remains focused on supporting its users, customers and partners and continuing to develop reliable, enterprise-grade document solutions.”

OnlyOffice recently published a blog post outlining its license and trademark policy in more detail. 

A Nextcloud spokesperson said the blog post indicated a change in the OnlyOffice license to “bring it in line” with AGPLv3. 

“We applaud the removal of the conflicting requirements around the trademark, aligning with our opinion and that of the licensing experts in the open source community,” the spokesperson said. “We will adopt their changes as they are being made to the code, of course ensuring the license compliance is preserved. With these changes we consider the matter resolved.”

The office of Rob Bonta, California's attorney general, is suing 23andMe for the data protection failings that led to the genetics company's disastrous 2023 breach. Bonta and his team claim [PDF] that 23andMe failed to implement adequate security controls for the sensitive records it stored, and misled customers about the nature of the mishap after the fact. "23andMe collected genetic data about millions of people, failed to meet its obligation under California law to keep that information safe, and then lied to consumers about the severity of its 2023 data breach," said Bonta on Thursday. "Our investigation found that the company failed to take basic steps to protect users' data – data including the sensitive personal information, family histories, and health conditions of consumers "The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence – and explicitly called attention to the deeply personal and identifying nature of that information. This is disturbing and incredibly dangerous. Today, my office is suing 23andMe for its categorical failure to comply with California law." The lawsuit was filed against Chrome Holding Co., formerly known as 23andMe. TTAM Research Institute bought 23andMe's assets last year. TTAM Research Institute was founded and is led by Anne Wojcicki, who was also 23andMe's CEO at the time of the breach and one of the company's co-founders. The nonprofit's purchase of 23andMe assets was completed on July 14, 2025, at which time it promised to run 23andMe charitably, using its data to further medical research and education. 23andMe continues to operate as it always did, taking customers' saliva samples and turning it into fun insights, such as what percentage of their makeup is Neanderthal, and whether their DNA makes them more or less likely to enjoy a scattering of cilantro on their food. 'Disturbing' Announcing the lawsuit, Bonta's office used "disturbing" no less than three times to describe the events that transpired before and after 23andMe's mega breach. To recap, a cybercriminal going by the name Golem popped up on a forum in 2023 claiming to offer a slew of data belonging to millions of 23andMe customers. Investigations carried out by regulators later found that Golem only breached around 14,000 accounts, but because of 23andMe's DNA relatives feature, which allows users to connect with other 23andMe users who share a percentage of the same DNA, the crook was able to access the details of nearly 7 million customers. It also soon emerged that 23andMe failed to spot the intrusion for five months, and the 14,000 or so accounts Golem accessed were compromised as a result of credential-stuffing attacks. What followed was a multi-faceted game of finger-pointing. 23andMe's decision to blame customers for recycling credentials instead of admitting it should have mandated 2/MFA on all accounts by default went down about as badly as one might expect. To this day, 23andMe allows customers to use its service without 2/MFA, although it issues regular prompts to those who don't have it set up. Regulators, on the other hand, highlighted that the company's security practices were less than perfect, while security experts were divided. Many agreed there was blame to be placed on both sides. Then came the fines and the settlements. The UK's Information Commissioner hit the company with a £2.3 million ($3.09 million) fine in June 2025, three months after the bankruptcy filing. In its ruling, it echoed the findings of US authorities from 2023, accusing the company of relying on inadequate password requirements. The Information Commissioner rebuked 23andMe for failing to detect the intrusion promptly and not implementing measures to prevent bulk downloading of genetic data. 23andMe also settled a class action lawsuit for $30 million in 2024. Bonta's office alleged that 23andMe’s statements to customers were "misleading and omitted or misrepresented critical information." "While 23andMe assured the public that it had not experienced a data security incident within its systems, downplayed the sensitivity of the stolen data by claiming that the information stolen from the 'DNA Relatives' feature was essentially public, and attempted to shift blame for the breach to its customers, 23andMe was simultaneously negotiating and paying a ransom to the threat actor in exchange for, among other things, the threat actor removing damaging information regarding the breach that had been posted online and providing information about multiple 23andMe security vulnerabilities, including vulnerabilities the threat actor exploited during the data breach." The Register contacted 23andMe's publicists for a response. We only received one on behalf of the 23andMe Research Institute, which despite managing requests directed to the 23andMe platform's only press contact address, distanced itself from Chrome Holding, which, like TTAM Research Institute, does not have a public-facing contact. It also did not help us contact 23andMe's operator. The institute said: "The 23andMe Research Institute is a newly established independent nonprofit organization and is not involved in the matters described in the California Attorney General's complaint filed against Chrome Holding Co., formerly known as 23andMe. The lawsuit pertains to events and operations associated with the former commercial entity prior to the creation of the 23andMe Research Institute. The institute was not involved in the complaint and has no role in the underlying litigation. "The 23andMe Research Institute is focused on advancing nonprofit scientific and health research with a strong commitment to privacy, ethics, transparency, and responsible data stewardship." ®

Meta has raised the possibility that it could be joining the likes of Amazon, Microsoft and Google in offering cloud services at some point in the future — although potential customers shouldn’t be adding the company to their suppliers list just yet.

When asked about plans for offering such services at the company’s annual shareholders meeting,  Meta CEO Mark Zuckerberg said there was a possibility of the company competing with the major hyperscalers. “It’s definitely on the table.”

He explained that different companies were approaching Meta asking for the company to offer an API service or to buy compute services at a premium price. “We haven’t done it yet, because we think we have a use for the compute, but when we feel we have overbuilt, then that is an option that we have.”

Meta has been active in developing its data centers over the past few years, so there will be a possibility of some excess capacity. It is also developing its own AI chips.

For the moment, though, the company may well need all the capacity it can build: Zuckerberg said that the launch of Muse Spark, a new AI model from Meta Superintelligence Lab, had resulted in large increases in Meta’s AI usage.

This article first appeared on Network World.

A research project examining AI-driven recruitment hires across the US has revealed a systemic racial bias.

Researchers from Stanford University found a startling pattern of racial disparities when looking at the interview offers resulting from 4 million job applications submitted to 156 employers. The situation is aggravated by the “monoculture” in AI hiring software: More than 90% of US employers are screening job applicants with software, with 60% of Fortune 500 companies using the same tool, HireVue, the researchers found.

Applicants who applied to multiple companies using AI had all their applications rejected more often than would be expected if each company’s screening methods were independent. They calculated that Black and Asian candidates were rejected in greater numbers than baseline figures would suggest. According to the survey, 29,000 more Asians would have been interviewed if AI had not been deployed.

The researchers are concerned about the way in which AI is being used. “AI screening tools bring together three properties that should not co-exist in high-stakes decision-making: They are pervasively adopted, highly consequential, and opaque to the public,” they said in a news release presenting their work.

The effect of this will lead to workplaces dominated by a monoculture which may not be beneficial for companies going forward.

This article first appeared on CIO.

Ministerstvo spravedlnosti bylo jedním z posledních vládních webů, které přešly na jednotnou státní doménu gov.cz. Adresa msp.gov.cz už tak plně nahradila původní justice.cz. Teď má i nový design, avšak týká se to jen hlavní stránky a rozcestníku, klíčové portály jsou deset a více let staré. Na ...

I will sit right down (waiting for the gift of sound and vision)
And I will sing (waiting for the gift of sound and vision)

— David Bowie

Apple is planning to sponsor and present 14 AI research papers at the annual IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR) in Denver next week, just days before it introduces major new AI features at its Worldwide Developer Conference (WWDC).

The fresh research explores topics such as using LLMs in image generation, quality testing, and user interface prototyping. For months, supply chain rumors have hinted at a radical evolution for the ubiquitous AirPods in the form of built-in ambient cameras. With this in mind, it’s noteworthy that one of the research papers, “From Where Things Are to What They’re For: Benchmarking Spatial–Functional Intelligence for Multimodal LLMs,” specifically seems to cater for such use cases. 

Accessibility for the people

In application, this tech promises profound potential for accessibility. It suggests that someone with limited vision might be able to get their AirPods to guide them through an unfamiliar room. This is something that should fit well inside the company’s ongoing narrative around machine vision intelligence and accessibility. 

Accessibility is central to a second presentation to be made during the Generative AI for Sign Language Workshop at the conference. Led by Apple’s Colin Lea, who presented a session on speech tech for people with speech disabilities at a similar event, this focus on machine vision intelligence and accessibility is entirely deliberate. 

Indeed, even though the industry and critics condemn Apple for lagging behind others in the AI space, the publication of these 14 papers at a key industry session just before WWDC shows the company has been doing a great deal of foundational work behind the scenes. We expect this work to bear its first fruit at WWDC, and it is important to understand the disclosures as a power move. Apple is using the show to celebrate its strengths in AI development, and given its decade work on Apple Car, many of those strengths relate to machine vision intelligence. 

Apple is so advanced in the field it is already deploying advanced models that empower consumers. Just last week, it promised to introduce a new tool called Image Explorer in VoiceOver to help partially sighted customers later this year. Among many other features, this will arrive alongside a system to let disabled users control compatible wheelchairs with spoken word commands. 

Apple is pushing boundaries all the way. Its paper “VSAS-Bench: Real-Time Evaluation of Visual Streaming Assistant Models,” proves it is actively refining models to process live video instantly on consumer hardware. 

What matters, the human or the machine?

The difference between Apple and its competitors is deep and philosophical. I’d argue that while others build cloud-dependent chatbots, Apple is embedding AI tools that solve real human problems in its systems. 

This extends to its plans at WWDC, where it will introduce a raft of AI tools made with help from Google Gemini and a host of AI services it has developed in house. The latter will include a great many accessibility tools of the type it will discuss at the CVPR event, the beauty of which being that they will run privately and on-device. You could argue that while other tech giants are using AI to automate white-collar jobs or build a surveillance dystopia, Apple is searching for applications of machine intelligence that solve real human problems. 

The company seems pretty realistic about the ongoing AI transformation. It recognizes that its own ecosystem must become a peer player in the emerging AI-augmented environment the tech industry seems intent on building. 

With that in mind, Apple is willing to engage in strategic, mutually beneficial partnerships, such as permitting Siri to use third-party AI services to handle requests. But even as it does that, it is also focusing on those areas in which it can make a unique difference, such as the accessibility features Apple as a platform has always provided.

Open up

As the Vision Pro demonstrated, and as these mythical video-enabled AirPods will in the future suggest, computers are steadily getting smarter. So, the way we use them is also changing as we move away from the rigid boundaries of keyboards, mice, and touchscreens. Apple’s quest for ambient computing began long before the sudden gold rush for generative AI chatbots. 

In the end, as the latter services become commodified, the way humans interact with them will define the next generation of hardware. That’s exciting for Apple, given that product design is where it excels. The era of sound and vision may finally have arrived.

You can follow me on social media! Join me on BlueSky,  LinkedIn, Mastodon, and MeWe. 

Researchers in Switzerland claim to have built a perfect random number generator from two quantum superconducting chips, a 30-meter-long pipe, and some software. The resulting device could be used to generate cryptographic keys, or to offer a “public randomness service” for lotteries or blockchain applications, they say.

They’re not the first to make the claim.

Many sources of randomness are biased. For example, coins or dice tend to favor one side. “Even modern random number generators, which are based on quantum mechanical effects like the reflection of photons from beam splitters, are not entirely immune to such a systematic error or ‘bias’,” said Andreas Wallraff, one of the leaders of the research team at ETH Zurich.

Similar biases can be found in purely software-based pseudo-random number generators. This has led to security problems in IoT devices and WhatsApp, among other applications.

To get around that, the researchers set up of two supercomputing chips, each representing one qubit, cooled to near absolute zero. The chips are connected by a 30-meter-long microwave guide, similarly cooled, and the microwave photons flying between them create a situation of quantum entanglement.

The results produced by this process are then transformed via a special algorithm to generate perfect randomness. “The resulting sequence of zeros and ones is now really perfectly random, and we can even certify that,” said Renato Renner, the other team leader. “The technical improvements allowed us to create random numbers that will remain perfectly random for all eternity.”

The team published their results this week in an article entitled “Experimental randomness amplification” in Nature.

This article first appeared on CSO.

An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after obtaining initial access following the exploitation of a publicly-accessible Marimo network using a recently disclosed vulnerability. "The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised

An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after obtaining initial access following the exploitation of a publicly-accessible Marimo network using a recently disclosed vulnerability. "The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

DDoS attacks are increasingly being sold like subscription services, complete with pricing tiers, support, and reseller programs. Flare explores how the DDoS-as-a-Service market has evolved from scattered tools into polished attack platforms. [...]

Dutch authorities have taken offline a massive botnet of 17 million devices and seized more than 200 servers at a local provider that supported the operation. [...]

Dlouhé roky se zdálo, že plnobarevný 3D tisk zvládnou jen technologie jako třeba PolyJet od Stratasysu a desktopové FDM/FFF stroje budou navždy odkázané výhradně na diskrétní odstíny samotných filamentů. V posledních letech se ale na scéně objevilo několik komunitních nápadů, jak se i na strojích, ...

Dutch police say they dismantled a large botnet this week comprising at least 17 million infected devices. After being tipped off by a researcher at the Netherlands' National Cyber Security Centre (NCSC-NL), police began an investigation, which resulted in the discovery of 200 servers underpinning the botnet's infrastructure located in the country. Cybercrime specialists at The Hague Police Unit seized a number of servers from a hosting provider for further analysis, and the provider then shut down the botnet after realizing it was being used for "criminal purposes." Botnets can be used for various types of cybercrime, but officials did not say how this botnet in particular was used. Police merely stated the general types of abuse, which include phishing, launching DDoS attacks, and online fraud. Neither the police nor the NCSC-NL revealed the botnet's name – an oddity for takedowns of this kind – and also did not detail exactly what devices were enrolled in it. However, both organizations' announcements identified poorly secured consumer-grade kit such as routers, mobile devices, and IoT hardware as common examples. Both also advised users to stop relying on default passwords for new hardware, avoid installing apps from unofficial sources, and keep software up to date. Botnets and proxies on the rise Just before the police announced the botnet takedown, NCSC-NL published a blog highlighting a rise in residential proxy networks used for malicious purposes, calling it a "worrying trend." Botnets and residential proxy networks are often mentioned in the same breath, since both require enrolling legitimate devices into a broader network, although they are typically used for different purposes. Botnets are almost exclusively malicious, with only a few benign exceptions. Folding@home, a voluntary distributed computing project, is possibly the closest clean-living comparison. Residential proxy networks are different. They're legal, and you can find large operators advertising their services on the open web, usually promoting privacy benefits, although experts agree that these networks are a problem, and are more often abused than used for good. Willingly or not – often the latter – consumers have their IP addresses enrolled into these networks, which are also used by cybercriminals to hide the true source of malicious traffic, complicating cyber incident response. These proxies can be used for DDoS attacks, similar to how botnets rely on compromised devices, as well as other trickery such as phishing, brute-force attacks, bypassing impossible travel checks, and malware distribution, among others. "The misuse of residential proxies makes it more difficult to map digital threats and attacks," NCSC-NL wrote. "As the scale of digital attacks increases, the resilience of organizations can come under pressure. "Additionally, the devices of unsuspecting users can become part of such proxy networks, often without their knowledge. In this way, consumers are unknowingly part of cybercrime." Dutch cyberattack reports hit nine-year low On Thursday, shortly after the police announced the botnet takedown and concerns about the rise of residential proxy networks, NCSC-NL published its annual Cybercrime Monitor report, which revealed cyberattacks on Dutch companies had fallen to the lowest level in nine years. According to 2024 data, the most recent available, just four percent of organizations reported an external cyberattack compared to 11 percent in 2016. The report noted the downward trend was noticeable across all company sizes. Phishing and spoofing were by far the most common types of attack, with 23 percent of organizations experiencing this to some degree. At the other end of the scale, attacks involving DDoS, data breaches, business email compromise fraud, and ransomware were each reported by around one percent of organizations. NCSC-NL linked the improvements to wider adoption of multi-factor authentication (MFA). It said the technology is effectively universal across larger organizations, with 87 percent implementing it in 2025, up from 71 percent in 2017. For smaller organizations, the uptake was even more pronounced, more than doubling to 79 percent from 29 percent eight years prior. ®