Agregátor RSS

Cybersecurity researchers have disclosed details of a vulnerability in the Linux kernel that remained undetected for nine years. The vulnerability, tracked as CVE-2026-46333 (CVSS score: 5.5), is a case of improper privilege management that could permit an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major

Cybersecurity researchers have disclosed details of a vulnerability in the Linux kernel that remained undetected for nine years. The vulnerability, tracked as CVE-2026-46333 (CVSS score: 5.5), is a case of improper privilege management that could permit an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Mají sociální sítě zakázat přístup dětem do patnácti let? Podle publicisty a odborníka na internetovou bezpečnost Daniela Dočekala je debata složitější, než se zdá. Varuje před iluzí, že nové zákony problém vyřeší, i před tím, že ve snaze chránit děti můžeme otevřít dveře masovému sběru dat.

Google has only one way to measure the phenomenal AI growth it’s seen: in tokens.

The company processes 3.2 quadrillion tokens per month, Google CEO Sundar Pichai said during this week’s I/O keynote, adding, “never imagined I’d say quadrillion…, but here we are.”

Basically, tokens are a unit of measure used by large language models (LLMs) to process data.

Tokens, which have been called the “new oil” fueling the AI revolution, are also a way AI vendors can meter usage and price their services. Enterprises are lusting for tokens, and spending billions of them to grab compute time.

As with oil, the demand for tokens is seemingly insatiable — and it is straining an already short GPU supply, which in turn is increasing the cost of running AI tools.

What exactly is a token?

Similar to the way humans think, LLMs grasp the meaning of a sentence by breaking words down into tokens. Pichai described them as “the fundamental units of data our models process, many representing a problem being solved.”

The fundamental unit could be in the form of a word, a sub-word, or a string of letters, symbols, or phrases. Compound words can be split into multiple tokens.

For example, the prompt “I am running after a car” could generate “run” as one token and “ing” as the second token because it changes the meaning of the sentence. “Car” would be its own token.

“On average, one token is about three-quarters of a word, so 100 words works out to roughly 135 tokens,” said Deepak Seth, senior director analyst at Gartner.

Token prices can vary

Not all tokens are priced the same. An uploaded token to an AI system is cheaper, while downloaded tokens are more expensive. A user, for instance, might pay to upload a resume, then pay even more to download the resume polished by an LLM.

“The upload cost is less expensive than the download cost because the AI has done some work,” explained Max Leaming, head of data science and AI solutions at ManpowerGroup.

Token-based pricing is mainly used for enterprises and power users such as coders. Anthropic’s Claude Code and OpenAI’s Codex are priced in tokens, and Microsoft’s GitHub is adopting a form of token-based pricing starting June 1.

The final AI bill includes the costs of tokens and computing expenses (such as GPU time).

ManpowerGroup pays the token cost to the model provider, Leaming said, while compute costs ring up in parallel. (The company uses Microsoft Azure, which offers multiple LLMs, with Snowflake as its database.)

Some LLMs can be smarter and token friendly

Some AI models give better responses, which might represent a more efficient use of a token budget. Pichai said Google’s new Gemini 3.5 Flash — which is priced in tokens — delivers “frontier-level capabilities at less than half the price of comparable frontier models.

“We’ve heard that many companies are already blowing through their annual token budgets…,” Pichai said. “If companies use a mix of [Gemini 3.5] Flash and other frontier models, they could save a lot of money.”

Prompt efficiency matters

Using tokens inefficiently is wasteful spending, Gartner’s Seth said. One coder might use up 10,000 tokens to get his or her work done, while another might use only 1,000. But there’s no tool to measure efficiency, Seth said.

“Some companies are moving towards outcome-based pricing because when people start realizing the real cost of tokens, companies will start looking at token efficiency,” Seth said.

With that in mind, ManpowerGroup developed a dashboard that cuts the steps for clients to get data, Leaming said. New users to an internal labor-market data tool initially needed 10 follow-up questions to drill into a query. A year later, those same users averaged four follow-ups.

“They’re using fewer tokens and they’re simply more efficient,” he said. “And that, in large part, has to do with your ability to prompt efficiently.”

But there’s a flip side. AI tools such as Anthropic’s controversial Mythos LLM — which isn’t available publicly yet — might be priced astronomically high, though its superior reasoning could make it more efficient.

“Even though the per-token costs may go up, we may see overall costs go down,” Leaming said.

AI vendors and the ‘drug dealer strategy’

Top AI vendors are spending trillions to build out AI infrastructures, but they’re not charging enough on tokens, Seth said. “I feel like the OpenAIs, the Googles and the Anthropics of the world are following a drug dealer strategy: Get people addicted to AI, and then raise the price of a token,” he said.

AI vendors could also use free tokens as a way to lock in customers, Leaming said. Free tokens from AI vendors could incentivize companies to build processes and workflows around proprietary LLMs and agents. And as if to reinforce the effort, major AI vendors are now sending out engineers to deploy AI models at customer sites.

The engineers, better known as forward-deployed engineers, or FDEs, are more or less hired guns for AI deployments. They focus on helping customers roll out AI projects successfully.

FDEs can study and help set strategies, put battle plans in place, build agentic frameworks, and roll out AI in conjunction with customers’ own domain experts and engineers. They also evaluate AI models, resolve context and reasoning problems, and handle security issues.  

OpenAI, Google, and Microsoft are moving away from LLMs as the product. “Now they want to get inside of the firm and build your infrastructure for you,” Leaming said.

Free tokens, the next worker perk

Tokens are now sometimes offered as a job perk to engineers, Nvidia CEO Jensen Huang has said. Experts compare that to when companies cover cell phone bills for their workers.

Leaming, who said he hasn’t seen instances of that yet, found the idea odd. But if it is happening, much depends on who is offering free tokens.

Employers offering free OpenAI or Microsoft tokens could represent an indirect form of vendor lock-in, he said. “Then I’m incentivized. The more I’m familiar with the product, the more I’m gonna use it.”

Free tokens are also a way to spur the adoption of emerging AI technologies that are not yet safe for work. Many top tech leaders, for example, are exploring the possibilities of OpenClaw — considered a breakthrough AI technology — on their own dime because the technology is considered risky for enterprise environments.

Alex Spinelli, ARM’s senior vice president for AI and developer platforms, is one such person experimenting with OpenClaw at his own cost.

“In my OpenClaw, when I had it configured wrong, I got a bill for $500 in one weekend, and I was like, what the hell happened here? There’s no free lunch. Tokens are expensive,” Spinelli said.

Gartner’s Seth compared the free-token tactic to a cigarette company in India that once gave employees boxes of cigarettes alongside their salaries. “In addition to their salaries, they used to get a couple of boxes of cigarettes. The whole intent was they will…distribute them out and just make them more popular,” he said.

“If you give it to them, they will use it, because now it’s in lieu of money.”

Nintendo Switch 2 brzy zdraží, ale zrovna je v historicky nejlepší akci. • Konzoli můžete na Mallu koupit za 8565 Kč, jinde je minimálně o 2000 Kč dražší. • Oproti předchůdci má lepší displej i Joy-Cony a vyšší výkon.

PWNED Welcome once again to PWNED, the column where security flubs are held up to the harsh, piercing red light of the vulture signal. This week’s sad story concerns a municipality that failed to perform basic account housekeeping and paid for it dearly. Have a story about someone leaving a gaping hole in their network? Share it with us at [email protected]. Anonymity is available upon request. Our tale of tech missteps comes courtesy of Nicole Beckwith, who serves as the senior director for security engineering and operations at Cribl, an AI platform for telemetry. She used to work as a consultant, and at one point was hired to investigate breaches in an American city’s network. A threat actor took a “leisurely tour” of the city’s online resources and had started messing around with conference room projectors and other relatively harmless endpoints. Then they realized that they could change settings with the water utility where they switched many controls off, potentially endangering the water supply. When Beckwith investigated, she found that all of the mischief was performed by an account that belonged to “Greg from Auditing.” There was just one problem. Greg hadn’t worked for the city for many years. Unfortunately, even though Greg was no longer around, his account was, and it retained extensive privileges, including domain admin rights, SCADA (Supervisory Control and Data Acquisition) operator access, and even the ability to perform help desk functions. It’s unclear if someone from auditing ever needed this level of access, but a former employee definitely did not. It wasn't Greg himself who hacked the network. But he had used his work email address to sign up for various online accounts, some of which may have been exposed in previous data leaks. She speculates the hackers saw an email address with a .gov in it and decided to try their luck with the leaked password that went along with it, and that Greg likely used the same password for work that he did for these outside services. We have a few takeaways here. First, the people who ran IT security for the city should have both deleted Greg’s account when he left and done periodic audits to see who had access and whether they should still have it. Second, Greg should have kept his work credentials separate from third-party services like shopping and social media sites. And he should not have used the same password in multiple places. “The lesson, beyond the obvious 'please, for the love of all that is holy, audit your dormant accounts,' is that every forgotten user is an easy ticket to being on the 5 o’clock news,” Beckwith told The Register. “Quarterly access reviews should be mandatory because everyone seems to think when a user leaves, that is the end of it and someone surely terminated access, deprovisioned accounts, removed access to tools, mobile communications, email and other business critical systems, but sadly I’ve responded to way too many incidents like this one because of this simple control which is often overlooked." ®

GitHub says the hackers who breached 3,800 internal repositories gained access via a malicious version of the Nx Console VS Code extension, compromised in last week's TanStack npm supply-chain attack. [...]

Česká firma First Green Industries bojuje ve finále prestižní soutěže DesignEuropa • Elektrický nakladač bez kabiny nabízí bezpečné a přesné dálkové ovládání • Široká veřejnost může pro tento inovativní stroj hlasovat až do září

AMD vydává Sorano, energeticky efektivní systémy postavené překvapivě na Zen 5. Jejich cílem jsou komunikační systémy. Po stránce energetické efektivity překonávají nabídku Intelu i Nvidie…

GitHub on Wednesday officially confirmed that the breach of its internal repositories was the result of a compromise of an employee device involving a poisoned version of the Nx Console Microsoft Visual Studio Code (VS Code) extension.  The development comes as the Nx team revealed that the extension, nrwl.angular-console, was breached after one of its developers' systems was hacked in the

GitHub on Wednesday officially confirmed that the breach of its internal repositories was the result of a compromise of an employee device involving a poisoned version of the Nx Console Microsoft Visual Studio Code (VS Code) extension.  The development comes as the Nx team revealed that the extension, nrwl.angular-console, was breached after one of its developers' systems was hacked in theRavie Lakshmananhttp://www.blogger.com/profile/[email protected]

Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure. The vulnerability, now tracked as CVE-2026-9082, carries a CVSS score of 6.5 out of 10.0, per CVE.org. Drupal said the vulnerability resides in a database abstraction API that is

Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure. The vulnerability, now tracked as CVE-2026-9082, carries a CVSS score of 6.5 out of 10.0, per CVE.org. Drupal said the vulnerability resides in a database abstraction API that is Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Organizace Apache Software Foundation (ASF) vydala verzi 30 integrovaného vývojového prostředí a vývojové platformy napsané v Javě NetBeans (Wikipedie). Přehled novinek na GitHubu. Instalovat lze také ze Snapcraftu a Flathubu.

Byla vydána nová verze 7.0 svobodného open source redakčního systému WordPress. Kódové jméno Armstrong bylo vybráno na počest amerického jazzového trumpetisty a zpěváka Louise Armstronga (What A Wonderful World).

V Drupalu byla nalezena a opravena kritická zranitelnost SA-CORE-2026-004 (CVE-2026-9082). Útočník může provádět libovolné SQL dotazy na webech používajících databázi PostgreSQL.

Microsoft says it is considering a patch for a zero-day vulnerability, dubbed YellowKey, that allows attackers with access to a Windows device to bypass Bitlocker encryption protection and read and write files. The flaw was disclosed last week, and there is already a public proof of concept available.

The company issued an advisory Tuesday saying that companies should act to mitigate the issue, tracked as CVE-2026-45585, while it examines the possibility of a patch. In its advisory, it provided the immediate steps that companies should take. A key defense against possible attack is to limit access to vulnerable devices, as physical access is required for exploit.

“Organizations should start by auditing their environment for the conditions that exist that leave them vulnerable to YellowKey,” said Eric Grenier, senior director analyst at Gartner. “They should also have a clear understanding of their risk acceptance in the case of a lost/stolen device and, based on that acceptance (or non-acceptance), follow the steps such as customizing Secure Boot and ensuring firmware and Boot integrity.” .

 Karl Fosaaen, VP of research at cybersecurity company NetSPI, agreed. “Since this vulnerability requires physical access to exploit, organizations should be focusing on the physical security controls around their Windows devices,” he said. “Having strong policies and controls around physical access to devices is a good first step in helping protect the potentially vulnerable devices. If there are additional concerns about attackers being able to gain access to files on the system, organizations can look at limiting the data that they allow users to store locally.”

One of the issues facing companies is the proliferation of employees using mobile devices, which makes it harder for organizations to restrict access to them. “You’re increasingly seeing companies with corporate data on their laptops, and YellowKey can leave that data unlocked,” said Nathan Davies-Webb, principal consultant at UK-based security company Acumen. This is where tight device security policies come into play, such as prohibiting users from leaving devices unattended.

However, said Fosaaen, what makes detection of an attack particularly difficult for the individual user is that it is not immediately apparent that a device has been targeted. “If an attacker used the exploit to read files from the encrypted volume, there likely wouldn’t be any indicators to a user. If the attacker implanted malicious software, you might see increased system utilization, or other performance issues,” he noted.

To make things worse, it is also possible that Microsoft’s mitigation guidance may not be effective. In a post on a security site, researcher Will Dormann pointed out that there could be a way to override the company’s proposed solution. That being the case, IT managers will certainly be watching for a patch from Microsoft.

While Microsoft has announced that it is looking into such a patch, Davies-Webb doesn’t think a solution will be straightforward. “I would heavily speculate that this is something that is there by design,” he said. “Microsoft would be thinking ‘If I stop this happening, what would I be taking away?’ I strongly suspect that there is some functionality in Windows, maybe something in manufacturing, that could be affected by any patch.”

“Besides,” he added, “It could take some time for a patch to be released. The RedSun vulnerability [in Windows Defender] was identified last month and still hasn’t been patched.”

Cockpit 359 - RCE

BookStack 25.12.1 - Denial of Service