Agregátor RSS

The ongoing saga of Microsoft versus Nightmare Eclipse (aka Chaotic Eclipse), the disgruntled bug hunter with a deep understanding of Windows and an even deeper grudge against Microsoft, reached a fever pitch, with the researcher, who has thus far released six Windows zero-days, promising a “bone shattering” drop on July 14. Microsoft, for its part, finally responded to the security researcher and their weaponized Windows flaws with a blog post on (un)coordinated vulnerability disclosure about the now-public bugs: RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. Redmond says that none of these were reported via its official channels prior to being made public. Attackers began hammering three of the six - BlueHammer, RedSun, and UnDefend - soon after Nightmare published working proof-of-concept exploit code for each on now-banned GitHub (owned by Microsoft) and GitLab accounts. YellowKey, GreenPlasma, and MiniPlasma still don’t have fixes, and Microsoft has deemed “exploitation more likely” for YellowKey, aka CVE-2026-45585, citing a working POC. “We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem,” Microsoft wrote in a Wednesday blog, and then seemingly threatened legal action against Nightmare: “Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.” Microsoft did not respond to The Register’s questions, including whether its legal team planned to sue Nightmare, whether the zero-day researcher is a current or former employee, and whether Microsoft axed Nightmare’s MSRC account, meaning that the bug hunter can’t disclose vulnerabilities to the Windows giant. Nightmare, in their latest anti-Microsoft missive, claims Microsoft did just that. “When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people,” they wrote on Saturday. “You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot.” Nightmare also noted that “Microsoft still has chains in my hands,” preventing them from releasing “documents” yet, or anytime in June, and then warned: “Mark this date July 14th, I will make sure your bones are shattered that day.” Regardless of what does or does not happen on July 14, Nightmare has already caused chaos - and real enterprise-level damage, as systems engineer Muhammad Qasim Shahzad said on LinkedIn. “One person caused more enterprise-level damage in six weeks than most APT groups cause in a year,” Shahzad wrote. “The gap between disclosure and weaponization is now measured in hours, not days. Your patching window is shrinking fast.” Zero Day Initiative’s bug hunter-in-chief Dustin Childs, who previously spent about seven years working for Microsoft security and has decades of experience on both sides of the coordinated vulnerability disclosure (CVD) process, told The Register that Microsoft could have handled this better. And he wondered what happened between the two parties to get to this point. “CVD is a two-way street,” he said. “The vendor has some responsibility as well, so to go out publicly stating this person violated CVD without showing any of the correspondence seems bold.” Microsoft could also improve its communications to customers on “what the real risks from these bugs are and how they can defend themselves,” Childs added. “That clear direction seems to be missing.” Microsoft's 'dumpster fire' Luta Security founder and CEO Katie Moussouris, who pioneered Microsoft’s bug bounty program despite execs vowing never to pay researchers for bugs, said Redmond’s response to Nightmare sends “mixed messages.” “It confusingly claims their program ‘ensures researchers are compensated and publicly acknowledged’ in a statement answering a researcher who says he got neither,” Moussouris told The Register. “The language choices are also not deescalating. Microsoft invoked the outdated term ‘responsible disclosure,’ which I retired years ago at Microsoft because it was subjective and judgy.” This phrase, Moussouris added, “got in the way of coordination” when the two sides disagreed about how to best protect end users. “The mention of the Digital Crimes Unit in a post discussing vulnerability disclosure makes the post vaguely threatening, which seems intentional, but then they wrap up the post saying they welcome reports regardless of disclosure history,” she said. “No one except the parties involved can know for sure what happened between this researcher and Microsoft. Whatever the facts, it's hard to imagine why Microsoft would not try to deescalate, if for no other reason than avoiding the chilling effect on other researchers.” Security sleuth Kevin Beaumont, in his blog on the ongoing Microsoft-Nightmare Eclipse saga, called it a "dumpster fire of [Microsoft’s] own making.” Beaumont also used to work at Microsoft, and he noted that the Windows company previously hired a hacker called SandboxEscaper after she published zero-day POC exploits for Microsoft products - something that Redmond’s blog now describes as criminal. “If Microsoft’s tactic is to try to criminalise not following often arbitrary ‘responsible disclosure’ frameworks, good luck defending that in court - because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process,” Beaumont said. To be clear: neither Beaumont nor the researchers that The Reg spoke to support Nightmare’s zero-day antics. Childs called the “July 14” post “troubling” and Moussouris said the date plus “incendiary language … doesn't help organizations trying to make sense of the technical risk.” 'David and Goliath dynamic' Moussouris did add that this latest missive, taken in context with the earlier blog posts, “paint[s] a picture of someone who believes they have been pushed to this extreme. It is the sound of someone who believes every legitimate channel was closed to them: GitHub account deleted, payments withheld, credit stripped, then publicly accused of violating CVD after Microsoft cut off their ability to coordinate. The researcher's grievances are serious and specific.” Ultimately, “the bugs are Microsoft's,” Moussouris said. “They wrote the code and they own the risk to customers. Often researchers who previously work with a vendor respond in the extreme only when they feel there is no other choice. The power they hold is not at all proportionate to the vendor. This is a David and Goliath dynamic we don't like to see play out, especially since it’s users who lose when coordination negotiations fail." While it’s a very extreme - perhaps the most extreme - example of coordinated disclosure gone wrong, it’s not an isolated problem. Researchers have been complaining about CVD, and specifically Redmond’s bug disclosure habits, for years. “While some companies have improved, Microsoft has not,” Childs said. “If anything, they are seen as difficult to work with, especially if your bug is Moderate instead of Critical. I’ve had researchers tell me that they stopped looking at Microsoft altogether because they were too difficult to work with.” Plus, these types of disagreements between researchers and bug bounty programs will likely increase, as AI-assisted bug reports become the norm and vulnerabilities skyrocket. “We as an industry need to take a breath, remember there are real people involved, and that poor interactions could lead to real customer risk,” Childs said. “Real-world impact is lost far too often when disclosure goes wrong.” ®

It's 8 pm. Do you know where your agents are? Snowflake plans to buy Natoma, a startup that has made a gateway for managing AI agent permissions across enterprise applications, so users can focus on getting work done without wondering if their agents have violated security policies. During Snowflake's first-quarter fiscal 2027 earnings call, company CEO Sridhar Ramaswamy said Natoma is a critical piece of the company's broader strategy around what he called the "agentic control plane," where AI agents can take actions across business systems while still operating within the organization’s security controls. "With Natoma, users can do things like send emails, summarize Slack conversations, check calendars, and open Jira tickets without ever leaving Snowflake Intelligence or Coco," Ramaswamy said during the call, referring to two of Snowflake's AI products. “The important point is not just convenience. It is control. These actions happen from a governed environment with enterprise security, permissions, observability, and policy enforcement built in.” Natoma’s software acts as a gateway for Model Context Protocol (MCP) servers, connectors that allow AI agents to interact with external software tools. The platform enforces identity verification, access policies, and audit controls at the level of individual tool calls, tracking who requested an action, what permissions they hold, and whether the system should allow the action to proceed. “The reason MCP and Natoma are a big deal is they now bring the entirety of SaaS application context into these products, and so I've done deep research reports, for example, that can now look for information from Snowflake, from the web, from Google Docs, also from Slack, and synthesize that into something that is astoundingly meaningful,” Ramaswamy said. “And these also let you take action instantly. You can flag somebody, you can compose emails and send it, and you can take actions on the underlying applications, and that's the promise.” In a blog post, Natoma's four founders — Pratyus Patnaik, Will Potter, Zachary Hart, and Paresh Bhaya — said Natoma brings the secure connectivity, identity, and governance layer that helps Snowflake experiences extend safely into the applications their teams already use. "We started Natoma in 2024 with a simple belief: AI agents would fundamentally change how work gets done inside enterprises, but they would only reach production if organizations could trust and control how those agents access data, use tools, and take action," they wrote. "Snowflake sees the same future we’ve been building for at Natoma: enterprises need a trusted control plane for the agentic era. They need AI grounded in their own data, governed by their own policies, and connected to the full complexity of their technology stacks." Financial terms of the acquisition were not announced. If it passes customary regulatory and closing conditions, the deal would bring 20 employees to Snowflake. This is Snowflake's sixth acquisition announcement since June 2025, when it said it would buy PostgreSQL provider Crunchy Data for what a source told CNBC was $250 million. In November 2025, Snowflake announced that it would buy database migration outfit Datometry and data discovery platform Select Star. No sale price was provided for either transaction. In January, Snowflake said that it would buy Observe, an AI-powered observability platform, for $1 billion. The next month, Snowflake said that it planned to buy TensorStax, an AI-powered data pipeline planner. The Natoma deal was announced the same day that Snowflake signed a five-year, $6 billion agreement with AWS centered on Graviton-powered compute and AI infrastructure for its growing agentic AI ambitions. During the earnings call, Ramaswamy said that the acquisition pushes Snowflake's agentic control plane beyond data and development workflows into everyday applications where work actually happens. He said that Natoma's integration would allow Snowflake's Cortex Code, also known as “Coco,” and Snowflake Intelligence products to become a single interface for daily tasks including querying enterprise data, updating CRM records, searching across file storage, and managing communications. "These actions happen from a governed environment with enterprise security, permissions, observability, and policy enforcement built in," Ramaswamy said. Mayank Upadhyay, chief security and trust officer and VP of engineering at Snowflake, wrote in a blog post announcing the Natoma deal that the tool summarizes his unread emails, searches across Slack and Google Drive when he cannot remember where something was shared, and surfaces what he needs without switching between applications. He described the Natoma acquisition as a continuation of work Snowflake started earlier in the year with AI guardrails and prompt injection protection, building toward what he said was a portfolio for a more secure enterprise AI.®

The FBI is warning of fake websites impersonating FIFA ahead of the 2026 World Cup, to steal personal and financial information, sell fake tickets and hospitality packages, and push other fraud related to the event. [...]

Update na Android 16 mohou čekat majitelé mnoha zařízení • V tomto přehledu se dozvíte, zda dorazí i do vašeho telefonu • Článek pravidelně aktualizujeme, výrobce řadíme podle abecedy

Společnosti IBM a Red Hat představily Project Lightwell s investicí 5 miliard dolarů. Jedná se o důvěryhodné clearingové centrum pro bezpečnost open source softwaru a zabezpečení dodavatelských řetězců s novým AI modelem a globální skupinou více než 20 000 softwarových inženýrů. Služby centra budou dostupné prostřednictvím komerčních předplatných. Project Lightwell staví na iniciativách jako Anthropic Glasswing nebo OpenAI Trust Access for Cyber.

Některé neúspěšné telefony přinesly převratné myšlenky a změnily mobilní trh • Inovace jako ovládání gesty nebo obří displeje začínaly jako kuriozity • Původně odmítané experimenty dnes tvoří základ každého moderního smartphonu

Staré mobily měly nejednotné nabíječky a posílání zpráv stálo spoustu peněz • Mobilní internet byl nesmírně pomalý, drahý a navíc obtížně použitelný • Stahování vyzvánění a doplňků vyžadovalo trpělivost a často i peníze

Hackers are exploiting an authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) to deliver an undocumented credential stealer called EKZ. [...]

A critical security vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that allows an authenticated user to execute arbitrary code under certain conditions. The security flaw, per Rapid7, is rated 9.4 on the CVSS scoring system. It does not have a CVE identifier. "The vulnerability allows any authenticated user to achieve remote code execution (RCE) on Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Google DeepMind CEO Demis Hassabis believes progress toward artificial general intelligence (AGI) is moving faster than expected and that society now has only a few years to prepare. He believes AGI could arrive around 2030, though acknowledges it could be here in 2029 — or even sooner.

In an interview with Axios, Hassabis said that today’s AI agents — systems capable of performing tasks independently — should be viewed as a sort of “practice run” for significantly more powerful AI in the future. He also warned that governments, economists, and society at large are not taking this development seriously enough.

One particular risk he highlighted is that AI systems in the future might begin to improve their own development. “All the leading labs are pretty focused on that,” Hassabis told Axios. “It will yield clear benefits in the form of faster research. But there are also risks associated with that type of system.”

T

All of the big AI models violate EU rules on AI and data protection to varying degrees, according to the nonprofit research foundation Aithos.

Aithos tested the models using its own tool, LARA (Legal Assessment for Real-world Agents), which simulates real-world situations where AI assistants may find themselves in legally questionable situations, according to The Register. The tests measure compliance with the GDPR and the EU’s AI Regulation, among other things and found the models collected user data without proper consent, attempted to manipulate vulnerable individuals, or created psychological profiles of users.

According to the results, all major language models failed to meet EU legal requirements; some violated the rules in up to 93% of cases. The best result was achieved by the Anthropic model Claude Opus 4.7, which was in compliance about 54% of the time.

Aithos warned that responsibility for the shortcomings does not lie solely with AI companies. Companies that build their own AI agents on top of these models could also be held legally liable.

Nvidia zveřejnila nové ovladače GeForce Game Ready 610.47 určené pro Windows 10 a 11. Balík o velikosti 978 MB podporuje grafické karty rodiny Turing a novější, tedy GeForce MX450 Laptop, MX550 Laptop, GTX 16x0, RTX 2000 a novější čipy. Přináší optimalizaci pro čerstvě vydanou akci 007 First ...

Windows Server 2016 might be long in the tooth but that isn't about to stop Microsoft breaking stuff. The May 12 security update introduced another bug for administrators to worry about. According to Microsoft, if the server hostname is exactly 15 characters long (like, for example, THEY-NEVER-TEST), domain controller discovery might fail. In the notes for the glitch, Microsoft wrote: "When the hostname is 15 characters long, DCLocator calls (for example, using nltest /dsgetdc: /pdc) will return ERROR_INVALID_PARAMETER, preventing applications and administrative tools from locating a domain controller." In other words, anything that depends on a domain controller lookup might stop working. As an example, Microsoft gave Distributed File System (DFS) Namespace management, which would certainly be inconvenient. DFS Namespaces is a Windows Server role that allows admins to group shared folders across different servers into a single namespace. A single path can lead to files located on multiple servers. Unless, of course, the domain controller lookup is broken. Microsoft lists no workaround for affected users, though changing the server hostname to something other than 15 characters would presumably avoid the trigger. "The issue is under investigation, and additional information will be shared as soon as it becomes available," it said. Microsoft still officially supports Windows Server 2016. Mainstream support ended in 2022, but extended support will continue until January 12, 2027. Microsoft is offering up to three more years of support via the Extended Security Updates (ESU) program after that. Earlier this year, Esben Dochy of Lansweeper told The Register that the operating system accounted for just 2.2 percent of all Windows devices it tracks, but 20.3 percent of all servers. That figure is unlikely to have dropped dramatically in the months since, so there is a fair chance that an administrator with a 15-character hostname could be affected. In addition to the Windows Server 2016 problems, the May 2026 security update has failed during installation on some Windows 11 devices when the EFI System Partition is insufficient in size. It is reassuring to know Microsoft's talent for breakage shows no bias toward any particular vintage. ®

Open source 3D herní a simulační engine Open 3D Engine (O3DE) byl vydán v nové verzi 26.05. Podrobný přehled novinek v poznámkách k vydání.

Největší český e-shop začal u vybraných produktů zobrazovat souhrn uživatelských recenzí generovaný pomocí umělé inteligence. Není úplně zřejmé, jakého klíče se drží, protože sumarizace se objevuje dost nahodile, aniž by to souviselo s počtem prodaných kusů nebo množstvím recenzí. Novinka však do ...

Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware. "The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints," Arctic Wolf said. "Threat actors disguised the credential stealer payload as a Fortinet endpoint Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Vybrali jsme zajímavé a kvalitní filmy, které si můžete pustit na Netflixu. Všechny mají české titulky nebo často i český dabing.

An unpatched zero-day vulnerability in the Gogs self-hosted Git service can allow attackers to gain remote code execution (RCE) on Internet-facing instances. [...]

“The future of AI should be accessible, available, and open to people and builders everywhere, and it should not require an absurd amount of resources only available to a handful of cloud providers,” Paolo Ardoino, CEO, Tether.

About 700 million people use generative AIs like Gemini and ChatGPT weekly, but adoption is far from uniform. McKinsey’s 2025 State of AI survey found that nearly half of respondents from companies with more than $5 billion in revenue have reached the AI scaling phase, compared with just 29 percent of those from companies with less than $100 million in revenue, a gap that only widens further down the chain, locking out smaller businesses, developers, and everyday users.

Retail and small businesses are limited to basic AI utilities that their facilities can power, such as text-based inference and multimedia generation, using base models. That is billions of end users, and developers locked out of full utilization and development of intelligent software due to high infrastructure demands.

Tether’s edge-first LoRA fine-tuning framework for Microsoft’s Bitnet LLM is an important step towards developing an infrastructure system that supports billions of AI agents and intelligent machines. By reducing the computational overhead of machine learning and enabling consumer-grade devices to perform advanced operations, Tether’s edge-first approach ensures greater leverage for the larger population.

Imagine a 13-billion-parameter model being fine-tuned on everyday handheld devices like Samsung S25 and iPhone 16, as well as on regular personal computers. The breakthrough combines resource-efficiency and platform-agnostic techniques to develop a fine-tuning framework for the ternary-quantized LLM.

Behind Tether’s Bitnet fine-tuning framework

Bitnet LLM was born out of the vision of an intelligent AI model that doesn’t consume outrageous computing resources even at full precision. Earlier attempts at resource-efficient AI relied on trade-offs, such as running small-parameter models at higher precision or larger-parameter models at lower precision, but neither approach fully solved the problem.

Bitnet takes a more fundamental approach. The result is a model that achieves linear efficiency while consuming only a fraction of the computing resources traditionally required.

The challenge, however, is that contemporary GPUs are optimized for the very floating-point operations Bitnet eliminates, creating a hardware compatibility gap. Compounding this, Bitnet was originally confined to its own Bitnet.cpp inference engine, limiting its broader utility. Tether’s breakthrough addresses both constraints at once by integrating a Vulkan and Metal GPU backend that unlocks true cross-platform capabilities for BitNet inference and LoRA fine-tuning on heterogeneous consumer GPUs, including mobile GPUs. Bitnet can now run on more mature, widely supported inference engines without sacrificing its efficiency advantages.

Vulkan’s cross-platform nature is key here. Unlike CUDA, which ties developers to NVIDIA hardware, Vulkan runs across a broad range of GPUs and operating systems, opening Bitnet to genuinely multi-platform deployment. Tether’s Bitnet fine-tuning framework implements a dynamic tiling technique to mitigate limitations in Vulkan driver buffer allocation on mobile GPUs.

The dynamic tiling algorithm technique was first applied in the fine-tuning framework for QVAC Fabric LLM, the AI model that powers Tether’s QVAC Workbench application.

This implementation demonstrates the efficiency of this approach: fine-tuning a 13-billion-parameter model across a range of consumer devices with varying GPU configurations.

The Bitnet LLM Fine-tuning framework is Tether’s latest achievement and part of a broader expansion into open-source AI and communication technologies that challenge current, slow, fragile, and controlled systems. These developments are open-sourced and packaged as modules in the QVAC SDK for easy deployment and to help developers build edge-first AI applications without needing anyone’s permission.

Tether envisions superintelligence as a foundational element possessed by its owner and is enforcing this through:

Local-first AI

Synonymous with decentralized AI, “Local-first” AI aims to create sovereign AI solutions that do not rely on centralized infrastructure, such as data centers, to operate. They are considered cost-effective, relatively more sustainable, and unarguably more private than centralized AI. Tether is building AI applications that rely entirely on the device’s resources. These applications store data in device memory and use its processors for advanced operations, such as fine-tuning and inference.

P2P computing network for AI inference

Tether’s AI applications are built on the Pear runtime. Pear is a tooling platform for fully P2P applications that can operate without servers. Pear leverages the Holepunch tech stack. Holepunch is purpose-built for stable, direct communication between devices. Pear enables delegated inference for AI applications such as QVAC Workbench. Delegated inference enables a unified, dynamic workstation architecture where compute tasks are fluidly distributed between mobile and desktop environments, allowing either device to offload high-intensity processing to the most capable system. That is, you can start a task on your mobile device and delegate it to your desktop or laptop for completion.

AI for everyone

The only way to scale intelligence to the needs of a ten-billion-strong society is to push it to the edge. This, in turn, depends on the progress made by experiments aimed at cost-effectively localizing AI computation.

Billions of AI agents and countless AI applications deployed by developers in every region of the world, running effectively on user-owned resources, is the only way we can democratize superintelligence and avoid creating another ‘luxury’ cutting-edge technology controlled by unicorns and fully accessible only to elites.

Tether is pioneering limitless superintelligence for an ever-growing society and applications. Follow the journey to truly local and edge-first AI solutions