Agregátor RSS

NASA Jet Propulsion Laboratory testuje pohon využívající lithium. VUT a Univerzita obrany otestovaly první vysokorychlostní přenos dat s kvantově odolným šifrováním. Vakuové fluktuace v optických dutinách odhalují skryté vlastnosti vložených materiálů. Objevili nový důkaz existence černých děr střední hmotnosti.

Život je změna. Ví to i současná vláda a tak pravděpodobně dojde k odsunutí účinnosti jedné z větších plánovaných úprav, které se dotýkají důchodů.

AI modely při generování kódu opakovaně navrhují závislosti na balíčcích, které na npm ani PyPI neexistují. Útočníci takové názvy mohou registrovat a v některých případech je už naplnili škodlivým kódem.

V moři je spousta energie, ale těžit ji není snadné. Španělská společnost IDOM vyvíjí konvertor energie vln, který se jako veliký válec pohupuje na vlnách. V současné době testují u pobřeží Biskajského zálivu prototyp MARMOK-A-5 o celkové výšce 42 metrů a výkonu asi 30 kW

x86 procesory se pomalu přesouvají do 2nm éry. AMD totiž oficiálně zahájila produkční výrobu procesorů architektonické generace Zen 6 na 2nm tchajwanských linkách TSMC…

A major internal repository breach at GitHub has exposed a critical and overlooked blind spot in Linux supply chain security. Kernel exploits, exposed SSH services, weak firewall rules, and vulnerable daemons dominated the Linux threat model for years, and in many environments, they still matter. But recent supply-chain incidents involving GitHub ecosystems, npm packages, and malicious developer tooling point somewhere else entirely: the developer workstation.

You know your Google API key has leaked so you rush to disable it before bad actors can start running up charges on your account. Bad news: According to security researchers at Aikido, people can use the API keys for up to 23 minutes after a user deletes them, creating a window of opportunity that, when combined with Google’s automatic billing tier upgrades, can devastate victims. “We've identified a substantial window where an attacker with access to a leaked Google API key can continue to misuse that credential, after the user believes the key is revoked,” Joseph Leon, a security researcher with Aikido, told The Register. “In that window, an attacker could run up charges, pull sensitive files uploaded to Gemini, and exfiltrate cached context.” Aikido tested the gap during 10 trials over two days. In each trial, researchers created an API key, deleted it, and then sent three to five authenticated requests per second until no valid response came back for several minutes. From the time a user deletes the Google API key to when it can no longer be used propagates gradually across Google's infrastructure, he said. Some servers reject the key within seconds while others keep accepting it for 23 minutes. What this means is that an attacker holding a deleted key can repeatedly send requests until one reaches a server that has not caught up, Leon said. If Gemini is enabled on the project, they can dump files that were uploaded and exfiltrate cached conversations. The paper cited a similar problem researchers disclosed in December involving AWS keys. In that case, after deletion, attackers had a four-second window to exploit, and researchers showed how they could create new credentials in that time. “Four seconds was enough to matter on AWS,” Leon wrote in the paper. “Given recent attention to Google API keys used to access Gemini, we set out to measure how long Google's API key revocation window remains open.” Flaws can hit devs with huge surprise bills The Register has reported numerous cases of Google API key abuse in which developers are suddenly hit with five figure bills after their credentials are compromised. The problem was compounded in April after Google reworked its billing policy to include spending tiers for users. While developers initially thought of it as a way to limit costs, Google automatically upgrades that spending tier to the next highest level without their knowledge. For users who have been working with Google for more than 30 days and have spent more than $1,000 over the lifetime of the account, their cap can be increased from $250 to $100,000 if their usage spikes – a windfall for crooks if the credentials fall into the wrong hands. Developers whose Google API keys were stolen told The Register that their bills rocketed up to five figures minutes after their credentials were stolen, as bad actors loaded up on Google’s Gemini models such as Nano Banana and its video production model Veo 3. Google issued refunds in the three instances that The Register brought to its attention, returning $154,000 to those developers. The victims told The Register that, during the attack, they were frantically trying to shut down the spending and turn off access to their projects even as costs climbed by thousands of dollars. Leon said in cases where a Google developer tries to shut off access to their account, deleting the API key will still give crooks time to inflict damage. “It's hard to put a dollar figure on it,” Leon told us. “The window averaged 16 minutes in our testing and stretched to nearly 23 at the worst. During that window, the success rate is wildly unpredictable. We saw minutes where over 90% of requests still authenticated, and others where fewer than 1% did. An attacker who knows this can send requests at high volume to maximize their odds of hitting a server that hasn't caught up. For Google API keys with Gemini access, the damage isn't just a compute bill. It's the files and cached context an attacker can exfiltrate before the key actually dies.” Using VMs, Aikido tested its findings across three Google Cloud regions – east coast US, western Europe, and southeast Asia – then they spot checked those results on different dates. For each trial, Aikido deleted a single API key and sent requests from each of the three VMs in parallel, Leon wrote in the paper. “VMs further from the US picked up the deletion faster, which is the opposite of what you'd expect. We can't say exactly why from the outside. Google's request routing is more complex than ‘VM region equals server region,’ and a VM in Singapore isn't necessarily talking to servers in Singapore,” the paper states. “But the pattern was consistent across trials, which points to something about regional infrastructure, caching, or routing affinity driving the difference.” The trial used keys with access to Gemini, but he observed the same behavior with keys scoped to other GCP APIs, such as BigQuery and Maps. Google has built faster revocation for other credential types, Leon said. He said Google’s service account API credential revocations propagate in about 5 seconds. Gemini's newer API key format – the one that starts with AQ – propagates in about a minute. “Both run at Google scale. Both suggest this is technically solvable for Google API keys, too,” Leon wrote. But Google told Aikido it has no plans to address the 23-minute gap researchers found with its other API keys. “After reviewing our report, they closed it as ‘Won't Fix (Infeasible)’ with the comment ‘the delay due to propagation of the deletion of these keys is working as intended,’ “ Leon told us. The Register has reached out to Google about this research, but has not yet received a response. ®

Linux administrators often face an ugly choice in the cloud: prioritize convenience and cost-efficiency by sharing infrastructure, or sacrifice those benefits for the sake of total isolation. Most modern Linux workloads don't live on their own private servers anymore. They live in shared environments like Kubernetes clusters, where multiple teams and services run side-by-side. It sounds efficient, and it usually is. 

Ve FreeBSD byla nalezena a opravena zranitelnost FatGid aneb CVE-2026-45250. Jedná se o lokální eskalaci práv. Neprivilegovaný uživatel se může stát rootem.

Finding vulns just doesn't pay like it used to. At least one bug hunter who found an open source security flaw and reported it months ago via HackerOne’s backlogged Internet Bug Bounty (IBB) program finally got paid for his work - but at a drastically reduced reward rate. The security researcher found a medium-severity vulnerability that previously paid $1,843. As of Monday, HackerOne’s IBB pays $297 for the same severity level. Similarly, the new IBB cash prize for a critical vulnerability is $2,257, compared to the previous $9,250 reward. High-severity bugs now fetch $1,009, while they used to earn a $4,429 payout. And low-severity bugs earn researchers $68, compared to the previous $597 reward. HackerOne’s IBB remains on a break, and is not accepting new submissions. “The IBB program is currently paused while we evaluate adjustments to the program that will maximize value to researchers, sponsors, and the open-source ecosystem,” a spokesperson told us. “We remain committed to strengthening open source security through ethical security research.” When asked if AI-generated reports played a role in the pause and reduced reward amounts, a spokesperson didn’t give us a direct answer. “The Internet Bug Bounty is a unique, dynamic program where bounty levels automatically adjust based on the contributions from active participating sponsors,” the HackerOne spokesperson said. “Payouts under this program are regularly adjusted accordingly, as provided in the IBB program description.” Tale of two hackers Back in January, The Register talked with hacker Jakub Ciolek, who told us he reported two denial-of-service bugs in Argo CD, a popular Kubernetes controller, via HackerOne’s IBB program last fall. Both were assigned CVEs and fixed. Ciolek expected to receive about $8,500 for the two flaws - but instead HackerOne ghosted him for months, finally sending him an email after The Register reached out to the bug bounty platform. HackerOne thanked him for his patience and said his bug reports remain "pending reward processing due to a temporary operational backlog." Shortly after, we heard from another researcher in a similar situation. “I still hope to get some bounty some day for it,” the bug hunter told The Reg, noting that HackerOne set an end-of-March deadline to sort the backlog. On Wednesday, this hacker told us he finally received a bounty announcement and payout from HackerOne, although at $297, it was less than expected, as the payout amounts changed after they submitted their report. “I am glad I finally got something,” they said. Ciolek said he’s still waiting for any word from HackerOne, and told us repeatedly that this isn’t about the money. “The reduced payout is a symptom,” he said. “The economics of vulnerability reporting are changing very quickly.” Until just a few months ago, project maintainers - and bug hunters themselves, Ciolek included - dismissed this as an AI-slop problem. Recently, however, as models have gotten exponentially better at writing code and exploits, open source projects can’t keep up with the pace of bug reports, which still require humans to evaluate them. "Over the last few months, we have stopped getting AI slop security reports in the curl project,” Daniel Stenberg, founder and lead developer of curl, famously said in a social media post. "They're gone. Instead, we get an ever-increasing amount of really good security reports, almost all done with the help of AI." Linux kernel maintainer Greg Kroah-Hartman also noted in an interview with The Register how AI-assisted bug reports contained less slop and more valid concerns. On Sunday, Linux kernel boss Linus Torvalds declared that the project’s security mailing list has become “almost entirely unmanageable” due to multiple researchers using AI to find bugs and then filling the list with duplicate reports. “The recent Linux security mailing list situation is a clear signal: AI-assisted reports are increasingly real enough to matter, but numerous enough to overwhelm the people who have to validate and fix them,” Ciolek told us. “Bug bounties were supposed to reward what was scarce,” he continued. “That used to be discovery. Today, finding plausible bugs is becoming much cheaper, and generating reports is easy to scale. The expensive part is still very human: someone has to verify impact, deduplicate reports, decide whether something really crosses a security boundary, coordinate disclosure, and get a safe fix shipped.” While Ciolek says he’s sympathetic to changing economics, and overworked, underpaid open source project maintainers' capacity to investigate every serious-looking security report, the trust issue between researchers and bug bounty programs remains. “The trust issue here is that the change was effectively applied long after the work was already done, fixed, and publicly credited under a different expectation,” Ciolek said. “Responsible disclosure depends on researchers believing the process is predictable. The rules should not change after the work is complete. Serious researchers will price that in as risk, or they will stop participating.” Ciolek says he’s no longer actively doing bug bounty research - but will report serious issues as he finds them. “With the current flood of findings, I don't want to add more volume unless I'm confident the issue is serious enough,” Ciolek said. “In this AI-assisted era, the valuable work is no longer just ‘I found another bug.’ It is ‘I verified this matters and helped get it fixed.’ I think the original discovery-first bug bounty model is becoming obsolete. The next model has to reward more of the remediation cycle, not only the finding.” ®

Google has accidentally leaked details about an unfixed issue in Chromium that keeps JavaScript running in the background even when the browser is closed, allowing remote code execution on the device. [...]

Sony dlouhé roky definovalo, jak mají vypadat prémiová Bluetooth sluchátka s ANC. Jenže trh se mezitím změnil. Nová výroční řada 1000X THE COLLEXION proto necílí jen na co nejlepší potlačení hluku nebo funkce, ale také na zákazníky, kterým běžná plastová prémiová sluchátka už jednoduše nestačí. ...

Vybrali jsme nejlepší navigační aplikace pro Android a iOS • Využijí je řidiči, cyklisté i chodci • Většinu aplikací lze používat zdarma

The European Union has stepped up efforts to grow its homegrown tech sector and reduce dependence on US firms, advancing plans this week for a €5 billion ($5.8 billion) fund to help startups scale in Europe rather than seek capital or buyers abroad.

Analysts welcomed the initiative, but said its success will depend on whether it can spur wider private investment in European tech companies.

The European Commission this week selected Swedish investment firm EQT — one of Europe’s largest private market investors, with $311 billion in assets — to manage the fund; first investments are expected this autumn. The fund is backed by the Commission and private investors, including Allianz, CriteriaCaixa, and Novo Holdings.

The effort is part of a broader push to strengthen the EU’s tech sector following the 2024 Draghi report on competitiveness. Other initiatives include EU Inc proposals aimed at reducing red tape for startups and a Tech Sovereignty Package due May 27 that’s expected to include measures to support domestic technology firms.

The push reflects concerns that Europe has struggled to produce and retain globally competitive tech companies. Only around 8% of global scale-up firms are headquartered in the EU, according to European Commission data, compared to roughly 60% in North America. And many promising startups are acquired by larger US firms before they reach the scale needed to compete globally; Google’s 2014 buyout of DeepMind is a notable example.

“Europe produces world-class deep-tech innovation and has a strong pipeline of early-stage startups, but has consistently struggled to convert that pipeline into globally competitive companies at scale,” said Richard Stevens, associate vice president of IDC’s IDC4EU European Government Consulting unit.

EU-based startups face a variety of barriers, including fragmented capital markets across member states. That can make it difficult to assemble larger funding rounds in the the $58 million to $347 million range tech firms need to compete with US and Chinese peers, said Stevens. Varying regulatory environments across EU member states are another factor.

“The cumulative effect is that many of Europe’s most promising technology companies either relocate to the US to access deeper capital markets, or get acquired by non-European players before they reach their full strategic potential,” said Stevens.

European tech startups suffer from a “poor culture of private funding for entrepreneurship” in the EU, said Forrester senior analyst Dario Maisto, who focuses on cloud computing and digital sovereignty. Public funding mechanisms often reward administrative compliance rather than commercially viable businesses, he said.

Stevens said the €5 billion target would make the Scaleup Europe Fund the largest dedicated scale-up investment vehicle assembled in Europe — and the appointment of EQT as fund manager sends an important signal. 

“The EU’s decision to structure this on commercial terms, with market-standard governance and a competitive selection process, reflects a deliberate move away from traditional grant-based instruments toward a model designed to mobilize private capital at scale. That is significant,” he said. 

“Picking a commercially-minded manager like EQT, rather than a state-backed institution, suggests the Commission wants returns as well as strategic impact,” said Miguel Meuleman, professor for entrepreneurship at Vlerick Business School in Belgium. “The question now is whether private co-investors follow with serious capital, or whether this stays largely a public initiative. The €5 billion is a lever, not the load.”

The €5 billion should be considered a starting point, analysts said, with significantly higher levels of capital needed to put the European technology sector on par with the US — where deployed venture and growth capital annually runs into the hundreds of billions of dollars – and China – which benefits from state-backed investments.

“The €5 billion mark is a drop in the sea,” said Maisto, “but it will help build a more stable scale-up ecosystem if implemented well.”  He warned that the EU is attempting to address structural problems primarily through funding, even though bureaucratic processes still risk undermining its efforts.

Stevens said the scale-up fund’s value will be measured by its ability to keep high-potential European companies “anchored on the continent” and attract co-investment from institutional and corporate investors.

He also pointed to the potential for a “self-reinforcing ecosystem effect” in sectors including AI, quantum computing, clean energy, biotech and space technology — areas where Europe already has strong technological capabilities and where IDC expects strong  growth over the next five years.

“A €5 billion fund cannot close the gap with the US and China alone, but if it catalyzes broader structural changes in how European capital is deployed and attracts momentum from the surrounding investment community, it could be genuinely transformative,” said Stevens.

You can usually measure a society by the way it treats its most vulnerable populations, and technology often can help people live better, more autonomous lives. Apple firmly believes that, and this year’s raft of accessibility announcements introduced to mark Global Accessibility Awareness Day shine a light on that belief. 

The company has won a string of awards that recognize its work, including praise from the National Federation of the Blind, the American Foundation for the Blind, the Cerebral Palsy Foundation, and the National Association of the Deaf. These tools matter to everyone, of course; as we age and our faculties decline, the accessibility solutions Apple creates today promise better tomorrows.

AI + Accessibility + Apple 

With WWDC just weeks away, Apple’s latest accessibility features promise powerful technologies for all. Most will arrive with the 27 series of Apple operating systems — and many of the most powerful tools lean deeply into AI and Apple Intelligence.

“The accessibility features our users rely on every day become even more powerful with Apple Intelligence,” said Sarah Herrlinger, Apple’s senior director of Global Accessibility Policy and Initiatives. “With these updates, we’re bringing new, intuitive options for input, exploration, and personalization, designed to protect users’ privacy at every step.”

They also give us a glimpse at what Apple has planned across its operating systems in terms of improved contextual intelligence in Siri. For example, a new tool called Image Explorer in VoiceOver lets you use Apple Intelligence to generate detailed descriptions of images held across your system, and those images can be documents, bills, receipts.

The idea is that you can hold up your iPhone, point your camera at the item and ask Apple Intelligence to describe what it is, read it to you, ask questions about what’s there, and even ask follow-up questions about what it sees. This will make a huge difference for disabled people who use voice to control their iPhone or iPad. (It remains unknown whether these services will also be available on Mac.)

All the same, the fact that these new accessibility improvements work on device mean you can use them in complete privacy, which makes them even more compelling.

See it, say it, do it

While Apple hasn’t said anything specific, it’s hard to ignore that this feature could be of use in a more context-savvy Siri. If you think about it, what you see on your iPhone display is also an image; it seems plausible you’ll be able to use Siri to get things done on your device pretty soon.

That’s certainly true of a second accessibility improvement Apple introduced — Voice Control, which will let you navigate your device using natural speech. This is great for those of us who cannot easily use touch to navigate a device, and in combination with Image Explorer suggests deep use cases for all of us. After all, if Siri can open files with a voice command, why not with a text prompt? And if that file happens to be a workflow or agentic action, this could utterly transform the iPhone UI.

AI that solves real problems

Apple is also putting more intelligence into Accessibility Reader, an invaluable tool for users with low vision or dyslexia that reads text to them. Now boosted by AI, this can handle far more complex source materials, including tables and multi-column layouts.

Accessibility Reader also takes a leap beyond just simply reading such material; thanks to AI, it can now generate on-demand summaries and even live translation of the text you choose to read. There’s intelligence in FaceTime conversations, too. Apple intends to introduce a new API for sign language interpretation app developers that lets users add human interpreters to ongoing calls.

AI is also available in video, meaning your device will automatically generate subtitles for spoken dialog for any content, including videos shared by family and friends. Apple’s on-device speech recognition means subtitles can be generated privately and appear automatically for uncaptioned videos on iPhone, iPad, Mac, Apple TV, and Apple Vision Pro.

Mobility transformed with Vision Pro

Apple introduced a version of the Apple Watch Activity app for wheelchair users  in 2016. This was a new first, as there had never been an accurate fitness tracker for wheelchair users before. The team building the solution had to create brand new algorithms and engage in massive tests to ensure it got this right.

Ten years later, and Apple has introduced something new: the capacity to control compatible power wheelchairs using the calibration-free eye-tracking capabilities of Apple Vision Pro. While this is interesting from a technical point of view, for some wheelchair users — particularly for those who cannot use a joystick to control their system — it’s a major benefit.

Pat Dolan is the founder of GeoALS, which works to improve care, accelerate research, and advocate for the Amyotrophic lateral sclerosis (ALS) community. ALS is a progressive neurodegenerative disease that affects nerve cells in the brain and spinal cord. Dolan, who has lived with ALS for a decade said: “The option to control my power wheelchair on my own is gold to me; Apple is developing life-enhancing technology for the people who need it most.”

For the many

In many ways, these features open up new opportunities for people who are customarily denied at least some of the chances many of us take for granted.

Apple CEO Tim Cook in 2018 explained why Apple places so much focus on accessibility within its platforms. “It’s a basic core value of Apple,” he said. “We don’t make products for a particular group of people; we make products for everybody. We feel very strongly that everyone deserves an equal opportunity and equal access.”

Ultimately, that’s the point with Apple’s approach to accessibility. The company builds all these features into its basic devices, which means people who need them aren’t forced into paying an accessibility tax in order to access the features they need. 

“Apple’s approach to accessibility is unlike any other,” said Cook in a statement. “Now, with Apple Intelligence, we are bringing powerful new capabilities into our accessibility features while maintaining our foundational commitment to privacy by design.”

You can follow me on social media! Join me on BlueSky,  LinkedIn, and Mastodon.

Apple revealed that it blocked over $11 billion in fraudulent App Store transactions over the last six years, more than $2.2 billion in potentially fraudulent App Store transactions in 2025 alone. [...]

U monitorů do kanceláře, na hraní i na profi grafiku si všímejte jiných parametrů. • Levné modely nemusí mít špatný obraz, ale budou mít horší výbavu. • Poradíme vhodnou úhlopříčku, rozlišení, typ panelu a frekvenci pro každý scénář.

Cybersecurity researchers have disclosed details of a new Linux malware dubbed Showboat that has been put to use in a campaign targeting a telecommunications provider in the Middle East since at least mid-2022. "Showboat is a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files, and functioning as a SOCKS5 proxy," Lumen

Cybersecurity researchers have disclosed details of a new Linux malware dubbed Showboat that has been put to use in a campaign targeting a telecommunications provider in the Middle East since at least mid-2022. "Showboat is a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files, and functioning as a SOCKS5 proxy," Lumen Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]