Agregátor RSS

A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia dubbed TrueChaos. The vulnerability in question is CVE-2026-3502 (CVSS score: 7.8), a lack of integrity check when fetching application update code, allowing an attacker to distribute a tampered update,

A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia dubbed TrueChaos. The vulnerability in question is CVE-2026-3502 (CVSS score: 7.8), a lack of integrity check when fetching application update code, allowing an attacker to distribute a tampered update,Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

It’s no big deal, you’d think, that researchers have found a way to reduce the computing requirements for one of the many steps involved in training an AI model to help robots manipulate simple geometric objects.

Yet such is the concern about the rising cost of powering data centers for AI applications that this one small and largely unremarkable finding prompted breathless news headlines such as “100x Less Power: The Breakthrough That Could Solve AI’s Massive Energy Crisis.”

Don’t believe the hype

No-one’s disputing the researchers’ findings, but reports about them may be somewhat exaggerated: “The leap from the research conducted in the arXiv study to the conclusion in the associated news articles is the stuff of myth. It’s the kind of hype that Gartner warns clients to avoid,” said Gartner VP analyst Nader Henein.

The researchers, from Human-Robot Interaction Lab at Tufts University in the US and the Center for Vision, Automation, and Control in Vienna, Austria, compared the training cost and performance of vision-language-action (VLA) models with that of a neuro-symbolic architecture using PDDL-based symbolic planning, reporting the results in a paper, The Price Is Not Right: Neuro-Symbolic Methods Outperform VLAs on Structured Long-Horizon Manipulation Tasks with Significantly Lower Energy Consumption. The paper has been accepted for presentation at the IEEE International Conference on Robotics and Automation.

Yuri Goryunov, who is the CIO for consulting firm Acceligence, also questioned whether the study’s energy-saving findings are applicable to broader problems in the enterprise.

“The ‘100x less power’ headline is misleading. What the researchers actually showed is that a rule-based system uses less energy than a neural model on a single puzzle. And it was in simulation, with the rules hand-coded by experts in advance,” Goryunov said. “That’s not a breakthrough. That’s a calculator beating a supercomputer at arithmetic.”

Goryunov argued that “the savings disappear the moment you hit real-world complexity. Disparate data sources and messy inputs, ambiguous situations without clear rule sets, or actually any domain where the rules aren’t already obvious. And someone still has to write all those rules.”

Matthias Scheutz, one of the paper’s authors, disputed some of Goryunov’s analysis.

Goryunov’s remark about the need to hand-code rules is incorrect, Scheutz said via email. “The innovation is that we can quickly ‘co-learn’ those rules (symbolic domain models, to be precise) together with the control laws to guide robot behavior in a robot-independent fashion. Moreover, what we show is that our system can generalize the results to cases not seen in the training data (in the “Towers of Hanoi” task that is more disks) while the VLA cannot.”

Scheutz agreed that headlines about using 100x less power were misleading: “We would never had made that claim because we were targeting a special case,” he said. But he insisted that, for some applications, “There are alternatives to generative AI models that come with a host of benefits: less power, fewer compute and training data demands, faster and better learning, better generalizations to related problems and different robot platforms, and introspectible representations that make the system explainable and in some cases provides firm provable behavior guarantees — VLAs (or any foundation model for that matter) cannot do any of that!”

The researchers might see eye-to-eye with Goryunov on one thing, though: the challenge of applying simple procedures to complex real-world problems. In the conclusion of their paper they state, “These results highlight important trade-offs between end-to-end foundation-model approaches and structured reasoning architectures. For manipulation tasks governed by explicit procedural constraints, incorporating symbolic structure can yield substantial advantages in reliability, data efficiency, and energy consumption.”

Some of these discussed hypothetical new approaches to AI do have potential, Goryunov said, specifically citing research work done by Google. “Google’s approach is to make the AI we’re already running dramatically cheaper and faster. Tufts’ approach is to replace it with something architecturally different for a narrow class of tasks. From an enterprise standpoint, there’s no contest. You can deploy Google’s findings tomorrow through your existing model providers. Tufts requires you to rewrite your architecture, hand-code your domain rules, and hope your problem looks like a puzzle.”

The benefits of short-termism

Nathan Marlor, the head of data and AI at Irish consulting firm Version 1, said that even though the Tufts research may not have immediate applicability to enterprise IT deployments, it could impact pricing negotiations with hyperscalers.

“For enterprise IT there’s nothing to do here. Nobody’s building PDDL planners in-house. But the cost angle matters if you’re watching AI compute bills climb and vendors keep telling you the answer is more GPUs. This is one more reason to push back on that,” Marlor said. “If hybrid architectures prove out more broadly, it shows up downstream as cheaper inference and lower cloud bills. But that’s on the platform and hyperscalers to figure out and not enterprise IT teams.”

Another consultant, Brian Levine, executive director of FormerGov, agrees that the Tufts report could color how IT views future AI pricing.

Enterprise IT executives “should absolutely track this space, not because they’ll deploy these models next quarter, but because the economics of AI are getting even more volatile. Enterprises need to stay flexible with their AI vendors,” Levine said. “This market can pivot on a dime. Locking yourself into a single hyperscaler’s stack or a single model architecture is a recipe for regret when breakthroughs like this start to commercialize.” Levine advocated staying flexible and avoiding long-term obligations. “This is a reason to avoid overcommitting to any one vendor’s roadmap. The ground under AI is shifting faster than most procurement cycles. The winners will be the CIOs and orgs that build for portability, negotiate for flexibility, and assume that today’s state of the art may look outdated sooner than anyone expects.”

This article was updated on April 3 to include comment from one of the researchers.

Vybrali jsme nejzajímavější bluetoothové reproduktory. Od malých do kapsy až po větší do domácnosti, které nabízejí výborný poměr cena/výkon.

Česká správa sociálního zabezpečení minulý týden spustila nový portál Moje konto. Slouží pro přehled dob důchodového pojištění evidovaných na úřadě, případně jejich doplnění a úpravu. ČSSZ už nemá povinnost každoročně zasílat osobní list důchodového pojištění, protože tato elektronická forma ji ...

The recent supply-chain attack against axios, a widely used open-source HTTP client, highlights a strategic weakness in the global technology stack: critical digital infrastructure is increasingly maintained by under‑resourced individuals, and its failure has systemic economic and national security consequences — even for tech giants like Apple.

At the center of your code

Axios is a programming library that helps JavaScript code communicate with websites and is heavily used by Mac, Linux, and Windows developers to do that task within their applications. There’s a good explanation of what that means here. The well-executed attack used stolen credentials to distribute malware capable of exfiltrating data from impacted machines.

The nature of this attack was sophisticated to say the least. Not only did the attacker first steal the credentials belonging to the project’s lead developer, but they also locked them out, changed the email address, and even initially uploaded legitimate software to the code repository first to fool security monitoring systems into seeing them as trustworthy. The malware-infested code followed that. 

While the attack was quickly spotted and developers were eventually able to mitigate the compromise, it isn’t known how many people may have been affected. 

The attack illustrates the extent to which Big Tech relies on open-source software. Without the many contributions of open-source developers, Apple, Amazon, Google, Microsoft, and everyone else would need to invest vast sums in building more of the infrastructure of our digital world.

This leaves a big weakness in tech that sophisticated attackers quite certainly recognize: under-resourced open-source software, developers, and repositories are potentially vulnerable. After all, when you leave relatively small numbers of not terribly well-resourced volunteers to look after critical infrastructure, it gives attackers a very short list of potential targets.

Hack a key developer to hack the ‘net. 

We must incentivize security

It’s easy to have opinions. Of course Big Tech should better fund open-source developers so they can protect themselves and finance their work, but current incentive structures don’t seem to encourage this.

So, what happens next?

These sometimes obscure open-source tools are critical to everything on a digitized planet and should be given ample access to the finance and security infrastructure with which we protect everything else. That’s going to require investment at a government level. To be fair, we do have some evidence that investment is taking place. The EU’s Cyber Resilience Act, Germany’s Sovereign Tech Fund, and the US-funded Open Source Security Initiative (OS3I) all demonstrate understanding that the security of open-source code is both a national and international strategic necessity. 

Despite these investments, the amount going toward securing the open-source stack is dwarfed by the estimated $8.8 trillion value open-source software generates for the global economy. This creates a situation in which more than a third of the 500 OSS maintainers surveyed by the Sovereign Tech Agency in 2024 said they are not paid for the work they do maintaining the standards we all rely on. (One-third more said they make some money, but not enough to make a living.)

One final point illustrates the vulnerability of the sector: almost three-quarters of the survey respondents said their open-source projects are maintained by three people or fewer. That makes it possible the attackers deliberately targeted small open-source developers to penetrate the code repositories in a highly sophisticated, planned, and executed hit.

It’s impossible to definitively reject the idea that such a well-executed attack was sponsored by some government-sponsored agency, particularly as the world appears to be at war. 

Time to Lockdown

But the story also demonstrates that Apple’s own security remains as weak as its weakest part, which in this case was a reliance on open-source tech. Now that this vulnerability has been proven, don’t be too surprised if criminals intensify attempts to penetrate these components in future. Apple, along with every operating system manufacturer, will probably lose sleep.

And developers should probably join the growing number of high-value targets using Lockdown Mode.

You can follow me on social media! Join me on Bluesky,  LinkedIn, and Mastodon.

AI agent risk isn't equal, it scales with access to systems and level of autonomy. Token Security explains how CISOs should categorize agents and prioritize what to secure first. [...]

Pokud jste si někdy říkali, jak by to asi dopadlo kdyby se potkaly systémy Linux a BeOS a měli spolu potomka, pak již nemusíte déle hádat, potomek je zde. Jmenuje se VitruvianOS.

Hackers hijacked the npm account of the Axios package, a JavaScript HTTP client with 100M+ weekly downloads, to deliver remote access trojans to Linux, Windows, and macOS systems. [...]

Fázové singularity představují body ve světelných vlnách s nulovou amplitudou • Nehmotné anomálie nenesou energii a mohou se pohybovat nadsvětelnou rychlostí • Tento unikátní jev vědci zaznamenali uvnitř krystalu hexagonálního nitridu boru

Cybersecurity researchers have disclosed a security "blind spot" in Google Cloud's Vertex AI platform that could allow artificial intelligence (AI) agents to be weaponized by an attacker to gain unauthorized access to sensitive data and compromise an organization's cloud environment. According to Palo Alto Networks Unit 42, the issue relates to how the Vertex AI permission model can be misused

Cybersecurity researchers have disclosed a security "blind spot" in Google Cloud's Vertex AI platform that could allow artificial intelligence (AI) agents to be weaponized by an attacker to gain unauthorized access to sensitive data and compromise an organization's cloud environment. According to Palo Alto Networks Unit 42, the issue relates to how the Vertex AI permission model can be misused Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Nová generace modelu Vertical nadchne displejem a extrémně dlouhou výdrží • Cílí na náročné i profesionální sportovce, kteří hledají víc outdoorové než chytré hodinky • Na jedno nabití mohou vydržet přes měsíc

Copilot automaticky vkládal do pull requestů 'propagační tipy', reklamní text se na GitHubu objevil ve více než jedenácti tisících pull requestech. Po vlně kritiky byla tato funkce zablokována a produktový manažer Tim Rogers připustil, že umožnit Copilotovi upravovat cizí pull requesty bez vědomí autorů byla chyba.

AI vendors selling to the California state government must prove they have safeguards against algorithmic bias, civil rights violations, and illegal content, or risk being barred from state contracts, under an executive order signed by Governor Gavin Newsom.

The order directs the Department of General Services and the California Department of Technology to develop new vendor certifications within 120 days.

Companies seeking state contracts would be required to attest to safeguards covering the “exploitation or distribution of illegal content, such as child sexual abuse material and non-consensual intimate imagery,” the “utilization of models that display harmful bias or lack governance to reduce the risk of such harmful bias,” and “violation of civil rights and civil liberties such as free speech, voting, human autonomy, and protections against unlawful discrimination, detention, and surveillance,” the order noted.

The order also directed the Government Operations Agency, within the same 120-day window, to recommend reforms that would bar entities “judicially determined to have unlawfully undermined privacy or civil liberties” from state contracts. That threshold goes beyond the financial stability, security certifications, and past-performance criteria that typically govern vendor eligibility in government procurement, the order added.

“California leads in AI, and we’re going to use every tool we have to ensure companies protect people’s rights, not exploit them or put them in harm’s way,” Newsom said in a statement accompanying the order.

The order’s reach is amplified by California’s position in the global AI market. The state is home to 33 of the world’s top 50 privately held AI companies and accounts for 25% of US AI patents, Newsom’s office said in a statement.

“California essentially wants to set a benchmark for de facto AI standards when it comes to procurement, safety, and ethics,” said Neil Shah, VP for research and partner at Counterpoint Research.

Decoupling from federal oversight

Beyond vendor certification, the order gives California’s State Chief Information Security Officer authority to review federal supply chain risk designations. Where the CISO concludes a federal ban is improper, the Department of General Services (DGS) and the California Department of Technology (CDT) must “jointly issue guidance ensuring that departments and agencies can continue to easily procure from that company,” the order said.

Shah said the CISO override mechanism reduces geopolitical risk for vendors. “The new state legislation effectively overrides federal sanctions, if any, protecting or giving one more chance to vendors that were rejected elsewhere,” he said.

Newsom signed the order against a backdrop of retreating federal AI oversight. President Trump revoked Biden’s 2023 executive order on the safe and trustworthy development of AI in January 2025, eliminating mandatory red-teaming for high-risk models, structured oversight for AI in critical infrastructure, and safety reporting requirements for frontier developers.  His replacement order reoriented federal policy toward deregulation. In December 2025, Trump directed the Justice Department to challenge state AI laws deemed inconsistent with federal policy, but explicitly exempted state government procurement from that preemption push.

Watermarking, genAI tools, data minimization

The order goes beyond vendor oversight. It directs the California Department of Technology to issue best-practice guidance for watermarking “AI-generated or significantly manipulated images or video” consistent with state law. Newsom’s office said the requirement is the first of its kind in the US.

The order also directs state agencies to give employees access to vetted GenAI tools with “appropriate privacy and cybersecurity safeguards,” pilot a GenAI application for resident-facing government services, and publish a data minimization toolkit for departments handling sensitive data.

Part of a longer California push

The order is not Newsom’s first move on AI governance.

In September 2025, he signed the Transparency in Frontier AI Act, which required large frontier AI developers to publish safety frameworks and report critical safety incidents, with fines of up to $1 million per violation. More than 20 California AI statutes covering employment, healthcare, education, and pricing algorithms took effect in January 2026.

The European Commission has pursued a similar procurement-as-governance approach through its Model Contractual Clauses for AI, updated in March 2025 to align with the EU AI Act, though those clauses remain advisory for member-state buyers.

“California government is essentially adding a third vector for CIOs and CISOs for enterprise procurement of ethical governance beyond uptime and pricing,” Shah said. He added that the new certification requirements could drive greater complexity and fragmentation, particularly for smaller vendors. “This can drive a greater compliance burden to get ‘California certified.’ However, once proven, it also sets a strong precedent for these players to expand globally relatively smoothly,” he said.

​Microsoft has resolved a known issue that rendered the classic Outlook email client unusable for users who enabled the Microsoft Teams Meeting Add-in. [...]

The cybersecurity landscape is accelerating at an unprecedented rate. What is emerging is not simply a rise in the number of vulnerabilities or tools, but a dramatic increase in speed. Speed of attack, speed of exploitation, and speed of change across modern environments. This is the defining challenge of the new era of digital warfare: the weaponization of Artificial Intelligence. Threat actors

The cybersecurity landscape is accelerating at an unprecedented rate. What is emerging is not simply a rise in the number of vulnerabilities or tools, but a dramatic increase in speed. Speed of attack, speed of exploitation, and speed of change across modern environments. This is the defining challenge of the new era of digital warfare: the weaponization of Artificial Intelligence. Threat [email protected]

Chinese-speaking users are the target of an active campaign that uses typosquatted domains impersonating trusted software brands to deliver a previously undocumented remote access trojan named AtlasCross RAT. "The operation covers VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers, and e-commerce applications, with eleven confirmed delivery domains impersonating

Chinese-speaking users are the target of an active campaign that uses typosquatted domains impersonating trusted software brands to deliver a previously undocumented remote access trojan named AtlasCross RAT. "The operation covers VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers, and e-commerce applications, with eleven confirmed delivery domains impersonatingRavie Lakshmananhttp://www.blogger.com/profile/[email protected]