RSS aggregator

Deals of the week: iPhone 17 Pro or Samsung for free, Calvin Klein watches up to 70% cheaper

Lupa.cz - articles - 30 May 2026 - 03:00
The sales are getting into full swing – this time you will find offers ranging from fashion and optics e-shops, through garden and household goods, to bank bonuses. We bring an overview of the most interesting promotions of this week.
Category: IT News

[remote] Notepad++ 8.9.6 - Arbitrary Code Execution

The Exploit Database - 30 May 2026 - 02:00
Notepad++ 8.9.6 - Arbitrary Code Execution

[webapps] YAMCS yamcs-core 5.12.7 - No Rate Limiting

The Exploit Database - 30 May 2026 - 02:00
YAMCS yamcs-core 5.12.7 - No Rate Limiting

[webapps] YAMCS yamcs-core 5.12.7 - User Enumeration

The Exploit Database - 30 May 2026 - 02:00
YAMCS yamcs-core 5.12.7 - User Enumeration

[webapps] YAMCS yamcs-core 5.12.7 - LDAP Injection

The Exploit Database - 30 May 2026 - 02:00
YAMCS yamcs-core 5.12.7 - LDAP Injection

Sodium Is Cheap, Abundant, and Now Powering Batteries That Could Rival Lithium

Singularity HUB - 30 May 2026 - 01:24

Sodium-ion batteries are rapidly gaining on lithium in consistency and fast charging.

As demand for electric vehicles and grid storage surges, battery makers are searching for alternatives to lithium that are cheaper and easier to source. New research suggests sodium-ion batteries, which have long been heralded as a promising alternative, may be maturing faster than expected.

Lithium-ion batteries dominate the market thanks to their excellent energy density and well-developed supply chains. But lithium prices have been swinging wildly in recent years, and there are concerns about lithium market concentration—the vast majority of extraction happens in a handful of countries, like Australia and Chile, and China dominates lithium processing.

This has driven interest in novel chemistries. Sodium is a leading contender due to its low price and abundant deposits all over the globe, but performance concerns have held back adoption.

Chinese companies, however, have begun to take sodium batteries seriously. And in a new analysis in Cell Reports Physical Science, German scientists found that cells made by the Chinese manufacturer HiNa compare favorably to the lithium-ion batteries Tesla uses in its cars.

“The combination of good uniformity, high power capability, and strong low‑temperature performance makes these cells attractive for stationary storage, grid services, and shorter‑range or commercial vehicles where potential lower cost and resource availability matter more than maximum driving range,” Moritz Schütte, a battery researcher at RWTH Aachen University who co-led the study, said in a press release.

A good battery needs uniform cells. If some cells are weaker than others, it can degrade the entire battery over multiple charge and discharge cycles, and it also makes it harder to control and optimize power flow in and out of the pack. It’s also a key indicator of a mature production process.

To see how the HiNa batteries stacked up, the researchers tested 120 individual sodium-ion cells using a non-destructive technique called impedance spectroscopy. Here, they applied a current across various frequencies to probe the internal physical chemical properties of the device.

The team then tested the cells at varying currents and temperatures from -4 to 113 degrees Fahrenheit to get a picture of their power performance under a wide range of conditions. They also used X-rays to probe the batteries’ internal structure, before opening them up to analyze the size and composition of various components in more detail.

Across the 120 cells, resistance varied by just 5.3 percent—a level of consistency the researchers say is comparable to well-established lithium-ion production lines. And while fast charging can rapidly degrade performance, the cells maintained full capacity at charge rates high enough to fill the battery in just 15 minutes.

Low temperature also reduces capacity by slowing down a battery’s chemical reactions. But the researchers found the HiNa device discharged over 80 percent of its usable energy at -4 degrees Fahrenheit after charging at roughly room temperature. That figure fell to 56 percent, however, when it was also charged at -4 degrees Fahrenheit (as opposed to room temperature).

The batteries didn’t get a universally glowing report. The team found energy density still lags the best lithium-ion cells, and as noted, charging at low temperatures remains a problem. “The high‑power performance was better than one might expect from an early commercial sodium‑ion product,” said Schütte. “However, for applications that require frequent charging at low ambient temperatures, appropriate thermal management or operating strategies will be important.”

But given the technology’s other attractive characteristics, the battery industry appears to be forging ahead. Chinese automaker Changan Automobile recently began selling the Nevo A06, which is fitted with a sodium-ion battery made by CATL, the world’s dominant battery manufacturer.

According to Bloomberg, CATL’s chief technology officer recently told a media event that the company will begin mass-producing sodium-ion cells in the fourth quarter of this year, declaring “the era of sodium and lithium shining together has arrived.”

A typical SUV powered by a sodium-ion battery would only have a range of around 215 miles, compared to the 250 to 370 miles for a lithium-ion powered vehicle, according to calculations from the International Energy Agency. But that’s nothing to turn your nose up at, particularly considering the fast-charging capabilities discovered by the RWTH researchers.

Whether the technology establishes a commercial foothold may well depend more on the vagaries of geopolitics than its inherent qualities. But cheaper, easier to source batteries can only be a win for the planet.


Category: Transhumanism

What happened in week 22/2026

AbcLinuxu [articles] - 30 May 2026 - 00:01
A comprehensive overview of articles, news items and discussions from the past 7 days.
Category: GNU/Linux & BSD

Look at the sky tonight

OSEL.cz - 30 May 2026 - 00:00
You will see a blue full moon, which will not actually be blue, but it will be a micro full moon.
Category: Science and Technology

A crazy biological compass

OSEL.cz - 30 May 2026 - 00:00
Where does the biological compass of animals reside? And on what principle does it work? A new study brings an unexpected discovery that has complicated the search for answers even further.
Category: Science and Technology

A mystery named Phoebe: Something flew between us and the Large Magellanic Cloud

OSEL.cz - 30 May 2026 - 00:00
At the end of 2019, Australian astronomers caught a remarkable gravitational microlensing event. Between Earth and a certain star in the Large Magellanic Cloud, an object passed whose mass corresponded to about three times that of our Moon. It turned out to be one of the most intriguing puzzles of contemporary astronomy.
Category: Science and Technology

Lone attacker published 14 malicious npm packages mimicking popular OpenSearch, Elasticsearch libraries

The Register - Anti-Virus - 29 May 2026 - 23:46
A single npm user on Thursday published 14 malicious packages within a four-hour window, all mimicking popular OpenSearch, Elasticsearch, DevOps, and environment-configuration libraries, according to Microsoft. It’s the latest in a seemingly never-ending string of supply chain attacks targeting developer tools and stealing cloud credentials and CI/CD pipeline secrets in its wake.

Using a newly created maintainer alias, vpmdhaj (a39155771@gmail[.]com), the threat actor published 14 packages impersonating legitimate libraries from the @opensearch and @elastic ecosystems and targeting Amazon Web Services, HashiCorp Vault, GitHub Actions, and the npm registry itself. This suggests that the attacker “likely chose a developer audience to have AWS and Elastic cloud credentials in their environments,” Microsoft warned in a Thursday blog.

All of the malicious packages include the same install-time stager and the same Bun-compiled, second-stage payload: a 195 KB credential harvester purpose-built for cloud and CI/CD environments. Plus, as we’ve seen with all of the other open source supply chain attacks of late, after stealing tokens and other secrets, the attacker can move laterally across cloud environments, steal additional sensitive data, and push even more poisoned updates to packages owned by hijacked maintainer identities, thus expanding the attack beyond the initial 14.

All of the malicious libraries have since been removed, and Microsoft published a list of all 14 in its blog. Give that a read to help identify systems that installed or built affected package versions on or after May 28. Be sure to also rotate any AWS IAM/STS, HashiCorp Vault, npm publish, and GitHub Actions tokens that may have been exposed.

To trick users into installing these developer tools and search engines, the attacker used typosquatting - naming a package one or two letters off from the legitimate one - or lookalike naming (such as opensearch-setup-tool, opensearch-config-utility, and elastic-opensearch-helper) to impersonate well-known libraries. In addition to this social engineering technique, used to drive installs through users’ typing mistakes or trust, the attacker also used two other techniques to make the supply chain attack more believable.

The first is spoofing upstream metadata. “Every unscoped package sets its package.json homepage, repository, and bugs fields to the legitimate github.com/opensearch-project/opensearch-js project,” Microsoft’s threat hunters explained. The second is inflated version numbers: the phony “releases” jump straight to 1.0.7265, 1.0.9108, or 2.1.9201 to suggest a mature release history.

After tricking users into installing the npm packages - all 14 are listed in the blog, so give that a read - the credential-stealing payloads automatically execute through preinstall hooks as soon as the victim runs npm install. For this, the attacker used one of two stagers.

The Gen-1 stager uses install, preinstall, and postinstall hooks that all invoke preinstall.js, and then collects a large amount of host information, including hostname, platform, arch, Node version, USER/USERNAME, cwd, INIT_CWD, npm_package_name, and npm_package_version. It then base64-encodes the JSON and POSTs it to the actor’s command-and-control server, which then serves a second-stage payload, written to payload.bin in the package install directory. “The package’s index.js re-launches the same payload.bin on every subsequent require() of the module – a quiet persistence mechanism that survives across CI build stages and developer rebuild loops,” according to Microsoft.

The later Gen-2 stager replaces the install-time C2 roundtrip with a stealthier loader that checks whether bun is already present on the host. If not, it downloads the legitimate Bun runtime v1.3.13, and then executes the second-stage payload, which sets to work stealing credentials across AWS, HashiCorp Vault, npm, GitHub Actions, and other CI/CD environments.
Category: Viruses and Worms

ICE to keep an eye on your eyes under $25M biometric scanner deal

The Register - Anti-Virus - 29 May 2026 - 21:35
If you thought US Immigration and Customs Enforcement’s widespread use of face recognition apps was a privacy violation, you’re about to get eye-rate over a new $25 million contract. According to a largely unreported contract summary published last week by ICE parent agency the Department of Homeland Security, US immigration cops have doled out about $25.1 million to a company called Bi2 Technologies for 1,570 biometric recognition devices able to identify people through fingerprints, iris scans, and facial recognition.

Additional procurement data indicates that the devices can be used in the field in both mobile and stationary configurations, and they provide ICE agents with access to Bi2’s Inmate Recognition and Identification System (IRIS), which matches biometrics to a database of more than five million booking, arrest, and incarceration records from 47 US states. The Bi2 system is also able to access driver’s license and vehicle plate info.

The deal was made without seeking any competing bids, and ICE justified the sole-source acquisition by pointing not only to Bi2’s capabilities being “unmatched by any competitor,” but also to a contract from last year in which it paid the company $4.6 million for what now appears to have been a one-year trial run of its technology on a much smaller scale. Per the FY 2025 contract, which expires at the end of this coming September, ICE got similar access to the IRIS database and mobile/stationary biometric scanning technology as this year’s award, but only 200 devices were deployed across the US. With the addition of this contract, 1,770 of the devices could now be on American streets by the end of May 2027.

While the Bi2 contracts have yet to cause a stir on the level of other ICE biometric surveillance technologies, the widespread deployment of eyeball scanners linked to law enforcement databases and other forms of government documentation could end up stirring up more controversy.

Senate Democrats have been railing against ICE’s use of biometric identification technology like Mobile Fortify, an app reportedly used by DHS under the Trump administration’s immigration enforcement push to identify people suspected of immigration violations and, potentially, protesters. In a letter last September, senators demanded ICE immediately cease using Mobile Fortify over concerns that the app could be inaccurate, biased, and might have a chilling effect on the legal expression of protected civil rights in the US. Neither ICE nor DHS responded to questions for this story.
Category: Viruses and Worms

Botnet of more than 17 million devices dismantled

Ars Technica - 29 May 2026 - 20:46

Authorities in the Netherlands said they dismantled a botnet that comprised more than 17 million devices and was managed by 200 servers, in a joint operation by the police and the National Cyber Security Center.

The action, announced Thursday, came about after a security researcher reported the sprawling network to authorities. The host infrastructure was located in the Netherlands.

Used for criminal purposes

“The police then seized several botnet servers from a hosting provider for investigation,” the NCSC said. “The botnet was taken offline by the provider because it was used for criminal purposes.”


No fix yet for critical RCE bug in open-source Git service Gogs - exploit module is out

The Register - Anti-Virus - 29 May 2026 - 20:26
There's a huge hole and no one is patching it thus far. A critical remote code execution (RCE) bug in Gogs, a popular open-source self-hosted Git service, can be exploited by any authenticated user - no special privileges required - on a default installation to fully compromise vulnerable servers, steal credentials and multi-factor authentication secrets, or even modify code in hosted repositories in a wide-reaching supply-chain attack.

A security researcher reported the 9.4-rated flaw to project maintainers in mid-March. It still doesn’t have a patch. It does, however, have a public Metasploit module - so we’d expect reports of in-the-wild exploitation to start very soon.

The vulnerability affects all supported platforms, including Windows, Linux, and macOS, and all installation methods, according to Rapid7 researcher Jonah Burgess, who found and reported the bug to Gogs maintainers via GitHub (GHSA-qf6p-p7ww-cwr9) on March 17. After they initially acknowledged that they received the report on March 28, Burgess says he never heard back from the Gogs team - not when he asked them for a status update, nor when he reminded them of the vulnerability disclosure date and asked if they wanted an extension to fix the flaw before its release.

“We have not received any further communication from Gogs, and the GHSA has remained unanswered since March 28,” Burgess told The Register. “Because there is currently no official patch, our team submitted a pull request with a suggested fix today [Friday], which is currently awaiting review. At this time, we have no evidence suggesting that this vulnerability is being exploited in the wild.” Gogs sponsor DigitalOcean also did not respond to The Register’s inquiries, including when the security issue would receive a patch.

The vulnerability stems from an argument injection flaw in Gogs’ pull request merge flow, specifically the Merge() function in internal/database/pull.go. If a Gogs repo owner or admin enables “Rebase before merging” and a user opens a pull request, the PR's base branch name gets passed directly to a git rebase command without a -- separator to mark the end of command options. Gogs also fails to properly sanitize the input. This means an attacker can create a malicious branch (such as --exec=touch${IFS}/tmp/rce_proof), and Git treats it as an --exec flag, not a branch name, and executes the payload. For Windows installations, the payload delivery method is slightly different, and Burgess developed an exploit module to auto-implement a cross-platform approach.

Until the maintainers fix the flaw, Burgess suggests Gogs’ users take the following precautions to mitigate the issue. First, and most importantly, restrict user registration (DISABLE_REGISTRATION = true in app.ini) to prevent untrusted users from creating accounts. Restricting repository creation (MAX_CREATION_LIMIT = 0 in app.ini) to prevent users from creating their own repos also blocks the easiest attack path - creating a new repo with rebase enabled - but it won’t prevent exploitation by users with write access to existing repositories. Finally, audit rebase merge settings, and disable “Rebase before merging” under Settings > Advanced. “Note that this is not an effective defense against a malicious user who owns or has admin access to a repo, since they can re-enable rebase at will,” the threat hunter warns. “There is no global or organization-level setting to restrict this.”
Category: Viruses and Worms

ChatGPT share links abused to host fake outage pages to deliver malware

Bleeping Computer - 29 May 2026 - 20:21
Threat actors are abusing ChatGPT's content-sharing feature to display fake OpenAI outage pages that direct users to download malware disguised as the ChatGPT desktop application. [...]
Category: Hacking & Security

California AG sues 23andMe over 2023 breach exposing health data

Bleeping Computer - 29 May 2026 - 20:08
California Attorney General Rob Bonta filed a lawsuit against 23andMe, now Chrome Holding Co., over the company's failure to protect sensitive customer genetic and personal information. [...]
Category: Hacking & Security

ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface

The Hacker News - 29 May 2026 - 20:07
Cybersecurity researchers have disclosed details of a vulnerability in OpenAI ChatGPT that leverages the artificial intelligence (AI) assistant's implicit trust in Markdown links and images to trigger prompt injections and open the door to phishing attacks. The technique has been codenamed ChatGPhish by Permiso Security. "The chatgpt.com response renderer trusts Markdown links and Markdown
Category: Hacking & Security

Open source Euro-Office productivity suite to launch June 9

Computerworld.com [Hacking News] - 29 May 2026 - 18:44

The Euro-Office open source productivity app suite will be available with the first stable release of the software on June 9. 

Euro-Office was unveiled in March with the aim of providing a modern, open source alternative to Microsoft and Google software for European organizations increasingly wary of a dependence on US-based suppliers. 

Euro-Office consists of four browser-based applications: a document editor, spreadsheet program, presentation tool, and a PDF editor, with each application enabling collaborative document editing. It supports Microsoft Office file formats DOCX, PPTX and XLSX, as well as Open Document Format (ODF) files such as ODS, ODT and ODP.

The software is intended to be integrated into collaboration solutions such as file-sharing platforms, online wikis or project management tools, according to Nextcloud, one of several European organizations involved in the Euro-Office project.

Nextcloud will add Euro-Office to its Nextcloud Office next month, where it will be available as an “equal option” alongside an existing open-source productivity suite based on Collabora’s software, Nextcloud CEO Frank Karlitschek said in a briefing. Pricing will depend on factors such as use case and deployment scale, but will sit in a similar range to the Collabora version.

Nextcloud plans to add desktop and mobile apps “later this summer,” said Karlitschek; these will save documents locally and sync to cloud storage tools that customers choose.

German cloud hosting provider Ionos will also integrate Euro-Office into its Nextcloud Workspace subscription at no extra cost, and as an optional paid add-on to its HiDrive and Managed Nextcloud subscriptions. (Pricing information was not immediately available.)

Nextcloud and Ionos are currently hiring a “dedicated development team” to work on Euro-Office, Nextcloud said in a blog post Thursday. Other software vendors, including Xwiki and Office.eu, are expected to incorporate Euro-Office into their products in the coming months, too.

Euro-Office is built on the open-source code base of OnlyOffice and distributed under the GNU Affero General Public License v3 (AGPL v3). 

Following the launch announcement, OnlyOffice — which is owned by Ascensio System SIA — alleged in March that Euro-Office violated its licensing terms and infringed its copyright, due to a lack of attribution to OnlyOffice.

Karlitschek said this week that the conflict with OnlyOffice is “now resolved,” following an agreement to provide attribution to OnlyOffice in Euro-Office. “We came to an agreement that the OnlyOffice people required only attribution, that you basically mention that the code is partly based on top of OnlyOffice, and we are happy to do it.”

But an OnlyOffice spokesperson denied a specific agreement had yet been reached. “OnlyOffice has not entered into any agreement with the Euro-Office project,” said Galina Goduhina, commercial director at OnlyOffice. 

“Our licensing framework is clearly defined, and compliance with its terms is not optional,” Goduhina said. “We will continue to assess the situation based on actual use of our technology.

“This situation goes beyond attribution — it concerns transparency of technology origin, respect for the original developer — and does not meet the standards of responsible partnership we expect,” Goduhina said. “OnlyOffice remains focused on supporting its users, customers and partners and continuing to develop reliable, enterprise-grade document solutions.”

OnlyOffice recently published a blog post outlining its license and trademark policy in more detail. 

A Nextcloud spokesperson said the blog post indicated a change in the OnlyOffice license to “bring it in line” with AGPLv3. 

“We applaud the removal of the conflicting requirements around the trademark, aligning with our opinion and that of the licensing experts in the open source community,” the spokesperson said. “We will adopt their changes as they are being made to the code, of course ensuring the license compliance is preserved. With these changes we consider the matter resolved.”

Category: Hacking & Security