RSS aggregator

Ubuntu Summit 26.04

AbcLinuxu [news briefs] - 27 May, 2026 - 15:25
Ubuntu Summit 26.04 takes place today and tomorrow. The program includes a number of interesting talks, which can be watched on YouTube. The opening remarks were given by Mark Shuttleworth and Jon Seager.
Category: GNU/Linux & BSD

A million Czechs already have their ID card on their phone. Next year a new app will replace eDoklady

Živě.cz - 27 May, 2026 - 14:45
eDoklady gained its millionth user this week. • The system also already has more than 48 thousand verifiers. • The autumn municipal elections should go ahead without capacity problems.
Category: IT News

How to guarantee a speaker gig: Hack the system. Literally

The Register - Anti-Virus - 27 May, 2026 - 14:00
A security researcher found a foolproof way to guarantee tech conferences accept his speaker submissions: hack their systems.

CVE-2026-41241 is a stored cross-site scripting (XSS) vulnerability in pretalx, a popular open source tool that conference organizers use to manage speaker submissions and schedules, that could allow attackers to effectively take over an organizer's session.

Any user controlling searchable fields – including submission titles, speaker display names, and user names or email addresses – could inject arbitrary HTML or JavaScript. When an organizer's search query matched the malicious record, the payload would execute in the organizer interface.

"Once triggered, the injected script executed in the context of the pretalx organiser interface and could read the page's [Cross-Site Request Forgery] CSRF token, submit authenticated requests on the victim's behalf (including requests modifying data due to access to the CSRF token), or exfiltrate data visible to the victim," according to pretalx's security advisory.

Project maintainers patched the flaw in April, and it has been fixed in pretalx 2026.1.0.

Elad Meged, founding engineer and security researcher at AI penetration-testing and offensive-security startup Novee, found and disclosed the flaw when he was preparing conference speaker submissions. He noticed the exact same call for proposals (CFP) submission form appearing underneath all of these different hacker conferences and academic symposiums' logos.

'One codebase serving them all'

While the events are unique, with different parent companies and organizers, "underneath, it is one codebase serving them all," Meged said in research published on Wednesday and shared in advance with The Register.

Meged then used the flaw to auto-apply for 40 conferences - and got accepted to present his proposed talk, "Securing Modern Web Apps," at every single one of them.

While Meged did submit real entries, he did not submit a live exploit payload into the conference systems. The Novee team validated all of their findings on a local instance. They didn't do any testing on pretalx.com or a third-party-hosted instance.

"The goal was to validate the vulnerable workflow in the exact real-world setup while avoiding unnecessary harm," Meged told The Register. "So, we used realistic, normal-looking talk submissions and then validated exploitability through controlled, version-specific testing."

Some of the events that use pretalx-based CFP infrastructure include OffensiveCon, TROOPERS, FOSDEM, HEXACON, and Recon, he told us, stressing that this does not mean any of these conferences were actively exploited or compromised.

For any conferences that used pretalx for talk submissions, but weren't accepting submissions at the time, Meged followed up with them via responsible disclosure.

And yes, Meged admits that he could have had more fun with the talk title, but he wanted to make it "intentionally boring and plausible," to blend in with other proposals. "I agree something outrageous would have been funnier, but it would also have been less responsible," he said.

Human led, AI agent assist

Meged described the research as "human-led vulnerability research, agent-assisted at internet scale."

Once they understood the type of vulnerability, any "capable web security researcher" could reproduce the exploit, he said, adding "this would not require nation-state-level skill."

Scaling the attack, reliably reproducing it, and adjusting the attack chain to each real-world pretalx deployment, however, benefited from an agentic AI assist – and this wasn't "a one-off script or a prank CFP submission," he told us.

"Different pretalx versions, deployment choices, and enabled features can change the behavior," Meged said. "Something that works on one instance may fail on another or require a different validation path."

Plus, some conferences use hosted infrastructure, while others run their own self-hosted instances. So the security shop built an agentic fingerprinting and validation system to scan the internet for public-facing, vulnerable systems, learn as much as possible about the version and configuration, and find the best way to exploit them.

'This type of work does not scale manually'

"This type of work does not scale manually," Meged said. "A human can find the core idea, understand the primitive, and make the responsible disclosure decisions. But mapping internet-wide exposure, fingerprinting many deployments, comparing versions, modeling behavior, adjusting validation logic, and organizing disclosure steps is exactly where AI agents become useful. The agents helped with discovery, fingerprinting, version comparison, environment modeling, controlled validation, note-taking, and disclosure workflow management."

After finding and fingerprinting public pretalx deployments, and identifying version-specific behavior, the agents selected the best non-destructive validation path for each one.

While there's no indication that attackers found and exploited the security issue before Novee's team, it's serious in that it could have granted organizer-level access to the conference call-for-proposal and scheduling system - these typically contain speaker identities, submissions, acceptance decisions, and private communications between conference organizers and speakers.

Gaining access to this type of information could have allowed for targeted phishing or other trust-based attacks impersonating a well-known industry event.

"With organizer-level access, an attacker could potentially read or modify submissions, interfere with the review process, impersonate conference staff, alter CFP data, or communicate with speakers and submitters from a trusted conference context," Meged said.

"The most realistic abuse case is targeted phishing or lateral movement through trust. If a speaker, sponsor, reviewer, or attendee receives a link or request from what appears to be a legitimate conference system, they are much more likely to trust it," he added. "So the story is not just: Someone could get a fake talk accepted. The bigger risk is that a trusted conference platform could become a launchpad for attacks against the entire event ecosystem."

Tobias Kunze, a developer who created pretalx, told The Register that Meged reported 11 security findings on April 14. He assessed all of these and classed one as a serious vulnerability and five as non-vulnerability bugs – but with fixes – and five more as non-critical or intended behavior.

"Contact with Elad was very positive and professional," Kunze told us. "We discussed the severity and impact of his findings, and it was as good a report as a small open source project like pretalx can hope to receive." ®
Category: Viruses and Worms

FBI warns of in-person data theft attacks from extortion gang

Bleeping Computer - 27 May, 2026 - 13:51
The FBI warned on Tuesday that the Silent Ransom Group (SRG) extortion gang is now targeting U.S.-based law firms in in-person data theft attacks. [...]
Category: Hacking & Security

GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure

The Hacker News - 27 May, 2026 - 13:48
CrowdStrike, in partnership with Google and the Shadowserver Foundation, has announced the simultaneous disruption of all command-and-control (C2) channels associated with GlassWorm, a persistent software chain campaign targeting software developers through malicious packages and extensions. "Since at least early 2025, GlassWorm operators have systematically targeted software developers, a
Ravie Lakshmanan
Category: Hacking & Security

3 SOC Steps that Shut Down Incident Risks Early

The Hacker News - 27 May, 2026 - 13:45
Most organizations still picture cyber defense as a fortress problem: build stronger walls, add more guards, buy another detection engine. But modern incidents rarely crash through the front gate. They drift in disguised as routine activity, hide inside legitimate processes, and quietly accumulate risk long before anyone labels them an "incident." That changes the role of the SOC entirely.
Category: Hacking & Security

Apple’s iPhone satellite ambition goes beyond rescuing hikers

Computerworld.com [Hacking News] - 27 May, 2026 - 13:38

Apple has spent billions of dollars to develop satellite connectivity for iPhone; I very much doubt it did so solely to rescue stranded hikers. The company will most certainly have had a bigger prize in its sights when it first began working with GlobalStar (now owned by Amazon).

The most logical reason to invest in satellite coverage for its devices is the most obvious — to provide network infrastructure for new breeds of device and new service models. You don’t acquire access to massive amounts of bandwidth for nothing. And Apple’s steady introduction of new satellite-supported services shows it is interested in introducing these services, even though the offer isn’t yet extensive enough to require iPhone users to pay for access.

The decision not to charge for those satellite services suggests they’re just the thin end of the company’s plans for satellite deployment.

It’s possible the company’s ambitions were limited by GlobalStar’s ability to put satellite constellations in orbit. That work was ongoing last time I looked, and I fully expect existing Apple satellite services will be extended to new nations, even under Amazon’s watch.

Amazon enters the room

Amazon’s recent $11.6 billion acquisition of GlobalStar is interesting. You can see that Apple is now forced to work with its old frenemy, even as both partners already profit from strong, steady Apple hardware sales via the online retailer. So they know they can make money together.

“Apple and Amazon have a long and proven track record of working together through Amazon’s core infrastructure services, and we look forward to building on that collaboration with Amazon Leo,” Greg Joswiak, Apple’s senior vice president of worldwide product marketing, said when the deal was announced. (The transaction isn’t expected to close until next year.)

Making money together is often seen as a strength in business relationships and Amazon has agreed to continue supporting Apple products and to collaborate with Apple on future satellite services.

When it comes to mobile telecoms, Amazon isn’t the only game in town, and neither is Starlink. Cellular operators are inking deals with satellite providers all over the world, all with the intention of bringing network access to those who otherwise can’t get a decent connection.

Just today in the UK, Virgin Media O2 announced plans to switch on the O2 Satellite service for iPhone users tomorrow, enabling customers — particularly in rural areas — to get a satellite connection where traditional cellular coverage is unavailable. It could simply identify new ways to enhance the Find My service.

Orange last year offered its own satellite comms to French customers, while Deutsche Telekom partners with others to provide SMS via satellite in Europe and the US. You’ll find similar alliances in most key territories, including Australia and Japan. The direction of travel exposes an industry embracing satellite as a way to widen existing cellular infrastructure, which makes sense given the relative cost of installing conventional masts in some regions. 

Many ways to crack it

There’s speculation Apple could become a satellite carrier, a move that would put it in competition with carrier partners. But Apple doesn’t need to do so to provide satellite communication services to iPhone users, nor would it want to relinquish the symbiotically profitable relationships it’s developed with carriers.

It could, for example, provide satellite calling as a hardware feature available with every iPhone across all supported carriers, possibly as an additional service that guarantees customers can get a connection, even in the countryside. It could evangelize the service as being “Private by Design,” and supplement this with data over satellite to support apps, particularly agentic AI apps.

Combined with the next wave of AI enhancements Apple is expected to deliver for its systems, the combination of an always-on, resilient, private data connection and AI could prove invaluable to many customers. That’s particularly true for enterprise customers seeking global solutions that respect sovereign data, privacy, data retention policy and managed AI services – especially as terrestrial infrastructure becomes an attack target. Such scenarios will only become more widely understood as 6G emerges, with its built-in support for satellite infrastructure.

What will Apple do?

Will Apple move in that direction, or maintain its focus on the consumer markets? Will it decide that rather than deploying its own part-owned satellite constellations as it was with GlobalStar, it is better to work with carrier partners? Will it wait for 6G with its enhanced, standards-based support for satellite communications? 

Those are answers we don’t yet have. But it is quite clear that as satellite communications truly enter the mass market, Apple has put together many of the technical, hardware, software and infrastructure pieces it will need to ensure the iPhone is a peer player in whatever use cases emerge. 

Category: Hacking & Security

Xiaomi smart fans are now cheaper. They are quiet, rotate in all directions, and can be controlled from a phone

Živě.cz - 27 May, 2026 - 12:45
The Xiaomi Smart Air Circulation Fan has dropped to 1399 Kč for the desktop version and 1499 Kč for the floor-standing version. • Both fans are quiet, powerful, and rotate both horizontally and vertically. • They connect to a phone or smart home over Wi-Fi.
Category: IT News

Gitea Vulnerability Exposes Private Container Images without Authentication

The Hacker News - 27 May, 2026 - 12:06
Cybersecurity researchers have disclosed a security flaw in Gitea, an open-source, self-hosted platform for version control, that allows unauthenticated remote attackers to pull private container images from Gitea deployments without requiring an account, password, or other credentials. The vulnerability, tracked as CVE-2026-27771 (CVSS score: 8.2), affects all versions of Gitea prior to 1.26.2
Ravie Lakshmanan
Category: Hacking & Security

CISA gives feds 4 days to patch actively exploited cPanel plugin flaw

Bleeping Computer - 27 May, 2026 - 12:06
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. federal agencies four days to secure their servers against a critical vulnerability in the LiteSpeed cPanel user-end plugin, which is actively being exploited in attacks. [...]
Category: Hacking & Security

The Sisyfos club handed out its Bludný balvan (Erratic Boulder) awards. Dan Vávra scored in astrology, minister Macinka in the climatology and atmospheric physics category

Živě.cz - 27 May, 2026 - 11:45
Every year the Czech club Sisyfos hands out the Bludný balvan (Erratic Boulder) awards, an anti-prize for significant contributions to misleading the public. In satirical form it draws attention to the "most deserving" individuals and groups who excelled over the past year in pseudoscience, disinformation, and creative handling of reality. On Monday the 25th ...
Category: IT News

Total Android recall: Never lose an important notification again

Computerworld.com [Hacking News] - 27 May, 2026 - 11:45

Google’s shiny new Android 17 update may be on the brink of making its way out into the world, but one of the most consequential Android notification upgrades I’ve seen in ages is actually available for anyone, on any device, this instant.

It’s one of those things you don’t even realize is missing — and awkwardly has been, all this time — until you have it in front of you and see just how helpful and at times even invaluable it is.

And that’s the ability to have any or all of your notifications saved and restored whenever you restart whatever Android device you’re using — so that nothing important gets awkwardly tossed aside, lost, and forgotten, likely without your ever even noticing or being aware of what you’ve missed.

How many potentially important pending alerts have you lost as a result of that reboot trash chute? I couldn’t even begin to count, myself, and am slightly terrified to think of the answer. But with this easy new improvement in place, it’ll never happen again.

And best of all? It’ll take you roughly two minutes, once, to set up and then forget about and just know it’s working on your behalf from that moment forward.

Lemme show ya how.

Your new Android notification safety net

The secret sauce that makes this sorcery possible comes not from Google itself but from a crafty independent developer who’s been expanding our Android notification smarts for many a moon now.

His app is called BuzzKill. You’ve probably heard me rave about it before, with other noteworthy features and additions it’s introduced over time.

Whether you already have BuzzKill on your device or this is your first time encountering it, though, it’s well worth your while to take note of this new capability that snuck into the app not long ago.

First, a quick primer/refresher on what BuzzKill is, in case you aren’t already familiar: BuzzKill is essentially a way to create Gmail-like filters for your Android notifications. You use it to create simple custom rules for what happens when different types of notifications arrive — in an intuitive “if this, then that”-style form — with all kinds of interesting and advanced options for making your alerts more effective.

The latest addition to the app is an experimental option called, appropriately enough, “Restore after reboot.” And it does exactly what you’d expect: Anytime your device restarts, it automatically swoops in to save any active notifications that fit the parameters you select and then instantly restores ’em back into active status once your phone is back up and running.

Without such a system in place, any notifications that you either hadn’t yet looked at or maybe had glanced at and left pending as a reminder to deal with later would more often than not just vanish entirely — and you’d have no easily visible record of their presence or any real indication that they’d been there at all. That’s a dangerous recipe for forgetting something important, whether it’s an email you intended to engage with, a Slack message you needed to acknowledge, or even a task of some sort that had popped up for you to ponder.

The beauty of the BuzzKill approach to fixing this is that it really is a “set it and forget it” sort of system: You just create whatever rule you want now, get it up and running, and then rest easy knowing it’ll always find and restore any active notifications anytime your device restarts — as Android itself should but for whatever reason does not.

2 minutes to auto-restored Android notifications

All right — here are the specific steps to getting your new notification safety net in place:

  • First, go download BuzzKill from the Play Store, if you don’t already have it.
    • The app costs four bucks as a one-time purchase, which — believe me — is nothing compared to the ongoing value it’ll give you with this and its many other notification-enhancing possibilities.
    • It doesn’t require any unusual permissions, doesn’t collect any form of data from your phone, and doesn’t have any manner of access to the internet — meaning it’d have no way of sharing your information even if it wanted to. 
  • Once you’ve gone through the app’s initial setup and made your way to its main screen, tap on the circular button in the lower-right corner of the screen to create a new rule.
  • On the screen that comes up next, consider which specific sorts of notifications you want to have restored whenever your device restarts.
    • You could always start with any and all notifications and then go back in to refine and limit the rule more once you see how it works. You might eventually want to ask it to avoid restoring alerts from certain low-priority apps — like, say, Google Photos — so that it doesn’t bother bringing back stuff that you don’t actually need.
    • If/when you want to create any such restrictions, tap the text that says “any app” to change which apps will be included and/or tap the text that says “contains anything” if you want to restrict based on what specific text a notification does or doesn’t include.
    • If you don’t want to create any limitations and just want all of your active notifications to be restored, at least to start, leave those lines alone and mosey on down to our next step.
BuzzKill’s simple “if this, then that” formatting gives you lots of flexibility with how and when your rule works.

JR Raphael, Foundry

  • Tap the line that says “do nothing” and scroll down to find the “Restore after reboot” option. It’ll be toward the bottom of the list, within the “System actions” section.
The “Restore after reboot” action is described as experimental, but it seems to work quite well in my experience so far.

JR Raphael, Foundry

  • Tap that, then tap “Pick action” to confirm.
  • And last but not least, tap “Save rule” to, y’know, save your rule and set it into action.
The BuzzKill notification restoration equation, in its simplest possible form.

JR Raphael, Foundry

You should then see the rule showing up as active and running on the main BuzzKill screen.

Notification restoration — active and ready to spring into action whenever your phone restarts.

JR Raphael, Foundry

And that really is all there is to it: Whenever your phone next restarts, any notifications that were visible and active at the time of the restart should just show back up via BuzzKill as soon as things boot back up. If you want to get fancy, you could even make certain especially important notifications “sticky” in general, so that if you inadvertently swipe ’em away while your phone is running normally, they’ll automatically come right back even in that scenario.

It’s not the flashiest feature you’ll see this year, and it doesn’t have any whizbang AI shenanigans to make it seem headline-worthy by current-day standards. But it will work and quite possibly be one of the most practical, actually helpful additions you make to your phone all year — even if and arguably especially if you only think about it once in a great while, when you notice it working its magic and saving you from losing something significant.

Category: Hacking & Security

Dutch police arrests suspect linked to Ajax football club hack

Bleeping Computer - 27 May, 2026 - 11:09
The Dutch National Police arrested a 35-year-old man suspected of hacking the professional football club Ajax Amsterdam (AFC Ajax) earlier this year. [...]
Category: Hacking & Security

Sex, lies and stolen data. The alleged OnlyFans hack is mainly a lesson in why not to use the same e-mail everywhere

Zive.cz - security - 27 May, 2026 - 10:45
An offer to sell a database with the data of 340 million users and creators of the OnlyFans platform has appeared on a cybercrime forum. The attackers are asking 0.313 bitcoin for it (currently about 1.6 million Czech crowns). Regarding a breach of its internal systems, however, Fenix International, the company that operates the platform, ...
Category: Hacking & Security

Sex, lies and stolen data. The alleged OnlyFans hack is mainly a lesson in why not to use the same e-mail everywhere

Živě.cz - 27 May, 2026 - 10:45
An offer to sell a database with the data of 340 million users and creators of the OnlyFans platform has appeared on a cybercrime forum. The attackers are asking 0.313 bitcoin for it (currently about 1.6 million Czech crowns). Regarding a breach of its internal systems, however, Fenix International, the company that operates the platform, ...
Category: IT News

Windows 11 KB5089573 update released with performance improvements

Bleeping Computer - 27 May, 2026 - 10:33
Microsoft has released the KB5089573 preview cumulative update for Windows 11 versions 25H2 and 24H2, which comes with 30 changes, including performance and reliability improvements. [...]
Category: Hacking & Security

Tan: We lost our lead in data centers. Gelsinger had it set up wrong

CD-R server - 27 May, 2026 - 10:00
In an interview with CNBC, Intel CEO Lip-Bu Tan criticized the company's previous leadership and said that by the end of June he will have a new team ready that will work at the speed of light…
Category: IT News