news aggregator

We're not half way there, we're still livin' on a prayer

IPv6 carried half of global traffic for a single day in March, according to Google.…

An anonymous reader quotes a report from Ars Technica: Two years ago, Microsoft launched its first wave of "Copilot+" Windows PCs with a handful of exclusive features that could take advantage of the neural processing unit (NPU) hardware being built into newer laptop processors. These NPUs could enable AI and machine learning features that could run locally rather than in someone's cloud, theoretically enhancing security and privacy. One of the first Copilot+ features was Recall, a feature that promised to track all your PC usage via screenshot to help you remember your past activity. But as originally implemented, Recall was neither private nor secure; the feature stored its screenshots plus a giant database of all user activity in totally unencrypted files on the user's disk, making it trivial for anyone with remote or local access to grab days, weeks, or even months of sensitive data, depending on the age of the user's Recall database. After journalists and security researchers discovered and detailed these flaws, Microsoft delayed the Recall rollout by almost a year and substantially overhauled its security. All locally stored data would now be encrypted and viewable only with Windows Hello authentication; the feature now did a better job detecting and excluding sensitive information, including financial information, from its database; and Recall would be turned off by default, rather than enabled on every PC that supported it. The reconstituted Recall was a big improvement, but having a feature that records the vast majority of your PC usage is still a security and privacy risk. Security researcher Alexander Hagenah was the author of the original "TotalRecall" tool that made it trivially simple to grab the Recall information on any Windows PC, and an updated "TotalRecall Reloaded" version exposes what Hagenah believes are additional vulnerabilities. The problem, as detailed by Hagenah on the TotalRecall GitHub page, isn't with the security around the Recall database, which he calls "rock solid." The problem is that, once the user has authenticated, the system passes Recall data to another system process called AIXHost.exe, and that process doesn't benefit from the same security protections as the rest of Recall. "The vault is solid," Hagenah writes. "The delivery truck is not." The TotalRecall Reloaded tool uses an executable file to inject a DLL file into AIXHost.exe, something that can be done without administrator privileges. It then waits in the background for the user to open Recall and authenticate using Windows Hello. Once this is done, the tool can intercept screenshots, OCR'd text, and other metadata that Recall sends to the AIXHost.exe process, which can continue even after the user closes their Recall session. "The VBS enclave won't decrypt anything without Windows Hello," Hagenah writes. "The tool doesn't bypass that. It makes the user do it, silently rides along when the user does it, or waits for the user to do it." A handful of tasks, including grabbing the most recent Recall screenshot, capturing select metadata about the Recall database, and deleting the user's entire Recall database, can be done with no Windows Hello authentication. Once authenticated, Hagenah says the TotalRecall Reloaded tool can access both new information recorded to the Recall database as well as data Recall has previously recorded. "We appreciate Alexander Hagenah for identifying and responsibly reporting this issue. After careful investigation, we determined that the access patterns demonstrated are consistent with intended protections and existing controls, and do not represent a bypass of a security boundary or unauthorized access to data," a Microsoft spokesperson told Ars. "The authorization period has a timeout and anti-hammering protection that limit the impact of malicious queries."

Read more of this story at Slashdot.

Bug or feature?

A design flaw – or expected behavior based on a bad design choice, depending on who is telling the story – baked into Anthropic's official Model Context Protocol (MCP) puts as many as 200,000 servers at risk of complete takeover, according to security researchers.…

OpenAI is updating Codex with more agent-like capabilities, positioning it as a more direct rival to Anthropic's Claude Code. Some of the new features include the ability to operate macOS desktop apps, browse the web inside the app, generate images, use new workplace plug-ins, and remember useful context from past tasks. The Verge reports: Codex will now be able to operate desktop apps on your computer, OpenAI says in a blog post announcing the update. It can work in the background, meaning it won't interfere with your own work in other apps, and multiple agents can work in parallel. For developers, OpenAI says "this is helpful for testing and iterating on frontend changes, testing apps, or working in apps that don't expose an API." The feature will start rolling out to Codex desktop app users signed in with ChatGPT today and will initially be limited to macOS. OpenAI did not indicate a timeline for when use will expand to other operating systems. EU users will also have to wait, it said, adding that the update will roll out to users there "soon." Codex is also getting the ability to generate and iterate on images with gpt-image-1.5, new plug-ins for tools like GitLab, Atlassian Rovo, and Microsoft Suite, and native web browsing through an in-app browser, "where you can comment directly on pages to provide precise instructions to the agent." OpenAI also said it will also be easier to automate tasks, with users able to re-use existing conversation threads and Codex now able to schedule future work for itself and wake up automatically to continue on a long-term task. Codex will also be getting a memory feature allowing it to remember useful context from past experience, such as personal preferences, corrections, and information that took time to gather. OpenAI said it hopes the opt-in feature, which will be released as a preview, will help future tasks complete faster and to a quality that previously required detailed custom instructions. The personalization features will roll out to Enterprise, Edu, and EU users "soon."

Read more of this story at Slashdot.

Client connects to deepset's Haystack platform

Mozilla has declared war on OpenAI, Microsoft, and other firms flogging enterprise AI platforms with an open-source alternative it says provides data privacy guarantees proprietary products never could. …

'I think you can run this thing on a potato,' NodeWeaver CTO Alan Conboy said.

Broadcom's price increases and policy changes have led many VMware customers to look for other options. Nodeweaver is positioning itself as an alternative for customers running computing workloads in far-flung edge locations, from cruise ships to solar farms in Sub-Saharan Africa, and it is taking cost out of the hardware needed as well.…

BrianFagioli writes: The developers behind Linux Mint say the project is rethinking its release strategy and moving toward a longer development cycle, with the next version now expected around Christmas 2026. In a monthly update, project lead Clement Lefebvre said the team reached a "crossroads" and needs more flexibility to fix bugs, improve the desktop, and adapt to rapid changes across the Linux ecosystem. The upcoming development build, temporarily called Mint 23 "Alfa," is currently based on Ubuntu 26.04 LTS and includes Linux kernel 7.0, an unstable build of Cinnamon 6.7, and early Wayland related work. Mint is also replacing the long used Ubiquity installer with "live-installer," the same tool used by Linux Mint Debian Edition, allowing the project to unify installation infrastructure across its Ubuntu based and Debian based variants. While the team frames the changes as an opportunity to improve quality and reduce maintenance overhead, the shift has raised questions about the project's long term direction and whether Linux Mint may eventually lean more heavily on its Debian roots rather than its traditional Ubuntu base.

Read more of this story at Slashdot.

Large organizations pushed toward metered pricing

UPDATED More bad news for Claude users. Anthropic has revised its seat-based pricing for enterprise customers, shifting them to a new pricing plan upon contract renewal.…

The head of the International Energy Agency warned that Europe may have only "six weeks or so" of jet fuel left if oil supplies remain blocked by the Iran war and the Strait of Hormuz stays disrupted. The Associated Press reports: IEA Executive Director Fatih Birol painted a sobering picture of the global repercussions of what he called "the largest energy crisis we have ever faced," stemming from the pinch-off of oil, gas and other vital supplies through the Strait of Hormuz. "In the past there was a group called 'Dire Straits.' It's a dire strait now, and it is going to have major implications for the global economy. And the longer it goes, the worse it will be for the economic growth and inflation around the world," he told The Associated Press. The impact will be "higher petrol (gasoline) prices, higher gas prices, high electricity prices," said Birol, speaking in his Paris office looking out over the Eiffel Tower. Economic pain will be felt unevenly and "the countries who will suffer the most will not be those whose voice are heard a lot. It will be mainly the developing countries. Poorer countries in Asia, in Africa and in Latin America," said the Turkish economist and energy expert who has led the IEA since 2015. But without a settlement of the Iran war that permanently reopens the Strait of Hormuz, "Everybody is going to suffer," he added. "Some countries may be richer than the others. Some countries may have more energy than the others, but no country, no country is immune to this crisis," he said.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Reuters: Alphabet's Google is negotiating an agreement with the Department of Defense that would allow the Pentagon to deploy its Gemini AI models in classified settings, the Information reported on Thursday, citing two people with direct knowledge of the discussions. The two parties are discussing an agreement that would allow the Pentagon to use Google's AI for all lawful uses, according to the report. During the negotiations, Google has proposed additional language in its contract with the department to prevent its AI from being used for domestic mass surveillance or autonomous weapons without appropriate human control, the Information reported. The Pentagon will continue to deploy frontier AI capabilities through strong industry partnerships across all classification levels, a Pentagon official said, without confirming any talks with Google.

Read more of this story at Slashdot.

If there's one thing folks want less than Copilot in their taskbar, it's a bit barn in their backyard

Loud, thirsty, power hungry, and intensely unpopular with neighboring residents: datacenters are becoming the new nuclear waste dump. And many localities are now saying "not in my backyard."…

Social engineering: 'low-cost, hard to patch, and scales well'

North Korean criminals set on stealing Apple users' credentials and cryptocurrency are using a combination of social engineering and a fake Zoom software update to trick people into manually running malware on their own computers, according to Microsoft.…

IPv6 usage briefly reached 50% across Google services for the first time, marking a major milestone for a protocol created in 1998 to solve IPv4's address shortage. Tom's Hardware reports: [...] IPv6 was dismissed early on as a headache-inducing, hard-to-implement complication that would hardly ever gain any traction -- despite offering 2^128 possible numbers, solving all network number assignments in one fell swoop. That changed over time by force of necessity, and Google's tracking graph shows that for a brief moment in time on March 28, 50% of worldwide users accessed the service over an IPv6 connection, marking a historic first. APNIC's stats show that the protocol is in use by 43% of the world, with Asia and the Americas inching ever close to those 50%. Cloudflare, meanwhile, shows that 40% of traffic is done in IPv6, an actually impressive figure if you consider it's measuring actual transferred packets rather than just counting addresses. The tried-and-true IPv4 and its well-known 123.456.789.123 format from 1980 offers ~4.3 billion addresses in theory, and around 3.7 billion in practice. That always sounded like a lot, but nobody could have predicted just how rapid the explosion of the Internet would be. IANA, the entity controlling the North-American IPv4 space, ran out of IPv4 addresses around 2011, while its European equivalent RIPE NCC could spare no more four-octet addresses nearly seven years ago in 2019. Asian, African, and Latin-American IP registries equally ran out during that timeframe.

Read more of this story at Slashdot.

Worse: Anthropic is using Persona, a privacy checker that rings alarm bells for the paranoids on Reddit

Anthropic may check your ID before letting you access certain Claude features, and the verification vendor it has picked is the same outfit that sparked controversy when Discord tested similar checks.…

Anthropic released Claude Opus 4.7, calling it its strongest generally available model and an improvement over Opus 4.6 in areas like software engineering, instruction-following, tool use, and agentic coding. But the company says it is "less broadly capable" than the restricted Claude Mythos Preview, "which Anthropic rolled out to a select group of companies as part of a new cybersecurity initiative called Project Glasswing earlier this month," reports CNBC. From the report: The launch of Claude Opus 4.7 on Thursday comes after Anthropic launched Claude Opus 4.6 in February. Anthropic said the new model outperforms Claude Opus 4.6 across many use cases, including industry benchmarks for agentic coding, multidisciplinary reasoning, scaled tool use and agentic computer use, according to a release. Anthropic said it experimented with efforts to "differentially reduce" Claude Opus 4.7's cyber capabilities during training. The company encouraged security professionals who are interested in using the model for "legitimate cybersecurity purposes" to apply through a formal verification program. Claude Opus 4.7 is available across all of Anthropic's Claude products, its application programming interface and through cloud providers Microsoft, Google and Amazon. The new model is the same price as Claude Opus 4.6, Anthropic said.

Read more of this story at Slashdot.

Batching teensy changes in chunks creates massive performance boost, DuckDB Labs team claims

The team behind in-process OLAP database DuckDB has put forward a solution to the "small changes" problem that they say plagues lakehouse implementations of the kind based on technologies from Databricks, Snowflake, Google, and others.…

The EU says a new age-verification app is technically ready and could let users prove they are old enough to access restricted online content without revealing their identity or personal data. Deutsche Welle reports: Once released, users will be able to download the app from an app store and set it up using proof of identity, such as a passport or national ID card. They can then use it to confirm they are above a certain age when accessing restricted content, without revealing their identity. According to the Commission, the system is similar to the digital certificates used during the COVID-19 pandemic, which allowed people to prove their vaccination status. The app is expected to support enforcement of the bloc's Digital Services Act, which aims to better regulate online platforms. This includes restricting access to content such as pornography, gambling and alcohol-related services. Officials say the app will be "completely anonymous" and built on open-source technology, meaning it could also be adopted outside the EU. [...] While there is no binding EU-wide law yet, the European Parliament has called for a minimum age of 16 for social media access. For now, enforcement would largely fall to individual member states, but the new app is intended to help platforms comply with future national and EU rules.

Read more of this story at Slashdot.

Shame about the internet blackouts and airstrikes

North America has some of the world's most expensive broadband, according to a new study, while Iran has the cheapest.…

Fortune 500 companies and one US defense contractor got taken for $5m in four-year scam

Two Americans have been jailed for a combined 200 months for helping North Korea generate $5 million through fraudulent IT worker schemes.…

An anonymous reader quotes a report from UploadVR: A group of independent researchers built a device that can artificially induce smell using ultrasound, with no consumable cartridges required. [...] The team of four are Lev Chizhov, Albert Yan-Huang, Thomas Ribeiro, Aayush Gupta. Chizhov is a neurotech entrepreneur with a background in math and physics, Yan-Huang is a researcher at Caltech with a background in computation and neural systems, and Ribeiro and Gupta are co-researchers on the project with software engineering and AI expertise. Instead of targeting your nose at all, the device directly targets the olfactory bulb in your brain with "focused ultrasound through the skull." The researchers say that as far as they're aware, no one has ever done this before, even in animals. A challenge in targeting the olfactory bulb is that it's buried behind the top of your nose, and your nose doesn't provide a flat surface for an emitter. Ultrasound also doesn't travel well through air. The solution the researchers came up with was to place the emitter on your forehead instead, with a "solid, jello-like pad for stability and general comfort," and the ultrasound directed downward towards the olfactory bulb. To determine the best placement, they say they used an MRI of one of their skulls to "roughly determine where the transducer would point and how the focal region (where ultrasound waves actually concentrate) aligned with the olfactory bulb (the target for stimulation)". [...] According to the researchers, they were able to induce the sensation of fresh air "with a lot of oxygen", the smell of garbage "like few-day-old fruit peels," an ozone-like sensation "like you're next to an air ionizer," and a campfire smell of burning wood. While technically head-mounted, the current device does require being held up with two hands. But as with all such prototypes, it likely could be significantly miniaturized.

Read more of this story at Slashdot.