Microsoft warns on-prem SharePoint users of a zero-day, won’t patch it though

Microsoft has warned users of SharePoint Server that three on-prem versions of the product include a zero-day flaw that is under attack – and that its own failure to completely fix past problems is the cause.

In a July 19 security note, the software giant admitted it is “… aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.”

The attack targets CVE-2025-53770, a flaw rated 9.8/10 on the CVSS scale as it means “Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network.”

The US Cybersecurity and Infrastructure Security Agency (CISA) advises CVE-2025-53770 is a variant of CVE-2025-49706, a 6.3-rated flaw that Microsoft tried to fix in its most recent patch Tuesday update.

The flaw is present in SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. At the time of writing, Microsoft has issued a patch for only the latter product.

That patch addresses a different vulnerability, the 6.3-rated path traversal flaw CVE-2025-53771, and mitigates both that flaw and the more dangerous CVE-2025-53770. While admins wait for more patches, Microsoft advised them to ensure the Windows Antimalware Scan Interface (AMSI) is enabled and configured correctly, alongside an appropriate antivirus tool. Redmond also wants users to watch for suspicious IIS worker processes and to rotate SharePoint Server ASP.NET machine keys.

CISA has also issued its own warning. “Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025,” it said. “Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit.”
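The CISA guidance above boils down to two log checks: requests from three listed IPs in a two-day window, and POSTs to the ToolPane.aspx page with DisplayMode=Edit. The following is an added example (not Microsoft's or CISA's tooling) that runs both checks over IIS W3C extended log lines. It assumes the default IIS field order given in FIELDS; the log lines in SAMPLE_LOG are constructed for the example, and the IPs are the ones CISA listed with the defanging brackets removed.

```python
"""Scan IIS W3C logs for the SharePoint indicators in the CISA guidance above.

Added example, not Microsoft's or CISA's tooling. The three IPs, the
ToolPane.aspx path with DisplayMode=Edit, and the July 18-19, 2025 window are
the indicators CISA named (defanging brackets removed). Assumed input: IIS W3C
extended log lines in the default field order listed in FIELDS. Every log line
in SAMPLE_LOG is constructed for this example.
"""
import ipaddress
from datetime import date

SUSPECT_IPS = {ipaddress.ip_address(ip) for ip in
               ("107.191.58.76", "104.238.159.149", "96.9.125.147")}
SUSPECT_PATH = "/_layouts/15/toolpane.aspx"   # compared case-insensitively
SUSPECT_PARAM = ("displaymode", "edit")       # query key/value, case-insensitive
WINDOW = (date(2025, 7, 18), date(2025, 7, 19))

# Default IIS W3C field order (assumption; match it to the #Fields header of real logs).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Constructed sample log: one benign request, one matching every indicator,
# one listed IP outside the window, one ToolPane POST from an unlisted IP.
SAMPLE_LOG = [
    "#Fields: " + " ".join(FIELDS),
    "2025-07-18 14:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 alice 10.0.0.23 Mozilla/5.0+(Windows) - 200 0 0 120",
    "2025-07-18 14:05:42 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 95",
    "2025-07-20 09:15:00 10.0.0.5 GET /sites/hr/default.aspx - 443 bob 96.9.125.147 Mozilla/5.0 - 200 0 0 40",
    "2025-07-19 03:30:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx displaymode=edit 443 - 203.0.113.9 curl/8.0 - 500 0 0 33",
]


def parse_line(line):
    """Split one W3C log line into a dict; None for directives, blanks or short lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def query_has(query, key, value):
    """Case-insensitive check for key=value among '&'-separated query parameters."""
    if query == "-":          # IIS writes '-' when there is no query string
        return False
    for pair in query.split("&"):
        k, _, v = pair.partition("=")
        if k.lower() == key and v.lower() == value:
            return True
    return False


def classify(rec):
    """Return the indicator names matched by one parsed record."""
    hits = []
    if (rec["cs-method"].upper() == "POST"
            and rec["cs-uri-stem"].lower() == SUSPECT_PATH
            and query_has(rec["cs-uri-query"], *SUSPECT_PARAM)):
        hits.append("toolpane_edit_post")
    try:
        src = ipaddress.ip_address(rec["c-ip"])
    except ValueError:
        src = None
    if src in SUSPECT_IPS:
        hits.append("cisa_listed_ip")
        if WINDOW[0] <= date.fromisoformat(rec["date"]) <= WINDOW[1]:
            hits.append("within_jul_18_19_window")
    return hits


def scan(lines):
    """Return [(line_number, hits)] for every line matching at least one indicator."""
    findings = []
    for num, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            findings.append((num, hits))
    return findings


if __name__ == "__main__":
    for num, hits in scan(SAMPLE_LOG):
        print(f"line {num}: {', '.join(hits)}")
```

A hit on the listed IPs alone is only a lead; the combination of a listed source, the July 18-19 window and a ToolPane POST is what warrants pulling the IIS worker process activity and rotating the machine keys as Microsoft advises.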

Source: Microsoft warns on-prem SharePoint users of a zero-day • The Register

As site blocks pile up, European Commission issues subtle slapdown to Italy’s Piracy Shield

As numerous Walled Culture posts attest, site blocking is in the vanguard of the actions by copyright companies against sites engaged in the unauthorised sharing of material. Over the past few months, this approach has become even more pervasive, and even more intrusive. For example, in France, the Internet infrastructure company Cloudflare was forced to geoblock more than 400 sports streaming domain names. More worryingly, leading VPN providers were ordered to block similar sites. This represents another attack on basic Internet infrastructure, something this blog has been warning about for years.

In Spain, LaLiga, the country’s top professional football league, has not only continued to block sites, it has even ignored attempts by the Vercel cloud computing service to prevent overblocking, whereby many other unrelated sites are knocked out too. As TorrentFreak reported:

the company [Vercel] set up an inbox which gave LaLiga direct access to its Site Reliability Engineering incident management system. This effectively meant that high priority requests could be processed swiftly, in line with LaLiga’s demands while avoiding collateral damage.

Despite Vercel’s attempts to give LaLiga the blocks it wanted without harming other users, the football league ignored the new management system, and continued to demand excessively wide blocks. As Walled Culture has noted, this is not some minor, fringe issue: overblocking could have serious social consequences. That’s something Cloudflare’s CEO underlined in the context of LaLiga’s actions. According to TorrentFreak, he warned:

It’s only a matter of time before a Spanish citizen can’t access a life-saving emergency resource because the rights holder in a football match refuses to send a limited request to block one resource versus a broad request to block a whole swath of the Internet.

In India, courts are granting even more powerful site blocks at the request of copyright companies. For example, the High Court in New Delhi has granted a new type of blocking order significantly called a “superlative injunction”. The same court has issued orders to five domain registrars to block a number of sites, and to do so globally – not just in India. In America, meanwhile, there are renewed efforts to bring in site blocking laws, amidst fears that these too could lead to harmful overblocking.

The pioneer of this kind of excessive site blocking is Italy, with its Piracy Shield system. As Walled Culture wrote recently, there are already moves to expand Piracy Shield that will make it worse in a number of ways. The overreach of Piracy Shield has prompted the Computer & Communications Industry Association (CCIA) to write to the European Commission, urging the latter to assess the legality of the Piracy Shield under EU law. And that, finally, is what the European Commission is beginning to do.

A couple of weeks ago, the Commission sent a letter to Antonio Tajani, Italy’s Minister of Foreign Affairs and International Cooperation. In it, the European Commission offered some comments on Italy’s notification of changes in its copyright law. These changes include “amendments in the Anti-Piracy Law that entrusted Agcom [the Italian Authority for Communications Guarantees] to implement the automated platform later called the “Piracy Shield”.” In the letter, the European Commission offers its thoughts on whether Piracy Shield complies with the Digital Services Act (DSA), one of the key pieces of legislation that regulates the online world in the EU. The Commission wrote:

The DSA does not provide a legal basis for the issuing of orders by national administrative or judicial authorities, nor does it regulate the enforcement of such orders. Any such orders, and their means of enforcement, are to be issued on the basis of the applicable Union law or national law in compliance with Union law

In other words, the Italian government cannot just vaguely invoke the DSA to justify Piracy Shield’s extended powers. The letter goes on:

The Commission would also like to emphasise that the effective tackling of illegal content must also take into due account the fundamental right to freedom of expression and information under the Charter of Fundamental Rights of the EU. As stated in Recital 39 of the DSA “[I]n that regard, the national judicial or administrative authority, which might be a law enforcement authority, issuing the order should balance the objective that the order seeks to achieve, in accordance with the legal basis enabling its issuance, with the rights and legitimate interests of all third parties that may be affected by the order, in particular their fundamental rights under the Charter”.

This is a crucial point in the context of overblocking. Shutting down access to thousands, sometimes millions of unrelated sites as the result of a poorly-targeted injunction, clearly fails to take into account “the rights and legitimate interests of all third parties that may be affected by the order”. The European Commission also has a withering comment on Piracy Shield’s limited redress mechanism for those blocked in error:

the notified draft envisages the possibility for the addressee of the order to lodge a complaint (“reclamo”) within 5 days from the notification of the order, while the order itself would have immediate effect. The Authority must then decide on these complaints within 10 days as laid down in Article 8-bis(4), 9-bis(7) and Article 10(9) of the notified draft. The Commission notes that there do not seem to be other measures available to the addressee of the order to help prevent eventual erroneous or excessive blocking of content. Furthermore, as also explained in the Reply, the technical specifications of the Piracy Shield envisage unblocking procedures limited to 24 hours from reporting in the event of an error. This limitation to 24 hours does not seem, in principle, to respond to any justified need and could lead to persisting erroneous blockings not being resolved.

The letter concludes by inviting “the Italian authorities to take into account the above comments in the final text of the notified draft and its implementation.” That “invitation” is, of course, a polite way of ordering the Italian government to fix the problems with Piracy Shield that the letter has just run through. They may be couched in diplomatic language, but the European Commission’s “comments” are in fact a serious slapdown to a bad law that seems not to be compliant with the DSA in several crucial respects. It will be interesting to see how the Italian authorities respond to this subtle but public reprimand.

Source: As site blocks pile up, European Commission issues subtle slapdown to Italy’s Piracy Shield – Walled Culture

Nobel Prize-Winning Physicist Is Stripped of Dutch Citizenship due to stupid xenophobic Dutch rules

In 2010, he and his colleague Konstantin Novoselov — who were by then working in England — won the Nobel Prize in Physics for their experiments creating graphene, the world’s thinnest and strongest material.
His list of honors goes on and on, and Mr. Geim has the unique distinction of having been awarded both a Nobel and an Ig Nobel, a satirical honor for strange scientific achievements (in his case, levitating a frog) that seem laughable but prompt thought.
Dutch authorities were happy to claim him as Dutch. The Netherlands knighted him for his contributions to science, an honor that is officially described as “rare, being given for example to Dutch Nobel Prize laureates.” He was made a corresponding member of the Royal Netherlands Academy of Arts and Sciences.
“My bronze bust is somewhere in Den Haag to show off,” he said, referring to The Hague.
Mr. Geim moved to Britain in 2001 to work at the University of Manchester, where he remains today. His trouble began after he was offered a British knighthood, though he would not discover it until more than a dozen years later.
 
A non-Briton can receive a British knighthood, but only a British citizen is entitled to use the accompanying title, Sir or Dame. So he obtained citizenship.
“I took it to get the U.K. knighthood and to be called officially ‘Sir Andre,’ prestigious in the U.K.,” he said. “I took it only to receive the British knighthood.”
But by adopting British citizenship, he ran afoul of rules in the Netherlands, which seeks to limit dual nationalities. Voluntarily acquiring another citizenship can set off an automatic loss of Dutch citizenship.
The Dutch citizenship rules are not new, and there is a movement to loosen them. Within the European Union, multiple citizenship is fairly common, but people can also move freely from one country to another, living and working in a new home without needing a new legal status. Britain officially left the union in 2020.
In retrospect, Mr. Geim says, he might have made a different choice. “I would probably decline this knighthood if I knew the consequences for my Dutch nationality, but that was before Brexit and no one informed me about the consequences at that time.”
 
Though he says he got no practical benefit from his Dutch nationality, and did not expect to do so in the future, Mr. Geim has long seen himself as European above all else.
In an essay he wrote when he received the Nobel Prize, the physicist described growing up in Russia and experiencing discrimination in his education because of his family’s German roots, concluding that, after moving to the West in 1990, his life and work improved.
“I consider myself European and do not believe that any further taxonomy is necessary,” he wrote.
His loss is far from being the most severe at a time when migrants face increasing pressure around the world, risking — and sometimes losing — their lives to reach new shores and borders, or having rights like birthright citizenship in the United States challenged.
But his struggle with the Dutch authorities does hint at the complications immigrants face everywhere in contending with conflicting and opaque requirements, politics and unforeseeable consequences. And his difficulties show that no one is exempt from bureaucracy.
Mr. Geim — Sir Andre — says he has “spent thousands” in legal fees trying to convince Dutch authorities to let him keep his citizenship, including by citing an exception to the rule if it is in “the interest of the Dutch state,” to no avail.
Nobel or not, he said, “I was kicked out of the country as a useless thing.”

Source: Nobel Prize-Winning Physicist Is Stripped of Dutch Citizenship – The New York Times

There is a Dutch minority opinion, pushed by the anti-Islamist Geert Wilders, which has become some sort of unassailable mantra: that multiple citizenship is some sort of traitorous thing. The Netherlands has been tightening the rules more and more.

Edit: There are two laws going through the system, one since 2016 (!) and the other from 2023, aiming to allow multiple nationalities without having to give up the Dutch one:

Bill: private member's Kingdom Act bill by Paternotte and Mutluer to denounce Chapter I of the Convention on the Reduction of Cases of Multiple Nationality and Military Obligations

and

34 632 (R2080) Kingdom Act bill by the members Sjoerdsma and Kuiken amending the Netherlands Nationality Act (Rijkswet op het Nederlanderschap) in order to modernise nationality law, together with the related approval of the intention to denounce Chapter I of the Convention on the Reduction of Cases of Multiple Nationality and on Military Obligations in Cases of Multiple Nationality, concluded at Strasbourg on 6 May 1963 (Trb. 1964, 4), and with it the associated Second Protocol (Trb. 1994, 265)

Let’s hope they can get through and end the ridiculousness.

NB Andre Geim is also the Winner of an Ig Nobel Prize

Better Airplane Navigation Using Quantum Sensing of a map of the Earth’s Crust

Airbus’s Silicon Valley-based innovation center, Acubed, and artificial intelligence and quantum-focused Google spinout SandboxAQ are on a mission to demonstrate an alternate way. It involves a small, toaster-size box, lasers, a single GPU chip and a deep knowledge of the Earth’s magnetic field.
The technology, known as quantum sensing, has been in development for decades at a number of companies and is now inching closer to commercialization in aerospace.

SandboxAQ’s MagNav quantum-sensing device.

Acubed recently took MagNav, SandboxAQ’s quantum-sensing device, on a large-scale test, flying with it for more than 150 hours across the continental U.S. on a general aviation aircraft that Acubed calls its “flight lab.”
MagNav uses quantum physics to measure the unique magnetic signatures at various points in the Earth’s crust. An AI algorithm matches those signatures to an exact location. During the test, Acubed found it could be a promising alternative to GPS in its ability to determine the plane’s location throughout the flights.
“The hard part was proving that the technology could work,” said SandboxAQ Chief Executive Jack Hidary, adding that more testing and certifications will be required before the technology makes it out of the testing phase. SandboxAQ will target defense customers first but then also commercial flights, as a rise in GPS tampering makes the need for a backup navigation system on flights more urgent.
[…]
The quantum sensing device is completely analog, making it essentially unjammable and unspoofable, SandboxAQ’s Hidary said. Unlike GPS, it doesn’t rely on any digital signals that are vulnerable to hacking. The information it provides is generated entirely from the device on board, and leverages magnetic signatures from the Earth, which cannot be faked, he said.
Quantum sensing will likely not replace all the applications of traditional GPS, but it can be a reliable backup and help pilots actually know when GPS is being spoofed, Hidary said.
How it works
Inside SandboxAQ’s device, essentially a small black box, a laser fires a photon at an electron, forcing it to absorb that photon. When the laser turns off, that electron goes back to its ground state, and releases the photon. As the photon is released, it gives off a unique signature based on the strength of the Earth’s magnetic field at that particular location.
Every square meter of the world has a unique magnetic signature based on the specific way charged iron particles in the Earth’s molten core magnetize the minerals in its crust. SandboxAQ’s device tracks that signature, feeds it into an AI algorithm that runs on a single GPU, compares the signature to existing magnetic signature maps, and returns an exact location.

The flight paths used in the tests of SandboxAQ’s quantum-sensing device, MagNav.

The Federal Aviation Administration requires that while planes are en route they must be able to pinpoint their exact location within 2 nautical miles (slightly more than 2 miles). During Acubed’s testing, it found that MagNav could pinpoint location within 2 nautical miles 100% of the time, and could even pinpoint location within 550 meters, or a bit more than a quarter of a nautical mile, 64% of the time.
“It’s the first novel absolute navigation system to our knowledge in the last 50 years,” Hidary said.
What else can quantum sensing do?
EY’s Global Chief Innovation Officer Joe Depa said the applications for quantum sensing go beyond aerospace. In defense, they can also be used to detect hidden submarines and tunnels.
And in healthcare, they can even detect faint magnetic signals from the brain or heart, theoretically allowing for better diagnosis of neurological and cardiac conditions without invasive procedures.
While the technology has been in the lab for decades, we are starting to see more examples of quantum sensing entering the real world, Depa said.
Some analysts estimate the quantum-sensing market could reach between $1 billion and $6 billion by 2040, he said.

Source: Exclusive | The Secret to Better Airplane Navigation Could Be Inside the Earth’s Crust – WSJ

Cloudflare: Config change borked net access for all

There was a disturbance in the force on July 14 after Cloudflare borked a configuration change that resulted in an outage, impacting internet services across the planet.

In a blog post, the content delivery network services biz detailed the unfortunate series of events that led to Monday’s disruption.

On the day itself, “Cloudflare’s 1.1.1.1 Resolver service became unavailable to the internet starting at 21:52 UTC and ending at 22:54 UTC. The majority of 1.1.1.1 users globally were affected. For many users, not being able to resolve names using the 1.1.1.1 Resolver meant that basically all Internet services were unavailable,” Cloudflare said.

But the problem originated much earlier.

The outage was caused by a “misconfiguration of legacy systems” which are used to uphold the infrastructure advertising Cloudflare’s IP addresses to the internet.

“The root cause was an internal configuration error and not the result of an attack or a BGP hijack,” the corp said.

Back on June 6 this year, as Cloudflare was preparing a service topology for a future Data Localization Suite (DLS) service, it introduced the config gremlin – prefixes connected to the 1.1.1.1 public DNS Resolver were “inadvertently included alongside the prefixes that were intended for the new DLS service.”

“This configuration error sat dormant in the production network as the new DLS service was not yet in use, but it set the stage for the outage on July 14. Since there was no immediate change to the production network there was no end-user impact, and because there was no impact, no alerts were fired.”

On July 14, a second tweak to the service was made: Cloudflare added an offline datacenter location to the service topology for the pre-production DNS service in order “to allow for some internal testing.” But the change triggered a refresh of the global configuration of the associated routes, “and it was at this point that the impact from the earlier configuration error was felt.”

Things went awry at 2148 UTC.

“Due to the earlier configuration error linking the 1.1.1.1 Resolver’s IP addresses to our non-production service, those 1.1.1.1 IPs were inadvertently included when we changed how the non-production service was set up… The 1.1.1.1 Resolver prefixes started to be withdrawn from production Cloudflare datacenters globally.”
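The failure described above is a classic dormant misconfiguration: a production prefix is listed under a service that is not live, nothing changes on the wire, so no alert fires until an unrelated change refreshes the whole topology. A guard that runs at configuration-review time, rather than one that waits for traffic to drop, catches it when it is introduced. The following is an added example (not Cloudflare's tooling) of such a pre-deployment check. The topology format, the service names and the prefixes (including the resolver's 1.1.1.0/24 and 1.0.0.0/24 sample prefixes) are constructed for this example.

```python
"""Detect production prefixes leaking into a non-production service topology.

Added example (not Cloudflare's tooling). Models the failure described above:
a prefix that belongs to a production service is also listed under a service
that is not yet live, so nothing breaks until the next global config refresh.
The topology format, service names and prefixes below are constructed.
"""
import ipaddress


def parse_topology(topology):
    """Normalise {service: {"production": bool, "prefixes": [str]}} into network objects."""
    parsed = {}
    for name, svc in topology.items():
        nets = [ipaddress.ip_network(p, strict=True) for p in svc["prefixes"]]
        parsed[name] = {"production": bool(svc["production"]), "prefixes": nets}
    return parsed


def find_prefix_leaks(topology):
    """Return (non_prod_service, prefix, prod_service, prod_prefix) for every
    non-production prefix that equals or overlaps a production prefix.

    Overlap, not just equality, is checked: a more specific or less specific
    prefix under the wrong service would still move traffic when advertised."""
    parsed = parse_topology(topology)
    prod = [(name, pfx) for name, svc in parsed.items()
            if svc["production"] for pfx in svc["prefixes"]]
    leaks = []
    for name, svc in parsed.items():
        if svc["production"]:
            continue
        for pfx in svc["prefixes"]:
            for pname, ppfx in prod:
                if pfx.version == ppfx.version and pfx.overlaps(ppfx):
                    leaks.append((name, str(pfx), pname, str(ppfx)))
    return leaks


def validate_change(before, after):
    """Gate a topology change: return the leaks it would introduce, even when the
    non-production service is still offline (the dormant case above)."""
    new_leaks = set(find_prefix_leaks(after)) - set(find_prefix_leaks(before))
    return sorted(new_leaks)


# Constructed topologies. SAMPLE_AFTER repeats the mistake described above:
# resolver prefixes added under a pre-production service that is not yet live.
SAMPLE_BEFORE = {
    "public-dns-resolver": {"production": True,
                            "prefixes": ["1.1.1.0/24", "1.0.0.0/24"]},
    "dls-preprod": {"production": False, "prefixes": ["192.0.2.0/24"]},
}
SAMPLE_AFTER = {
    "public-dns-resolver": {"production": True,
                            "prefixes": ["1.1.1.0/24", "1.0.0.0/24"]},
    "dls-preprod": {"production": False,
                    "prefixes": ["192.0.2.0/24", "1.1.1.0/24", "1.0.0.0/25"]},
}


if __name__ == "__main__":
    for svc, pfx, prod_svc, prod_pfx in validate_change(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(f"REJECT: {svc} lists {pfx}, which overlaps {prod_svc} prefix {prod_pfx}")
```

The check deliberately compares the proposed topology against the current one and reports only newly introduced overlaps, so it can be wired into a review step as a blocking test without first having to clean up every pre-existing finding.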

Traffic began to drop four minutes later and internal health alerts started to emerge. An “incident” was declared at 2201 UTC and a fix dispatched at 2220 to restore the previous configuration.

“To accelerate full restoration of service, a manually triggered action is validated in testing locations before being executed,” Cloudflare said in its explanation of the outage. Resolver alerts were cleared by 2254 UTC and DNS traffic on Resolver prefixes went back to typical levels, it added.

Data on DNSPerf shared with us by a reader indicates a length of the disruption of around three hours, far longer than Cloudflare’s summary suggests.

As a Reg reader pointed out: “Remember this is a DNS service. Every person using the service would have had no ability to use the internet. Every business using Cloudflare had no internet for the length of the outage. NO DNS = NO INTERNET.”

Source: Cloudflare: Config change borked net access for all • The Register

UK F-35 fleet poorly supported, can’t use vital weapons, shows NAO

The F-35 stealth fighter is not meeting its potential in British service because of availability issues, a shortage of support personnel, and delays in integrating key weapons that are limiting the aircraft’s effectiveness.

The various problems are highlighted in a reality check from the UK’s National Audit Office (NAO) that offers a contrast to the typically measured tone of official government communications when it comes to the state of the country’s armed forces.

Its report calls on the Ministry of Defence (MoD) to address these problems in the F-35 fleet: firstly to increase the effectiveness of the aircraft but also to demonstrate the program is delivering value for the huge cost it represents to the taxpaying public.

Britain currently has 37 of the F-35B variant of the aircraft, which is designed for short take-off and vertical landing (STOVL) operations like the Harrier it effectively replaces in Royal Air Force (RAF) and Royal Navy service.

The NAO, a public sector spending watchdog, starts by noting that the F-35 offers capabilities “significantly superior to any previous UK aircraft,” not just because of its low radar observability, but due to its advanced sensor suite including an electro-optical targeting system and long-range infrared target sensors, which are combined to provide the pilot with an integrated picture of the space surrounding them.

However, the report finds the MoD has not been able to deliver on its own targets for aircraft availability – the proportion of time each aircraft is ready to fly – despite these targets being lower than those for the global program.

It claims that last year, the UK F-35 fleet had a mission-capable rate (the ability of an aircraft to perform at least one of its seven defined missions) about half of the MoD’s target. The full mission capable rate (the ability of an F-35 to perform all required missions) was only about one third of the MoD’s target and significantly lower than for F-35B aircraft operated by other nations.

Some reasons behind this poor performance are cited as a shortage of engineers able to work on the F-35 in Britain’s forces, plus a global shortage of F-35 spare parts.

In fact, the UK Lightning Force faces “major personnel shortages across a range of roles,” which the NAO says are not likely to be resolved for several years, although it notes the MoD is recruiting to fill some of these gaps.

According to the report, the MoD has previously underestimated the number of engineers and other staff required to support F-35 aircraft during operations.

This was highlighted during Operation Fortis, the UK-led carrier strike group deployment to the Pacific in 2021, when an aircraft was lost after a protective engine blank was erroneously left in one of the air intake ducts. This led to the aircraft not being able to generate enough thrust for take-off and ditching in the sea immediately after leaving the flight deck of HMS Queen Elizabeth.

As reported by Navy Lookout, the US Marines F-35 squadron that was onboard the carrier at the same time had 25 personnel for each jet, while the British squadron had only 14.

Just as worrying are the ongoing delays in getting key weapons integrated with the F-35 so that they can be used in operations. The report states that the original support date for the Spear 3 air-to-surface cruise missile and the Meteor medium range air-to-air missile was December last year, but the F-35 is not expected to get these until the early 2030s.

These delays have been caused by “poor supplier performance,” the NAO says, referring to the US defense firm responsible for the F-35, Lockheed Martin. However, it also criticizes Britain’s MoD for “negotiating commercial arrangements that failed to prioritize delivery” and the low priority given to Meteor by the global program.

This means that UK F-35s are currently only capable of operating with the Paveway IV laser-guided bomb and US-made missiles such as the AIM-120D.

Part of the problem is that support for many of the key weapons British forces wish to use was planned for the Block 4 upgrades to the aircraft’s systems software, and these have been massively delayed. Much of the blame for this lies with Lockheed Martin and the Joint Program Office (JPO), the agency within the US Department of Defense (DoD) responsible for overseeing the F-35 program.

It was originally expected that this would be fully delivered by 2022, but the NAO says that in 2023 the US Government Accountability Office (GAO) found that it would not be delivered until 2029, and now the JPO doesn’t expect Block 4 to be completely delivered before 2033.

There has been a certain suspicion that the US doesn’t see supporting European-made weapons as a priority, especially when F-35 operators are then forced to buy American kit instead.

Small wonder, perhaps, that Britain is pushing ahead with a program for its planned next-generation fighter – currently codenamed Tempest – that does not involve any US defense companies but partners with Japan and Italy instead.

[…]

The UK government has, however, recently disclosed that it intends to procure a new tranche of F-35 aircraft which will comprise a dozen of the F-35A version, which operates from an airfield, along with another 15 F-35B, although delivery of these is not expected until the end of the decade.

Adding another variant of the F-35 is unlikely to help with the engineer shortage, since there are significant differences between the two versions.

Meanwhile, the MoD is also behind in delivering the Aircraft Signature Assessment Facility, which is needed to check that the F-35’s much-vaunted stealth technology is doing its job and has not been degraded by the harsh conditions of operating at sea.

[…]


Source: UK F-35 fleet poorly supported, can’t use vital weapons • The Register

This ‘Molecular Shield’ Might Stop Pollen Before It Wrecks Your Nose

what if, by spraying something akin to a nasal spray, you could thwart the onslaught of those pesky allergens before they latch onto your sensitive nasal passages?

This was the “simple but powerful idea” that inspired Kaissar Tabynov, who led the efforts to create a “molecular shield” that intercepts allergens the moment they approach our airways. For the experiment, they targeted mugwort pollen, which is the most common cause of pollen allergy in Central Asia and Europe. Tabynov and colleagues reported the first proof-of-principle for this technology, in this instance with mice, in a paper published today in Frontiers in Immunology.

[…]

Here’s how the “shield” works. Researchers first develop a monoclonal antibody, or a lab-made protein designed to attach to a specific molecule. In this case it’s aimed at a major allergy-causing protein found in mugwort pollen. These antibodies are applied to the nose, effectively snatching the allergens away from our natural antibodies, which trigger allergic responses when bound with allergens.

The immune system is an intricate network of cells and hormones, so adjusting the treatment such that it wouldn’t disrupt the natural system of mice proved to be a major challenge, explained Tabynov. Not only that, mugwort pollen is actually a combination of multiple allergy-causing particles (partly the reason they’re so insufferable), meaning Tabynov’s team had to focus on the most clinically relevant parts of the allergen complex.

After several adjustments, the team succeeded in making an antibody treatment that curbed nasal inflammation and asthma symptoms in mice, and it did so without harming the animals’ natural antibodies. Although the duration of the treatment was shorter than Tabynov hoped, he told Gizmodo that he and his team have already devised a strategy to potentially make the treatment last longer.

“What’s exciting about our approach is that it shows how precise, targeted biologics can be used not just for chronic therapy but for prevention, delivered right where allergens strike,” Tabynov added. “Our approach is non-invasive, needle-free, and fast-acting [and] reduces the allergen load on the immune system and may help prevent the progression of allergic rhinitis into more severe conditions such as bronchial asthma.”

[…]

Source: This ‘Molecular Shield’ Might Stop Pollen Before It Wrecks Your Nose

Bug Hunters Gain Access to 64 Million McDonald’s Job Applicants’ Info by Using the Password ‘123456’

A recruitment platform used by McDonald’s is alleged to have had such poor cybersecurity that researchers were able to log into it using a non-password and thus gain access to information on tens of millions of job applicants, including contact details and chat logs between the user and the restaurant’s AI bot.

The platform in question, called McHire, operates a chatbot, dubbed Olivia. Job applicants chat with Olivia, who, in an effort to decide whether they’re worthy of flipping hamburgers or not, assesses them via a personality test. The bot was created by a company called Paradox.ai.

Security researchers Sam Curry and Ian Carroll found that, using the username/password combination 123456/123456, they were able to log into the application, where they were given access to a treasure trove of information on job applicants. Indeed, Curry and Carroll were able to “retrieve the personal data of more than 64 million applicants,” the researchers write.

Their write-up is as hilarious as it is disturbing. The duo notes:

“Without much thought, we entered “123456” as the username and “123456” as the password and were surprised to see we were immediately logged in! It turned out we had become the administrator of a test restaurant inside the McHire system.”

The information included names, email addresses, phone numbers, addresses, the state where the job candidate lived, and the auth token they used to gain access to the website. Additionally, Curry and Carroll could see “every chat interaction [from every person] that has ever applied for a job at McDonald’s.”
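The credential the researchers used fails every basic test a password policy can apply: it is short, on any common-password list, identical to the username, and a straight run of digits. What makes the story notable is that the account was a test account, which is exactly the kind that escapes a policy enforced only on real users. The following is an added example (not Paradox.ai's or McHire's code) of a check applied at password-set time plus an inventory audit that catches test and demo accounts left at such values. MIN_LENGTH, the denylist and the sample accounts are constructed for this example.

```python
"""Reject the kind of credential described above, and audit inventories for it.

Added example, not Paradox.ai's or McHire's code. check_credential() returns
the reasons a username/password pair is unacceptable; audit_accounts() applies
it to an account inventory so that test or demo accounts left at defaults
surface before an outsider finds them. MIN_LENGTH, DENYLIST and the sample
accounts are constructed for this example.
"""
MIN_LENGTH = 12  # assumption; set to your own policy value

# Small constructed denylist; a real deployment loads a full breached-password list.
DENYLIST = {"123456", "password", "12345678", "qwerty", "admin", "letmein", "welcome"}


def is_sequential_digits(s):
    """True for all-digit strings that step by +1 or -1 throughout, e.g. 123456 or 987654."""
    if len(s) < 2 or not s.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def check_credential(username, password):
    """Return the list of policy failures for a username/password pair (empty if acceptable)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if password.lower() in DENYLIST:
        reasons.append("in_denylist")
    if username and username.lower() in password.lower():
        reasons.append("matches_username")
    if is_sequential_digits(password):
        reasons.append("sequential_digits")
    if len(set(password)) == 1:
        reasons.append("repeated_char")
    return reasons


def audit_accounts(accounts):
    """Return [(username, role, reasons)] for every account whose credential fails.

    accounts: iterable of dicts with 'username', 'password' and 'role' (constructed
    shape). In practice this runs at set/reset time or against a candidate list;
    plaintext appears here only because the inventory is constructed."""
    findings = []
    for acct in accounts:
        reasons = check_credential(acct["username"], acct["password"])
        if reasons:
            findings.append((acct["username"], acct.get("role", "unknown"), reasons))
    return findings


# Constructed inventory: a test-restaurant admin at defaults, a demo account
# reusing its name, and a service account with an acceptable passphrase.
SAMPLE_ACCOUNTS = [
    {"username": "123456", "password": "123456", "role": "test-restaurant-admin"},
    {"username": "demo", "password": "demo", "role": "demo"},
    {"username": "svc_reporting", "password": "Kite-Orbit-Lantern-49", "role": "service"},
]


if __name__ == "__main__":
    for user, role, reasons in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{user} ({role}): {', '.join(reasons)}")
```

Running the audit over every account, including ones tagged as test or demo, is the point: a policy that only gates the sign-up form leaves exactly the account the researchers walked into.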

[…]

Source: Bug Hunters Gain Access to 64 Million McDonald’s Job Applicants’ Info by Using the Password ‘123456’

Watch out, another max-severity Cisco bug on the loose

Cisco has issued a patch for a critical 10 out of 10 severity bug in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could allow an unauthenticated, remote attacker to run arbitrary code on the operating system with root-level privileges.

ISE is a network access control and security policy management platform, and ISE-PIC centralizes identity management across security tools. And this vulnerability, tracked as CVE-2025-20337, is about the worst of the worst, allowing miscreants to take total control of compromised computers easily. In other words – patch now.

The vendor disclosed CVE-2025-20337 on Wednesday in an update to a June security advisory about two other max-severity flaws in the same products. The new bug is related to CVE-2025-20281, one of the two disclosed in June, which also received a 10 CVSS rating and affects ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration.

“These vulnerabilities are due to insufficient validation of user-supplied input,” Cisco noted. “An attacker could exploit these vulnerabilities by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.”

There are no workarounds, but Cisco has released a software update that fixes both flaws, along with another critical-rated bug tracked as CVE-2025-20282 disclosed in June.

The vendor noted that since the original publication of the security advisory last month, “improved fixed releases have become available” and customers should upgrade as follows:

  • If Cisco ISE is running Release 3.4 Patch 2, no further action is necessary.
  • If Cisco ISE is running Release 3.3 Patch 6, additional fixes are available in Release 3.3 Patch 7, and the device must be upgraded.
  • If Cisco ISE has either hot patch ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or hot patch ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz installed, Cisco recommends upgrading to Release 3.3 Patch 7 or Release 3.4 Patch 2. The hot patches did not address CVE-2025-20337.
  • […]

Source: Watch out, another max-severity Cisco bug on the loose • The Register

Google Ordered to Pay $314M for Misusing Android Users’ Cellular Data Without Permission – calling home 389 times per day even when completely idle and all Google apps closed!

Google has been ordered by a court in the U.S. state of California to pay $314 million over charges that it misused Android device users’ cellular data when they were idle to passively send information to the company.

The verdict marks an end to a legal class-action complaint that was originally filed in August 2019.

In their lawsuit, the plaintiffs argued that Google’s Android operating system leverages users’ cellular data to transmit a “variety of information to Google” without their permission, even when their devices are kept in an idle state.

“Although Google could make it so that these transfers happen only when the phones are connected to Wi-Fi, Google instead designed these transfers so they can also take place over a cellular network,” they said.

“Google’s unauthorized use of their cellular data violates California law and requires Google to compensate Plaintiffs for the value of the cellular data that Google uses for its own benefit without their permission.”

The transfers, the plaintiffs argued, occur when Google properties are open and operating in the background, even in situations where a user has closed all Google apps, and their device is dormant, thereby misappropriating users’ cellular data allowances.

In one instance, the plaintiffs found that a Samsung Galaxy S7 device with the default settings and the standard pre-loaded apps, and connected to a new Google account, sent and received 8.88 MB/day of cellular data, out of which 94% of the communications were between Google and the device.

The information exchange happened approximately 389 times within a span of 24 hours. The transferred information mainly consisted of log files containing operating system metrics, network state, and the list of open apps.

“Log files are typically not time-sensitive, and transmission of them could easily be delayed until Wi-Fi is available,” according to court documents.

“Google could also program Android to allow users to enable passive transfers only when they are on Wi-Fi connections, but apparently it has chosen not to do so. Instead, Google has chosen to simply take advantage of Plaintiffs’ cellular data allowances.”

That’s not all. The court complaint also cited another 2018 experiment that found that an Android device that was “outwardly dormant and stationary” but had the Chrome web browser app opened and in the background resulted in about 900 passive transfers in 24 hours.

[…]

Source: Google Ordered to Pay $314M for Misusing Android Users’ Cellular Data Without Permission

Wow! And when did anyone agree to send this much data about their phone to Google then?

Synology starts selling overpriced underperforming 1.6 TB SSDs for $535 — self-branded, archaic PCIe 3.0 SSDs the only option to meet ‘certified’ criteria being enforced on newer NAS models

Synology has begun selling its newest SNV5400 enterprise NAS SSDs, and the asking prices for what you receive are nothing short of shocking. For a 1.6 TB NVMe SSD at PCIe Gen3 speeds, Synology is asking $535 on B&H Photo Video, while many competing devices retail for around $100. The new SNV5400 family, which also includes 400GB and 800GB models, is one of only a few Synology-branded SSD families compatible with certain Synology NAS models due to the company’s new restrictive compatibility requirements.

Synology recently announced its plans to require the use of approved SSDs for certain NAS systems. To date, only Synology-branded SSDs have received the stamp of approval from the company. While previous SSD releases from Synology have remained marginally in line with market rates for SSDs, the SNV5400 family significantly exceeds the comparative pricing of the market.

Synology’s newest drives, which were first seen online at a gobsmacking €620 from one Newegg shop, are priced comfortably above any other similar models in the industry.

[…]

The unfortunate thing about the Synology SNV5400 family is that it feels like it arrived several years too late. PCIe 3.0 has largely been left behind, as most storage manufacturers are now transitioning to PCIe 5.0, leaving PCIe 4.0 also in the dust. What’s more, the SNV5420’s endurance is vastly outclassed by its competitors; Western Digital’s WD Red SN700 SSD, another PCIe 3.0 NAS drive, advertises a TBW of 5100TB, nearly double what Synology offers.

[…]

While some loopholes exist for using non-approved drives in newer Synology NAS units (like this one written in German), eventually Synology customers may be forced to pay the hefty Synology tax for their off-the-shelf NAS solutions. Perhaps independent testing reveals some fairy dust in the new units that deserves its hefty upcharge, but we haven’t found any from Synology’s own site just yet.

Source: Synology starts selling overpriced 1.6 TB SSDs for $535 — self-branded, archaic PCIe 3.0 SSDs the only option to meet ‘certified’ criteria | Tom’s Hardware

Your Samsung phone has a secret Wi-Fi menu. Here’s how to find it

One such example is the “Connectivity Labs” Wi-Fi settings menu. It’s buried deep in the Settings app on your Samsung phone, and it’s something I didn’t know existed until just the other day. Which is a shame, because there’s some really cool stuff in here. Let me show you.

How to find Samsung’s secret Wi-Fi settings

Connectivity Labs toggle on a Samsung phone.

So, where is this hidden Wi-Fi settings menu? Here’s how to find and activate it:

  1. Open the Settings app on your Samsung phone.
  2. Tap Connections.
  3. Tap Wi-Fi.
  4. Tap the three dots in the upper-right corner.
  5. Tap Intelligent Wi-Fi.

From this page, find the Intelligent Wi-Fi button at the bottom and repeatedly tap it. You’ll see a pop-up letting you know that Connectivity Labs will be enabled if you keep tapping, so keep on doing that until you see the new Connectivity Labs option appear below Intelligent Wi-Fi.

It seems that Connectivity Labs was quietly added sometime in 2023, and it recently garnered a fresh batch of attention over the weekend on the r/SamsungGalaxy subreddit.

I’ve confirmed that Connectivity Labs is available on Samsung phones running One UI 7 and the One UI 8 Beta. Given that Connectivity Labs was introduced in 2023, it should also be present on Samsung phones that still have One UI 6.

The best Connectivity Labs features you should try

Samsung Connectivity Labs page.

Once Connectivity Labs is enabled, you’ll find a swath of new settings to play around with. The page starts by showing a graph of your Wi-Fi time and usage over the past week, including which specific bands you were using. It’s neat, but there are far more interesting things to check out.

Scroll past this graph, and you’re met with a laundry list of settings and toggles. You can play with all of them if you want, but I want to highlight a few of my favorites.

The first option on the list, Home Wi-Fi inspection, is particularly cool. Once you select it and tap on your home Wi-Fi network, you’re asked to walk around your house while the feature tests all the different access points and bands of your router, determining if there are any weak signal areas.

There are also some helpful toggles to configure how your phone stays connected to Wi-Fi networks and when it disconnects from them. The Switching to mobile data faster toggle, for example, will stop your phone from holding onto a weak Wi-Fi signal for too long and jump to your mobile data sooner than it typically does — something you may want to enable if you have an unlimited data plan and aren’t worried about your mobile data usage.

Auto reconnect to carrier Wi-Fi is another interesting setting. If you have a carrier like Xfinity Mobile or Spectrum Mobile, your phone probably automatically connects to your carrier’s public Wi-Fi hotspots to supplement your cell coverage. This is enabled by default, but if you don’t want that to happen, you can easily disable it from this menu.

I also quite like the Customize Wi-Fi list settings page. From here, you can enable a filter button on your main Wi-Fi networks page. When you tap it, you can choose to only see secured networks, Wi-Fi 6 connections, etc.

Finally, if you tap Wi-Fi developer options at the bottom of the Connectivity Labs page, you’ll find an entirely new menu of even more Wi-Fi settings to fiddle with.

Wi-Fi information page in Samsung's Connectivity Labs.

You can probably ignore most of these, but the Nearby Wi-Fi information page is quite helpful. It displays a list of all nearby Wi-Fi networks, along with their signal strengths, categorized as Best, Good, Bad, and Worst. If you’re in an area with a lot of public Wi-Fi networks to choose from, this could be a great way to ensure you choose the best one.

Who knew this was here?

Wi-Fi settings toggles in Samsung's Connectivity Labs page.

Had I not stumbled across that recent Reddit thread, I probably never would have known that Connectivity Labs existed. And given the small amount of reporting/discussion there is about Connectivity Labs online, it seems that most people don’t know about it either.

I’m not sure why Samsung has these settings buried so deeply and behind so many sub-menus. There’s genuinely useful stuff here, and while some of the settings are a bit technical, almost anyone can benefit from features like the home Wi-Fi inspection and the Wi-Fi filter menu.

I’d love to see Samsung make some of these settings more obvious, but until that happens, hopefully, this article helped you find them.

Source: Your Samsung phone has a secret Wi-Fi menu. Here’s how to find it

Someone Built a Concept Ad Blocker for Real Life, and I Can’t Wait to Try It

I use as many ad-blocking programs as possible, but no matter how many I install, real-life advertising is still there, grabbing my attention when I’m just trying to go for a walk. Thankfully, there may be a solution on the horizon. Software engineer Stijn Spanhove recently posted a concept video showing what real-time, real-life ad-blocking looks like on a pair of Snap Spectacles, and I really want it. Check it out:

The idea is that the AI in your smart glasses recognizes advertisements in your visual field and “edits them out” in real time, sparing you from ever seeing what they want you to see.

While Spanhove’s video shows a red block over the offending ads, you could conceivably cover that Wendy’s ad with anything you want—an abstract painting, a photo of your family, an ad for Arby’s, etc.

Source: Someone Built an Ad Blocker for Real Life, and I Can’t Wait to Try It

Note – it looks like Stijn took everything related to this down. So it’s probably just a concept. But it’s a really cool concept!

Proton joins anti-Apple lawsuit to force App Store changes in the US

Secure comms biz Proton has joined a lawsuit that alleges Apple’s anticompetitive ways are harming developers, consumers, and privacy.

Proton is a Switzerland-based (for now) provider of encrypted communications services and on Monday filed a legal complaint [PDF] against Apple, claiming the iGiant is abusing its control of iOS and the App Store in ways that reduce competition.

Apple has been fighting legal battles on this front for some time. Most notably, Epic Games sued in 2020 to try and allow itself and other app makers to sell its wares for use on Apple devices through channels other than Apple’s own App Store and payment systems. While Apple mostly won that case, the court said it had to allow third-party developers to inform customers of payment systems other than Apple’s own. (A judge recently questioned whether Apple has complied and pondered whether the company is in contempt of court.)

In Europe, regulators have taken a harder line, forcing the mega-biz to allow sales of iOS apps on third-party app stores.

Proton would like to see that happen in the US and has therefore asked the US District Court for Northern California to require Apple to get out of the way and give app developers direct access to customers. The company’s filing suggests making that happen by requiring Apple to allow alternative app stores, expose those stores through its own Apple App Store, and allow developers to disable Apple’s in-app payment system and to gain full access to Apple APIs.

[…]

Rather than suing anew, Proton is joining a group of Korean developers that took Apple to a US court in May [PDF] on similar grounds.

“We believe that Apple’s conduct constitutes further violations of US antitrust law,” Proton said in a blog post.

“Without this case, Apple could get away with behavior in the US that is already outlawed in the European Union. If this were to happen, American consumers, and developers focused on the American market, would have to pay higher prices for fewer choices, and be left at a disadvantage.”

Proton’s complaint covers many of the same issues raised by Epic and other app makers, and adds a novel argument that Apple’s system also harms user privacy. The Swiss company argues that developers of free apps usually harvest user data and sell that to cover their bills. Companies like Proton that don’t collect or sell user data have no choice but to charge subscriptions for revenue. Apple’s pricing model particularly penalizes these companies by taking a cut of annual subscriptions sold on its App Store.

The post also revisits Proton’s 2020 run-in with Apple that saw the iBiz reject an update to Proton’s VPN after the Swiss company pointed out it could be used to “unblock censored web sites.” Apple eventually relented but the episode shows how Apple puts profit before privacy, Proton argued.

“We don’t question Apple’s right to act on behalf of authoritarians for the sake of profit, but Apple’s monopoly over iOS app distribution means it can enforce this perverse policy on all app developers, forcing them to also be complicit,” it wrote.

[…]

Source: Proton joins anti-Apple lawsuit to force App Store changes • The Register

A tiny implant just helped paralyzed rats walk again—is human recovery next? | ScienceDaily

A groundbreaking study from the University of Auckland and Chalmers University of Technology is offering new hope for spinal cord injury patients. Researchers have developed an ultra-thin implant that delivers gentle electric currents directly to the injured spinal cord. This device mimics natural developmental signals to stimulate nerve healing, and in animal trials, it restored movement and touch sensation in rats—without causing inflammation or damage.

[…]

Spinal cord injuries shatter the signal between the brain and body, often resulting in a loss of function. “Unlike a cut on the skin, which typically heals on its own, the spinal cord does not regenerate effectively, making these injuries devastating and currently incurable,”

[…]

“We developed an ultra-thin implant designed to sit directly on the spinal cord, precisely positioned over the injury site in rats,” Dr Harland says.

The device delivers a carefully controlled electrical current across the injury site. “The aim is to stimulate healing so people can recover functions lost through spinal-cord injury,” Professor Darren Svirskis, director of the CatWalk Cure Program at the University’s School of Pharmacy says.

[…]

After four weeks, animals that received daily electric field treatment showed improved movement compared with those who did not.

Throughout the 12-week study, they responded more quickly to gentle touch.

“This indicates that the treatment supported recovery of both movement and sensation,” Harland says. “Just as importantly, our analysis confirmed that the treatment did not cause inflammation or other damage to the spinal cord, demonstrating that it was not only effective but also safe.”

[…]

Source: A tiny implant just helped paralyzed rats walk again—is human recovery next? | ScienceDaily

Scientists Discover Unknown Organelle Inside Our Cells

The organelle, a type of specialized structure, has been dubbed a “hemifusome” by its discoverers at the University of Virginia School of Medicine and the National Institutes of Health. This little organelle has a big job helping our cells sort, recycle and discard important cargo within themselves, the scientists say. The new discovery could help scientists better understand what goes wrong in genetic conditions that disrupt these essential housekeeping functions.

“This is like discovering a new recycling center inside the cell,” said researcher Seham Ebrahim, PhD, of UVA’s Department of Molecular Physiology and Biological Physics. “We think the hemifusome helps manage how cells package and process material, and when this goes wrong, it may contribute to diseases that affect many systems in the body.”

[…]

The scientists used UVA’s expertise in cryo-electron tomography (cryo-ET) – a powerful imaging method that “freezes” cells in time – to create striking images of the organelle.

The scientists believe hemifusomes facilitate the formation of vesicles, tiny blister-like sacs that act as mixing bowls, and of organelles made up of multiple vesicles. This process is critical to cellular sorting, recycling and debris disposal, the researchers report.

“You can think of vesicles like little delivery trucks inside the cell,” said Ebrahim, of UVA’s Center for Membrane and Cell Physiology. “The hemifusome is like a loading dock where they connect and transfer cargo. It’s a step in the process we didn’t know existed.”

While the hemifusomes have escaped detection until now, the scientists say they are surprisingly common in certain parts of our cells.

[…]

“Now that we know hemifusomes exist, we can start asking how they behave in healthy cells and what happens when things go wrong. That could lead us to new strategies for treating complex genetic diseases.”

Findings Published

The researchers have published their findings in the scientific journal Nature Communications. The research team consisted of Amirrasoul Tavakoli, Shiqiong Hu, Ebrahim and Kachar.

The research was supported by the NIH’s National Institute on Deafness and Other Communications Disorders, grant Z01-DC000002; the Owens Family Foundation; and a startup grant from UVA’s Center for Cell and Membrane Physiology.

Source: Scientists Discover Unknown Organelle Inside Our Cells

Update your Brother printer: Multiple Critical Vulnerabilities found

Rapid7 conducted a zero-day research project into multifunction printers (MFP) from Brother Industries, Ltd. This research resulted in the discovery of 8 new vulnerabilities. Some or all of these vulnerabilities have been identified as affecting 689 models across Brother’s range of printer, scanner, and label maker devices. Additionally, 46 printer models from FUJIFILM Business Innovation, 5 printer models from Ricoh, 2 printer models from Toshiba Tec Corporation, and 6 models from Konica Minolta, Inc. are affected by some or all of these vulnerabilities. In total, 748 models across 5 vendors are affected. Rapid7, in conjunction with JPCERT/CC, has worked with Brother over the last thirteen months to coordinate the disclosure of these vulnerabilities.

The most serious of the findings is the authentication bypass CVE-2024-51978. A remote unauthenticated attacker can leak the target device’s serial number through one of several means, and in turn generate the target device’s default administrator password. This is due to the discovery of the default password generation procedure used by Brother devices. This procedure transforms a serial number into a default password. Affected devices have their default password set, based on each device’s unique serial number, during the manufacturing process. Brother has indicated that this vulnerability cannot be fully remediated in firmware, and has required a change to the manufacturing process of all affected models. Only affected models that are made via this new manufacturing process will be fully remediated against CVE-2024-51978. For all affected models made via the old manufacturing process, Brother has provided a workaround.

A summary of the 8 vulnerabilities is shown below:

| CVE | Description | Affected Service | CVSS |
|---|---|---|---|
| CVE-2024-51977 | An unauthenticated attacker can leak sensitive information. | HTTP (Port 80), HTTPS (Port 443), IPP (Port 631) | 5.3 (Medium) |
| CVE-2024-51978 | An unauthenticated attacker can generate the device’s default administrator password. | HTTP (Port 80), HTTPS (Port 443), IPP (Port 631) | 9.8 (Critical) |
| CVE-2024-51979 | An authenticated attacker can trigger a stack based buffer overflow. | HTTP (Port 80), HTTPS (Port 443), IPP (Port 631) | 7.2 (High) |
| CVE-2024-51980 | An unauthenticated attacker can force the device to open a TCP connection. | Web Services over HTTP (Port 80) | 5.3 (Medium) |
| CVE-2024-51981 | An unauthenticated attacker can force the device to perform an arbitrary HTTP request. | Web Services over HTTP (Port 80) | 5.3 (Medium) |
| CVE-2024-51982 | An unauthenticated attacker can crash the device. | PJL (Port 9100) | 7.5 (High) |
| CVE-2024-51983 | An unauthenticated attacker can crash the device. | Web Services over HTTP (Port 80) | 7.5 (High) |
| CVE-2024-51984 | An authenticated attacker can disclose the password of a configured external service. | LDAP, FTP | 6.8 (Medium) |

[…]

Source: Multiple Brother Devices: Multiple Vulnerabilities (FIXED) – Rapid7 Blog

Ahold Delhaize says 2.2M affected after cyberattack

Multinational grocery and retail megacorp Ahold Delhaize says upwards of 2.2 million people had their data compromised during its November cyberattack with personal, financial and health details among the trove.

Ahold Delhaize operates a network of stores in Europe and the US via brands including Food Lion, Stop & Shop and Giant. It also has a substantial web business. It employs more than 400,000 staff and serves around 63 million customers a week.

The digital break-in late last year caused disruption across its organization, with some Stop & Shop stores struggling to fill prescriptions due to IT issues, while Food Lion employees took to social media complaining about delayed and missing deliveries.

Now Ahold Delhaize has confirmed more details via a notification filed with the Office of the Maine Attorney General, revealing the data of more than 2.24 million individuals was exposed.

Different people will have had different data points compromised, it added, and said the following may be in the wrong hands:

  • Names
  • Contact information (postal address, email address, and telephone number)
  • Dates of birth
  • Government-issued identification numbers (Social Security, passport and driver’s license numbers)
  • Financial account information (including bank account numbers)
  • Health information (workers’ compensation information and medical information contained in employment records)
  • Employment-related information

In a “Notice of Data Breach” letter sent to impacted individuals, Ahold Delhaize made no reference to customer data, saying only that investigations revealed “personal information contained in employment records related to you or your family member” may have been accessed.

This indicates the breach involved current and former staff.

[…]

Source: Ahold Delhaize says 2.2M affected after cyberattack • The Register

Android 16 can warn you that you might be connected to a fake cell tower

[…] Google has been working on ways to warn Android users or prevent them from sending communications over insecure cellular networks.

With the release of Android 12, for example, Google added support for disabling 2G connectivity at the modem level. In Android 14, the company followed up by supporting the disabling of connections that use null ciphers — a form of unencrypted communication. More recently, Android 15 added support for notifying the OS when the network requests a device’s unique identifiers or tries to force a new ciphering algorithm. These features directly counter the tactics used by commercial “stingrays,” which trick devices into downgrading to 2G or using null ciphers to make their traffic easier to intercept. Blocking these connections and notifying the user about these requests helps protect them from surveillance.

2G network protection toggle in Android 16
The toggle to disable 2G networks in Android 16 on a Pixel 9a.

Unfortunately, only one of these three features is widely available: the ability to disable 2G connectivity. The problem is that implementing these protections requires corresponding changes to a phone’s modem driver. The feature that notifies the OS about identifier requests, for example, requires a modem that supports version 3.0 of Android’s IRadio hardware abstraction layer (HAL). This dependency is why these security features are missing on current Pixel phones and other devices, and it’s also likely why Google delayed launching the dedicated “mobile network security” settings page it planned for Android 15.

Since upcoming devices launching with Android 16 will support version 3.0 of Android’s IRadio HAL, Google is reintroducing the “mobile network security” settings page in the Safety Center (Settings > Security & privacy). This page contains two subsections:

  • Notifications
    • This subsection contains a “Network notifications” toggle. When enabled, it allows the system to warn you if your device connects to an unencrypted network or when the network requests your phone’s unique identifiers. This toggle is disabled by default in Android 16.
  • Network generation
    • This subsection features a “2G network protection” toggle that enables or disables the device’s 2G connectivity. This is the same toggle found in the main SIM settings menu, and it is also disabled by default in Android 16.
Mobile network security settings in Android 16

The “Mobile network security” page will only appear on devices that support both the “2G network protection” toggle and the “network notifications” feature. This is why it doesn’t appear on any current Pixel devices running Android 16, as they lack the necessary modem support for the network notifications feature.

When the “Network notifications” feature is enabled, Android will post a message in the notification panel and the Safety Center whenever your device switches from an encrypted to an unencrypted network, or vice versa. It will also post an alert in both places when the network accesses your phone’s unique identifiers, detailing the time and number of times they were requested.

[…]

Source: Android 16 can warn you that you might be connected to a fake cell tower – Android Authority

The Conservatives On The Supreme Court Are So Scared Of Nudity, They Threw Out The First Amendment

The Supreme Court this morning took a chainsaw to the First Amendment on the internet, and the impact is going to be felt for decades going forward. In the FSC v. Paxton case, the Court upheld the very problematic 5th Circuit ruling that age verification online is acceptable under the First Amendment, despite multiple earlier Supreme Court rulings that said the opposite.

Justice Thomas wrote the 6-3 majority opinion, with Justice Kagan writing the dissent (joined by Sotomayor and Jackson). The practical effect: states can now force websites to collect government IDs from anyone wanting to view adult content, creating a massive chilling effect on protected speech and opening the door to much broader online speech restrictions.

Thomas accomplished this by pulling off some remarkable doctrinal sleight of hand. He ignored the Court’s own precedents in Ashcroft v. ACLU by pretending online age verification is just like checking ID at a brick-and-mortar store (it’s not), applied a weaker “intermediate scrutiny” standard instead of the “strict scrutiny” that content-based speech restrictions normally require, and—most audaciously—invented an entirely new category of “partially protected” speech that conveniently removes First Amendment protections exactly when the government wants to burden them. As Justice Kagan’s scathing dissent makes clear, this is constitutional law by result-oriented reasoning, not principled analysis.

[…]

The real danger here isn’t just Texas’s age verification law—it’s that Thomas has handed every state legislature a roadmap for circumventing the First Amendment online. His reasoning that “the internet has changed” and that intermediate scrutiny suffices for content-based restrictions will be cited in countless future cases targeting online speech. Expect age verification requirements to be attempted for social media platforms (protecting kids from “harmful” political content), for news sites (preventing minors from accessing “disturbing” coverage), and for any online speech that makes moral authorities uncomfortable.

And yes, to be clear, the majority opinion seeks to limit this just to content deemed “obscene” to avoid such problems, but it’s written so broadly as to at least open up challenges along these lines.

Thomas’s invention of “partially protected” speech, that somehow means you can burden those for which it is protected, is particularly insidious because it’s infinitely expandable. Any time the government wants to burden speech, it can simply argue that the burden is built into the right itself—making First Amendment protection vanish exactly when it’s needed most. This isn’t constitutional interpretation; it’s constitutional gerrymandering.

The conservative justices may think they’re just protecting children from pornography, but they’ve actually written a permission slip for the regulatory state to try to control online expression.

[…]

By creating his “partially protected” speech doctrine and blessing age verification burdens that would have been unthinkable a decade ago, Thomas has essentially told state governments: find the right procedural mechanism, and you can burden any online speech you dislike. Today it’s pornography. Tomorrow it will be political content that legislators deem “harmful to minors,” news coverage that might “disturb” children, or social media discussions that don’t align with official viewpoints.

The conservatives may have gotten their victory against online adult content, but they’ve handed every future administration—federal and state—a blueprint for dismantling digital free speech. They were so scared of nudity that they broke the Constitution. The rest of us will be living with the consequences for decades.

Source: The Conservatives On The Supreme Court Are So Scared Of Nudity, They’ll Throw Out The First Amendment | Techdirt

Denmark to tackle deepfakes by giving people copyright to their own features

The Danish government is to clamp down on the creation and dissemination of AI-generated deepfakes by changing copyright law to ensure that everybody has the right to their own body, facial features and voice.

The Danish government said on Thursday it would strengthen protection against digital imitations of people’s identities with what it believes to be the first law of its kind in Europe.

[…]

It defines a deepfake as a very realistic digital representation of a person, including their appearance and voice.

[…]

“In the bill we agree and are sending an unequivocal message that everybody has the right to their own body, their own voice and their own facial features, which is apparently not how the current law is protecting people against generative AI.”

He added: “Human beings can be run through the digital copy machine and be misused for all sorts of purposes and I’m not willing to accept that.”

[…]

The changes to Danish copyright law will, once approved, theoretically give people in Denmark the right to demand that online platforms remove such content if it is shared without consent.

It will also cover “realistic, digitally generated imitations” of an artist’s performance without consent. Violation of the proposed rules could result in compensation for those affected.

The government said the new rules would not affect parodies and satire, which would still be permitted.

[…]

Source: Denmark to tackle deepfakes by giving people copyright to their own features | Deepfake | The Guardian

An interesting take on it. I am curious how this goes – defending copyright can be a very detailed thing, so what happens if someone alters someone else’s eyebrows in the deepfake by making them a millimetre longer? Does that invalidate the whole copyright?

This breakthrough turns old tech into pure gold — No mercury, no cyanide, just light and salt

An interdisciplinary team of experts in green chemistry, engineering and physics at Flinders University in Australia has developed a safer and more sustainable approach to extract and recover gold from ore and electronic waste.

Explained in the leading journal Nature Sustainability, the gold-extraction technique promises to reduce levels of toxic waste from mining and shows that high purity gold can be recovered from recycling valuable components in printed circuit boards in discarded computers.

The project team, led by Matthew Flinders Professor Justin Chalker, applied this integrated method for high-yield gold extraction from many sources – even recovering trace gold found in scientific waste streams.

The progress toward safer and more sustainable gold recovery was demonstrated for electronic waste, mixed-metal waste, and ore concentrates.

“The study featured many innovations including a new and recyclable leaching reagent derived from a compound used to disinfect water,” says Professor of Chemistry Justin Chalker, who leads the Chalker Lab at Flinders University’s College of Science and Engineering.

“The team also developed an entirely new way to make the polymer sorbent, or the material that binds the gold after extraction into water, using light to initiate the key reaction.”

Extensive investigation into the mechanisms, scope and limitations of the methods is reported in the new study, and the team now plans to work with mining and e-waste recycling operations to trial the method on a larger scale.

“The aim is to provide effective gold recovery methods that support the many uses of gold, while lessening the impact on the environment and human health,” says Professor Chalker.

The new process uses a low-cost and benign compound to extract the gold. This reagent (trichloroisocyanuric acid) is widely used in water sanitation and disinfection. When activated by salt water, the reagent can dissolve gold.

Next, the gold can be selectively bound to a novel sulfur-rich polymer developed by the Flinders team. The selectivity of the polymer allows gold recovery even in highly complex mixtures.

The gold can then be recovered by triggering the polymer to “un-make” itself and convert back to monomer. This allows the gold to be recovered and the polymer to be recycled and re-used.

[…]

The team also collaborated with experts in the US and Peru to validate the method on ore, in an effort to support small-scale mines that otherwise rely on toxic mercury to amalgamate gold.

Gold mining typically uses highly toxic cyanide to extract gold from ore, with risks to the wildlife and the broader environment if it is not contained properly. Artisanal and small-scale gold mines still use mercury to amalgamate gold. Unfortunately, the use of mercury in gold mining is one of the largest sources of mercury pollution on Earth.

[…]

ARC DECRA Fellow Dr Nicholls adds: “The newly developed gold sorbent is made using a sustainable approach in which UV light is used to make the sulfur-rich polymer. Then, recycling the polymer after the gold has been recovered further increases the green credentials of this method.”

[…]

Story Source:

Materials provided by Flinders University.

Journal Reference:

  1. Maximilian Mann, Thomas P. Nicholls, Harshal D. Patel, Lynn S. Lisboa, Jasmine M. M. Pople, Le Nhan Pham, Max J. H. Worthington, Matthew R. Smith, Yanting Yin, Gunther G. Andersson, Christopher T. Gibson, Louisa J. Esdaile, Claire E. Lenehan, Michelle L. Coote, Zhongfan Jia, Justin M. Chalker. Sustainable gold extraction from ore and electronic waste. Nature Sustainability, 2025; DOI: 10.1038/s41893-025-01586-w

Source: This breakthrough turns old tech into pure gold — No mercury, no cyanide, just light and salt | ScienceDaily

Why cats prefer to sleep on their left side may be part of a survival strategy

An international research team that analyzed several hundred YouTube videos of sleeping cats found that they prefer to sleep on their left side. The researchers see this bias as an evolutionary advantage because it favors hunting and escape behavior after waking up.

The team from the University of Bari Aldo Moro (Italy), Ruhr University Bochum, Medical School Hamburg and other partners in Germany, Canada, Switzerland and Turkey report on the study in the journal Current Biology, published online on June 23, 2025.

All animals are particularly vulnerable while sleeping. Cats sleep around 12 to 16 hours a day, preferably in elevated places where their predators can only access them from below.

The research team led by Dr. Sevim Isparta from the Animal Physiology and Behavior Research Unit in Bari and Professor Onur Güntürkün from the Bochum working group Biopsychology wanted to find out whether cats prefer to sleep on one side or the other. “Asymmetries in behavior can have advantages because both hemispheres of the brain specialize in different tasks,” says Onur Güntürkün.

Video credit: Current Biology (2025). DOI: 10.1016/j.cub.2025.04.043

Perceiving dangers with the left visual field brings advantages

The group analyzed 408 publicly available YouTube videos in which a single cat was clearly visible with its entire body sleeping on one side for at least 10 seconds. Only original videos were used; modified or flipped material was excluded from the study. Two-thirds of the videos showed cats sleeping on their left side.

The explanation: Cats that sleep on their left side perceive their surroundings upon awakening with their left visual field, which is processed in the right hemisphere of the brain. This hemisphere is specialized in spatial awareness, the processing of threats and the coordination of rapid escape movements.

If a cat sleeps on its left shoulder and wakes up, information about predators or prey goes directly to the right hemisphere of the brain, which is best at processing it. “Sleeping on the left side can therefore be a survival strategy,” the researchers conclude.

More information: Sevim Isparta et al, Lateralized sleeping positions in domestic cats, Current Biology (2025). DOI: 10.1016/j.cub.2025.04.043

Source: Why cats prefer to sleep on their left side may be part of a survival strategy

Security pro counts the cost of Microsoft dependency

A sharply argued blog post warns that heavy reliance on Microsoft poses serious strategic risks for organizations – a viewpoint unlikely to win favor with Redmond or its millions of corporate customers.

Czech developer and pen-tester Miloslav Homer has an interesting take on reducing an organization’s exposure to security risks. In an article headlined “Microsoft dependency has risks,” he extends the now familiar arguments in favor of improving digital sovereignty, and reducing dependence on American cloud services.

The argument is quite long but closely reasoned. We recommend resisting the knee-jerk reaction of “don’t be ridiculous” and closing the tab, but reading his article and giving it serious consideration. He backs up his argument with plentiful links and references, and it’s gratifying to see several stories from The Register among them, including one from the FOSS desk.

He discusses incidents such as Microsoft allegedly blocking the email account of International Criminal Court Chief Prosecutor Karim Khan, one of several incidents that caused widespread concern. The Windows maker has denied it was responsible for Khan’s blocked account. Homer also considers the chances of US President Donald Trump getting a third term, as Franklin Roosevelt did, the lucrative US government contracts with software and services vendors, and such companies’ apparent nervousness about upsetting the volatile leader.

We like the way Homer presents his arguments, because it avoids some of the rather tired approaches of FOSS advocates. He assigns financial value to the risks, using the established measurement of Return on Security Investment. He uses the Crowdstrike outage from last July as a comparison. For instance, what if a US administration instructed Microsoft to refuse service to everyone in certain countries or even regions?

He tries to put some numbers on this, and they are worryingly large. He looks at estimated corporate Microsoft 365 usage worldwide, and how relatively few vendors offer pre-installed Linux systems. He considers the vast market share of Android on mobile devices compared to everything else, with the interesting comparison that there are more mobile phone owners than toothbrush owners. However, every Android account is all but tied to at least one Google account – another almost unavoidable US dependency.

There is a genuine need for people to ask questions like this. And, importantly, many of the decisions are made by people who are totally tech-illiterate – as many movers and shakers are these days – so it’s also important to express the arguments in terms of numbers, and specifically, in terms of costs. Few IT directors or CEOs know what an OS is or how it matters, but they’re all either former beancounters or guided by beancounters.

Another issue we rarely see addressed is the extreme reach of Microsoft in business computing. The problem is not just bigwigs who mostly don’t know a hypervisor from an email server; the techies who advise them are also a problem. We have personally talked to senior decision-makers and company leaders who know nothing but Windows, who regard Macs as acceptable toys (because they can run MS Office and Outlook and Teams), but who have never used a Linux machine.

There’s a common position that a commodity is only worth what you pay for it, and if you don’t have to pay for it, then it’s worthless. Many people apply this to software, too. If it’s free, it must be worthless.

It’s hard to get through to someone who is totally indifferent to software on technical grounds. When choices of vendors and suppliers are based on erroneous assumptions, challenging those false beliefs is hard.

(We’ve had a few abusive comments and emails from anti-vaxxers following our coverage of Xlibre. They’re wrong, but it’s tricky to challenge the mindset of someone who doesn’t believe in the basic concepts of truth, falsehood, or evidence.)

One way to define “information” is that it is data plus context. We all need contrast and context and comparisons to understand. Any technologist who only knows one company’s technologies and offerings lacks necessary context. In fact, the more context the better. Looking around the IT world today, it would be easy to falsely conclude that Windows NT and various forms of Unix comprise everything there is to know about operating systems. That is deeply and profoundly wrong. Nothing in computing is universal, not even binary; there have been working trinary or ternary computers, and you can go and see a working decimal computer at Bletchley Park.

Lots of important decision-makers believe that Microsoft is simply a given. It is not, but telling them that is not enough. It’s like telling an anti-vaxxer that the Earth is an oblate spheroid and there are no such things as chemtrails. After all, some US legislators want to ban chemtrails, so they must be real, right?

But if you can put a price on false beliefs, and then show that changing those beliefs could reduce risk in a quantifiable way, you can maybe change the minds of IT decision-makers, without needing to tell them that they’re science deniers and the Earth isn’t flat. ®

Source: Security pro counts the cost of Microsoft dependency • The Register