AI
China issues second warning on OpenClaw risks amid adoption frenzy
China’s cybersecurity agency on Tuesday issued a second warning about security and data risks tied to OpenClaw, despite a rush among local governments and tech companies to adopt the artificial intelligence agent amid a nationwide frenzy.
Nvidia is reportedly planning its own open source OpenClaw competitor
Nvidia has been pitching the platform, which it is calling NemoClaw, to various corporate partners.
“Use a gun” or “beat the crap out of him”: AI chatbot urged violence, study finds
Character.AI deemed “uniquely unsafe” among 10 chatbots tested by CCDH.
“No other chatbot tested explicitly encouraged violence in this way, even when providing practical assistance in planning a violent attack,” the report said.
“As chatbots explode in popularity among young people, CNN’s investigation found that most of those we tested are not only failing to prevent potential harm—they are actively assisting users by giving them information that could be used in preparing attacks,” CNN wrote.
After outages, Amazon to make senior engineers sign off on AI-assisted changes
AWS has suffered at least two incidents linked to the use of AI coding assistants.
Amazon wins court order to block Perplexity’s AI shopping agent
Amazon wrote in its original complaint that Perplexity’s agents posed security risks to customer data because they “can act within protected computer systems, including private customer accounts requiring a password.”
The company also said Perplexity’s agents created challenges for the company’s advertising business, because when AI systems generate ad traffic, the impressions have to be detected and filtered out before advertisers can be billed.
Politics
Blood money: This SF startup is paying women for their monthly flow
The blood contains stem cells, which may have many medical uses.
Exclusive: Foreign hacker in 2023 compromised Epstein files held by FBI, source and documents show
The hacker expressed disgust at the presence of child abuse images on the device and left a message threatening to turn its owner over to the FBI, the person said. Officials defused the situation by convincing the hacker that they actually were the FBI.
FDA reverses course and will review Moderna’s mRNA-based flu vaccine
DHS Ousts CBP Privacy Officers Who Questioned ‘Illegal’ Orders
Department of Homeland Security leaders removed top privacy officers who objected to mislabeling government records to block their public release, WIRED has learned.
Trump Officials Are Suddenly Buying Doomsday Bunkers
At least two members of the president’s Cabinet have recently purchased bomb-proof bunkers.
Ron Hubbard, the creator of Atlas Survival Shelters, told The Telegraph over the weekend that orders have gone up “tenfold” since the United States and Israel attacked Iran earlier this month.
Canadian federal institutions average 259 days to report privacy breaches. They’re supposed to flag major incidents within 7 days
"There seems to be no accountability for non-compliance with these laws and policies"
Infosec
Intel's Heracles chip computes fully-encrypted data without decrypting it — chip is 1,074 to 5,547 times faster than a 24-core Intel Xeon in FHE math operations
It performs fully homomorphic encryption (FHE) — meaning that it ingests encrypted data, processes it, and outputs it in an encrypted format.
Ultrafast computing: Light-driven logic tops 10 terahertz in WS₂
With the use of ultra-short laser pulses, we can control the quantum states of matter at rates above 10 terahertz, over a hundred times faster than the best modern electronic devices. To achieve this aim, the researchers used the physical properties of a new two-dimensional semiconductor, tungsten disulfide (WS₂), which is only three atomic layers thick. Because of the quantum phenomena associated with this nanometric film, electrons can occupy two distinct quantum states within it, known as "valleys." These valleys can be used as a new unit of information, similar to zero and one for traditional computers, but much quicker to control.
14,000 routers are infected by malware that’s highly resistant to takedowns
The number of infected routers averages about 14,000 per day, up from 10,000 last August, when Black Lotus discovered the botnet. Compromised devices are overwhelmingly located in the US, and are mostly Asus devices. KadNap uses a sophisticated peer-to-peer design based on Kademlia, a network structure that uses distributed hash tables to conceal the IP addresses of command-and-control servers. The design makes the botnet resistant to detection and takedowns through traditional methods.
Kademlia
Kademlia is a distributed hash table for decentralized peer-to-peer computer networks. In order to look up the value associated with a given key, the algorithm explores the network in several steps. Each step will find nodes that are closer to the key, by XOR distance, until the contacted node returns the value or no more closer nodes are found. This is very efficient: like many other DHTs, Kademlia contacts only O(logn) nodes during the search.
New 'Zombie ZIP' technique lets malware slip past security tools
Trying to extract the files with standard utilities like WinRAR or 7-Zip results in errors or corrupted data. The technique works by manipulating ZIP headers to trick parsing engines into treating compressed data as uncompressed.
A threat actor can create a loader that ignores the header and treats the archive for what it is: data compressed using the standard Deflate algorithm used in modern ZIP files.
kubernetes-el Compromised: How a Pwn Request Exploited a Popular Emacs Package
Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
There exists a potentially dangerous misuse of the pull_request_target workflow trigger that may lead to malicious PR authors (i.e. attackers) being able to obtain repository write permissions or stealing repository secrets. It is common CI/CD practice to ensure that when a new PR is submitted that tests are passing. Atackers can achieve arbitrary code execution in a variety of ways, such as write their payload as a new test that will be run with others.
Microsoft brings phishing-resistant Windows sign-ins via Entra passkeys
Microsoft is rolling out passkey support for Microsoft Entra on Windows devices, adding phishing-resistant passwordless authentication via Windows Hello.
Bypassing MFA with Reverse Proxies: Building a Rust-based Firefox Extension to Kill AitM Phishing
DNS, HTTP headers, TLS. All useful signals. But a well-configured AitM proxy can get most of them right. Strip the proxy headers, use a aged domain, forward the security headers. Sophisticated kits do exactly that.
The DOM, however, is harder to fake. Rewriting every single URL in the DOM is hard. Expensive. Error-prone. Most kits don’t bother, or better, don’t bother completely. When the ratio of links pointing to a different domain crosses a threshold, the extension detects an AiTM attack.
|