All the passwords were stored in Active Directory description fields

The Register - Wed, 06/03/2026 - 22:00
Welcome back to PWNED, the weekly column where we talk about weak security policies and how to avoid them. Hopefully, we can learn from others’ mistakes – or at least have a good laugh at them. Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity is available upon request.

This week, we have a tale of password passivity involving Active Directory. It comes to us courtesy of Rob Anderson, head of reactive consulting services at Reliance Cyber, a UK-based security firm.

Anderson recalls in the past working with a firm that was creating service accounts that developers needed to use, but the org didn’t have a proper password vault for storing the associated credentials. Instead, to make it easy for team members to find what they needed, they put the passwords into the description field for Active Directory.

“People don't realize that as soon as you've got an Active Directory user — just an ordinary user — you can read the comments field or the description field across the whole of Active Directory,” Anderson told The Register. “It's such an amazing lapse of security.”

Soon enough, an Initial Access Broker (IAB), someone who specializes in gaining access to protected networks and then selling it to other threat actors, used a phishing campaign and executed offensive hacking tool Sliver on the endpoint. At that point, they captured a victim’s credentials, which led them to query Active Directory.

Once in AD, the hackers found plenty of passwords, which came with full domain access. They used this access to delete all the backups and execute ransomware. In total, the crimes put 2000+ users out of action by encrypting Hyper-V hypervisors and their hosts. The company was taken offline for months.

What we can learn from this sad story is that you can’t put passwords in cleartext anywhere that's easy to access, unless you want an enormous attack surface. Even without a phish, an untrustworthy colleague could have sold the passwords to a threat actor. After all, a recent survey found one in eight workers think selling company logins can be justified.

“I've seen it where configuration details are kept in application servers that are running, and threat actors are using fuzzing — trying likely file and directory names — which again exposes configuration and credentials to the threat actors,” Anderson said.

He noted that developers are a bit more savvy these days about where they put their credentials, but security naivete sinks ships. Trust no one. ®

Benchmark raises its first-ever growth fund as part of $2B capital raise

TechCrunch - Wed, 06/03/2026 - 20:52
The legendary firm abandons its more-than-20-year tradition of keeping its funds to about $425 million.
Categories: Nerd News

Quick commerce FirstClub doubles valuation to $255M in nine months

TechCrunch - Wed, 06/03/2026 - 17:30
The Bengaluru startup has crossed 1 million orders and reached a $50 million annualized GMV run rate within a year of launch.
Categories: Nerd News

Could Democrats Be Iced Out of This California Congressional Race?

Mother Jones - Wed, 06/03/2026 - 16:08

While most California races were called by the morning after Election Day, a handful of key holdouts remain. “This is normal,” Secretary of State Shirley N. Weber, who was on the ballot herself, emphasized in a press release. “I would call on all Californians to be patient.”

That’s a hard ask, at least for Richard Pan, a Democrat who is running third in one of the state’s tightest races: the Sixth Congressional District.

In California’s open primary system, the top two finishers in a given race advance to a general election runoff regardless of party affiliation. The Sixth leans blue, but if Democratic votes are split among a large pool of contenders, Democratic candidates could be iced out.

The Republican now in contention to advance to the general election didn’t even run a campaign.

That’s how things were looking in the Sixth as of mid-afternoon Wednesday. With 48 percent of votes counted, Rep. Kevin Kiley—the Third District Republican incumbent who recently renounced his party to run as an independent in the Sixth—was ahead with more than a quarter of the vote. In second place was Republican Michael Stansfield, whose bid isn’t serious. (He doesn’t even have a campaign website.) Running a close third—just one percentage point behind Stansfield—is Pan, the outspoken pediatrician, pro-vaccine warrior, and former state senator I profiled for Mother Jones in April.

If this trend holds, Pan, who is perhaps best known for having authored some of the country’s toughest state vaccine laws, would be headed straight back to the clinic.

Stansfield’s success as the only Republican on the ballot highlights the unintended consequences of Prop 50, Gov. Gavin Newsom’s redistricting plan that voters approved last November. After the state congressional map was redrawn to help more Democrats win seats, the new Sixth remains blue, but less so than before, as it has absorbed conservative regions carved from other districts.

The close race seems to have surprised Stansfield, a 50-year-old tech worker who received no donations and did essentially no campaigning. He only ran, he told US News, to send a message to the religious right about peace in the Middle East. “I wasn’t necessarily going after it to win,” Stansfield said.

And he might not. Many of the remaining votes are from northern Sacramento and the adjoining suburbs, a region that so far has favored Pan. And votes counted later may have a different skew. In California, early ballot returns were up among Republican voters for this cycle, and lagged for Democrats relative to previous years.

“I think [Pan is] going to eke it out,” Sacramento-based Democratic strategist Steven Maviglio told the New York Times. “But it’s going to be close.”

Categories: Political News

Fired CBS reporter reveals MAGA bosses pressured him to skew news

Daily Kos - Wed, 06/03/2026 - 16:00

Scott Pelley, one of the most well-known journalists on the CBS News roster, revealed that the pro-Trump management now leading the network has pressured him to inject bias and lies in news stories. On Tuesday night, Pelley was fired from CBS. In a statement released via social media, Pelley said the current management of CBS is casting the “legend” of CBS News aside, “apparently to curry a…

Categories: Political News

Trump’s posts—abridged

Daily Kos - Wed, 06/03/2026 - 15:59

A cartoon by Tim Campbell.

Categories: Political News

Lovable signs multi-year deal with Google Cloud to up usage 5x, source says

TechCrunch - Wed, 06/03/2026 - 15:56
Lovable and Google signed an expanded multi-year deal that involves a 5x expansion of Lovable's footprint on Google Cloud, and expanded access to Anthropic Claude.
Categories: Nerd News

Commvault says it's time to rethink resiliency as AI crooks leave victims in a 'dark, dead' state

The Register - Wed, 06/03/2026 - 15:31
AI-enabled cybercriminals have better tools and are inflicting more pain on their victims, wiping out virtual machines and hypervisors and leaving infrastructure in a "dark, dead" state after an attack, said Commvault Chief Technology Officer Brian Brockway.

"The majority of cyber cases that we've seen in the customer base have moved well beyond the breaking inside, and encrypting and corrupting some of your key files and folders, to taking over control of your entire VM environment, wiping out all VMs, destroying all hypervisors, blowing up the center and leaving you in basically a dark, dead state," Brockway told The Register.

Frontier AI is reshaping the threat landscape in two ways, he explained: advanced models are uncovering a deluge of software vulnerabilities, and attackers are exploiting disclosed flaws within minutes rather than weeks.

“The more unplanned work that has to be done to react to this, that's always going to challenge priorities,” Brockway said. “We had the plan in place, we had sprints already dedicated to kind of get out to the next launch, and we have to come back over and reinvest more engineering time to corrective actions versus the next new get ahead feature.”

Commvault cited Palo Alto Networks research showing that frontier AI models such as Mythos and GPT-5.5-Cyber identified more than seven times the typical number of software vulnerabilities found within a single month during testing.

To prepare for this, Commvault recommends that IT and security teams look beyond backups and ask whether they can restore critical systems cleanly, whether recovery environments are isolated from compromised production systems, and whether recovery plans include the most important applications and dependencies. Brockway said air-gapping is the starting point. He said organizations should keep immutable and isolated copies of critical data separated from production identity, network, and management planes, and pressure-test recovery time and recovery point objectives against realistic attack scenarios, a hard lesson learned from witnessing victims recover from recent attacks.

“One team is just trying to even clear the smoke to figure out what happened, then you have to come back over, strip it all down to bare metal, and basically redeploy the data center all over again,” he said. “While that's ongoing – and that's not a couple hour process by any means, that could take you, even in a well-exercised environment, it could be a couple of days or longer to get it back into a stable, usable state – what are our sanitized versions that we're going to come back over to (in order to) rebuild or restart the business again?”

Businesses should prioritize the systems they cannot operate without — identity platforms, billing systems, operational databases, and cloud services — and define the order in which they will be restored, he said. As AI moves into core operations, teams should also account for newer dependencies such as data pipelines, model repositories, vector databases, and agentic workflows.

In its recommendations, Commvault said it is also critical that organizations continuously test recovery. Brockway recommends rehearsing those plans in isolated cleanroom environments before the worst happens.

“I need a testing environment that's got the same makeup, the same builds, which we're using, maybe not on full production resources, but I need to be able to say, ‘How do I put that application stack into a live environment, so we can come back over and test?’” he said. “That's what we're saying about things like this clean room concept of not just being a reaction to an incident, but it is also a quick environment for you to come back over and clone.”

Brockway said this new normal in the AI era is straining the engineers who build and maintain enterprise software. He said while the first wave of AI scanning tools flooded teams with potential vulnerabilities, newer models go further, entering controlled environments and attempting the exploits themselves — a capability that mirrors what attackers do.

"When you let them in, you have to do it under an extremely tight security control, because you're effectively almost automating the same thing that bad guys can do on the outside too," Brockway said.

The output can swamp downstream teams. Brockway said one frontier model flagged roughly 10,000 critical vulnerabilities across operating systems, browsers, and other infrastructure. "That's 10,000 patches that have to come out of the system," he said.

That volume forces hard choices about engineering priorities. Brockway said unplanned remediation work pulls staff off planned releases. To absorb the load at Commvault, Brockway runs a standing group dedicated to just those items. "They're the fast action team to analyze, make a quick assessment," he said.

Brockway said the signal volume emerging from AI bug finders ultimately calls for more automation and AI to filter noise, assist with patching, and support deployment. "The amount of information and signals that are coming in are way overwhelming. People just get desensitized, and that's when bad things really start to occur," he said. ®

“We Are Being Made to Look Like Fools”: How Trump Is Weaponizing World Cup Visas

Mother Jones - Wed, 06/03/2026 - 15:11

The FIFA Men’s World Cup starts next week—and some players still don’t know whether they’ll be able to travel to their matches.

On Wednesday, Switzerland’s main goalscorer, Breel Embolo, applied for a visa at the US embassy in the country’s capital after US officials blocked him from boarding a flight with his teammates to their World Cup training camp in San Diego the day before.

The Swiss soccer federation stated that the US has been reviewing Embolo’s criminal conviction after a 2018 altercation in Basel, Switzerland. The verdict was finalized in April.

“The embassy’s inquiries focused specifically on whether any physical violence had been involved. This was not the case,” the Swiss soccer body said in a statement. According to Swiss outlets, Embolo was sentenced to a fine of roughly $165,000, conditional on two years of probation, for making multiple threats during an argument.

Meanwhile, the men’s national team of South Africa, a frequent target of the Trump administration over “white genocide” claims, had to delay their Saturday flight from Johannesburg to Mexico City because at least 20 people in their traveling group—mainly players—were still trying to get the US embassy in that country to process their visas.

On Sunday, Gayton McKenzie, South Africa’s sports, arts and culture minister, announced that all of the national team players had received their visas to travel to the US, but that an assistant coach, team doctor, the head of security, and one team analyst were still waiting. McKenzie criticized the situation earlier that day, calling it “embarrassing & grossly unfair towards the players & coaching staff.” 

“Action must be taken against those responsible for this mess,” he continued. “We are being made to look like fools.”

This @SAFA_net travel & visa debacle is embarrassing & grossly unfair towards the players & coaching staff. I have informed @SAFA_net that I need a report and action must be taken against those responsible for this mess. We are being made to look like fools.

— Gayton McKenzie (@GaytonMcK) May 31, 2026

News24, a South African news platform, reported that the team arrived on Tuesday morning but that the assistant coach and head of security arrived late after their visas were finally approved. On Monday, McKenzie notably apologized for his criticisms, posting on X that “the fault is entirely on our side,” and that US embassy workers in South Africa were “only too helpful” and “even worked on a Sunday for the first time ever.” McKenzie did not elaborate on what mistakes South Africa made. 

The Trump administration has a record of denying international athletes visas, including members of an Ethiopian delegation to the World Athletics Cross Country Championships, whose 44-year medal streak was broken by a mass visa denial in January. Multiple Cuban sports delegations have also been locked out of sports competitions since 2025 by the US’ refusal to grant them visas—including Olympic qualification events. And according to Television Jamaica, Javontae Smith, a shotput and discus thrower from Munro College in Jamaica, was denied a US nonimmigrant visa last month to compete in the Penn Relays in Philadelphia.

Iran’s national team is set to leave for Mexico on Saturday. The team’s initial three matches will take place in the US, but the country’s soccer federation won FIFA approval in May to move its training base from Tucson, Arizona, to Tijuana, Mexico, due to security concerns amid the US and Israel’s ongoing war in Iran and elsewhere in the Middle East.

According to Al Jazeera, the federation has not yet said whether the players had received all necessary visas for both Mexico and the US, though Mehdi Taj, Iran’s football federation chief, said on Monday that they expected to receive visas for Mexico on Tuesday or Wednesday “and then a US visa will be issued quickly.”  

The delays have created unprecedented uncertainty for many national team players and sparked outrage among their fans, who now have to worry about whether they can even get to the tournament—let alone whether their team will play well in it.

Categories: Political News

Badass Final SUPERGIRL Trailer Announces Tickets Now on Sale

The Nerdist - Wed, 06/03/2026 - 14:22

It’s almost time for the second DCU movie, as Supergirl lands in theaters on June 26. And now, via Deadline, we’ve learned that tickets are finally on sale for the upcoming Craig Gillespie film, which features House of the Dragon’s Milly Alcock as Kara Zor-El, Superman’s cousin. The initial announcement came from DCU co-head James Gunn, which also came with an awesome new trailer. In our opinion, it’s the best Supergirl trailer so far. And yes, it showcases a lot more action than before, and new alien landscapes. Plus a fair dose of Jason Momoa as Lobo, and, of course, Krypto the Superdog.

Supergirl is based on Tom King and Bilquis Evely’s 2021 DC Comics series, Supergirl: Woman of Tomorrow. Like that graphic novel, it deals with Kara Zor-El leaving Earth to venture to a world under a red sun, which takes away her powers. Thus, allowing her to get drunk on her 21st birthday. While off-world, she finds herself embroiled in a quest for revenge. A young girl enlists her help when a marauding villain, Krem of the Yellow Hills, murders her father. Unlike the comic book, however, the intergalactic bounty hunter Lobo has a role in the adventure.

The new trailer features a cameo from David Corenswet’s Superman, in a flashback to when Kara first landed on Earth (with Krypto) at age 15. We see Superman giving Kara her first superhero costume, letting her know that the bright colors are so everyone knows that they are the good guys. This feels like a very Clark Kent sentiment. But as Kara says in this trailer, she and her cousin are very different kinds of heroes. We’ll find out just how different when Supergirl arrives in theaters on June 26. You can buy advance tickets now by heading over to Fandango.

Categories: Nerd News

Bend the beam like Beckham to defeat anti-jamming tech

The Register - Wed, 06/03/2026 - 13:57
Wireless jamming attacks are on the rise. Rice University researchers have shown how self-curving radio beams can make a jammer appear to be somewhere it isn't, potentially undermining some anti-jamming defenses.

Jamming relies on flooding a wireless receiver with noise that denies service. Some modern receivers identify and block jamming attempts using direction-of-arrival (DoA) estimation technology that pinpoints the jammer's direction and directs an array null that blocks signals emanating in the jammer’s direction. Were a jammer to transmit a self-curving beam, however, it could fool DoA-based anti-jamming defenses by appearing to come from somewhere else entirely, and that's exactly what the Rice researchers demonstrated.

Rice electrical and computer engineering professor Edward Knightly and doctoral student Caroline Spindel presented a paper [PDF] last month in which they demonstrated a curving-beam jamming attack that caused "catastrophic bit-error-rate degradation" while also "fool[ing] the receiver's DoA estimator," preventing conventional DoA-based defenses from stopping the interference.

Knightly and Spindel have done prior research developing wireless technology that could bend beams around objects to increase signal strength - particularly useful for short-range millimeter wave signals - and found that the same technology could be used to deploy jammers that are far harder to locate.

Spindel gave the perfect analogy in a recent Rice press release about the research for understanding how curved beams confuse DoA estimators by considering a soccer ball kick to the head. “Imagine being hit on the right side of your head by a soccer ball - you would naturally look to the right,” Spindel said. “If the ball actually curved through the air, like a David Beckham free kick, then it was kicked from somewhere else entirely.”

Were Sir David to keep moving and kicking curveballs at your head you’d probably spot him eventually, but it might take a minute, and a few more smacks, to stop him. A signal jammer at radio-wave distances will probably be far harder to spot, and it won’t even have to move: Knightly and Spindel were able to create the illusion that the jammer was mobile by modulating the beam parameters from a stationary position, making it even more difficult to locate the jamming signal and negating the point of blindly searching for the best spot to point an array null.

Conventional recovery methods used to block jamming completely failed in laboratory tests, Spindel said. “This is the first demonstration of a jammer that cannot be reliably localized and the first time self-curving wireless beams have been used as an attack,” Knightly added.

The pair sees their research not just as a way to point out a serious threat to wireless signals - GPS jamming of aircraft is on the rise, for example - but also something that can inform the direction of future wireless technologies as we move toward the 6G era. Until then, however, there’s the potential for even more devastating jamming attacks to come. ®

Defense tech is flooded with money, but who’s built to last?

TechCrunch - Wed, 06/03/2026 - 13:51
Defense tech is red hot right now. Anduril and Mach Industries just doubled and quadrupled their valuations, respectively, and the U.S. government is proposing a 40% increase in defense budget. A wave of new startups is chasing those government contracts, but according to Ross Fubini, the venture investor who wrote Anduril’s first check, most of them will get lost in the Valley of Death between prototype contract […]
Categories: Nerd News

Why Trump doesn’t give a damn about his slush fund fiasco

Daily Kos - Wed, 06/03/2026 - 13:45

It looks like President Donald Trump and the Justice Department are going to walk away from the treasonweasel slush fund, but don’t you worry: Trump is still going to come out on top, even if he left his little insurrectionist pals behind. Yes, the slush fund “settlement” is gone, but the Trump family and their businesses still get unprecedented immunity from Internal Revenue Service…

Categories: Political News

Masters of the Universe Has Big Plans For She-Ra

The Nerdist - Wed, 06/03/2026 - 13:30

Masters of the Universe stars Nicholas Galitzine (Adam/He-Man), Camila Mendes (Teela), and director Travis Knight sit down with Nerdist’s Hector Navarro to talk the franchise’s long history, their love of Idris Elba, and the potential future role of She-Ra.

Categories: Nerd News

Is Grog the Most Well-Adjusted Member of VOX MACHINA Now?

The Nerdist - Wed, 06/03/2026 - 13:30

The Legend of Vox Machina stars Matt Mercer, Ashley Johnson (Pike), Marisha Ray (Keyleth), and Travis Willingham (Grog) sit down with Dan Casey to talk the show’s penultimate season, splitting the party, and the Mercer-verse of Weird Little Guys!

Categories: Nerd News

Watsonville man sentenced to 75 years to life for 2023 murder

The Pajaronian - Wed, 06/03/2026 - 13:14

A Watsonville man convicted of fatally shooting his roommate with an assault-style rifle in 2023 was sentenced Monday to more than 75 years to life in state prison.

Santa Cruz County Superior Court Judge Denine Guy sentenced Hector Manuel Rocha on June 1 to 75 years to life for first-degree murder, plus an additional 15 years and four months for related firearm and assault convictions, according to the Santa Cruz County District Attorney’s Office.

Rocha was convicted of the Aug. 7, 2023 killing of 42-year-old Victor Alamillo in the parking lot of an apartment complex on West Beach Street.

Prosecutors said Rocha shot Alamillo with an assault rifle before pointing the weapon at Alamillo’s girlfriend and fleeing the scene.

The following day, law enforcement officers located Rocha in an agricultural field near Pajaro. After a standoff that lasted several hours, Rocha surrendered and was taken into custody without incident.

Following a months-long trial, a Santa Cruz County jury found Rocha guilty of first-degree premeditated murder, assault with a semiautomatic firearm and possession of an assault weapon. Rocha had previously pleaded guilty to being a felon in possession of a firearm and ammunition.

Jurors also rejected Rocha’s plea of not guilty by reason of insanity, finding that he was legally sane at the time of the killing.

According to prosecutors, Rocha had prior felony convictions for resisting law enforcement, attempted arson and being a felon in possession of a firearm.

The case was investigated by the Watsonville Police Department, the Santa Cruz County District Attorney’s Office Bureau of Investigations and the California Department of Justice.

Alamillo is survived by a large family, many of whom attended court proceedings throughout the case.

District Attorney Jeffrey Rosell said the sentence ensures Rocha will be held accountable for his actions.

“This sentence ensures that Rocha will be held accountable for his deliberate and deadly actions,” Rosell said in a statement. “We are grateful to the jury, law enforcement and prosecution team for their dedication to seeking justice.”

Sex crimes suspect faces more charges

The Pajaronian - Wed, 06/03/2026 - 13:11

Following the March 18 arrest of a 24-year-old Watsonville man for unlawful sexual intercourse with an underage girl, investigators have now added more charges that have expanded across state lines.

Darwin Linares was initially arrested by Watsonville Police in March after he was found in a hotel on the 100 block of Airport Boulevard with a 15-year-old girl reported missing in Fresno.

Detectives eventually uncovered communications with dozens of underage girls across several states and now believe there may be additional victims who have not yet been identified. Evidence shows that Linares used multiple social media platforms and applications to communicate with underage girls, often using different names and ages, for sexual purposes.

Anyone with information is asked to call Det. Ambriz at 831.768.3358.

Help us dream up new Daily Kos merch

Daily Kos - Wed, 06/03/2026 - 13:09

We’ve been thinking about new Daily Kos merch—and honestly, nobody knows this community better than the community itself. So we want your ideas. What would you actually want to wear, carry, drink from, sticker onto your laptop, or gift to another Daily Kos reader? T-shirts? Tote bags? Mugs? Hats? Stickers? Protest signs? Something funny? Something bold?

Categories: Political News

Uber to put 500 data-collection vehicles on the road this year

TechCrunch - Wed, 06/03/2026 - 13:08
The modified Ioniq 5 will be loaded with sensors to capture data for Uber's new AV Labs division.
Categories: Nerd News

Alphabet’s record-breaking $85B raise for Google’s AI business is a helluva good signal

TechCrunch - Wed, 06/03/2026 - 12:38
If Alphabet's record-breaking, $85 billion stock sale signals investor appetite for AI-related offerings, we can see that investors are ready to chow.
Categories: Nerd News
