It seems not every distribution ships with the vulnerable module, built-in or loadable, either. That could be another factor, too.
On my Ubuntu 26.04 host, all patched up to yesterday, lsmod as root shows only algif_hash and algif_skcipher, not algif_aead.
Immutable distributions, in Linux parlance, run on a read-only root filesystem that is swapped for the next boot if there are any updates. Usually, you can use one or more snapshots to roll back to the (or a) previous version if an update fails.
What this attack is doing is not helped by immutability under that definition: it's entirely in memory and works only as long as the target executable is in memory. It first reads the target executable into the disk cache and asks a specific kernel module to encrypt it with a splice() system call to avoid copying the disk cache page elsewhere. Except that specific kernel module overwrites 4 bytes past the end of its buffer, so if you ask for a 32-byte buffer starting at
Now, while the attack only works as long as the targetted executable is in the disk cache, that's not much of a problem in practice, because the disk cache often survives the few microseconds needed to set up the required system calls. And once you finally execute the binary as setuid root, Linux consults the disk cache, finds it has a version already and runs it. But you now have a root shell, all without a single disk write, and can now begin to remount filesystems read-write to establish persistence.
Answering a sibling comment, write-xor-execute (W^X) memory doesn't give any protection here either, because a kernel module is performing the write. Write protection on executable pages is provided by the CPU operating in user mode.
Disney is already licensing their content to OpenAI.
https://www.wsj.com/business/m...
This isn't an AI vs Art showdown. This is just a licensing deal shakedown.
For someone who doesn't develop apps for Apple devices, can someone explain how Apple can revoke an app from a third party store? Is this a revoking of developer license keys or something?
Apex Legends uses the Source engine, which has had several RCE exploits over the years.
A nice writeup here: https://www.reddit.com/r/Compe...
Considering so many captchas are being used to feed ML datasets, it's very not surprising AI trained on those datasets can now solve them effortlessly...
Directly to far cheaper VR platforms which already have spatial movie viewing capabilities.
I bet it'll show up in a VRChat movie world within a week of release.
So if someone passes away their YouTube videos will eventually disappear. More digital history being erased.
BLE tags use a compatible phone to report their location back to a central service, but unless you had an Apple Airtag [or AirTag compatible], your tags would only be picked up by other phones with the Tile app installed. This is of course fine if you're just keeping track of your keys and other household items, but Apple Airtags are really popular to slip into luggage, packages, and other valuables as a cheaper [and far smaller] alternative to SMS/GPS trackers.
These new tags use a component in Google Play Services [installed on every Android phone with the Google Play store], instead of the Tile app, making them, at least on paper, as good or better than Airtags, and far more reliable than Tile tags for remote tracking.
Instead of waiting for a phone with the Tile app installed to come by, now any android phone can pick up and report these tags back.
There's the whole problem of privacy, security, etc involving any BLE tag, but that's a whole different can of worms..
"Websites can pass the http headers X-Robots-Tag: noai, X-Robots-Tag: noindex , X-Robots-Tag: noimageai and X-Robots-Tag: noimageindex By default img2dataset will ignore images with such headers."
Followed directly by:
"To disable this behavior and download all images, you may pass --disallowed_header_directives '[]'"
I wonder what option most users will end up enabling.
Also this tool doesn't seem to check robots.txt [from a quick source search, may be wrong.] Getting the impression they don't entirely care about this.
So you mean it's time for a fork?
This is where the BBC News style of article titles shines.
Take this article for example: NSA contractor Reality Winner admits leak. Its title not having capitals all over the place makes it immediately apparent that Reality Winner is someone's name without requiring any punctuation.
Precious few Slashdot articles don't have title case, but for this one it would have been great.
Full translation:
"15:46 (Eastern time): The alleged hostage situation at Ubisoft, which launched a major police operation in Montreal, turns out to have been a hoax, our sources say.
The investigation team is currently working on finding the one(s) responsible for the call. Many employees locked down in the building, for the most part hidden in conference rooms, did not know it was a false alarm."
Now if only they actually had any in stock!
The rule on staying alive as a program manager is to give 'em a number or give 'em a date, but never give 'em both at once.
