22 May 2026

Feed: Slashdot

Google API Keys Remain Active After Deletion

Aikido Security found that deleted Google API keys can continue authenticating for a median of about 16 minutes and as long as 23 minutes, despite Google Cloud's UI claiming that once a key is deleted it can no longer make API requests. Dark Reading reports: Joe Leon, researcher at Belgian startup Aikido Security, recently analyzed the revocation window -- the time between a key's deletion and its last successful authentication -- for the cloud giant's API keys. In a blog post published today, Leon said Google Cloud Platform (GCP) customers expect API access to end immediately after the key is deleted, but this is not the case. In a series of tests, Leon found that the median revocation window was around 16 minutes, while the longest window was up to 23 minutes, "an incredibly long time" for API keys to continue authenticating successfully, he said. And these windows have serious repercussions for organizations. "An attacker holding your deleted key can keep sending requests until one reaches a server that has not caught up. If Gemini is enabled on the project, they can dump files you have uploaded and exfiltrate cached conversations," Leon said. "The GCP console will not show the key, and it will not tell you the key is still working. You are trusting Google's infrastructure to eventually catch up." [...] Leon tells Dark Reading the revocation windows for Google's API keys, as well as the unpredictable authentication success rates, complicate matters for incident response teams that are dealing with a potential breach. "This breaks the mental model IR teams have when responding to leaked credentials," he says. "It's assumed that when you click 'Delete' or 'Revoke' that the credential no longer works. Now IR teams need to remember that for GCP credentials, a window exists when that 'Deleted' credential still works for attackers." To that end, Aikido recommended that security teams and IR personnel use a 30-minute window for Google API key deletions. 
Additionally, organizations should monitor their API requests by credential through the "Enabled APIs and services" portion of the GCP console, and review API requests by credential. "If you see unexpected usage from that credential after deletion, someone could be actively exploiting it," Leon wrote. Aikido reported the findings to Google, but the company closed the report as "won't fix," according to the blog post.


22 May 2026 11:00pm GMT

Feed: Ars Technica

Four Russian satellites are now within striking distance of an ICEYE radarsat

"This capability is not common for satellites conducting typical missions."

22 May 2026 10:50pm GMT

Ebola outbreak now third largest recorded and "spreading rapidly"

Ebola outbreak risk level increased as deaths reach 177 with nearly 750 cases.

22 May 2026 10:24pm GMT

Feed: Slashdot

Major Streamers Must Pay 15% of Revenues To Canadian Content, CRTC Says

Canada's broadcast regulator says major streaming services such as Netflix must contribute 15% of their Canadian revenues to Canadian and Indigenous content. "That's three times the five-per-cent initial contribution requirement the CRTC set out in 2024, which is being challenged in court by major streamers, including Apple and Amazon," reports Global News. "Contribution requirements for traditional broadcasters, which currently pay between 30 and 45 percent, will be lowered to 25 percent." From the report: "The total contributions are expected to stabilize the funding at more than $2 billion in support of Canadian and Indigenous content, such as French-language content and news," the regulator said in a press release. The CRTC made the decisions as part of its implementation of the Online Streaming Act, which the U.S. has identified as a trade irritant ahead of trade negotiations with Canada. The CRTC also set out rules on how the money must be spent for both streamers and broadcasters, including contributions toward production funds and direct spending on Canadian content. Most of the streamers' financial contributions can go toward content, though the CRTC is imposing rules on how that money must be spent for the largest streamers. For instance, streamers with Canadian revenues of more than $100 million annually must direct 30 percent of spending toward partnerships with Canadian broadcasters and independent producers. Large Canadian broadcasters will have to direct at least 15 percent of their contributions toward news. The new financial contribution rules apply to streamers and broadcasters with at least $25 million in annual Canadian broadcasting revenues. The decision covers audiovisual programming, meaning it affects traditional TV broadcasters and online services that stream television content. The regulator also said Thursday online streamers will have to take steps to ensure Canadian and Indigenous content is available and visible to audiences. 
"This will make it easier for people to find this content on the platforms they use, while giving broadcasters flexibility in how they meet the new expectations," the CRTC said in the release. Details of those requirements will be determined at a later time.


22 May 2026 10:00pm GMT

Feed: Ars Technica

First-generation Chromecast users stressed by devices suddenly failing

Google tells Ars it fixed the first-gen Chromecast bug.

22 May 2026 9:42pm GMT

Feed: Slashdot

NTSB Wants PDF Removed After It Exposed Final Cockpit Audio From UPS Crash

The NTSB temporarily closed public access to nearly all investigation dockets after people used a spectrogram image from a PDF in the UPS flight 2976 crash file to reconstruct approximate cockpit voice recorder audio and post it online. "We show our work and we've been doing this type of thing for years. Nobody was aware that you can recreate audio from a picture," a spokesperson for the board said. "NTSB is looking to make sure there's nothing else in the docket that could compromise anybody's privacy... now that we understand the possibility of a digital recreation." CNN reports: Cockpit voice recordings, often referred to as the CVR, capture everything commercial pilots say and are valuable during NTSB investigations, but are almost never released out of respect for the victims and their families. UPS flight 2976 crashed on November 4, when an engine separated from the wing while it was taking off from Louisville, Kentucky. The three crew members onboard were killed along with 12 people on the ground. During a two-day investigative hearing this week, the board released a docket full of details about the crash. Besides thousands of pages of reports and video showing the engine separating, it included a transcript of the CVR and a PDF file showing an analysis of the spectrogram of the audio it recorded. A spectrogram is a still image that is a visual representation of the audio, showing the ups and downs of the frequencies. Using that still image, members of the public were able to recreate the voices of the pilots in the moments before the plane crashed and post the results online. The clip, which included background noise and echoes, covered the last 30 seconds of the flight as the pilots struggled with the disabled aircraft as well as recordings of testing the NTSB did on another aircraft. 
In a statement on Thursday, the board made clear it "does not release cockpit voice recordings" due to federal law and because of the highly sensitive nature of what they include, but it was "aware that advances in image recognition and computational methods have enabled individuals to reconstruct approximations of cockpit voice recorder audio from sound spectrum imagery." Investigation dockets are made public for transparency, but this week, the board took the rare step of closing public access to all dockets, including the one for the UPS crash. [...] The NTSB is urging platforms like X and Reddit to remove posts with the audio.


22 May 2026 9:00pm GMT

Feed: OSnews

Migrating from Ubuntu 16.04 to FreeBSD

Bruno Croci's blog had been running on Ubuntu 16.04 for a long time, well past the Linux distribution's expiration date. As such, it was time to upgrade, but instead of opting for something standard like another Ubuntu release, he opted for FreeBSD instead.

This blog has been running on a Digital Ocean VPS for over ten years. A machine hosted in New York City, running Ubuntu 16.04 LTS. An LTS that hasn't been in support for at least 5 years. It was about time to change it. After some considerations, I migrated to a Hetzner virtual machine that is way better than my old Ubuntu one, less than half the price of what I used to pay, and just across the country from me. Not only that, but I took the challenge to move my stack to FreeBSD. It's a long text, but stay for a cool introduction of FreeBSD Jails with Bastille and some interesting site load benchmarks.

↫ Bruno Croci

I absolutely adore the recent surge in people (re)discovering the BSDs as a valid alternative to Linux in both the server and desktop space. In this particular case, it was FreeBSD's Jails and ZFS support that won Croci over, and it's easy to see why. While there are countless alternatives to Jails in the Linux world, ZFS is harder to come by as it can't be part of the kernel due to licensing issues. With how powerful and capable ZFS is, it makes sense to want to use it on your server, and in that case, FreeBSD is probably a better choice than most Linux distributions. There are countless reasons to choose one of the BSDs over a Linux distribution, and I'm glad we're seeing an uptick.

22 May 2026 7:00pm GMT

Secure boot and Microsoft CA rollover: a heads-up for distributions

We've already talked about the secure boot certificates from Microsoft that are about to become invalid, but Debian EFI team member and longtime Debian contributor Steve McIntyre published a blog post with more information for users and distribution developers alike. Why are Microsoft's secure boot certificates relevant for the Linux world? Well, Linux distributions use shim to provide secure boot functionality, and this shim is signed with Microsoft's certificates, because they are included in just about every single computer or motherboard ever shipped. The expiration of these oldest certificates should most likely not be a problem, as existing signed binaries should keep working. This is because the UEFI specification does not look at the expiration dates; it only cares that the signature is valid. Unless you have buggy firmware, your machine will continue to boot Linux just fine. Microsoft is already handing out new certificates, but they started the rollout of these way too late, so that's why it's an actual issue today. New machines and updated older machines will most likely have all of these new CAs installed. New machines are already shipping that only include the new CAs; they will not trust older software and this has already started causing problems for some users. If you already have an old shim signed by Microsoft for your distribution from before October 2025, then it will only be signed using the older CA that expires soon. On newer machines, your users will already not be able to boot your distro with Secure Boot enabled. If you want your users to be able to use Secure Boot in future, you will need to get a new shim build submitted, reviewed and signed using the new CA. However, that signed build will not work on older machines unless they have had the new CAs installed. This is also likely to cause problems for some users. You should encourage your users to update their systems NOW before things break for them. 
↫ Steve McIntyre

I think the Linux world will be able to handle this just fine, but the fact that Microsoft started this process of replacement so late is a real shame. I'm by no means an expert in this field, but I wonder if there isn't some better solution than relying on Microsoft. I understand their certificates will effectively always be installed on every motherboard, but shouldn't we be able to move that responsibility to a more independent entity?

22 May 2026 5:41pm GMT

21 May 2026

Feed: OSnews

Google’s plan for ads in its new “AI” chatbot search engine is to let “AI” generate the ads

After Google killed its search engine a few days ago, one question remained: how exactly does advertising fit into all of this? Google is obviously not going to move to chatbot search without somehow adding ads to your conversation with the pachinko machine, so everybody was wondering how that was going to work, exactly. Well, we have the answer, and it's an obvious one.

When researching a topic, consumers want to know exactly how a product suits their unique situation. In fact, 75% of people report making faster, more confident decisions using AI Mode in Search. That's why we're testing two new types of ads, built with Gemini, that offer relevant product details along with helpful guidance. To help people evaluate their choices, both of these new formats will feature an independent AI explainer as part of the ad. Our Gemini model evaluates and synthesizes information about a product or service, and displays that context alongside the advertiser's creative. This coherent, independent response ensures transparency and builds trust. These formats will also continue to be clearly labeled as "Sponsored."

↫ Google's Ads & Commerce Blog

Of course they're going to just generate the ads with "AI", too. Google will offer two types of "AI"-generated ads in their new chatbot search tool, the first of which will simply be an "AI"-generated answer to a user's question. If you ask the Google chatbot "how can I clean my bed sheets of unintended nightly slop discharge?", Google will generate an ad based on the features of a slopcleaner washing machine detergent product and show that to you. The second type comes in when a user asks something like "what is the best way to kill a search engine?" Google's chatbot will then show a number of ways to kill a search engine, and one of the items in that list might be an ad generated by Google, alongside the customary unrelated information, wrong information, and made-up nonsense.
Google claims both of these types of ads will be labeled as such, but I doubt that small label will be noticed by many, and of course, there's no way to know any of the other answers the chatbot generates aren't paid-for either. Here, too, though, we must ask the question what the end game is. This new chatbot search engine is clearly trying to keep you on Google's website, but in doing so, it'll deprive large numbers of websites of the traffic they need to survive. If they can't survive, they'll die. If they're dead, they can't produce the content Google "AI" needs to slobber up to spit back out in Google's chatbot search. Chatbot search is also an agent of its own destruction, because you can't generate improved slop with nothing but slop. Because, and I can't repeat this often enough, nobody has ever used "AI" to produce anything of value.

21 May 2026 10:04pm GMT

11 May 2026

Feed: Planet Arch Linux

Ratty: A terminal emulator with inline 3D graphics

Just trying to answer one simple question: What if the terminal was 3D?

11 May 2026 12:00am GMT

18 Apr 2026

Feed: Planet Arch Linux

Break the loop, move to Berlin

Break the pattern today or the loop will repeat tomorrow.

18 Apr 2026 12:00am GMT

11 Apr 2026

Feed: Planet Arch Linux

Write less code, be more responsible

My thoughts on AI-assisted programming.

11 Apr 2026 12:00am GMT