Gravis Zero - Slashdot User

Submission + - Newly discovered Linux local privilege escalation bug "CopyFail" (copy.fail)

Submitted by tylerni7 on Wednesday April 29, 2026 @07:24PM

tylerni7 writes: A recently discovered logic bug dubbed "CopyFail" in Linux dates back to 2017 and allows local privilege escalation across kernels/distros with a single exploit. The POC exploit works out of the box today, but a future version that can escape from containers like Docker is promised soon. Technical details are available at https://xint.io/blog/copy-fail...

Submission + - Copy Fail exploit lets 732 bytes hijack Linux systems and quietly grab root (nerds.xyz)

Submitted by BrianFagioli on Wednesday April 29, 2026 @06:30PM

BrianFagioli writes: A newly disclosed Linux kernel vulnerability called Copy Fail (CVE-2026-31431) allows an unprivileged user to gain root access using a tiny 732-byte script, and it works with unsettling consistency across major distributions. Unlike older exploits that relied on race conditions or fragile timing, this one is a straight-line logic flaw in the kernelâ(TM)s crypto subsystem. It abuses AF_ALG sockets and splice to overwrite a few bytes in the page cache of a target file, such as /usr/bin/su. Because the kernel executes from the page cache, not directly from disk, the attacker can inject code into a setuid binary in memory and immediately escalate privileges.

What makes this especially concerning is how quiet it is. The file on disk remains unchanged, so standard integrity checks see nothing wrong, while the in-memory version has already been tampered with. The same primitive can also cross container boundaries since the page cache is shared, raising the stakes for multi-tenant environments and Kubernetes nodes. The underlying issue traces back to an in-place optimization added years ago, now being rolled back as part of the fix. Until patched kernels are widely deployed, this is one of those bugs that feels less like a theoretical risk and more like a practical, reliable path to full system compromise.

Comment Good. (Score 2, Interesting) 23

by Gravis Zero on Sunday April 26, 2026 @09:42PM (#66113814) Attached to: Google Studies Prompt Injection Attacks Against AI Agents Browsing the Web

AI agents should be exploited by websites because AI agents themselves are exploiting the websites. I see no downsides to someone causing an AI agent to self-destruct.

Comment "isn't working" is absolutist thinking. (Score 1) 76

by Gravis Zero on Saturday April 25, 2026 @08:06PM (#66112252) Attached to: Australia's Teen Social Media Ban Isn't Working. Half Their Teens Still Have Access, Survey Finds

If a virus only infects 50% of people, that doesn't mean "nobody is getting infected". The inability for people to see nuance is annoying. 50% certainly is not 0% and it is not 100%. The idea that "perfect is the enemy of good" still applies to modern life, even if you don't understand it.

Comment Highly useful. (Score 3, Interesting) 48

by Gravis Zero on Friday April 24, 2026 @02:36PM (#66110674) Attached to: Researchers Simulated a Delusional User To Test Chatbot Safety

This is exactly what the AI development community needs because false information is a HUGE problem. A highly delusional user is a low bar but if they can detect simple delusions then it may be possible to expand that to a more general "fact or fiction" engine when interfaced with the "reasoning engine".

The result of the basic ability to tell fact from fiction would be immensely useful because it would result in a feedback loop in which AI would be able to analyze it's own statements and the retrain itself when incorrect information is detected, altering the weights that promoted incorrect output, and potentially eliminating hallucinations entirely. This seems like the goal for anyone developing AI.

Comment Re:Moral of the story: (Score 1) 50

by Gravis Zero on Wednesday April 22, 2026 @12:44AM (#66106156) Attached to: 20-Year-Old Enters Prison for Historic Breach, Ransoming of Massive Student Database

I've heard similar arguments in jail. Psychopaths blame the victims for allowing themselves to be exploited.

You see this as victim and perpetrator. I see this as, lesser perpetrator and greater perpetrator. Both parties are to blame. The world is not black and white, it is a sea of gray.

Calling him a 'child' is a bit of a stretch, too, unless you mean 'an immature or irresponsible person' or 'a person who has little or no experience in a particular area' or 'a young human below the age of puberty'.

"Lane said he was a prolific cyber criminal by age 15, and usually directed his cyberattacks toward "big, big" targets."

It implies that he shouldn't be treated as an adult....and the court decided he should be.

No, that's what you have inferred. He's an adult now and will be treated as such.

Comment Moral of the story: (Score 5, Insightful) 50

by Gravis Zero on Saturday April 18, 2026 @01:06PM (#66100202) Attached to: 20-Year-Old Enters Prison for Historic Breach, Ransoming of Massive Student Database

If a massive amount of critical information and system of your business can be held hostage by a child then you are not "taking security very seriously" and you do not "respect the rights of [your] users".

That fact that stuff like this happens is astoundingly stupid. This foolish child isn't innocent but the businesses are all guilty as a hell.

Submission + - Two new studies about how many birds die from wind turbines (euronews.com)

Submitted by ZipNada on Friday April 17, 2026 @03:48PM

ZipNada writes: The energy company Vattenfall and the tech company Spoor have analysed the extent to which wind turbines endanger birds at the offshore wind farm in Aberdeen. Over a period of 19 months — from June 2023 to December 2024 — video recordings of a wind turbine were made with the help of AI-supported analyses. A total of 2,007 bird flight paths near the monitored turbine were examined.

"By combining AI-powered detection and detailed expert analysis, we can replace assumptions with concrete observations and measure actual behaviour in the immediate vicinity of wind turbines," says Ask Helseth, Chief Executive Officer and co-founder of Spoor.

The study found that there was not a single collision

A study by the German Offshore Wind Energy Association (BWO) also shows that migratory birds almost completely avoid wind turbines.

For one and a half years, researchers analysed over four million bird movements with the help of radar and AI-based cameras. The result showed that over 99.8 per cent of migratory birds reliably avoided the wind turbines.

Submission + - Government Workers Say They're Getting Inundated With Religion (wired.com)

Submitted by joshuark on Friday April 17, 2026 @10:25AM

joshuark writes: Federal workers across multiple U.S. agencies are complaining that Christianity is flooding into their workplaces in ways they've never seen before—and they feel powerless to speak up.

It started after President Trump returned to office and signed an executive order in February 2025 creating a White House Faith Office and similar offices inside federal agencies. Since then, religion has crept into everyday government life in a big way...Secretary Brooke Rollins sent an agency-wide Easter email titled "He has risen!" with explicitly Christian messaging. One employee called it "grotesque" and suspected AI wrote it. A formal complaint was filed with the Office of Special Counsel.

Department of Labor hosts monthly worship services with pastors and political figures. One speaker, Alveda King, said she was "more concerned about" nonreligious employees—a comment that rattled staffers who felt it implied atheists were going to hell.

Health and Human Services, under vaccine denier RFK Jr., expanded funding for faith-based addiction treatment and gave workers the afternoon off for Good Friday.

Department of Defense has seen the most dramatic shift, with Secretary Pete Hegseth hosting monthly prayer services featuring high-profile Christian nationalist figures like Doug Wilson, who has advocated for a theocracy and argued women shouldn't vote. Hegseth himself has called the U.S. war with Iran a "holy war."
Employees are afraid to push back—only 22.5% of federal workers in 2025 say they could report wrongdoing without retaliation, down from nearly 72% in 2024.

The government's position: these events are voluntary and legally permitted. A public policy professor quoted in the piece put it plainly: "The Trump administration has opened a new chapter in the integration of Christianity into the daily work of government."

Comment Why NULLFS: (Score 5, Informative) 29

by Gravis Zero on Monday April 13, 2026 @05:32PM (#66092420) Attached to: Linux 7.0 Released

I was curious so I looked up the details about NULLFS.

Apparently, there is an issue with swapping the root filesystem which is done using the syscall pivot_root()... but not with initramfs,
per the man page...

The rootfs (initial ramfs) cannot be pivot_root()ed. The recommended method of changing the root filesystem in this case is to delete everything in rootfs, overmount rootfs with the new root, attach stdin/stdout/stderr to the new /dev/console, and exec the new init(1). Helper programs for this process exist; see switch_root(8).

So basically, this fixes a long-standing hack that well... is not safe in some cases, most notably with with containers (CVE-2020-15257). The proper solution was to make a simple null filesystem that could use pivot_root and swap out the rootfs without hacks.

More details here: https://lwn.net/Articles/10621...
And here: https://www.linkedin.com/pulse...

Comment If at first you don't succeed... (Score 4, Funny) 44

by Gravis Zero on Sunday April 12, 2026 @11:50PM (#66090908) Attached to: Sam Altman's Home Targeted a Second Time, Two Suspects Arrested

it's pretty obvious that ChatGPT came up with their game plan.

Comment Please, no. (Score 1) 184

by Gravis Zero on Sunday April 12, 2026 @09:10PM (#66090746) Attached to: Has the Rust Programming Language's Popularity Reached Its Plateau?

I already hate systemd, I don't need you people to make it into an even greater abomination. Do you want to have programmers start making blood oath's the destroy systemd? Because this how you get blood oaths!

Comment Not even over 9000. (Score 3, Insightful) 28

by Gravis Zero on Sunday April 12, 2026 @03:40PM (#66090362) Attached to: DNA-Level Encryption Developed by Researchers to Protect the Secrets of Bioengineered Cells

only the exact passcode worked, showing that the odds of an unauthorized person guessing it had dropped to just two in 990, or 0.2%

If you have a real lab, is 1000 different attempts really that hard to do? By hand, it would be a pain but you can automate the process, right?

Also, what if you sequence the encrypted DNA, can you not simply simulate the application of the chemicals? Running about 1000 detailed simulations doesn't strike me as being too computationally intensive to pull off.

Comment Made? (Score 1) 69

by Gravis Zero on Saturday April 11, 2026 @06:58PM (#66089396) Attached to: Oxygen Made From Moon Dust For First Time

I presume they mean that they extracted oxygen because making oxygen via fusion or fission seems unrealistic.

Comment Cost of doing business. (Score 4, Insightful) 47

by Gravis Zero on Thursday April 09, 2026 @03:19AM (#66084680) Attached to: John Deere To Pay $99 Million In Monumental Right-To-Repair Settlement

This means that plaintiffs will recover somewhere between 26% and 53% of overcharge damages, according to one of the court documents (PDF) -- far beyond the typical amount, which lands between 5% and 15%.

Anything short of 100% is merely a cost of doing business. This is no victory, this is yet another loss in the long history of losses against corporations.

Slashdot Top Deals