
Submission + - Sloppy AI defenses take cybersecurity back to the 1990s, researchers say (scworld.com)

spatwei writes: LAS VEGAS — Just as it had at BSides Las Vegas earlier in the week, the risks of artificial intelligence dominated the Black Hat USA 2025 security conference on Aug. 6 and 7.

We couldn't see all the AI-related talks, but we did catch three of the most promising ones, plus an off-site panel discussion about AI presented by 1Password.

The upshot: Large language models and AI agents are far too easy to successfully attack, and many of the security lessons of the past 25 years have been forgotten in the current rush to develop, use and profit from AI.

We — not just the cybersecurity industry, but any organization bringing AI into its processes — need to understand the risks of AI and develop ways to mitigate them before we fall victim to the same sorts of vulnerabilities we faced when Bill Clinton was president.

"AI agents are like a toddler. You have to follow them around and make sure they don't do dumb things," said Wendy Nather, senior research initiatives director at 1Password and a well-respected cybersecurity veteran. "We're also getting a whole new crop of people coming in and making the same dumb mistakes we made years ago."

Her fellow panelist Joseph Carson, chief security evangelist and advisory CISO at Segura, had an appropriately retro analogy for the benefits of using AI.

"It's like getting the mushroom in Super Mario Kart," he said. "It makes you go faster, but it doesn't make you a better driver."

Submission + - Phishing training is pretty pointless, researchers find (scworld.com)

spatwei writes: LAS VEGAS — Phishing training for employees as currently practiced is essentially useless, two researchers said at the Black Hat security conference on Wednesday.

In a scientific study involving thousands of test subjects, eight months and four different kinds of phishing training, the average improvement rate of falling for phishing scams was a whopping 1.7%.

"Is all of this focus on training worth the outcome?" asked researcher Ariana Mirian, a senior security researcher at Censys and recently a Ph.D. student at U.C. San Diego, where the study was conducted. "Training barely works."

At the beginning of Mirian's presentation, Mirian asked how many people in the audience of cybersecurity professionals believed that phishing training worked. About half raised their hands, to her mock dismay.

Submission + - In Barcelona, certain buses run on biomethane produced from human waste (lemonde.fr)

alternative_right writes: Odorless, quiet, sustainable. On the last day of July, passengers boarded Barcelona's V3 bus line with no idea where its fuel came from. Written in large letters on the bus façade, just below its name "Nimbus," a sign clearly stated: "This bus runs on biomethane produced from eco-factory sludge." Still, the explanation was likely too vague for most to grasp its full meaning. The moist matter from wastewater treated at the Baix Llobregat treatment plant was used to produce the biomethane. In other words: the human waste of more than 1.5 million residents of the Catalan city.

Submission + - Security flaws in carmaker's web portal let a hacker remotely unlock cars (techcrunch.com)

schwit1 writes: A security researcher said flaws in a carmaker’s online dealership portal exposed the private information and vehicle data of its customers, and could have allowed hackers to remotely break into any of its customers’ vehicles.

Eaton Zveare, who works as a security researcher at software delivery company Harness, told TechCrunch the flaw he discovered allowed the creation of an admin account that granted “unfettered access” to the unnamed carmaker’s centralized web portal.

With this access, a malicious hacker could have viewed the personal and financial data of the carmaker’s customers, tracked vehicles, and enrolled customers in features that allow owners — or the hackers — to control some of their cars’ functions from anywhere.

Zveare said he doesn’t plan on naming the vendor, but said it was a widely known automaker with several popular sub-brands.

He said while the security flaws in the portal’s login system were a challenge to find, once he found them, the bugs let him bypass the login mechanism altogether by permitting him to create a new “national admin” account.

Submission + - Ask Slashdot: How many of you are using RSS readers?

alternative_right writes: I use RSS to cover all of my news-reading needs because I like a variety of sources spanning several fields in politics, philosophy, science, and heavy metal. However, it seems Google wanted to kill off RSS a few years back and it has fallen out of favor. Some of us are holding on, but how many? And what software do you use (or did you write your own XML parsers)?

Submission + - The Soviet Union's secret tsunami (phys.org)

alternative_right writes: Days and months passed without any recognition of the tsunami and earthquake. Even an interview with a Russian volcanologist, Alexander Evgenievich Svyatlovsky, was stored as a "state secret," despite him merely explaining how the tsunami had originated.

Such secrecy was common at the height of the cold war, with Chernobyl and other disasters often being underreported by the Soviet authorities. It was only after the release of state archives in the early 2000s that the full picture could be told.

Submission + - Google backpedals on goo.gl shutdown to preserve active links (nerds.xyz)

BrianFagioli writes: Google is changing its mind about killing off all goo.gl short links. The company had originally planned to shut them down entirely by August 25, 2025. That decision sparked concern among developers, educators, journalists, and everyday users who rely on these links across the web.

Now, just weeks before the deadline, Google is taking a softer approach. It turns out the company is only going to disable goo.gl links that haven’t seen any activity since late 2024. If your link is still being used or clicked, it should keep working.

This adjustment comes after what Google describes as community feedback. People pointed out that goo.gl links are everywhere. They show up in YouTube video descriptions, blog posts, PDFs, tweets, QR codes, printed handouts, and more. Breaking all of them would have left a mess of dead links across the internet.

Submission + - Sizewell C Reactor cost has doubled to £38 billion but could triple to &po (energyvoice.com)

AleRunner writes: "The total tally for the UK’s latest bet on nuclear power, Sizewell C, is highly likely to rise above the cost of Hinkley Point C," reports Energy Voice, continuing, "Taken together, the impact of project overruns and inflation could push up the estimated £38 billion price tag of the nuclear power project, in 2024 prices, by between almost £10bn and £20bn or more," and later states, "This would make Sizewell C one of the most expensive nuclear power stations in history; despite advances in EDF’s European pressurised reactor (EPR) technology, and the wealth of experience gained developing nuclear projects." Despite the increases, the article states that "Sizewell C is expected to be up to a quarter more efficient than previous reactors, and that economy of scale should lower the cost of power for the consumer. The project is expected to deliver 'electricity system savings of £2 billion a year on average once operational', the energy department said."

Submission + - Microsoft’s Project Ire is an autonomous AI that reverse engineers malw (nerds.xyz)

BrianFagioli writes: Microsoft has revealed something genuinely exciting in the cybersecurity world. It’s called Project Ire, and it might be one of the most ambitious attempts yet to automate malware classification. This isn’t just a system that scans files or compares against known threats. It actually reverse engineers unknown software entirely on its own, analyzing it from the ground up without knowing where it came from or what it’s supposed to do.

To be clear, this is very exciting. As someone who writes about security and tech regularly, I’ve seen my fair share of “AI-powered” tools, but this one feels different. Project Ire doesn’t need hand-holding. It picks apart software like a real analyst would, using decompilers, control flow analysis, memory sandboxes, and more.

This thing came out of a collaboration between Microsoft Research, Defender Research, and Discovery & Quantum. Basically, all the big brains at Microsoft put their heads together and built a system that doesn’t just guess. Actually, it investigates. And it does so using some of the same underlying tech behind GraphRAG and Microsoft Discovery, including a toolkit of reverse engineering utilities that it calls like a seasoned analyst.

Microsoft tested Project Ire against public datasets full of Windows drivers. Some were malicious, others totally clean. The system ended up with a precision of 0.98 and a recall of 0.83, which are both impressive numbers. That means it flagged malware with near-perfect accuracy and didn’t miss much. Even better, it produced the first ever conviction case at Microsoft authored entirely by a machine. No human in the loop. That malware sample is now blocked by Microsoft Defender.

Unlike traditional security systems, which rely heavily on signatures and rule-based filters, Project Ire goes in blind. It reconstructs software internals using tools like angr and Ghidra, then reasons through behavior to decide if a file is safe or not. It’s not just making guesses. It’s building a case, complete with an evidence chain that reviewers can look over.

One of the standout examples Microsoft shared was a rootkit called Trojan:Win64/Rootkit.EH!MTB. Project Ire picked up on behavior like hijacking Explorer.exe, injecting hooks, and reaching out to command and control servers. Another sample, HackTool:Win64/KillAV!MTB, was designed to kill antivirus software. The system correctly identified that too, including functions aimed at terminating specific security processes. These are the kinds of files that often sneak past basic scanners.

Now, Ire isn’t perfect. It once misread a function as anti-debugging behavior, but what stood out was how it flagged the finding as questionable and used a built-in validator to double check itself. That’s not something most AI tools do today. It shows that this system isn’t blindly confident. It understands uncertainty and knows when to ask for a second opinion.

In tougher real-world testing, Ire took on nearly 4,000 hard-to-classify files that had been set aside for expert review. These weren’t cherry-picked samples. They were unknowns. The system worked entirely on its own and still nailed about 9 out of 10 of the malware cases it flagged. Even though it caught only a quarter of all the bad files in this high-difficulty round, it barely triggered false alarms. That’s a good tradeoff in real-world defense, where one wrong call can burn trust.

Microsoft says Project Ire will now be integrated into the Defender ecosystem under the name Binary Analyzer. The long-term plan is to scale it up and speed it up, making it possible to classify unknown files instantly… maybe even before they hit disk. That kind of capability could be a game-changer, especially as threats become faster, smarter, and harder to pin down.

To me, the most exciting part is that this isn’t theoretical. Project Ire is already helping real analysts inside Microsoft. It’s working alongside humans, not replacing them, and offering detailed, explainable reports that can stand up to scrutiny. That’s the kind of AI we need more of, folks, not hype, not smoke and mirrors, but something that actually helps solve hard problems.
