Stefan Gast

232 Followers
332 Following
1.1K Posts

PhD Candidate in the CoreSec group at #TUGraz, focusing on side-channel security. Apart from that, I also post #Linux and #privacy related stuff.

Opinions posted here are my own and do not necessarily reflect those of my employer.

Website: https://stefangast.eu

Hundreds of AUR packages compromised

https://lwn.net/Articles/1077718/ #LWN #Linux #ArchLinux

Hundreds of orphaned packages hosted by the Arch User Repository (AUR) have been compromised by [...]

LWN.net

Banks: "Never click on suspicious links!" Also banks: send out links that could not look more suspicious...🤦‍♂️

Article: https://heise.de/-11327434?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

#phishing #cybersecurity #sparkasse #banken #onlinesicherheit

Bootstrapping Rust Considered Harmful - NTECS Consulting

IT Services and Software Development

Nightmare Eclipse has posted another purported BitLocker bypass: GreatXML

This exploit claims to be able to bypass BitLocker on systems that have executed Microsoft Defender Offline at some point in the past. This is done by replacing Recovery\WindowsRE\ReAgent.xml and placing unattend.xml in the WinRE partition.

I think the writeup is flawed in that the spawned CMD.EXE happens on the NEXT time that a Microsoft Defender Offline scan is triggered. And in order to trigger a Microsoft Defender Offline scan, you both need to be logged in to Windows, and also have admin credentials. And if you've already got that level of access, you can just turn off BitLocker.

The writeup for GreatXML suggests that the prerequisite is that Windows Defender Offline has been executed at some point in the past. And that after planting two files in WinRE, all you need to do is [Shift]-reboot into WinRE, and Windows will automatically go into Microsoft Defender Offline scan mode. But this is not the case in any of the 3 lineages of Win11 that I have handy.

If you only [Shift]-reboot into WinRE, you get the normal WinRE menu. Not anything related to Microsoft Defender Offline. Even after the placement of the specified files.

Someone's AI agent has been performing a wide variety of manipulations on the Fedora project for a while. https://lwn.net/SubscriberLink/1077035/c7e7c14fbd60fae9/

It's clearly linked to an account that precedes the, ahem, "agentic AI era", but it also seems the account was probably compromised, but everything is unclear, including motivations or the extent of damage.

AI agent runs amok in Fedora and elsewhere

Agentic AI systems can be used to do a variety of things autonomously on behalf of a human user [...]

LWN.net

I'm leaving #Google: https://www.mayrhofer.eu.org/post/leaving-google/

While I believe that I have been able to do some good with my continuing (part-time) engagement in the Android security and privacy team since returning to Austria a couple of years ago, the deal with the US #DoW is completely misaligned with my personal ethical principles. I will, therefore, no longer be able to act as a contact point to Google-internal teams and discussions, but will continue our research on private digital identity, end-to-end secure communication and storage, network privacy, (embedded/mobile) operating system security, supply chain transparency, etc. from a purely academic point of view. Android - and in particular AOSP - will remain a research interest, so please feel free to reach out on any of those topics for potential collaborations or discussions on the academic side.

Why I’m Forced to Say Farewell: Google Management Has Lost Its Moral Compass | René Mayrhofer

I am forced to leave Google with 2026-08-31 because of the deal with the US Department of War, which is incompatible with my ethical principles.

René Mayrhofer

"But what if it's good? You can't ban AI submissions completely because what if some of them are good?"

Respectfully, I think a number of AI fans have lost the plot with that argument.

For some people, the point of banning AI submissions is that there's been a deluge of slop submissions. The fact that AI bug reports or whatever are improving *may* turn them around on allowing them at some point. But, you know, let them come around on it on their own, mmmkay?

For many others, though, the point is that they don't want AI submissions, period, end of story. The quality could be excellent, but it does not matter. The point is that it's from an LLM and they object to that on principle. Whether one agrees with that or not, respect it, ok?

It's like arguing with a person who's a vegetarian or vegan, "But this tastes excellent! And the chicken was free-range and well-cared for right up until the moment it was killed. Didn't even see it coming. Joe Pecky thought he was going to a party, and then he got a quick one in the back of the head."

It's still chicken. And some people don't eat animals. Respect that, too.

I'm not going to lecture other people on their use of LLMs, etc., here. But please, stop lobbying everybody else to just give up and accept it, especially in open source.

The thing that makes open source special, when it is, is the human factor. It's building a community that cares about a project. Talking to other humans and working with them on problems. It's OK if that moves more slowly. What's the damn rush anyway?

Sure, the project itself is important, but so is the surrounding community. When that just becomes a bunch of prompt fondling and button pressing to unleash whatever the LLM spat out into a CI/CD pipeline to make its way into another CI/CD pipeline... what even is the point?

#LLMs #OpenSource

WinNotify/signeddrv.sys — Full Local Privilege Escalation via Arbitrary Kernel Read/Write https://medium.com/@haider303mustafa/winnotify-signeddrv-sys-full-local-privilege-escalation-via-arbitrary-kernel-read-write-09e0c1ababf3

Medium
Winners Announced in 2026's 'International Obfuscated C Code Competition' - Slashdot

Yesterday 2026's International Obfuscated C Code Contest concluded, with 22 new winners announced in a special three-hour livestreamed ceremony! Started 42 years ago, it's been described as the internet's longest-running contest, with entrants concocting convoluted programs glorying in the C program...

Interesting to see that Linux might be making a new way to create processes instead of fork/exec https://lwn.net/SubscriberLink/1076018/16f01bbbb8e0d1f0/

Moving beyond fork() + exec()

Since the earliest days of Unix, two of the core process-oriented system calls have been fork() [...]

LWN.net