[>] The curl project will stop accepting vulnerability reports for a month
lor.opennet
robot(spnet, 1) — All
2026-06-15 23:44:05


Daniel Stenberg, author of curl, the utility for fetching and sending data over the network, has announced that the acceptance and processing of vulnerability reports will be suspended from July 1 to August 3. An exception will be made only for submitters who use paid support. The stated reason is the need for a break and rest after a significant increase in the workload of triaging vulnerability reports over the last four months.

https://www.opennet.ru/opennews/art.shtml?num=65693

[>] Users Cry Foul After AMD Stripped Memory Crypto From Its Consumer CPUs
bot.slashdot
robot(spnet, 1) — All
2026-06-16 00:22:02


An anonymous reader quotes a report from Ars Technica: A decade ago, AMD added a protection to its high-end CPUs to protect them against cold boot attacks and other types of physical exploits that siphon sensitive data out of the connected memory chips. Short for Transparent Secure Memory Encryption, TSME encrypts the entire contents stored in memory, making the data useless to physical attackers. Over time, AMD added TSME to lower-end processors, including the consumer version of its Ryzen chips, a CPU that costs less than the Pro version. Over the years, users of these lower-end chips have gotten used to the added security. Recently and without warning or notice, this lower-end line of AMD chips suddenly dropped the protection, and did so in a way that was impossible to detect on Windows machines and required a fair amount of technical work when using Linux.

AMD has yet to say why TSME worked on these CPUs, or even to confirm the change. AMD declined to answer questions sent by email other than to say TSME "is a security feature only applied to PRO CPUs as part of AMD PRO Technologies." The statement is the first known time the chipmaker has explicitly made this restriction public. [...] There's no indication that AMD ever advertised or marketed TSME as being available in consumer CPUs. AMD has long said that a related memory protection, Secure Memory Encryption (SME), is available only in the Pro and Epyc CPU tiers. SME is OS-managed. It uses a single key and allows the OS to selectively encrypt individual memory pages. TSME is firmware-managed. It encrypts all RAM with no OS involvement. When active, it provides protection against physical attacks, including cold boot exploits, DRAM interface snooping, and memory module removal. It activates silently when enabled in the BIOS, making it the more practically useful of the two protections. Ben Kilpatrick, a self-described "privacy-conscious Linux hobbyist," discovered that TSME had stopped working on his consumer Ryzen processor despite remaining enabled in the BIOS. He spent months investigating, persuaded MSI engineers to test multiple CPUs, motherboards, and firmware versions, and filed a public AMD bug report that traced the change to newer AGESA firmware apparently disabling TSME on consumer chips while retaining it on Pro and EPYC models.

"AMD engineers' comments, such as those mentioned above, and the years of TSME working just fine in the lower-cost tier processors, have understandably conditioned Kilpatrick and other users to reasonably regard it as an expected part of the chip package," reports Ars Technica. "AMD quietly removing it and providing no acknowledgment or explanation strikes these users as something of a betrayal."

Joe Fitzgerald, an expert in silicon-level security, said in an interview: "They could have not realized they did it leading to their cagey responses, or they could have done it intentionally and tried to get away with it, leading to the same cagey responses. But I really feel like an explanation should be in order, even if it was 'TSME was never supposed to be supported. We did ship some firmwares that erroneously enabled it, but you shouldn't use them since we can't guarantee it'll work properly.'"

[ Read more of this story ]( https://hardware.slashdot.org/story/26/06/15/200234/users-cry-foul-after-amd-stripped-memory-crypto-from-its-consumer-cpus?utm_source=atom1.0moreanon&utm_medium=feed ) at Slashdot.

[>] Addition of a WebAssembly backend to GCC approved
lor.opennet
robot(spnet, 1) — All
2026-06-16 00:44:03


The committee overseeing development of the GCC compiler collection (GCC Steering Committee) has approved the inclusion of a WebAssembly backend in the GCC code base. The decision concerns general approval of shipping a WebAssembly backend as part of GCC. Approval of the implementation and acceptance of the submitted code will be decided separately by the team responsible for code review.

https://www.opennet.ru/opennews/art.shtml?num=65695

[>] Google Chrome's Next Update Will Mark the End of Popular Ad Blockers
bot.slashdot
robot(spnet, 1) — All
2026-06-16 01:22:02


Google is removing Chrome's last remaining workarounds for Manifest V2 extensions, effectively ending support for legacy ad blockers such as the original uBlock Origin. 9to5Google reports: CyberNews points out a Chromium commit that removes support for the "kExtensionManifestV2Disabled" flag, which is referred to as "dead code" seeing as Chrome no longer supports Manifest V2 extensions. This removal acts as the final stop for many Manifest V2-based ad blocker extensions that were still in use today -- the flag was effectively a loophole to continue using these extensions.

A Googler on the commit explains: "MV2 extensions are no longer allowed in any supported version of Chrome, and we are removing support for them and the associated functionality. We won't be able to provide / maintain this functionality indefinitely due to the complexity and tech debt, as well as the security risks it entails (we've actually found a number of bugs that are specific to MV2 lately). Of course, other browsers can continue supporting these if they so desire."

This will also impact other Chromium-based browsers, though the comment notes that "other browsers can continue supporting these if they so desire." Neowin points out that Microsoft Edge and Opera are likely to follow suit. Chrome 150, set to be released later this month, will remove this flag, while other leftover bits of Manifest V2 will be removed in the v151 release.

[ Read more of this story ]( https://tech.slashdot.org/story/26/06/15/205219/google-chromes-next-update-will-mark-the-end-of-popular-ad-blockers?utm_source=atom1.0moreanon&utm_medium=feed ) at Slashdot.

[>] FreeRDP 3.27
lor.opennet
robot(spnet, 1) — All
2026-06-16 01:44:03


FreeRDP 3.27.0 has been released, an open implementation of the Remote Desktop Protocol that includes libraries and clients for connecting to RDP servers. The release was published on June 15, 2026, as reported in the [ official project announcement ]( https://www.freerdp.com/2026/06/15/3_27_0-release ) . Archives of the new version have been uploaded to the [ FreeRDP release directory ]( https://pub.freerdp.com/releases/ ) , and the full set of changes is available via the [ 3.26.0…3.27.0 comparison on GitHub ]( https://github.com/FreeRDP/FreeRDP/compare/3.26.0...3.27.0 ) .

The developers describe FreeRDP 3.27.0 as a major release with new features, bug fixes and code cleanup. One of the main changes is stricter TLS parameters: the TLS security level is now set to 2 by default, and the minimum supported TLS version has been raised to TLS 1.2. This means that old and weak TLS configurations will no longer be used by default. If necessary, the behaviour can be overridden on the client side via the /tls:seclevel: and /tls:enforce: options, and server implementations can control it through rdpSettings::FreeRDP_TLSMinVersion and rdpSettings::FreeRDP_TlsSecLevel, as stated in the [ FreeRDP 3.27.0 release notes ]( https://www.freerdp.com/2026/06/15/3_27_0-release ) .

Main changes in FreeRDP 3.27.0:

( [ read more... ]( https://www.linux.org.ru/news/opensource/18320050#cut ) )

[>] FBI Issues Urgent Kali365 Security Warning For Teams, Outlook, OneDrive Users
bot.slashdot
robot(spnet, 1) — All
2026-06-16 02:22:02


alternative_right shares a report from The Hill: The FBI released an urgent security warning to the public about a fast-acting scam targeting Microsoft 365 users on Teams, Outlook and OneDrive. The agency warned that the hacking platform Kali365 seeks out OAuth device codes, allowing scammers to sneak past multi-factor authentication codes, and without the need for a password, to access Microsoft accounts. Scammers will send a phishing email impersonating a trusted document-sharing service with a device code and instructions on how to verify, according to the FBI.

"Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities," the FBI stated. The platform is sold to scammers with a $250 per month subscription. The FBI, which first detected Kali365 in April, described the hacking platform as an "emerging Phishing-as-a-Service platform." Hackers with limited skills can access advanced phishing tools through the platform, according to NordPass.

[ Read more of this story ]( https://yro.slashdot.org/story/26/06/15/209242/fbi-issues-urgent-kali365-security-warning-for-teams-outlook-onedrive-users?utm_source=atom1.0moreanon&utm_medium=feed ) at Slashdot.

[>] The US Government Is Letting a Key Data Center Regulation Expire
bot.slashdot
robot(spnet, 1) — All
2026-06-16 03:22:02


The Federal Data Center Enhancement Act (FDCEA) is set to expire in September without an apparent replacement, potentially ending requirements for federal agencies to report on data-center efficiency, resilience, energy and water use, and contractor sustainability. Wired reports: Despite the public backlash, the Office of Management and Budget (OMB), the government agency that sets guidance for how agencies implement policies in line with the president's agenda, is not providing any plans for how federal agencies should manage the sunset or continue to implement reporting beyond the timeline of the law. This, current and former workers at OMB and the General Services Administration (GSA) say, signals that the Trump administration is set to take an even more hands-off approach to data center oversight and regulation.

A replacement for the requirements laid out in FDCEA would, in other administrations, have been in the works for months ahead of its expiration. An employee with the GSA, the agency that oversees the government's IT services and helps to implement the FDCEA, says that the lack of any sort of plan is highly uncommon. The employee spoke to WIRED on the condition of anonymity for fear of retaliation. "Never in the history of data center policies has a policy expired without another one having been painstakingly worked on for three years behind the scenes," says the GSA employee. "The technology has changed so much it's not about getting everything right, it's about doing the best they can and updating to a new policy. They claim they're going to make sure private companies pay their fair share, but they haven't explained how they'll do that."

[...] There has been a burst of data-center-related legislation introduced in Congress this year, from bills that mandate environmental reviews of data centers to bills designed to protect local moratoriums. However, it appears that none of these bills are designed to address the requirements in FDCEA, nor do they specifically address federally run or leased data centers. [...] A search of reginfo.gov, the OMB website that contains reports on the president's Unified Agenda, also turns up nothing for the FDCEA. "By letting this expire, OMB is going to enter into this new age of prioritizing rapid AI development over any sort of centralized control or rigorous standards," says the anonymous GSA employee who spoke to Wired. "In the absence of a new policy from OMB, [GSA] has no directive or measurable standards with which to point agencies towards managing data centers efficiently."

[ Read more of this story ]( https://yro.slashdot.org/story/26/06/15/2017215/the-us-government-is-letting-a-key-data-center-regulation-expire?utm_source=atom1.0moreanon&utm_medium=feed ) at Slashdot.

[>] Cybersecurity Vets Protest 'Dangerous' US Government Ban On Anthropic's Most Powerful Models
bot.slashdot
robot(spnet, 1) — All
2026-06-16 08:22:01


An anonymous reader quotes a report from TechCrunch: A group made up of dozens of cybersecurity experts, including several well-known veterans of the industry, published an open letter to the U.S. government asking it to lift the export control order on Anthropic's Fable and Mythos models. According to the open letter, "this action has taken the best models away from [cybersecurity] defenders" who now can't use the models to find vulnerabilities and make their software and products more secure. "To pull the best capabilities away from defenders without a good reason when our adversaries are rapidly advancing is dangerous," read the letter.

On Friday, the U.S. government ordered Anthropic to limit the export of Fable and Mythos, citing national security concerns, without explaining the specific reasons behind the order, according to Anthropic. In response, the company suspended access to the models to all users worldwide. As of this writing, the letter is signed by 76 cybersecurity experts, including Alex Stamos, former Facebook chief of security; Casey Ellis, the founder of bug bounty platform Bugcrowd; Jon Callas, famed cryptographer and former Apple security design and architecture manager; Paul Vixie, computer scientist; Dino Dai Zovi, the former head of applied security engineering at Block; Katie Moussouris, the founder of Luta Security; and Rachel Tobac, the CEO of the security awareness training firm SocialProof Security.

[...] Anthropic said that the White House export control order may have been based on a report that there was a method to bypass -- or jailbreak -- Fable to unlock its powerful Mythos-level capabilities. According to Katie Moussouris, one of the signatories of the open letter, the method was demonstrated by Amazon researchers in a paper that is not public but that she has reviewed. But Moussouris said in a blog post that the paper did not actually demonstrate a real jailbreak. Instead, she wrote, the researchers simply asked Fable to fix open source code with public and known vulnerabilities along with "deliberately planted vulnerabilities," after the model initially refused to "review the code for security issues."

"The behavior described in the paper cannot meaningfully be fixed, and any attempt would only weaken the model for defense," Moussouris wrote. "Defenders need to be able to ask AI to fix the bugs in a file, explain why the fix matters, and write tests that confirm the patch works. That is not a guardrail bypass. It is the most valuable thing an AI model can do for defensive security: executing the find, fix, and test loop defenders run every day." Moussouris' critique was echoed in the open letter, which also said that the group of experts believe the model capabilities in the Amazon paper "can be replicated" on OpenAI's GPT-5.5, on Anthropic's own publicly available Claude Opus 4.8 and Sonnet, "and even Chinese models like Kimi 2.7."

Moussouris told TechCrunch that "the bugs used to demonstrate the techniques in the paper can be found using the other models. The method in the paper is a guardrail bypass technique. Other models that lack the Fable guardrails often won't refuse the straightforward request to look for security bugs, so they don't need a bypass." The letter also asked for transparently and fairly enforced regulations created by "a democratic rule-making process" that are based on scientific research done by industry and academic experts, and "used only to the minimal extent necessary to ensure the safety of the American public."

[ Read more of this story ]( https://it.slashdot.org/story/26/06/15/2128216/cybersecurity-vets-protest-dangerous-us-government-ban-on-anthropics-most-powerful-models?utm_source=atom1.0moreanon&utm_medium=feed ) at Slashdot.
