VK: Front page

Volkskrant.nl offers the latest news, opinion and background

Ede café hostage-taker admitted to tbs clinic after 1.5 years of waiting

thexiffy

Last.fm last recent tracks from thexiffy.

Trust - Bulbform

Trust

Slashdot

News for nerds, stuff that matters

Google Told Researcher 'Nice Catch!' Then Denied Bug Bounty For Flaw It Still Hasn't Fixed

Security researcher Justin O'Leary says Google initially accepted his Config Connector privilege-escalation report as a high-priority, high-severity bug, then denied a bounty by declaring the behavior "working as intended." According to The Register, a Google rep initially praised O'Leary's report with a "Nice catch!" before the cloud giant reversed course, declaring that no vulnerability existed and therefore no fix or reward was warranted. "The bug report, however, is still marked high-priority and accepted," the publication notes. The alleged flaw, dubbed ConfigConfusion, could let a Kubernetes namespace user exploit an overprivileged service account to become a GCP organization owner with only a few lines of YAML and little apparent audit visibility. O'Leary details the incident in a blog post. The Register reports: According to O'Leary, Config Connector doesn't perform an authorization check, and this allows any Config Connector service account with org-level permissions to bypass Identity and Access Management (IAM) authorization and gain the highest level of control (roles/owner) to an entire GCP Organization -- the root node of all of a company's resources within Google Cloud. On March 27, a Google security engineer accepted O'Leary's report and told him: "Nice catch!" The employee said that they filed a bug based on O'Leary's report with the relevant product team and assured him the Chocolate Factory's security squad would work with relevant Google Cloud people to fix the flaw. "We'll work with the product team to ensure this issue is address. We'll let you know when the issue was fixed," the engineer said. "In the meantime, review the payment option selected in your bughunters.google.com profile."

Google assigned the bug P1 priority and S1 severity, signifying a flaw worthy of urgent repair because it affects a large percentage of users and can disrupt core organizational functions. "I figured that was the end of that," O'Leary said in a phone interview with The Register. Eleven days later, on April 7, he received a new message from a Google Security Bot reversing the earlier decision. The Reg viewed the email, and O'Leary included a screenshot in his Thursday writeup. The message said that the Cloud Vulnerability Reward Program panel decided that the "security impact of this issue does not meet the criteria to qualify for a reward."

After reviewing the bug report, Google determined the software "is working as intended," the message continued. It also noted that the program's decision not to pay a bounty "does not mean that the product team won't fix the issue." Nearly three months later, the case remains P1/S1 with the status "in progress (accepted)." Google hasn't assigned a CVE or issued a fix. O'Leary didn't receive any reward for his research. [...] "This is a pattern," O'Leary told [The Register]. "This is just how these trillion-dollar companies deal with people like me. In my day job, we use GKE, and it's incredibly frustrating on my end, when I find a critical vulnerability in the system that's being widely used, and I can't even get the vendor to patch their own stuff." A Google spokesperson told The Register: "The issue reported does not qualify for a reward because the GCP IAM authorization bypass is only exploitable if an attacker has access to a Config Connector Service Account that's been granted the Organization Admin role by the organization (i.e., it is privileged). Additionally, an attacker would first need to gain entry to an organization's environment (e.g., an exposed container) in order to leverage the privileged Config Connector instance and execute commands with administrative authority, such as the IAM bypass. Granting this level of access to the Config Connector Service Account goes against Google Cloud's publicly shared best practices and the principle of least privilege."


Tim Cook Says Apple Price Increases Are 'Unavoidable' Due To Memory Costs

An anonymous reader quotes a report from MacRumors: Apple is raising its prices to offset the high cost of memory and storage, CEO Tim Cook told The Wall Street Journal. Apple is no longer able to absorb the increased prices and will need to pass some of the cost on to consumers. "Unfortunately, price increases are unavoidable," said Cook. "We're doing our best to mitigate the huge increases that are being passed to us, and we've been trying to shield our customers from the increases, but the situation has become unsustainable."

Growing demand for memory and storage chips from AI companies has led to chip shortages and higher costs. The Wall Street Journal suggests Apple will need to increase device costs "substantially" to maintain its current profit margins given the cost of memory chips and SSDs. Research firm TechInsights claims Apple will need to make the iPhone 18 Pro around $270 more expensive to keep its existing profit margin.

Apple is struggling more with memory chips, but storage chips are also an issue. "There's less supply at a time when consumers want devices and the memory guys are passing along huge price increases," Cook told The Wall Street Journal. Cook said Apple will use its cash to increase memory supply, but he did not give details on what that means. Apple does not plan to create its own memory and storage factories. "We can't do everything," Cook said. "We know what we're good at." Cook likened the memory shortages to a hundred-year flood. "I've never seen anything like it in any area in over 40 years," he said.

Further reading: Smartphone Market To Shrink 15% This Year Due To Memory Crisis


Wel.nl

Read less, know more.

Iran: all ships will quickly get a permit for the Strait of Hormuz

TEHRAN (ANP/RTR) - Iran says it is working on fast permits for all ships that want to pass through the Strait of Hormuz. Under agreements with the United States that important strait has been reopened, but Iran advises ships to keep to the time slot and the route assigned to them by the Iranian authorities.

Iran and the US have both lifted their blockade of the Strait of Hormuz. Iran has, however, announced that it wants to charge service fees for ships passing through the strait. The US has stated that ships do not have to pay for passage.

The service fees will therefore in any case not apply for the coming sixty days, the period both countries have set aside to reach a definitive peace agreement.


GREEN X GREEN

photo-tez has added a photo to the pool:

GREEN X GREEN

薬師池公園

kottke.org

Jason Kottke's weblog, home of fine hypertext products

“The prevailing emotions among scientists right now...

“The prevailing emotions among scientists right now are rage and shock.” U.S. Science Is in Chaos. “This compact that has existed since World War II, that made the U.S. the successful, prosperous nation that it is, is being dismantled.”

The Founding Story Behind Japan’s Oldest Whisky Maker ....

The Founding Story Behind Japan’s Oldest Whisky Maker. “Success in the Japanese market required a lighter, more delicate flavor profile than Western spirits typically offered.” And so Suntory was born.

MetaFilter

The past 24 hours of MetaFilter

Elbridge Gerry's Salamander

Gerrymandle is a daily puzzle game that asks you to perform the classic American tradition of subverting democracy by drawing district maps.

Per the puzzle authors:
Why is gerrymandering bad? When a map guarantees an outcome, general elections stop mattering. The primary winner takes the seat, so incumbents only need to keep their party's base happy. The centre gets ignored; the extremes perform better. The effects are measurable. When courts struck down North Carolina's partisan map in 2022, the state elected equal numbers of Republicans and Democrats. Republicans redrew it, and in 2024 won 10 of 14 seats in a state that is closely divided. The vote totals barely shifted. The lines did. It also concentrates harm on minority communities. Residential patterns make packing or cracking a minority neighbourhood one of the most efficient ways to tip a district. In 2019, the Supreme Court ruled it could not police partisan maps, even while calling gerrymandering "inconsistent with democratic principles". A 2026 ruling went further, requiring proof of discriminatory intent rather than discriminatory effect alone, making maps far harder to challenge. That ruling has accelerated an already aggressive cycle. More than 25% of all congressional seats have been redrawn mid-decade since 2020, something that used to happen only after a census, once per decade. Texas redrew its maps in 2025 to add five Republican seats. California suspended its independent redistricting commission and redrew in response. Virginia and Florida followed. Redistricting has become an ongoing political instrument.
Last year's gerrymandering duel took an explosive turn when Louisiana's case, Louisiana v. Callais, was accepted by the Supreme Court's "shadow docket." The decision focuses on the constitutionality of the Voting Rights Act, and has been described as "dead" by at least one editorial. (More discussion, previously) The consequences of Callais have been swift and disastrous. In direct violation of the Purcell principle, which strongly suggests courts not grant emergency relief injunctions during an election, the court not only granted Louisiana its request to redraw maps of an election in progress, it also chose to skip the usual 32-day waiting period on orders. In response, the Governor has canceled primaries for US House Reps. Several other states have chosen to redistrict in response. Mississippi and North Dakota have active cases. In May, Tennessee redistricted for 2026, splitting up its only majority black district. Alabama is appealing its 11th Circuit map denial to the Supreme Court. But there is hope: yesterday Georgia cancelled special legislative sessions intended by Governor Kemp to redistrict the state and net his party several more seats in the 2028 election.

The Guardian

Latest news, sport, business, comment, analysis and reviews from the Guardian, the world's leading liberal voice

Lionel Messi’s family ask for ‘humanity’ as his father receives medical treatment

  • Jorge Messi, 68, ‘recovering and progressing favourably’

  • ‘At times like these, we ask for responsibility,’ says family

Lionel Messi’s father is undergoing medical treatment for an undisclosed illness and his family asked the media for “humanity” on Thursday amid rumours about Jorge Messi’s health while his son competes at the World Cup. “Jorge is going through a health situation,” the Messi family said in a statement.

The family did not specify the illness that the 68-year-old Jorge Messi is suffering from. “He is currently under medical observation, recovering and progressing favourably within his current condition,” the statement said.


Switzerland v Bosnia and Herzegovina: World Cup 2026 – live

⚽️ Kick-off time: 12pm local time/3pm EDT/8pm BST/5am AEST
⚽️ Player guide | Bracketology | Golden Boot | Email Daniel

Some more mails:

“Hello Daniel,” says regular correspondent, Krishna Moorthy. “Can’t believe this is your first MBM!”

Hi there. I just want to say, as someone born and raised in the US, that soccer will never be a truly major sport here until it’s shown on regular TV, and that’s not happening without ad breaks. I don’t write to praise US capitalism or the media landscape it produces! I only acknowledge that that’s the country I live in.


Clarke warns Scotland: ‘We must be at our best – Morocco are the real deal’

  • Head coach says 2022 semi-finalists are now even better

  • Scotland could deploy back three against Group C rivals

Steve Clarke has warned Scotland the Morocco team they will face on Friday are superior to the one who reached the semi-finals of the World Cup in 2022.

Scotland kicked off their tournament with a 1-0 win over Haiti, which came hours after Morocco impressed during a 1-1 draw with Brazil. Clarke answered with a firm “absolutely” when asked whether Morocco will pose as stern a threat as Brazil to his side in Group C.


CDC to tap $107m in emergency funding for Ebola response in DRC and Uganda

Number of people infected now tops 1,000 though health officials say the global risk remains low

The Centers for Disease Control and Prevention (CDC) will tap $107m in emergency funding for Ebola outbreak response in the Democratic Republic of the Congo (DRC) and Uganda, officials said on Thursday.

The continued Ebola outbreak in the DRC comes as Canada, Mexico and the US jointly host the Fifa World Cup, attracting visitors from around the world. The officials said the outbreak, now the third largest on record, required “strong immediate support”, but that the global risk remained low.


Naomi Campbell called unfit to run a charity in her appeal against ban

Supermodel ‘completely abdicated’ her trustee responsibilities at Fashion for Relief, Charity Commission tells hearing

Naomi Campbell showed herself to be unfit to run a charity after the supermodel “completely abdicated” her responsibilities as a trustee of her now defunct Fashion for Relief project, according to the charity watchdog.

The Charity Commission told a tribunal that Campbell, who is trying to overturn a five-year ban on running a charity, was “highly culpable” for mismanagement and misuse of funds at Fashion for Relief, the former charity she founded in 2015.


Mokoena rescues point for South Africa against Czechia and relieves pressure on Broos

They can put the matches away, at least for a little while. Before this game the South Africa head coach, Hugo Broos, had responded to fierce criticism for how his side had started the World Cup by revealing that eight months ago, having qualified for the competition, a friend told him they would erect a statue of him and that he had said: “Make it out of wood; that way it will burn more easily when I lose.” Defeated 2-0 by Mexico, they were seven minutes away from following that up with a 1-0 loss to Czechia, left with no points, no goals and not much hope either. But then, almost from nowhere, a penalty allowed them to live to fight another day, the bonfire avoided for now.

Teboho Mokoena was the man that scored it and what it meant could be seen not just in the way that he celebrated but in the tears that had rolled down his face during the national anthem. A draw is not a great result and it was not a great game but there was a smile at the end, and hope too. South Africa can still go through: victory over South Korea would virtually guarantee it; a win for the Czechs would see them through too. Whether they are capable of securing one is a different matter.


BBC pulls Ashley Cain documentary over abusive and misogynistic remarks

BBC says its vetting process ‘clearly failed’ after Guardian reveals presenter’s past comments about women

Warning: this article contains sexually explicit, offensive language

The BBC has pulled a documentary series with its controversial presenter Ashley Cain after revelations over his history of abusive and misogynistic comments about women.

In a statement late on Thursday, the BBC said its vetting requirements had “clearly failed” in the case of Cain, who was lauded by executives at the corporation for his ability to connect with young men. It added the BBC had “no plans” to broadcast a new series of Ashley Cain: Into the Danger Zone, a BBC programme that was filmed earlier this year at various locations across the world.


Behance Featured Projects

The latest projects featured on the Behance

Instinct Roastery


Folks, that 'language first' from the Ministry of Education is of course going to come to nothing at all

Yes, we slept on it for a night, but that new plan by State Secretary Tielen to put "language in first place" in education of course makes no sense whatsoever. One of the problems of our education is precisely that language is already in first place everywhere, right up to the final exam in Physics. You can say, like Eus, that "everything begins with language" (then why don't you begin yourself, ed.) but that is simply not the case. Sometimes something just begins with a good round of fucking, or with a small number of intuitively plausible axioms. And the annoying thing about language is: in the first instance you don't learn it at school, but at home. And hey, so there are children who learn it well at home, and children who don't learn it at home at all. That is not really a problem of education, but of society.

Call us sceptical, but the waste of talent of smart children who come from difficult home situations (inequality was once a problem, apparently it has already been solved again for the chattering classes) is really not going to be reduced if they have to spend all their time at school doing something they are not good at. Moreover, a teaching corps that consists mainly of unmotivated, moderately educated PABO customers (this column, that is) is not going to make all the children in Moerwijk in The Hague suddenly speak neat ABN (or old-fashioned broad Hague dialect, for that matter) anyway. And then we will once again get all kinds of subsidised quacks who shake a lot of money out of schools' pockets with methods based on dubious 'research', which ultimately come at the expense of what a school should be spending its money on, namely good teachers and a building you don't want to jump off because it is so musty/hot/run-down/ugly. "You can expect a further elaboration of the Versterkingsagenda Taal en andere Basisvaardigheden from me in the autumn", writes State Secretary Tielen. Please don't. Just toss that Versterkingsagenda into the same cupboard as that Taalgids.


Rijnmond - News

The latest news of today about Rotterdam, Feyenoord, traffic and the weather in the Rijnmond region

Car knocks over bicycle racks and ends up against fence at Willemsbrug

An accident involving two cars happened on Thursday evening at the Willemsbrug in the centre of Rotterdam. One of the vehicles knocked over several bicycle racks and came to a stop against a fence.

Gil and Moti still fighting for acceptance 25 years after first gay marriage

25 years after they became the first gay couple to marry in Rotterdam, Gil and Moti are presenting an exhibition at art gallery Nieuw Charlois. The central question in their art project: how do people now think about love, equality and acceptance with regard to gay people? "We believe that art can contribute a lot."