Technisch directeur Dévy Rigaux bevestigt donderdagmiddag dat Charles Vanhoutte op weg is naar De Kuip. De Belgische middenvelder wordt hoogstwaarschijnlijk de eerste zomerse versterking van Feyenoord. "Op alle scoutinglijsten stond hij bovenaan."
Een inwoonster uit Spijkenisse is na een babbeltruc sieraden en bankspullen kwijt. Even later pint de verdachte geld van de bankrekening van de vrouw.
Om middernacht staan drie vrienden te praten op de Rotterdamse Schiedamse Vest. Twee mannen lopen op de vriendengroep in. Als ze worden aangesproken, wordt een van de twee mannen gewelddadig.
DEN HAAG (ANP) - VNO-NCW en MKB-Nederland roepen ondernemers met een WordPress-website op om "zo snel mogelijk" hun beveiliging te controleren. De werkgeversorganisaties doen dit naar aanleiding van een grote internationale politieactie deze week. Daarbij werd een belangrijk netwerk van cybercriminelen verstoord dat WordPress-websites misbruikt om malware te verspreiden onder bezoekers.
Onder de slachtoffers in Nederland zijn restaurants, autogarages en andere mkb-bedrijven met een eigen website. Bijna 15.000 besmette sites zijn inmiddels opgeschoond.
De slachtoffers zijn vaak kleinere bedrijven die "zelden een eigen IT-afdeling hebben en mogelijk niet goed zijn beveiligd", schrijven VNO-NCW en MKB-Nederland. De groep ondernemers is geraakt via gelekte wachtwoorden en een verborgen achterdeur in de site.
Politie en het Nationaal Cyber Security Centrum (NCSC) hebben uiteengezet welke stappen gebruikers en beheerders van een WordPress-site moeten zetten, stellen de organisaties.
DEN HAAG (ANP) - Vanwege de hitte zijn meer sportevenementen de komende dagen aangepast of afgelast. Sinds donderdagochtend is in het hele land het Nationaal Hitteplan en daarmee ook code geel van kracht.
De TT City Run in Assen op zaterdag had in eerste instantie het programma ingekort, maar besloot donderdagmiddag om het hele evenement niet door te laten gaan. "We hebben continu gekeken welke onderdelen nog verantwoord georganiseerd konden worden", zegt projectleider Sharon Rodenburg. "Uiteindelijk moesten we constateren dat de risico's te groot werden."
De Klimaatmarathon van Running 4 Climate op de Utrechtse Heuvelrug heeft het programma van vrijdag flink aangepast om de verwachte hitte. De routes vanaf Driebergen-Rijsenburg en Hilversum zijn ingekort en de organisatie verwacht dat iedereen met gemak voor 10.00 uur 's ochtends binnen is.
Goed voorbereid
Ook het fietsevenement Climate Classic op vrijdag is in overleg met het KNMI en de GGD aangepast. "Hoewel de actualiteit vraagt om aandacht voor klimaatverandering, vinden wij de gezondheid en veiligheid van alle deelnemers van groot belang", staat op de website. "Om dit te garanderen willen we zorgen dat na 14.00 uur niemand meer 'in koers' is."
De organisatie van de internationale atletiekwedstrijd FBK Games, zondag in Hengelo, wijst vooral de ongeveer 8000 bezoekers erop extra te drinken en voldoende zonnebrand te smeren. De atleten die in actie moeten komen, zijn goed voorbereid en trainen ook vaak onder warme omstandigheden, zegt een woordvoerster. Het hardloopevent de FBK Dubbele Mijl, dat donderdag gepland stond, is afgelast.
'Nevelstraat'
De Inner Circle Run in Hendrik-Ido-Ambacht gaat donderdag vooralsnog door, maar er zijn wel extra maatregelen getroffen. Zo heeft de organisatie extra waterpunten geplaatst en richt de brandweer na de finish een zogenoemde 'nevelstraat' in, waar de lopers kunnen afkoelen.
Eerder was al bekend dat wegens de hitte onder meer de Vuurtorenloop in Hoek van Holland vrijdag niet doorgaat.
HOUSTON (ANP/AFP) - Een man uit het Duitse Alsfeld heeft aangifte gedaan bij de politie omdat beelden van hem op het WK zo zijn bewerkt met AI dat hij eruitziet als Adolf Hitler. Hoewel hij zelf niet herkenbaar is op de foto, is zijn zoon die naast hem staat dat wel, zegt hij tegen Duitse media.
Op de beelden van zondag is de man in het publiek te zien terwijl hij juicht voor een gescoorde penalty tijdens de wedstrijd tegen Curaçao. De beelden zouden vermoedelijk door een Amerikaan zijn bewerkt, waarna die op grote schaal werden gedeeld op de sociale media. Waarom de maker van de beelden dit deed, is niet duidelijk. Volgens persbureau DPA gebruikte die OpenAI voor de bewerking.
De man zegt contact te hebben opgenomen met zowel de politie in Duitsland als die in de VS. Hij zegt dat het incident zijn plezier op het WK niet zal bederven.
Op andere met AI bewerkte beelden waren Duitse fans te zien die een Hitlergroet zouden brengen.
LOCARNO (ANP) - Wielrenster Urška Žigart heeft donderdag haar kaak gebroken bij een val in de tweede etappe van de Ronde van Zwitserland. Dat meldt haar ploeg AG Insurance - Soudal. De 29-jarige Sloveense, die verloofd is met wereldkampioen en viervoudig Tourwinnaar Tadej Pogačar, kwam in de laatste kilometer van de etappe ten val.
In het ziekenhuis is een kaakbreuk geconstateerd, maar "gelukkig", schrijft de ploeg, heeft ze geen andere verwondingen of blessures. Žigart stond na de eerste etappe zeventiende in de Ronde van Zwitserland.
Denemarken, een van de grootste varkensexporteurs ter wereld, wil dat de varkenshouderij zich juist minder op export gaat richten. Op een boerderij boven in Jutland is boer Erik Pedersen sceptisch. „Ik doe fucking hard mijn best.”
/s3/static.nrc.nl/wp-content/uploads/2026/06/16082034/160626ECO_2034165573_1.jpg)
Een fijne opsteker voor Sittard: Groninger Menno heeft deze week ‘Defend Sittard’ opgericht. Naar eigen zeggen is het een groepering die de belangen en cultuur van Sittard verdedigt en die vindt dat alle buitenlanders ‘moeten opkankeren naar hun eigen land’. De bevlogenheid waarmee de Noorderling in de bres springt voor Sittard wordt door veel niet-inwoners ‘hartverwarmend’ genoemd.
“Ik heb echt een hart voor Sittard, eigenlijk voor heel Brabant”, laat Menno weten. “Net zoals ik dat voor Wijk bij Duurstee, en Loosrecht, en Meerkerk heb. Dat zit gewoon in mijn bloed. Dat heb je of dat heb je niet he?”
Menno staat niet alleen in zijn passie voor Sittard, die plotseling opbloeide toen er plannen voor een azc in die stad werden aangekondigd. “Er is al veel animo voor Defend Sittard”, laat hij weten. “Jos uit Anna Paulowna, Cees uit Etten-Leur en Giel uit Workum hebben allemaal laten weten te komen bij de eerstvolgende demonstratie.”
Tot nu toe heeft Menno nog weinig aanmeldingen uit de regio Sittard zelf. Met leuzen als "Sittard, dit kan beter!”, probeert hij dan ook de lokale bevolking te overtuigen van de overlast die de 16 asielzoekers zullen veroorzaken. “Weet je wat het is, Sittardenaren, of Sittarders, zijn hele bescheiden mensen, die durven niet voor hun eigen op te komen. Daarom doen wij dit, geheel belangeloos. Je geeft toch om een ander, nietwaar?”
&
Our cartoonist looks at Australia’s involvement at the tournament with a place in the knockout phase tantalisingly close
Continue reading...How you respond will depend on who expects you to manage your sister’s emotions, writes advice columnist Eleanor Gordon-Smith. Is it her, or something you’ve put on yourself?
Read more Leading questions
I’m engaged and my sister is single and feels “behind”. Lately she mentioned how the people in her life (me included) going through milestone moments triggers her. She even got upset and admitted she was worried she’d never have kids. What can I say to that? How do you comfort someone who wants the things you have or might have soon?
She has felt behind for a long time, and I’ve had many a conversation with her when she’s got upset about still living at home, still not having the career she wants, etc. But she is still in the same situation, and my empathy is running low. Especially now I know my engagement is triggering for her! I deserve to feel happy during my wedding planning era but after she told me how she felt, I feel guilty for being happy.
I guess my question is: do I tiptoe around her and avoid wedding talk or should she just put a smile on her face and talk to her friend about her triggers? I hate to say it but my mental load is preferring the latter.
Eleanor says: Why are the options that you tiptoe around or she puts a smile on her face?
Continue reading...In a remake-riddled TV landscape, its fresh combination of jokes and intrigue offers something for everyone – the casual and obsessive viewer alike
In the last few weeks, you may have been seeing a lot of buzz around a show called Widow’s Bay. I am here to provide more buzz, like a loyal bee foot soldier to the queen (television).
In this dire existing-IP-driven remake-riddled landscape, an offering this fresh is the best thing in the world. The tone of the show is what has grabbed me the most, striking the exact right balance (in my correct opinion) between scary mystery vibes, and hilarious comedy. At no point does it sacrifice comedy for the more serious parts, and I really appreciate that. For example, in the penultimate, thrilling, everything’s-about-to-happen episode, they slow down for an eight-minute scene involving a side character named Rosemary, which moves the plot forward slightly but is mainly there to shine a light on the incredible comedy chops of actor Dale Dickey.
Continue reading...Pictures from photographer’s return to Lacock after 40 years were taken months before his death last December
The images are colourful, characterful and thought-provoking. They capture a flower show, a Women’s Institute meeting, a scarecrow festival. A local vicar features, resplendent in a union jack bowler hat, as does a band of bellringers and a bulldog called Billy.
Four decades after chronicling life in the picture-postcard English village of Lacock in Wiltshire, the photographer Martin Parr returned to document what had changed – and what had not.
Continue reading...Top 10% generate climate and biodiversity damage bill that exceeds economies of most countries, say researchers
The environmental damage bill racked up by the highest-consuming 10% of the world’s population has reached up to $5.7tn a year – larger than the economy of every country except the US and China, a study has found.
Mega-consumers in this group are concentrated in the global north, accounting for more than half the population of the US and 40-45% of people in the EU.
Continue reading...
EXCLUSIVE Google has a security hole in a Kubernetes operator that could allow attackers to bypass Google Cloud Platform (GCP) identity and access protections and gain full control over any organization's cloud environment. Or it has a serious communication and transparency problem when it comes to its bug bounty programs. Maybe both. Researcher and frequent cloud bug hunter Justin O'Leary told us that he found and reported to Google a major flaw that allows any Kubernetes namespace user to bypass GCP's Identity and Access Management (IAM) controls and therefore gain root access to managing an organization's cloud resources. Google initially rated the bug high priority and high severity, with a rep telling O'Leary "Nice Catch!" Then, the cloud giant changed course and told O'Leary and The Register that there's no vulnerability, so no fix and no reward payout. The bug report, however, is still marked high-priority and accepted. O'Leary spoke exclusively with The Register about the vulnerability, which he named ConfigConfusion, and what has happened since he reported it to Google on March 8. He is also releasing a blog post with more details. It stems from an issue in Config Connector, an open source Kubernetes add-on that lets users manage Google Cloud resources through Kubernetes. According to O'Leary, Config Connector doesn't perform an authorization check, and this allows any Config Connector service account with org-level permissions to bypass Identity and Access Management (IAM) authorization and gain the highest level of control (roles/owner) to an entire GCP Organization – the root node of all of a company's resources within Google Cloud. On March 27, a Google security engineer accepted O'Leary's report and told him: "Nice catch!" The employee said that they filed a bug based on O'Leary's report with the relevant product team and assured him the Chocolate Factory's security squad would work with relevant Google Cloud people to fix the flaw. "We'll work with the product team to ensure this issue is address. We'll let you know when the issue was fixed," the engineer said. "In the meantime, review the payment option selected in your bughunters.google.com profile." Google assigned the bug P1 priority and S1 severity, signifying a flaw worthy of urgent repair because it affects a large percentage of users and can disrupt core organizational functions. "I figured that was the end of that," O'Leary said in a phone interview with The Register. Eleven days later, on April 7, he received a new message from a Google Security Bot reversing the earlier decision. The Reg viewed the email, and O'Leary included a screenshot in his Thursday writeup. The message said that the Cloud Vulnerability Reward Program panel decided that the "security impact of this issue does not meet the criteria to qualify for a reward." After reviewing the bug report, Google determined the software "is working as intended," the message continued. It also noted that the program's decision not to pay a bounty "does not mean that the product team won't fix the issue." Nearly three months later, the case remains P1/S1 with the status "in progress (accepted)." Google hasn't assigned a CVE or issued a fix. O'Leary didn't receive any reward for his research. This isn't the first time this has happened to O'Leary – or other security researchers submitting bug bounty reports. O'Leary had a similar experience with Microsoft earlier this year. In a story that has become all too familiar among bug hunters, O'Leary disclosed a privilege escalation vulnerability in Azure Backup for AKS. Microsoft rejected his report – and then silently patched the flaw without assigning a CVE or publishing a security advisory. "This is a pattern," O'Leary told us. "This is just how these trillion-dollar companies deal with people like me. In my day job, we use GKE, and it's incredibly frustrating on my end, when I find a critical vulnerability in the system that's being widely used, and I can't even get the vendor to patch their own stuff." Google's response When The Reg asked Google about O'Leary's situation, the company told us that it didn't issue a bug bounty reward because there's no vulnerability. “The issue reported does not qualify for a reward because the GCP IAM authorization bypass is only exploitable if an attacker has access to a Config Connector Service Account that’s been granted the Organization Admin role by the organization (i.e., it is privileged)," a Google spokesperson said in an email to The Register. "Additionally, an attacker would first need to gain entry to an organization's environment (e.g., an exposed container) in order to leverage the privileged Config Connector instance and execute commands with administrative authority, such as the IAM bypass," the spokesperson continued. "Granting this level of access to the Config Connector Service Account goes against Google Cloud’s publicly shared best practices and the principle of least privilege." Google did not answer The Register's questions about why the bug report case remains marked in progress – and not closed – on its end of things. O'Leary told us this is the same explanation he received. And he doesn't buy it. Yes, the Config Connector service account does need org-level permissions to manage resources across multiple GKE clusters. But Google's own documentation instructs users how to do this, he noted. We confirmed this as well. Moreover, "having those permissions doesn't mean any namespace user should be able to abuse them," O'Leary posited. "A developer with kubectl access to one namespace – and zero GCP IAM permissions – should not be able to become Organization Owner. They also shouldn't be able to impersonate any service account in the project with no audit trail." According to O'Leary: "The vulnerability is the missing authorization check. Config Connector executes privileged operations on behalf of users without verifying those users are authorized." Three lines, five seconds, full admin control In a video demonstrating ConfigConfusion, O'Leary shows how an attacker can write three lines of YAML to achieve full administrative control of a GCP Organization in about five seconds. "Config Connector has these missing validation checks," he said. "Config Connector is basically a Google-managed Kubernetes operator, and I found that having these missing validation checks creates these confused deputies, which means there's no validation of who's asking for what." Confused deputies pose a major security challenge because they allow an entity that doesn't have permission to perform an action to force a more-privileged entity to perform the action. To exploit this issue, a user with kubectl access to one namespace – and no GCP permissions – submits a malicious IAMPolicyMember, which escalates the attacker's privileges. Config Connector passes the user-controlled organization ID directly to the GCP IAM API without performing an authorization check, making the user a GCP Organization owner. This gives the attacker full admin control over everything in the environment – projects, secrets, billing, and Gmail accounts. "And there's no record of it," O'Leary said. This is because "the attacker's Kubernetes identity never touches GCP IAM," he wrote in the disclosure. "Config Connector executes the request using its own elevated credentials." 'Jenga' vulnerabilities According to O'Leary, Google has fixed this confused-deputy issue twice before in different services that access GCP. Tenable Research documented those issues and reported them to Google. One, called ImageRunner, abused permissions in Google Cloud Run to pull private Google Artifact Registry and Google Container Registry images in the same account. The second, ConfusedComposer, allowed an identity with edit permissions inside a Cloud Composer environment to escalate privileges to the default Cloud Build service account. "This privilege-escalation vulnerability in GCP builds upon a broader attack class of vulnerabilities in cloud services that we call 'Jenga,'" Tenable security researcher Liv Matan said at the time. ConfusedComposer "exploits the somewhat-hidden cloud provider misconfigurations related to cloud services permissions to escalate privileges beyond intended access levels," Matan explained. "This variant highlights how attackers can abuse interconnected services the cloud provider automatically deploys behind the scenes, as part of a service-orchestration process." Google ultimately added authorization checks to both Cloud Run and Cloud Composer. O'Leary says he doesn't understand why Google can't also add that check to Config Connector. Or perhaps he does. "It's just me versus Google," he said. "They can't do that same level of gaslighting to Tenable because they have PR teams and legal teams to fight them. I'm just a guy saying I don't understand how this is true" – that is, how something can be both a high-severity, high-priority bug and also working as intended. "And they just say: 'Well, it is true.'" ®
