this isn't happiness.

ART, PHOTOGRAPHY, DESIGN & DISAPPOINTMENT

Never quit, Hiro Wakabayashi.

InfraMunk, Gmunk

The Guardian

Latest news, sport, business, comment, analysis and reviews from the Guardian, the world's leading liberal voice

Spotify and Universal Music agree deal to let subscribers create AI remixes

Licensing agreement will allow listeners to use AI to create content on streaming platform for first time

Spotify and Universal Music Group have agreed on a deal that will allow subscribers to generate song covers and remixes using artificial intelligence.

The licensing agreement is the first time the Swedish streaming company will allow listeners to use AI to create content through its platform.

Trump says he will ‘try and make’ son’s wedding, but timing is ‘not good’ for him

‘I have a thing called Iran, and other things,’ says president as he considers invitation to Donald Trump Jr’s nuptials

Get Me to the Church on Time, sang Alfred Doolittle in the musical My Fair Lady. But for Donald Trump, attending a wedding is not simple – even when it’s that of his son.

On Thursday, the US president admitted that he might skip Donald Trump Jr’s nuptials, reportedly taking place in the Bahamas over the upcoming Memorial Day weekend.

Lupita Nyong’o responds to rightwing criticism of The Odyssey: ‘Our cast is representative of the world’

The Oscar-winning actor’s role in the mythical drama has been attacked by Elon Musk and others on the far right

Oscar-winning actor Lupita Nyong’o has responded to far-right criticism of her role in Christopher Nolan’s adaptation of The Odyssey.

In the big-budget film, out in July, the star plays Helen of Troy alongside cast members including Matt Damon, Anne Hathaway, Tom Holland and Zendaya.

Designs for 250ft arch in Washington approved by panel of Trump appointees

Approval marks key step forward for project dubbed ‘Arc de Trump’, which will be near Arlington national cemetery

The US Commission of Fine Arts on Thursday approved designs for Donald Trump’s proposed 250ft triumphal arch in Washington.

The vote by the panel, which is made up of Trump appointees, marks a key step forward for the project. Next month, the proposed design is set to be reviewed by the National Capital Planning Commission, another federal panel that oversees planning for federal buildings and land.

Tim Henman steps in to grand slam pay row to deter player protests at Wimbledon

  • Players have demanded bigger prize pots at top events

  • Henman has secured meeting with players at Roland Garros

Wimbledon will offer to create a new player council in a meeting with leading player representatives scheduled for Roland Garros next week, with Tim Henman having intervened in the ongoing row over grand slam prize money.

The Guardian has learned the former British No 1 and All England Club Board member held talks with several top players, including representatives of the WTA Players’ Council at the Italian Open in Rome earlier this month. A formal meeting between Wimbledon officials and player agents at the French Open will follow.

‘We’re the good ones. I really believe that’: meet the German billionaire behind the Enhanced Games

Having unearthed the world’s largest triceratops head, Christian Angermayer knows where to find treasure among the dirt. Step forward Sunday’s inaugural ‘Steroid Olympics’ promoting PEDs to the masses

Before we get to doping and psychedelics, arguably the most controversial man in sport is discussing how he came to own the largest triceratops skull ever discovered. And how he plans to install it in his London apartment.

So how much did you pay for it, I ask Christian Angermayer, the German billionaire who has made fortunes from biotech, bitcoin and psychedelics and now intends to do the same again using – and many believe abusing – sport. “Not a lot, because I find them.”

The Register

Biting the hand that feeds IT — Enterprise Technology News and Analysis

Threat hunters find Google API keys still usable 23 minutes after deletion

You know your Google API key has leaked, so you rush to delete it before bad actors can start running up charges on your account. Bad news: according to security researchers at Aikido, a deleted key can keep working for up to 23 minutes, creating a window of opportunity that, combined with Google's automatic billing tier upgrades, can devastate victims.

“We've identified a substantial window where an attacker with access to a leaked Google API key can continue to misuse that credential, after the user believes the key is revoked,” Joseph Leon, a security researcher with Aikido, told The Register. “In that window, an attacker could run up charges, pull sensitive files uploaded to Gemini, and exfiltrate cached context.”

Aikido tested the gap in 10 trials over two days. In each trial, researchers created an API key, deleted it, and then sent three to five authenticated requests per second until no valid response had come back for several minutes. Deletion propagates gradually across Google's infrastructure, Leon said: some servers reject the key within seconds, while others keep accepting it for 23 minutes. An attacker holding a deleted key can therefore keep sending requests until one reaches a server that has not caught up, he said. If Gemini is enabled on the project, they can dump files that were uploaded and exfiltrate cached conversations.

The paper cites a similar problem researchers disclosed in December involving AWS keys. In that case, attackers had a four-second window after deletion, and researchers showed how they could create new credentials in that time. “Four seconds was enough to matter on AWS,” Leon wrote in the paper. “Given recent attention to Google API keys used to access Gemini, we set out to measure how long Google's API key revocation window remains open.”

Flaws can hit devs with huge surprise bills

The Register has reported numerous cases of Google API key abuse in which developers are suddenly hit with five-figure bills after their credentials are compromised. The problem was compounded in April after Google reworked its billing policy to include spending tiers. While developers initially thought of the tiers as a way to limit costs, Google automatically upgrades a project's spending tier to the next level without telling them. For accounts that are older than 30 days and have spent more than $1,000 over their lifetime, the cap can jump from $250 to $100,000 when usage spikes – a windfall for crooks if the credentials fall into the wrong hands.

Developers whose Google API keys were stolen told The Register that their bills rocketed into five figures within minutes of the theft, as bad actors loaded up on Google's Gemini models such as Nano Banana and its video production model Veo 3. Google issued refunds in the three instances The Register brought to its attention, returning $154,000 to those developers. The victims said that during the attack they were frantically trying to shut down the spending and turn off access to their projects even as costs climbed by thousands of dollars. Leon said that even when a developer tries to shut off access, deleting the API key still leaves crooks time to inflict damage.

“It's hard to put a dollar figure on it,” Leon told us. “The window averaged 16 minutes in our testing and stretched to nearly 23 at the worst. During that window, the success rate is wildly unpredictable. We saw minutes where over 90% of requests still authenticated, and others where fewer than 1% did. An attacker who knows this can send requests at high volume to maximize their odds of hitting a server that hasn't caught up. For Google API keys with Gemini access, the damage isn't just a compute bill. It's the files and cached context an attacker can exfiltrate before the key actually dies.”

Using VMs, Aikido tested its findings across three Google Cloud regions – east coast US, western Europe, and southeast Asia – and then spot-checked those results on different dates. For each trial, Aikido deleted a single API key and sent requests from each of the three VMs in parallel, Leon wrote in the paper.

“VMs further from the US picked up the deletion faster, which is the opposite of what you'd expect. We can't say exactly why from the outside. Google's request routing is more complex than ‘VM region equals server region,’ and a VM in Singapore isn't necessarily talking to servers in Singapore,” the paper states. “But the pattern was consistent across trials, which points to something about regional infrastructure, caching, or routing affinity driving the difference.”

The trials used keys with access to Gemini, but Leon observed the same behavior with keys scoped to other GCP APIs, such as BigQuery and Maps. Google has built faster revocation for other credential types, he said: service account credential revocations propagate in about 5 seconds, and Gemini's newer API key format – the one that starts with AQ – propagates in about a minute. “Both run at Google scale. Both suggest this is technically solvable for Google API keys, too,” Leon wrote.

But Google told Aikido it has no plans to address the 23-minute gap found with its other API keys. “After reviewing our report, they closed it as ‘Won't Fix (Infeasible)’ with the comment ‘the delay due to propagation of the deletion of these keys is working as intended,’” Leon told us. The Register has reached out to Google about this research, but has not yet received a response. ®
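A way to reproduce the measurement described above on your own project, as an added example that is neither The Register's nor Aikido's code: delete a key, then keep sending authenticated requests at a fixed rate until nothing has authenticated for a quiet period, and report when the key was last accepted and what fraction of requests succeeded in each minute. The Gemini endpoint used by `gemini_probe` (the `models` listing, with the key passed as a query parameter) is an assumption about the public API, not something the article states. The `SimulatedFleet` and its learn-offsets are constructed so the file runs offline; they model the pattern Leon describes, where some servers drop the key in seconds and others keep honouring it for many minutes, and the numbers are made up.

```python
"""Probe how long a deleted API key keeps authenticating.

Added example, not Aikido's tooling. The measurement loop mirrors the
article: delete the key, send N requests/second, stop once a quiet
period passes with no acceptance. `clock` and `sleep` are injectable so
the simulated run below finishes instantly.
"""
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ProbeResult:
    # (seconds since the key was deleted, request accepted?)
    samples: List[Tuple[float, bool]]

    def last_accepted(self) -> Optional[float]:
        """Seconds after deletion at which the key was last accepted."""
        hits = [t for t, ok in self.samples if ok]
        return max(hits) if hits else None

    def acceptance_by_window(self, window: float = 60.0) -> Dict[int, float]:
        """Fraction of requests accepted in each `window`-second bucket."""
        totals: Dict[int, List[int]] = {}
        for t, ok in self.samples:
            bucket = totals.setdefault(int(t // window), [0, 0])
            bucket[0] += int(ok)
            bucket[1] += 1
        return {k: hit / n for k, (hit, n) in sorted(totals.items())}


def probe_revocation(
    send: Callable[[], bool],
    rate_hz: float = 5.0,
    quiet_seconds: float = 300.0,
    max_seconds: float = 3600.0,
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> ProbeResult:
    """Call `send` (True iff the key was accepted) `rate_hz` times per
    second, starting right after the key was deleted, and stop once
    `quiet_seconds` pass without a single acceptance or `max_seconds`
    elapse. Returns every sample so the caller can see the flapping."""
    start = clock()
    last_ok = start
    samples: List[Tuple[float, bool]] = []
    while True:
        now = clock()
        ok = send()
        samples.append((now - start, ok))
        if ok:
            last_ok = now
        if now - last_ok >= quiet_seconds or now - start >= max_seconds:
            return ProbeResult(samples)
        sleep(1.0 / rate_hz)


def gemini_probe(api_key: str) -> Callable[[], bool]:
    """Real-world `send`: a cheap authenticated call against the Gemini API.
    The endpoint and key-as-query-parameter convention are assumptions
    about the public API. True on HTTP 200, False on any 4xx (key
    rejected); transport errors and 5xx propagate to the caller."""
    url = f"https://generativelanguage.googleapis.com/v1beta/models?key={api_key}"

    def send() -> bool:
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.status == 200
        except urllib.error.HTTPError as err:
            if 400 <= err.code < 500:
                return False
            raise

    return send


class SimulatedFleet:
    """Constructed stand-in for a backend where each server learns about the
    deletion at its own offset (seconds) and requests are spread round-robin
    across servers. Offsets are made-up numbers for the offline demo."""

    def __init__(self, learn_offsets: List[float], clock: Callable[[], float]):
        self.offsets = learn_offsets
        self.clock = clock
        self.t0 = clock()
        self.n = 0

    def send(self) -> bool:
        server = self.n % len(self.offsets)
        self.n += 1
        # A server still accepts the key until it has learned of the deletion.
        return self.clock() - self.t0 < self.offsets[server]


def fake_clock() -> Tuple[Callable[[], float], Callable[[float], None]]:
    """Deterministic clock/sleep pair: sleep advances the clock instantly."""
    state = {"ms": 0}

    def clock() -> float:
        return state["ms"] / 1000.0

    def sleep(seconds: float) -> None:
        state["ms"] += int(round(seconds * 1000))

    return clock, sleep


if __name__ == "__main__":
    clock, sleep = fake_clock()
    # Five servers that drop the key after 2 s, 1 min, ~7 min, 15 min, 23 min.
    fleet = SimulatedFleet([2, 60, 400, 900, 1380], clock)
    result = probe_revocation(fleet.send, rate_hz=4, clock=clock, sleep=sleep)
    last = result.last_accepted()
    print("last accepted %.2fs after deletion" % last if last is not None else "never accepted")
    for minute, rate in result.acceptance_by_window().items():
        print(f"minute {minute:2d}: {rate:6.1%} of requests still accepted")
```

Against a real key, call `probe_revocation(gemini_probe(key))` the moment you delete the key in the console; the per-minute table is the figure to compare with the "over 90%" and "fewer than 1%" swings Leon describes, and `last_accepted()` is your project's actual revocation window. Do this only on a project you own, and note that the loop stops on a quiet period, so a brief burst of late acceptances after five silent minutes would be missed: raise `quiet_seconds` if you want to rule that out.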

Npm registry sets stage for more secure package publishing

GitHub's npm package registry has rolled out a publishing approval step to prevent the distribution of compromised packages before they can poison the software supply chain.

Modern software development relies on imported bundles of code known as packages (and sometimes libraries or modules). In the past decade or so, miscreants have focused on gaining access to the accounts of package maintainers: subverting a widely used package offers a fast track to malware distribution.

Last December, amid the Shai-Hulud 2.0 campaign that compromised software packages, GitHub described a series of planned security measures intended to harden security for npm package publishers. One of those measures, staged publishing, has now been implemented. GitHub on Wednesday merged npm stage into the npm CLI (v11.15.0) and has updated the registry documentation that describes the process.

Staged publishing might also be called gated publishing: it requires a project maintainer to approve changes to a package that has been staged for release. It has been under discussion since 2020.

"Instead of publishing directly with npm publish, you can submit packages to a staging area with npm stage publish," the documentation explains. "A maintainer must then review and explicitly approve the staged package — with two-factor authentication (2FA) via the CLI or npmjs.com — before it becomes publicly available."

This process should have particular value for automated workflows, which typically don't include a way to authorize via 2FA. Automated workflows often rely on tokens for authentication, but tokens can be copied and stolen, and tokens that remain valid for long periods become attractive targets for cyberattackers. That's why GitHub did away with long-lived classic tokens and encouraged the use of short-lived session tokens and permission-limited access tokens for automation.

GitHub's discontinuation of classic tokens hasn't gone all that well, because short-lived tokens tend to expire at inconvenient times – no one likes having to regenerate tokens every 90 days or less and then go through the reconfiguration process. Staged publishing should make it easier for developers to set up maintainable workflows without burdensome re-authentication rituals: automation can stage the package, and the 2FA approval that actually publishes it can happen later.

GitHub also offers trusted publishing as a way to establish trust between npm and the developer's CI/CD provider using OpenID Connect (OIDC) authentication. The OIDC mechanism still doesn't work when publishing a package for the first time, but together with staged publishing, the software supply chain looks a bit more defensible – so long as developers avail themselves of these tools. ®

HackerOne takes an axe to its bug bounty rewards

Finding vulns just doesn't pay like it used to. At least one bug hunter who found an open source security flaw and reported it months ago via HackerOne's backlogged Internet Bug Bounty (IBB) program has finally been paid for his work - but at a drastically reduced reward rate.

The security researcher found a medium-severity vulnerability that previously paid $1,843. As of Monday, HackerOne's IBB pays $297 for the same severity level. Similarly, the new IBB cash prize for a critical vulnerability is $2,257, compared to the previous $9,250 reward. High-severity bugs now fetch $1,009, while they used to earn a $4,429 payout. And low-severity bugs earn researchers $68, compared to the previous $597 reward.

HackerOne's IBB remains on a break and is not accepting new submissions. “The IBB program is currently paused while we evaluate adjustments to the program that will maximize value to researchers, sponsors, and the open-source ecosystem,” a spokesperson told us. “We remain committed to strengthening open source security through ethical security research.”

When asked if AI-generated reports played a role in the pause and reduced reward amounts, the spokesperson didn't give us a direct answer. “The Internet Bug Bounty is a unique, dynamic program where bounty levels automatically adjust based on the contributions from active participating sponsors,” the HackerOne spokesperson said. “Payouts under this program are regularly adjusted accordingly, as provided in the IBB program description.”

Tale of two hackers

Back in January, The Register talked with hacker Jakub Ciolek, who told us he reported two denial-of-service bugs in Argo CD, a popular Kubernetes controller, via HackerOne's IBB program last fall. Both were assigned CVEs and fixed. Ciolek expected to receive about $8,500 for the two flaws - but instead HackerOne ghosted him for months, finally sending him an email after The Register reached out to the bug bounty platform. HackerOne thanked him for his patience and said his bug reports remain "pending reward processing due to a temporary operational backlog."

Shortly after, we heard from another researcher in a similar situation. “I still hope to get some bounty some day for it,” the bug hunter told The Reg, noting that HackerOne had set an end-of-March deadline to sort the backlog. On Wednesday, this hacker told us he had finally received a bounty announcement and payout from HackerOne, although at $297 it was less than expected, because the payout amounts changed after the report was submitted. “I am glad I finally got something,” they said.

Ciolek said he's still waiting for any word from HackerOne, and told us repeatedly that this isn't about the money. “The reduced payout is a symptom,” he said. “The economics of vulnerability reporting are changing very quickly.”

Until just a few months ago, project maintainers - and bug hunters themselves, Ciolek included - dismissed this as an AI-slop problem. Recently, however, as models have gotten far better at writing code and exploits, open source projects can't keep up with the pace of bug reports, which still require humans to evaluate them.

"Over the last few months, we have stopped getting AI slop security reports in the curl project,” Daniel Stenberg, founder and lead developer of curl, famously said in a social media post. "They're gone. Instead, we get an ever-increasing amount of really good security reports, almost all done with the help of AI." Linux kernel maintainer Greg Kroah-Hartman also noted in an interview with The Register that AI-assisted bug reports contained less slop and more valid concerns. On Sunday, Linux kernel boss Linus Torvalds declared that the project's security mailing list has become “almost entirely unmanageable” because multiple researchers are using AI to find bugs and then filling the list with duplicate reports.

“The recent Linux security mailing list situation is a clear signal: AI-assisted reports are increasingly real enough to matter, but numerous enough to overwhelm the people who have to validate and fix them,” Ciolek told us. “Bug bounties were supposed to reward what was scarce,” he continued. “That used to be discovery. Today, finding plausible bugs is becoming much cheaper, and generating reports is easy to scale. The expensive part is still very human: someone has to verify impact, deduplicate reports, decide whether something really crosses a security boundary, coordinate disclosure, and get a safe fix shipped.”

While Ciolek says he's sympathetic to the changing economics, and to the limited capacity of overworked, underpaid open source maintainers to investigate every serious-looking security report, the trust issue between researchers and bug bounty programs remains. “The trust issue here is that the change was effectively applied long after the work was already done, fixed, and publicly credited under a different expectation,” Ciolek said. “Responsible disclosure depends on researchers believing the process is predictable. The rules should not change after the work is complete. Serious researchers will price that in as risk, or they will stop participating.”

Ciolek says he's no longer actively doing bug bounty research, but will report serious issues as he finds them. “With the current flood of findings, I don't want to add more volume unless I'm confident the issue is serious enough,” Ciolek said. “In this AI-assisted era, the valuable work is no longer just ‘I found another bug.’ It is ‘I verified this matters and helped get it fixed.’ I think the original discovery-first bug bounty model is becoming obsolete. The next model has to reward more of the remediation cycle, not only the finding.” ®

Wel.nl

Read less, know more.

Wall Street closes higher again, Nvidia among the fallers after results

NEW YORK (ANP) - The New York stock markets closed with small gains on Thursday, extending the hefty rises of a day earlier. AI chip group Nvidia, however, was among the losers on Wall Street after publishing quarterly results after Wednesday's close.

Nvidia fell 1.8 percent. The largest seller of chips for artificial intelligence (AI) once again posted record results last quarter. Revenue rose 85 percent year on year to 81.6 billion dollars on continued strong demand for chips for AI data centres. According to CEO Jensen Huang, the build-out of AI factories is proceeding at "exceptional speeds". Nvidia is the most valuable company in the world, with a market capitalisation of more than 5 trillion dollars.

The Dow Jones index ended 0.6 percent higher at 50,285.66 points. The broad S&P 500 climbed 0.2 percent to 7,445.72 points and the technology gauge Nasdaq gained 0.1 percent to 26,293.09 points. US markets had risen as much as 1.5 percent a day earlier.

Oil

The price of a barrel of US oil fell 1.1 percent to 97.20 dollars, and Brent crude became 1 percent cheaper at 103.95 dollars a barrel, after having traded higher earlier in the day. On Wednesday prices had already dropped sharply on hopes of a quick end to the war between Iran and the United States and a reopening of the Strait of Hormuz to oil tankers. US Secretary of State Marco Rubio said he saw signs of progress in the peace talks.

There were also quarterly reports from, among others, clothing brand Ralph Lauren. Investors liked them: the share rose almost 14 percent. Agricultural machinery maker Deere also reported figures. Those were received less well, and Deere was marked down 5.3 percent.

Walmart

Walmart gave up 7.3 percent. The world's largest supermarket chain posted more revenue than expected last quarter, but its expectations for the current quarter disappointed.

Tax software maker Intuit plunged 20 percent after a disappointing outlook for the full year. Intuit will also cut around 3,000 jobs to save costs. According to the company, much of that work can be taken over by AI.


Verhoeven and Usyk fight only for WBC world title

GIZA (ANP) - Rico Verhoeven fights Oleksandr Usyk on Saturday for the heavyweight world title of the World Boxing Council (WBC), the most prestigious boxing body in the world.

The 39-year-old opponent of the fourteen-time kickboxing world champion also holds the world titles of the WBA and IBF boxing bodies. The 37-year-old Verhoeven has no shot at those belts among the world-famous pyramids of Giza.

Verhoeven has found a new challenge in boxing and, in his first serious outing, can follow in the footsteps of former WBC champions such as Muhammad Ali, Joe Frazier, George Foreman, Mike Tyson, Evander Holyfield, Lennox Lewis, Vitali Klitschko and Tyson Fury.

The fight between Verhoeven and Usyk can be watched live, for a fee, on streaming platform DAZN. The exact time of the card's main event has not yet been announced. Neither boxer is expected to start before 22:00.


Slashdot

News for nerds, stuff that matters

Waymo Pauses Atlanta Service As Its Robotaxis Keep Driving Into Floods

Waymo has paused service in Atlanta after one of its driverless cars entered a flooded street and got stuck. It follows a similar pause in San Antonio that prompted a recent software recall over flood avoidance. TechCrunch reports: Waymo admitted that it hadn't finished developing a "final remedy" for avoiding flooded areas when it issued its software recall last week. Instead, the company said it shipped an update to its fleet that placed "restrictions at times and in locations where there is an elevated risk of encountering a flooded, higher-speed roadway," according to documents released by the National Highway Traffic Safety Administration (NHTSA).

But even those precautions apparently were not enough to stop the Waymo robotaxi from entering the flooded intersection in Atlanta. Waymo told TechCrunch on Thursday that the storm in Atlanta produced so much rainfall that flooding was happening before the National Weather Service had issued a flash flood warning, watch, or advisory. The company said those alerts are one part of a larger set of signals its fleet relies on to prepare the vehicles for poor weather.

Formula 1 News

Formula 1® - The Official F1® Website

LIVE COVERAGE: Follow all the build-up ahead of Canada

Live coverage of all the build-up ahead of the 2026 Canadian Grand Prix weekend.

Royal gossip in the StamCafé

Social

Our tax money got to pose again at the royal spring photo session, which naturally means another cosy school outing for the sharpest branch of the Dutch press corps: the royalty reporters. Everyone kept it nice and proper, because before you know it you are on a blacklist, but Annemarie de Klunder actually dared to go off-script for a moment. She asked Princess Alexia - cautiously at first - about her CLOSE CONTACT with singer Antoon. It turns out the royals were not waiting for that at all, so Alexia actually said NOTHING, but the fact that Alexia said NOTHING is in turn NEWS. The whole Alexia-is-dating-Antoon story had, until today, been off the radar for months, ever since the singer was spotted as single on a dating app, but maybe that is exactly what the RVD (the government information service) wants you to think! It does not stop swimsuit critic Jeroen Snel from concluding: ALEXIA IS DATING ANTOON! It remained restless in fairytale land for a long time afterwards.

The palace announces

Kasuga Taisha, Nara, Japan 春日大社、奈良

Mr Mikage (ミスター御影) has added a photo to the pool:

Everyone's Older

Thomas Hawk posted a photo:

So Leave Me If You Need To

Thomas Hawk posted a photo:
