SVP Technology at Fiserv; large scale system architecture/infrastructure, tech geek, reading, learning, hiking, GeoCaching, ham radio, married, kids

Building a more inclusive future in Tunisia: How DotSlash AUPTIMISME champions creativity

DotSlash AUPTIMISME, a global Code Club partner, is an organisation whose mission is to combine inclusive technology education and creative computing, ensuring that all children in Tunisia have the opportunity to become digital creators. Tarek Seghiri, Founder of DotSlash AUPTIMISME, spoke with Ruhee Shah, Global Partnerships Coordinator at the Raspberry Pi Foundation, about his unique […]

How Do We Manage Vulnerabilities in the Age of AI?

AI-assisted development is changing more than how software is written. It might also force us to reconsider the processes we use to identify, track, and manage vulnerabilities.

Worth Reading: AI Enthusiasts Against AI Skeptics

Charity Majors wrote an excellent article describing AI enthusiasts in a race against time and AI skeptics in a race against entropy. Fair warning: its very first sentence triggered an acute case of PTSD:

I recently attended a talk where one of the presenters made some pretty…astonishing claims about what they had achieved by the pure, uncut power of vibe coding.

I’ve seen way too many presentations making “astonishing claims” about the unlimited unicorn-driven powers of OpenFlow, SDN, OpenDaylight, or Ansible.


29-Year-Old Squid Proxy Bug 'Squidbleed' Can Leak Cleartext HTTP Requests

A 29-year-old bug in the Squid web proxy, dubbed Squidbleed and tracked as CVE-2026-47729, can let an authorized proxy user retrieve fragments of another user's cleartext HTTP requests, including credentials and session tokens. The security researcher who reported the flaw credited Anthropic's Claude Mythos Preview for the discovery. The Hacker News reports:

Squid describes this as an attack by a trusted client: someone already permitted to use the proxy, not any random host on the internet. That matches Squid's usual home, shared networks like schools, offices, and public Wi-Fi. In those setups, the attacker is just another user of the same proxy. The leak also only reaches traffic that Squid can read. Normal HTTPS rides an opaque CONNECT tunnel, so Squid never sees inside it; the exposed traffic is cleartext HTTP, plus TLS-terminating setups where Squid decrypts and inspects. The attacker also needs the proxy to reach an FTP server they control on port 21. Both FTP and that port are on by default. [...]

If you patch, verify the fix, not just the version. Confirm the guard is in FtpGateway.cc, or check your distribution's backport, since distros ship their own builds (Debian packages Squid 5.7). The public thread is still inconsistent: maintainer Amos Jeffries first said Squid 7.6 carried the fix, then corrected that to 7.7, and on June 22 Debian's Salvatore Bonaccorso noted the referenced commit looks like it is already in 7.6. The fix is small, a null-terminator check before the vulnerable strchr calls, merged to the development branch in April and v7 in May. Squid 7.6 does separately patch CVE-2026-50012, an unrelated cache_digest heap overflow.

The cleaner move is the one the researchers recommend anyway: turn FTP off. Chromium dropped FTP years ago, and most networks carry almost none of it, so disabling it removes this attack surface for free, whatever build you run.

The risk is real but bounded. SUSE rates it moderate, CVSS 6.5, and the vector explains the score: the attacker needs proxy access (low privileges), and the only impact is confidentiality, nothing on integrity or availability.

Read more of this story at Slashdot.


Digital Euro Expected To Launch By 2029 After EU Backing

The European Parliament's economic committee has backed a digital euro designed to reduce Europe's dependence on US-controlled payment networks such as Visa and Mastercard. The ECB-backed currency is targeted for launch by 2029 after a full parliamentary vote and negotiations with EU member states. Euronews reports:

Under the proposal, consumers would be able to hold digital euros in a dedicated wallet, subject to a holding limit that has yet to be determined. The system would support both online and offline payments and is intended to offer a high degree of privacy, with the ECB unable to directly identify users from their payment data. The ECB would provide the underlying infrastructure, while commercial banks and payment service providers would offer digital euro services to customers.

Financial institutions are expected to be compensated for their participation in the scheme, while merchants will pay fees that are expected to be lower than those associated with current card transactions. How that compensation should be structured remains one of the most contentious issues ahead of negotiations with EU member states, according to three sources familiar with the discussions. [...]

The European Parliament is expected to formalise the committee's position during a plenary vote in Strasbourg in early July. Negotiations with the EU's 27 member states would then begin, with lawmakers aiming to reach a final agreement before the end of the year.

Read more of this story at Slashdot.


How to burst the AI bubble: Strike at its roots

Last year, we featured a lengthy interview with tech journalist/science fiction author Cory Doctorow about his book, Enshittification: Why Everything Suddenly Got Worse and What To Do About It. The prolific Doctorow is back with a provocative new book that serves as a follow-up of sorts, focusing on AI and related issues: The Reverse Centaur's Guide to Life After AI.

Doctorow doesn't actually enjoy talking about AI, but he's constantly being asked to comment on it. "I made the tactical error of being sick of talking about AI," Doctorow told Ars. "So I wrote a book about why I think it's a dumb thing to keep asking people to talk about, and now I have to talk about it." Reverse Centaur is Doctorow's attempt to "sort out the bullshit from the material reality."

In automation theory, per Doctorow, a "centaur" describes a human augmented with a technology, like machine learning, or even just driving a car or using autocomplete. A reverse centaur "is a machine head on a human body, a person who is serving as a squishy meat appendage for an uncaring machine," Doctorow said in a speech last December. He gave the example of an Amazon delivery driver, surrounded by AI cameras monitoring their driving, who essentially serves as a peripheral to the delivery van.
