Daniel Stenberg, creator of the curl utility, is considering ending its bug bounty program due to a surge in low-quality, AI-generated reports that are overwhelming the small volunteer team. Despite attempts to discourage AI-assisted submissions, these reports now make up about 20% of all entries in 2025, while genuine vulnerabilities have dropped to just 5%. The Register reports: "The general trend so far in 2025 has been way more AI slop than ever before (about 20 percent of all submissions) as we have averaged about two security report submissions per week," he wrote in a blog post on Monday. "In early July, about 5 percent of the submissions in 2025 had turned out to be genuine vulnerabilities. The valid-rate has decreased significantly compared to previous years."

The situation has prompted Stenberg to reevaluate whether to continue curl's bug bounty program, which he says has paid out more than $90,000 for 81 awards since its inception in 2019. He said he expects to spend the rest of the year mulling possible responses to the rising tide of AI refuse. Presently, the curl bug bounty program -- outsourced to HackerOne - requires the bug reporter to disclose the use of generative AI. It does not entirely ban AI-assisted submissions, but does discourage them. "You should check and double-check all facts and claims any AI told you before you pass on such reports to us," the program's policy explains. "You are normally much better off avoiding AI."

Two bug submissions per week on average may not seem like a lot, but the curl security team consists of only seven members. As Stenberg explains, three or four reviewers review each submission, a process that takes anywhere from 30 minutes to three hours. "I personally spend an insane amount of time on curl already, wasting three hours still leaves time for other things," Stenberg lamented. "My fellows however are not full time on curl. They might only have three hours per week for curl. Not to mention the emotional toll it takes to deal with these mind-numbing stupidities." [...]

Stenberg says it's not clear what HackerOne should do to reduce reckless use of AI, but insists something needs to be done. His post ponders charging a fee to submit a report or dropping the bug bounty award, while also expressing reservations about both potential remedies. "As a lot of these reporters seem to genuinely think they help out, apparently blatantly tricked by the marketing of the AI hype-machines, it is not certain that removing the money from the table is going to completely stop the flood," he concludes.

An anonymous reader quotes a report from Phoronix: Merged yesterday to the latest development code for the LibreOffice open-source office suite is now recognizing Bitcoin "BTC" as a supported currency for use within the Calc spreadsheet program and elsewhere within this cross-platform free software office suite. Stemming from a recent bug report requesting Bitcoin as an official currency option within LibreOffice Calc, the necessary additions are now in place so it's a built-in preset like USD and EUR. Thus easier managing of Bitcoin transactions and the like from within LibreOffice Calc.

BrianFagioli shares a report from NERDS.xyz: Blender 4.5 has arrived and it's a long-term support release. That means users get two full years of updates and bug fixes, making it a smart choice for anyone looking for stability in serious projects. Whether you're a solo artist or part of a studio pipeline, this version is built to last. Here's a list of key features and changes in this release:

- Vulkan backend replaces OpenGL (faster, smoother UI)
- Adaptive subdivision up to 14x faster with multithreading
- New Geometry Nodes: Camera Info, Instance Bounds
- GPU-accelerated compositor nodes with standardized inputs
- New Boolean solver: Manifold (cleaner, faster mesh operations)
- UV maps visible in Object Mode + improved selection behavior
- Grease Pencil render pass and Geometry Nodes integration
- Improved file import support: PLY, OBJ, STL, CSV, VDB
- Deprecations: Collada, Big Endian, legacy .blend, Intel Mac support
- Cycles OptiX now requires NVIDIA driver v535+
- New shader variants for add-on developers (POLYLINES_*, POINT_*)
~500 bug fixes across all major systems

Slashdot reader BrianFagioli shared this report from Nerds.xyz: NVIDIA just put out a new security notice, and if you're running one of its powerful GPUs, you might want to pay attention. Researchers from the University of Toronto have shown that Rowhammer attacks, which are already known to affect regular DRAM, can now target GDDR6 memory on NVIDIA's high-end GPUs when ECC [error correction code] is not enabled.

They pulled this off using an A6000 card, and it worked because system-level ECC was turned off. Once it was switched on, the attack no longer worked. That tells you everything you need to know. ECC matters.

Rowhammer has been around for years. It's one of those weird memory bugs where repeatedly accessing one row in RAM can cause bits to flip in another row. Until now, this was mostly a CPU memory problem. But this research shows it can also be a GPU problem, and that should make data center admins and workstation users pause for a second.

NVIDIA is not sounding an alarm so much as reminding everyone that protections are already in place, but only if you're using the hardware properly. The company recommends enabling ECC if your GPU supports it. That includes cards in the Blackwell, Hopper, Ada, and Ampere lines, along with others used in DGX, HGX, and Jetson systems. It also includes popular workstation cards like the RTX A6000.

There's also built-in On-Die ECC in certain newer memory types like GDDR7 and HBM3. If you're lucky enough to be using a card that has it, you're automatically protected to some extent, because OD-ECC can't be turned off. It's always working in the background. But let's be real. A lot of people skip ECC because it can impact performance or because they're running a setup that doesn't make it obvious whether ECC is on or off. If you're not sure where you stand, it's time to check. NVIDIA suggests using tools like nvidia-smi or, if you're in a managed enterprise setup, working with your system's BMC or Redfish APIs to verify settings.

An anonymous reader quotes a report from Wired: If you want a job at McDonald's today, there's a good chance you'll have to talk to Olivia. Olivia is not, in fact, a human being, but instead an AI chatbot that screens applicants, asks for their contact information and resume, directs them to a personality test, and occasionally makes them "go insane" by repeatedly misunderstanding their most basic questions. Until last week, the platform that runs the Olivia chatbot, built by artificial intelligence software firm Paradox.ai, also suffered from absurdly basic security flaws. As a result, virtually any hacker could have accessed the records of every chat Olivia had ever had with McDonald's applicants -- including all the personal information they shared in those conversations -- with tricks as straightforward as guessing the username and password "123456."

On Wednesday, security researchers Ian Carroll and Sam Curryrevealedthat they found simple methods to hack into the backend of the AI chatbot platform on McHire.com, McDonald's website that many of its franchisees use to handle job applications. Carroll and Curry, hackers with along track record of independent security testing, discovered that simple web-based vulnerabilities -- including guessing one laughably weak password -- allowed them to access a Paradox.ai account and query the company's databases that held every McHire user's chats with Olivia. The data appears to include as many as 64 million records, including applicants' names, email addresses, and phone numbers.

Carroll says he only discovered that appalling lack of security around applicants' information because he was intrigued by McDonald's decision to subject potential new hires to an AI chatbot screener and personality test. "I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that's what made me want to look into it more," says Carroll. "So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that's ever been made to McDonald's going back years." Paradox.ai confirmed the security findings, acknowledging that only a small portion of the accessed records contained personal data. The company stated that the weak-password account ("123456") was only accessed by the researchers and no one else. To prevent future issues, Paradox is launching a bug bounty program. "We do not take this matter lightly, even though it was resolved swiftly and effectively," Paradox.ai's chief legal officer, Stephanie King, told WIRED in an interview. "We own this."

In a statement to WIRED, McDonald's agreed that Paradox.ai was to blame. "We're disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us," the statement reads. "We take our commitment to cyber security seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection."

We're living in a new world now — one where it's an AI-powered penetration tester that "now tops an eminent US security industry leaderboard that ranks red teamers based on reputation." CSO Online reports: On HackerOne, which connects organizations with ethical hackers to participate in their bug bounty programs, "Xbow" scored notably higher than 99 other hackers in identifying and reporting enterprise software vulnerabilities. It's a first in bug bounty history, according to the company that operates the eponymous bot...

Xbow is a fully autonomous AI-driven penetration tester (pentester) that requires no human input, but, its creators said, "operates much like a human pentester" that can scale rapidly and complete comprehensive penetration tests in just a few hours. According to its website, it passes 75% of web security benchmarks, accurately finding and exploiting vulnerabilities.

Xbow submitted nearly 1,060 vulnerabilities to HackerOne, including remote code execution, information disclosures, cache poisoning, SQL injection, XML external entities, path traversal, server-side request forgery (SSRF), cross-site scripting, and secret exposure. The company said it also identified a previously unknown vulnerability in Palo Alto's GlobalProtect VPN platform that impacted more than 2,000 hosts. Of the vulnerabilities Xbow submitted over the last 90 days, 54 were classified as critical, 242 as high and 524 as medium in severity. The company's bug bounty programs have resolved 130 vulnerabilities, and 303 are classified as triaged.

Notably, though, roughly 45% of the vulnerabilities it found are still awaiting resolution, highlighting the "volume and impact of the submissions across live targets," Nico Waisman, Xbow's head of security, wrote in a blog post this week... To further hone the technology, the company developed "validators," — automated peer reviewers that confirm each uncovered vulnerability, Waisman explained.
"As attackers adopt AI to automate and accelerate exploitation, defenders must meet them with even more capable systems," XBOW's CEO said this week, as the company raised $75 million in Series B funding to grow its platform, bringing its total funding to $117 million. Help Net Security reports: With the new funding, XBOW plans to grow its engineering team and expand its go-to-market efforts. The product is now generally available, and the company says it is working with large banks, tech firms, and other organizations that helped shape the platform during its early testing phase. XBOW's long-term goal is to help security teams stay ahead of adversaries using advanced automation. As attackers increasingly turn to AI, the company argues that defenders will need equally capable systems to match their speed and sophistication.

Long-time Slashdot reader AmiMoJo shared this report from the Apple news blog 9to5Mac: iOS 26 is a packed update for iPhone users thanks to the new Liquid Glass design and major updates for Messages, Wallet, CarPlay, and more. But another new feature was just discovered in the iOS 26 beta: FaceTime will now freeze your call's video and audio if someone starts undressing.

When Apple unveiled iOS 26 last month, it mentioned a variety of new family tools... "Communication Safety expands to intervene when nudity is detected in FaceTime video calls, and to blur out nudity in Shared Albums in Photos." However, at least in the iOS 26 beta, it seems that a similar feature may be in place for all users — adults included.
That's the claim of an X.com user named iDeviceHelp, who says FaceTime in iOS 26 swaps in a warning message that says "Audio and video are paused because you may be showing something sensitive," giving users a choice of ending the call or resuming it.

9to5Mac says "It's unclear whether this is an intended behavior, or just a bug in the beta that's applying the feature to adults... [E]verything happens on-device so Apple has no idea about the contents of your call."

In April researchers responsibly disclosed two security flaws found in Sudo "that could enable local attackers to escalate their privileges to root on susceptible machines," reports The Hacker News. "The vulnerabilities have been addressed in Sudo version 1.9.17p1 released late last month." Stratascale researcher Rich Mirch, who is credited with discovering and reporting the flaws, said CVE-2025-32462 has managed to slip through the cracks for over 12 years. It is rooted in the Sudo's "-h" (host) option that makes it possible to list a user's sudo privileges for a different host. The feature was enabled in September 2013. However, the identified bug made it possible to execute any command allowed by the remote host to be run on the local machine as well when running the Sudo command with the host option referencing an unrelated remote host. "This primarily affects sites that use a common sudoers file that is distributed to multiple machines," Sudo project maintainer Todd C. Miller said in an advisory. "Sites that use LDAP-based sudoers (including SSSD) are similarly impacted."

CVE-2025-32463, on the other hand, leverages Sudo's "-R" (chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file. It's also a critical-severity flaw. "The default Sudo configuration is vulnerable," Mirch said. "Although the vulnerability involves the Sudo chroot feature, it does not require any Sudo rules to be defined for the user. As a result, any local unprivileged user could potentially escalate privileges to root if a vulnerable version is installed...."

Miller said the chroot option will be removed completely from a future release of Sudo and that supporting a user-specified root directory is "error-prone."

Beeftopia shares a report from CBS News: The U.S. government is preparing to breed billions of flies and dump them out of airplanes over Mexico and southern Texas to fight a flesh-eating maggot. That sounds like the plot of a horror movie, but it is part of the government's plans for protecting the U.S. from a bug that could devastate its beef industry, decimate wildlife and even kill household pets. This weird science has worked well before.

The targeted pest is the flesh-eating larva of the New World Screwworm fly. The U.S. Department of Agriculture plans to ramp up the breeding and distribution of adult male flies -- sterilizing them with radiation before releasing them. They mate with females in the wild, and the eggs laid by the female aren't fertilized and don't hatch. There are fewer larvae, and over time, the fly population dies out. It is more effective and environmentally friendly than spraying the pest into oblivion, and it is how the U.S. and other nations north of Panama eradicated the same pest decades ago. Sterile flies from a factory in Panama kept the flies contained there for years, but the pest appeared in southern Mexico late last year. [...]

The USDA expects a new screwworm fly factory to be up and running in southern Mexico by July 2026. It plans to open a fly distribution center in southern Texas by the end of the year so that it can import and distribute flies from Panama if necessary. The New World screwworm fly is a tropical species, unable to survive Midwestern or Great Plains winters, so it was a seasonal scourge. Still, the U.S. and Mexico bred and released more than 94 billion sterile flies from 1962 through 1975 to eradicate the pest, according to the USDA. The numbers need to be large enough that females in the wild can't help but hook up with sterile males for mating. One biological trait gives fly fighters a crucial wing up: Females mate only once in their weekslong adult lives. "A similar approach to certain species of mosquito is being debated," adds Beeftopia. "The impact on ecosystems is unclear."

An anonymous reader quotes a report from TechCrunch: A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator. The bug, which was discovered by security researcher Eric Daigle, spilled the spyware app's full database of email addresses and plaintext passwords that Catwatchful customers use to access the data stolen from the phones of their victims. [...] According to a copy of the database from early June, which TechCrunch has seen, Catwatchful had email addresses and passwords on more than 62,000 customers and the phone data from 26,000 victims' devices.

Most of the compromised devices were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia (in order of the number of victims). Some of the records date back to 2018, the data shows. The Catwatchful database also revealed the identity of the spyware operation's administrator, Omar Soca Charcov, a developer based in Uruguay. Charcov opened our emails, but did not respond to our requests for comment sent in both English and Spanish. TechCrunch asked if he was aware of the Catwatchful data breach, and if he plans to disclose the incident to its customers. Without any clear indication that Charcov will disclose the incident, TechCrunch provided a copy of the Catwatchful database to data breach notification service Have I Been Pwned. The stalkerware operation uses a custom API and Google's Firebase to collect and store victims' stolen data, including photos and audio recordings. According to Daigle, the API was left unauthenticated, exposing sensitive user data such as email addresses and passwords.

The hosting provider temporarily suspended the spyware after TechCrunch disclosed this vulnerability but it returned later on HostGator. Despite being notified, Google has yet to take down the Firebase instance but updated Google Play Protect to detect Catwatchful.

While Catwatchful claims it "cannot be uninstalled," you can dial "543210" and press the call button on your Android phone to reveal the hidden app. As for its removal, TechCrunch has a general how-to guide for removing Android spyware that could be helpful.

Bcachefs "pitches itself as a filesystem that 'doesn't eat your data'," writes the open source/Linux blog It's FOSS. Although it was last October that Bcachefs developer Kent Overstreet was restricted from participating in the Linux 6.13 kernel development cycle (after ending a mailing list post with "Get your head examined. And get the fuck out of here with this shit.")

And now with the upcoming Linux kernel 6.17 release, Linus Torvalds has decided to drop Bcachefs support, they report, "owing to growing tensions" with Overstreet: The decision follows a series of disagreements over how fixes and changes for it were submitted during the 6.16 release cycle... Kent filed a pull request to add a new feature called "journal-rewind". It was meant to improve bcachefs repair functionality, but it landed during the release candidate (RC) phase, a time usually reserved for bug fixes, not new features, as Linus pointed out. [Adding "I remain steadfastly convinced that anybody who uses bcachefs is expecting it to be experimental. They had better."]

Theodore Ts'o, a long-time kernel developer and maintainer of ext4, also chimed in, saying that Kent's approach risks introducing regressions, especially when changes affect sensitive parts of a filesystem like journaling. He reminded Kent that the rules around the merge window have been a long-standing consensus in the kernel community, and it's Linus's job to enforce them. After some more back and forth, Kent pushed back, arguing that the rules around the merge window aren't absolute and should allow for flexibility, even more so when user data is at stake. He then went ahead and resubmitted the patch, citing instances from XFS and Btrfs where similar fixes made it into the kernel during RCs. Linus merged it into his tree, but ultimately decided to drop Bcachefs entirely in the 6.17 merge window.

To which Kent responded by clarifying that he wasn't trying to shut Linus out of Bcachefs' decisions, stressing that he values Linus's input...
This of course follows the great Torvalds-Overstreet "filesystem people never learn" throwdown back in April.

An anonymous reader quotes a report from SecurityWeek: Hundreds of printer models from Brother and other vendors are impacted by potentially serious vulnerabilities discovered by researchers at Rapid7. The cybersecurity firm revealed on Wednesday that its researchers identified eight vulnerabilities affecting multifunction printers made by Brother. The security holes have been found to impact 689 printer, scanner and label maker models from Brother, and some or all of the flaws also affect 46 Fujifilm Business Innovation, five Ricoh, six Konica Minolta, and two Toshiba printers. Overall, millions of enterprise and home printers are believed to be exposed to hacker attacks due to these vulnerabilities.

The most serious of the flaws, tracked as CVE-2024-51978 and with a severity rating of 'critical', can allow a remote and unauthenticated attacker to bypass authentication by obtaining the device's default administrator password. CVE-2024-51978 can be chained with an information disclosure vulnerability tracked as CVE-2024-51977, which can be exploited to obtain a device's serial number. This serial number is needed to generate the default admin password. "This is due to the discovery of the default password generation procedure used by Brother devices," Rapid7 explained. "This procedure transforms a serial number into a default password. Affected devices have their default password set, based on each device's unique serial number, during the manufacturing process."

Having the admin password enables an attacker to reconfigure the device or abuse functionality intended for authenticated users. The remaining vulnerabilities, which have severity ratings of 'medium' and 'high', can be exploited for DoS attacks, forcing the printer to open a TCP connection, obtain the password of a configured external service, trigger a stack overflow, and perform arbitrary HTTP requests. Six of the eight vulnerabilities found by Rapid7 can be exploited without authentication. Brother has patched most of the flaws, but CVE-2024-51978 requires a new manufacturing process to fully resolve, which will apply only to future devices.

Disabling Intel graphics security mitigations in GPU compute stacks for OpenCL and Level Zero can yield a performance boost of up to 20%, prompting Ubuntu's Canonical and Intel to disable these mitigations in future Ubuntu packages. Phoronix's Michael Larabel reports: Intel does allow building their GPU compute stack without these mitigations by using the "NEO_DISABLE_MITIGATIONS" build option and that is what Canonical is looking to set now for Ubuntu packages to avoid the significant performance impact. This work will likely all be addressed in time for Ubuntu 25.10. This NEO_DISABLE_MITIGATIONS option is just for compiling the Intel Compute Runtime stack and doesn't impact the Linux kernel security mitigations or else outside of Intel's "NEO" GPU compute stack. Both Intel and Canonical are in agreement with this move and it turns out that even Intel's GitHub binary packages for their Compute Runtime for OpenCL and Level Zero ship with the mitigations disabled due to the performance impact. This Ubuntu Launchpad bug report for the Intel Compute Runtime notes some of the key takeaways. There is also this PPA where Ubuntu developers are currently testing their Compute Runtime builds with NEO_DISABLE_MITIGATIONS enabled for disabling the mitigations.

Threads now has 350 million users — but this week a strange bug affected some Threads accounts (on both desktop and mobile). "One user's post will get repeated over and over again..." explains TechCrunch, "as though every user on your feed is saying the same thing." "Siri, unsubscribe me from 2025," one Threads user wrote, per a screenshot from social media expert Alexa Heinrich. But then, everyone else on Heinrich's feed appeared to be echoing the same cheugy joke...

While it's not yet clear what caused the bug, Meta Communications Director Andy Stone responded to app researcher Jane Manchun Wong's post about the issue. "Whoops, well that clearly shouldn't have happened! We're working on getting it fixed now," Stone said.
I thought the bug was only affecting user feeds (and not replies). But either way, Wong came up with the perfect comeback.

"Whoops, well that clearly shouldn't have happened! We're working on getting it fixed now."

Microsoft has disabled Windows Hello's ability to authenticate users in low-light environments through a recent security update that now requires both infrared sensors and color cameras to verify faces. The change forces the system to see a visible face through the webcam before completing authentication with IR sensors.

Windows Hello earlier relied solely on infrared sensors to create 3D facial scans, allowing the feature to work in complete darkness similar to iPhone's Face ID. Microsoft pushed the dual-camera requirement to address a spoofing vulnerability in the biometric system.

Microsoft's latest Windows 11 preview builds contain a bug that replaces the operating system's startup sound with Windows Vista's iconic boot chime from 2006. Microsoft acknowledged the bug in its release notes -- describing it as a "delightful blast from the past" -- and said it was working on a fix.

It's no longer a hypothetical question, writes the Washington Post. "In recent years, scientists have devised powerful genetic tools that may be able to eradicate mosquitoes and other pests once and for all."

But along with the ability to fight malaria, dengue, West Nile virus and other serious diseases, "the development of this technology also raises a profound ethical question: When, if ever, is it okay to intentionally drive a species out of existence...?" When so many wildlife conservationists are trying to save plants and animals from disappearing, the mosquito is one of the few creatures that people argue is actually worthy of extinction. Forget about tigers or bears; it's the tiny mosquito that is the deadliest animal on Earth. The human misery caused by malaria is undeniable. Nearly 600,000 people died of the disease in 2023, according to the World Health Organization, with the majority of cases in Africa... But recently, the Hastings Center for Bioethics, a research institute in New York, and Arizona State University brought together a group of bioethicists to discuss the potential pitfalls of intentionally trying to drive a species to extinction. In a policy paper published in the journal Science last month, the group concluded that "deliberate full extinction might occasionally be acceptable, but only extremely rarely..."

It's unclear how important malaria-carrying mosquitoes are to broader ecosystems. Little research has been done to figure out whether frogs or other animals that eat the insects would be able to find their meals elsewhere. Scientists are hotly debating whether a broader "insect apocalypse" is underway in many parts of the world, which may imperil other creatures that depend on them for food and pollination... Instead, the authors said, geneticists should be able to use gene editing, vaccines and other tools to target not the mosquito itself, but the single-celled Plasmodium parasite that is responsible for malaria. That invisible microorganism — which a mosquito transfers from its saliva to a person's blood when it bites — is the real culprit.
A nonprofit research consortium called Target Malaria has genetically modified mosquitoes in their labs (which get core funding from the Gates Foundation and from Open Philanthropy, backed by Facebook co-founder Dustin Moskovitz and his wife). ), and hopes to deploy them in the wild within five years...

unixbhaskar shares a report from Phoronix: The X86_NATIVE_CPU Kconfig build time option has been merged for the Linux 6.16 merge window as an easy means of enforcing "-march=native" compiler behavior on AMD and Intel processors to optimize your kernel build for the local CPU architecture/family of your system. For those wanting to "-march=native" your Linux kernel build on AMD/Intel x86_64 processors, the new CONFIG_X86_NATIVE_CPU option can be easily enabled for setting that compiler option on your local kernel builds.

The CONFIG_X86_NATIVE_CPU option is honored if compiling the Linux x86_64 kernel with GCC or LLVM Clang when using Clang 19 or newer due to a compiler bug with the Linux kernel on older compiler versions. In addition to setting the "-march=native" compiler option for the Linux kernel C code, enabling this new Kconfig build option also sets "-Ctarget-cpu=native" for the kernel's Rust code too. "It seems interesting though," comments unixbhaskar. "If the detailed benchmark shows some improvement with the option selected, then distros might start to adopt it for their flavor."

Earlier this month app developer Guilherme Rambo had a warning for iPhone users: If you try to send an audio message using the Messages app to someone who's also using the Messages app, and that message happens to include the name "Dave and Buster's", the message will never be received.

In case you're wondering, "Dave and Buster's" is the name of a sports bar and restaurant in the United States... [T]he recipient will only see the "dot dot dot" animation for several seconds, and it will then eventually disappear. They will never get the audio message.
"The issue was first spotted on the podcast Search Engine..." according to an article in Fortune: Rambo's explanation of the curiosity goes like this.

"When you send an audio message using the Messages app, the message includes a transcription of the audio. If you happen to pronounce the name 'Dave and Buster's' as someone would normally pronounce it, almost like it's a single word, the transcription engine on iOS will recognize the brand name and correctly write it as 'Dave & Buster's' (with an ampersand)," he begins. So far, so good." [But ampersands have special meaning in HTML/XHTML...] And, as MacRumors puts it: "The parsing error triggers Apple's BlastDoor Messages feature that protects users from malicious messages that might rely on problematic parsing, so ultimately, the audio message fails to send."
To solve the mystery, Rambo "plugged the recipient device into my Mac and captured the logs right after the device received the problematic message." Their final thoughts... Since BlastDoor was designed to thwart hacking attempts, which frequently rely on faulty data parsing, it immediately stops what it's doing and just fails. That's what causes the message to get stuck in the "dot dot dot" state, which eventually times out, and the message just disappears. On the surface, this does sound like it could be used to "hack" someone's iPhone via a bad audio message transcription, but in reality what this bug demonstrates is that Apple's BlastDoor mechanism is working as designed.

Many bad parsers would probably accept the incorrectly-formatted XHTML, but that sort of leniency when parsing data formats is often what ends up causing security issues. By being pedantic about the formatting, BlastDoor is protecting the recipient from an exploit that would abuse that type of issue.

Valve's SteamOS 3.7.8 update brings official support for AMD-powered handhelds like Lenovo's Legion Go and Asus' ROG Ally, along with a new "Steam OS Compatible" library tab and key bug fixes. Other features include a battery charge limit, updated graphics drivers, and a shift to Plasma 6.2.5. Polygon reports: Valve outlines two requirements for the third-party devices not explicitly named in the update to run SteamOS on the handheld: they must be AMD-powered and have an NVMe SSD. Specific instructions for installing the operating system have been updated and listed here.

Before this huge update, players had to use an alternative like Bazzite to achieve a similar SteamOS experience on their devices. The new update also piggybacks off of Valve expanding the Steam Deck Verified categorization system to "any device running SteamOS that's not a Steam Deck" in mid-May. To make matters sweeter, a SteamOS-powered version of the Lenovo Legion Go S is scheduled to release on May 25. You can learn more about SteamOS 3.7.8 here.