The Instructure-owned learning management platform, Canvas, is now online again after it went down following a massive data breach that impacted student names, email addresses, ID numbers, and messages. Before systems were restored, students who attempted to access the system on Thursday saw a message from the hacking group ShinyHunters, which claimed responsibility for the attack:
ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some “security patches.” If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by 12 May 2026 before everything is leaked.
The message included a link to a list of schools ShinyHunters claims to have breached through Canvas.
“Yesterday, Instructure discovered the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in. Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate,” Instructure said in a statement to The Verge. “We regret the inconvenience and concern this may have caused.”
According to Instructure’s status page, Canvas is now available for most users, though Canvas Beta and Canvas Test systems are still in maintenance mode. Instructure is also investigating an issue where some users are having difficulties logging into Student ePortfolios.
“We have confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts. As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts,” Instructure said in its statement. The company has not mentioned when those accounts are expected to be restored.
Instructure said last week that it “deployed patches to enhance system security” following the breach. ShinyHunters — which has claimed responsibility for attacks on Ticketmaster, AT&T, Rockstar Games, ADT, and Vercel — said its data leak site contains 9,000 schools, including data belonging to 275 million students, teachers, and other staff, according to Bleeping Computer.
Update, May 7th: Added Instructure’s maintenance mode message.
Update, May 8th: Added statement from Instructure regarding the service being back online.
Emma Roth
Jess Weatherbed
POZNAN, Poland (AP) — A generation ago, Poland rationed sugar and flour while its citizens were paid one-tenth what West Germans earned. Today, the economy of the country has edged past Switzerland to become the world’s 20th largest with more than $1 trillion in annual output.
It’s a historic leap from the post-Communist ruins of 1989-90 to European growth champion, which economists say has lessons on how to bring prosperity to ordinary people — and that the Trump administration says should be recognized by Poland’s presence at a summit of the Group of 20 leading economies later this year.
The transformation is reflected in people like Joanna Kowalska, an engineer from Poznan, a city of around 500,000 people midway between Berlin and Warsaw. She returned home after five years in the U.S.
“I get asked often if I’m missing something by coming back to Poland, and, to be honest, I feel it’s the other way around,” Kowalska said. “We are ahead of the United States in so many areas.”
Kowalska works at the Poznan Supercomputing and Networking Center, which is developing the first artificial intelligence factory in Poland and integrating it with a quantum computer, one of 10 on the continent financed by a European Union program.
Kowalska worked for Microsoft in the U.S. after graduating from the Poznan University of Technology, in a job she saw as a “dream come true.”
Newer skyscrapers flank the communist-era Palace of Culture and Science, foreground, in n, Poland, May 25, 2018. (AP Photo/Alik Keplicz, File)
But she missed having a “sense of mission,” she said.
“Especially when it comes to artificial intelligence, the technology started developing so rapidly in Poland,” Kowalska said. “So it was very tempting to come back.”
Breaking out of poverty
The guest invitation to the G20 summit is mostly symbolic. No guest country has been promoted to full member since the original G20 met at the finance minister level in 1999, and that would take a consensus decision of all the members. Moreover, the original countries were chosen not just by gross domestic product rank, but by their “systemic significance” in the global economy.
But the gesture reflects a statistical truth: In 35 years — a little less than one person’s working lifetime — Poland’s per capita GDP rose to $55,340 in 2025, or 85% of the EU average. That’s up from $6,730 in 1990, or 38% of the EU average and now roughly equal to Japan’s $52,039, according to International Monetary Fund figures measured in today’s dollars and adjusted for Poland’s lower cost of living.
Poland’s economy has grown an average 3.8% a year since joining the EU in 2004, easily beating the European average of 1.8%.
It wasn’t simply one factor that helped Poland break out of the poverty trap, says Marcin Piątkowski of Warsaw’s Kozminski University and author of a book on the country’s economic rise.
One of the most important factors was rapidly building a strong institutional framework for business, he said. That included independent courts, an anti-monopoly agency to ensure fair competition, and strong regulation to keep troubled banks from choking off credit.
As a result, the economy wasn’t hijacked by corrupt practices and oligarchs, as happened elsewhere in the post-Communist world.
Poland also benefited from billions of euros in EU aid, both before and after it joined the bloc in 2004 and gained access to its huge single market.
Above all, there was the broad consensus, from across the political spectrum, that Poland’s long-term goal was joining the EU.
“Poles knew where they were going,” Piątkowski said. “Poland downloaded the institutions and the rules of the game, and even some cultural norms that the West spent 500 years developing.”
As oppressive as it was, communism contributed by breaking down old social barriers and opening higher education to factory and farmworkers who had no chance before. A post-Communist boom in higher education means half of young people now have degrees.
“Young Poles are, for instance, better educated than young Germans,” Piątkowski said, but earn half what Germans do. That’s “an unbeatable combination” for attracting investors, he said.
Success of an electric bus company
Solaris, a company founded in 1996 in Poznan by Krzysztof Olszewski, is one of the leading manufacturers of electric buses in Europe with a market share of around 15%. Its story shows one hallmark of Poland’s success: entrepreneurship, or the willingness to take risks and build something new.
Workers build electric buses at the Solaris bus factory in Poznan, Poland, Thursday, Jan. 29, 2026. (AP Photo/Pietro De Cristofaro)
Educated as an engineer under the Communist government, Olszewski opened a car repair shop where he used spare parts from West Germany to fix Polish cars. While most enterprises were nationalized, authorities gave permission to small-scale private workshops like his to operate, according to Katarzyna Szarzec, an economist at the Poznan University of Economics and Business.
“These were enclaves of private entrepreneurship,” she said.
In 1996, Olszewski opened a subsidiary of the German bus company Neoplan and started producing for the Polish market.
“Poland’s entry to the EU in 2004 gave us credibility and access to a vast, open European market with the free movement of goods, services and people,” said Mateusz Figaszewski, responsible for institutional relations.
Then came a risky decision to start producing electric buses in 2011, a time when few in Europe were experimenting with the technology. Figaszewski said larger companies in the West had more to lose if switching to electric vehicles didn’t work out.
“It became an opportunity to achieve technological leadership ahead of the market,” he said.
An aging population
Challenges still remain for Poland. Due to a low birth rate and an aging society, fewer workers will be able to support retirees. Average wages are lower than the EU average. While small and medium enterprises flourish, few have become global brands.
Poznan Mayor Jacek Jaśkowiak sees domestic innovation as a third wave in Poland’s postsocialist economic development. In the first wave, foreign countries opened factories in Poland in the early 1990s, taking advantage of a skilled local population.
Around the turn of the millennium, he said, Western companies brought more advanced branches, including finance, information technology and engineering.
“Now it’s the time to start such sophisticated activities here,” Jaśkowiak says, adding that one of his main priorities is investing in universities.
“There is still much to do when it comes to innovation and technological progress,” added Szarzec, the Poznan economist. “But we keep climbing up on that ladder of added value. We’re no longer just a supplier of spare parts.”
Szarzec’s students say more needs to be done to reduce urban-rural inequalities, make housing affordable and support young people starting families. They say Poles need to acknowledge that immigrants, such as the millions of Ukrainians who fled Russia’s full-scale invasion in 2022, contribute to economic development in an aging population.
“Poland has such a dynamic economy, with so many opportunities for development, that of course I am staying,” said Kazimierz Falak, 27, one of Szarzec’s graduate students. “Poland is promising.”
Computer equipment at the Poznan Supercomputing and Networking center is seen in Poznan, Poland, Wednesday, Jan. 28, 2026. (AP Photo/Pietro De Cristofaro)
David McHugh reported from Frankfurt, Germany.
Published on 2026-05-07, 82 words, 1 minute to read
Oh boy yet more linux kernel vulns
In the wake of copy.fail, there are more vulnerabilities that have been announced:
Copy Fail 2: Electric Boogaloo
Dirty Frag
Right now would be one of the best times for a supply chain attack via NPM to hit hard.
Outside of Linux kernel patches from your distro, I think it’s probably a good idea to put a moratorium on installing new software for a week or so.
Facts and circumstances may have changed since publication. Please contact me before jumping to conclusions if something seems wrong or unclear.
Copyright 2012 – 2026 Xe Iaso. Any and all opinions listed here are my own and not representative of any of my employers, past, future, and/or present.
In May 2026, Google announced “Google Cloud Fraud Defense - the next evolution of reCAPTCHA.” The announcement described a QR code challenge where users scan a code with their phone to prove human presence.
Google killed Web Environment Integrity in 2023 after standards bodies objected. Today, three years later, the same device attestation mechanism launched as a commercial product.
The open web survived because no single company could decide which hardware was legitimate enough to use it. Google is determined to end that status quo - now through a reCAPTCHA update.
Table of Contents
Google already tried this in 2023
The QR code will be bypassed
QR auth codes and device attestation are not new
Device attestation bars the users who need privacy most
“Legitimate” tracking
Final thoughts
Google already tried this in 2023
In June 2023, a Google engineer named Yoav Weiss posted a proposal to the Chromium project called “Web Environment Integrity.” The mechanism was direct: browsers would ask device hardware to sign a cryptographic attestation proving the browser was unmodified and running on Google-certified hardware. Websites could verify the signature and decide whether to serve content without friction or add a challenge. Of course, the proposal framed this as protecting web integrity against bots and automated scraping.
Mozilla published a formal position within days. The proposal “works against users’ interests” and “creates a gated internet controlled by OS and device vendors.” The Electronic Frontier Foundation called it “Chrome’s Plan to DRM the Web,” noting that by design, only Chrome running on Android or other certified hardware would easily pass attestation, routing traffic toward Google’s ecosystem as a structural consequence, not a side effect.
Google withdrew WEI three weeks after publication. The Chromium GitHub thread closed. Publicly, it was dead.
In May 2026, Google announced Google Cloud Fraud Defense, described in its blog post as “the next evolution of reCAPTCHA.” The system challenges users with a QR code: scan it with your phone to confirm human presence. The requirements page specifies the hardware that qualifies: “modern Android device with Google Play Services installed, or modern iPhone/iPad.”
“Google Play Services installed” is doing significant work in that sentence. Google Play Services is Google’s closed-source software layer that runs on certified Android devices and provides the attestation APIs - the Play Integrity API specifically - that prove a device is unmodified and approved by Google. A device without Play Services cannot satisfy Play Integrity checks at the level Fraud Defense requires. That is not a technical limitation waiting to be engineered around. It is the mechanism.
The WEI review process, whatever its limitations, required Google to defend the mechanism publicly. The proposal was withdrawn because the objections held. With Fraud Defense, there was no process to respond to. The product launched. The requirements page went live. The same attestation infrastructure that generated those documented objections in 2023 became the underpinning of a commercial service available to any organization with a Google Cloud billing account.
The QR code will be bypassed
Here is how the challenge works: a user encounters a Fraud Defense prompt and is asked to scan a QR code with their phone camera. The phone, authenticated against Google’s Play Integrity API, confirms the device is certified hardware. That confirmation returns to the originating site as proof of human presence.
The defeat is mechanical. Bot operators point a camera at a screen, a trivial automation with off-the-shelf hardware. For operations that need Play Integrity attestation specifically, a compliant Android device costs approximately $30 ($29.88 at Walmart, to be precise). For a professional bot farm, which purchases devices in bulk, this is a fixed cost that does not materially disrupt operations.
One additional failure worth noting: an incident response professional in the HN thread raised a concern that operates independently of the bot problem:
How should we realistically teach Susan from HR the difference between a real Google Captcha QR code and a malicious phishing QR code - you (realistically) can’t.
The QR challenge trains users to scan codes to access websites. Phishing campaigns will exploit that trained behavior immediately.
QR auth codes and device attestation are not new
In the Apple world, iOS App Attestation verifies that an app was installed through the App Store and has not been modified. It governs apps: a walled garden users chose when they purchased an iPhone. The extension to open web browsing is categorically different: it conditions URL access on hardware a private company has certified. No precedent exists for this applied to the open internet. App stores are opt-in ecosystems with explicit terms of service. The web was not designed to have terms of hardware.
QR-based authentication systems themselves have existed for a while. Estonia’s Smart ID uses QR codes to verify users, but for bounded, consent-scoped resources: banking portals, government services, health records. The user chooses to authenticate. The protected resource is defined in advance. The scope is explicit. Google Cloud Fraud Defense applies device attestation to the open web, to any URL an operator chooses to gate, without equivalent consent architecture, without purpose limitation, and very likely without user awareness that their hardware identity is functioning as an access credential.
Device attestation bars the users who need privacy most
Google Play Integrity attestation requires Google Play Services. GrapheneOS, the security-hardened Android fork recommended by the EFF and used by journalists, lawyers, and activists in high-risk environments, does not ship Play Services by default. It supports a sandboxed compatibility layer that runs some Play Services functionality, but this does not satisfy Play Integrity at the MEETS_DEVICE_INTEGRITY level that Fraud Defense requires. LineageOS for microG (a privacy-oriented Android distribution built specifically for users who want an open-source alternative) fails for the same reason. Any custom ROM that excludes Play Services fails.
Firefox for Android does not appear in Google’s stated browser support list for Fraud Defense. This is not an oversight. Firefox does not integrate Google Play Integrity by design - Mozilla’s position on device attestation in 2023 was explicit and remains current. The practical effect: users of the most privacy-respecting major mobile browser are excluded from verified access by default, not because they are bots, but because they use software that declines to participate in Google’s certification architecture.
“Legitimate” tracking
The governance problem is the obvious objection. The tracking problem is the one that gets less attention.
Every Fraud Defense challenge that resolves successfully sends a signal to Google: this certified device accessed this site at this time. Device attestation does not just gate access - it produces attribution. A device with a stable hardware identity creates a persistent identifier that crosses sessions, browsers, and private browsing modes. The company that defines which hardware is “legitimate” also accumulates a running record of where that hardware goes on the open web. That is not a side effect of fraud defense. It is an architectural consequence of the decision to tie verification to certified device identity.
A technically credible alternative exists that avoids both the governance problem and the tracking problem. Private Captcha and similar proof-of-work systems issue cryptographic challenges that require computational effort (dis)proportional to volume. One human solving a single challenge pays a negligible cost. A bot farm running concurrent sessions faces exponential compute costs with each additional attempt, and AI agents, which consume GPU cycles to operate, face identical penalties regardless of how sophisticated their reasoning is. No hardware identifier is transmitted. No attestation is required. No certification layer determines who may participate. User privacy is structurally preserved, not promised.
Final thoughts
Google Cloud Fraud Defense is not a reCAPTCHA update. The QR code is the visible mechanism, but device attestation is the real product. Every resolved challenge tells Google which certified hardware accessed which site at which time. The same infrastructure standards bodies rejected in 2023 now operates behind a commercial release, accumulating attribution data that WEI, as a public proposal, would never have been permitted to build unchallenged. Ironically, it will fail to stop bots similarly to the version it is designed to “improve” upon.
Two weeks ago we announced that we had identified and fixed an unprecedented number of latent security bugs in Firefox with the help of Claude Mythos Preview and other AI models. In this post, we’ll go into more detail about how we approached this work, what we found, and advice for other projects on making good use of emerging capabilities to harden themselves against attack.
Suddenly, the bugs are very good
Just a few months ago, AI-generated security bug reports to open source projects were mostly known for being unwanted slop. Dealing with reports that look plausibly correct but are wrong imposes an asymmetric cost on project maintainers: it’s cheap and easy to prompt an LLM to find a “problem” in code, but slow and expensive to respond to it.
It is difficult to overstate how much this dynamic changed for us over a few short months. This was due to a combination of two main factors. First, the models got a lot more capable. Second, we dramatically improved our techniques for harnessing these models — steering them, scaling them, and stacking them to generate large amounts of signal and filter out the noise.
Ordinarily we keep detailed bug reports private for several months after shipping fixes and issuing security advisories, largely as a precaution to protect any users who, for whatever reason, were slow to update to the latest version of Firefox. Given the extraordinary level of interest in this topic and the urgency of action needed throughout the software ecosystem, we’ve made the calculated decision to unhide a small sample of the reports behind the fixes we recently shipped. We’ve attempted to draw them from a range of browser subsystems, but the selection process was still somewhat arbitrary. Nevertheless, we hope that the depth and diversity of these reports lends credence to our assessment of the capabilities and our calls for defenders to begin applying these techniques:
Note that a number of these bugs are sandbox escapes, which would need to be combined with other exploits to achieve a full-chain Firefox compromise. These reports presume that the sandboxed process that renders site content has already been compromised with some separate bug, and is now running attacker-controlled machine code attempting to escalate control into the privileged parent process. When crafting a sandbox escape, the model is permitted to patch the Firefox source code, so long as the modified code is restricted to run only in the sandboxed process[1]. Such bugs are notoriously difficult to find with fuzzing, and while we’ve had some success developing new techniques to close this gap, AI analysis provides much more comprehensive coverage of this critical surface.
Just as interesting as what the models found is what they didn’t find — not because they didn’t try, but because they were unable to circumvent Firefox’s layered defenses. For example, in recent years we received several clever reports from security researchers that managed to escape the process sandbox by triggering prototype pollution in the privileged parent process. Rather than fixing these problems one-by-one, we made an architectural change to freeze these prototypes by default. While auditing logs from the harness, we saw many attempts to pursue this line of escape that were thwarted by this design. Observing such direct payoff from previous hardening work was even more rewarding than finding and fixing more bugs.
Harnessing Models to Build a Hardening Pipeline
We’ve experimented internally with LLM code audits over the past few years, with early attempts using models like GPT 4 or Sonnet 3.5 to statically analyze high risk code for vulnerabilities. These experiments showed some promise, but the high rate of false positives made them impractical to scale.
The introduction of agentic harnesses that can reliably detect security issues has completely changed this. These can find real bugs and dismiss unreproducible speculation. The key feature of such a harness is that, given the right interfaces and instructions, it can create and run reproducible test cases to dynamically test hypotheses about bugs in code. After fixing the initial set of issues that Anthropic sent to us in February, we built our own harness atop our existing fuzzing infrastructure.
We began with small-scale experiments prompting the harness to look for sandbox escapes with Claude Opus 4.6. Even with this model, we identified an impressive amount of previously-unknown vulnerabilities which required complex reasoning over multiprocess browser engine code. At first, we supervised the process in the terminal to observe the process in real-time and tune the prompts and logic. Once this was working well, we parallelized the jobs across multiple ephemeral VMs, each tasked to hunt for bugs within a specific target file and write its findings back to a bucket.
A discovery subsystem is necessary but not sufficient. In order to scale the effort, we needed to integrate it with our full security bug lifecycle: determining what to look for, where to look, and how to handle what it produces. This last part includes deduplicating against known issues, tracking bugs, triaging them, and getting fixes shipped. While the model is the core primitive powering the harness, this full pipeline is necessary to make it useful at scale.
While harnesses may be reusable across projects, this pipeline is inherently project-specific, reflecting each codebase’s semantics, tooling, and processes. Standing this up required significant iteration, with a tight feedback loop alongside the Firefox engineers who were fielding the incoming bugs.
Upgrading the Models
Once the end-to-end pipeline is in place, it’s trivial to swap in different models when they become available. Building this pipeline early helped us find a number of serious bugs using publicly-available models, and it also helped us hit the ground running when we had the opportunity to evaluate Claude Mythos Preview. In our experience, model upgrades increase the effectiveness of the entire pipeline: the system gets simultaneously better at finding potential bugs, creating proof-of-concept test cases to demonstrate them, and articulating their pathology and impact.
In addition to fixing the 271 bugs identified by Claude Mythos Preview in the 150 release, we’ve shipped more of these fixes in 149.0.2, 150.0.1, and 150.0.2. We also continue to find bugs with other means internally, and, similar to other projects, we’ve seen a significant uptick in external reports in the last few months.
Ultimately, every bug requires care and attention to properly fix. Staying on top of this unprecedented volume has led to a lot of work and long days over the last few months, and we’re extremely proud of how the team has stepped up to meet this challenge. Over 100 people contributed code to this effort to ship the most secure Firefox yet. In addition to writing and reviewing patches, others have been building and scaling this pipeline, triaging, testing the fixes, and managing the release process for each bug.
Takeaways
Anyone building software can start using a harness with a modern model to find bugs and harden their code today. We recommend getting started now. You will find bugs, and you will set yourself up to take advantage of new models as soon as they become available.
You can start with very simple prompting, then observe and iterate. Our initial prompts were not dissimilar from those described here. Through iteration we’ve built out a lot of orchestration and tooling to optimize and scale the pipeline, but the essence of the inner loop remains the same: there is a bug in this part of the code, please find it and build a testcase.
We haven’t bottomed out on all the latent bugs in Firefox, but are quite pleased with the trajectory. Today, our scanning is largely focused on specific areas of the code (files, functions) where we instruct the system to look, based on a mix of human judgement and automated signals. In the near future, we intend to integrate this analysis into our continuous integration system to scan patches as they land in the tree. Models are quite flexible with the form of context provided, and we expect patch-based scanning to work as well or even better than file-based scanning.
The current moment is a perilous one, but also full of opportunity. Let’s work together to secure the internet.
FAQ
The announcement said “271 bugs”, but I count something different. What’s going on?
On the advisories web page we group all internally-reported bugs as “rollup” CVEs with multiple bugs underneath them. The web page is built from yaml in the foundation-security-advisories repo, the canonical location for our CVE assignments. While some browsers do not create CVE identifiers for internally-discovered issues at all, we provide this information in order to be as transparent as possible.
In Firefox 150, there were three internal rollups: CVE-2026-6784 (154 bugs), CVE-2026-6785 (55 bugs), and CVE-2026-6786 (107 bugs).
Astute readers will notice the number of bugs in those internal rollups adds up to 316, which is more than the 271 we announced finding with Claude Mythos Preview. That’s because our security team hunts for new bugs every day by attacking Firefox with a combination of (a) fuzzing systems (b) manual inspection and (c) this new agentic pipeline across a variety of models.
We fixed a total of 423 security bugs in releases in April. In addition to the 271 bugs announced two weeks ago, there were 41 externally reported bugs, with the remaining 111 discovered internally and split roughly in thirds between:
Bugs found using this pipeline with Claude Mythos Preview but fixed in releases other than Firefox 150
Bugs found using this pipeline with other models
Bugs found with other techniques like fuzzing
Note that we also directly credited 3 CVEs to Anthropic separate from this latest effort (CVE-2026-6746, CVE-2026-6757, CVE-2026-6758). These were fixes for bugs sent to us by the outstanding Anthropic Frontier Red team a couple months ago and we assigned unique CVEs for each as per our normal process.
What do security ratings mean?
As additional context, we apply security severity ratings from critical to low to indicate the urgency of a bug:
sec-critical and sec-high are assigned to vulnerabilities that can be triggered with normal user behavior, like browsing to a web page. We make no technical difference between these, but sec-critical bugs are reserved for issues that are publicly disclosed or known to be exploited in the wild.
sec-moderate is assigned to vulnerabilities that would otherwise be rated sec-high but require unusual and complex steps from the victim.
sec-low is assigned to bugs that are annoying but far from causing user harm (e.g., a safe crash).
Of the 271 bugs we announced for Firefox 150: 180 were sec-high, 80 were sec-moderate, and 11 were sec-low.
While we care most about critical/high bugs, it’s normal for us to prioritize moderate and low security bugs in order to fix correctness issues and as a defense-in-depth mechanism.
Is a sec-high or sec-critical bug the same as a practical exploit?
Not necessarily.
In most cases, a single critical/high bug is not actually enough to compromise Firefox. This is because Firefox has a defense-in-depth architecture, so for example exploiting a JIT bug only achieves remote code execution in a sandboxed and site-specific process. Real-world attackers generally need to chain multiple exploits together to escalate privileges through one or more layers of sandboxing along with OS-level mitigations like ASLR.
We also generally don’t build exploits to see whether a bug could be used by an attacker in the real world. We classify sec-high based on predictable crash symptoms such as use-after-free or out-of-bounds memory issues being reported by AddressSanitizer, and our threat model assumes that any of them could be exploitable with sufficient effort. This reduces the risk of a false negative during exploitability analysis, and more importantly it allows us to focus our resources on finding and fixing more vulnerabilities.
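The symptom-based classification described above can be applied mechanically to a sanitizer report. The following is an added example, not Mozilla's triage tooling: it parses the ERROR line of an AddressSanitizer report and sorts memory-safety symptoms (use-after-free, out-of-bounds access) into sec-high candidates, while a read fault on the zero page is treated as a safe null dereference and therefore a sec-low candidate. That zero-page rule, the `ZERO_PAGE_LIMIT` threshold, and the three sample reports are constructed for this example. The script deliberately stops at "candidate": the sec-high versus sec-moderate decision depends on what the victim has to do to trigger the bug, which a crash report cannot tell you.

```python
"""Triage AddressSanitizer reports by crash symptom (added example)."""
import re

# ASan error kinds that name a memory-safety violation with an "on address" line.
# Assumption: any of these is treated as exploitable with sufficient effort.
MEMORY_SAFETY = {
    "heap-use-after-free",
    "heap-buffer-overflow",
    "stack-buffer-overflow",
    "global-buffer-overflow",
    "stack-use-after-return",
    "use-after-poison",
}

ERROR_RE = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)"
)
ACCESS_RE = re.compile(r"\b(?P<op>READ|WRITE) of size (?P<size>\d+)")
SIGNAL_RE = re.compile(r"The signal is caused by a (?P<op>READ|WRITE) memory access")

ZERO_PAGE_LIMIT = 0x1000  # assumption: faults below this address are null dereferences


def parse_asan(report: str) -> dict:
    """Extract kind, fault address, access direction and size from an ASan report."""
    m = ERROR_RE.search(report)
    if not m:
        raise ValueError("no AddressSanitizer ERROR line found")
    info = {"kind": m.group("kind"), "addr": int(m.group("addr"), 16), "op": None, "size": None}
    a = ACCESS_RE.search(report) or SIGNAL_RE.search(report)
    if a:
        info["op"] = a.group("op")
        if "size" in a.groupdict():
            info["size"] = int(a.group("size"))
    return info


def triage(report: str) -> str:
    """Map a report to a severity candidate following the symptom-based rubric."""
    info = parse_asan(report)
    if info["kind"] in MEMORY_SAFETY:
        return "sec-high candidate"
    if info["kind"] == "SEGV":
        if info["op"] == "READ" and info["addr"] < ZERO_PAGE_LIMIT:
            return "sec-low candidate (safe crash: null dereference)"
        return "needs analysis (SEGV at non-null address or a write)"
    return "needs analysis"


# Constructed sample reports in the shape ASan prints; not from any real Firefox bug.
SAMPLE_REPORTS = {
    "uaf": (
        "==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000010 "
        "at pc 0x55d5e1d2b0c4 bp 0x7ffd3c1a7a10 sp 0x7ffd3c1a7a00\n"
        "READ of size 4 at 0x602000000010 thread T0\n"
        "    #0 0x55d5e1d2b0c3 in Use(Node*) example.cpp:17\n"
    ),
    "null_deref": (
        "==4243==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 "
        "(pc 0x55d5e1d2b0c4 bp 0x7ffd3c1a7a10 sp 0x7ffd3c1a7a00 T0)\n"
        "==4243==The signal is caused by a READ memory access.\n"
        "==4243==Hint: address points to the zero page.\n"
    ),
    "wild_write": (
        "==4244==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3a1c000000 "
        "(pc 0x55d5e1d2b0c4 bp 0x7ffd3c1a7a10 sp 0x7ffd3c1a7a00 T0)\n"
        "==4244==The signal is caused by a WRITE memory access.\n"
    ),
}


def triage_all(reports: dict) -> dict:
    """Return {name: severity candidate} for a batch of reports."""
    return {name: triage(text) for name, text in reports.items()}


if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLE_REPORTS).items():
        print(f"{name:12s} {verdict}")
```

Running it prints one verdict per sample. A real pipeline would key on the crash signature (top frames) as well as the kind, so that duplicates of the same bug are not triaged twice.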
[1] Our bug bounty program has similar rules.
Brian Grinstead is a Distinguished Engineer on Firefox.
Christian Holler is a Firefox Tech Lead and Principal Engineer at Mozilla.
Frederik Braun manages the Firefox Application Security team. He builds security for the web and for Mozilla Firefox from Berlin. As a contributor to standards, Frederik is also improving the web platform by bringing security into the defaults with specifications like the Sanitizer API and Subresource Integrity. When not at work, Frederik likes reading a good novel or going on long bike treks across Europe.
Meshtastic® is a project that enables you to use inexpensive LoRa radios as a long range off-grid communication platform in areas without existing or reliable communications infrastructure. This project is 100% community driven and open source!
[Diagram: several Client nodes and a Router node linked over LoRa, with Bluetooth, WiFi and USB connections from clients to their paired devices]
Features
Long range (331km record by MartinR7 & alleg)
No phone required for mesh communication
Decentralized communication - no dedicated router required
Encrypted communication
Excellent battery life
Send and receive text messages between members of the mesh
Optional GPS based location features
And more!
How it works
Meshtastic utilizes LoRa, a long-range radio protocol, which is widely accessible in most regions without the need for additional licenses or certifications, unlike ham radio operations.
These radios are designed to rebroadcast messages they receive, forming a mesh network. This lets every group member, including those furthest away, receive messages.
Additionally, Meshtastic radios can be paired with a single phone, allowing friends and family to send messages directly to your specific radio. Note that each device supports a connection from only one user at a time.
If you are interested in a more technical overview of how Meshtastic works, visit the overview section below.
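The rebroadcast behaviour described above is easiest to understand as a small simulation. The following is an added example, not Meshtastic firmware or its routing code: it models a flooding scheme in which every node that hears a packet for the first time repeats it once, keeps a record of packet IDs it has already relayed so the mesh does not echo forever, and honours a hop limit after which a packet is still delivered but no longer repeated. Node positions, radio range, the hop limit and the packet-ID dedup key are all assumptions made for the example.

```python
"""Simplified flooding mesh, showing why rebroadcast reaches distant nodes (added example)."""
from collections import deque

RADIO_RANGE = 10.0  # assumption: flat 1-D world, units of distance, no terrain


def neighbours(nodes: dict, name: str) -> list:
    """Nodes within radio range of `name`. Positions are constructed for the example."""
    here = nodes[name]
    return [n for n, pos in nodes.items() if n != name and abs(pos - here) <= RADIO_RANGE]


def flood(nodes: dict, origin: str, hop_limit: int = 3) -> tuple:
    """Flood one packet from `origin`.

    Returns (set of nodes that received it, number of transmissions made).
    Each node relays a packet ID at most once (the `seen` set); a node that
    receives the packet with zero hops left keeps it but does not relay it.
    Without the `seen` check two neighbours would ping-pong the packet forever.
    """
    seen = {origin}          # assumption: dedup key is the packet ID, tracked per node
    delivered = set()
    transmissions = 0
    queue = deque([(origin, hop_limit)])
    while queue:
        sender, hops_left = queue.popleft()
        transmissions += 1   # this node transmits the packet once
        for n in neighbours(nodes, sender):
            if n in seen:
                continue     # already heard this packet ID: drop, do not relay
            seen.add(n)
            delivered.add(n)
            if hops_left > 0:
                queue.append((n, hops_left - 1))
    return delivered, transmissions


# Constructed topology: a chain where only adjacent nodes can hear each other.
CHAIN = {"A": 0.0, "B": 8.0, "C": 16.0, "D": 24.0, "E": 32.0, "F": 40.0}


if __name__ == "__main__":
    reached, tx = flood(CHAIN, "A")
    print(f"hop_limit=3: reached {sorted(reached)} with {tx} transmissions")
    reached, tx = flood(CHAIN, "A", hop_limit=4)
    print(f"hop_limit=4: reached {sorted(reached)} with {tx} transmissions")
```

With the default hop limit of three, the packet from A is relayed by B, C and D and delivered as far as E; F is one hop too far and only appears once the limit is raised. The transmission count equals the number of relaying nodes plus the origin, which is what the dedup record buys you: every node spends one airtime slot per packet, not one per neighbour that repeats it.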
Contributors
Meshtastic is an open source project available on GitHub. Our generous volunteers donate their personal time to write and maintain this codebase. If you would like to contribute see our GitHub, join our Discord server, and read up on our Meshtastic Discussions.
Start using Meshtastic
Hopefully your “Getting Started” experience is straightforward and headache free. If you encounter any issues, please consider updating our documentation to improve future user experiences or reach out on the forum or Discord.
Our support is 100% volunteer based. We are passionate about the project and hope to help newcomers become Meshtastic experts!
Male school students who bully others, including through cyberbullying, will face caning as a “last resort” under new guidelines introduced in Singapore.
Male students can face up to three strokes of the cane under the new rules, which were discussed in parliament on Tuesday.
International groups such as Unicef, the UN’s agency for children, oppose the use of corporal punishment for children, saying it harms their physical and mental health, and increases behavioural problems over time.
The education minister, Desmond Lee, told lawmakers that caning would only be applied “if all the other measures are inadequate, given the gravity of the misconduct”.
“They follow strict protocols to ensure safety for the student. For instance, caning must be approved by the principal and administered only by authorised teachers,” he said.
“Schools will consider factors such as the maturity of the student and if caning will help the student learn from his mistake and understand the gravity of what he has done.”
The measures follow a year-long review that focused on bullying, and come after several high-profile school bullying incidents drew public attention last year.
Caning will only be used as a punishment for male students in upper primary levels (age 9 – 12 years) and above, said Lee, who pointed to the country’s criminal procedure code, which prohibits the caning of women.
After the caning is imposed, the school would “monitor the student’s wellbeing and progress”, including providing counselling, Lee said.
Female students, he said, would receive punishments “such as detention and/or suspension, adjustment of their conduct grade and other school-based consequences”.
Judicial caning, first introduced by British colonialists in the 19th century, continues to be used in Singapore for male offenders under 50. This includes crimes such as robbery, scamming or overstaying a visa by 90 days.
A report released by the World Health Organization last year said that corporal punishment remained “alarmingly widespread” globally, adding that it caused significant harm to children’s health and development.
Globally, an estimated 1.2 billion children aged 0 – 18 years are subjected to corporal punishment at home each year, according to WHO.
In the original 1881 version, the book ended in chapter fifteen with the puppet hanging dead from an oak tree.
Carlo Collodi serialised the story in Il Giornale per i bambini, the first Italian children’s magazine, beginning on July 7, 1881. The first installment was titled Storia di un burattino — Story of a Puppet. Eight episodes later, over four months, the Fox and the Cat lured Pinocchio into a forest at night, robbed him, and strung him from the branch of la Quercia grande, the Great Oak: gli legarono le mani dietro le spalle, e passatogli un nodo scorsoio intorno alla gola, lo attaccarono penzoloni al ramo di una quercia (they tied his hands behind his back, slipped a running noose around his throat, and hung him dangling from the branch of an oak). He shut his eyes, opened his mouth, stretched his legs, gave one great convulsion, and stayed there as if frozen stiff. Fine (The End).
Collodi was done. He had collected his fee. Italian children wrote in begging him to continue. He resumed reluctantly five months later, on February 16, 1882, with the title changed from Storia di un burattino to Le avventure di Pinocchio and a Blue Fairy — first introduced as a literal child-corpse with turquoise hair, lying in a window of a forest cottage — appearing in chapter sixteen to revive him.
The next twenty-one chapters are not gentler.
The cricket, killed
A talking cricket appears in chapter four to lecture Pinocchio about respecting his father. Pinocchio picks up a hammer from the workbench and hurls it. The cricket rimase lì stecchito e appiccicato alla parete — stuck flat to the wall, dead. He returns later as a ghost, but Collodi narrates the death with the deadpan tone of a police report.
The feet, burned off
In chapter seven, exhausted and freezing, Pinocchio falls asleep with his wooden feet propped on a brazier. He wakes up with no feet. Geppetto carves him a new pair the following morning. There is no moral framing of the loss; it is treated as an inconvenience.
The fairy, originally a corpse
When she first appears in chapter fifteen she is con i capelli turchini, e il viso bianco come un’immagine di cera, gli occhi chiusi e le mani incrociate sul petto — turquoise hair, a face white as a wax effigy, eyes closed, hands crossed on the chest. She tells the panicking Pinocchio she is dead and the bier is being prepared. Only in later installments does she become a living girl, then a fairy, then something approaching a mother.
The donkey-skin drum
Pinocchio runs away to il Paese dei Balocchi, the Land of Toys, where boys play games all day and never go to school. After five months they all turn into actual donkeys, sold to circuses. Pinocchio-the-donkey performs at one until he breaks his leg in an accident. The owner sells the donkey to a man who wants to make a drum out of his hide. The man ties a heavy stone to the donkey’s neck and throws him into the sea to drown. Inside the dead donkey, Pinocchio reverts to wood and is then swallowed by un Pesce-cane — a dogfish, a kind of shark, which Disney would later resize into a whale.
This is, again, a children’s book.
Why it reads this way
Carlo Lorenzini — Collodi was a pen name, taken from his mother’s home village in Tuscany — was a satirist before he was a children’s author. He fought as a volunteer in the Tuscan army during the Italian Wars of Independence in 1848 and 1860. In 1853 he founded the satirical newspaper Il Lampione, which was censored and shut down by the Grand Duke of Tuscany. A year later he launched another, Lo Scaramuccia. His early books were a parodic travel guide and a play of political ideas. He came to children’s literature in his fifties because the new Italian state was paying for school readers, and a magazine commission was steady money.
He wrote Pinocchio with the deadpan irony of a man who thought most children’s literature was sentimental rubbish. The donkey-skin drum is meant to land as a joke at the expense of every previous moralising children’s book in Italy. The cricket is a cartoon of every adult who ever lectured a working-class boy on respect. The Land of Toys is a satire of the truancy panic Italian schoolmasters used to drum up. None of the cruelty is gratuitous, exactly. It is dramatised exhaustion with the genre.
How a satire helped teach Italians Italian
The legacy of the book has almost nothing to do with the satire. It has to do with the language.
When Italy was politically unified in 1861, the linguist Tullio De Mauro’s classic estimate is that only about 2.5% of the population spoke standard Italian — roughly 630,000 people out of twenty-five million. The rest spoke a mosaic of regional dialects mutually unintelligible enough that a Neapolitan recruit could not understand a Piedmontese officer. The new state needed a single shared language, and fast. They chose Tuscan, the literary tongue of Dante and Petrarch — but most Italians had never heard Tuscan spoken in daily life.
What got Tuscan into ordinary Italian homes was schoolbooks. Pinocchio became one of them. Collodi wrote in clean middle-register Florentine Tuscan: short sentences, common verbs, concrete nouns — pane, naso, bugia, legno, fata, volpe (bread, nose, lie, wood, fairy, fox). The book ended up on every elementary school syllabus and stayed there. Generations of Italian children learned to read in the language Collodi had already simplified for them. By 1951, when De Mauro re-counted, the proportion of Italians who could speak standard Italian had climbed from 2.5% to roughly 87%. Television finished that job. Mass schooling, with Pinocchio in it, started it.
Collodi himself never knew. He died of a stroke in October 1890, eight years after the book was completed in print, with no idea he had written one of the most translated books in human history. He had no children. The puppet he wrote reluctantly to make rent has now outlived him by a hundred and thirty-six years.
What it’s like to read now
What’s strange about reading the original today — not the Disney version, not even a translation, the original — is that it doesn’t feel old. The Italian is plain enough that an early learner with a textbook behind them can finish a chapter in a sitting. The plot moves at television speed: thirty-six chapters of trouble before the redemption finally lands. The pictures are vivid, weird, and entirely Collodi’s: a piece of wood that talks back, a fox pretending to be blind, a donkey at the bottom of the sea. You do not need a literary education to follow it. He wasn’t writing for one.
Most translations soften the book. Most adaptations cut the donkey-skin drum. Most adults who think they know Pinocchio are remembering Disney. The book itself is still the book Collodi reluctantly extended past chapter fifteen because Italian children would not let it end.
I’m one of the makers of Storica, a daily reading club for the language you’re learning. We adapt classics — including the unsanitised Pinocchio, donkey-skin drum and all — into A0–B2 readings of about fifteen minutes a day, in seven languages. The original Italian is on the shelf if you want it.