• Bank cards and IDs are easily available, and cheap, on the dark web, NordVPN warns
• UK citizens are a major target, with their data worth more
• The best fix is to secure your online accounts

We already know about the risks of using the internet, and how basic cybersecurity hygiene principles can do a lot of the heavy lifting when it comes to keeping you safe, but NordVPN has revealed exactly what happens with your data after it’s been stolen.

The company’s research found stolen UK payment card details are now being commonly sold on dark web marketplaces for around £9 (around $12), with full more complete ‘digital identity packs’ being sold for around £30 ($40).

Public Sector

Are you ready to RAAC?

England’s Department for Education is
advertising a role paying up to £200,000 a year to lead a new digital and
infrastructure group overseeing school buildings and maintenance, as well as technology and data.

Its Director General, Digital and
Infrastructure, will lead the technology function of
around 1,800 staff, develop a new strategy covering digital services, data, and artificial intelligence, and lead work on a unique identifier
for children and other learners in England. Scotland, Wales, and
Northern Ireland run education services on a devolved basis.

The successful candidate will also
implement a new strategy for “the education estate” of schools,
colleges, nurseries, and children’s homes. The job ad warns the function “carries
some of the highest levels of risk and accountability in the
department – including life-and-death decisions on safety,” citing ongoing work to remove unsafe reinforced
autoclaved aerated concrete (RAAC) from schools.

“I am looking for a leader who is
motivated by impact – someone who is able to combine their digital
and data expertise with their drive to improve outcomes for children
and young people,” writes the department’s permanent secretary, Susan Acland-Hood, in a briefing document with the advert. “Whilst
you do not need to be an expert on education policy, you need to be
curious and committed to rapidly building your understanding of the
latest evidence, system, and policy landscape.”

The department is willing to base the
job in Bristol, Cambridge, Coventry, Darlington, London, Manchester,
Nottingham, or Sheffield, although those who do not work in the
capital will need to go there frequently. Applications close on June 1.

Several other departments have
recently advertised digital director-general posts, the civil service
job category just below permanent secretary (equivalent to chief
executive). In January, England’s Department of Health and Social Care
advertised the role of director general for technology, digital and
data with a salary of up to £285,000 a year. 

In February, the Ministry of Defence offered £270,000 to £300,000
for its chief digital and information
officer job. And in April, the Department for Science, Innovation and Technology
advertised for three directors-general, one paid £174,000 and the
other two paying between £200,000 and £260,000 annually. ®

During the Trinity nuclear test on July 16, 1945, in the New Mexico desert—the world’s very first test of an atomic bomb—a new material spontaneously formed. It was discovered only recently, by an international research team coordinated by geologist Luca Bindi at the University of Florence, which identified the novel clathrate based on calcium, copper, and silicon. It’s a material never before observed either in nature or as an artificial compound created in the laboratory.

What Are Clathrates?

The term “clathrates” denotes materials characterized by a “cage-like” structure that traps other atoms and molecules inside, giving them unique properties. Of great technological interest, these materials are being studied for various applications ranging from energy conversion (as thermoelectric materials capable of transforming heat into electricity) to the development of new semiconductors, to gas storage and hydrogen for future energy technologies.

The New Material

To discover the new material, researchers focused on trinitite, a silicate glass containing rare metallic phases. Using some techniques like x-ray diffraction, the team was able to identify a type I clathrate based on calcium, copper, and silicon within a tiny copper-rich metal droplet embedded in a sample of red trinitite.

The new material, the researchers say, formed spontaneously during a nuclear explosion. This indicates that the extreme conditions, such as extremely high temperatures and pressures, can generate new materials that are impossible to obtain by traditional methods.

Natural Laboratories

The discovery is even more interesting because in the same detonation event another very rare material was formed: a silicon-rich quasicrystal, already documented by the team of experts led by Bindi a few years ago.

A quasicrystal, as Bindi told WIRED at the time, is something that is not a crystal, but looks a lot like one. “Their peculiarity,” he said, “is that the atomic arrangement that is not periodic, but nearly so, creates incredible symmetries from which derive amazing physical properties, among other things, very difficult to predict.”

Establishing the link between these structures therefore helps scientists better understand how atoms organize under extreme conditions and expand the possibilities for designing new materials. “Events such as nuclear explosions, lightning strikes, or meteoritic impacts function as true natural laboratories,” the researchers explain. “They allow us to observe forms of matter that we cannot easily reproduce in the laboratory.”

In essence, this research opens new vistas for the development of innovative technologies, demonstrating that even destructive events can bequeath discoveries useful for the future.

This story originally appeared in WIRED Italia and has been translated from Italian.

A security researcher claims Microsoft quietly fixed an Azure Backup for AKS vulnerability after rejecting his report, and blocking a CVE from being issued.

The researcher’s report describes a critical privilege escalation flaw that allowed cluster-admin access from the low-privileged “Backup Contributor” role.

Microsoft disputes the claim, telling BleepingComputer the behavior was expected and that “no product changes were made,” despite the researcher documenting new permission checks and failed exploit attempts after disclosure, suggestive of a silent patch.

CERT agrees it’s a bug, but Microsoft blocks CVE

Security researcher Justin O’Leary discovered the security flaw this March, and reported it to Microsoft on March 17.

Microsoft Security Response Center (MSRC) rejected the report on April 13, claiming the issue only involved obtaining cluster-admin on a cluster where “the attacker already held administrator access,” a characterization O’Leary says misrepresents the attack entirely.

“This is factually incorrect,” states the researcher.

“The vulnerability allows a user with zero Kubernetes permissions to gain cluster-admin. The attack does not require existing cluster access — it grants it.”

O’Leary further says that Microsoft described the submission to MITRE as “AI-generated content,” something he says did not address the technical merits of the report.

After the rejection, O’Leary escalated the issue to CERT Coordination Center, which independently validated the vulnerability on April 16 and, according to the researcher, assigned it an identifier, VU#284781:

CERT/CC had initially scheduled public disclosure for June 1, 2026, but that disclosure never happened.

On May 4, Microsoft staff reportedly contacted MITRE recommending against CVE assignment, again arguing the issue required pre-existing administrative access:

CERT/CC later closed the case under CNA hierarchy rules, effectively leaving Microsoft (which is a CNA) with final authority over CVE issuance for its own products.

How the attack worked

Azure Backup for AKS uses Trusted Access to grant backup extensions cluster-admin privileges inside Kubernetes clusters.

According to O’Leary, the flaw allowed anyone with only the Backup Contributor role on a backup vault to trigger that Trusted Access relationship without already having Kubernetes permissions.

An attacker could enable backup on a target AKS cluster, causing Azure to automatically configure Trusted Access with cluster-admin privileges. From there, an attacker could extract secrets through backup operations or restore malicious workloads into the cluster.

O’Leary classified the issue as a Confused Deputy vulnerability (CWE-441), where Azure RBAC and Kubernetes RBAC trust boundaries interacted in a manner that bypassed expected authorization controls.

Microsoft says no changes made, behavior says otherwise

BleepingComputer reached out to Microsoft to understand if the tech giant considered this finding to be a valid security vulnerability.

A Microsoft spokesperson told BleepingComputer:

“Our assessment concluded that this is not a security vulnerability, but rather expected behavior that requires pre-existing administrative privileges within the customer’s environment. Therefore, no product changes were made to address this report and no CVE or CVSS score were issued.”

However, following the disclosure of his report this month, O’Leary observed that the original attack path no longer works.

“Current behavior returns errors that did not exist in March 2026,” he states:

ERROR: UserErrorTrustedAccessGatewayReturnedForbidden

“The Trusted Access role binding is missing/has gotten removed”

According to O’Leary, Azure Backup for AKS now requires Trusted Access to be manually configured before backup can be enabled, reversing the earlier behavior where Azure configured it automatically.

He also observed additional permission checks that were absent during his original testing in March. The vault MSI now requires Reader permissions on both the AKS cluster and snapshot resource group, while the AKS cluster MSI requires Contributor permissions on the snapshot resource group.

In other words, the vulnerability appears to have been fixed, but Microsoft has neither issued a public advisory nor notified customers.

The visibility problem for defenders

Without a CVE or advisory, defenders have little visibility into the exposure window or remediation timeline.

“Organizations that granted Backup Contributor between an unknown start date and May 2026 were exposed to privilege escalation,” writes the researcher.

“Without a CVE, security teams cannot track this exposure. Silent patching protects vendors, not customers.”

The case highlights a structural problem with no easy fix.

Disputes between security researchers and major vendors over severity, exploitability, and disclosure have become common in recent years, especially as vulnerability disclosure programs face increasing volumes of reports.

Some open-source maintainers have also publicly complained that AI-assisted reports are overwhelming bug bounty and security triage systems, making it harder for legitimate findings to receive timely attention. Cases where big tech ignored patching valid flaws despite repeated contact by different researchers are not uncommon either.

Without a framework that realigns incentives for all parties, responsible disclosure risks becoming a bureaucratic exercise that serves no one—least of all the organizations left exposed in the dark.

Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.

This guide covers the 6 surfaces you actually need to validate.

Download Now

Gardyn Home 4.0 (read my full review here) was one of the easiest indoor gardens to assemble set up out of the box; it also yielded the most dramatic success of any of the brands I tried. Flowers, kohlrabi, thyme, and even a whole cauliflower all thrived in this pipe-based system with the lights in front to allow for taller plant growth.

Seeds arrive in proprietary pods called yCubes. Part of what makes the Gardyn foolproof is the subscription app add-on, “Kelby,” which monitors your plants via attached sensors and cameras. It delivers customized watering and lighting schedules, as well as maintenance suggestions via AI (which an anonymous source told me is basically OpenAI’s ChatGPT with an overlaid prompt). This subscription adds an additional $259 a year to the base purchase price, though it includes a certain number of credits per month, depending on whether you have the Home or Studio model, with which to buy new yCubes. There’s a free 30-day trial for Kelby, but you can use the Gardyn without it by relying on manual light and watering controls. Also, there have been some recent privacy concerns with Kelby (more below).

Each Gardyn purchase comes with your choice of yCube sets: “Salad Lover,” “Budding Florist,” or “Chef Faves.” I’ve tried both “Budding Florist” and “Chef Faves,” and my favorite is the latter; it has an interesting variety of everything from breen and Tokyo bekana greens to Thai basil and miniature sunflowers. Though Gardyn recommends starting the yCubes in the company’s add-on $80 nursery, I’ve germinated plenty of yCubes right in the system just fine. (Make sure you don’t add nutrients until they sprout. If you’re germinating yCubes later on, when nutrients are already in the system, you can just use a shallow bowl with loosely tented plastic wrap.) The seeds arrive tucked in mineral wool, snug in their little yCubes that slot into larger cups (“yPods”) that fit into the pipes. When the Gardyn waters the plants, the yPods fill with nutrient-infused water, and the plants’ roots grow right into the water.

Once a month, the base needs to be emptied and scrubbed. Every few weeks, the roots need to be checked for root rot and growth outside the yPod, examined for whether it’s time to prune, and/or tucked back in if they’ve wandered too far. This maintenance is admittedly a bit laborious, and if you do not do it consistently, you will be very sorry when it’s time to clean the Gardyn and prepare it for its next planting. (Ask me how I know!)

I now have two Gardyns, a Home 4 and a Studio 2, which features an upgraded camera and columns. Aside from some funky yCubes (which the company will replace upon request), I have no major complaints about the system. Though I will note that the plants in the Studio have been overall less lush due to the Studio’s having one light bar rather than two, which is why my primary recommendations remains the Home. I also like that Gardyn offers a Vacation Mode, which adjusts the lighting and watering to slow growth and minimize maintenance tasks while you’re away.

NOTE: On February 24, 2026, and April 2, 2026, the US Cybersecurity and Infrastructure Security Agency (CISA) released advisories regarding vulnerabilities in Gardyn Home and Studio devices. These security weaknesses could have allowed someone to take remote control of a Gardyn device, access plant photos, and obtain personal information such as names, addresses, phone numbers, and email addresses. Gardyn claims these vulnerabilities have been remediated with the most recent firmware update, and advises customers to ensure their Gardyns are internet-connected and running firmware version 619 or later. If you think your device may have been compromised, email [email protected] or call 844-4-GARDYN. For more information, see Gardyn’s Security update for Gardyn Home and Gardyn Studio.

While the idea is appealing, I have never fully enjoyed using the speech-to-text feature for voice typing. I understand why it exists, and I have used it in a pinch. But it has always felt like one of those phone features that works just enough times to be useful, and not often enough to be conveniently reliable.

It’s not just about speaking clearly; the problem is a bit more subtle. You have to avoid doubling back mid-sentence, or you have to pretend your brain naturally produces clean text messages in one smooth pass. And since mine does not, I’m looking forward to Google’s new Rambler feature for Gboard. It’s a part of the Gemini Intelligence on Android, but what has my attention is how it works.

Rambler turns natural spoken thoughts into concise text. Google says that it can deal with the way people actually speak, including self-corrections, repeated words, and filler sounds like “ums,” “ahs,” and “likes.” This might sound boring until you think about how often typing is the slowest part of using a phone.

Bigger phones might finally be for me

Modern smartphones now sport near 7-inch displays that are fantastic for watching, reading, and gaming. But typing on them or using them with one hand is still annoying. And with the screen getting taller, there’s an awkward reaching game to hit the letters at the far side of a wider keyboard. Trying to reply while walking, carrying a bag, sitting in a cab, or holding coffee usually means typos, shorter replies, or waiting until both hands are free.

Voice typing should have been the obvious fix. The problem is that raw speech-to-text often gives you exactly what you said, and people don’t speak in rigid sentence structures. Real speech has pauses, restarts, half-formed thoughts, and random corrections. A voice note can carry that chaos because tone helps. A text message cannot.

Rambler’s solution is simple. Google is letting you talk how you’d normally do in a conversation or voice note. But rather than getting the exact wording and focusing on accuracy, Rambler will pick out the important parts and fit them into a message that still sounds like you.

The bilingual angle is actually huge

The great part about being bilingual is how two different languages blend during natural speech. So it was great to hear that multilingual support is available right from the get-go. Google says Rambler can switch between languages in a single message using Gemini’s multilingual model, including examples like English mixed with Hindi. A lot of people, like myself, do not text in one language alone.

We switch depending on the person, the mood, or the context. Standard voice typing can struggle when a sentence naturally moves between languages. It might get the words right, though it skips the rhythm. If Rambler can actually preserve that mixed-language flow while cleaning up the clutter, it becomes far more practical than a generic “make this sound professional” AI button.

It still has to prove it is faster than typing

I am not convinced this becomes a daily habit for everyone. A lot of people already type fast enough. Some prefer voice notes. Others may not want to talk to their phone in public, no matter how smart the transcription gets. There is also a privacy comfort test. The company claims that it will show when Rambler is enabled, and that audio is only used to transcribe in real time and is not stored or saved. Still, it has to prove that it is fast and low-effort to really stick around. But at least, Google is promising that you don’t have to think twice before speaking or make perfect sentences.