Windows Server 2016 might be long in the tooth but that isn't about to stop Microsoft breaking stuff. The May 12 security update introduced another bug for administrators to worry about. According to Microsoft, if the server hostname is exactly 15 characters long (like, for example, THEY-NEVER-TEST), domain controller discovery might fail. In the notes for the glitch, Microsoft wrote: "When the hostname is 15 characters long, DCLocator calls (for example, using nltest /dsgetdc: /pdc) will return ERROR_INVALID_PARAMETER, preventing applications and administrative tools from locating a domain controller." In other words, anything that depends on a domain controller lookup might stop working. As an example, Microsoft gave Distributed File System (DFS) Namespace management, which would certainly be inconvenient. DFS Namespaces is a Windows Server role that allows admins to group shared folders across different servers into a single namespace. A single path can lead to files located on multiple servers. Unless, of course, the domain controller lookup is broken. Microsoft lists no workaround for affected users, though changing the server hostname to something other than 15 characters would presumably avoid the trigger. "The issue is under investigation, and additional information will be shared as soon as it becomes available," it said. Microsoft still officially supports Windows Server 2016. Mainstream support ended in 2022, but extended support will continue until January 12, 2027. Microsoft is offering up to three more years of support via the Extended Security Updates (ESU) program after that. Earlier this year, Esben Dochy of Lansweeper told The Register that the operating system accounted for just 2.2 percent of all Windows devices it tracks, but 20.3 percent of all servers. That figure is unlikely to have dropped dramatically in the months since, so there is a fair chance that an administrator with a 15-character hostname could be affected. In addition to the Windows Server 2016 problems, the May 2026 security update has failed during installation on some Windows 11 devices when the EFI System Partition is insufficient in size. It is reassuring to know Microsoft's talent for breakage shows no bias toward any particular vintage. ®

Carnival Corporation - the world's largest cruise operator - has confirmed a digital heist, a month after hacking crew ShinyHunters claimed to have stolen millions of customers' records. The breach, Carnival confirmed, stemmed from an April 14 social engineering attack on an employee, though the company declined to comment on the scale or name ShinyHunters. However, a company filing with the Maine attorney general's office puts the number of affected individuals at just under six million, down from the 8.7 million records previously listed by Have I Been Pwned. Carnival previously acknowledged the phishing attack at the time, but it did not say whether any data had been accessed or stolen. ShinyHunters claimed it lifted terabytes' worth of Carnival records and hinted at a breakdown in negotiations, likely related to the criminal outfit's extortion demands. "The company failed to reach an agreement with us despite our incredible patience," ShinyHunters wrote on its data leak site, adding: "They don't care." Following a "thorough and time-consuming analysis of the impacted data," Carnival confirmed that names, addresses, email addresses, phone numbers, dates of birth, and state identification numbers were all included in the breach. As is often the case in data theft incidents, individuals will be affected to different degrees, depending on what information they shared with the company. Carnival began sending notifications directly to affected individuals on Wednesday. Those communications include details about how recipients can redeem two years of free credit monitoring services, as is common in US breach notifications, via TransUnion. It closed its message with a promise to improve: "In addition to the comprehensive security measures the company had in place prior to the incident, it has taken steps to further safeguard its systems, including enhancing its security and monitoring controls. "The company will continue to advance its IT security and data privacy controls to stay ahead of an ever-evolving threat landscape." ®

PWNED Welcome, once again, to PWNED, the weekly column where we cover high-security hijinks that are at least partially the victim’s fault. This week, we have a trio of tales that involve incredibly unprofessional behavior, inappropriate use of corporate resources, and outright theft, all dealt with by IT. Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity is available upon request. Our trilogy of tech exposure comes courtesy of Zach Lewis, the current CIO and CISO at the University of Health Sciences and Pharmacy in St. Louis. Before his current role, Lewis worked for various other companies in IT roles and he has some tea to spill. At one job, Lewis was working as a sysadmin when the CEO asked for help recovering photos he had accidentally deleted from a company file share. The files were accessible to anyone at the organization, and Lewis searched archived copies in Google Picasa to restore them. Unfortunately, the pictures the CEO was missing included many that were very much NSFW. “So I was called in to sit down with him and look at it. And we're just like I restore everything. We start clicking images to make sure everything's there, just doing a random subset check,” Lewis said. “And, uh, just some pornography comes up and he's sitting right next to me. I mean, right next to me, he's just like, oh yeah, that's just some of my porn.” When he was done restoring the photos, Lewis left the room. It was clear the boss had no shame and no problem with IT seeing his explicit images or with storing them where any employee could download them. They were even mixed in with official photos and family pictures. However, knowing this was bad policy and could probably lead to a lawsuit, Lewis approached human resources and told them about the problem. The HR representative instructed him to delete all the smut from the network, even though it belonged to the big boss. He did that, and fortunately, did not face any repercussions at work for deleting the big man’s cheeky pictures. He wore a top hat In another instance, Lewis was asked to look at a coworker’s computer when the employee thought he had gotten a virus on his laptop. However, the colleague cautioned IT not to look through his files. After a little while, Lewis noticed a folder filled with other subfolders that were festooned with adult images, both of naked women and of the employee himself without clothes on. All of the photos had appropriately descriptive file names too. Perhaps most embarrassing of all for the coworker is that Lewis saw his semi-naked pictures. To be fair, he was dressed in the images, as he was wearing a top hat – but nothing else. The problem, Lewis notes, is that employees treat their work computers as if they are home computers and do not think about the implications of having personal images on something that belongs to a corporation. He suggests setting a firm policy against this kind of thing and educating workers about the policy. When workers inevitably violate the policy, it’s time for a gentle reminder. “A policy is just, you know, paper, right? It's hard to enforce that,” Lewis said. “You can talk to the user in this instance. In this most recent instance with this guy in the top hat, it was ‘hey, these are company resources’ when I gave the computer back to him.” Kids’ YouTube upload exposed a potential thief In another gig, Lewis worked at a university. When one athletics coach quit, he was supposed to leave his school-issued iPad on his desk. But when the IT department came to collect the equipment, this tablet was missing. No one could find the missing iPad, but a month later, someone uploaded a new video to the school’s YouTube channel. The video featured a different coach's kids and appeared to have been uploaded from his house. Apparently, the other coach had allegedly snatched the iPad off of the first coach’s desk and given it to his kids. The kids then used the iPad to film a funny home video and upload it to YouTube, not realizing that it was connected to the school’s official YouTube account. Lewis notified HR, who called the apparent thief in. At first, he denied that the children in the video were his offspring. However, the HR agent then showed him a photo of him and his kids on social media together and he admitted, okay, he was their dad. The coach then said he didn’t know how the iPad got into his house. But he grabbed it and returned it to IT. There are a lot of problems with the iPad situation from a security perspective. First, the iPad that wasn’t turned over clearly was not locked to the point where someone else couldn’t get into it. It had access to the school’s YouTube account, so any thief could add their own content to it and it may have even had PII (personally identifiable information) about some student athletes. Bottom line: make sure departing employees hand over equipment directly to IT. Don’t let them just leave equipment on a desk. And make sure even tablets require biometric access. ®