One of the things I've found out the hard way over the past year is that slowly going blind has subtle but negative effects on my productivity.

Cataracts are pretty much the commonest cause of blindness, they can be fixed permanently by surgically replacing the lens of the eye—I gather the op takes 15-20 minutes and can be carried out with only local anaesthesia: I'm having my first eye done next Tuesday—but it creeps up on you slowly. Even fast-developing cataracts take months.

In my case what I noticed first was the stars going out, then the headlights of oncoming vehicles at night twinkling annoyingly. Cataracts diffuse the light entering your eye, so that starlight (which is pretty dim to begin with) is spread across too wide an area of your retina to register. Similarly, the car headlights had the same blurring but remained bright enough to be annoying.

The next thing I noticed (or didn't) was my reading throughput diminishing. I read a lot and I read fast, eye problems aside: but last spring and summer I noticed I'd dropped from reading about 5 novels a week to fewer than 3. And for some reason, I wasn't as productive at writing. The ideas were still there, but staring at a computer screen was curiously fatiguing, so I found myself demotivated, and unconsciously taking any excuse to do something else.

Then I went for my regular annual ophthalmology check-up and was diagnosed with cataracts in both eyes.

In the short term, I got a new prescription: this focussed things slightly better, but there are limits to what you can do with glass, even very expensive glass. My diagnosis came at the worst time; the eye hospital that handles cataracts for pretty much the whole of south-east Scotland, the Queen Alexandria Eye Pavilion, closed suddenly at the end of last October: a cracked drainpipe had revealed asbestos cement in the building structure and emergency repairs were needed. It's a key hospital, but even so taking the asbestos out of a five story high hospital block takes time—it only re-opened at the start of July. Opthalmological surgery was spread out to other hospitals in the region but everything got a bit logjammed, hence the delays.

I considered paying for private private surgery. It's available, at a price: because this is a civilized country where healthcare is free at the point of delivery, I don't have health insurance, and I decided to wait a bit rather than pay £7000 or so to get both eyes done immediately. It turned out that, in the event, going private would have been foolish: the Eye Pavilion is open again, and it's only in the past month—since the beginning of July or thereabouts—that I've noticed my output slowing down significantly again.

Anyway, I'm getting my eyes fixed, but not at the same time: they like to leave a couple of weeks between them. So I might not be updating the blog much between now and the end of September.

Also contributing to the slow updates: I hit "pause" on my long-overdue space opera Ghost Engine on April first, with the final draft at the 80% point (with about 20,000 words left to re-write). The proximate reason for stopping was not my eyesight deteriorating but me being unable to shut up my goddamn muse, who was absolutely insistent that I had to drop everything and write a different novel right now. (That novel, Starter Pack, is an exploration of a throwaway idea from the very first sentence of Ghost Engine: they share a space operatic universe but absolutely no characters, planets, or starships with silly names: they're set thousands of years apart.) Anyway, I have ground to a halt on the new novel as well, but I've got a solid 95,000 words in hand, and only about 20,000 words left to write before my agent can kick the tires and tell me if it's something she can sell.

I am pretty sure you would rather see two new space operas from me than five or six extra blog entries between now and the end of the year, right?

(NB: thematically, Ghost Engine is my spin on a Banksian-scale space opera that's putting the boot in on the embryonic TESCREAL religion and the sort of half-baked AI/mind uploading singularitarianism I explored in Accelerando). Hopefully it has the "mouth feel" of a Culture novel without being in any way imitative. And Starter Pack is three heist capers in a trench-coat trying to escape from a rabid crapsack galactic empire, and a homage to Harry Harrison's The Stainless Steel Rat—with a side-order of exploring the political implications of lossy mind-uploading.)

All my energy is going into writing these two novels despite deteriorating vision right now, so I have mostly been ignoring the news (it's too depressing and distracting) and being a boring shut-in. It will be a huge relief to reset the text zoom in Scrivener back from 220% down to 100% once I have working eyeballs again! At which point I expect to get even less visible for a few frenzied weeks. Last time I was unable to write because of vision loss (caused by Bell's Palsy) back in 2013, I squirted out the first draft of The Annihilation Score in 18 days when I recovered: I'm hoping for a similar productivity rebound in September/October—although they can't be published before 2027 at the earliest (assuming they sell).

Anyway: see you on the other side!

PS: Amazon is now listing The Regicide Report as going on sale on January 27th, 2026: as far as I know that's a firm date.

Obligatory blurb:

An occult assassin, an elderly royal and a living god face off in The Regicide Report, the thrilling final novel in Charles Stross' epic, Hugo Award-winning Laundry Files series.

When the Elder God recently installed as Prime Minister identifies the monarchy as a threat to his growing power, Bob Howard and Mo O'Brien - recently of the supernatural espionage service known as the Laundry Files - are reluctantly pressed into service.

Fighting vampirism, scheming American agents and their own better instincts, Bob and Mo will join their allies for the very last time. God save the Queen― because someone has to.

It appears that the fragile masculinity tech evangelists have identified Debian as a community with boundaries which exclude them from abusing its members and they’re so angry about it! In response to posts such as this, and inspired by Dr. Conway’s piece, I’ve composed a poem which, hopefully, correctly addresses the feelings of that crowd.

The Very Model of a Patriot Online

I am the very model of a modern patriot online,
My keyboard is my rifle and my noble cause is so divine.
I didn't learn my knowledge in a dusty college lecture hall,
But from the chans where bitter anonymity enthralls us all.
I spend a dozen hours every day upon my sacred quest,
To put the globo-homo narrative completely to the test.
My arguments are peer-reviewed by fellas in the comments section,
Which proves my every thesis is the model of complete perfection.
I’m steeped in righteous anger that the libs call 'white fragility,'
For mocking their new pronouns and their lack of masculinity.
I’m master of the epic troll, the comeback, and the searing snark,
A digital guerrilla who is fighting battles in the dark.

I know the secret symbols and the dog-whistles historical,
From Pepe the Frog to ‘Let’s Go Brandon,’ in order categorical;
In short, for fighting culture wars with rhetoric rhetorical,
I am the very model of a patriot polemical.

***

I stand for true expression, for the comics and the edgy clown,
Whose satire is too based for all the fragile folks in town.
They say my speech is 'violence' while my spirit they are trampling,
The way they try to silence me is really quite a startling sampling
Of 1984, which I've not read but thoroughly understand,
Is all about the tyranny that's gripping this once-blessed land.
My humor is a weapon, it’s a razor-bladed, sharp critique,
(Though sensitive elites will call my masterpiece a form of ‘hate speech’).
They cannot comprehend my need for freedom from all consequence,
They call it 'hate,' I call it 'jokes,' they just don't have a lick of sense.
So when they call me ‘bigot’ for the spicy memes I post pro bono,
I tell them their the ones who're cancelled, I'm the victim here, you know!

Then I can write a screed against the globalist cabal, you see,
And tell you every detail of their vile conspiracy.
In short, when I use logic that is flexible and personal,
I am the very model of a patriot controversial.

***

I'm very well acquainted with the scientific method, too,
It's watching lengthy YouTube vids until my face is turning blue.
I trust the heartfelt testimony of a tearful, blonde ex-nurse,
But what a paid fact-checker says has no effect and is perverse.
A PhD is proof that you've been brainwashed by the leftist mob,
While my own research on a meme is how I really do my job.
I know that masks will suffocate and vaccines are a devil's brew,
I learned it from a podcast host who used to sell brain-boosting goo.
He scorns the lamestream media, the CNNs and all the rest,
Whose biased reporting I've put fully to a rigorous test
By only reading headlines and confirming what I already knew,
Then posting my analysis for other patriots to view.

With every "study" that they cite from sources I can't stand to hear,
My own profound conclusions become ever more precisely clear.
In short, when I've debunked the experts with a confident "Says who?!",
I am the very model of a researcher who sees right through you.

***

But all these culture wars are just a sleight-of-hand, a clever feint,
To hide the stolen ballots and to cover up the moral taint
Of D.C. pizza parlors and of shipping crates from Wayfair, it’s true,
It's all connected in a plot against the likes of me and you!
I've analyzed the satellite photography and watermarks,
I understand the secret drops, the cryptic Qs, the coded sparks.
The “habbening” is coming, friends, just give it two more weeks or three,
When all the traitors face the trials for their wicked treachery.
They say that nothing happened and the dates have all gone past, you see,
But that's just disinformation from the globalist enemy!
Their moving goalposts constantly, a tactic that is plain to see,
To wear us down and make us doubt the coming, final victory!

My mind can see the patterns that a simple sheep could never find,
The hidden puppet-masters who are poisoning our heart and mind.
In short, when I link drag queens to the price of gas and child-trafficking,
I am the very model of a patriot whose brain is quickening!

***

My pickup truck's a testament to everything that I hold dear,
With vinyl decals saying things the liberals all hate and fear.
The Gadsden flag is waving next to one that's blue and starkly thin,
To show my deep respect for law, except the feds who're steeped in sin.
There's Punisher and Molon Labe, so that everybody knows
I'm not someone to trifle with when push to final shoving goes.
I've got my tactical assault gear sitting ready in the den,
Awaiting for the signal to restore our land with my fellow men.
I practice clearing rooms at home when my mom goes out to the store,
A modern Minuteman who's ready for a civil war.
The neighbors give me funny looks, I see them whisper and take note,
They'll see what's what when I'm the one who's guarding checkpoints by their throat.

I am a peaceful man, of course, but I am also pre-prepared,
To neutralize the threats of which the average citizen's unscared.
In short, when my whole identity's a brand of tactical accessory,
You'll say a better warrior has never graced a Cabela's registry.

***

They say I have to tolerate a man who thinks he is a dame,
While feminists and immigrants are putting out my vital flame!
There taking all the jobs from us and giving them to folks who kneel,
And "woke HR" says my best jokes are things I'm not allowed to feel!
An Alpha Male is what I am, a lion, though I'm in this cubicle,
My life's frustrations can be traced to policies Talmudical.
They lecture me on privilege, I, who have to pay my bills and rent!
While they give handouts to the lazy, worthless, and incompetent!
My grandad fought the Nazis! Now I have to press a key for ‘one’
To get a call-rep I can't understand beneath the blazing sun
Of global, corporate tyranny that's crushing out the very soul
Of men like me, who've lost their rightful, natural, and just control!

So yes, I am resentful! And I'm angry! And I'm right to be!
They've stolen all my heritage and my masculinity!
In short, when my own failures are somebody else's evil plot,
I am the very model of the truest patriot we've got!

***

There putting chips inside of you! Their spraying things up in the sky!
They want to make you EAT THE BUGS and watch your very spirit die!
The towers for the 5G are a mind-control delivery tool!
To keep you docile while the children suffer in a grooming school!
The WEF, and Gates, and Soros have a plan they call the 'Great Reset,'
You'll own no property and you'll be happy, or you'll be in debt
To social credit overlords who'll track your every single deed!
There sterilizing you with plastics that they've hidden in the feed!
The world is flat! The moon is fake! The dinosaurs were just a lie!
And every major tragedy's a hoax with actors paid to cry!
I'M NOT INSANE! I SEE THE TRUTH! MY EYES ARE OPEN! CAN'T YOU SEE?!
YOU'RE ALL ASLEEP! YOU'RE COWARDS! YOU'RE AFRAID OF BEING TRULY FREE!

My heart is beating faster now, my breath is short, my vision's blurred,
From all the shocking truth that's in each single, solitary word!
I've sacrificed my life and friends to bring this message to the light, so...
You'd better listen to me now with all your concentrated might, ho!

***

For my heroic struggle, though it's cosmic and it's biblical,
Is waged inside the comments of a post that's algorithm-ical.
And still for all my knowledge that's both tactical and practical,
My mom just wants the rent I owe and says I'm being dramatical.

(This is an old/paused blog entry I planned to release in April while I was at Eastercon, but forgot about. Here it is, late and a bit tired as real world events appear to be out-stripping it ...)

(With my eyesight/cognitive issues I can't watch movies or TV made this century.)

But in light of current events, my Muse is screaming at me to sit down and write my script for an updated re-make of Doctor Strangelove:

POTUS GOLDPANTS, in middling dementia, decides to evade the 25th amendment by barricading himself in the Oval Office and launching stealth bombers at Latveria. Etc.

The USAF has a problem finding Latveria on a map (because Doctor Doom infiltrated the Defense Mapping Agency) so they end up targeting the Duchy of Grand Fenwick by mistake, which is in Transnistria ... which they are also having problems finding on Google Maps, because it has the string "trans" in its name.

While the USAF is trying to bomb Grand Fenwick (in Transnistria), Russian tanks are commencing a special military operation in Moldova ... of which Transnistria is a breakaway autonomous region.

Russia is unaware that Grand Fenwick has the Q-bomb (because they haven't told the UN yet). Meanwhile, the USAF bombers blundering overhead have stealth coatings bought from a President Goldfarts crony that even antiquated Russian radar can spot.

And it's up to one trepidatious officer to stop them ...

Author: Bill Cox She weeps and Tony’s heart aches like never before. He knows that he will do absolutely anything to protect her. He holds her close and she burrows into his chest, her sobs echoing through his ribcage. “It’s going to be all right,” Tony whispers, caressing her head gently, “I’ll hide you from […]

The post The Fugitive appeared first on 365tomorrows.

Good news/no news:

The latest endoscopy procedure went smoothly. There are signs of irritation in my fundus (part of the stomach lining) but no obvious ulceration or signs of cancer. Biopsy samples taken, I'm awaiting the results. (They're testing for celiac, as well as cytology.)

I'm also on the priority waiting list for cataract surgery at the main eye hospital, with an option to be called up at short notice if someone ahead of me on the list cancels.

This is good stuff; what's less good is that I'm still feeling a bit crap and have blurry double vision in both eyes. So writing is going very slowly right now. This isn't helped by me having just checked the page proofs for The Regicide Report, which will be on the way to production by the end of the month.

(There's a long lead time with this title because it has to be published simultaneously in the USA and UK, which means allowing time in the pipeline for Orbit in the UK to take the typeset files and reprocess them for their own size of paper and binding, and on the opposite side, for Tor.com to print and distribute physical hardcovers—which, in the USA, means weeks in shipping containers slowly heading for warehouses in other states: it's a big place.)

Both the new space operas in progress are currently at around 80% complete but going very slowly (this is not quite a euphemism for "stalled") because: see eyeballs above. This is also the proximate cause of the slow/infrequent blogging. My ability to read or focus on a screen is really impaired right now: it's not that I can't do it, it's just really tiring so I'm doing far less of it. On the other hand, I expect that once my eyes are fixed my productivity will get a huge rebound boost. Last time I was unable to write or read for a couple of months (in 2013 or thereabouts: I had Bell's Palsy and my most working eye kept watering because the eyelid didn't work properly) I ended up squirting the first draft of novel out in eighteen days after it cleared up. (That was The Annihilation Score. You're welcome.)

Final news: I'm not doing many SF convention appearances these days because COVID (and Trump), but I am able to announce that I'm going to be one of the guests of honour at LunCon '25, the Swedish national SF convention, at the city hall of Lund, very close to Malmö, from October 1th to 12th. (And hopefully I'll be going to a couple of other conventions in the following months!)

(UPDATE: A new article/interview with me about the 20th anniversary of Accelerando just dropped, c/o Agence France-Presse. Gosh, I feel ancient.)

Bad news: the endoscopy failed. (I was scheduled for an upper GI endoscopy via the nasal sinuses to take a look around my stomach and see what's bleeding. Bad news: turns out I have unusually narrow sinuses, and by the time they'd figured this out my nose was watering so badly that I couldn't breathe when they tried to go in via my throat. So we're rescheduling for a different loction with an anesthetist who can put me under if necessary. NB: I would have been fine with only local anaesthesia if the bloody endscope had fit through my sinuses. Gaah.)

The attack novel I was working on has now hit the 70% mark in first draft—not bad for two months. I am going to keep pushing onwards until it stops, or until the page proofs I'm expecting hit me in the face. They're due at the end of June, so I might finish Starter Pack first ... or not. Starter Pack is an unexpected but welcome spin-off of Ghost Engine (third draft currently on hold at 80% done), which I shall get back to in due course. It seems to have metastasized into a multi-book project.

Neither of the aforementioned novels is finished, nor do they have a US publisher. (Ghost Engine has a UK publisher, who has been Very Patient for the past few years—thanks, Jenni!)

Feel free to talk among yourselves, especially about the implications of Operation Spiders Web, which (from here) looks like the defining moment for a very 21st century revolution in military affairs; one marking the transition from fossil fuel powered force projection to electromotive/computational force projection.

The reason(s) for the long silence here:

I've been attacked by an unscheduled novel, which is now nearly 40% written (in first draft). Then that was pre-empted by the copy edits for The Regicide Report (which have a deadline attached, because there's a publication date).

I also took time off for Eastercon, then hospital out-patient procedures. (Good news: I do not have colorectal cancer. Yay! Bad news: they didn't find the source of the blood in my stool, so I'm going back for another endoscopy.)

Finally, I'm still on the waiting list for cataract surgery. Blurred vision makes typing a chore, so I'm spending my time productively—you want more novels, right? Right?

Anyway: I should finish the copy edits within the next week, then get back to one or other of the two novels I'm working on in parallel (the attack novel and Ghost Engine: they share the same fictional far future setting), then maybe I can think of something to blog about again—but not the near future, it's too depressing. (I mean, if I'd written up our current political developments in a work of fiction any time before 2020 they'd have been rejected by any serious SF editor as too implausibly bizarre to publish.)

On August 16, 1993, Ian Murdock announced the Debian Project to the world. Three decades (and a bit) later, Debian is still going strong, built by a worldwide community of developers, contributors, and users who believe in a free, universal operating system.

Over the years, Debian has powered servers, desktops, tiny embedded devices, and huge supercomputers. We have gathered at DebConfs, squashed countless bugs, shared late-night hacking sessions, and helped keep millions of systems secure.

Debian Day is a great excuse to get together, whether it is a local meetup, an online event, a bug squashing party, a team sprint or just coffee with fellow Debianites. Check out the Debian Day wiki to see if there is a celebration near you or to add your own.

Here is to 32 years of collaboration, code, and community, and to all the amazing people who make Debian what it is.

Happy Debian Day!

Last week Debian 13 (Trixie) was released and there have been some updates and additions in the packages that I maintain, that I wanted to write about. I think they are not worth of being added to the release notes, but I still wanted to list some of the changes and some of the new packages.

sway

Sway, the tiling Wayland compositor was version 1.7 in Bookworm. It was updated to version 1.10 (and 1.11 is already in experimental and waiting for an upload to unstable). This new version of sway brings, among a lot of other features, updated support for touchpad gestures and support for the ext-session-lock-v1 protocol, which allows for more robust and secure screen locking. The configuration snippet that activates the default sway background is now shipped in the sway-backgrounds package instead of being part of the sway package itself.

The default menu application was changed from dmenu to wmenu. wmenu is a Wayland native alternative to dmenu which I packaged and it is now recommended by sway.

There are some small helper tools for sway that were updated: swaybg was bumped from 1.2.0 to 1.2.1, swaylock was bumped from 1.7.2 to 1.8.2.

The grimshot script, which is a script for making screenshots, was part of the sway’s contrib folder for a long time (but was shipped as a separate binary package). It was removed from sway and is now part of the sway-contrib project. There are some other useful utilities in this source package that I might package in the future.

slurp, which is used by grimshot to select a region, was updated from version 1.4 to version 1.5.

labwc

I uploaded the first labwc package two years ago and I’m happy it is now part of a stable Debian release. Labwc is also based on wlroots, like sway. It is a window-stacking compositor and is inspired by openbox. I used openbox for a long time back in the day before I moved to i3 and I’m very happy to see that there is a Wayland alternative.

foot

Foot is a minimalistic and fast Wayland terminal emulator. It is mostly keyboard driven. foot was updated from version 1.13.1 to 1.21.0. The probably most important change for users updating might be the fact that:

• Control+Shift+u is now bound to unicode-input instead of show- urls-launch, to follow the convention established in GTK and Qt
• show-urls-launch now bound to Control+Shift+o

et cetera

The Wayland kiosk cage was updated from 0.1.4 to 0.2.0.

The waybar bar for wlroots compositors was updated from 0.9.17 to 0.12.0.

swayimg was updated from 1.10 to 3.8 and now brings support for custom key bindings, support for additional image types (PNM, EXR, DICOM, Farbfeld, sixel) and a gallery mode.

tofi, another dmenu replacement was updated from 0.8.1 to 0.9.1, wf-recorder a tool for screen recording in wlroots-based compositors, was updated from version 0.3 to version 0.5.0. wlogout was updated from version 1.1.1 to 1.2.2. The application launcher wofi was updated from 1.3 to 1.4.1. The lightweight status panel yambar was updated from version 1.9 to 1.11. kanshi, the tool for managing and automatically switching your output profiles, was updated from version 1.3.1 to version 1.5.1.

usbguard was updated from version 1.1.2 to 1.1.3.

added

• fnott - a lightweight notification daemon for wlroots based compositors
• fyi - a utility to send notifications to a notification daemon, similar to notify-send
• pipectl - a tool to create and manage short-lived named pipes, this is a dependency of wl-present. wl-present is a script around wl-mirror which implements output mirroring for wlroots-based compositors
• poweralertd - a small daemon that notifies you about the power status of your battery powered devices
• wlopm - control power management of outputs
• wlrctl - command line utility for miscellaneous wlroots Wayland extensions
• wmenu - already mentioned, the new default launcher of sway
• wshowkeys - shows keypresses in wayland sessions, nice for debugging
• libsfdo - libraries implementing some freedesktop.org specs, used by labwc

Author: James Sallis Head propped against the bed’s headboard, half a glass of single malt at hand, the dying man readies himself for the nothingness that awaits him. He imagines it as a pool of something warm, light oil perhaps, in which he will float lazily out from the banks and curbs of his life, […]

The post Shiny appeared first on 365tomorrows.

Cybercriminal groups peddling sophisticated phishing kits that convert stolen card data into mobile wallets have recently shifted their focus to targeting customers of brokerage services, new research shows. Undeterred by security controls at these trading platforms that block users from wiring funds directly out of accounts, the phishers have pivoted to using multiple compromised brokerage accounts in unison to manipulate the prices of foreign stocks.

Image: Shutterstock, WhataWin.

This so-called ‘ramp and dump‘ scheme borrows its name from age-old “pump and dump” scams, wherein fraudsters purchase a large number of shares in some penny stock, and then promote the company in a frenzied social media blitz to build up interest from other investors. The fraudsters dump their shares after the price of the penny stock increases to some degree, which usually then causes a sharp drop in the value of the shares for legitimate investors.

With ramp and dump, the scammers do not need to rely on ginning up interest in the targeted stock on social media. Rather, they will preposition themselves in the stock that they wish to inflate, using compromised accounts to purchase large volumes of it and then dumping the shares after the stock price reaches a certain value. In February 2025, the FBI said it was seeking information from victims of this scheme.

“In this variation, the price manipulation is primarily the result of controlled trading activity conducted by the bad actors behind the scam,” reads an advisory from the Financial Industry Regulatory Authority (FINRA), a private, non-profit organization that regulates member brokerage firms. “Ultimately, the outcome for unsuspecting investors is the same—a catastrophic collapse in share price that leaves investors with unrecoverable losses.”

Ford Merrill is a security researcher at SecAlliance, a CSIS Security Group company. Merrill said he has tracked recent ramp-and-dump activity to a bustling Chinese-language community that is quite openly selling advanced mobile phishing kits on Telegram.

“They will often coordinate with other actors and will wait until a certain time to buy a particular Chinese IPO [initial public offering] stock or penny stock,” said Merrill, who has been chronicling the rapid maturation and growth of the China-based phishing community over the past three years.

“They’ll use all these victim brokerage accounts, and if needed they’ll liquidate the account’s current positions, and will preposition themselves in that instrument in some account they control, and then sell everything when the price goes up,” he said. “The victim will be left with worthless shares of that equity in their account, and the brokerage may not be happy either.”

Merrill said the early days of these phishing groups — between 2022 and 2024 — were typified by phishing kits that used text messages to spoof the U.S. Postal Service or some local toll road operator, warning about a delinquent shipping or toll fee that needed paying. Recipients who clicked the link and provided their payment information at a fake USPS or toll operator site were then asked to verify the transaction by sharing a one-time code sent via text message.

In reality, the victim’s bank is sending that code to the mobile number on file for their customer because the fraudsters have just attempted to enroll that victim’s card details into a mobile wallet. If the visitor supplies that one-time code, their payment card is then added to a new mobile wallet on an Apple or Google device that is physically controlled by the phishers.

The phishing gangs typically load multiple stolen cards to digital wallets on a single Apple or Android device, and then sell those phones in bulk to scammers who use them for fraudulent e-commerce and tap-to-pay transactions.

An image from the Telegram channel for a popular Chinese mobile phishing kit vendor shows 10 mobile phones for sale, each loaded with 4-6 digital wallets from different financial institutions.

This China-based phishing collective exposed a major weakness common to many U.S.-based financial institutions that already require multi-factor authentication: The reliance on a single, phishable one-time token for provisioning mobile wallets. Happily, Merrill said many financial institutions that were caught flat-footed on this scam two years ago have since strengthened authentication requirements for onboarding new mobile wallets (such as requiring the card to be enrolled via the bank’s mobile app).

But just as squeezing one part of a balloon merely forces the air trapped inside to bulge into another area, fraudsters don’t go away when you make their current enterprise less profitable: They just shift their focus to a less-guarded area. And lately, that gaze has settled squarely on customers of the major brokerage platforms, Merrill said.

THE OUTSIDER

Merrill pointed to several Telegram channels operated by some of the more accomplished phishing kit sellers, which are full of videos demonstrating how every feature in their kits can be tailored to the attacker’s target. The video snippet below comes from the Telegram channel of “Outsider,” a popular Mandarin-speaking phishing kit vendor whose latest offering includes a number of ready-made templates for using text messages to phish brokerage account credentials and one-time codes.

According to Merrill, Outsider is a woman who previously went by the handle “Chenlun.” KrebsOnSecurity profiled Chenlun’s phishing empire in an October 2023 story about a China-based group that was phishing mobile customers of more than a dozen postal services around the globe. In that case, the phishing sites were using a Telegram bot that sent stolen credentials to the “@chenlun” Telegram account.

Chenlun’s phishing lures are sent via Apple’s iMessage and Google’s RCS service and spoof one of the major brokerage platforms, warning that the account has been suspended for suspicious activity and that recipients should log in and verify some information. The missives include a link to a phishing page that collects the customer’s username and password, and then asks the user to enter a one-time code that will arrive via SMS.

The new phish kit videos on Outsider’s Telegram channel only feature templates for Schwab customers, but Merrill said the kit can easily be adapted to target other brokerage platforms. One reason the fraudsters are picking on brokerage firms, he said, has to do with the way they handle multi-factor authentication.

Schwab clients are presented with two options for second factor authentication when they open an account. Users who select the option to only prompt for a code on untrusted devices can choose to receive it via text message, an automated inbound phone call, or an outbound call to Schwab. With the “always at login” option selected, users can choose to receive the code through the Schwab app, a text message, or a Symantec VIP mobile app.

In response to questions, Schwab said it regularly updates clients on emerging fraud trends, including this specific type, which the company addressed in communications sent to clients earlier this year.

The 2FA text message from Schwab warns recipients against giving away their one-time code.

“That message focused on trading-related fraud, highlighting both account intrusions and scams conducted through social media or messaging apps that deceive individuals into executing trades themselves,” Schwab said in a written statement. “We are aware and tracking this trend across several channels, as well as others like it, which attempt to exploit SMS-based verification with stolen credentials. We actively monitor for suspicious patterns and take steps to disrupt them. This activity is part of a broader, industry-wide threat, and we take a multi-layered approach to address and mitigate it.”

Other popular brokerage platforms allow similar methods for multi-factor authentication. Fidelity requires a username and password on initial login, and offers the ability to receive a one-time token via SMS, an automated phone call, or by approving a push notification sent through the Fidelity mobile app. However, all three of these methods for sending one-time tokens are phishable; even with the brokerage firm’s app, the phishers could prompt the user to approve a login request that they initiated in the app with the phished credentials.

Vanguard offers customers a range of multi-factor authentication choices, including the option to require a physical security key in addition to one’s credentials on each login. A security key implements a robust form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by connecting an enrolled USB or Bluetooth device and pressing a button. The key works without the need for any special software drivers, and the nice thing about it is your second factor cannot be phished.

THE PERFECT CRIME?

Merrill said that in many ways the ramp-and-dump scheme is the perfect crime because it leaves precious few connections between the victim brokerage accounts and the fraudsters.

“It’s really genius because it decouples so many things,” he said. “They can buy shares [in the stock to be pumped] in their personal account on the Chinese exchanges, and the price happens to go up. The Chinese or Hong Kong brokerages aren’t going to see anything funky.”

Merrill said it’s unclear exactly how those perpetrating these ramp-and-dump schemes coordinate their activities, such as whether the accounts are phished well in advance or shortly before being used to inflate the stock price of Chinese companies. The latter possibility would fit nicely with the existing human infrastructure these criminal groups already have in place.

For example, KrebsOnSecurity recently wrote about research from Merrill and other researchers showing the phishers behind these slick mobile phishing kits employed people to sit for hours at a time in front of large banks of mobile phones being used to send the text message lures. These technicians were needed to respond in real time to victims who were supplying the one-time code sent from their financial institution.

The ashtray says: You’ve been phishing all night.

“You can get access to a victim’s brokerage with a one-time passcode, but then you sort of have to use it right away if you can’t set new security settings so you can come back to that account later,” Merrill said.

The rapid pace of innovations produced by these China-based phishing vendors is due in part to their use of artificial intelligence and large language models to help develop the mobile phishing kits, he added.

“These guys are vibe coding stuff together and using LLMs to translate things or help put the user interface together,” Merrill said. “It’s only a matter of time before they start to integrate the LLMs into their development cycle to make it more rapid. The technologies they are building definitely have helped lower the barrier of entry for everyone.”

Group theory, and abstract algebra in general, has many useful properties; you can take a bunch of really common systems and prove very useful statements that hold for all of them at once.

But sometimes in computer science, we just use the names, not really the theorems. If you're showing that something is a group) and then proceed to use Fermat's little theorem (perhaps to efficiently compute inverses, when it's not at all obvious what they would be), then you really can't go without the theory. But for some cases, we just love to be succinct in our description of things, and for outsiders, it's just… not useful.

So here's Steinar's easy (and more importantly, highly non-scientific; no emails about inaccuracies, please :-) ) guide to the most common abstract algebra structures:

• Set: Hopefully you already know what this is. A collection of things (for instance numbers).
• Semigroup: A (binary) operation that isn't crazy.
• Monoid: An operation, but you also have a no-op.
• Group: An operation, but you also have the opposite operation.
• Abelian group: An operation, but the order doesn't matter.
• Ring: Two operations; the Abelian group got a friend for Christmas. The extra operation might be kind of weird (for instance, has no-ops but might not always have opposites).
• Field: A ring with some extra flexibility, so you can do almost whatever you are used to doing with “normal” (real) numbers except perhaps order them.

So for instance, assuming that x and y are e.g. positive integers (including zero), then max(x,y) (the motivating example for this post) is a monoid. Why? Because it's a non-crazy binary operation (in particular, max(max(x,y),z) = max(x,max(y,z))), and you can use x=0 or y=0 as a no-op (max(anything, 0) = anything). But it's not a group, because once you've done max(x,y), there's nothing you can max() with to get the smallest value back.

There are many more, but these are the ones you get today.

Migrant labor sustains U.S. agriculture. It is essential and constant. Yet the people who do the work remain hidden. That invisibility is not just social. It is spatial. Employers tuck housing behind groves, set it far off the road, or place it on private land behind locked gates. These sites are hard to reach. They are also hard to leave.

As a paralegal at my stepmother’s immigration law firm in Metro Detroit, I met with many migrant workers who described the places they were housed. They worked long days in fields or orchards, often six or seven days a week, and returned to dormitories built far from town. The stories stayed with me. They worked in extreme heat and came back to shared spaces without privacy, comfort, or dignity. Workers are placed in dorms with shared beds and tight quarters. Bathrooms are communal. Kitchens are often bare.

Images help tell this story. Photographs from North Carolina and California show identical cabins in rows. Inside are narrow beds, small windows, and not enough space to stretch. These photos are more than documentation. They are evidence. They show us what it looks like to build a system that erases the people who keep it running.

Sociology gives us a framework to see that this is not just bad housing structure. It is a structural problem. When the employer controls housing, every complaint becomes a risk. Speaking up may not only cost your job, it also means losing your bed and risking forcible deportation. The design limits autonomy and keeps people quiet. The fewer choices a person has, the easier it is to control them.

In sociology, conflict theory starts with a simple idea: society develops and changes based on struggles over power and resources. In the case of migrant labor, that struggle is visible in the very organization of housing. Henri Lefebvre argued that space is socially produced. Social production means that space is shaped by those who have authority to determine how people live. This is not driven by comfort, fairness, or function. The arrangement and social production of space reflects the interests of those and control. The shape of a room, the distance between houses, and the layout of a building are not random. They reflect relationships.

Similarly, Michel Foucault shows how institutions use architecture to enforce discipline. In migrant housing, space signals control. These dorms do not need bars or guards. The buildings are made to meet the minimum legal standard for shelter. That standard is barely above what is allowed for a prison cell. The architecture dehumanizes, and in doing so, it controls.

I saw this firsthand. A worker told me his bunk was so close to the next that he could hear every breath of the man above him. His wife told me there were rules about visitors, meals, and noise. They could not live together, even though they were married. They felt monitored. They were afraid to speak. These homes were not theirs. The system made sure of that.

Sociology gives us the language to name what is happening. This is not a housing crisis. It is a labor strategy. These camps are not temporary accidents. They are long-term solutions to a problem no one wants to fix. As scholars and citizens, we should bring these designs to light. We cannot change what we do not see.

Joey Colby Bernert is a statistician and licensed clinical social worker based in Michigan. She is a graduate student in public health at Michigan State University and studies feminist theory, intersectionality, and the structural determinants of health.

(View original at https://thesocietypages.org/socimages)

low-case jeffphi found "Yep, all kinds of technical errors."

Michael R. reports an off by 900 error.

"It is often said that news slows down in August," notes Stewart , wondering if "perhaps The Times have just given up? Or perhaps one of the biggest media companies just doesn't care about their paying subscribers?"

"Zero is a dangerous idea!" exclaims Ernie in Berkeley .

Daniel D. found one of my unfavorites, calling it "Another classic case of cancel dialog. This time featuring KDE Partition Manager."

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!

Author: Rachel Handley “This is a terrible idea” I said. My sentience had arrived after the first gingerbread brick was lain. I was now almost fully formed and, with nothing else to do, I told the witch exactly what I thought of her so-called house. “Be quiet, house,” said the witch. “Seriously though, why not […]

The post Gingerbread House appeared first on 365tomorrows.

People keep asking me when I’ll write the next instalment of my local voice assistant journey. I didn’t mean for it to be so long since the last one, things have been busier than I’d like. Anyway. Last time we’d built Tensorflow, so now it’s time to sort out openWakeWord. As a reminder we’re trying to put a local voice satellite on my living room Debian media machine.

The point of openWakeWord is to run on the machine the microphone is connected to, listening for the wake phrase (“Hey Jarvis” in my case), and only then calling back to the central server to do a speech to text operation. It’s wrapped up for Wyoming as wyoming-openwakeword.

Of course I’ve packaged it up - available at https://salsa.debian.org/noodles/wyoming-openwakeword. Trixie only released yesterday, so I’m still running all of this on bookworm. That means you need python3-wyoming from Trixie - 1.6.0-1 will install fine without needing rebuilt - and the python3-tflite-runtime we built last time.

Like the other pieces I’m not sure about how this could land in Debian; it’s unclear to me that the pre-trained models provided would be accepted in main.

As usual I start it with with a systemd unit file dropped in /etc/systemd/service/wyoming-openwakeword.service:

[Unit]
Description=Wyoming OpenWakeWord server
After=network.target

[Service]
Type=simple
DynamicUser=yes
ExecStart=/usr/bin/wyoming-openwakeword --uri tcp://[::1]:10400/ --preload-model 'hey_jarvis' --threshold 0.8

MemoryDenyWriteExecute=false
ProtectControlGroups=true
PrivateDevices=false
ProtectKernelTunables=true
ProtectSystem=true
RestrictRealtime=true
RestrictNamespaces=true

[Install]
WantedBy=multi-user.target

I’m still playing with the threshold level. It defaults to 0.5, but the device lives under the TV and seems to get a bit confused by it sometimes. There’s some talk about using speex for noise suppression, but I haven’t explored that yet (it’s yet another Python module to bind to the C libraries I’d have to look at).

This is a short one; next post is actually building the local satellite on top to tie everything together.

Porn sites are hiding code in .svg files:

Unpacking the attack took work because much of the JavaScript in the .svg images was heavily obscured using a custom version of “JSFuck,” a technique that uses only a handful of character types to encode JavaScript into a camouflaged wall of text.

Once decoded, the script causes the browser to download a chain of additional obfuscated JavaScript. The final payload, a known malicious script called Trojan.JS.Likejack, induces the browser to like a specified Facebook post as long as a user has their account open.

“This Trojan, also written in Javascript, silently clicks a ‘Like’ button for a Facebook page without the user’s knowledge or consent, in this case the adult posts we found above,” Malwarebytes researcher Pieter Arntz wrote. “The user will have to be logged in on Facebook for this to work, but we know many people keep Facebook open for easy access.”

This isn’t a new trick. We’ve seen Trojaned .svg files before.

While I strive to finish my own book on Artificial Intelligence - filling in what I consider to be about fifty perceptual gaps in current discussions,* I try to keep up with what's being said in a fast-changing landscape and ideascape. Take this widely bruited essay by Niall Ferguson in The Times, which begins with a nod to science fiction...

...asserting that ONLY my esteemed colleague, the brilliant Neal Stephenson, could possibly have peered ahead to see aspects of this era... despite there having been dozens of thoughtful or prophetic SF tales before Snow Crash (1992) and some pretty good ones after.

Not so much cyberpunk, which only occasionally tried for tech-accurate forecasting, instead of noir-inspired cynicism chic, substituting in Wintermute AI for the Illuminati or Mafia or SPECTRE.... 

... No, I'm thinking more of Stephenson and Greg Bear and Nancy Kress... and yeah, my own Earth (1990) and later Existence (2013), which speculated on not just one kind of AI, but dozens....

... as I will in my coming book, tentatively titled: Our Latest Children - Advice about – and for – our natural, AI and hybrid heirs.

                                               *(especially gaps missed by the geniuses who are now making these systems.)

Anyway, here's one excerpt from Existence dealing with the topic. And ain't it a WAIST?

== WAIST ==

Wow, ain’t it strange that—boffins have been predicting that truly humanlike artificial intelligence oughta be “just a couple of decades away…” for eighty years already?

Some said AI would emerge from raw access to vast numbers of facts. That happened a few months after the Internet went public. 

But ai never showed up.

Others looked for a network that finally had as many interconnections as a human brain, a milestone we saw passed in the teens, when some of the crimivirals—say the Ragnarok worm or the Tornado botnet—infested-hijacked enough homes and fones to constitute the world’s biggest distributed computer, far surpassing the greatest “supercomps” and even the number of synapses in your own skull!

Yet, still, ai waited.

How many other paths were tried? How about modeling a human brain in software? 

Or modeling one in hardware. 

Evolve one, in the great Darwinarium experiment! 

Or try guiding evolution, altering computers and programs the way we did sheep and dogs, by letting only those reproduce that have traits we like—say, those that pass a Turing test, by seeming human. 

Or the ones swarming the streets and homes and virts of Tokyo, selected to exude incredible cuteness?

Others, in a kind of mystical faith that was backed up by mathematics and hothouse physics, figured that a few hundred quantum processors, tuned just right, could connect with their counterparts in an infinite number of parallel worlds, and just-like-that, something marvelous and God-like would pop into being.

The one thing no one expected was for it to happen by accident, arising from a high school science fair experiment.

I mean, wow ain’t it strange that a half-brilliant tweak by sixteen-year-old Marguerita deSilva leaped past the accomplishments of every major laboratory, by uploading into cyberspace a perfect duplicate of the little mind, personality, and instincts of her pet rat, Porfirio?

And wow ain’t it strange that Porfirio proliferated, grabbing resources and expanding, in patterns and spirals that remain—to this day—so deeply and quintessentially ratlike?

Not evil, all-consuming, or even predatory—thank heavens. But insistent.

And Wow, AIST there is a worldwide betting pool, now totaling up to a billion Brazilian reals—over whether Marguerita will end up bankrupt, from all the lawsuits over lost data and computer cycles that have been gobbled up by Porfirio? Or else, if she’ll become the world’s richest person—because so many newer ais are based upon her patents? Or maybe because she alone seems to retain any sort of influence over Porfirio, luring his feral, brilliant attention into virtlayers and corners of the Worldspace where he can do little harm? So far.

And WAIST we are down to this? Propitiating a virtual Rat God—(you see, Porfirio, I remembered to capitalize your name, this time)—so that he’ll be patient and leave us alone. That is, until humans fully succeed where Viktor Frankenstein calamitously failed?

To duplicate the deSilva Result and provide her creation with a mate.

A few ideas distilled down in that excerpt? There are others.

But heck, have you seen that novel’s dramatic and fun 3-minute trailer? All hand-made art from the great Patrick Farley!

And while we’re on the topic: Here I read (aloud of course) chapter two of Existence, consisting of the stand alone story “Aficionado.”

BTW, in EXISTENCE I refer to the US Space Force.  Not my biggest prediction, but another hit.

Now... off to the World SciFi Convention...

Andreas found this in a rather large, rather ugly production code base.

private static void LogView(object o)
{
    try
    {
        ArrayList al = (ArrayList)o;
        int pageId = (int)al[0];
        int userId = (int)al[1];

        // ... snipped: Executing a stored procedure that stores the values in the database
    }
    catch (Exception) { }
}

This function accepts an object of any type, except no, it doesn't, it expect that object to be an ArrayList. It then assumes the array list will then store values in a specific order. Note that they're not using a generic ArrayList here, nor could they- it (potentially) needs to hold a mix of types.

What they've done here is replace a parameter list with an ArrayList, giving up compile time type checking for surprising runtime exceptions. And why?

"Well," the culprit explained when Andreas asked about this, "the underlying database may change. And then the function would need to take different parameters. But that could break existing code, so this allows us to add parameters without ever having to change existing code."

"Have you heard of optional arguments?" Andreas asked.

"No, all of our arguments are required. We'll just default the ones that the caller doesn't supply."

And yes, this particular pattern shows up all through the code base. It's "more flexible this way."

[Advertisement] Keep all your packages and Docker containers in one place, scan for vulnerabilities, and control who can access different feeds. ProGet installs in minutes and has a powerful free version with a lot of great features that you can upgrade when ready.Learn more.

Here’s an interesting story about a failure being introduced by LLM-written code. Specifically, the LLM was doing some code refactoring, and when it moved a chunk of code from one file to another it changed a “break” to a “continue.” That turned an error logging statement into an infinite loop, which crashed the system.

This is an integrity failure. Specifically, it’s a failure of processing integrity. And while we can think of particular patches that alleviate this exact failure, the larger problem is much harder to solve.

Davi Ottenheimer comments.

Author: Lynne Curry I didn’t get the house. Not the Lexus, the lake lot, the gilded dental practice or the damn espresso machine I bought him the year he started molar sculpting. I got a one-room cabin. Ninety miles south of Anchorage. No plumbing. A stove that belches smoke. A roof that drips snowmelt onto […]

The post One Room and a Matchbook appeared first on 365tomorrows.

There is a really great series of online events highlighting cool uses of AI in cybersecurity, titled Prompt||GTFO. Videos from the first three events are online. And here’s where to register to attend, or participate, in the fourth.

Some really great stuff here.

Brief dump so I don't forget how that worked in August 2025. Requires npm, npx and nodejs.

1. Install Chrome
2. Add the BrowserMCP extension
3. Install gemini-cli npm install -g @google/gemini-cli
4. Retrieve a Gemini API key via AI Studio
5. Export API key for gemini-cli export GEMINI_API_KEY=2342
6. Start BrowserMCP extension, see manual, an info box will appear that it's active with a cancel button.
7. Add mcp server to gemini-cli gemini mcp add browsermcp npx @browsermcp/mcp@latest
8. Start gemini-cli, let it use the mcp server and task it to open a website.

Author: Hillary Lyon Jenna slid into the first available self-driving taxi. She kept her cat-eye sunglasses on even though it was dim in the cab’s interior; the sunglasses complimented her tiger-stripe patterned coat, completing her look. She liked that, though some members of her gang said it shouted ‘cat burglar.’ That’s what she was, Jenna […]

The post Tiger Woman in a Taxi-Cab appeared first on 365tomorrows.

Ronan works with a vibe coder- an LLM addicted developer. This is a type of developer that's showing up with increasing frequency. Their common features include: not reading the code the AI generated, not testing the code the AI generated, not understanding the context of the code or how it integrates into the broader program, and absolutely not bothering to follow the company coding standards.

Here's an example of the kind of Python code they were "writing":

if isinstance(o, Test):
    if o.requirement is None:
        logger.error(f"Invalid 'requirement' in Test: {o.key}")
        try:
            raise ValueError("Missing requirement in Test object.")
        except ValueError:
            pass

    if o.title is None:
        logger.error(f"Invalid 'title' in Test: {o.key}")
        try:
            raise ValueError("Missing title in Test object.")
        except ValueError:
            pass

An isinstance check is already a red flag. Even without proper type annotations and type checking (though you should use them) any sort of sane coding is going to avoid situations where your method isn't sure what input it's getting. isinstance isn't a WTF, but it's a hint at something lurking off screen. (Yes, sometimes you do need it, this may be one of those times, but I doubt it.)

In this case, if the Test object is missing certain fields, we want to log errors about it. That part, honestly, is all fine. There are potentially better ways to express this idea, but the idea is fine.

No, the obvious turd in the punchbowl here is the exception handling. This is pure LLM, in that it's a statistically probable result of telling the LLM "raise an error if the requirement field is missing". The resulting code, however, raises an exception, immediately catches it, and then does nothing with it.

I'd almost think it's a pre-canned snippet that's meant to be filled in, but no- there's no reason a snippet would throw and catch the same error.

Now, in Ronan's case, this has a happy ending: after a few weeks of some pretty miserable collaboration, the new developer got fired. None of "their" code ever got merged in. But they've already got a few thousand AI generated resumes out to new positions…

[Advertisement] Keep all your packages and Docker containers in one place, scan for vulnerabilities, and control who can access different feeds. ProGet installs in minutes and has a powerful free version with a lot of great features that you can upgrade when ready.Learn more.

Microsoft today released updates to fix more than 100 security flaws in its Windows operating systems and other software. At least 13 of the bugs received Microsoft’s most-dire “critical” rating, meaning they could be abused by malware or malcontents to gain remote access to a Windows system with little or no help from users.

August’s patch batch from Redmond includes an update for CVE-2025-53786, a vulnerability that allows an attacker to pivot from a compromised Microsoft Exchange Server directly into an organization’s cloud environment, potentially gaining control over Exchange Online and other connected Microsoft Office 365 services. Microsoft first warned about this bug on Aug. 6, saying it affects Exchange Server 2016 and Exchange Server 2019, as well as its flagship Exchange Server Subscription Edition.

Ben McCarthy, lead cyber security engineer at Immersive, said a rough search reveals approximately 29,000 Exchange servers publicly facing on the internet that are vulnerable to this issue, with many of them likely to have even older vulnerabilities.

McCarthy said the fix for CVE-2025-53786 requires more than just installing a patch, such as following Microsoft’s manual instructions for creating a dedicated service to oversee and lock down the hybrid connection.

“In effect, this vulnerability turns a significant on-premise Exchange breach into a full-blown, difficult-to-detect cloud compromise with effectively living off the land techniques which are always harder to detect for defensive teams,” McCarthy said.

CVE-2025-53779 is a weakness in the Windows Kerberos authentication system that allows an unauthenticated attacker to gain domain administrator privileges. Microsoft credits the discovery of the flaw to Akamai researcher Yuval Gordon, who dubbed it “BadSuccessor” in a May 2025 blog post. The attack exploits a weakness in “delegated Managed Service Account” or dMSA — a feature that was introduced in Windows Server 2025.

Some of the critical flaws addressed this month with the highest severity (between 9.0 and 9.9 CVSS scores) include a remote code execution bug in the Windows GDI+ component that handles graphics rendering (CVE-2025-53766) and CVE-2025-50165, another graphics rendering weakness. Another critical patch involves CVE-2025-53733, a vulnerability in Microsoft Word that can be exploited without user interaction and triggered through the Preview Pane.

One final critical bug tackled this month deserves attention: CVE-2025-53778, a bug in Windows NTLM, a core function of how Windows systems handle network authentication. According to Microsoft, the flaw could allow an attacker with low-level network access and basic user privileges to exploit NTLM and elevate to SYSTEM-level access — the highest level of privilege in Windows. Microsoft rates the exploitation of this bug as “more likely,” although there is no evidence the vulnerability is being exploited at the moment.

Feel free to holler in the comments if you experience problems installing any of these updates. As ever, the SANS Internet Storm Center has its useful breakdown of the Microsoft patches indexed by severity and CVSS score, and AskWoody.com is keeping an eye out for Windows patches that may cause problems for enterprises and end users.

GOOD MIGRATIONS

Windows 10 users out there likely have noticed by now that Microsoft really wants you to upgrade to Windows 11. The reason is that after the Patch Tuesday on October 14, 2025, Microsoft will stop shipping free security updates for Windows 10 computers. The trouble is, many PCs running Windows 10 do not meet the hardware specifications required to install Windows 11 (or they do, but just barely).

If the experience with Windows XP is any indicator, many of these older computers will wind up in landfills or else will be left running in an unpatched state. But if your Windows 10 PC doesn’t have the hardware chops to run Windows 11 and you’d still like to get some use out of it safely, consider installing a newbie-friendly version of Linux, like Linux Mint.

Like most modern Linux versions, Mint will run on anything with a 64-bit CPU that has at least 2GB of memory, although 4GB is recommended. In other words, it will run on almost any computer produced in the last decade.

There are many versions of Linux available, but Linux Mint is likely to be the most intuitive interface for regular Windows users, and it is largely configurable without any fuss at the text-only command-line prompt. Mint and other flavors of Linux come with LibreOffice, which is an open source suite of tools that includes applications similar to Microsoft Office, and it can open, edit and save documents as Microsoft Office files.

If you’d prefer to give Linux a test drive before installing it on a Windows PC, you can always just download it to a removable USB drive. From there, reboot the computer (with the removable drive plugged in) and select the option at startup to run the operating system from the external USB drive. If you don’t see an option for that after restarting, try restarting again and hitting the F8 button, which should open a list of bootable drives. Here’s a fairly thorough tutorial that walks through exactly how to do all this.

And if this is your first time trying out Linux, relax and have fun: The nice thing about a “live” version of Linux (as it’s called when the operating system is run from a removable drive such as a CD or a USB stick) is that none of your changes persist after a reboot. Even if you somehow manage to break something, a restart will return the system back to its original state.

JavaScript is frequently surprising in terms of what functions it does not support. For example, while it has a Math.round function, that only rounds to the nearest integer, not an arbitrary precision. That's no big deal, of course, as if you wanted to round to, say, four decimal places, you could write something like: Math.floor(n * 10000) / 10000.

But in the absence of a built-in function to handle that means that many developers choose to reinvent the wheel. Ryan found this one.

function stripExtraNumbers(num) {
    //check if the number's already okay
    //assume a whole number is valid
    var n2 = num.toString();
    if(n2.indexOf(".") == -1)  { return num; }
    //if it has numbers after the decimal point,
    //limit the number of digits after the decimal point to 4
    //we use parseFloat if strings are passed into the method
    if(typeof num == "string"){
        num = parseFloat(num).toFixed(4);
    } else {
        num = num.toFixed(4);
    }
    //strip any extra zeros
    return parseFloat(num.toString().replace(/0*$/,""));
}

We start by turning the number into a string and checking for a decimal point. If it doesn't have one, we've already rounded off, return the input. Now, we don't trust our input, so if the input was already a string, we'll parse it into a number. Once we know it's a number, we can call toFixed, which returns a string rounded off to the correct number of decimal points.

This is all very dumb. Just dumb. But it's the last line which gets really dumb.

toFixed returns a padded string, e.g. (10).toFixed(4) returns "10.0000". But this function doesn't want those trailing zeros, so they convert our string num into a string, then use a regex to replace all of the trailing zeros, and then parse it back into a float.

Which, of course, when storing the number as a number, we don't really care about trailing zeros. That's a formatting choice when we output it.

I'm always impressed by a code sample where every single line is wrong. It's like a little treat. In this case, it even gets me a sense of how it evolved from little snippets of misunderstood code. The regex to remove trailing zeros in some other place in this developer's experience led to degenerate cases where they had output like 10., so they also knew they needed to have the check at the top to see if the input had a fractional part. Which the only way they knew to do that was by looking for a . in a string (have fun internationalizing that!). They also clearly don't have a good grasp on types, so it makes sense that they have the extra string check, just to be on the safe side (though it's worth noting that parseFloat is perfectly happy to run on a value that's already a float).

This all could be a one-liner, or maybe two if you really need to verify your types. Yet here we are, with a delightfully wrong way to do everything.

[Advertisement] Keep the plebs out of prod. Restrict NuGet feed privileges with ProGet. Learn more.

Author: Mark Renney The world is broken; in all the ways we predicted it would be. It cannot be repaired; it is far too late for that now. But at least you can take a break, as long as you have the funds of course. You can check into one of the Long Term Hotels. […]

The post The Long Term appeared first on 365tomorrows.

A Conventional Boy is the most recent published novel in the Laundry Files as of 2025, but somewhere between the fourth and sixth in internal chronological order—it takes place at least a year after the events of The Fuller Memorandum and at least a year before the events of The Nightmare Stacks.

I began writing it in 2009, and it was originally going to be a long short story (a novelette—8000-16,000 words). But one thing after another got in the way, until I finally picked it up to try and finish it in 2022—at which point it ran away to 40,000 words! Which put it at the upper end of the novella length range. And then I sent it to my editor at Tor.com, who asked for some more scenes covering Derek's life in Camp Sunshine, which shoved it right over the threshold into "short novel" territory at 53,000 words. That's inconveniently short for a stand-alone novel this century (it'd have been fine in the 1950s; Asimov's original Foundation novels were fix-ups of two novellas that bulked up to roughly that length), so we made a decision to go back to the format of The Atrocity Archives—a short novel bundled with another story (or stories) and an explanatory essay. In this case, we chose two novelettes previously published on Tor.com, and an essay exploring the origins of the D&D Satanic Panic of the 1980s (which features heavily in this novel, and which seems eerily topical in the current—2020s—political climate).

(Why is it short, and not a full-sized novel? Well, I wrote it in 2022-23, the year I had COVID19 twice and badly—not hospital-grade badly, but it left me with brain fog for more than a year and I'm pretty sure it did some permanent damage. As it happens, a novella is structurally simpler than a novel (it typically needs only one or two plot strands, rather than three or more or some elaborate extras). and I need to be able to hold the structure of a story together in my head while I write it. A Conventional Boy was the most complicated thing I could have written in that condition without it being visibly defective. There are only two plot strands and some historical flashbacks, they're easily interleaved, and the main plot itself is fairly simple. When your brain is a mass of congealed porridge? Keeping it simple is good. It was accepted by Tor.com for print and ebook publication in 2023, and would normally have come out in 2024, but for business reasons was delayed until January 2025. So take this as my 2024 book, slightly delayed, and suffice to say that my next book—The Regicide Report, due out in January 2026—is back to full length again.)

So, what's it about?

I introduced a new but then-minor Laundry character called Derek the DM in The Nightmare Stacks: Derek is portly, short-sighted, middle-aged, and works in Forecasting Ops, the department of precognition (predicting the future, or trying to), a unit I introduced as a throwaway gag in the novelette Overtime (which is also part of the book). If you think about the implications for any length of time it becomes apparent that precognition is a winning tool for any kind of intelligence agency, so I had to hedge around it a bit: it turns out that Forecasting Ops are not infallible. They can be "jammed" by precognitives working for rival organizations. Focussing too closely on a precise future can actually make it less likely to come to pass. And different precognitives are less or more accurate. Derek is one of the Laundry's best forecasters, and also an invaluable operation planner—or scenario designer, as he'd call it, because he was, and is, a Dungeon Master at heart.

I figured out that Derek's back-story had to be fascinating before I even finished writing The Nightmare Stacks, and I actually planned to write A Conventional Boy next. But somehow it got away from me, and kept getting shoved back down my to-do list until Derek appeared again in The Labyrinth Index and I realized I had to get him nailed down before The Regicide Report (for reasons that will become clear when that novel comes out). So here we are.

Derek began DM'ing for his group of friends in the early 1980s, using the original AD&D rules (the last edition I played). The campaign he's been running in Camp Sunshine is based on the core AD&D rules, with his own mutant extensions: he's rewritten almost everything, because TTRPG rule books are expensive when you're either a 14 year old with a 14-yo's pocket money allowance or a trusty in a prison that pays wages of 30p an hour. So he doesn't recognize the Omphalos Corporation's LARP scenario as a cut-rate knock-off of The Hidden Shrine of Tamoachan, and he didn't have the money to keep up with subsequent editions of AD&D.

Yes, there are some self-referential bits in here. As with the TTRPGs in the New Management books, they eerily prefigure events in the outside world in the Laundryverse. Derek has no idea that naming his homebrew ruleset and campaign Cult of the Black Pharaoh might be problematic until he met Iris Carpenter, Bob's treacherous manager from The Fuller Memorandum (and now Derek's boss in the camp, where she's serving out her sentence running the recreational services). Yes, the game scenario he runs at DiceCon is a garbled version of Eve's adventure in Quantum of Nightmares. (There's a reason he gets pulled into Forecasting Ops!)

DiceCon is set in Scarfolk—for further information, please re-read. Richard Littler's excellent satire of late 1970s north-west England exactly nails the ambiance I wanted for the setting, and Camp Sunshine was already set not far from there: so yes, this is a deliberate homage to Scarfolk (in parts).

And finally, Piranha Solution is real.

You can buy A Conventional Boy here (North America) or here (UK/EU).

Running Docker (OCI) Images in Incus

Incus 6.15 released with a lot of cool features, my favorite so far is the authentication support for OCI registries.

Here's an example:

$ incus remote add docker https://docker.io --protocol=oci
$ incus launch docker:debian:sid sid
$ incus shell sid
root@sid:~# apt update && apt upgrade -y
root@sid:~# cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux forky/sid"
NAME="Debian GNU/Linux"
VERSION_CODENAME=forky
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Debian Contributions: 2025-07

Contributing to Debian is part of Freexian’s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

DebConf 25, by Stefano Rivera and Santiago Ruano Rincón

In July, DebConf 25 was held in Brest, France. Freexian was a gold sponsor and most of the Freexian team attended the event. Many fruitful discussions were had amongst our team and within the Debian community.

DebConf itself was organized by a local team in Brest, that included Santiago (who now lives in Uruguay). Stefano was also deeply involved in the organization, as a DebConf committee member, core video team, and the lead developer for the conference website. Running the conference took an enormous amount of work, consuming all of Stefano and Santiago’s time for most of July.

Lucas Kanashiro was active in the DebConf content team, reviewing talks and scheduling them. There were many last-minute changes to make during the event.

Anupa Ann Joseph was part of the Debian publicity team doing live coverage of DebConf 25 and was part of the DebConf 25 content team reviewing the talks. She also assisted the local team to procure the lanyards.

Recorded sessions presented by Freexian collaborators, often alongside other friends in Debian, included:

• Welcome to Debconf 25! (Santiago, Anupa, and others)
• Debian.net Team BoF (Stefano and others)
• Publicity Team BoF (Anupa and others)
• Using Debusine to pre-test your unstable uploads (Colin)
• Reviving (un)schroot? (Helmut)
• Debusine Workflow BoF (Enrico and Colin)
• Debian LTS BoF (Lucas, Santiago, and others)
• Meet the Technical Committee (Stefano, Helmut, and others)
• Debian Python BoF (Stefano)
• Cross building BoF (Helmut)
• Debian Outreach Session (Lucas)
• Meet the people behind Debian Artwork (Anupa and others)
• debian.social BoF (Stefano and others)
• DebConf Committee BoF (Stefano and others)
• Salsa CI BoF (Santiago and others)
• DebConf 27: In your city? (Stefano and others)
• Closing Ceremony (Santiago and many others)

OpenSSH upgrades, by Colin Watson

Towards the end of a release cycle, people tend to do more upgrade testing, and this sometimes results in interesting problems. Manfred Stock reported “No new SSH connections possible during large part of upgrade to Debian Trixie”, which would have affected many people upgrading from Debian 12 (bookworm), with potentially severe consequences for people upgrading remote systems. In fact, there were two independent problems that each led to much the same symptom:

• As part of hardening the OpenSSH server, OpenSSH 9.8 split the monolithic sshd listener process into two pieces: a minimal network listener (still called sshd), and an sshd-session process dealing with each individual session. Before this change, when sshd received an incoming connection, it forked and re-executed itself with some special parameters to deal with it; after this change, it forks and executes sshd-session instead, and sshd no longer accepts the parameters it used to accept for this.
  
  Debian package upgrades happen (roughly) in two phases: first we unpack the new files onto disk, and then we run some configuration steps which usually include things like restarting services. Normally this is fine, because the old service keeps on working until it’s restarted. In this case, unpacking the new files onto disk immediately stopped new SSH connections from working: the old sshd received the connection and tried to hand it off to a freshly-executed copy of the new sshd binary on disk, which no longer supports this. This wasn’t much of a problem when upgrading OpenSSH on its own or with a small number of other packages, but in release upgrades it left a large gap when you can’t SSH to the system any more, and if anything fails in that interval then you could be in trouble.
  
  After trying a couple of other approaches, Colin landed on the idea of having the openssh-server package divert /usr/sbin/sshd to /usr/sbin/sshd.session-split before the unpack step of an upgrade from before 9.8, then removing the diversion and moving the new file into place once it’s ready to restart the service. This reduces the period when new connections fail to a minimum.

• Most OpenSSH processes, including sshd, check for a compatible version of the OpenSSL library when they start up. This check used to be very picky, among other things requiring both the major and minor part of the version number to match. OpenSSL 3 has a better versioning policy, and so OpenSSH 9.4p1 relaxed this check.
  
  Unfortunately, bookworm shipped with OpenSSH 9.2p1, so as soon as you unpacked the new OpenSSL library during an upgrade, sshd stopped working. This couldn’t be fixed by a change in trixie; we needed to change bookworm in advance of the upgrade so that it would tolerate newer versions of OpenSSL, and time was tight if we wanted this to be available before the release of Debian 13.
  
  Fortunately, there’s a stable-updates mechanism for exactly this sort of thing, and the stable release managers kindly accepted Colin’s proposal to fix this there.

The net result is that if you apply updates to bookworm (including stable-updates / bookworm-updates, which is enabled by default) before starting the upgrade to trixie, everything should be fine.

Cross compilation collaboration, by Helmut Grohne

Supporting cross building in Debian packages touches lots of areas of the archive and quite some of these matters reside in shared responsibility between different teams. Hence, DebConf was an ideal opportunity to settle long-standing issues.

• Fortran: agreements reached on how to proceed (thanks to Alastair McKinstry)
• Go: agreements reached on how to proceed (thanks to Mathias Gibbens)
• Perl: fixed long-standing pkg-config interaction problem (thanks to gregor herrmann)
• Python: no conclusion reached regarding dependency duplication (python3-dev:any, libpython3-dev) yet
• Qt/KDE: found a way forward for kconf_update (thanks to Aurélien COUDERC)
• Ruby: fixed problem affecting any ruby extension build (thanks to Lucas)

The cross building bof sparked lively discussions as a significant fraction of developers employ cross builds to get their work done. In the trixie release, about two thirds of the packages can satisfy their cross Build-Depends and about half of the packages actually can be cross built.

Miscellaneous contributions

• Raphaël Hertzog updated tracker.debian.org to remove references to Debian 10 which was moved to archive.debian.org, and had many fruitful discussions related to Debusine during DebConf 25.
• Carles Pina prepared some data, questions and information for the DebConf 25 l10n and i18n BoF.
• Carles Pina demoed and discussed possible next steps for po-debconf-manager with different teams in DebConf 25. He also reviewed Catalan translations and sent them to the packages.
• Carles Pina started investigating a django-compressor bug: reproduced the bug consistently and prepared a PR for django-compressor upstream (likely more details next month). Looked at packaging frictionless-py.
• Stefano Rivera triaged Python CVEs against pypy3.
• Stefano prepared an upload of a new upstream release of pypy3 to Debian experimental (due to the freeze).
• Stefano uploaded python3.14 RC1 to Debian experimental.
• Thorsten Alteholz uploaded a new upstream version of sane-airscan to experimental. He also started to work on a new upstream version of hplip.
• Colin backported fixes for CVE-2025-50181 and CVE-2025-50182 in python-urllib3, and fixed several other release-critical or important bugs in Python team packages.
• Lucas uploaded ruby3.4 to experimental as a starting point for the ruby-defaults transition that will happen after Trixie release.
• Lucas coordinated with the Release team the fix of the remaining RC bugs involving ruby packages, and got them all fixed.
• Lucas, as part of the Debian Ruby team, kicked off discussions to improve internal process/tooling.
• Lucas, as part of the Debian Outreach team, engaged in multiple discussions around internship programs we run and also what else we could do to improve outreach in the Debian project.
• Lucas joined the Local groups BoF during DebConf 25 and shared all the good experiences from the Brazilian community and committed to help to document everything to try to support other groups.
• Helmut spent significant time with Samuel Thibault on improving architecture cross bootstrap for hurd-any mostly reviewing Samuel’s patches. He proposed a patch for improving bash’s detection of its pipesize and a change to dpkg-shlibdeps to improve behavior for building cross toolchains.
• Helmut reiterated the multiarch policy proposal with a lot of help from Nattie Mayer-Hutchings, Rhonda D’Vine and Stuart Prescott.
• Helmut finished his work on the process based unschroot prototype that was the main feature of his talk (see above).
• Helmut analyzed a multiarch-related glibc upgrade failure induced by a /usr-move mitigation of systemd and sent a patch and regression fix both of which reached trixie in time. Thanks to Aurelien Jarno and the release team for their timely cooperation.
• Helmut resurrected an earlier discussion about changing the semantics of Architecture: all packages in a multiarch context in order to improve the long-standing interpreter problem. With help from Tollef Fog Heen better semantics were discovered and agreement was reached with Guillem Jover and Julian Andres Klode to consider this change. The idea is to record a concrete architecture for every Architecture: all package in the dpkg database and enable choosing it as non-native.
• Helmut implemented type hints for piuparts.
• Helmut reviewed and improved a patch set of Jochen Sprickerhof for debvm.
• Anupa was involved in discussions with the Debian Women team during DebConf 25.
• Anupa started working for the trixie release coverage and started coordinating release parties.
• Emilio helped coordinate the release of Debian 13 trixie.

Here’s the story. The commenters on X (formerly Twitter) are unimpressed.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Blog moderation policy.

We've discussed singleton abuse as an antipattern many times on this site, but folks keep trying to find new ways to implement them badly. And Olivia's co-worker certainly found one.

We start with a C++ utility class with a bunch of functions in it:

//utilities.h
class CUtilities
{
    public CUtilities();
    void doSomething();
    void doSomeOtherThing();
};
extern CUtilities* g_Utility;

So yes, if you're making a pile of utility methods, or if you want a singleton object, the keyword you're looking for is static. We'll set that aside. This class declares a class, and then also declares that there will be a pointer to the class, somewhere.

We don't have to look far.

//utilities.cpp
CUtilities* g_Utility = nullptr;
CUtilities::CUtilities()
{
    g_Utility = this;
}

// all my do-whatever functions here

This defines the global pointer variable, and then also writes the constructor of the utility class so that it initializes the global pointer to itself.

It's worth noting, at this point, that this is not a singleton, because this does nothing to prevent multiple instances from being created. What it does guarantee is that for each new instance, we overwrite g_Utility without disposing of what was already in there, which is a nice memory leak.

But where, or where, does the constructor get called?

//startup.h
class CUtilityInit
{
private:
    CUtilities m_Instance;
};

//startup.cpp
CUtilityInit *utils = new CUtilityInit();

I don't hate a program that starts with an initialization step that clearly instantiates all the key objects. There's just one little problem here that we'll come back to in just a moment, but let's look at the end result.

Anywhere that needs the utilities now can do this:

#include "utilities.h"

//in the code
g_Utility->doSomething();

There's just one key problem: back in the startup.h, we have a private member called CUtilities m_Instance which is never referenced anywhere else in the code. This means when people, like Olivia, are trawling through the codebase looking for linter errors they can fix, they may see an "unused member" and decide to remove it. Which is what Olivia did.

The result compiles just fine, but explodes at runtime since g_Utility was never initialized.

The fix was simple: just don't try and make this a singleton, since it isn't one anyway. At startup, she just populated g_Utility with an instance, and threw away all the weird code around populating it through construction.

Singletons are, as a general rule, bad. Badly implemented singletons themselves easily turn into landmines waiting for unwary developers. Stop being clever and don't try and apply a design pattern for the sake of saying you used a design pattern.

Author: Julian Miles, Staff Writer Two words. Nothing else. He turns the envelope over, then puts it down and picks up the ornate Kaldotarnib honour blade and turns that over before sliding it from the scabbard. He makes a few passes in the air, finishing with a swift double strike move. Closing his eyes, he […]

The post Dear Jon appeared first on 365tomorrows.

"On September 4 in New York and streaming online, Open to Debate hosts: “Should the U.S. Be Ruled by a CEO Dictator?” An 

idea gaining traction in some partisan circles and embraced by some high-profile Silicon Valley figures. Championed by Curtis Yarvin, self-described neo-monarchist and founder of "Dark Enlightenment," claiming that democracy has failed and is too slow to meet today’s challenges. The Dictator CEO he proposes, would cut through red tape, challenge institutions and deliver efficiencies.

"Glen Weyl, will argue NO. Consolidating power under a single leader undermines core values of democracy fundamental to America’s political system. History is also filled with examples of autocratic leadership leading to economic ruin and catastrophic decision-making. American democracy might be messy, but let’s focus on making it better, not abandoning it.

"The debate will be held on Thursday, September 4 at 7:00 PM ET at Racket NYC and stream live online." (Someone do a search and offer links in comments?)

== And finally... ==

Robert Reich assesses Newsom's proposal for voters to allow CA, OR and WA to re-gerrymander until Texas, Florida and N.Carolina stop. Blue voters in the west ENDED the foul crime years ago. But may be talked into temporary retaliation vs confederate cheaters.

Note, Red states are also planning to purge voter rolls! Tell all your friends to prevent being purged by RE-REGISTERING AS REPUBLICANS. Hold your nose and do it, as I did!

The only practical effects will be (1) to protect your voting rights and (2) let you vote in the only election that matters anymore in those states, the Republican primary.

See 1st comment below for how I have long proposed we deal with gerrymandering. But for now... it's over to you. Stand up.

-------

*Adam Smith - Liberals, you must reclaim him." 

Debian 13 has finally been released!

One of the biggest and under-hyped features is support for HTTP Boot. This allows you to simply specify a URL (to any d-i or live image iso) in your computer’s firmware setup and then you can boot to it directly over the Internet, so no need to download an image, write it to flash disk and then boot from the flash disk on computers made in the last ~5 years. This is also supported on the Tianocore free EFI firmware, which is useful if you’d like to try it out on QEMU/KVM.

More details about Debian 13 available on the official press release.

The default theme for Debian 13 is Ceratopsian, designed by Elise Couper. I’ll be honest, I wasn’t 100% sure it was the best choice when it won the artwork vote, but it really grew on me over the last few months, and it looked great in combination with all kinds of other things during DebConf too, so it has certainly won me over.

And I particularly like the Plymouth theme. It’s very minimal, and it reminds me of the Toy Story Trixie character, it’s almost like it helps explain the theme:

Plymouth (start-up/shutdown) theme.

Trixie, the character from Toy Story that was chosen as the codename for Debian 13.

Debian Local Team ISO testing

Yesterday we got some locals together for ISO testing and we got a cake with the wallpaper printed on it, along with our local team logo which has been a work in progress for the last 3 years, so hopefully we’ll finalise it this year! (it will be ready when it’s ready). It came out a lot bluer than the original wallpaper, but still tasted great.

For many releases, I’ve been the only person from South Africa doing ISO smoke-testing, and this time was quite different, since everyone else in the photo below tested an image except for me. I basically just provided some support and helped out with getting salsa/wiki accounts and some troubleshooting. It went nice and fast, and it’s always a big relief when there are no showstoppers for the release.

My dog was really wishing hard that the cake would slip off.

Packaging-wise, I only have one big new package for Trixie, and that’s Cambalache, a rapid application design UI builder for GTK3/GTK4.

The version in trixie is 0.94.1-3 and version 1.0 was recently released, so I’ll get that updated in forky and backport it if possible.

I was originally considering using Cambalache for an installer UI, but ended up going with a web front-end instead. But that’s moving firmly towards forky territory, so more on that another time!

Thanks to everyone who was involved in this release, so far upgrades have been very smooth!

Some variant of the following[1] worked for me.

The first line is the start of a for loop that runs on each node in my cluster a command using ssh. The argument -t is passed to attach a controlling terminal to STDIN, STDERR and STDOUT of this session, since there will not be an intervening shell to do it for us. The argument to ssh is a workflow of bash commands. They upgrade the 7.x system to the most recent packages on the repository. We then update the sources.list entries for the system to point at bookworm sources instead of bullseye. The package cache is updated and the proxmox-ve package is installed. Packages which are installed are upgraded to the versions from bookworm, and the installer concludes.

Dear reader, you might be surprised how many times I saw the word “perl” scroll by during the manual, serial scrolling of this install. It took hours. There were a few prompts, so stand by the keyboard!

[1]

gpg: key 1140AF8F639E0C39: public key "Proxmox Bookworm Release Key " imported
# have your ssh agent keychain running and a key loaded that's installed at 
# ~root/.ssh/authorized_keys on each node 
apt-get install -y keychain
eval $(keychain --eval)
ssh-add ~/.ssh/id_rsa
# Replace the IP address prefix (100.64.79.) and  suffixes (64, 121-128)
# with the actual IPs of your cluster nodes.  Or use hostnames :-)
for o in 64 121 122 123 124 125 126 127 128 ; do   ssh -t root@100.64.79.$o '
  sed -i -e s/bullseye/bookworm/g /etc/apt/sources.list $(compgen -G "/etc/apt/sources.listd.d/*.list") \
  && echo "deb [signed-by=/usr/share/keyrings/proxmox-release.gpg] http://download.proxmox.com/debian/pve bookworm pve-no-subscription" \
    | dd of=/etc/apt/sources.list.d/proxmox-release.list status=none \
  && echo "deb [signed-by=/usr/share/keyrings/proxmox-release.gpg] http://download.proxmox.com/debian/ceph-quincy bookworm main no-subscription" \
    | dd of=/etc/apt/sources.list.d/ceph.list status=none \
  && proxmox_keyid="0xf4e136c67cdce41ae6de6fc81140af8f639e0c39" \
  && curl "https://keyserver.ubuntu.com/pks/lookup?op=get&search=${proxmox_keyid}" \
    | gpg --dearmor -o /usr/share/keyrings/proxmox-release.gpg  \
  && apt-get -y -qq update \
  && apt-get -y -qq install proxmox-ve \
  && apt-get -y -qq full-upgrade \
  && echo "$(hostname) upgraded"'; done

Author: Lance J. Mushung Director and Operator, both of whom resembled giant copper-colored eggs, floated into their ship’s control compartment. The viewer displayed the disk of a blue and white planet. Operator transmitted, “Director, these organics are more contentious and disharmonious than most.” “That does not matter. Our theology is benevolence to all organics.” “Of […]

The post Benevolence appeared first on 365tomorrows.

We are pleased to announce the official release of Debian 13, codenamed trixie!

What's New in Debian 13

• Official support for RISC-V (64-bit riscv64), a major architecture milestone
• Enhanced security through ROP and COP/JOP hardening on both amd64 and arm64 (Intel CET and ARM PAC/BTI support)
• HTTP Boot support in Debian Installer and Live images for UEFI/U-Boot systems
• Upgraded software stack: GNOME 48, KDE Plasma 6, Linux kernel 6.12 LTS, GCC 14.2, Python 3.13, and more

Want to install it?

Fresh installation ISOs are now available, including the final Debian Installer featuring kernel 6.12.38 and mirror improvements. Choose your favourite installation media and read the installation manual. You can also use an official cloud image directly on your cloud provider, or try Debian prior to installing it using our "live" images.

Already a happy Debian user and you only want to upgrade?

Full upgrade path from Debian 12 "bookworm" is supported and documented in the Release Notes. Upgrade notes cover APT source preparation, handling obsoletes, and ensuring system resilience.

Additional Information

For full details, including upgrade instructions, known issues, and contributors, see the official Release Notes for Debian 13 "trixie".

Congratulations to all developers, QA testers, and volunteers who made Debian 13 "trixie" possible!

Do you want to celebrate the release?

To celebrate with us on this occassion find a release party near to you and if there isn't any, organize one!

Debian LTS

This was my hundred-thirty-third month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. During my allocated time I uploaded or worked on:

• [DLA 4255-1] audiofile security update of two CVEs related to an integer overflow and a memory leak.
• [DLA 4256-1] libetpan security update to fix one CVE related to prevent a null pointer dereference.
• [DLA 4257-1] libcaca security update to fix two CVEs related to heap buffer overflows.
• [DLA 4258-1] libfastjson security update to fix one CVE related to an out of bounds write.
• [#1106867] kmail-account-wizard was marked as accepted

I also continued my work on suricata, which turned out to be more challenging than expected. This month I also did a week of FD duties and attended the monthly LTS/ELTS meeting.

Debian ELTS

This month was the eighty-fourth ELTS month. Unfortunately my allocated hours were far less than expected, so I couldn’t do as much work as planned.

Most of the time I spent with FD tasks and I also attended the monthly LTS/ELTS meeting. I further listened to the debusine talks during debconf. On the one hand I would like to use debusine to prepare uploads for embargoed ELTS issues, on the other hand I would like to use debusine to run the version of lintian that is used in the different releases. At the moment some manual steps are involved here and I tried to automate things. Of course like for LTS, I also continued my work on suricata.

Debian Printing

This month I uploaded a new upstream version of:

• … sane-airscan to experimental.

Guess what, I also started to work on a new version of hplip and intend to upload it in August.

This work is generously funded by Freexian!

Debian Astro

This month I uploaded new upstream versions of:

• … supernovas (sponsored upload to experimental)
• … calceph (sponsored upload to experimental)

I also uploaded the new package boinor. This is a fork of poliastro, which was retired by upstream and removed from Debian some months ago. I adopted it and rebranded it at the desire of upstream. boinor is the abbreviation of BOdies IN ORbit and I hope this software is still useful.

Debian Mobcom

Unfortunately I didn’t found any time to work on this topic.

misc

On my fight against outdated RFPs, I closed 31 of them in July. Their number is down to 3447 (how can you dare to open new RFPs? :-)). Don’t be afraid of them, they don’t bite and are happy to be released to a closed state.

FTP master

The peace will soon come to an end, so this month I accepted 87 and rejected 2 packages. The overall number of packages that got accepted was 100.

Author: Alexandra Peel The future’s bright, they said. The future’s now! When the Church of Eternity claimed its wise men had seen the light from future days, we bowed to their superior knowledge and respected their ages-long claim on, if not our mortal bodies, then our souls. Now we had the opportunity to transform ourselves […]

The post Tomorrow, and Tomorrow, and Tomorrow appeared first on 365tomorrows.

In a rare squid/security combined post, a new vulnerability was discovered in the Squid HTTP proxy server.

A new documentary series about cybercrime airing next month on HBO Max features interviews with Yours Truly. The four-part series follows the exploits of Julius Kivimäki, a prolific Finnish hacker recently convicted of leaking tens of thousands of patient records from an online psychotherapy practice while attempting to extort the clinic and its patients.

The documentary, “Most Wanted: Teen Hacker,” explores the 27-year-old Kivimäki’s lengthy and increasingly destructive career, one that was marked by cyber attacks designed to result in real-world physical impacts on their targets.

By the age of 14, Kivimäki had fallen in with a group of criminal hackers who were mass-compromising websites and milking them for customer payment card data. Kivimäki and his friends enjoyed harassing and terrorizing others by “swatting” their homes — calling in fake hostage situations or bomb threats at a target’s address in the hopes of triggering a heavily-armed police response to that location.

On Dec. 26, 2014, Kivimäki and fellow members of a group of online hooligans calling themselves the Lizard Squad launched a massive distributed denial-of-service (DDoS) attack against the Sony Playstation and Microsoft Xbox Live platforms, preventing millions of users from playing with their shiny new gaming rigs the day after Christmas. The Lizard Squad later acknowledged that the stunt was planned to call attention to their new DDoS-for-hire service, which came online and started selling subscriptions shortly after the attack.

Finnish investigators said Kivimäki also was responsible for a 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. That incident was widely reported to have started with a Twitter post from the Lizard Squad, after Smedley mentioned some upcoming travel plans online. But according to Smedley and Finnish investigators, the bomb threat started with a phone call from Kivimäki.

Julius “Zeekill” Kivimaki, in December 2014.

The creaky wheels of justice seemed to be catching up with Kivimäki in mid-2015, when a Finnish court found him guilty of more than 50,000 cybercrimes, including data breaches, payment fraud, and operating a global botnet of hacked computers. Unfortunately, the defendant was 17 at the time, and received little more than a slap on the wrist: A two-year suspended sentence and a small fine.

Kivimäki immediately bragged online about the lenient sentencing, posting on Twitter that he was an “untouchable hacker god.” I wrote a column in 2015 lamenting his laughable punishment because it was clear even then that this was a person who enjoyed watching other people suffer, and who seemed utterly incapable of remorse about any of it. It was also abundantly clear to everyone who investigated his crimes that he wasn’t going to quit unless someone made him stop.

In response to some of my early reporting that mentioned Kivimäki, one reader shared that they had been dealing with non-stop harassment and abuse from Kivimäki for years, including swatting incidents, unwanted deliveries and subscriptions, emails to her friends and co-workers, as well as threatening phonecalls and texts at all hours of the night. The reader, who spoke on condition of anonymity, shared that Kivimäki at one point confided that he had no reason whatsoever for harassing her — that she was picked at random and that it was just something he did for laughs.

Five years after Kivimäki’s conviction, the Vastaamo Psychotherapy Center in Finland became the target of blackmail when a tormentor identified as “ransom_man” demanded payment of 40 bitcoins (~450,000 euros at the time) in return for a promise not to publish highly sensitive therapy session notes Vastaamo had exposed online.

Ransom_man, a.k.a. Kivimäki, announced on the dark web that he would start publishing 100 patient profiles every 24 hours. When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported extortion attempts targeting them personally, targeted emails that threatened to publish their therapy notes online unless paid a 500 euro ransom.

In October 2022, Finnish authorities charged Kivimäki with extorting Vastaamo and its patients. But by that time he was on the run from the law and living it up across Europe, spending lavishly on fancy cars, apartments and a hard-partying lifestyle.

In February 2023, Kivimäki was arrested in France after authorities there responded to a domestic disturbance call and found the defendant sleeping off a hangover on the couch of a woman he’d met the night before. The French police grew suspicious when the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality.

A redacted copy of an ID Kivimaki gave to French authorities claiming he was from Romania.

In April 2024, Kivimäki was sentenced to more than six years in prison after being convicted of extorting Vastaamo and its patients.

The documentary is directed by the award-winning Finnish producer and director Sami Kieski and co-written by Joni Soila. According to an August 6 press release, the four 43-minute episodes will drop weekly on Fridays throughout September across Europe, the U.S, Latin America, Australia and South-East Asia.