Più o meno una volta al mese, torno a scrivere qualcosa 😁
Le cose stanno iniziando ad andare meglio (non lavorativamente), anche se il mio tempo libero è sempre pochissimo.
Comunque domenica mattina partiamo in vacanza e non vedo l'ora. Abbiamo proprio bisogno di ricaricarci un po'. Andremo in Slovenia 😀

Io, molto a rilento, sto cercando di togliere google e tanto altro schifo dalla mia vita. E questo mi fa sentire bene.

Many decades ago, IBM engineers developed the typeball. This semi-spherical hunk of metal would become the heart of the Selectric typewriter line. [James Brown] has now leveraged that very concept to create a pivoting mouth mechanism for a robot that appears to talk.

What you’re looking at is a plastic ball with lots of different mouth shapes on it. By pivoting the ball to different angles inside the head of a robot, it’s possible to display different mouth shapes on the face. By swapping mouth shapes rapidly in concert with recorded speech, it’s possible to make the robot appear to be speaking. We don’t get a great look at the mechanism that operates the ball, but Selectric typeball operation is well documented elsewhere if you seek to recreate the idea yourself.

The real benefit of this mechanism is speed. It might not look as fluid as some robots with manually-articulated flexible mouths, but the rapid mouth transitions really help sell the effect because they match the pace of speech. [James] demonstrated the finished product on Mastodon, and it looks great in action.

This isn’t the first time we’ve featured [James Brown]’s work. You may recall he got DOOM running on a tiny LEGO brick a few years back.

Thanks to [J. Peterson] for the tip!

hackaday.com/2025/08/08/talkin…

James Brown

2025-07-24 03:20:20

I made a new mouth mechanism. I'm calling it Selectramatronics.

Una falla di sicurezza cruciale nell’HTTP/1.1 è stata resa pubblica dagli esperti di sicurezza, mettendo in luce una minaccia che continua ad impattare sull’infrastruttura web da più di sei anni, con potenziali ripercussioni per milioni di siti, nonostante gli sforzi continui per arginarla. I ricercatori di PortSwigger rivelano che HTTP/1.1 rimane intrinsecamente insicuro, esponendo regolarmente milioni di siti web a tentativi di acquisizione ostile tramite sofisticati attacchi di desincronizzazione HTTP.

La società di sicurezza informatica ha segnalato l’introduzione di varie nuove tipologie di tali attacchi, che hanno messo in luce falle critiche, andando ad intaccare decine di milioni di siti web e minando l’infrastruttura basilare all’interno di più reti di distribuzione dei contenuti (CDN). Nonostate gli sforzi dei fornitori, che hanno messo in atto varie strategie di contenimento nell’arco degli ultimi sei anni, i ricercatori sono stati in grado di superare costantemente le barriere protettive.

Per la prima volta, la minaccia è stata resa pubblica da PortSwigger nel 2019, tuttavia, relativamente alla causa fondamentale della vulnerabilità, sono state apportate solo minime modifiche. Un difetto progettuale critico in HTTP/1.1 è all’origine del problema: il protocollo permette agli aggressori di generare un’estrema ambiguità sul punto in cui si conclude una richiesta e sul punto in cui inizia la successiva.

La presenza di ambiguità permette ai responsabili degli attacchi malevoli di variare i confini delle richieste, generando così attacchi di tipo request smuggling che sono in grado di minare l’integrità di intere applicazioni web e dell’infrastruttura che le supporta. Le differenze nell’interpretazione delle richieste HTTP da parte di server e sistemi proxy diversi vengono sfruttate da questi attacchi, i quali consentono agli attaccanti di inserire richieste dannose che appaiono come legittime ai sistemi di sicurezza, ma che in realtà eseguono operazioni dannose sui server di back-end.

Le versioni successive di HTTP/2 rimuovono sostanzialmente ogni ambiguità fondamentale, di fatto rendendo molto difficili gli attacchi di desincronizzazione. Gli esperti di sicurezza però evidenziano che l’attivazione di HTTP/2 soltanto sui server edge risulta essere insufficiente. Fondamentale è invece l’attuazione di HTTP/2 nelle connessioni dirette ai server di origine attraverso i proxy inversi, in quanto permangono molte vulnerabilità causate dalla costante dipendenza da HTTP/1.1.

PortSwigger ha lanciato un’iniziativa completa intitolata “HTTP/1.1 Must Die: The Desync Endgame”, esortando le organizzazioni ad abbandonare il protocollo vulnerabile. La ricerca include raccomandazioni pratiche per l’implementazione immediata, tra cui l’abilitazione del supporto HTTP/2 upstream e la garanzia che i server di origine possano gestire il protocollo più recente.

Per le organizzazioni che dipendono ancora da HTTP/1.1, i ricercatori raccomandano di implementare le funzionalità di convalida e normalizzazione delle richieste disponibili sui sistemi front-end, di valutare la disattivazione del riutilizzo della connessione upstream e di collaborare attivamente con i fornitori in merito alle tempistiche del supporto HTTP/2.

Questa vulnerabilità interessa un ampio spettro di infrastrutture web, dai singoli siti web ai principali provider CDN, evidenziando l’urgente necessità di un’adozione a livello di settore dei moderni protocolli HTTP per garantire la sicurezza web.

L'articolo HTTP/1.1 Must Die! Falle critiche mettono milioni di siti web a rischio proviene da il blog della sicurezza informatica.

Una recente scoperta ha portato alla luce una sofisticata tecnica che aggira il controllo dell’account utente (UAC) di Windows, consentendo l’escalation dei privilegi senza necessità di intervento utente, grazie all’uso dell’editor di caratteri privati, e suscitando preoccupazioni su scala mondiale tra gli amministratori di sistema.

L’attacco divulgato da Matan Bahar sfrutta eudcedit.exe l’editor di caratteri privati integrato di Microsoft, disponibile in C:WindowsSystem32, originariamente progettato per creare e modificare i caratteri definiti dall’utente finale (EUDC).

I ricercatori di sicurezza hanno scoperto che questa utility apparentemente innocua può essere sfruttata per aggirare il principale gatekeeper di sicurezza di Windows.

La falla di sicurezza è causata da impostazioni critiche integrate nel manifest dell’applicazione eudcedit.exe. Questa vulnerabilità è generata da due particolari tag di metadati. Questa combinazione si rivela particolarmente pericolosa. Quando UAC è configurato con impostazioni permissive come “Eleva senza chiedere conferma”, Windows eleva automaticamente eudcedit.exe da un livello di integrità medio ad uno alto senza visualizzare alcun avviso di sicurezza, ha affermato Bahar .

L’attacco si sviluppa attraverso una sequenza accuratamente studiata che sfrutta i meccanismi di gestione dei file dell’applicazione. Gli aggressori iniziano avviando l’editor di caratteri privati, che passa automaticamente al livello di integrità “Alta”. Accedono quindi alla funzionalità di collegamento dei font all’interno dell’interfaccia dell’applicazione, solitamente accessibile tramite il menu File.

La vulnerabilità critica si manifesta quando gli utenti selezionano le opzioni di collegamento dei font e viene richiesto di salvare i file. In questo frangente, il processo eudcedit.exe con privilegi elevati può essere manipolato per eseguire comandi arbitrari. Semplicemente inserendo “PowerShell” nella finestra di dialogo del file, gli aggressori possono generare una sessione PowerShell con privilegi elevati che eredita il livello di integrità elevato del processo padre.

Il bypass dell’UAC di eudcedit.exe dimostra come gli aggressori possano sfruttare le utilità di sistema legittime per raggiungere obiettivi dannosi. La semplicità e l’efficacia di questa tecnica la rendono una preoccupazione significativa per i team di sicurezza aziendale.

L'articolo Una nuova tecnica di Privilege Escalation (PE) consente il bypass del UAC su Windows proviene da il blog della sicurezza informatica.

Il cybercrime è sempre da condannare. Che tu colpisca una multinazionale o un piccolo negozio online, resta un crimine.

Ma quando prendi di mira ospedali, associazioni senza scopo di lucro, fondazioni che vivono di donazioni, il livello scende ancora più in basso. Non sei un “hacker” perché i criminali non si chiamano così, non sei un “genio del computer”.

Sei solo uno sciacallo digitale.

Rubare un account social è già un atto deplorevole. Ma violare la pagina Instagram della Fondazione Giulia Cecchettin – creata per onorare la memoria di una giovane donna uccisa dall’ex fidanzato – è qualcosa di infinitamente peggiore. È un colpo basso, un atto vile che travalica la sfera tecnologica per diventare una ferita emotiva e collettiva.

La sorella di Giulia, Elena Cecchettin, ha dato la notizia tramite una storia Instagram: “La nostra pagina è stata compromessa. Vi preghiamo di non rispondere a messaggi o richieste sospette. Siamo al lavoro per risolvere il problema“. Poche ore dopo, è arrivata la conferma: un attacco informatico mirato, con un messaggio intimidatorio lasciato nella bio dell’account: “Se volete indietro il vostro account, controllate la mail e contattatemi su Telegram.”

Un ricatto in piena regola, che dimostra quanto i criminali informatici senza scrupoli non conoscano limiti né rispetto. Questo non è “semplice” cybercrime. Questo è scempio: l’uso della tecnologia per colpire il dolore, per profanare uno spazio nato per sensibilizzare, per dare voce a una causa che riguarda tutti.

Ed è qui che la società deve rispondere compatta: non solo recuperando l’account, ma trasformando questo atto vile in un’ulteriore ragione per combattere chi sfrutta la rete per distruggere invece che per costruire. Perché la memoria di Giulia – e la battaglia della Fondazione – non si hackerano.

L'articolo Scempio Digitale: Instagram della Fondazione Giulia Cecchettin, la ragazza uccisa dall’ex fidanzato è stato hackerato proviene da il blog della sicurezza informatica.

The Internet is fighting over whether robots.txt applies to AI agents. It all started when Cloudflare published a blog post, detailing what the company was seeing from Perplexity crawlers. Of course, automated web crawling is part of how the modern Internet works, and almost immediately after the first web crawler was written, one managed to DoS (Denial of Service) a web site back in 1994. And the robots.txt file was first designed.

Make no mistake, robots.txt on its own is nothing more than a polite request for someone else on the Internet to not index your site. The more aggressive approach is to add rules to a Web Application Firewall (WAF) that detects and blocks a web crawler based on the user-agent string and source IP address. Cloudflare makes the case that Perplexity is not only intentionally ignoring robots.txt, but also actively disguising their webcrawling traffic by using IP addresses outside their normal range for these requests.

This isn’t the first time Perplexity has landed in hot water over their web scraping, AI learning endeavors. But Perplexity has published a blog post, explaining that this is different!

And there’s genuinely an interesting argument to be made,that robots.txt is aimed at indexing and AI training traffic, and that agentic AI requests are a different category. Put simply, perplexity bots ignore robots.txt when a live user asks them to. Is that bad behavior, or what we should expect? This question will have to be settled as AI agents become more common.

Breaking Into the Vault

Researchers at Cisco Talos took a look at the Dell ControlVault, a Hardware Security Module (HSM) built into many Dell laptops. The firmware running on these embedded processors had some problems, including a stack-overflow and other memory-related issues. Usually the potential for abuse of these kind of attacks is limited mostly to the theoretical realm, but this embedded HSM also includes accessible USB pins, that can be accessed with a custom connector. The vulnerabilities found, then represent a real attack scenario where the firmware on the HSM can be tampered with, via nothing more than physical access. To prove the point, the Talos write-up includes a great video of a compromised machine accepting a green onion as a valid fingerprint for Windows Login.

Trend Micro In the Wild

Trend Micro’s Apex One system is under active exploitation, as a pair of vulnerabilities allow an authenticated attacker to inject system commands in the system’s management console. The full fix is expected to roll out later this month, but a mitigation disables a specific feature of the console, the Remote Install Agent. This leads to the obvious conclusion that the installation process was allowing for code execution as part of the install process.

GreedyBear

There was an interesting malware campaign run this year, by a group that Koi Security is calling GreedyBear. The campaign could be called a blitz, where malicious browser extensions, ransomware binaries, and scammy websites were all employed at once, with the goal of stealing cryptocurrency. The surprising thing is that so far not much over $1 million has been reported as stolen through the campaign.

The first technique used was “Extension Hollowing”, where safe, boring browser extensions are published, and maintained for a few months. Good reviews come in naturally or are purchased, and the publisher appears trustworthy. Then the extension is updated, with malicious code suddenly shipping. These extensions are now sniffing for user input and form filled data.

The second technique used was the old classic, packing malware into cracked and pirated software. The source of many of these malicious binaries seems to be primarily Russian piracy sites.

The final approach discovered was the simple scam website, often typo-squatting on nearly-legitimate domain names. These sites advertised fake hardware wallets or wallet repair, but only existed to steal whatever information would-be customers were willing to share.

The question may be raised, why does Koi Security believe all this activity is connected? The answer boils down to a single IP address, 185.208.156.66. This was the Command and Control server for the entire network of activity, and should be seen as a definite red flag in logs and records.

HashiCorp Vault Audit

The fine folks at Cyata took a crack at HashiCorp’s Vault, a source available secrets storage solution. And they discovered a host of subtle but important issues. The first on the list is an outstanding find, and it deals with how Vault protects against brute-force attacks. It’s supposed to be a simple counter, that locks out password attempts for a while, once a threshold of failures has been reached. The problem is that usernames aren’t case sensitive, but the failure counter is case sensitive in tracking password failures. Tried guessing the admin password too many times? Try the Admin account next.

The Multi-Factor Authentication has some issues, like the TOTP code reuse protection. This attempts to enforce that a code is only used once while valid. The problem is that a code of “ 123456” and “123456” both evaluate the same for the TOTP valuation itself, but as different codes for the reuse protection. This could enable an attacker to first abuse the reuse protection error message to identify a valid but used code, and then insert the space to be able to use the code for authentication.

After authentication, this same style of attack is possible again, this time targeting the root policy protections. An admin cannot assign this “root” policy, but can assign a “ root” policy. Those are treated as different policy identifiers by the validation code, but the same thing in the final implementation.

And finally, they discovered a Remote Code Execution flaw, via plugin installation. This one requires admin access, but an information leak and an audit log that allows writing to anywhere on the disk is enough to execute code injected in that audit log. This seems to be the first RCE ever made public in Vault, which is an impressive statement for both Hashicorp and Cyata.

Bits and Bytes

Nvidia isn’t taking last week’s talk of backdoors laying down, taking the offensive this week to reassure everyone that “There are no back doors in NVIDIA chips.” There’s a separate bit of news that US lawmakers are considering legislation that would require a kill-switch and location verification in future hardware.

It’s reassuring to be reminded that cyber-criminals do get captured and extradited. A Nigerian man was arrested in France and is being extradited to the US on multiple charges of fraud, identity theft, and other crimes. No word on whether the Nigerian national was or has claimed to be a prince.

And finally, filed in the “awkward” category, Google has disclosed that they were also a victim in the Salesforce hacks that Google researchers discovered and first publicized. These were good-old social engineering campaigns, where the attacker contacted an employee at the target company, and convinces them to read off an eight-digit security code. A group calling itself ShinyHunters has started an exploitation campaign using data pilfered in the attacks.

hackaday.com/2025/08/08/this-w…

Si è registrato un aumento del 14% delle richieste arrivate alla nostra infoline: da Liguria e Lazio il maggior numero di chiamate in proporzione al numero degli abitanti

580 le richieste di aiuto alla morte volontaria

Negli ultimi 12 mesi sono arrivate 16.035 richieste di informazioni sul fine vita tramite il Numero Bianco(06 9931 3409), coordinato da Valeria Imbrogno, compagna di Dj Fabo, e attraverso le email dirette all’Associazione Luca Coscioni. Una media di 44 richieste al giorno, in crescita del 14 per cento rispetto all’anno precedente.

Si tratta di un servizio attivo tutti i giorni per ascoltare, orientare e informare sulle possibilità offerte oggi dall’ordinamento italiano in materia di fine vita, su temi come eutanasia e suicidio medicalmente assistito, testamento biologico, interruzione delle terapie e sedazione palliativa profonda. In assenza di risposte istituzionali adeguate, il servizio aiuta a costruire percorsi legali e umani verso la libertà di scelta sul fine vita.

Nel dettaglio, le richieste hanno riguardato soprattutto eutanasia e suicidio medicalmente assistito (circa 5 al giorno), ma anche interruzione delle terapie e sedazione palliativa profonda (più di una al giorno). Sono inoltre aumentate le domande pratiche per accedere alla morte volontaria medicalmente assistita in Svizzera o attraverso percorsi legali in Italia, arrivate da 580 persone (51 per cento donne, 49 per cento uomini), contro le 533 dell’anno precedente.

Sulla base delle informazioni disponibili sulla provenienza geografica di chi ha contattato il servizio, quando fornite, è stata elaborata una proiezione regionale ponderata per popolazione, che restituisce una fotografia della richiesta di aiuto a morire in Italia.

datawrapper.dwcdn.net/jsJTr/1/!function(){"use strict";window.addEventListener("message",function(a){if(void 0!==a.data["datawrapper-height"]){var e=document.querySelectorAll("iframe");for(var t in a.data["datawrapper-height"])for(var r,i=0;r=e[i];i++)if(r.contentWindow===a.source){var d=a.data["datawrapper-height"][t]+"px";r.style.height=d}}})}();

La classifica delle regioni con il maggior numero di richieste rapportate a 100.000 abitanti vede al primo posto la Liguria con 48 ogni 100.000 abitanti, seguita dal Lazio con 43 richieste. Al terzo posto si posiziona la Toscana con 35, affiancata dal Friuli Venezia Giulia. Seguono Umbria, Emilia-Romagna e Lombardia con 33 richieste. Poi Piemonte con 28, il Veneto e le Marche con 26.

L'articolo Più di 16mila persone hanno contattato il Numero Bianco nell’ultimo anno proviene da Associazione Luca Coscioni.

For decades, one organization has dedicated itself to protecting the rights of news photographers and videographers. The National Press Photographers Association has led countless First Amendment battles to protect visual journalists’ right to document and the public’s right to see and hear the news.

The organization’s general counsel, Mickey Osterreicher, is often at the forefront of those fights. He and NPPA have protected the First Amendment right to record in public, limited senseless government regulations restricting photography and recording, and even won a groundbreaking settlement with the New York Police Department over its treatment of journalists at protests.

But recently, NPPA announced that it faces financial difficulties. Freedom of the Press Foundation (FPF) spoke to Osterreicher about NPPA’s work and the impact on the First Amendment if it shutters. You can read our full conversation below, and you can donate to NPPA’s programs here.

You’ve been NPPA’s general counsel since 2005, and you’ve also been a news photographer. How have the legal issues facing visual journalists changed over the years, and what are the most pressing issues they face today?

Both from a practical and legal standpoint, being a journalist was a lot simpler when I was a photojournalist. One of the biggest challenges I now face is trying to answer the question from police and lawmakers, “Who is a journalist?” and, during a protest, “Who gets to stay after an order to disperse?”

But once those press access rights have been attained, what good is it if visual journalists cannot make a decent living after risking their health and safety because their images are being misappropriated without permission, credit, or compensation? So it is a combination of dealing with First Amendment and copyright issues that keeps me up most nights.

That is to say nothing of the exponential use of generative artificial intelligence that has economically impacted the market for news photography as well as creating ethical challenges for visual journalists and public perception.

Tell us more about how the rise of AI-generated images and deepfakes is affecting the work and rights of visual journalists.

For visual journalism, generative artificial intelligence is the worst of both worlds, where millions of images (still and video) are ingested to train AI models without payment to the creators and the public can no longer believe what they see without wondering if what they are viewing is a true depiction of what really happened or an artificially created image. Even worse, this technology now provides an additional layer of ambiguity to those who claim that actual images of real events are “fake news.”

You’ve trained many law enforcement officers about journalists’ First Amendment rights, especially when they’re covering political conventions and protests. What are the most important things for police officers to know about press freedom, and how is NPPA uniquely positioned to provide that training?

I have three goals when training police and journalists about press freedoms. One: that police are not sued for abridging First Amendment rights of citizens and journalists, costing taxpayers dearly with money that could be better spent for police recruitment and retention or equipment. Two: that journalists are able to do their jobs without being harassed, injured, or arrested. Three: that the public is informed, which is the basis for the First Amendment — that being the desire by the founding fathers for the right of the public to receive information, and be an informed electorate.

As “the voice of visual journalists” since 1946, NPPA is uniquely positioned to foster improved police-press-public relations in an era when it is most needed by instilling greater respect for the roles each plays in our democracy. We’ve provided these trainings to law enforcement agencies nationwide for almost 20 years, with scores of departments and hundreds of officers being trained, including the entire Minnesota State Patrol as part of the settlement terms of a federal civil rights lawsuit, as well as the start of training with the NYPD regarding the new policies and procedures implemented as a result of the settlement of our lawsuit.

“Should our voice be muted, its silence will be deafening.“

Mickey Osterreicher

What I believe also adds to NPPA’s credibility is my background as a photojournalist with over forty years’ experience in print and broadcast, my experience as a First Amendment attorney, and my understanding of the challenges facing law enforcement from having been a uniformed reserve deputy sheriff with the Erie County Sheriff’s Office since 1976 and working closely with law enforcement through various associations and committees.

That experience working with police departments — which not many press freedom organizations have — has also allowed you to get involved in many other issues that are important to all journalists, not just visual ones. Tell us about your work on police radio encryption and other ways you’re able to leverage the work you’ve done training police departments.

The encryption of police radio transmissions is a growing problem nationwide, because for almost a century, newsrooms and journalists have relied on the monitoring of those broadcasts to cover breaking news and other matters of public concern.

One place where such coverage is critical is New York City, where so many newsworthy events occur and where, because of the congested vehicle traffic, time is of the essence in getting to the scene. A few years ago, the NYPD announced that it would begin encrypting its transmissions. NPPA joined a consortium of news organizations asking to work with NYPD to allow journalists to continue to have real-time access to those broadcasts. Despite meeting with police officials, testifying before the city council and submitting a white paper on the subject, the NYPD has refused to discuss this issue further, and many of the important police frequencies have already been encrypted.

The consortium then supported a state bill that would allow for press access. That bill passed both houses and is awaiting the governor’s signature. NPPA has also worked with press groups around the country to address this issue.

Another problem we helped to solve was an exemption for journalists to a New York law that banned anyone in the state (except for certain “eligible professions”) from the “purchase, taking possession of, sale, exchange, giving or disposing of body armor.”

Additionally, NPPA was instrumental in opposing an Arizona bill that barred anyone recording police from getting closer than 15 feet to an officer without their permission. I drafted several letters to the legislature joined by 30 press organizations cautioning against the unconstitutionality of the proposed law, which was ultimately passed after the measure was amended to an 8-foot distance. I then worked with the American Civil Liberties Union and Arizona Broadcasters Association to obtain a permanent injunction prohibiting enforcement of the law. NPPA has also filed amicus briefs in two other constitutional challenges to similar laws in Indiana and Louisiana.

When the White House restricted the Associated Press’s access over its use of the term ‘Gulf of Mexico’ (a move that NPPA and FPF condemned), it raised concerns about the chilling effects of such retaliation on journalists. If presidents can exclude outlets or photographers from the press pool for editorial decisions, what does that mean for press freedom and the role of visual journalists?

As NPPA stated, such actions by the administration are unacceptable as both an attempt at prior restraint and a blatant retaliation and chilling abridgment of the First Amendment rights of the AP and its journalists.

Unfortunately, we have seen both the federal district court as well as the circuit court hearing the appeal in this case give wide latitude and discretion to the White House as to who it admits to cover certain events. Additional fallout from this has been the White House Correspondents Association losing its long-standing control over the press pool rotation as well as other “disfavored” media outlets being barred from inclusion in the pool.

All these actions taken by the administration are having a chilling effect on press coverage of the government and are eviscerating press freedom. The NPPA continues to work with news and press freedom organizations to advocate and support the right of the public to be informed.

Over the years, NPPA has had to oppose a number of laws that prohibit or limit taking pictures in public places as well as using drones to capture aerial footage. What should journalists do if they’re stopped and told they can’t take pictures or record in public?

Our staunch advocacy has led to the right to photograph and record in traditional public forums being “clearly established” in three-quarters of the U.S. Circuit Courts of Appeal, which is key to successfully bringing civil rights claims against those who try to limit or interfere with those rights.

While NPPA was initially successful in challenging Texas drone regulations, that decision was reversed on appeal. But we have been effective in ensuring that language protecting the First Amendment rights of journalists to use drones for newsgathering be included in government regulations.

NPPA has provided extensive training as to what journalists can do if they’re stopped and told they can’t take pictures or record in public. The foremost advice is to meet with law enforcement on a regular basis to ensure that these rights are honored by police and to discuss how best to improve police-press interactions. While in the field, it is crucial to maintain situational awareness and pay attention to police and crowd movements to avoid being encircled (kettled). Always have an exit strategy, as it is always better to move to a different location than be arrested. If police stop or question you about your activities, make sure to identify yourself as a journalist.

What will journalism lose if NPPA is forced to close its doors?

It would be a significant loss to not only visual journalists but to journalism itself if NPPA were to cease as an organization. For almost 80 years, NPPA has strongly advocated for the rights of visual journalists and now more than ever that unique voice is needed as more journalists are required to report not only with words but images. It also comes at a time when the importance of truthful images could not be greater.

While there are many other organizations supporting the First Amendment and press freedoms, none is more exclusively dedicated to the advancement and protection of visual journalism in its role as a vital public service than the NPPA. Our code of ethics is often cited as exemplary of what visual journalism should strive to achieve. Should our voice be muted, its silence will be deafening.

Donate to NPPA’s programs here to help protect the rights of visual journalists and the public’s right to know.

freedom.press/issues/the-leadi…

These days the president of the United States files frivolous lawsuits at an alarming clip, including against news outlets that displease him. He’s far from the only prominent public figure abusing the federal court system in this way, steering scarce judicial resources away from meritorious lawsuits by ordinary people who have suffered serious damages.

And yet, Congress has not seen fit to pass a federal “anti-SLAPP” law to stop billionaires and politicians from pursuing strategic lawsuits against public participation. But powerless prisoners? That’s another story. If they want access to the federal courts they need to navigate the Prison Litigation Reform Act — a maze of onerous procedural requirements. It’s supposedly intended to stop the courts from being burdened by inmates’ frivolous lawsuits.

We held a webinar to discuss the PLRA’s impact on incarcerated journalists and the journalists on the outside who cover the prison system, featuring Jeremy Busby, a journalist and Freedom of the Press Foundation (FPF) columnist who is incarcerated in Texas, and American Civil Liberties Union attorneys Nina Patel and Corene Kendrick. Patel is senior policy counsel at the ACLU Justice Division and Kendrick is the deputy director of the ACLU’s National Prison Project.

As Kendrick explained, the PLRA originated as one of the Clinton administration’s “tough on crime” initiatives as it pivoted right in preparation for the 1996 presidential election. The law was enacted despite a lack of evidence that incarcerated people file baseless lawsuits any more frequently than anyone else, presidents or otherwise. She said the law “singles out one disfavored group of people and categorically denies them equal access to the courts.”

youtube.com/embed/wiGxxwp8byI?…

She described how the harm extends beyond the impacted litigants, as the kinds of court filings foreclosed by the PLRA are “oftentimes the best way that information about conditions in our nation’s prisons and jails reach the public and members of the media.”

“The PLRA has, in practice, served as a real barrier for journalists to get any sort of information” about facilities that “get billions and billions of dollars a year to lock up human beings,” Kendrick said. “The ability to communicate with the outside world is so circumscribed and is monitored and recorded. And you know, once something gets to a federal court and it’s filed on the docket, it is out there.”

But when the court dismisses a case for procedural reasons without any consideration of whether the claims are true, all journalists are left with are untested allegations that they rarely have the resources to corroborate. “That happens all the time, and unfortunately, and it adversely affects journalists greatly,” Kendrick said.

Lawsuits are also the only recourse available to incarcerated journalists, who often report relentless retaliation when their work upsets prison officials. That’s what happened to Busby when he helped expose deplorable conditions inside the prison where he was housed when the COVID-19 pandemic hit in 2020. Busby said he was transferred to four prisons, each overcrowded with people sick with COVID, before landing in a cell without a mattress or sheets, where he was kept for six weeks. His property was damaged or seized, and he was written bogus disciplinary charges that were later overturned.

He brought a federal lawsuit, but because he was retaliated against in four different prisons, the judge said the PLRA required four separate lawsuits in four different courts. “I wasn’t able to successfully keep up with four active litigations in four different courts in four different counties, from the solitary confinement cell that I was being held in,” Busby explained, resulting in his lawsuits each being dismissed on procedural grounds before the merits of his claims could be adjudicated.

Busby is a college graduate and accomplished writer — if he can’t navigate the PLRA, it is all the more difficult for an average member of the prison population to do so. Even the experienced lawyers on the webinar acknowledged how challenging it can be to comply with the PLRA when representing their incarcerated clients. Incarcerated litigants, Busby noted, must also pay court fees — in his case, a $400 fee became $1,600 when his lawsuit was split into four.

“You don’t get paid for work here in Texas, and so most guys, they don’t even want the $400 thing against their account because their family members can maybe send $20 for toothpaste and deodorant every month or so, or every two or three months, and they don’t want to sacrifice their deodorant and toothpaste money to pursue this lawsuit,” he said.

So what’s the point of the PLRA? As Patel noted, “The courts are well equipped to throw out lawsuits that are frivolous,” and do so every day in cases involving non-incarcerated people. Patel believes the real problem the PLRA is meant to address isn’t that incarcerated people file so many invalid claims — it’s that they file so many valid ones.

With around two million people incarcerated in the United States, “a functional system where someone can go to the courts and have their constitutional violations in prison litigated and then compensated would break most prison systems in this country,” Patel explained. “That is the dirty truth of the PLRA.”

She added, “Everyone knows, and it’s not a secret, that it would bankrupt the system, and it would break it, and that we couldn’t do what we do in this country, which is lead the world in mass incarceration.”

Watch the full webinar here, and subscribe to our newsletters to get notice of future events.

Note: FPF Advocacy Director Seth Stern, who authored this article and moderated the webinar, is on the board of Busby’s nonprofit organization, JoinJeremy.

freedom.press/issues/federal-l…