Have you ever been out and about and needed to make a check against INT, WIS or CON but not had a die handy? Sure, you could use an app on your phone, but who knows what pseudorandom nonsense that’s getting up to. [Lazy Hovercraft] has got the solution with his new site RealDice.org, which, well, rolls real dice.

Well, one die, anyway. The webpage presents a button to roll a single twenty-sided die, or “Dee-Twenty” as the cool kids are calling it these days. The rolling is provided by a unit purchased from Amazon that spins the die inside a plastic bubble, similar to this unit we covered back in 2020. (Alas for fans of the venerable game Trouble, it does not pop.) The die spinner’s button has been replaced by a relay, which is triggered from the server whenever a user hits the “roll” button.

You currently have to look at the camera feed with your own eyes to learn what number was rolled, but [Lazy Hovercraft] assures us that titanic effort will be automated once he trains up the CVE database. To that end you are encouraged to help build the dataset by punching in what number is shown on the die.

This is a fun little hack to get some physical randomness, and would be great for the sort of chatroom tabletop gaming that’s so common these days. It may also become the new way we select the What’s That Sound? winners on the Hackaday Podcast.

Before sitting down for a game session, you might want to make sure you’re all using fair dice. No matter how fair the dice, its hard to beat quantum phenomena for random noise.

hackaday.com/2025/08/29/no-die…

Gli scienziati cinesi hanno presentato un lanciatore spaziale compatto, inizialmente progettato per rimuovere pericolosi detriti spaziali, ma che potrebbe potenzialmente essere utilizzato come arma. Il progetto è stato ideato da ingegneri di Nanchino, Shanghai e Shenyang e i risultati sono stati pubblicati sulla rivista peer-reviewed Acta Aeronautica et Astronautica Sinica.

ezstandalone.cmd.push(function () { ezstandalone.showAds(604); });
Il sistema si basa sul principio dell’espulsione della polvere da sparo, noto in Cina fin dal IX secolo, ma rielaborato per l’era spaziale. A differenza delle armi convenzionali, che creano lampi, vibrazioni e nuvole di fumo, il nuovo sistema funziona in modo silenzioso e pulito: niente luce, niente fumo e quasi nessuna vibrazione. Ciò è stato reso possibile da un meccanismo a gas chiuso con assorbimento di energia.

Quando viene sparato, una piccola carica crea un gas ad alta pressione che spinge un pistone. Una sezione appositamente indebolita del corpo collassa a una certa pressione, rilasciando il proiettile. All’uscita, incontra un anello piegato a un angolo di 35°, che smorza l’energia principale e le vibrazioni deformandosi verso l’interno. Di conseguenza, il rinculo scompare quasi completamente e il gas rimane bloccato all’interno, eliminando la contaminazione dell’orbita.

ezstandalone.cmd.push(function () { ezstandalone.showAds(612); });
Secondo gli autori, l’angolo di 35° si è rivelato ottimale: ha ridotto la forza di rinculo massima di oltre il 9% rispetto ai 20° e ha limitato lo spostamento della canna a soli 3,45 mm. Questo è fondamentale per i veicoli spaziali, dove vibrazioni o flare eccessivi possono danneggiare gli strumenti sensibili e ridurre la riserva di energia.

A differenza dei cannoni elettromagnetici a rotaia, che richiedono enormi alimentatori, superconduttori e complessi sistemi di raffreddamento, la nuova installazione non richiede alimentazione esterna, è facile da manutenere e può essere prodotta in serie in fabbriche convenzionali.

La missione principale del dispositivo è catturare un detrito utilizzando una capsula con una rete espandibile, fissarlo e trascinarlo nell’atmosfera, dove brucerà. Tuttavia, gli esperti ammettono che con piccole modifiche, il sistema potrebbe disattivare i satelliti nemici, privandoli di comunicazioni o informazioni, senza esplosioni o attacchi visibili, che potrebbero apparire come un semplice guasto.

ezstandalone.cmd.push(function () { ezstandalone.showAds(613); });
Non è noto se lo sviluppo abbia raggiunto la fase di applicazione pratica. È noto che il responsabile del progetto, il professore associato dell’Università di Scienza e Tecnologia di Nanchino Yue Shuai, è specializzato nella dinamica e nel controllo delle armi spaziali e ha già due sistemi operativi in orbita.

Sebbene il Trattato sullo spazio extra-atmosferico del 1967 proibisca l’impiego di armi nucleari e richieda l’uso pacifico dei corpi celesti, non vieta esplicitamente i sistemi cinetici convenzionali, tra cui questo dispositivo.

L'articolo Lanciato in Cina un sistema spaziale compatto per rimuovere detriti spaziali proviene da il blog della sicurezza informatica.

È stato scoperto che RubyGems conteneva 60 pacchetti dannosi che si spacciavano per strumenti innocui per l’automazione di social network, blog e servizi di messaggistica. I codici malevoli rubavano le credenziali degli utenti e sono state scaricate più di 275.000 volte da marzo 2023. Gli esperti di Socket, che hanno individuato la campagna, riferiscono che i pacchetti erano rivolti principalmente agli utenti sudcoreani che utilizzano strumenti di automazione per lavorare con TikTok, X, Telegram, Naver, WordPress, Kakao e così via.

ezstandalone.cmd.push(function () { ezstandalone.showAds(604); });
L’elenco completo dei pacchetti dannosi è disponibile nel rapporto Socket. Di seguito sono riportati esempi di typosquatting utilizzati dagli aggressori.

• Automazione di WordPress: wp_posting_duo, wp_posting_zon.ezstandalone.cmd.push(function () { ezstandalone.showAds(612); });
• Bot per Telegram: tg_send_duo, tg_send_zon.
• Strumenti SEO per i backlink: backlink_zon, back_duo.
• Strumenti per piattaforme di blogging: nblog_duo, nblog_zon, tblog_duopack, tblog_zon.ezstandalone.cmd.push(function () { ezstandalone.showAds(613); });
• Strumenti di Naver Café: cafe_basics[_duo], cafe_buy[_duo], cafe_bey, *_blog_comment, *_cafe_comment.

Il malware è stato pubblicato su RubyGems.org con i nomi di diversi editori: zon, nowon, kwonsoonje e soonje. La distribuzione delle attività dannose su più account ha reso difficile tracciare e bloccare gli attacchi.

Si sottolinea che tutto i 60 pacchetti avevano un’interfaccia grafica apparentemente plausibile e implementavano le funzionalità dichiarate. Allo stesso tempo, però, tutti i dati inseriti dalle vittime nei moduli di accesso venivano trasmessi agli indirizzi hard-coded dei server degli aggressori (programzon[.]com, appspace[.]kr, marketingduo[.]co[.]kr).

ezstandalone.cmd.push(function () { ezstandalone.showAds(614); });
In alcuni casi, gli strumenti mostravano anche messaggi di errore o di successo, anche se in realtà non avevano eseguito alcuna richiesta di accesso o API. Di conseguenza, agli autori del malware sono stati forniti login e password in chiaro, indirizzi MAC dei dispositivi (per l’impronta digitale) e nomi di pacchetti dannosi (per monitorare l’efficacia della campagna). I ricercatori affermano di aver trovato i dati rubati in vendita sui mercati darknet in lingua russa.

Il rapporto rileva che almeno 16 dei 60 pacchetti dannosi sono ancora disponibili per il download, nonostante Socket abbia notificato al team di RubyGems tutti i pacchetti dannosi. Gli esperti ricordano agli sviluppatori di controllare sempre attentamente i pacchetti provenienti da repository open source per individuare codice sospetto (ad esempio offuscamento), di considerare la reputazione e la cronologia delle versioni dell’autore e di affidarsi a versioni già testate e note per essere sicure.

L'articolo 60 Gems Dannose su RubyGems: Furto di Credenziali con Typosquatting proviene da il blog della sicurezza informatica.

If a system is popular with users, you can bet it’s just as popular with cybercriminals. Although Windows still dominates, second place belongs to macOS. And this makes it a viable target for attackers.

With various built-in protection mechanisms, macOS generally provides a pretty much end-to-end security for the end user. This post looks at how some of them work, with examples of common attack vectors and ways of detecting and thwarting them.

Overview of macOS security mechanisms

Let’s start by outlining the set of security mechanisms in macOS with a brief description of each:

1. Keychain – default password manager
2. TCC – application access control
3. SIP – ensures the integrity of information in directories and processes vulnerable to attacks
4. File Quarantine – protection against launching suspicious files downloaded from the internet
5. Gatekeeper – ensures only trusted applications are allowed to run
6. XProtect – signature-based anti-malware protection in macOS
7. XProtect Remediator – tool for automatic response to threats detected by XProtect

Keychain

Introduced back in 1999, the password manager for macOS remains a key component in the Apple security framework. It provides centralized and secure storage of all kinds of secrets: from certificates and encryption keys to passwords and credentials. All user accounts and passwords are stored in Keychain by default. Access to the data is protected by a master password.

Keychain files are located in the directories ~/Library/Keychains/, /Library/Keychains/ and /Network/Library/Keychains/. Besides the master password, each of them can be protected with its own key. By default, only owners of the corresponding Keychain copy and administrators have access to these files. In addition, the files are encrypted using the reliable AES-256-GCM algorithm. This guarantees a high level of protection, even in the event of physical access to the system.

However, attacks on the macOS password manager still occur. There are specialized utilities, such as Chainbreaker, designed to extract data from Keychain files. With access to the file itself and its password, Chainbreaker allows an attacker to do a local analysis and full data decryption without being tied to the victim’s device. What’s more, native macOS tools such as the Keychain Access GUI application or the /usr/bin/security command-line utility can be used for malicious purposes if the system is already compromised.

So while the Keychain architecture provides robust protection, it is still vital to control local access, protect the master password, and minimize the risk of data leakage outside the system. Below is an example of a Chainbreaker command:

python -m chainbreaker -pa test_keychain.keychain -o output

As mentioned above, the security utility can be used for command line management, specifically the following commands:

• security list-keychains – displays all available Keychain files

Keychain files available to the user

• security dump-keychain -a -d – dumps all Keychain files

Keychain file dump

• security dump-keychain ~/Library/Keychains/login.keychain-db – dumps a specific Keychain file (a user file is shown as an example)

To detect attacks of this type, you need to configure logging of process startup events. The best way to do this is with the built-in macOS logging tool, ESF. This allows you to collect necessary events for building detection logic. Collection of necessary events using this mechanism is already implemented and configured in Kaspersky Endpoint Detection and Response (KEDR).

Among the events necessary for detecting the described activity are those containing the security dump-keychain and security list-keychains commands, since such activity is not regular for ordinary macOS users. Below is an example of an EDR triggering on a Keychain dump event, as well as an example of a detection rule.

Example of an event from Kaspersky EDR

Sigma:
title: Keychain access
description: This rule detects dumping of keychain
tags:
- attack.credential-access
- attack.t1555.001
logsource:
category: process_creation
product: macos
detection:
selection:
cmdline: security
cmdline:
-list-keychains
-dump-keychain
condition: selection
falsepositives:
- Unknow
level: medium

SIP

System Integrity Protection (SIP) is one of the most important macOS security mechanisms, which is designed to prevent unauthorized interference in critical system files and processes, even by users with administrative rights. First introduced in OS X 10.11 El Capitan, SIP marked a significant step toward strengthening security by limiting the ability to modify system components, safeguarding against potential malicious influence.

The mechanism protects files and directories by assigning special attributes that block content modification for everyone except trusted system processes, which are inaccessible to users and third-party software. In particular, this makes it difficult to inject malicious components into these files. The following directories are SIP-protected by default:

• /System
• /sbin
• /bin
• /usr (except /usr/local)
• /Applications (preinstalled applications)
• /Library/Application Support/com.apple.TCC

A full list of protected directories is in the configuration file /System/Library/Sandbox/rootless.conf. These are primarily system files and preinstalled applications, but SIP allows adding extra paths.

SIP provides a high level of protection for system components, but if there is physical access to the system or administrator rights are compromised, SIP can be disabled – but only by restarting the system in Recovery Mode and then running the csrutil disable command in the terminal. To check the current status of SIP, use the csrutil status command.

Output of the csrutil status command

To detect this activity, you need to monitor the csrutil status command. Attackers often check the SIP status to find available options. Because they deploy csrutil disable in Recovery Mode before any monitoring solutions are loaded, this command is not logged and so there is no point in tracking its execution. Instead, you can set up SIP status monitoring, and if the status changes, send a security alert.

Example of an event from Kaspersky EDR

Sigma:
title: SIP status discovery
description: This rule detects SIP status discovery
tags:
- attack.discovery
- attack.t1518.001
logsource:
category: process_creation
product: macos
detection:
selection:
cmdline: csrutil status
condition: selection
falsepositives:
- Unknow
level: low

TCC

macOS includes the Transparency, Consent and Control (TCC) framework, which ensures transparency of applications by requiring explicit user consent to access sensitive data and system functions. TCC is structured on SQLite databases (TCC.db), located both in shared directories (/Library/Application Support/com.apple.TCC/TCC.db) and in individual user directories (/Users/<username>/Library/Application Support/com.apple.TCC/TCC.db).

Contents of a table in the TCC database

The integrity of these databases and protection against unauthorized access are implemented using SIP, making it impossible to modify them directly. To interfere with these databases, an attacker must either disable SIP or gain access to a trusted system process. This renders TCC highly resistant to interference and manipulation.

TCC works as follows: whenever an application accesses a sensitive function (camera, microphone, geolocation, Full Disk Access, input control, etc.) for the first time, an interactive window appears with a request for user confirmation. This allows the user to control the extension of privileges.

TCC access permission window

A potential vector for bypassing this mechanism is TCC Clickjacking – a technique that superimposes a visually altered window on top of the permissions request window, hiding the true nature of the request. The unsuspecting user clicks the button and grants permissions to malware. Although this technique does not exploit TCC itself, it gives attackers access to sensitive system functions, regardless of the level of protection.

Example of a superimposed window

Attackers are interested in obtaining Full Disk Access or Accessibility rights, as these permissions grant virtually unlimited access to the system. Therefore, monitoring changes to TCC.db and managing sensitive privileges remain vital tasks for ensuring comprehensive macOS security.

File Quarantine

File Quarantine is a built-in macOS security feature, first introduced in OS X 10.5 Tiger. It improves system security when handling files downloaded from external sources. This mechanism is analogous to the Mark-of-the-Web feature in Windows to warn users of potential danger before running a downloaded file.

Files downloaded through a browser or other application that works with File Quarantine are assigned a special attribute (com.apple.quarantine). When running such a file for the first time, if it has a valid signature and does not arouse any suspicion of Gatekeeper (see below), the user is prompted to confirm the action. This helps prevent running malware by accident.

Example of file attributes that include the quarantine attribute

To get detailed information about the com.apple.quarantine attribute, use the xattr -p com.apple.quarantine <File name> command. The screenshot below shows an example of the output of this command:

• 0083 – flag for further Gatekeeper actions
• 689cb865 – timestamp in hexadecimal format (Mac Absolute Time)
• Safari – browser used to download the file
• 66EA7FA5-1F9E-4779-A5B5-9CCA2A4A98F5 – UUID attached to this file. This is needed to database a record of the file

Detailed information about the com.apple.quarantine attribute

The information returned by this command is stored in a database located at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2, where it can be audited.

Data in the com.apple.LaunchServices.QuarantineEventsV2 database

To avoid having their files quarantined, attackers use various techniques to bypass File Quarantine. For example, files downloaded via curl, wget or other low-level tools that are not integrated with File Quarantine are not flagged with the quarantine attribute.

Bypassing quarantine using curl

It is also possible to remove the attribute manually using the xattr -d com.apple.quarantine <filename> command.

Removing the quarantine attribute

If the quarantine attribute is successfully removed, no warning will be displayed when the file is run, which is useful in social engineering attacks or in cases where the attacker prefers to execute malware without the user’s knowledge.

Running a file without a File Quarantine check

To detect this activity, you need to monitor execution of the xattr command in conjunction with -d and com.apple.quarantine, which implies removal of the quarantine attribute. In an incident related to macOS compromise, also worth investigating is the origin of the file: if it got onto the host without being flagged by quarantine, this is an additional risk factor. Below is an example of an EDR triggering on a quarantine attribute removal event, as well as an example of a rule for detecting such events.

Example of an event from Kaspersky EDR

Sigma:
title: Quarantine attribute removal
description: This rule detects removal of the Quarantine attribute, that leads to avoid File Quarantine
tags:
- attack.defense-evasion
- attack.t1553.001
logsource:
category: process_creation
product: macos
detection:
selection:
cmdline: xattr -d com.apple.quarantine
condition: selection
falsepositives:
- Unknow
level: high

Gatekeeper

Gatekeeper is a key part of the macOS security system, designed to protect users from running potentially dangerous applications. First introduced in OS X Leopard (2012), Gatekeeper checks the digital signature of applications and, if the quarantine attribute (com.apple.quarantine) is present, restricts the launch of programs unsigned and unapproved by the user, thus reducing the risk of malicious code execution.

The spctl utility is used to manage Gatekeeper. Below is an example of calling spctl to check the validity of a signature and whether it is verified by Apple:

Spctl -a -t exec -vvvv <path to file>

Checking an untrusted file using spctl

Checking a trusted file using spctl

Gatekeeper requires an application to be:

• either signed with a valid Apple developer certificate,
• or certified by Apple after source code verification.

If the application fails to meet these requirements, Gatekeeper by default blocks attempts to run it with a double-click. Unblocking is possible, but this requires the user to navigate through the settings. So, to carry out a successful attack, the threat actor has to not only persuade the victim to mark the application as trusted, but also explain to them how to do this. The convoluted procedure to run the software looks suspicious in itself. However, if the launch is done from the context menu (right-click → Open), the user sees a pop-up window allowing them to bypass the block with a single click by confirming their intention to use the application. This quirk is used in social engineering attacks: malware can be accompanied by instructions prompting the user to run the file from the context menu.

Example of Chropex Adware using this technique

Let’s take a look at the method for running programs from the context menu, rather than double-clicking. If we double-click the icon of a program with the quarantine attribute, we get the following window.

Running a program with the quarantine attribute by double-clicking

If we run the program from the context menu (right-click → Open), we see the following.

Running a program with the quarantine attribute from the context menu

Attackers with local access and administrator rights can disable Gatekeeper using the spctl –master disable or --global-disable command.

To detect this activity, you need to monitor execution of the spctl command with parameters –master disable or --global-disable, which disables Gatekeeper. Below is an example of an EDR triggering on a Gatekeeper disable event, as well as an example of a detection rule.

Example of an Kaspersky EDR event

Sigma:
title: Gatekeeper disable
description: This rule detects disabling of Gatekeeper
tags:
- attack.defense-evasion
- attack.t1562.001
logsource:
category: process_creation
product: macos
detection:
selection:
cmdline: spctl
cmdline:
- '--master-disable'
- '--global-disable'
condition: selection

Takeaways

The built-in macOS protection mechanisms are highly resilient and provide excellent security. That said, as with any mature operating system, attackers continue to adapt and search for ways to bypass even the most reliable protective barriers. In some cases when standard mechanisms are bypassed, it may be difficult to implement additional security measures and stop the attack. Therefore, for total protection against cyberthreats, use advanced solutions from third-party vendors. Our Kaspersky EDR Expert and Kaspersky Endpoint Security detect and block all the threats described in this post. In addition, to guard against bypassing of standard security measures, use the Sigma rules we have provided.

securelist.com/macos-security-…

WIRobotics ha presentato la parte superiore del suo primo robot umanoide multiuso , ALLEX, presso il Robot Innovation Hub della Korea University of Technology and Education. Il nome sta per “ALL-EXperience” e gli sviluppatori sottolineano che la macchina non solo è in grado di riconoscere immagini e controllare la propria posizione nello spazio, ma anche di rispondere a influenze fisiche reali: forza, tocco, impatto. Questo rende ALLEX un passo avanti rispetto ai modelli esistenti, poiché dimostra un comportamento simile a quello umano.

ezstandalone.cmd.push(function () { ezstandalone.showAds(604); });
La caratteristica principale del progetto è una nuova mano con un elevato grado di mobilità. Ha dimensioni paragonabili a quelle di una mano umana ed è dotata di 15 gradi di libertà, il che garantisce movimenti precisi e un’ampia gamma di compiti. Allo stesso tempo, la mano è in grado di rilevare sforzi di soli 100 grammi di forza anche senza sensori tattili. L’errore nel posizionamento ripetuto della punta delle dita non supera 0,3 mm e la forza di compressione raggiunge i 40 Newton, consentendole di sollevare oltre 30 kg su un gancio: questo è uno dei migliori indicatori tra i manipolatori antropomorfi ad alta mobilità.

Particolare attenzione è stata dedicata ai sistemi di azionamento e controllo. Il nuovo attuatore presenta un attrito estremamente basso e un’elevata capacità di carico, e l’algoritmo di controllo combina il posizionamento preciso con il controllo di forza e rigidità. Il design utilizza anche un compensatore di peso per il corpo, rendendo l’interazione umana più sicura e migliorando la precisione durante l’esecuzione di compiti pesanti.

ezstandalone.cmd.push(function () { ezstandalone.showAds(612); });
Un elemento importante è la combinazione di leggerezza ed elevata capacità di carico. La mano pesa circa 700 grammi e l’intero assemblaggio, dalla spalla in giù, pesa circa 5 kg. Allo stesso tempo, il robot è in grado di manipolare oggetti di peso superiore a 3 kg con una sola mano, una capacità paragonabile a quella di un manipolatore collaborativo medio di peso superiore a 20 kg.

ALLEX è il primo umanoide dotato di una “flessibilità” innata in grado di rispondere a forze esterne con mani, dita e corpo senza l’uso di sensori di forza. Questo apre la strada a un’interazione sicura ma dinamica con gli esseri umani e semplifica l’addestramento basato sull’apprendimento automatico , riducendo al minimo il divario tra simulazione e mondo reale.

L’azienda vede ALLEX come la base di una futura piattaforma modulare: braccia, mani, corpo o sistema di controllo possono essere utilizzati separatamente. WIRobotics prevede di condurre dimostrazioni in vari settori per entrare nel mercato.

ezstandalone.cmd.push(function () { ezstandalone.showAds(613); });
Per unire robotica e intelligenza artificiale , WIRobotics sta costruendo un ecosistema di innovazione aperto. L’azienda ha una partnership strategica con RLWRLD, una startup che lavora allo sviluppo di “IA fisica”, e collabora anche con importanti centri di ricerca e aziende in tutto il mondo, tra cui il MIT , l’Università dell’Illinois a Urbana-Champaign, l’Università del Massachusetts, il Korea Advanced Institute of Science and Technology e Maxon.

“ALLEX non è solo un’imitazione dei movimenti umani. È il primo robot che percepisce e reagisce realmente al mondo che lo circonda“, ha affermato Young-Jae Kim, co-CEO e CTO di WIRobotics. Secondo lui, l’obiettivo dell’azienda è creare una piattaforma umanoide multifunzionale, accessibile a tutti nella vita di tutti i giorni entro il 2030.

WIRobotics è stata fondata nel giugno 2021 da quattro ex ingegneri Samsung . L’azienda promuove l’idea di “Tecnologia per le persone, per la qualità della vita”. Tra i suoi progetti figurano l’esoscheletro industriale WIBS e l’assistente mobile WIM, che ha vinto il CES Innovation Awards per due anni consecutivi. Nel 2024, l’azienda ha raccolto 13 miliardi di won per lo sviluppo, ha inaugurato il Robot Innovation Hub e ha avviato collaborazioni con organizzazioni accademiche per accelerare la ricerca nei campi dei manipolatori sicuri e flessibili e della deambulazione robotica.

ezstandalone.cmd.push(function () { ezstandalone.showAds(614); });
L'articolo WIRobotics presenta ALLEX, il robot umanoide multiuso avanzato proviene da il blog della sicurezza informatica.

A couple of years ago, a judge in Arizona issued a restraining order against journalist Camryn Sanchez at the behest of a state senator, Wendy Rogers. The ordeal was alarming, but press freedom advocates were able to breathe a sigh of relief when the order was struck down by another judge a few weeks later. That Rogers is, well, out of her mind, made it easier to hope that the whole thing was an isolated incident.

Unfortunately, that doesn’t appear to be the case. A Maryland journalist, Will Fries, was recently served with a “peace order” that would’ve barred him from city hall in Salisbury. The order, requested by the city’s communications director (allegedly in coordination with higher-ups), followed Fries’ reporting on the city’s purported policy requiring media inquiries to be routed through its communications office — which officials cited to restrict Fries from asking questions during a committee meeting.

Fortunately, a judge ultimately declined to issue the order. But after the Arizona restraining order and plenty of other instances of local officials claiming bizarre grounds to punish routine newsgathering, it would be a mistake to dismiss Fries’ case as a one-off.

We talked to Fries about the experience via email. Our conversation is below.

Tell us briefly about your background and the kind of reporting you do for The Watershed Observer.

For over a decade, I’ve worked to counter disinformation and malign influence across communities. I’ve done investigative work for nonprofits and tech companies, served on major presidential campaigns, and overseen digital strategy for former Portland (Oregon) Mayor Ted Wheeler (where things got interesting). Most recently, I launched The Watershed Observer to provide communities with faithful reporting at the intersection of local and global issues.

We want to talk about the “peace order,” or restraining order, that a government employee sought against you in Salisbury, but it looks like there’s a bit of press freedom “Inception” going on — that ordeal arose from your reporting on another press freedom issue. What happened on August 6 in Salisbury, Maryland?

Salisbury’s Mayor’s Office claimed the Human Rights Advisory Committee advised him to remove a rainbow crosswalk. In reality, the committee had voted against that and gone on public record disputing the mayor’s communications. I received reports, tips, and outreach, and I reviewed the committee’s approved May meeting minutes.

As a courtesy, I let the committee know ahead of time that I planned to take part in the open, public forum section of their August 6 meeting. After being recognized, when I raised questions about the mayor’s false statement, the mayor’s liaison blocked both me and the committee from discussion, falsely claiming a city policy barred journalists from participating. No such policy exists. Later, the mayor’s comms director sent an email exclusively targeting the Human Rights Committee and their ability to speak with the press and public about their public work, the same group that had raised concerns about the mayor’s misinformation.

The kind of policy that the mayoral staffer cited, that city employees are required to route all media inquiries to a communications office, has been referred to as “censorship by PIO,” or public information officer, because of how it limits the information obtainable by journalists. They’ve repeatedly been held unconstitutional. Putting aside that the commission members weren’t actually city employees subject to the policy — and that even if a city policy could restrict employees from answering certain questions, it certainly can’t block reporters from asking them — how have you observed these policies impacting the press?

The city’s actions had a tangible chilling effect. After the comms director’s email, some committee members hesitated to go on record, while others only spoke confidentially. In practice, this limited the committee’s ability to speak publicly about human rights issues or potential concerns regarding the mayor and his staff.

“If someone is a nongovernment actor who produces media to be consumed by the public, they are press. The idea of official versus unofficial press is a ridiculous invention.”

Will Fries

I say actions, not policy, because there is no legitimate city policy banning journalists from participating in public meetings, and such a rule would serve no legitimate purpose. The false claim and creation of policy was fabricated in the moment to intimidate and coerce members of the public body, and me, in order to suppress participation in further discussing the mayor’s office’s gross misrepresentation of the committee’s public work. Its only purpose was to block accountability and prevent scrutiny.

I noticed in some correspondence, the comms director seems to refer to you as someone who claims to be a member of the media, and distinguishes between what she sees as official and unofficial press. As an independent journalist, how do you think city officials should determine who is or isn’t really the press? Or should they at all?

If someone is a nongovernment actor who produces media to be consumed by the public, they are press. The idea of “official” versus “unofficial” press is a ridiculous invention, completely at odds with constitutional protections and civic norms. The city of Salisbury has no legitimate policy distinguishing “real” from “not real” press, nor could it. That notion exists only to imply the city can ignore questions or accountability from anyone they don’t consider “official press.” They can’t. In Maryland, our Declaration of Rights explicitly extends the freedom of the press to “every citizen,” and many states have similar protections.

Talk about the follow-up reporting you did, or tried to do, after the August 6 meeting.

After the August 6 meeting, I did what any responsible journalist would do: I followed up. I gave the city employee a chance to clarify. I reached out to the mayor’s comms director for confirmation and comment. I also shared my reporting with the committee, inviting them to add their perspectives. Instead of engaging, the comms director issued an email exclusively to the Human Rights Advisory Committee, discouraging members from speaking to the press or the public. They spread falsehoods about me and my reporting in retaliation, rather than investigate the reality themselves or address the underlying facts of the mayor’s misinformation about the Human Rights Committee and mayor’s staff improperly interfering at the August 6 meeting. I also filed public records requests to learn more about the city’s processes and policies.

Then you got the peace order from the mayor’s comms director. Which allegations in the peace order application do you contend were factually false, and did the city ever present any evidence that those allegations were, in fact, true?

The comms director falsely claimed I was behind a nonthreatening and fact-forward whistleblower email that raised serious ethical concerns about her conduct, and petitioned that this, combined with my public records requests, somehow were grounds for a peace order. Those allegations were unfounded, baseless, and unsupported by any evidence. The petition functioned solely as retaliation against protected activities and now fits into an observable pattern of the city disregarding realities.

I’ve had a long investigatory career, and I am aware of other instances where peace orders have been misused as tools to discredit reporters and witnesses, or to intimidate people participating in serious investigations. At the same time, it’s important for everyone to recognize that lawful peace orders serve an important and serious purpose: They protect individuals from genuine threats and ensure safety in difficult circumstances. I believe that misuse and abuse of peace orders is rare.

So stripping away the allegations you dispute, what’s left is essentially that you sought comment for stories from the comms director, filed public records requests, and voiced your displeasure with how officials had characterized your reporting. That all sounds like routine journalistic conduct (especially when city policy doesn’t allow you to talk to anyone else besides the comms director) and a pretty open-and-shut case. Was it easy to get this thrown out?

Once all false statements and disprovable allegations are removed, what remains is professional conduct and routine journalism: seeking comment, filing records requests, and following up on city actions, activities documented by journalists every day. It’s concerning that it went as far as a court proceeding, but the judge ultimately ruled there was no basis for the petition.

Do you think higher-ups at the city had anything to do with the effort to obtain a peace order against you, which, incidentally, would have restricted you from entering city headquarters?

During sworn testimony, the mayor’s comms director acknowledged she pursued the peace order with encouragement and guidance from the city solicitor’s office and the Police Department. If that testimony were false, it would amount to perjury. In addition, I have received reports from trusted sources that an elected official may have personally participated. All of this indicates the effort wasn’t an isolated action by one employee, but part of a broader institutional attempt to retaliate against a reporter and restrict reporting access.

The U.S. Press Freedom Tracker, a project of Freedom of the Press Foundation (FPF), only has one case documented in which a judge knowingly entered a restraining order against a journalist (the Tracker is not documenting your case because the court declined to issue the order). That case involved a state senator in Arizona who objected to a reporter knocking on her door, and the order was later overturned. But there have been plenty of cases involving reporters being arrested, ticketed, investigated, sued, raided, or criminally charged over routine journalism. How do you think what happened to you fits into this broader national trend of local authorities retaliating against the press for doing its job?

We are seeing instances in which some people with public responsibilities respond to journalists with resistance or retaliation rather than openness. These actions rarely arise from legitimate concern and more often reflect institutional reluctance to confront reality or uphold accountability. In some cases, public officials entrusted with serving their communities treat engagement and transparency as risks rather than obligations. The healthiest communities are built on leaders who stay open, accountable, and ready to face tough questions from the public and the press.

Everyone has a responsibility to support press freedom, including journalists, city employees, and members of the public. Sometimes that responsibility is as simple as subscribing to a news outlet. Other times, it involves asking hard questions and sharing difficult truths with the public. And in some cases, it requires taking personal risks, including facing arrest or accusations, to advance public interests.

In this climate, we all have a responsibility to ask ourselves the hard questions about what we each can do to strengthen a free and transparent society.

freedom.press/issues/journalis…

Dear Friend of Press Freedom,

For 157 days, Rümeysa Öztürk has faced deportation by the United States government for writing an op-ed it didn’t like, and for 76 days, Mario Guevara has been imprisoned for covering a protest. Read on for more, and click here to subscribe to our other newsletters.

Government excuses for Öztürk secrecy are insulting

A recent court filing suggests the U.S. government is abusing the Freedom of Information Act to hide potentially damning evidence about its March arrest of Öztürk over her co-authorship of an op-ed criticizing Israel.

The government told Freedom of the Press Foundation (FPF), in response to a lawsuit we’ve filed for Öztürk’s records, that releasing them would be an invasion of privacy, although it’s not clear whose. Read more here. And to learn more about our FOIA work, subscribe to our secrecy newsletter, The Classifieds.

• SUBSCRIBE

Stop congressional secrecy bill

A new legislative proposal – almost identical to one we opposed in 2023 – would allow members and even former members of Congress to compel the censorship of a broad range of information that journalists and others are constitutionally entitled to publish.

It would impede journalists’ and watchdogs’ efforts to, for example, check property, vehicle or travel records to investigate bribery allegations, monitor lawmakers leaving their districts during emergencies, scrutinize potential financial conflicts impacting policy positions, and a myriad of other newsworthy matters. We collaborated with our friends at Defending Rights & Dissent on a petition to lawmakers to stop this censorial proposal. Contact your senator here.

Police: Don’t impersonate journalists

We told you last week that police in Eugene, Oregon, said they’d stop putting their videographers in “PRESS” vests. Great.

But the practice was disturbing enough that we thought police in Eugene and elsewhere needed to understand the dangers of government employees posing as journalists — from providing propagandists with greater access than real journalists to exposing journalists and police officers alike to the risk of assault.

We led a letter from press and liberties groups to Eugene’s police chief, copying national associations of police communications personnel.Read it here.

Another journalist restraining order

A couple years ago, a judge in Arizona issued a restraining order against journalist Camryn Sanchez at the behest of a state senator, Wendy Rogers. That ordeal was alarming, but press freedom advocates were able to breathe a sigh of relief when the order was struck down by another judge a few weeks later. That Rogers is, well, out of her mind, made it easier to hope that the whole thing was an isolated incident.

Unfortunately, that doesn’t appear to be the case. Maryland journalist Will Fries was recently served with a “peace order” that would’ve barred him from city hall in Salisbury. Fortunately, a judge ultimately declined to issue the order, but after the Arizona restraining order and plenty of other instances of local officials claiming bizarre grounds to punish routine newsgathering, it would be a mistake to dismiss Fries’ case as a one-off.

We talked to Fries about the experience via email. Read the conversation here.

What we’re reading

Israel’s killing of six Gaza journalists draws global condemnation (Al Jazeera). We told Al Jazeera that “Any story that quotes an Israeli official or references Israeli allegations should say that Israel does not allow the international press to verify its claims and kills the local journalists who try.”

Homeland Security tells watchdog it hasn’t kept text message data since April (The New York Times). We told the Times that “Agencies cannot get away from responding to FOIA requests by intentionally degrading their capabilities … This is like a fire department saying, ‘We don’t have a hose, so we’re not going to put out the fires anymore.’”

Accepted at universities, unable to get visas: inside Trump’s war on international students (The Intercept). “An intrepid reporter who wants to use his time in America to become an even more effective watchdog against government corruption is an undesirable in the eyes of a corrupt government like ours,” we told The Intercept about journalist Kaushik Raj’s student visa denial.

News groups ask judge to increase protections for journalists covering LA protests (Courthouse News). The federal government apparently believes that assaulting journalists covering protests is legal because “videotaping can lead to violence.” The First Amendment says otherwise.

The student newspaper suing Marco Rubio over targeted deportations (The Intercept). “It does not matter if you’re a citizen, here on a green card, or visiting Las Vegas for the weekend — you shouldn’t have to fear retaliation because the government doesn’t like what you have to say,” Conor Fitzpatrick of the Foundation for Individual Rights and Expression told The Intercept.

Lack of local news tied to government secrecy, new report says (Medill Local News Initiative). A new study by the Brechner Center for the Advancement of the First Amendment shows that states with more newspapers are more likely to respond to records requests, and states with fewer papers are more likely to ignore them.

Public broadcast cuts hit rural areas, revealing a political shift (The New York Times). Rural stations in Alaska and elsewhere may no longer have the bandwidth to send emergency alerts. That could be the difference between life and death.

Opinion: D.C. must invest in local news (The 51st). Funding local news by directing public grants through consumer coupons is a creative way to address the local news crisis. Local governments must act to keep community news from dying.

freedom.press/issues/governmen…