The Register

Biting the hand that feeds IT — Enterprise Technology News and Analysis

Hands off our VPNs, privacy groups tell UK ministers

Privacy campaigners, browser makers, and VPN providers have united to warn the UK government against restricting virtual private networks, saying age-gating the technology would weaken online security while doing little to stop kids dodging social media bans. The Open Rights Group on Tuesday published an open letter signed by more than 20 organizations, including the Electronic Frontier Foundation, ExpressVPN, the Internet Society, Mozilla, Mullvad, Proton, and the Tor Project. It urges ministers to rule out age verification and other restrictions on VPN services. The coalition argues that VPNs have become important infrastructure for a broad range of users, from businesses and journalists to abuse survivors and ordinary users trying to protect themselves on public Wi-Fi. Requiring users to prove their age would undermine the privacy VPNs are intended to provide. "Restricting VPNs would undercut the security and privacy of millions, without making children safer," the letter reads. "Age-gating VPNs would require everyone to surrender sensitive personal information simply to access tools designed to protect privacy." It's hardly a new fight. Mozilla spent much of spring arguing that ministers were chasing the wrong target, warning that breaking VPNs would do little to fix Britain's age-check problem while making the internet less private and less secure for everyone else. The open letter suggests plenty of others have since reached the same conclusion. The intervention comes as ministers prepare to introduce a ban on social media for under-16s, arguing that VPNs aren't the loophole many critics assume. The government's own research backs that up, showing that while about one in four 11 to 17-year-olds said they'd used a VPN, only 7 to 10 percent did so to bypass age checks. Most simply lied about their age instead. The coalition highlights similar figures from Ofcom, which it says makes a poor case for tightening access to VPNs. "Ofcom's research found that only around 3 percent of children had used VPNs to access content meant for older audiences," the letter says. "Evidence from Australia shows children are much more likely to get around age checks by not being asked, giving false information, or even drawing on a mustache." The signatories instead want ministers to tackle what they describe as the "root causes of online harms," rather than making people prove who they are before they can use privacy tools. The letter argues that strong enforcement of platform obligations, better parental controls, investment in digital literacy, and privacy-by-design requirements would do more to protect children than requiring VPNs to be behind age checks. Whether the government is persuaded may depend on whether it views VPNs as a niche loophole used by a small minority of teenagers – as its own research suggests – or as the next obstacle to enforcing its online safety agenda. ®

Baddies caught exploiting extensions bugs with perfect 10 scores on vulnerable Joomla websites

CISA has added two critical Joomla extension bugs to its Known Exploited Vulnerabilities catalog after attackers were caught exploiting both flaws to upload malicious code onto vulnerable websites. The newly listed bugs affect iCagenda, an events calendar extension for the open source Joomla content management system, and Balbooa Forms, a popular form builder used to collect contact requests, registrations, surveys, and file uploads. Joomla powers roughly 1.2 percent of all websites – around a million sites worldwide – with extensions developed by independent, third-party companies, doing much of the heavy lifting beyond the core platform. Both vulnerabilities carry the maximum CVSS score of 10 and allow attackers to upload arbitrary files that can ultimately be executed as PHP code on the server, handing over remote control of the affected site. CISA added CVE-2026-48939, affecting iCagenda, and CVE-2026-56291, affecting Balbooa Forms, to its KEV catalog this week after confirming in-the-wild exploitation. Federal civilian agencies were ordered to patch against the flaws under the agency's vulnerability management directive, but the warning is equally relevant to the wider Joomla community, given that both extensions are used on public-facing websites. The iCagenda bug allows attackers to upload a malicious PHP file through the extension's attachment feature, turning what should be a simple file upload into remote code execution, CISA said. Security firm mySites.guru said it spotted attackers exploiting the iCagenda bug just hours before patched versions 4.0.8 and 3.9.15 were released in mid-June. The attacks targeted the extension's "Submit an Event" feature, which lets visitors contribute events to a site's calendar. Researchers said they observed automated scanning looking specifically for vulnerable installations before dropping web shells onto compromised servers. The Balbooa Forms bug is much the same story. Researchers said the extension's frontend upload endpoint accepted files from anonymous visitors without authentication, CSRF protection, or meaningful checks on file types. That made it possible to upload a PHP file into a publicly accessible directory and execute it remotely. The researchers said they uncovered the flaw while investigating an abuse report from a customer whose Joomla site was already under attack. Balbooa responded with version 2.4.1 on July 9, but researchers warned that exploitation is continuing against sites that have yet to update. If there's a silver lining, it's that the fixes are already available. If there's a downside, it's that the attackers didn't wait around for release notes. ®

Frame: A new X11 server – implemented directly in assembly

Wayland is dominating the recent news about FOSS GUIs – even dignified elder Xfce’s official support is getting close. However, X11 is very much not dead yet, and new developments keep appearing. Last week, Norwegian FOSS developer Geir Isene announced his all-new server for the venerable X11 display protocol. Its description is in the title of the announcement post: Frame - the first Linux Assembly X server. Isene explains his motivation thus: “On my quest to own my software, one foundational piece kept itching… the X server. The underlying graphics engine, the thing that puts pixels on the screen. X11 is 4 million lines of code, a beast very few can claim they understand. So I did the reasonable thing. I wrote my own, in Assembly.” (This, for clarity, is extremely dry Norwegian humor. Writing your own X11 server in assembly language is the polar opposite of what most Unix developers would consider “reasonable…” But there is a reason behind the decision, and you may already have guessed it.) Isene also has his own window manager, Tile; his own terminal emulator, Glass; and even his own shell, called Bare. He calls the whole stack CHasm — CHange to ASM. All the tools are standalone binaries, implemented in x86-64 assembly language, targeting Linux, with no external dependencies. To go with them, he also has a similarly compact suite of Rust-based tools as well, named Fe₂O₃. It reminds us of the Suckless collection of extremely minimal, statically linked Linux apps, which once included a entire statically-linked Linux distro called Stali. Although Stali has been unmaintained for nearly a decade now, there are others: one current statically linked Linux distro is Oasis.) If you like a hyper-minimalist Linux setup, Isene’s custom stack of tools sounds amazing – perhaps even too good to be true. (That’s a hint, or what we gather fiction writers call foreshadowing.) yserver Remarkably enough, Frame is not the first new X11 server for Linux that has appeared recently. That distinction goes to yserver, which appeared last month. Developer Jos Dehaes describes it as “a modern X11 server written from scratch in Rust.” This also sounds good, especially if you’re an admirer of Rust. We have started using a few Rust-based projects here in the Irish Sea wing of Vulture Towers. They tend to be small, fast, stable, and quite clean of legacy baggage. They offer a significant contrast with Electron-based ones. In terms of tech legacy baggage, they score very well on what sometime Reg contributor Verity Stob measured with the Stob Cruft index. Yserver looks impressively complete: for instance, Dehaes has a list of 13 existing environments that run fine under it, from Enlightenment to Xfce. But – there’s always a “but” – before you get too excited, there’s a catch. Both Frame and yserver were built using LLM bots. (“Vibe coded” feels too harsh for programs of this complexity, but some will apply it anyway.) So, although Isene says of Frame, “I wrote my own in Assembly,” further down the same page, he concedes: “When something breaks or I want a feature, I turn to my buddy Claude and describe the itch.” To be honest, for this staunchly AI-skeptical vulture, this means Isene didn’t really write the CHasm programs himself: he presumably wrote a detailed spec, from which a bot generated code. This also arguably means he doesn’t strictly own the software, but on that point, to his credit, he does not call it open source or free software: instead, he put it in the public domain under the Unlicense. There’s less info about yserver development than Frame, but yserver’s Github repository contains both CLAUDE.md and AGENTS.md, and both OpenAI Codex and Github Copilot have commits in its history. Previously… There is also a third new X11 server, which we already mentioned back in January. That one is called Phoenix, and it’s written in the relatively new Zig language. Phoenix’s original Git repo seem to be down, and although the homepage is there, it hasn’t been updated in a couple of years and doesn’t mention Phoenix at all. Even so, the Github repo is active, with commits just three weeks ago at the time of writing. We have no information as to whether the developer, known only as dec05eba, is using any LLM tools to work on it. As well as all these, there is the XLibre fork of the X.org server, whose announcement we covered a year ago, followed by its gathing vocal endorsement, including Devuan. Multiple distros and OSes include or support XLibre. Development is active: the project has put out 27 releases so far. (XLibre development does seem to be happening significantly faster than the Wayback project, which appeared a month later. Wayback is a sort of “Wayland display server” to enable entire X11 desktop environments to run on a pure-Wayland display stack. As far as we can see, there have only been three Wayback releases so far, and the last was six months ago.) Arcan Alongside whole new X11 servers, whatever they’re written in (or how), there is also an active project that is far more technologically ambitious than all of them put together. The Arcan display server hit a significant anniversary in June, and developer Björn Ståhl marked it with a blog post: Arcan: 10 Years of Online Obscurity. We wrote about the project back in 2022, in Lash#Cat9: A radical new Linux UI for keyboard warriors. That article focused on just part of the project, its shell Cat9. Cat9 is a shell in the sense of the Windows Shell: it’s a user interface. Cat9 happens to be a command-line one, and it also contains quite a lot of what in traditional Unix terms would be a terminal emulator. Arcan is a lot more than that. Arcan covers a display protocol (called A12) and a display server (comparable to X.org). It includes a command-line shell (Cat9), but also a desktop environment called Durden. Durden isn’t the only one: there’s also a Zooming user interface (ZUI) called Pipeworld. So you can run X11 apps, Arcan has an X server called xarcan, and it can also run Wayland client apps over a module called Waybridge – a pun on weighbridge. Arcan is the sort of ambitous rethink of the Unix display stack we wanted to see – and which Wayland’s developers didn’t even think about, let alone attempt. Arcan doesn’t just let programs open windows over the network like X11. Arcan lets networked computers send media streams to each other, and because it understands hardware 3D it enables remote 3D acceleration, for instance for network gaming. It integrates multitasking and 3D and media right into the Unix command line: shell commands can fade into the background while displaying grapical progress meters, or play media streams in the terminal, or multiple updating parallel zones of text output. There are multiple prices to pay for this, and they are formidable: in the learning curve, and the maturity of the tools, and in interoperability with existing solutions. Arcan really deserves wider attention. Its potential is amazing. It’s also all hand-coded by a tiny team. As far as we can tell, there are no coding assistants here. This is the sort of thing the Linux world deserved, not some modest improvement to local 2D desktops that has taken nearly 20 years to reach minimal usability. ®

'Gezin dat gelinkt wordt aan drillrap teistert buurt'

Drillrap, polemiek voor mensen die iets te vaak Dangerous Minds hebben gekeken. Er lopen een zooi van die drillrappers rond in de Bims waar wijken en buurten en flats helemaal Tookie Williams op elkaar gaan. Maar kennelijk slicen ze ook met de blades door de weights (ja geen idee joh) in Zwijndrecht, beter bekend als SWINKO. "Gezin dat gelinkt wordt aan drillrap teistert buurt", kopt de regio-RTV dan ook. "Grof, lelijk, ordinair en vuil, dat braken ze daar uit", aldus buurtgenoten. Het gaat om een moeder met zes kinderen en vooral de oudste zoon blijkt nogal een halvegare. Buurt slaapt niet meer, auto's bekrast, overlast, buurtbewoners bang, politiecamera voor het huis - en die drillrap dus. Burgemeester, politie, gemeente, hulpverlening, OM: allemaal zijn ze er druk mee. En dan komt de aap uit de mouw. "Het gezin in kwestie is vanuit Brabant naar Zwijndrecht gekomen." BRABANDERS!

Vulnerability in FIFA’s Network

FIFA’s network was vulnerable to anyone with even minimal access.

Original

Thomas Hawk posted a photo:

Original

Black Lives Matter

Thomas Hawk posted a photo:

Black Lives Matter

Kabukicho, July 2026.

mikeleonardvisualarts posted a photo:

Kabukicho, July 2026.

Jizo

peaceful-jp-scenery posted a photo:

Jizo

Hasedera Temple
長谷寺

These are the "Good Match Jizo" statues at Hasedera Temple in Kamakura. Apparently, there are three of them located within the temple. I visited Shibuya again over the weekend, stopping by Kamakura on the way.

鎌倉の長谷寺にある良縁地蔵で、境内の3ヶ所にあるそうです。週末は再び渋谷に、鎌倉に寄って行きました。

Kamakura city, Kanagawa pref, Japan

MetaFilter

The past 24 hours of MetaFilter

You couldn't direct the individual bits of molten metal

The tech of Terminator 2: an oral history vfxblog goes back in time with more than a dozen ILMers to discuss the development of key CGI tools and techniques, how they worked with early animation packages like Alias, and how a selection of the most memorable shots in the film—forever etched into the history of visual effects—came to be.