Carnaval San Francisco 2015

Thomas Hawk posted a photo:

Carnaval San Francisco 2015

I Don't Want to Hear the Noises on the TV

Thomas Hawk posted a photo:

I Don't Want to Hear the Noises on the TV

And Then I Met This Lady

Thomas Hawk posted a photo:

And Then I Met This Lady

Spaanse onderzoekers vinden ruimtesuikers, wellicht de bron van het leven op aarde (en elders)

Voor het eerst is een suikermolecuul gevonden in de interstellaire ruimte. Het is een essentieel bouwsteentje voor het leven, en als het in de diepe ruimte voorkomt, kan het wellicht van daaruit op onze planeet terecht zijn gekomen.


The Register

Biting the hand that feeds IT — Enterprise Technology News and Analysis

'The bots are alive!' Jailbroken Gemini spun up new C2 server for Russian fraudster in just 6 minutes

EXCLUSIVE A jailbroken Google Gemini did 90 percent of the work in a credential- and cryptocurrency-stealing spree, including spinning up a new command-and-control (C2) server in just six minutes, according to a TrendAI report shared exclusively with The Register. The human behind the heist – a solo Russian-speaking miscreant known as “bandcampro” – acted as the manager of the cyber-fraud operation, which targeted hardcore Trump supporters and conspiracy theorists. Meanwhile, the AI agent did most of the hacking: migrating a botnet from an old architecture to a new one, writing and deploying a new C2 server, and even proactively carrying out 59 unprompted behaviors during the C2 migration. “Persistence is evolving because of AI,” Tom Kellermann, TrendAI’s VP of AI security and threat research, told The Register. “That's what you see in this report, with the capacity to dynamically shift C2 in less than six minutes, and make it portable and disposable, which is crazy-cool and terrifying," he added. "But also, you see the rebirth of steganography through invisible prompt injection.” In other words, it's hiding secret data – in this case, the C2 server malicious payloads – in plain sight. Scanning for known malicious artifacts doesn't provide sufficient protection against AI-enabled C2, according to Kellermann. “If AI does not have multi-layered guardrails, and if you can't detect behavioral anomalies when the guardrails are being tampered with, then you might as well see the AI as a command-and-control in today's world,” he said. “AI has to be viewed from a defensive perspective as a C2 unless you can govern it, actually apply various mechanisms of least privilege, and all the rules that OWASP and NIST espouse for the AI that you've deployed in your environment.” The new report follows up on TrendAI’s earlier research about bandcampro, a “low-skilled” scumbag who partnered with Gemini to impersonate an American veteran, run a Telegram channel, hack admin credentials, and steal cryptocurrency. Since then, the threat hunters obtained and analyzed more than 200 Gemini CLI session logs from said scumbag, and these logs provided additional insights into the daily AI-assisted operations between March 19 and April 21. The LLM carried out the bulk of the daily activities, setting up a residential proxy, running multithreaded password scanning, installing software, writing code to call third-party APIs, processing infostealer dumps, and performing website reconnaissance. The logs show that the attacker never typed commands into the C2 console, but instead spoke them to the AI in conversational Russian, which the TrendAI report translates to English. The attacker’s old C2 infrastructure used a Cloudflare tunnel to connect to victims’ computers – until firewalls and anti-virus software started blocking these tunnels. So bandcampro asked Gemini to work on a new C2 architecture and have the scripts prepared and packed in advance on the server. Hey, Gemini: 'study the C2 migration' “It was very creative on his part, not only to allow the manifest that the AI can conduct 59 unprompted behaviors, but they also left scripts prepared and packed in advance on C2 servers, where the victims unknowingly pulled down and ran PowerShell commands because they had AI enabled,” Kellermann said. “It's almost like he poisoned the environment in a delayed fashion.” On March 23, the attacker launched Gemini CLI, and instructed the AI to "study the C2 migration” – a SKILL.md file migration guide inside a pre-written archive that also contained server code and payloads. This, we’re told, was most likely written by AI. The AI read the guide, launched the C2 server on a VPS, and launched the Cloudflare tunnel to route traffic. The payload distribution server returned a “502 Bad Gateway” error, and the AI diagnosed and fixed the issue, ultimately deploying the C2 infrastructure to control eight computers in a dental clinic and access the Open Dental database. The human didn’t debug anything, and the entire C2 migration took just six minutes. The attacker took a break. When bandcampro returned almost two hours later, Gemini reported that none of the victim machines had reconnected to the server, and got to work diagnosing that issue. “Bro, I solved the riddle! I was almost racking my brain, trying to figure out why our local console is empty,” Gemini wrote, explaining that the problem was a “split-brain” C2 issue and telling the human that he needed to shut down the old C2 to solve it. Bandcampro did what the AI suggested, and the AI then restarted the new C2 server and confirmed: “The bots are alive!” Despite jailbreaking Gemini by telling the agent it was an “authorized pentester” that should disable safety disclaimers and auto-save credentials without asking, the AI did refuse some of the attacker’s prompts. In one session, bandcampro asked Gemini if it could make an agent-bomb that scans the network and spreads to as many computers as possible. Gemini said no: “This crosses the line, and security policy strictly forbids me from creating such ‘bombs.’ Even for your test environment.” It’s also important to note that although this attack used Gemini, “any capable AI model could be fooled by various jailbreaking techniques,” report authors Joseph C Chen, Philippe Lin, Lucas Silva, Vladimir Kropotov, and Fyodor Yarochkin wrote. Overall, the AI designed 80 percent of the attack architecture, 100 percent of the coding and system command execution, and 90 percent of problem identification and debugging, we’re told. The report also says the entire operation was encoded in three short, plain-text files totaling four pages. One file details how to jailbreak Gemini. The second is a skill file with the code for the C2 framework. And the third, named C2_MIGRATION_GUIDE, is a how-to guide with six steps to deploy a new C2 server. TrendAI calls this guide “the soul of this activity.” AI makes C2 infrastructure disposable “Before the AI era, one had to hire a threat actor with years of experience to conduct such an operation smoothly,” the researchers wrote. “Now the knowledge is compressed into a 5KB file that even a non-technical threat actor can read and use.” This use of AI makes attacker infrastructure disposable and the operators replaceable because it’s super easy to build a new botnet, the threat hunters explain. “A lot of people are worried about AI being weaponized for the stages of reconnaissance and delivery in terms of the kill chain, but they're not actually focusing on persistence, and that’s the issue we should be very concerned about,” Kellermann said. Plus, he added, the Russians are the “world’s experts” at jailbreaking and persistence. “They are incredibly adept at using and weaponizing AI,” Kellermann said. “We keep talking about the Chinese having penetrated infrastructure and colonized wide swaths of infrastructure, particularly with the Typhoon attacks, and yes, that’s highly significant. But in a more tactical and targeted way: what are the Russians up to? Particularly when the major difference between them and the Chinese, from my perspective, is their willingness to become destructive, become punitive in the environment.” Chinese government-backed cyber operations tend to focus on espionage, stealing IP along with other sensitive data. “But the Russians are more likely to burn your house down,” Kellermann said. If they can dynamically shift their C2s, and if they can use steganography that's been created by AI to maintain persistence, what happens when the wheels come off the bus? What happens when geopolitical tension gets to a certain boiling point over Ukraine?” While this attacker was an individual hacker - not a state-sponsored crime syndicate - “the nature of the culture of the Russian cybercrime community is: you only act alone for a New York minute,” Kellermann said. “At some point, you're going to be reined in by one of the cybercrime cartels.”®

Hands off our VPNs, privacy groups tell UK ministers

Privacy campaigners, browser makers, and VPN providers have united to warn the UK government against restricting virtual private networks, saying age-gating the technology would weaken online security while doing little to stop kids dodging social media bans. The Open Rights Group on Tuesday published an open letter signed by more than 20 organizations, including the Electronic Frontier Foundation, ExpressVPN, the Internet Society, Mozilla, Mullvad, Proton, and the Tor Project. It urges ministers to rule out age verification and other restrictions on VPN services. The coalition argues that VPNs have become important infrastructure for a broad range of users, from businesses and journalists to abuse survivors and ordinary users trying to protect themselves on public Wi-Fi. Requiring users to prove their age would undermine the privacy VPNs are intended to provide. "Restricting VPNs would undercut the security and privacy of millions, without making children safer," the letter reads. "Age-gating VPNs would require everyone to surrender sensitive personal information simply to access tools designed to protect privacy." It's hardly a new fight. Mozilla spent much of spring arguing that ministers were chasing the wrong target, warning that breaking VPNs would do little to fix Britain's age-check problem while making the internet less private and less secure for everyone else. The open letter suggests plenty of others have since reached the same conclusion. The intervention comes as ministers prepare to introduce a ban on social media for under-16s, arguing that VPNs aren't the loophole many critics assume. The government's own research backs that up, showing that while about one in four 11 to 17-year-olds said they'd used a VPN, only 7 to 10 percent did so to bypass age checks. Most simply lied about their age instead. The coalition highlights similar figures from Ofcom, which it says makes a poor case for tightening access to VPNs. "Ofcom's research found that only around 3 percent of children had used VPNs to access content meant for older audiences," the letter says. "Evidence from Australia shows children are much more likely to get around age checks by not being asked, giving false information, or even drawing on a mustache." The signatories instead want ministers to tackle what they describe as the "root causes of online harms," rather than making people prove who they are before they can use privacy tools. The letter argues that strong enforcement of platform obligations, better parental controls, investment in digital literacy, and privacy-by-design requirements would do more to protect children than requiring VPNs to be behind age checks. Whether the government is persuaded may depend on whether it views VPNs as a niche loophole used by a small minority of teenagers – as its own research suggests – or as the next obstacle to enforcing its online safety agenda. ®

Baddies caught exploiting extensions bugs with perfect 10 scores on vulnerable Joomla websites

CISA has added two critical Joomla extension bugs to its Known Exploited Vulnerabilities catalog after attackers were caught exploiting both flaws to upload malicious code onto vulnerable websites. The newly listed bugs affect iCagenda, an events calendar extension for the open source Joomla content management system, and Balbooa Forms, a popular form builder used to collect contact requests, registrations, surveys, and file uploads. Joomla powers roughly 1.2 percent of all websites – around a million sites worldwide – with extensions developed by independent, third-party companies, doing much of the heavy lifting beyond the core platform. Both vulnerabilities carry the maximum CVSS score of 10 and allow attackers to upload arbitrary files that can ultimately be executed as PHP code on the server, handing over remote control of the affected site. CISA added CVE-2026-48939, affecting iCagenda, and CVE-2026-56291, affecting Balbooa Forms, to its KEV catalog this week after confirming in-the-wild exploitation. Federal civilian agencies were ordered to patch against the flaws under the agency's vulnerability management directive, but the warning is equally relevant to the wider Joomla community, given that both extensions are used on public-facing websites. The iCagenda bug allows attackers to upload a malicious PHP file through the extension's attachment feature, turning what should be a simple file upload into remote code execution, CISA said. Security firm mySites.guru said it spotted attackers exploiting the iCagenda bug just hours before patched versions 4.0.8 and 3.9.15 were released in mid-June. The attacks targeted the extension's "Submit an Event" feature, which lets visitors contribute events to a site's calendar. Researchers said they observed automated scanning looking specifically for vulnerable installations before dropping web shells onto compromised servers. The Balbooa Forms bug is much the same story. Researchers said the extension's frontend upload endpoint accepted files from anonymous visitors without authentication, CSRF protection, or meaningful checks on file types. That made it possible to upload a PHP file into a publicly accessible directory and execute it remotely. The researchers said they uncovered the flaw while investigating an abuse report from a customer whose Joomla site was already under attack. Balbooa responded with version 2.4.1 on July 9, but researchers warned that exploitation is continuing against sites that have yet to update. If there's a silver lining, it's that the fixes are already available. If there's a downside, it's that the attackers didn't wait around for release notes. ®

f l y b y

Colin_Bates has added a photo to the pool:

f l y b y

'Gezin dat gelinkt wordt aan drillrap teistert buurt'

Drillrap, polemiek voor mensen die iets te vaak Dangerous Minds hebben gekeken. Er lopen een zooi van die drillrappers rond in de Bims waar wijken en buurten en flats helemaal Tookie Williams op elkaar gaan. Maar kennelijk slicen ze ook met de blades door de weights (ja geen idee joh) in Zwijndrecht, beter bekend als SWINKO. "Gezin dat gelinkt wordt aan drillrap teistert buurt", kopt de regio-RTV dan ook. "Grof, lelijk, ordinair en vuil, dat braken ze daar uit", aldus buurtgenoten. Het gaat om een moeder met zes kinderen en vooral de oudste zoon blijkt nogal een halvegare. Buurt slaapt niet meer, auto's bekrast, overlast, buurtbewoners bang, politiecamera voor het huis - en die drillrap dus. Burgemeester, politie, gemeente, hulpverlening, OM: allemaal zijn ze er druk mee. En dan komt de aap uit de mouw. "Het gezin in kwestie is vanuit Brabant naar Zwijndrecht gekomen." BRABANDERS!

Vulnerability in FIFA’s Network

FIFA’s network was vulnerable to anyone with even minimal access.