The Register

Biting the hand that feeds IT — Enterprise Technology News and Analysis

World Cup grudge attackers may have scored Argentine FA access via year-old infostealer infection

Hudson Rock says the suspected compromise of the Argentine Football Association (AFA) may be linked to an infostealer infection nearly a year earlier. The incident appears to be the work of an aggrieved football fan, or group of them, after Argentina eliminated Egypt from the World Cup round of 16. Egypt's coach and football association complained about several refereeing and VAR decisions, which they said contributed to the result. The compromise of AFA's systems was spotted after mass emails were sent from legitimate domains stating that Argentina "stole" the win from Egypt and that "the robbery will not go unnoticed." Hudson Rock said it found evidence of an infostealer infection dating back to September 8, 2025, on a device belonging to an AFA software developer who had been employed at the governing body for nearly a decade. The security shop operates a database of known infostealer victims, and noted that the compromised machine was added to its database the following day. Whoever was behind the attack, which was claimed by "All Egyptian Cyber Warriors," they either sat on the credentials for nearly a year, or sought them out after Egypt were controversially eliminated from the World Cup. Once they procured the credentials and authenticated themselves into the AFA's systems, Hudson Rock said they "likely had profound administrative control." This would have included direct access to phpMyAdmin database management panels, root access to certain AFA databases, access to the management portal of AFA's training HQ, the AFA media portal, and its competition management system. After looking at the stolen credentials in their database, the researchers said that weak, easily guessable passwords were reused across several internal systems. In addition to the compromised emails sent from AFA's management and admin portal (afasistemas.com.ar), Hudson Rock spotted a number of posts made to cybercrime forums advertising the body's data for sale. According to the advertisements, the data related to staff, professional clubs, and the AFA's external media partners. The samples appeared to include internal email addresses, phone numbers, user roles, and registration timestamps, as well as listings for access to AFA subdomains. Passwords were also among the data, although much of them were securely hashed. However, a small portion were in plaintext, which Hudson Rock said suggests "a significant security oversight." "The AFA breach is a textbook example of how devastating a single, unmitigated infostealer infection can be," the security outfit said. "A compromised machine belonging to a developer with high-level access highly likely handed a threat actor direct database administration rights and the ability to send authenticated internal emails. "Because the stolen credentials sat dormant for months, the organization was lulled into a false sense of security, completely unaware of the ticking time bomb in their network infrastructure." The AFA told reporters on Friday that it was investigating the compromise with its IT team after many received the emails sent by the intruders. "There is a possibility that our account has been subject to unauthorized access," the AFA stated. "We are currently working to clarify the situation and implement the necessary security measures." ®

HTTP gets a QUERY method so complex searches can stop pretending to be POST

"Idempotent" may be jargon, but the term performs an important job in HTTP as a hall pass that gives reverse proxies and gateways the go-ahead to cache complex query responses and automatically retry failed requests. HTTP has long allowed automatic retries for idempotent methods, but complex queries are often sent using POST, which intermediaries cannot safely assume is retryable. Developers have worked around that limitation for decades. The Internet Engineering Task Force (IETF) has published a new HTTP request method, QUERY (RFC 10008), joining familiar methods including GET, POST, PUT, and PATCH. In development since 2021, the QUERY request method provides a way for an HTTP client to make an idempotent request to an HTTP server. An idempotent request has the same intended effect whether it is sent once or multiple times (so retrying it should not charge a user's credit card again). The specification defines QUERY as safe and idempotent, and the solution was surprisingly simple. "Thanks to QUERY, we finally have functional HTTP caching for complex requests. Proxies, CDNs, and browsers can now cache requests with a body. This is huge for performance," writes developer Elie Treport in a recent blog post. Query operations have traditionally used the GET method. HTTP defines GET as safe and idempotent, as it made no changes to the server itself, but GET becomes awkward when the query data is too large or complex for a URI. The idea behind GET was to load all the necessary query parameters onto the form's URL, resulting in a very long string that the browser sent to the server. Many search services still work this way, appending query parameters to the URL after a question mark. Those URLs can expose sensitive data through browser histories, server logs, and bookmarks. Festooned with nested filters, sort rules, date ranges, and other database flotsam, GET URLs can become unwieldy. HTTP recommends support for URIs of at least 8,000 octets, but there is no universal maximum, so an oversized URL may be rejected by any of the systems it passes through. Long query strings are also a pain to read and debug. Faced with these Franken-URLs, many developers turned to POST instead. POST can carry query data in the request body, but its semantics do not tell intermediaries that the operation is safe and idempotent. The method is more commonly associated with operations such as submitting form data, uploading a PDF, or creating and modifying resources. For a basic HTML form, switching to moves the encoded form data from the URL into the request body. Crafty developers soon began placing complex query payloads, often encoded as JSON, in POST request bodies and having their applications process the responses. Many APIs adopted the pattern; GraphQL, for example, commonly uses POST for queries, although it also supports GET. It was a hack, though. This was not what POST was designed for. HTTP defines POST as neither safe nor idempotent by default. A POST request could change the server's state. And this is why internet networking software treats POST far more delicately than GET. Intermediaries generally cannot reuse POST responses for later POST requests or automatically retry POST without knowing the operation is idempotent. If the message fails, the browser or gateway will not resend it, necessitating intervention from either the user or the app. QUERY's long road to adoption So basically, QUERY combines request content similar to POST with explicitly safe and idempotent query semantics. No longer will the query URL need to be appended beyond recognition, but, like POST, apps and browsers will get a dedicated space to put their complex query data. Unlike POST, QUERY is a read-only operation, and hence receives the IETF's blessing as idempotent, freeing up HTTP clients and intermediaries to cache and resend QUERY requests after a connection failure. A QUERY request does not ask or expect the server to change the state of the target resource. It's just there to ask a question. Cloudflare and Akamai engineers co-wrote RFC 10008. Both companies provide edge caching for large clients. German internet engineering firm greenbytes also contributed. As a new standard, QUERY still has limited support. The HTML forms standard still only understands GET and POST for ordinary form submission, so it will need to be updated even before the browsers get on board. The good news is that the Web Hypertext Application Technology Working Group is already on the case. However, a whole ecosystem of network software still doesn't understand QUERY and may reject requests using an unfamiliar method. Reverse proxies, load balancers, content delivery networks, API gateways, firewalls, and web frameworks will all need to be updated. "The pattern one would expect is the same seen with other HTTP methods and headers that became standard over the last twenty years: first server-side adoption and dev tools, then consolidation in frameworks, and finally, more slowly, native browser support and JavaScript APIs like fetch()," wrote open source developer Daniele Teti in a blog post. Teti noted that Node.js is adding support in its HTTP module, and the Go programming language is ahead of the game because it can already send custom HTTP methods. Elsewhere, the PHP framework Laravel is already ingesting QUERY. But, as with IPv6, the IETF faces an uphill battle to get the HTTP ecosystem on the same page. ®

Slashdot

News for nerds, stuff that matters

Japan's Space Agency Conducts First Test Flight For Experimental Reusable Rocket

"Japan's experimental reusable rocket took off and safely landed in a first test flight Saturday," reports the Associated Press, as Japan "seeks to achieve the technology key to cut launch costs and compete in the global space market dominated by SpaceX."


The RV-X rocket lifted off, hovered and moved horizontally before landing [watch the video here] during its less than one-minute flight at the Japan Aerospace Exploration Agency's Noshiro Testing Center in northeastern Japan, which was livestreamed by the NVS, a group of space fans...
Saturday's flight is a step forward for Japan in achieving the technology needed to develop a lower cost successor to the country's current mainstay, single-use H3 series.

Japan's test comes the same week that China recovered an orbital booster rocket for the first time.

Read more of this story at Slashdot.

Potenramvrije zones tijdens Pride Amsterdam

pride amsterdam

Nadat 'jongens op fatbikes' geprobeerd hebben een bezoeker van Amersfoort Pride tot hetero te rammen staat iedereen weer op de achterste.. euh, poten. Niet prettig, zo met de grootse Amsterdam Pride voor de deur. En het gaat met de LHBTI-acceptatie in Nederland zó goed, dat er in Amsterdam potenramvrije zones zijn ingericht. "Als je als lhbti'er wordt lastiggevallen, kun je in Amsterdam straks in 35 hotels met beveiliging terecht. Ook plekken als het Stedelijk Museum, De Nieuwe Kerk en het stadsarchief zijn aangesloten. 'Je bent daar in ieder geval veilig en iemand helpt je verder'." Wat natuurlijk goedbedoeld en fijn is, maar besef: tijdens de Pride in onze lieve, vrije, homovriendelijke en supertolerante hoofdstad Amsterdam moeten specifieke plekken worden aangewezen en ingericht waar je als homo 'in ieder geval veilig' bent. Sad.

Vanillasludge posted a photo:

Lately More or Less

Thomas Hawk posted a photo:

Lately More or Less

I Wandered Out Into the Water

Thomas Hawk posted a photo:

I Wandered Out Into the Water

Kama River Kyoto

rohantstevens posted a photo:

Kama River Kyoto

MetaFilter

The past 24 hours of MetaFilter

Surprisingly elastic

If Foucault is inescapable, then he is also, perversely, elusive: both celebrated and reviled, sometimes by people in the same political camp. He's been called a relativist, a reactionary, a faux-radical, an anarchist, a nihilist and an idealist, among many other things. Foucault himself took pleasure in being hard to pin down. [NY Times; ungated (note: archive site)]

AI Data Centers and the Concentration of Wealth

This essay was written with Nathan E. Sanders, and originally appeared in The Guardian.

Opposition to AI data centers has emerged as a primary theme in US politics, one that—surprisingly—doesn’t fall along party lines. We applaud people coming together for constructive debate on any issue, and agree that communities need to evaluate whether any economic benefits these data centers bring is worth their costs. Still, we worry that a focus on data centers obscures the larger impacts of AI on people’s lives: the concentration of power of AI companies, and their widespread political and financial influence.

Local data center opposition is grounded in legitimate concerns about misallocation of land resources when housing is at a premium, pressures on already higher energy prices, and localized environmental impact. Unlike other resource-consuming and polluting industrial facilities, data centers produce very few jobs. The fact that US opposition to data centers seems to be most fierce among lower-income communities reflects righteous indignation with an inequitable bargain, where tech companies and developers profit from exploiting local resources but offer little in return. On a global scale, their carbon footprint could grow unsustainably if usage accelerates. And all this is in aid of a technology that many fear will propagate misinformation, take their jobs, or even cause existential risks for humanity.

For some, data center opposition may feel like the only tangible mechanism for registering their concern, disapproval, or even anger about AI. The problem is that this may be exactly what the AI companies are banking on. They can overcome the protest when it matters to them, and live with a significant fraction of proposals being defeated. More importantly, focusing political opponents on the data center issue obscures the bigger prize they’re after.

While there is a staggering three-quarters of a trillion dollars being spent on data center infrastructure by US companies this year alone, this investment should be taken in perspective. The market for enterprise software, for example, is about twice this size. And it’s small compared with what these companies actually want.

AI companies have their eyes set on capturing all the value created by entire industries. The technology has arguably already conquered customer service and consumer sales. But on the horizon are bigger targets, such as enterprise software development, creative design, management and even legal services. In AI companies and their allies’ vision of the future, AI replaces teachers and doctors. The companies would rather spend time fighting resistance to how fast they are building computing infrastructure than dealing with issues of how their products should be used in those fields, or how those fields should be protected from their products.

And while data center opposition campaigns have been successful in building widespread appeal, their effectiveness in the US is mixed. They seem to be most successful when organizing against speculative, early-stage data center proposals that have a relatively low likelihood to ever see fruition. Meanwhile, advanced-stage, well-capitalized data center projects have proven to have the resources to overcome local opposition. An OpenAI- and Oracle-backed facility in Saline township, Michigan, is breaking ground on construction even after local officials voted to reject it. The developers sued the town of 3,000 and forced a settlement that involved their project going forward. Meanwhile, the Trump administration, a vigorous ally of corporate AI, has signaled its willingness to advance AI infrastructure development by overriding state objections and even using federal lands.

Also consider that rampant data center development may be a momentary spike rather than a longstanding concern. Demand for the centralized computing that data centers provide may well decline over time. The leading Chinese labs, such as Z.ai, are innovating in technical mechanisms to make frontier-class models smaller and cheaper to run. AI power users have become adept at miniaturizing open weight models, ones published free for anyone to download and use, to run locally on their own computers. Apple and Google both support infrastructure stacks for running AI models directly on mobile phones. It could be that the current mania for data centers will look like the fiber optic cable bubble from the early 2000s, as demand shifts to smaller models and AI usage on people’s own devices.

For those concerned primarily with affordability and environmental protection, singling out data center construction is misplaced. Energy rates and inflation today seem to be most visibly affected by the US-Iran war. The US is disinvesting in long-term energy security by ceding the renewable energy industry to China and actively cancelling climate commitments. Consider that 10% of global carbon emissions stem from heating buildings, which dwarfs energy use by AI and could be cut fivefold by using heat pumps powered by renewable energy. With respect to housing affordability, federal housing subsidies have changed little over three decades, in inflation-adjusted terms, even as housing costs have spiked and homeowners have enjoyed robust tax incentives.

As for AI itself, the concentration of power and wealth in these tech companies is the greatest existential risk facing society today. This means we must limit corporate power, especially corporations’ ability to exploit the public and manipulate our political system.

Opposing data centers should be just a starting point. We can advocate for states to regulate AI, to reject irresponsible uses of the technology, and shape corporate behavior. We can fight for AI computation to be taxed, so that the public can capture some of the profit of AI use while also forcing AI companies to internalize more of the energy and environmental consequences associated with its use. And we all can join the global movement for Public AI, an alternative ecosystem for AI that is developed under public control with an incentive structure to create public benefit rather than private profit.

The US midterm elections present ample opportunity for those seeking to control the AI political agenda. In the recent New York congressional Democratic primary, PACs linked to the dueling AI companies Anthropic and OpenAI spent millions of dollars lobbying for or against “AI safety“, the idea that we must urgently monitor and prevent people from using AI to cause catastrophic harms. We’re already seeing a similar dynamic play out in races in Massachusetts and other states.

Why would Anthropic and OpenAI—bitter industry rivals but fundamentally on the same side politically—support opposing viewpoints? Because they both ultimately profit from the mystique: the idea that their products are so powerful that controlling those products is the world’s most important challenge. Here’s the typical read on the dynamic. To one side (backed by OpenAI affiliates), “safety” comes from the appearance of US industry dominating AI innovation, under the slow-moving control of federal lawmakers (and without pesky state regulators in the way). To the other side (backed by Anthropic), “safety” means a heavier regulatory framework that plays to Anthropic’s posturing as the ethics- and compliance-focused AI vendor. In both cases, it’s more marketing than principled concern about safety.

Political organizers should call out and reject the AI companies’ framing of the debate, and reorient campaign agendas around populist resistance to corporate concentration of wealth and power. When AI companies pump millions into legislative races, the result should not be hyperbolic discussion of AI superintelligence. And when a plot of land in a small town is pitched as a data center site, the debate should be about more than the local costs and benefits. It should include out-of-control money in politics, and Citizens United-proof solutions to limit corporate influence like public financing and state regulation.

We all have a vested interest in what’s on the policy agenda, and what the outcomes are. Today, the greatest risk AI poses to society is the exacerbation of inequality and the concentration of wealth. The real problem is trillion-dollar AI companies and their trillionaire oligarchs cozying up to political power in Washington and governments worldwide, and using their money to enact their agenda over the popular will of the people. This is the issue we’d like to see put front and center, and it requires solutions much more extensive than slowing data center development.