Comments

ResearcherZero November 1, 2025 10:38 PM

Hundreds of Cisco routers that were not updated are waiting to be exploited in Australia.

https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/badcandy

CVE-2023-20198 is a critical vulnerability which can easily be mitigated or patched.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

The privilege escalation vulnerability in Cisco’s IOS XE web UI, with a perfect score of 10.0, has been used to gain access to telecommunications companies by groups such as Salt Typhoon.
https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-prc-cyber-actors-target-telecommunications-companies-global-cyberespionage-campaign
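A check a network team could run over exported running-configs, following the comment above on CVE-2023-20198 (an added example, not part of the comment or of Cisco's tooling). It relies on the linked Cisco advisory's guidance that the web UI is only reachable when the HTTP Server feature is on without the `active-session-modules none` setting, and that the flaw lets an attacker create a privilege 15 local account; the sample configs, hostnames and account names are constructed.

```python
import re

# Constructed running-config excerpts (not taken from any real device).
SAMPLE_EXPOSED = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$constructed
username tmpadmin privilege 15 secret 9 $9$constructed
ip http server
ip http secure-server
ip http authentication local
"""

SAMPLE_MITIGATED = """\
hostname core-rtr-02
username netops privilege 15 secret 9 $9$constructed
no ip http server
ip http secure-server
ip http secure-active-session-modules none
"""

# Local accounts that carry full (level 15) privileges.
PRIV15_USER = re.compile(r"^username\s+(\S+)\s+privilege\s+15\b", re.MULTILINE)
HOSTNAME = re.compile(r"^hostname\s+(\S+)", re.MULTILINE)


def web_ui_exposure(config: str) -> dict:
    """Report whether the web UI is reachable over HTTP and/or HTTPS.

    Exact line matching is used so that 'no ip http server' is never
    mistaken for 'ip http server'.
    """
    lines = {ln.strip() for ln in config.splitlines()}
    http = ("ip http server" in lines
            and "ip http active-session-modules none" not in lines)
    https = ("ip http secure-server" in lines
             and "ip http secure-active-session-modules none" not in lines)
    return {"http": http, "https": https}


def unexpected_admins(config: str, expected: set) -> list:
    """Privilege 15 local users that are not on the team's known list."""
    return sorted(set(PRIV15_USER.findall(config)) - set(expected))


def audit(config: str, expected_admins: set) -> dict:
    """Summarise one device: web UI reachability plus accounts to review."""
    exposure = web_ui_exposure(config)
    host = HOSTNAME.search(config)
    return {
        "hostname": host.group(1) if host else "unknown",
        "web_ui_reachable": exposure["http"] or exposure["https"],
        "exposure": exposure,
        "unexpected_priv15_users": unexpected_admins(config, expected_admins),
    }


if __name__ == "__main__":
    known = {"netops"}  # assumption: the accounts the team actually created
    for cfg in (SAMPLE_EXPOSED, SAMPLE_MITIGATED):
        print(audit(cfg, known))
```

A device that reports `web_ui_reachable` as true still needs the fixed software release; an unexpected privilege 15 account is a reason to treat the device as compromised rather than only misconfigured.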

ResearcherZero November 1, 2025 10:50 PM

Palantir is suing former engineers who worked at the company for starting their own company. Palantir has complained that the product is similar to their own product and claims that its former employees have used tactics of the kind Palantir employed to compete with other software and technology companies and that the new company intends to compete with Palantir by providing a product to governments and businesses in the AI service space.

https://www.businessinsider.com/palantir-lawsuit-employees-ai-startup-general-catalyst-2025-10

not important November 2, 2025 7:21 PM

https://www.yahoo.com/news/articles/scientists-create-time-crystals-visible-150700322.html

=In addition to the beautiful visual effects, these continuous space-time crystals (CSTCs) may have far-reaching applications.

One application is in anti-counterfeiting. Because every crystal develops a unique time-based pattern when illuminated, it becomes a sort of motion fingerprint.

The idea is that in the future, identification cards, currency, and official materials could be created with secret “time watermarks”. Then a user simply shines light on the surface of an identified material and looks for a specific rhythm to verify authenticity.

The team believes CSTCs may also be useful for cryptography and data storage. The researchers can encode information not only through space, like pixels or barcodes, but also through time, by varying the rhythm, or phase, of each oscillation. Essentially, one light-driven patch of material could contain thousands of bits of information per second, all in complex and stable repeating patterns.

The CSTC may inspire and enable a new class of anti-counterfeiting designs, ultra-secure methods of encrypting information, and high-bandwidth data techniques.=

Clive Robinson November 2, 2025 8:45 PM

@ ALL,

I oft mention the failings of short termism in management and how chasing “shareholder value” will kill the company.

A friend pointed out that the actual reason was “accounting rules on margins” that is it really does matter how you paint things rather than what good it does you if you want to keep your job and bonuses.

Anyway they pushed this in my direction,

https://www.cringely.com/2015/06/03/autodesks-john-walker-explained-hp-and-ibm-in-1991/

Some of you might shrug, others go WTF!!! but either way that’s the rules of the game run by the stock markets.

Clive Robinson November 2, 2025 9:31 PM

We don’t live in the Matrix because it can not exist.

I mention from time to time Kurt Gödel’s little “bump in the road” that derailed many trains of thought not just at the time but subsequently.

Well one thing it shows is that as the universe comes from information some of which can not be generated algorithmically it can not come from a deterministic process…

Well someone has written it up as a formal proof,

https://arxiv.org/abs/2507.22950

It does when you think on/about it, open up the notion, that there is something beyond Quantum Computing as well.

Which in turn begs the question will Post QC Crypto need to be replaced for Key Agreement etc.

Clive Robinson November 3, 2025 1:31 PM

@ lurker, ALL,

With regards,

“If you’re having persistent problems with Yahoo, maybe that is local to you.”

It depends on what you mean by “local”.

Increasingly I am seeing issues that are the “fall out” of the UK Gov demanding via the “Online Safety Act” that people give all sorts of personal information including images of Gov Issued Identity documents.

Basically things are just getting “slapped on” by third party organisations badly and without thought. The sites for such companies I either don’t go anywhere near or block.

As you might have heard various charity equivalent organisations such as the internet archives and encyclopedias getting told they have incurred mammoth fines. By an organisation “OfCom” that I personally know to be corrupt at best and certainly some were “on the take” (look up “Clive Corrie” to see one such corrupt individual).

I'm inside your walls November 3, 2025 2:55 PM

The RF Clown: Simple Device Can Freeze Wi-Fi Camera Feeds

Wi-Fi cameras are everywhere these days, with wireless networking making surveillance systems easier to deploy than ever. [CiferTech] has been recently developing the RF Clown—a tool that can block transmissions from these cameras at some range.

The build is based around an ESP32, with three tactile switches and an OLED display for the user interface. The microcontroller is hooked up to a trio of GT-24 Mini radio modules, which feed a bank of antennas on top of the device. Depending on the mode the device is set to, it will command these modules to jam Bluetooth, BLE, or Wi-Fi traffic in the area with relatively crude transmissions.

The use of multiple radio modules isn’t particularly sophisticated—it just makes it easier to put out more signal on more bands at the same time, flooding the zone and making it less likely legitimate transmissions will get through. Specifically, [CiferTech] demonstrates the use case of taking out a Wi-Fi camera—with the device switched on, the video feed freezes because packets from the camera simply stop making it through.

It’s perhaps impolite to interfere with the operation of somebody else’s cameras, so keep that in mind before you pursue a project like this one. Files are on GitHub for the curious. Video after the break.

https://hackaday.com/2025/11/01/simple-device-can-freeze-wi-fi-camera-feeds/

not important November 3, 2025 7:31 PM

@Clive – link on science… is working ok.
@Robin – link on nature have tracking features required accept all cookies.

@all
https://www.yahoo.com/news/articles/zico-kolter-professor-leads-openai-132149666.html

=If you believe artificial intelligence poses grave risks to humanity, then a professor
at Carnegie Mellon University has one of the most important roles in the tech industry
right now.

Zico Kolter leads a 4-person panel at OpenAI that has the authority to halt the ChatGPT
maker’s release of new AI systems if it finds them unsafe. That could be technology so
powerful that an evildoer could use it to make weapons of mass destruction. It could
also be a new chatbot so poorly designed that it will hurt people’s mental health.

“Very much we’re not just talking about existential concerns here,” Kolter said in an
interview with The Associated Press.

“We’re talking about the entire swath of safety and security issues and critical topics that come up when we start talking about these very widely used AI systems.”

“Do models enable malicious users to have much higher capabilities when it comes to
things like designing bioweapons or performing malicious cyberattacks?”

“The impact to people’s mental health, the effects of people interacting with these
models and what that can cause. All of these things, I think, need to be addressed from a safety standpoint.”

“I think very few people, even people working in machine learning deeply, really
anticipated the current state we are in, the explosion of capabilities, the explosion of
risks that are emerging right now,” he said.=

Robin November 4, 2025 3:17 AM

@ not important • November 3, 2025 7:31 PM
” @Robin – link on nature have tracking features required accept all cookies.”

I get a large (half the screen) panel asking about cookies, with “only necessary” being a central and clearly visible option. Apart from that I hope Vivaldi no-tracking options and Privacy Badger mop up the rest.

Maybe what you see depends on where Nature thinks you are? I’m visibly in the EU and without that cookie option Nature would be in expensive trouble. Or maybe your browser blocks the panel?

ResearcherZero November 4, 2025 4:34 AM

Resuming nuclear testing – if underground testing of warheads rather than the current missile tests – will place workers and the public at risk and reignite Cold War tensions.

https://theconversation.com/if-the-us-resumes-nuclear-weapons-testing-this-would-be-extremely-dangerous-for-humanity-268661

Under an executive order, Trump placed control of the regulatory process of the Nuclear Regulatory Commission under the powers of the Office of Management and Budget, leaving residents living near facilities and nuclear workers at higher risk of exposure due to weakened rules as a result of the push to build new plants with a lack of independent oversight.

Many existing plants were under-reporting radiation leaks and worker exposure, including those which were thought to have good safety and never reported incidents at facilities.

Findings from a cohort of nuclear workers that were included in the U.S. Million Person Study suggest safety regulations should be strengthened rather than weakened.

Weakening existing nuclear regulations increases the risk of serious accident or exposure.
https://www.nbcnewyork.com/news/business/money-report/trumps-nuclear-power-push-weakens-regulator-and-poses-safety-risks-former-officials-warn/6339338/

109,000 nuclear workers and an unknown number of residents have been exposed to harmful radiation which can cause illness or death, according to preliminary cancer study findings.
https://thebulletin.org/2025/09/why-a-national-cancer-study-near-us-reactors-must-be-conducted-before-any-new-expansion-of-nuclear-power/

Clive Robinson November 4, 2025 10:30 AM

Microsoft as Malware, blame the other Guy…

This may amuse, it sure did make me smile (which after getting out of hospital was something I was cautious about as “Claret on the carpet” is not an easy later clean).

https://www.theregister.com/2025/11/04/openai_api_moonlights_as_malware/

OpenAI API moonlights as malware HQ in Microsoft’s latest discovery :

Redmond uncovers SesameOp, a backdoor hiding its tracks by using OpenAI’s Assistants API as a command channel

They go on to say,

“Hackers have found a new use for OpenAI’s Assistants API – not to write poems or code, but to secretly control malware.”

In essence they are using it as a covert command and control channel.

It’s a variation of an attack I detailed here using Google Search for a “headless control channel” for controlling bot-nets as they were then called more than a decade ago.

When you sit and think on it, you quickly realise how AI LLM systems are really quite a good vehicle / “data courier” channel for illicit command and control.

The reason I used Google Search way back was because it was “expected network traffic” and most probably would not be blocked. And for various reasons was the easiest game in town at the time.

Things have moved on since then and whilst you can use other services they are usually not quite as easy to abuse as Google was.

So using OpenAI to form a covert command and control channel might sound “Hip-n-Trendy due to AI” it’s actually something that can be done with lots of “Cloud Services”.

As the article’s final paragraph says,

“In an age where everything from HR chatbots to help-desk scripts talks to an API, this won’t be the last time a threat actor turns your favorite cloud tool into their getaway car.”

But then we were all warned about this semi-covert channel / vehicle / data courier “Oh so many long years ago”…

I wonder if it will actually get listened to this time?

To be honest the way the ICT industry works especially through “Marketing and Management” chasing VC funding or stock prices, I suspect not.

not important November 4, 2025 6:16 PM

Will AI mean the end of call centres?
https://www.bbc.com/news/articles/cz913ylq3k3o

=>Legislation currently proposed in the US to move off-shore call centers back to America also requires businesses to disclose the use of AI, and transfer a caller to a human if asked to do so.=

Yes, that is right legislation but bleeping lobbyists could put brakes on it.

I was always curious how call center outside US with foreigners getting access to your PII is legitimate violating your privacy by default.

Moreover, call centers stupid notification of recording Your conversation for training and other purposes WITHOUT granting YOU, customer, the same right of recording just for balance of rights and possible future litigation. And possibility of storage Your voice print for future undisclosed for customer purposes.

ResearcherZero November 4, 2025 10:05 PM

@Clive Robinson

Cloud services and their APIs are great communications channels for all the reasons you cited and the average chump is not very familiar with them which is an added bonus. An well resourced adversary can set up covert operations within an organization without making much noise and nearly all of the activities will look like completely legitimate traffic.

A state-backed actor is exploiting VMware’s AirWatch API to steal Windows logins. The malware is designed to extract details from the browser used by human employees working within the business process outsourcing sector (BPO) and give the attackers access to the business supply chain. There they can then extract information from a large number of downstream customers, monitor these targets and move on through the business environment.

https://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstalk/
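One way a defender could look for the pattern discussed in the two comments above, command traffic riding a cloud API that is otherwise expected on the network (an added example, not from the commenters or the linked reports). It flags processes that are not on a per-API baseline and connections that recur at near-constant intervals; the log format, host and process names, baseline and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: API endpoints the organisation has decided to watch.
WATCHED = {"api.openai.com"}

# Assumption: (destination, process) pairs the organisation expects to see.
BASELINE = {("api.openai.com", "helpdesk-bot.exe")}

# Constructed egress records: "<epoch-seconds> <host> <process> <destination>".
SAMPLE_LOG = """\
100 ws-014 helpdesk-bot.exe api.openai.com
340 ws-014 helpdesk-bot.exe api.openai.com
350 ws-014 helpdesk-bot.exe api.openai.com
900 ws-014 helpdesk-bot.exe api.openai.com
2000 ws-014 helpdesk-bot.exe api.openai.com
0 ws-022 updater-svc.exe api.openai.com
300 ws-022 updater-svc.exe api.openai.com
601 ws-022 updater-svc.exe api.openai.com
899 ws-022 updater-svc.exe api.openai.com
1200 ws-022 updater-svc.exe api.openai.com
1501 ws-022 updater-svc.exe api.openai.com
50 ws-022 browser.exe intranet.example
""".splitlines()


def parse(line):
    """Split one constructed log record into typed fields."""
    ts, host, proc, dest = line.split()
    return int(ts), host, proc, dest


def is_regular(stamps, min_events=5, max_cv=0.1):
    """True when inter-arrival gaps are nearly constant (low variation).

    Uses the coefficient of variation (std-dev / mean) of the gaps; a
    human-driven tool tends to produce bursty, irregular gaps.
    """
    if len(stamps) < min_events:
        return False
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def analyse(lines, baseline=BASELINE, watched=WATCHED):
    """Return one finding per (host, process, destination) worth reviewing."""
    series = defaultdict(list)
    for line in lines:
        ts, host, proc, dest = parse(line)
        if dest in watched:          # everything else is out of scope here
            series[(host, proc, dest)].append(ts)

    findings = []
    for (host, proc, dest), stamps in sorted(series.items()):
        stamps.sort()
        reasons = []
        if (dest, proc) not in baseline:
            reasons.append("process not in baseline")
        if is_regular(stamps):
            reasons.append("regular interval")
        if reasons:
            findings.append({"host": host, "process": proc,
                             "destination": dest, "events": len(stamps),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The destination alone tells the perimeter nothing here, so the signal has to come from which process on which host is talking to it and how; that needs endpoint or proxy telemetry that records the originating process.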

ResearcherZero November 4, 2025 10:34 PM

The Australian government once wanted nuclear weapons and was once considered to be front runner amongst countries looking to acquire them. It then led the push in 1995 to ban nuclear weapons and created the Canberra Commission to call for the abolition of nuclear weapons. The Australian government has since changed its mind again on an outright ban.

https://www.abc.net.au/news/2025-11-03/labor-retreats-from-nuclear-weapons-ban-pledge-four-corners/105959312

The real story itself though is not so simple.

In 1956 Australia attempted to acquire nuclear weapons from the United Kingdom. When that then failed, Australia planned to develop nuclear weapons on its own, after the United States and the United Kingdom instead signed a deal that left Australia alone to pursue another course.

Australia began a secret program to develop a nuclear reactor to produce nuclear weapons. The project named The High Flux Australian Reactor (HIFAR) would be sold to the public as a research reactor for the purpose of one day producing electricity in Australia from nuclear power. Then, in the early 1960’s Australia discussed a secret plan named SEATO plan 4 with the United States to assemble nuclear weapons in Australia.

The plan came undone when the prime minister at the time was later rolled before the project could be fully implemented. Yet the pursuit was not completely abandoned. Electric power was used as the excuse when the multi-purpose Open-pool Australian lightwater reactor was also built at Lucas Heights. Another purpose of Lucas Heights was atomic weapons research.

https://nautilus.org/apsnet/0623a-broinowski-html/

ResearcherZero November 5, 2025 2:13 AM

A very odd decision made by the House would be to strip the FBI of the ability to conduct counterintelligence investigations. The Office of the Director of National Intelligence is a coordinating body, not versed in and equipped at – or legislated to handle such matters.

The FBI has had many decades of experience with counterintelligence and counter-terrorism.
To remove a crucial ability from the FBI at this very time is a foolish and dangerous move.

https://www.nbcnews.com/politics/national-security/fbi-slams-house-proposal-grant-tulsi-gabbard-leading-role-counterintel-rcna240559

The National Security Council was the first department to be purged of experience and is primarily an advisory body. The NSC and ODNI have a very different function than the FBI.
https://www.reuters.com/world/us/us-national-security-council-thinned-by-recent-firings-sources-say-2025-04-24/

As politicians argue, foreign adversaries will be watching carefully and taking advantage.
https://www.forbes.com/sites/emilsayegh/2025/10/16/shutdown-or-meltdown-prolonged-government-lapse-threatens-us-cybersecurity/

Clive Robinson November 5, 2025 6:23 AM

@ not important, ALL,

You ask,

“Will AI mean the end of call centres?”

The simple answer is “Yes and No”

There is a public need for “call centers” hence the “Yes”, but we’ve already seen many become Email and chat groups with few humans involved hence the “No”.

More complicated is the “can we train the custards[1]” to pay for what should be free to all customers who have purchased a product or in other ways boost profit mentality of the bonus hunting C-Suits.

The basic approach is to “cut costs” by where they can getting rid of working humans[2].

This is the aim of “automation” and it’s been going on for way longer than AI has[3].

Thus the basic rule of if your job is vulnerable is,

1, Can you be replaced by automation?

And the answer to that is unless you are pushing the bounds of the unknown in knowledge and creativity, at some point you will be.

But the speed it’s likely to happen is,

1, Are humans in your job cheaper?
2, Are humans in your job more profitable?

Put simply between 1/3 and 2/3rds of jobs in the West are “Makework” and although they can draw upper middle class wages, they are mostly “tedium” as they are basically due to being strongly “rules based” so effectively “mechanical” in nature.

Anything “mechanical” becomes subject to the law of “Force Multipliers” that basically means a machine optimized to a given function will be more “efficient” thus more “productive” than something not optimised like say a human. It is after all why you “drive a car” rather than be “carried in a sedan chair”.

There once used to be a job called “Calculator” their job to do basic maths over and over to find results. The job no longer really exists, same with “Typewriters”. But go back a while and you find the job of Navvy long gone, and quite a few farm jobs. Then semi skilled and even skilled jobs of weavers and masons all replaced by machines.

If you want to see this in action just look at the number of “self checkout machines” that are springing up around you in shops. Being a “till jockey” was never a job that required much… But it provided “productive work at minimum wage” and thus met a need in society. As a teenager it gave me money to get me into college, a second job as a “plate washer” in a restaurant turned me into becoming a chef, again paying my way. Other jobs I picked up turned into trades and professions. As an orphan I had some hard lessons that I would not otherwise have had, had my upper middle class parents lived.

So if we lose those entry level jobs where people “learn the workplace” what are we going to do with them? It’s a question employers are asking even about “graduates” who are “skilled in knowledge” but totally inept in just about everything else.

So the more rules based your job is fundamentally the more vulnerable it is. It’s why not just call center staff but upper middle class professions are the ones that are going to get hit.

That is anything that involves “encyclopedic knowledge” and “pattern matching” is when you think about it little more than a “Database with Search engine” which is all mechanical in nature so can be replaced.

Current LLMs by the way they are designed are just “Databases with Search Engines”…

Thus the professions of Lawyers, Accountants and much of the medical profession are replaceable by LLMs. As are their support staff.

Why we will need to keep them around albeit in much reduced numbers is the “creative side”. In all rules and mechanical systems there are non functions, edge and corner cases, and vulnerabilities. A creative and oft artistic mind will be able to easily outdo an LLM. Because LLMs and the ML that populates them are not designed for “creativity or artistry” only “mimicry of what exists”.

Thus the more “creativity or artistry” your job requires the longer it will last.

So Scientists, Engineers, and some researchers are fairly safe, as are architects. Less so doctors and only some of lawyers and accountants.

The problem nobody is giving voice to is “How do we select and train them”. Politicians talk of “life long learning” but that can not be done if there are no entry level jobs…

And it’s entry level jobs that LLMs and current MLs are replacing…

The US is a classic example of “Offshoring and Outsourcing” and the price paid is the US does not have a “skilled workforce” left.

It’s why I smile ruefully when I hear the “Trumpster blurt out his idiocies” about MAGA, it’s not going to happen for Americans in the next three to 10 generations. Jobs have gone they got optimised and automated out of existence whilst being done abroad. Those left behind in the US don’t have the required skills and they are very unlikely to obtain them because they are “over thirty”.

I could go on about the nest feathering politics but I would get banned 😉

But suffice it to say whilst you can wind back a clock, you can not wind back time.

So “when jobs are gone” after a very short while they are never coming back again…

[1] The term “Custards” comes from amalgamating “Customers and 13astard” which originated with the early sales and call centers. Moved into management and has become a viewpoint of the C Suits in places like Amazon, that the customers should know their place and that is to be exploited for profit not take it away for their legal rights.

[2] As I pointed out many years ago here it’s a short sighted view point. To survive a company or organisation needs money. Where does that money come from that their customers hand over?

Yup ultimately out of the pockets of “people who work”…

So if you lay staff off you are in effect shaving too much off and thus “cutting your own throat”.

[3] Look up the “cotton gin” if you want one example. But in more general terms how the word “Sabotage” came into existence. Sabot is the French word for “Wooden Shoe” and if you throw them into a machine it’s unlikely to fare well. So it literally means “Putting the boot in”. So who were the people throwing their clogs into the system? Those who had lost their jobs to the machines. Those in charge named them luddites to turn the public against them thus make them easier to sanction to hanging or life in jail.

Clive Robinson November 5, 2025 11:09 AM

@ ResearcherZero, ALL,

As you say,

“. An[y] well resourced adversary can set up covert operations within an organization without making much noise and nearly all of the activities will look like completely legitimate traffic.”

However I don’t think “well resourced” is actually a requirement.

Back when I said how to do the Command and Control in an unblockable way by using the “Google Search Engine” it was about the only widely used service, and it was very easy to do so needed warning about.

Because I thought it out in about a half hour and half a day with a laptop had me up and running with a “Proof of Concept”(PoC).

Which is why I only talked about the sending of commands from the “Master” Controller to the “Slave” Bot(s).

What I did not talk about and said as much at the time was the other half of the control channel which was Exfiltrating Data. As it was high bandwidth and contained recognisably confidential information. That is say 1Gbyte of easily recognisable data across the “Organisation Choke Point”(OCP) of the perimeter firewall.

At the time I’d thought up a way to encrypt plaintext as other plaintext so making the Exfiltration Data look benign. I’d also come up with various ways to send the data at times the network was coming off of busy, so it would look like people were just working late (that trick used random pings and looking at the TCP count to gauge traffic flow, this would just appear in the noise of “script kiddy” and similar attacks, so would just get ignored).

The “Hard Resource” part was getting the Exfiltrated Data back to the Controller without using a traceable server that could be blocked etc.

The answer to this is “Hotel WiFi” but needs technology and access and quite a bit of knowledge.

Briefly you would “Fixed Route/Path” or “circuit switch” to the Hotel as a way to another IP address where a fake or even phantom server existed.

The Exfiltrated Data would be “passed through” to the phantom destination. However in passing it got “Teed” into two that which was passing through in a rate controller manner, and stored locally on a SBC and Storage to later “forward” onto the real destination.

I can talk about this now because it’s an unlikely way to do things…

The obvious way is to do what the SigInt agencies have been doing since the Internet got started. Which is to use backdoored routers and just watch normal data flow by, or MitM attack it if “Secure Sockets Layer”(SSL) or similar “link encryption” is in use.

As you’ve previously noted routers are rather more easy to hack than most people thought (or are still daft enough not to get “up to date” on router OS failings to find out).

So watching data flow by is for them and increasingly others “just an easy hack away”. So attack the “upstream router” in the Internet of either the “Target of Interest”(ToI) or the “Destination of Interest”(DoI) if “Hoover it up” bulk surveillance is the desired intent.

The thing everyone forgets in the E2EE traffic for SSL etc is that there are often more than a couple of security end points involved.

But look at it this way the Key Negotiation Protocol makes MiTM attacks at the link layer almost trivial. Because nobody checks if the “End they see” is really the “End they think” it is. Worse they often have no way of reliably knowing.

Thus getting in the middle of a link level protected channel is not that difficult…

What makes this the “preferred route” rather than the “trespass on Target route” is that the data they want just “flows on by” because of “using the cloud” by target organisations…

At the perimeter firewall two things go unremarked,

1, Traffic to a SaaS Cloud Server.
2, Confidential data going to the SaaS Cloud Service.

Because both are “normal operations”.

The attacks are not new and in some circles well known and have been for more than two decades…

Thus the level of required resources has dropped significantly. Likewise the cost of technology has decreased so much in cost it’s almost down to “pocket change”.

So being a “well resourced” attacker is no longer really an issue any more…

pour one out for me November 5, 2025 1:47 PM

UK carriers to block spoofed phone numbers in fraud crackdown

https://www.bleepingcomputer.com/news/security/uk-carriers-to-block-spoofed-phone-numbers-in-fraud-crackdown/

AMD red-faced over random-number bug that kills cryptographic security

https://www.theregister.com/2025/11/05/amd_promises_to_fix_chips/

Uncle Sam wants to scan your iris and collect your DNA, citizen or not

https://www.theregister.com/2025/11/04/dhs_wants_to_collect_biometric_data/

Clive Robinson November 5, 2025 7:03 PM

@ pour one out for me,

With regards the bleeping computer article it says,

“Britain’s largest mobile carriers have committed to upgrading their networks to eliminate scammers’ ability to spoof phone numbers within a year.”

I’m saying,

“It ain’t going to happen.”

Two reasons,

1, The Telecoms companies really do not move that fast.
2, All the spammers have to do is buy a Sim Box or 0800 number.

The first has been demonstrated “Historically” but one of the more recent was “Pulling Chinese manufactured 5G equipment out”.

But there is another point with regards to this, the “Mobile Carriers” don’t own or run the networks they have. They lease them and get the maintenance and updates done by the leasing firms for “Tax Reasons” but more importantly so they can “massage the margins” so they look good to those who buy shares.

So realistically “within a year” does not have a high probability.

But if they do it or not is not really relevant.

Because of the second point. All they need is a UK phone number they can “dial out from” and an Internet or other electronic connection with sufficient anonymity lets say Tor as an example. But it does not really matter as there are hundreds of ways of carrying digitised audio.

All the scammers then need to do is “convert back to audio” and add an old fashioned dialing device that takes a serial line that talks to an “auto dialler”.

This can be conveniently done with a low cost “Digital PBX” on a computer using part of Asterisk or similar.

The point being that the “carriers” can not tell the difference between an international call and a national call…

So the idea is a bit of a bust, if not just a “publicity stunt” any one with sufficient “Historical Technical knowledge” will know this and confirm in detail how to do it.

I used to do something similar with a “Pole-Job” as part of surveillance equipment I designed for UK Government agencies. Trust me it’s not difficult, the biggest per unit cost after the “Safety box” would be line isolation transformers and if you needed it BABT approvals to cross the “Demark”.

Using a variation of a SimBox removes the need for Approvals or line transformers but you are stuck with using the equivalent of mobiles.

However it is common practice currently for the “company 0800 number” to be used even from individual SIMs if they were all registered to the company. Such things are done for “Sales People” who are “on the road”.

Another trick is to use one of these “Push-to-Talk over Cellular radio hand-held devices”(POC).

Currently the way they are billed the Operator is not UK based (even though the SIMs often come from near Scotland).

Because of what they are primarily used for –replacing analogue and digital “mobile radios”– which is for “work men” and other mobile staff. Getting bespoke ID’s is not a problem. And the business behind POC networks being abroad means “a sale is a sale” and they won’t check if it’s the legitimate UK company, because the reality is they can not…

Also registering a company in the UK whilst superficially difficult is actually not difficult, or you can just buy one from any one of the hundreds of “company formations companies”. You then simply change the name with a form you can print off or fill in on-line from “Companies House”. Thus as long as it is unique can be almost anything.

So lets say you want to register “IBM Telecoms” then you can do it if anyone asks you simply say it’s a new subdivision. Even if they want to check with IBM, IBM HQ generally does not have a clue about all the sub companies that get created for Tax / Business / Shareholder reasons. All you then need is a company bank account.

The reason this is so often done is that it “goes in on the other side of the balance sheet” so is seen as an investment from then on and does not negatively affect a large corporate’s margins thus Share Value…

What is “standard practice” is almost always a vulnerability waiting “Exploitation”.

So at the end of the day this is a near meaningless agreement for “Good Publicity” the fact it will be so easily bypassed will be “Somebody else’s problem maybe at some future time” at which point it no longer matters.

ResearcherZero November 6, 2025 6:20 AM

@Clive Robinson

Old bugs in Cisco routers and clunky configuration are particularly good for eavesdropping.

The APIs or functions within libraries that are commonly used by developers also make for a good channel and now threat actors are including LLMs with their malware or using AI to assist with familiarizing themselves with systems, obfuscation techniques and JIT actions.

AI is being used to implement polymorphism into malicious code to produce mutating versions of malware that will change over time, fetched new scripts for evading antivirus detection and regular rewriting of malware source code to assist in avoiding signature detection.

Unlike typical software vulnerabilities, techniques that evolve and are not easily patched.

‘https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools

math

The US government may suffer a loss of revenue designed to pay for tax cuts for the rich. The tariffs had little hope of matching the bill for the tax cuts and are not well suited for raising revenue. The amount tariffs can raise is relatively small compared with GDP.

‘https://www.brookings.edu/articles/tariffs-are-a-particularly-bad-way-to-raise-revenue/

If the tariffs prove unlawful, households will not get back US$1,300 extra they were taxed.
https://apnews.com/article/trump-tariffs-supreme-court-refunds-81432b8fecf6c3183f3aba84a0c07edb

Clive Robinson November 6, 2025 12:04 PM

@ ResearcherZero, ALL,

You make the point of,

“AI is being used to implement polymorphism into malicious code to produce mutating versions of malware that will change over time, fetched new scripts for evading antivirus detection and regular rewriting of malware source code to assist in avoiding signature detection.”

These AI uses are “narrow in scope”, don’t require any reasoning or other “wo wo nonsense” and have a great number of examples in their training set that can be seemingly “mixed and matched” until beyond what many if not most humans think of as “impossibly large”.

Thus yes they have the basic requirements to be a success for developing malware without writing it.

In general all software uses loops, branching, and static linear code. Even at the assembler level there are multiple different instructions or arrangements to make each without changing higher level functioning in the slightest.

Likewise blocks of instructions can have the same function yet be built from different multiple instruction sub-blocks.

And so on up to Scripting languages and apps.

Thus polymorphism does not require reason or intelligence it’s just a form of almost random shuffling.

In fact it is known you can make a stream cipher implement enormous combinations of end assembler code that are in effect uniquely different but perform exactly the same function.

The cipher generates a byte, and this gets used Modulo the number of code or code groups to select which to use.

I’ve used similar techniques myself to “protect code” by putting in the equivalent of a DRM signature using “Low Probability of Intercept”(LPI) techniques back last century.

So using an LLM to do basic polymorphism is actually “overkill”. So as a force multiplier its efficacy would be questionable, even though quite functional.

Where the balance would change is where you start to get well above basic code blocks, and importantly want to mimic another programmer’s “style”. Here AI would be considerably more useful. But the reasons for doing so would be akin to malicious impersonation / fraud for the intent of “fitting up a fall guy”.

Something as an observer I would say is not just bad, but very bad with an intent to harm another deliberately.

I could go through the other things you mention with a very very similar analysis.

That said it’s not something current investigators are going to be likely to consider.

So an interesting future lies in the future for all of us on this.

The power to absorb talents from mere objects using only your mind November 6, 2025 12:30 PM

Microsoft and Microsoft GitHub (and Rust @ Microsoft GitHub) the Future of Ubuntu, They Want the Same for Debian

Canonical seems to have a “soft” spot for back doors and Ubuntu seems to be moving many things to Microsoft, even at GNU’s expense and the GPL’s expense. Ubuntu becomes increasingly dependent on proprietary software that “causes serious security breaches. This reminds us of Microsoft staff that was pushing Mono into Ubuntu and Debian at the same time. Same tactics, different shades.”

“Right now there are Debian Developers who are in fact full-time staff (yes, salaried) of Microsoft. Let that sink in.”

“Ubuntu is not the place to find freedom. Debian is influenced by the decisions made by Ubuntu (Microsoft Canonical), whereas it used to be the other way around, so Arch Linux looks increasingly interesting.”

knowing is half the battle November 6, 2025 2:28 PM

@Grima Squeakersen

@I’m inside your walls re: RFClown “It’s perhaps impolite to interfere with the operation of somebody else’s cameras, so keep that in mind before you pursue a project like this one.”

“In the US, it is more than impolite, it is explicitly illegal.”

Who gives a shit. “TALK HARD!”

Clive Robinson November 6, 2025 2:44 PM

@ ALL,

Is OpenAI “too big to fail” or “too late to stop”

Is an interesting question in theory, but practically either way OpenAI are talking about tax payers bailing them out,

https://garymarcus.substack.com/p/if-you-thought-the-2008-bank-bailout

For those caught up in the hype,

“No”… Current AI LLM and ML System and associated companies claiming “National Security” status are full of hype and bovine tail exhaust.

They can not deliver on their promises and almost certainly never can. In a normal world they would have “slammed into the wall” of bankruptcy long ago.

The only reason they are seen as potentially “too big to fail” is the US Economy has “flat lined” and the only thing making it look alive is all the artificial churn surrounding AI in the Silicon Valley Mega-Corps.

But it’s not “real economic activity” it’s actually an empty “artificial money spiral” where debt is transformed by “accounting tricks” to “investment” thus makes artificial margins for dumb share holders to ‘buy into’ and so becomes pseudo-profit thus faux-value.

There are only so many times that spiral can turn to make churn before it becomes obvious to those primed to “grab and run” leaving nothing but debt and loss behind on their “Sunset Run”.

So is Open AI “too big to fail?”

As an organisation no, its passing would hardly be noticed technology wise. As a debtor probably not, empty barrels float high out of the water but they are far from stable. But… with a precariously faked up US Economy depending on the AI Hype bubble the answer is Yes, as long as the US Economy is crap OpenAI will be a national security concern.

Because if OpenAI goes then so do all the others it has circular investment agreements with (the exception to this most likely is Microsoft but you’d have to dig deep into the legal paper work to determine this. But the way the men at the top are behaving, that is “running or preparing to run” says that maybe the paper work is not that good).

With a major recession pending old wisdom said it was time to go on a “War Footing” and go start one.

But that policy like the one OpenAI is hinting at means it’s the ordinary tax payer that will pay and pay and pay, for considerably less than nothing in return.

The only trick will be how the Fed will get on board to massage it in this time around as “Quantitative Easing” is so 2008.

the 1st rule of fight club November 6, 2025 3:38 PM

FuguIta 7.8 – OpenBSD-based Live System Released!

https://fuguita.org/

FuguIta is a Live System based on OpenBSD.
It inherits almost all of the features of OpenBSD.

It can be booted and used directly from DVD or USB media.
Since it does not affect the internal storage, it is ideal for
trying out or testing OpenBSD.

The operating environment can be saved to storage and reloaded
at the next boot, enabling persistent use.

It also provides a variety of original tools such as desktop
environment installation, live update, and USB media management
(saving environments, remastering, etc.).

FuguIta leverages the simple and robust design philosophy of
OpenBSD to provide a world that can be used for everyday
purposes as well as applied to a wide range of scenarios, from
desktop environments to network appliances.

It aims to respect the user’s freedom to build and shape their
own environment.

Clive Robinson November 6, 2025 6:09 PM

@ knowing is half the battle, ALL,

Your answer to @Grima Squeakersen of,

‘Who gives a shit. “TALK HARD!”’

I assume is based on the fact it’s normally the FCC responsible for,

“Tracking down and stopping intentional interference”

And they have a nearly 20 year reputation of “sitting on their thumbs” and at best only responding to the requests of “Federal Agencies” or agencies that have emergency service communications requirements.

In which case your “TALK HARD” might have had some justification.

However shortly before the “shutdown” they had started going after people who were doing normal things but in abnormal ways.

Things like just firing up the PTT and jabbering nonsense into the band.

It was something I used to do when doing “test, design and repair” back last century.

Unlike some European countries legislation the FCC has a “no transmit at any power” view point, so even testing into a “Dummy Load” is an unlawful act from their view point…

Other nations have a more sensible,

“If it remains within your property boundaries. With a height set at the civil aviation minimum or lower.”

(usually 100m or slightly higher)

So you can’t microwave a large Drone / UAV or light aircraft used for State / Federal Agency surveillance out of the sky either (not sure what the status of lasers, spotlights, or certain types of ionising radiation are).

Which begs the question

“What about a laser pointer faced at the camera lens?”

Most CCTV sensors are particularly sensitive to this, some even to IR laser radiation from a CO2 laser or one of the very modern laser diode based welding machines.

But in the past some criminals have used Home Made “HERF Guns”. Essentially a stripped down microwave magnetron tube, high voltage low current and low voltage high current transformer that happens to work in the two and a half GHz “Industrial Scientific and Medical”(ISM) band.

At short range it will take out some of the electronics quite rapidly thus stopping the CCTV camera operating “for good”.

Which means you can turn the HERF Gun very briefly, just turning it on and off again before anyone can do about it.

In Europe there is also Human Rights legislation that gives you rights to a “Private” Life on non public land and other places so pointing a CCTV camera at someone’s home garden or other space would be an offence and people have been successfully and fairly inexpensively prosecuted for it. There is also in some countries “harassment” legislation which can be dealt with quite rapidly by the police in a couple of hours.

The US really does not have the equivalent the nearest actually being some terrorism legislation.

So there are ways you can potentially get away with things, but it first requires an “Adversary Capability Assessment Before Action”(A-CABA) of your direct adversary and any third party adversary they might bring in. It then becomes an “Observe, Orient, Decide, Act”(OODA) loop action, where you,

“Attack their weaknesses whilst denying them their strengths.”

If you do decide to plan remember the “golden rules” of,

1, Paper, Paper, NEVER Data
2, Write on something hard (like glass in a Picture etc)

Then when done with a page a pocket/kitchen match and ashtray for the pages (remember to grind the ashes then mix with water).

Basically treat things the way you would use a paper based “One Time Pad” encryption system.

This is fairly “standard advice” on basic OpSec techniques I’ve given before.

Clive Robinson November 6, 2025 7:27 PM

@ Bruce,

You might remember the papers “Why Johnny can’t Encrypt” from back last century?

Well at the same time were numerous similar comments and articles about “passwords”.

Well another report on the fact the majority of user selected passwords are bad has been produced, and The Register has an article,

https://www.theregister.com/2025/11/06/most_common_passwords/

My thinking for a couple of decades at least is it’s a human brain problem. It appears to be that for,

“The neuro typical non technical human.”

Their brains are still incapable of doing things securely… Such things being in effect alien to their everyday normality.

Thus it could be said that,

“It’s the human condition at work.”

That gives us such sayings as

“To err is human, but it takes a computer to really fudge things up!”

Whatever the cause “Passwords” had outstayed their welcome over sixty years ago before even “Flower Power”.

And we really should be rid of them.

skeleton November 6, 2025 11:27 PM

RE: FBI Tries to Unmask Owner of Infamous Archive.is Site

I tried to enter an archived URL so you could skip registration in order to read the article but this blog keeps spamming me with message being held for moderation.. ugh.

ResearcherZero November 7, 2025 3:29 AM

The Congressional Budget Office has reportedly been hacked by a foreign adversary.

‘https://www.cnn.com/2025/11/06/politics/congressional-budget-office-hacked-china-suspected

The office handles a large amount of data used in implementing policy decisions.
https://apnews.com/article/congressional-budget-office-hacking-treasury-44b5c3e3f5ce09142b38d6f9ed62d861

Penetrating the office could reveal valuable insight into executive decision making.
https://026magazine.com/congressional-budget-office-cbo-key-functions-and-duties/

ResearcherZero November 7, 2025 4:33 AM

@lurker, skeleton

The service can be used to archive government sites and information that the US government keeps deleting. The FBI may be looking for other purposes than some of the usual activities it used to perform such as counterespionage investigations, when it had a more capable team.

‘https://www.heise.de/en/news/Archive-today-FBI-Demands-Data-from-Provider-Tucows-11066346.html

@Clive Robinson

The easy way to obtain information is to recruit (or place) someone in government and then simply request the information. Performing the act overtly limits the long-term usefulness.
Rather than recruit those better versed in more subtle arts of performance, if the need to get hold of the information is urgent then burning the assets in the process will do.

In times of heightened tensions, suspicious activities may get slightly more attention.

An aide to a member of the European Parliament for the far-right Alternative for Germany has been arrested in Germany on suspicion of “especially severe” espionage for China. The aide works for Maximilian Krah, one of the AfD’s lead candidates, who is currently being investigated for alleged payments from Russia and China. Munich prosecutors have also been investigating a case of money laundering by Petr Bystron, AfD candidate for EU parliament.

‘https://www.spiegel.de/international/germany/afd-spionageaffaere-russland-und-china-im-fokus-neue-enthuellungen-belasten-die-partei-1714480876-a-a1c05e64-b6bc-4c6b-844e-a78a32ec4f91

AfD lawmakers posed extremely detailed questions in a systematic series of inquiries.

The inquiries included details of drone countermeasures and critical infrastructure, gaps in defenses of such assets, German defense capabilities and weaknesses. The AfD allegedly may have used inquiries to gather information in return for payment from Russia and China.

https://www.yahoo.com/news/articles/far-alternative-germany-suspected-systematically-020700778.html

Clive Robinson November 7, 2025 4:42 AM

@ Bruce, ALL,

For some reason we’ve now had another “trip down memory lane” incident just recently.

Or for the superstitious the third of,

“Accidents come in threes”

Or for the more paranoid of those that are still alive of, 007’s “saw” in Ian Fleming’s ‘Goldfinger’ story of

“Once is happenstance.
Twice is coincidence.
Three times is enemy action.”

This “third one” being about the three decades or more long arguments[1] about On Chip RNDs that centers around the Intel designed on chip RND and the resulting “RDRAND” and “RDSEED” x86 instructions.

https://www.theregister.com/2025/11/05/amd_promises_to_fix_chips/

Which kind of makes “enemy action” feel like being about right…

But hey that’s just my “paranoia”, “spidey-sense”, “third eye view” kicking in yet again 😉

[1] Any one else remember the Linus vigorous “head nodding Yes whilst mouth saying No” incident as a reply when asked if he thought On-Chip Real-RNDs in CPU chips were “backdoored” by the NSA?

It is part of the story that goes back into the early 1990’s when Intel + Suspected NSA bodies tried pushing Linux developer Theodore Ts’o to “just use the Intel on chip hardware RND”,

https://web.archive.org/web/20180611180213/https://plus.google.com/117091380454742934025/posts/SDcoemc9V3J

An incident of which Theo later said,

“I am so glad I resisted pressure from Intel engineers to let /dev/random rely only on the RDRAND instruction… Relying solely on the hardware random number generator which is using an implementation sealed inside a chip which is impossible to audit is a BAD idea.[2]”

[2] As I pointed out at a similar time when talking about the Intel Real RND design using two “ring oscillators”… There is a very simple reason to see why it’s “a BAD idea”,

The use of two oscillators mixed in a D-Type latch is a very bad idea, because even with graph paper you can clearly see the result at the output of the latch is a “1bit oversampled sinewave of the difference frequency”. Close in “it looks random” on an oscilloscope, but dial the time base out and you start to see the “bunching” of the waveform be a sinewave[3].

That is put the output through a simple integrator / low pass filter and you get a very good quality sinewave at the difference frequency.

It’s a technique I used way way back when designing a “digital audio signal generator” for a “Radio Test Set”.

[3] I’ve also pointed out that Intel always follow their RND source with a Crypto Algorithm and don’t let you see the real source output which again is a “BAD idea”.

It’s raised the “What are they hiding?” Question a number of times. To which “it’s crap and has no entropy” or “they’re hiding a back door” and some in between answers have been suggested.

As I’ve said before it’s a “BAD idea” because if you think about it for a moment you will see a simple thought experiment of,

“Let’s assume it’s a “1bit quantised sinewave” output, putting it behind a crypto algorithm is “encrypting it” which by definition “Makes the statistics flattened and random looking”.

If you don’t have “the key” then you can not see and sync to the sinewave, but if you do you can…”

So think how much easier it would be if the NSA “had or controlled the key”. Then it could become a NOBUS back door.
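Added illustration, not part of the comment above and not a model of any shipped RNG: a Python simulation of two ideal square-wave oscillators combined in a D-type latch, showing that the raw output passes a ones-count check yet is almost perfectly predictable, while the same bits pushed through a conditioner look statistically flat. The 1003:1000 frequency ratio, the 0.01-cycle jitter and the use of SHA-256 as the conditioner are assumptions chosen for the demonstration.

```python
import hashlib
import random

F_D, F_CLK = 1003, 1000   # constructed ratio: D input runs 0.3% faster than the clock


def latch_bits(n, f_d=F_D, f_clk=F_CLK, jitter=0.0, seed=1):
    """Level of a 50% duty square wave (f_d) captured on each rising clock edge (f_clk).

    jitter is the standard deviation of phase noise, in cycles of the D waveform.
    """
    rng = random.Random(seed)
    bits = []
    for k in range(n):
        phase = (k * f_d % f_clk) / f_clk        # exact integer phase, then scaled
        if jitter:
            phase = (phase + rng.gauss(0.0, jitter)) % 1.0
        bits.append(1 if phase < 0.5 else 0)
    return bits


def condition(bits, block=256):
    """Stand-in conditioner: SHA-256 over each block of raw bits, returned as bits."""
    out = []
    for i in range(0, len(bits) - block + 1, block):
        raw = int("".join(map(str, bits[i:i + block])), 2).to_bytes(block // 8, "big")
        for byte in hashlib.sha256(raw).digest():
            out.extend((byte >> s) & 1 for s in range(7, -1, -1))
    return out


def ones_fraction(bits):
    """Monobit statistic: share of 1s in the stream."""
    return sum(bits) / len(bits)


def repeat_accuracy(bits):
    """Hit rate of the trivial predictor 'next bit equals the current bit'."""
    hits = sum(a == b for a, b in zip(bits, bits[1:]))
    return hits / (len(bits) - 1)


def lowpass_swing(bits, window=64):
    """Peak-to-peak range of a moving average, i.e. a crude integrator."""
    total = sum(bits[:window])
    lo = hi = total
    for i in range(window, len(bits)):
        total += bits[i] - bits[i - window]
        lo, hi = min(lo, total), max(hi, total)
    return (hi - lo) / window


def report(n=16384):
    """(ones fraction, repeat accuracy, low-pass swing) for each stream."""
    raw = latch_bits(n)                      # ideal oscillators, no jitter
    noisy = latch_bits(n, jitter=0.01)       # jitter only matters near beat edges
    cooked = condition(raw)                  # same raw bits after conditioning
    streams = (("raw", raw), ("raw+jitter", noisy), ("conditioned", cooked))
    return {name: (ones_fraction(b), repeat_accuracy(b), lowpass_swing(b))
            for name, b in streams}


if __name__ == "__main__":
    for name, (ones, repeat, swing) in report().items():
        print(f"{name:12s} ones={ones:.3f} repeat={repeat:.3f} swing={swing:.2f}")
```

The practical check that follows is to run health tests on the raw noise samples, because statistical tests on conditioned output say nothing about the entropy underneath.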

Winter November 7, 2025 5:35 AM

@Clive

OpenAI are talking about tax payers bailing them out,

One “positive” thing that came out of the 2008-2011 bailouts was the decision that a taxpayer bailout would henceforth mean a nationalization of the failed company without compensation. If you cannot go bankrupt, you become the property of the tax payers that bail you out.

This has been done with a few European banks at the time.

If Sam wants to get bailed out by the tax payers, he and all his investors will lose their money.

Clive Robinson November 7, 2025 11:29 AM

@ Winter,

With regards,

“This has been done with a few European banks at the time.”

You forgot the important one, the Icelandic, Ireland, Spain, and others decision to prosecute and jail even the “seniors” as well as fines sequestrate of any and all assets (in some cases I’m told they concluded “in wife’s name” was money laundering and got the assets, not sure if any of the wives did time or not (but they should have)).

It sent quite a message at the time,

And for one of them in Italy they are still under imprisonment.

The FT “pink-un” did a piece on it some years back,

‘https://ig.ft.com/jailed-bankers/

Prior to this such “self entitled” people assumed no matter what they did they could “buy their way out”…

But not having any money corporately or personally took most options off the table so in Iceland I’ve been told they “turned on each other” in hopes of “consideration”.

It would be interesting to see the state of their economies today v those of countries just tut tuted and let them walk away.

Clive Robinson November 7, 2025 12:05 PM

@ ResearcherZero,

As you note,

The easy way to obtain information is to recruit (or place) someone in government and then simply request the information.

We’ve seen quite a bit of this in the UK since the 1960’s.

Mostly not “civil servants” but “Cabinet Ministers, their aides, Members of Parliament and their researchers”…

Due to the House of Commons running databases from a company I worked for I got to “visit the bowels of the building” and other places, with “free rein” like wild stallion on open ground. Whilst I was not a “card carrier” some one else at one of our distributors was. He had many war stories of what went on.

So later seeing stories of people throwing powder down on MP’s and the Prime Minister did not surprise me in the slightest. The levels of security were, once inside the door, obscenely low, and the “get the intern to do it” attitude with highly classified information was endemic. As for the then network it was ridiculously insecure at best.

But it never really improved… a decade ago the head of GCHQ gave evidence to a select committee. He pointed out that the “Harold Wilson Doctrine” rules had no legal status, and that all cross the border communications had “collect it all” in place. Which did not appear to upset many MPs until it was noted that the “outsourced” Office and EMail to “Microsoft Cloud” was in Eire (Southern Ireland) so every key stroke and more had been recorded by GCHQ… And Microsoft and god alone knows who else…

See,

https://en.wikipedia.org/wiki/Wilson_Doctrine

And the 1980’s book “Spy Catcher” by Peter Wright.

Winter November 7, 2025 12:41 PM

@Clive

You forgot the important one, the Icelandic, Ireland, Spain, and others decision to prosecute and jail even the “seniors” as well as fines sequestrate of any and all assets

Although I welcome taking the responsible persons to court for their misdeeds, these were basically just hired guns, hit men. Their employers can always hire new hit men.

Those who hired them were the investors and shareholders who were also the beneficiaries when things went well. They are best punished by taking away their ill gotten gains and anything they invested in this bad business.

It would be interesting to see the state of their economies today v those of countries just tut tuted and let them walk away.

Look at the USA. They set the example of tut tutying

Clive Robinson November 8, 2025 3:15 AM

@ Winter,

You indicate,

“Although I welcome taking the responsible persons to court for their misdeeds, these were basically just hired guns”

Whilst I agree with this, the problem is “crossing the divide”.

That is the long history of stocks and shares which started in our two countries have many what we would call “gapping techniques” in security.

Each of these gaps are designed such that a couple of hierarchical structures are formed.

The first is that of “implicit control” nothing is said or directly communicated. But “investment comes with strings” that get as far as the law is concerned “invisibly pulled”[1]. That is control and “power over” goes down but liability can not cross back up. One term that you will see for this in other circumstances is “externalising risk”.

From this directly comes the other hierarchy which is the taking of money from the company to the various layers of investors.

It was this second hierarchy that was used to create the sub-prime mortgage crisis that caused the consequent Financial Crisis. With certain people walking away with “Fees” that were high “initially” at something like 30% but seen as being very small when amortized across 20 years etc. The reality was a washing of bad debt into what looked like –but were not– good longterm investments that would for the perpetrators give very large “up front” money they disappeared with “like thieves in the night” by various other “gap tricks”.

There is well over four centuries of bending legislators into making the law such that there are such “gaps” possible. And many made sense historically.

But like the old joke/story of the man “smuggling donkeys”, you have to as an authority be able to recognize all the tricks and stamp on them.

Therefore ultimately it’s the “regulatory process and authorities” and their failings that are the real causes of nearly all the “fiscal woes” with “the buck stopping” at the legislators.

It’s one reason why I say that “Money should be taken out of politics”, and “All legislation should have ‘sun set clauses'” built in.

But of course with saying,

“They are best punished by taking away their ill gotten gains and anything they invested in this bad business.”

You risk being “Hung, Drawn, and Quartered” by the real offenders of those who are true believers in “The Capitalist Way”.

Of course I’m awaiting that fate from having noted that,

“Any way you look at it the ‘Great American Dream’ is only possible by theft and other capital crimes.”

And further noting,

“Something that the democracy hating Founding Fathers –who were thieving land grabbers and English lawyers– absolutely knew.”

The truth is they wanted a “Kingdom” but without a King except as a figure head. They looked at every one else as a “Detestable Rabble” that should have no say, and be as “serfs or slaves”, with “their labours taxed” to pay for the Barons and their enforcing “guard labour”.

To compound my crime 😉 I’ve also given detail to events from American History, that have had the details left out in US Schools.

Thus the “American Way” is,

Commit your crimes and lie to not just cover them up, but make them look like they were necessary for the good of all… Wash rinse and repeat.

Whilst this is not unique to the US it is one of the more illustrating examples, as current events more than amply demonstrate.

[1] Set up your own company for “investors” and you will soon find out the more traditional “requirements” and a whole bunch of “third parties” will tell you makes you attractive or not to investors. You could call this “the little finger” from “the hidden hand” of “the market”. It’s one of the unstated reasons for share “buy backs”.

To avoid this quite a few long term successful companies use a different process of raising capital by “mortgages” and similar that are viewed as “assets buying in” rather than “organisations buying in”. Thus the lender only gets to see a very limited amount of information about the company and exert little or no control on it as long as it pays the agreed sums for the term. It’s also fairly easy to account it as an investment, and in most places you can also use it as a way to “hide value”, that is you write it down on the books for ever at the “mortgage price” not the “current market value” (also buying and selling property or constructing it does not attract VAT in many places).
