<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/28/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>The Quantum Apocalypse Is Coming. Be Very Afraid</title><link>https://nsaneforums.com/news/security-privacy-news/the-quantum-apocalypse-is-coming-be-very-afraid-r28399/</link><description><![CDATA[<h3>
	What happens when quantum computers can finally crack encryption and break into the world’s best-kept secrets? It’s called Q-Day—the worst holiday maybe ever.
</h3>

<p>
	<span class="lead-in-text-callout">One day soon,</span> at a research lab near Santa Barbara or Seattle or a secret facility in the Chinese mountains, it will begin: the sudden unlocking of the world’s secrets. Your secrets.
</p>

<p>
	 
</p>

<p>
	Cybersecurity analysts call this Q-Day—the day someone builds a <a href="https://www.wired.com/story/quantum-computing-is-dead-alive" rel="external nofollow">quantum computer</a> that can crack the most widely used forms of encryption. These math problems have kept humanity’s intimate data safe for decades, but on Q-Day, everything could become vulnerable, for everyone: emails, text messages, anonymous posts, location histories, bitcoin wallets, police reports, hospital records, power stations, the entire global financial system.
</p>

<p>
	 
</p>

<p>
	“We’re kind of playing Russian roulette,” says Michele Mosca, who coauthored the most recent “Quantum Threat Timeline” report from the <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://globalriskinstitute.org/publication/2024-quantum-threat-timeline-report/" href="https://globalriskinstitute.org/publication/2024-quantum-threat-timeline-report/" rel="external nofollow" target="_blank">Global Risk Institute</a>, which estimates how long we have left. “You’ll <em>probably</em> win if you only play once, but it’s not a good game to play.” When Mosca and his colleagues surveyed cybersecurity experts last year, the forecast was sobering: a one-in-three chance that Q-Day happens before 2035. And the chances it has <em>already</em> happened in secret? Some people I spoke to estimated 15 percent—about the same as you’d get from one spin of the revolver cylinder.
</p>

<p>
	 
</p>

<p>
	The corporate AI wars may have stolen headlines in recent years, but the quantum arms race has been heating up too. Where today’s AI pushes the limits of classical computing—the kind that runs on 0s and 1s—quantum technology represents an <a href="https://www.wired.com/story/quantum-computing-explained/" rel="external nofollow">altogether different form of computing</a>. By harnessing the spooky mechanics of the subatomic world, it can run on 0s, 1s, or anything in between. This makes quantum computers pretty terrible at, say, storing data but potentially very good at, say, finding the recipe for a futuristic new material (or your email password). The classical machine is doomed to a life of stepwise calculation: Try one set of ingredients, fail, scrap everything, try again. But quantum computers can explore many potential recipes <em>simultaneously</em>.
</p>

<p>
	 
</p>

<p>
	So, naturally, tech giants such as Google, Huawei, IBM, and Microsoft have been chasing quantum’s myriad positive applications—not only for materials science but also communications, drug development, and market analysis. China is plowing vast resources into <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://itif.org/publications/2024/09/09/how-innovative-is-china-in-quantum/" href="https://itif.org/publications/2024/09/09/how-innovative-is-china-in-quantum/" rel="external nofollow" target="_blank">state-backed efforts</a>, and both the US and the European Union have pledged millions in funding to support homegrown quantum industries. Of course, whoever wins the race won’t just have the next great engine of world-saving innovation. They’ll also have the greatest code-breaking machine in history. So it’s normal to wonder: What kind of Q-Day will humanity get—and is there anything we can do to prepare?
</p>

<p>
	 
</p>

<p>
	If you had a universal picklock, you might tell everyone—or you might keep it hidden in your pocket for as long as you possibly could. From a typical person’s vantage point, maybe Q-Day wouldn’t be recognizable as Q-Day at all. Maybe it would look like a series of strange and apparently unconnected news stories spread out over months or years. London’s energy grid goes down on election day, plunging the city into darkness. A US submarine on a covert mission surfaces to find itself surrounded by enemy ships. Embarrassing material starts to show up online in greater and greater quantities: classified intelligence cables, presidential cover-ups, billionaires’ dick pics. In this scenario, it might be decades before we’re able to pin down exactly when Q-Day actually happened.
</p>

<p>
	 
</p>


<p>
	Then again, maybe the holder of the universal picklock prefers the disaster-movie outcome: everything, everywhere, all at once. Destroy the grid. Disable the missile silos. Take down the banking system. Open all the doors and let the secrets out.
</p>

<p>
	 
</p>

<p>
	<span class="lead-in-text-callout">Suppose you ask</span> a classical computer to solve a simple math problem: Break the number 15 into its smallest prime factors. The computer would try all the options one by one and give you a near-instantaneous answer: 3 and 5. If you then ask the computer to factor a number with 1,000 digits, it would tackle the problem in exactly the same way—but the calculation would take millennia. This is the key to a lot of modern cryptography.
</p>

<p>
	 
</p>

<p>
	Take RSA encryption, developed in the late 1970s and <a href="https://www.wired.com/story/rsa-encryption-signature-validation-flaws/" rel="external nofollow">still used</a> for securing email, websites, and much more. In RSA, you (or your encrypted messaging app of choice) create a private key, which consists of two or more large prime numbers. Those numbers, multiplied together, form part of your public key. When someone wants to send you a message, they use your public key to encrypt it. You’re the only person who knows the original prime numbers, so you’re the only person who can decrypt it. Until, that is, someone else builds a quantum computer that can use its spooky powers of parallel computation to derive the private key from the public one—not in millennia but in minutes. Then the whole system collapses.
</p>

<p>
	 
</p>

<p>
	The algorithm to do this already exists. In 1994, decades before anyone had built a real quantum computer, an AT&amp;T Bell Labs researcher named Peter Shor designed the killer Q-Day app. Shor’s algorithm takes advantage of the fact that quantum computers run not on bits but on qubits. Rather than being locked in a state of 0 or 1, they can exist as both simultaneously—in superposition. When you run an operation on a handful of qubits in a given quantum state, you’re actually running that same operation on those same qubits in <em>all</em> their potential quantum states. With qubits, you’re not confined to trial and error. A quantum computer can explore all potential solutions simultaneously. You’re calculating probability distributions, waves of quantum feedback that pile onto each other and peak at the correct answer. With Shor’s algorithm, carefully designed to amplify certain mathematical patterns, that’s exactly what happens: Large numbers go in one end, factors come out the other.
</p>

<p>
	 
</p>

<p>
	In theory, at least. Qubits are incredibly difficult to build in real life, because the slightest environmental interference can nudge them out of the delicate state of superposition, where they balance like a spinning coin. But Shor’s algorithm ignited interest in the field, and by the 2010s, a number of projects were starting to make progress on building the first qubits. In 2016, perhaps sensing the nascent threat of Q-Day, the US National Institute for Standards and Technology (NIST) launched a competition to develop <a href="https://www.wired.com/story/quantum-proof-encryption-is-here-but-theres-a-catch/" rel="external nofollow">quantum-proof encryption algorithms</a>. These largely work by presenting quantum computers with complex multidimensional mazes, called structured lattices, that even they can’t navigate without directions.
</p>

<p>
	 
</p>


<p>
	In 2019, Google’s quantum lab in Santa Barbara claimed that it had <a href="https://www.wired.com/story/quantum-supremacy-google-microsoft-ibm/" rel="external nofollow">achieved “quantum supremacy.”</a> Its 53-qubit chip could complete in just 200 seconds a task that would have taken 100,000 conventional computers about 10,000 years. Google’s latest quantum processor, Willow, has 105 qubits. But to break encryption with Shor’s algorithm, a quantum computer will need thousands or even millions.
</p>

<p>
	 
</p>

<p>
	There are now hundreds of companies trying to build quantum computers using wildly different methods, all geared toward keeping qubits isolated from the environment and under control: superconducting circuits, trapped ions, molecular magnets, carbon nanospheres. While progress on hardware inches forward, computer scientists are refining quantum algorithms, trying to reduce the number of qubits required to run them. Each step brings Q-Day closer.
</p>

<p>
	 
</p>

<p>
	That’s bad news not just for RSA but also for a dizzying array of other systems that will be vulnerable on Q-Day. Security consultant Roger A. Grimes lists some of them in his book <em>Cryptography Apocalypse</em>: the DSA encryption used by many US government agencies until recently, the elliptic-curve cryptography used to secure cryptocurrencies like Bitcoin and Ethereum, the VPNs that let political activists and porn aficionados browse the web in secrecy, the random number generators that power online casinos, the smartcards that let you tap through locked doors at work, the security on your home Wi-Fi network, the two-factor authentication you use to log in to your email account.
</p>

<p>
	 
</p>

<p>
	Experts from one national security agency told me they break the resulting threats down into two broad areas: confidentiality and authentication. In other words, keeping secrets and controlling access to critical systems. Chris Demchak, a former US Army officer who is a professor of cybersecurity at the US Naval War College and spoke with me in a personal capacity, says that a Q-Day computer could let an adversary eavesdrop on classified military data in real time. “It would be very bad if they knew exactly where all of our submarines were,” Demchak says. “It would be very bad if they knew exactly what our satellites are looking at. And it would be very bad if they knew exactly how many missiles we had and their range.” The balance of geopolitical power in, say, the Taiwan Strait could quickly tilt.
</p>

<p>
	 
</p>

<p>
	Beyond that real-time threat to confidentiality, there’s also the prospect of “harvest now, decrypt later” attacks. Hackers aligned with the Chinese state have reportedly been hoovering up encrypted data for years in hopes of one day having a quantum computer that can crack it. “They wolf up everything,” Demchak told me. (The US almost certainly does this too.) The question then becomes: How long will your sensitive data remain valuable? “There might be some needles in that haystack,” says Brian Mullins, the CEO of Mind Foundry, which helps companies implement quantum technology. Your current credit card details might be irrelevant in 10 years, but your fingerprint won’t be. A list of intelligence assets from the end of the Iraq War might seem useless until one of those assets becomes a prominent politician.
</p>

<p>
	 
</p>

<p>
	The threat to authentication may be even scarier. “Pretty much anything that says a person is who they say they are is underpinned by encryption,” says Deborah Frincke, a computer scientist and national security expert at Sandia National Laboratories. “Some of the most sensitive and valuable infrastructure that we have would be open to somebody coming in and pretending to be the rightful owner and issuing some kind of command: to shut down a network, to influence the energy grid, to create financial disruption by shutting down the stock market.”
</p>

<p>
	 
</p>

<div class="GenericCalloutWrapper-tojWn iNCMJD callout--has-top-border" data-event-boundary="click" data-event-click='{"pattern":"GenericCallout"}' data-in-view='{"pattern":"GenericCallout"}' data-include-experiments="true" data-testid="GenericCallout">
	<div class="AssetEmbedAssetContainer-eJxoAx dBHGoQ asset-embed__asset-container">
		<span class="SpanWrapper-umhxW jvZaPI responsive-asset AssetEmbedResponsiveAsset-cXBNxi eCxVQK asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cWuUZO dUOtEa AssetEmbedResponsiveAsset-cXBNxi eCxVQK asset-embed__responsive-asset responsive-image" style=""><img alt="Conceptual illustration of a burning satellite" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/67dad4b2bd09d605587bfa02/master/w_960,c_limit/WIRED-FOC-HappyQ-Day-NicholasLaw-03.jpg"></picture></span>
	</div>

	<div class="CaptionWrapper-jSZdqE fJvQtP caption AssetEmbedCaption-fNQBPI dDrfgT asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
		<em><span class="BaseWrap-sc-gjQpdd BaseText-ewhhUZ CaptionCredit-ejegDm iUEiRd isTgyB fNaHcW caption__credit">Illustration: Nicholas Law</span></em>
	</div>

</div>

<p>
	<span class="lead-in-text-callout">The exact level</span> of Q-Day chaos will depend on who has access to the first cryptographically relevant quantum computers. If it’s the United States, there will be a “fierce debate” at the highest levels of government, Demchak believes, over whether to release it for scientific purposes or keep it secret and use it for intelligence. “If a private company gets there first, the US will buy it and the Chinese will try to hack it,” she claims. If it’s one of the US tech companies, the government could put it under the strict export controls that now apply to AI chips.
</p>

<p>
	 
</p>

<p>
	Most nation-state attacks are on private companies—say, someone trying to break into a defense contractor like Lockheed Martin and steal plans for a next-generation fighter jet. But over time, as quantum computers become more widely available, the focus of the attacks could broaden. The likes of Microsoft and Amazon are already offering researchers access to their primitive quantum devices on the cloud—and big tech companies haven’t always been great at policing who uses their platforms. (The soldier who blew up a Cybertruck outside the Trump International Hotel in Las Vegas early this year queried ChatGPT to help plan the attack.) You could have a bizarre scenario where a cybercriminal uses Amazon’s cloud quantum computing platform to break into Amazon Web Services.
</p>

<p>
	 
</p>

<p>
	Cybercriminals with access to a quantum computer could use it to go after the same targets more effectively, or take bigger swings: hijacking the SWIFT international payments system to redirect money transfers, or conducting corporate espionage to collect kompromat. The earliest quantum computers probably won’t be able to run Shor’s algorithm that quickly—they might only get one or two keys a day. But combining a quantum computer with an artificial intelligence that can map out an organization’s weakness and highlight which keys to decrypt to cause the most damage could yield devastating results.
</p>

<p>
	 
</p>

<p>
	And then there’s Bitcoin. The cryptocurrency is exquisitely vulnerable to Q-Day. Because each block in the Bitcoin blockchain captures the data from the previous block, Bitcoin cannot be upgraded to post-quantum cryptography, according to Kapil Dhiman, CEO of Quranium, a post-quantum blockchain security company. “The only solution to that seems to be a hard fork—give birth to a new chain and the old chain dies.”
</p>

<p>
	 
</p>

<p>
	But that would require a massive organizational effort. First, 51 percent of Bitcoin node operators would have to agree. Then everyone who holds bitcoin would have to manually move their funds from the old chain to the new one (including the elusive Satoshi Nakamoto, the Bitcoin developer who controls wallets containing around $100 billion of the cryptocurrency). If Q-Day happens before the hard fork, there’s nothing to stop bitcoin going to zero. “It’s like a time bomb,” says Dhiman.
</p>

<p>
	 
</p>

<p>
	<span class="lead-in-text-callout">That bomb going</span> off will only be the beginning. When Q-Day becomes public knowledge, either via grim governmental address or cheery big-tech press release, the world will enter the post-quantum age. It will be an era defined by mistrust and panic—the end of digital security as we know it. “And then the scramble begins,” says Demchak.
</p>

<p>
	 
</p>

<p>
	All confidence in the confidentiality of our communications will collapse. Of course, it’s unlikely that everyone’s messages will actually be targeted, but the perception that you could be spied on at any time will change the way we live. And if NIST’s quantum-proof algorithms haven’t rolled out to your devices by that point, you face a real problem—because any attempts to install updates over the cloud will also be suspect. What if that download from Apple isn’t actually from Apple? Can you trust the instructions telling you to transfer your crypto to a new quantum-secure wallet?
</p>

<p>
	 
</p>

<p>
	Grimes, the author of <em>Cryptography Apocalypse</em>, predicts enormous disruptions. We might have to revert to Cold War methods of transmitting sensitive data. (It’s rumored that after a major hack in 2011, one contractor purportedly asked its staff to stop using email for six weeks.) Fill a hard drive, lock it in a briefcase, put someone you trust on a plane with the payload handcuffed to their wrist. Or use one-time pads—books of pre-agreed codes to encrypt and decrypt messages. Quantum-secure, but not very scalable. Expect major industries—energy, finance, health care, manufacturing, transportation—to slow to a crawl as companies with sensitive data switch to paper-based methods of doing business and scramble to hire expensive cryptography consultants. There will be a spike in inflation. Most people might just accept the inevitable: a post-privacy society in which any expectation of secrecy evaporates unless you’re talking to someone in person in a secluded area with your phones switched off. Big Quantum is Watching You.
</p>

<p>
	 
</p>

<p>
	The best-case scenario looks something like Y2K, where we have a collective panic, make the necessary upgrades to encryption, and by the time Q-Day rolls around it’s such an anticlimax that it becomes a joke. That outcome may still be possible. Last summer, NIST released its first set of post-quantum encryption standards. One of Joe Biden’s <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.federalregister.gov/documents/2025/01/17/2025-01470/strengthening-and-promoting-innovation-in-the-nations-cybersecurity" href="https://www.federalregister.gov/documents/2025/01/17/2025-01470/strengthening-and-promoting-innovation-in-the-nations-cybersecurity" rel="external nofollow" target="_blank">last acts as president</a> was to sign an executive order changing the deadline for government agencies to implement NIST’s algorithms from 2035 to “as soon as practicable.”
</p>

<p>
	 
</p>

<p>
	Already, NIST’s post-quantum cryptography has been rolled out on messaging platforms such as Signal and iMessage. Sources told me that sensitive national security data is probably being locked up in ways that are quantum-secure. But while your email account can easily be Q-proofed over the internet (assuming the update doesn’t come from a quantum imposter!), other things can’t. Public bodies like the UK’s National Health Service are still using hardware and software from the 1990s. “Microsoft is not going to upgrade some of its oldest operating systems to be post-quantum secure,” says Ali El Kaafarani, the CEO of PQShield, a company that makes quantum-resistant hardware. Updates to physical infrastructure can take decades, and some of that infrastructure has vulnerable cryptography in places it can’t be changed: The energy grid, military hardware, and satellites could all be at risk.
</p>

<p>
	 
</p>

<p>
	And there’s a balance to be struck. Rushing the transition risks introducing vulnerabilities that weren’t there before. “How do you make transitions slow enough that you can be confident and fast enough that you don’t dawdle?” asks Chris Ballance, CEO of Oxford Ionics, a quantum computing company. Some of those vulnerabilities might even be there by design: Memos leaked by Edward Snowden indicate that the NSA may have inserted a backdoor into a pseudorandom number generator that was adopted by NIST in 2006. “Anytime anybody says you should use this particular algorithm and there’s a nation-state behind it, you’ve got to wonder whether there’s a vested interest,” says Rob Young, director of Lancaster University’s Quantum Technology Centre.
</p>

<p>
	 
</p>

<p>
	Then again, several people I spoke to pointed out that any nation-state with the financial muscle and technical knowledge to build a quantum device that can run Shor’s algorithm could just as easily compromise the financial system, the energy grid, or an enemy’s security apparatus through conventional methods. Why invent a new computing paradigm when you can just bribe a janitor?
</p>

<p>
	 
</p>

<p>
	Long before quantum technology is good enough to break encryption, it will be commercially and scientifically useful enough to tilt the global balance. As researchers solve the engineering challenge of isolating qubits from the environment, they’ll develop exquisitely sensitive quantum sensors that will be able to unmask stealth ships and map hidden bunkers, or give us new insight into the human body. Similarly, pharma companies of the future <em>could</em> use quantum to steal a rival’s inventions—or use it to dream up even better ones. So ultimately the best way to stave off Q-Day may be to share those benefits around: Take the better batteries, the miracle drugs, the far-sighted climate forecasting, and use them to build a quantum utopia of new materials and better lives for everyone. Or—let the scramble begin.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/q-day-apocalypse-quantum-computers-encryption/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of February): 874</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">28399</guid><pubDate>Mon, 24 Mar 2025 18:00:55 +0000</pubDate></item><item><title>Cloudflare now blocks all unencrypted traffic to its API endpoints</title><link>https://nsaneforums.com/news/security-privacy-news/cloudflare-now-blocks-all-unencrypted-traffic-to-its-api-endpoints-r28394/</link><description><![CDATA[<p>
	Cloudflare announced that it closed all HTTP connections and it is now accepting only secure, HTTPS connections for api.cloudflare.com.
</p>

<p>
	 
</p>

<p>
	The move prevents unencrypted API requests from being sent, even accidentally, to eliminate the risk of sensitive information being exposed in cleartext traffic before the server closes the HTTP connection and redirects to a secure communication channel.
</p>

<p>
	 
</p>

<p>
	“Starting today, any unencrypted connection to api.cloudflare.com will be completely rejected,” reads <a href="http://blog.cloudflare.com/https-only-for-cloudflare-apis-shutting-the-door-on-cleartext-traffic/" rel="external nofollow" target="_blank">Cloudflare’s announcement</a> on Thursday.
</p>

<p>
	 
</p>

<p>
	“Developers should not expect a 403 Forbidden response any longer for HTTP connections, as we will prevent the underlying connection to be established by closing the HTTP interface entirely. Only secure HTTPS connections will be allowed to be established” - the internet services company added.
</p>

<p>
	 
</p>

<p>
	The Cloudflare API helps developers and system administrators to automate and manage Cloudflare services. It is used for DNS records management, firewall configuration, DDoS protection, caching, SSL settings, infrastructure deployment, accessing analytics data, and managing zero-trust access and security policies.
</p>

<p>
	 
</p>

<p>
	Previously, Cloudflare systems allowed API access over both HTTP (unencrypted) and HTTPS (encrypted), either by redirecting or rejecting HTTP.
</p>

<p>
	 
</p>

<p>
	However, as the company explains, even rejected HTTP requests may leak sensitive data like API keys or tokens before the server responds.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Secrets leaked from blocked request" class="ipsImage" height="525" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/March/leak.jpg">
		<figcaption>
			<em>Secrets leaked from blocked request<br>
			Source: Cloudflare</em>
		</figcaption>
	</figure>
</div>

<p>
	Such a scenario is more dangerous when the connection is over public or shared Wi-Fi networks where adversary-in-the-middle attacks are easier to pull off.
</p>

<p>
	 
</p>

<p>
	By disabling HTTP ports entirely for API access, Cloudflare blocks plaintext connections at the transport layer before any data is exchanged, enforcing HTTPS from the start.
</p>

<h2>
	Impact and next steps
</h2>

<p>
	The change immediately affects anyone using HTTP on the Cloudflare API service. Scripts, bots, and tools relying on the protocol will break.
</p>

<p>
	 
</p>

<p>
	The same applies to legacy systems and automated clients, IoT devices, and low-level clients that don’t support or don’t default to HTTPS due to improper configuration.
</p>

<p>
	 
</p>

<p>
	For customers with websites on Cloudflare, the company is preparing to release a free option towards the end of the year that will disable HTTP traffic in a safe way.
</p>

<p>
	 
</p>

<p>
	Cloudflare data indicates that roughly 2.4% of all internet traffic passing through its systems, a small but significant share, still uses the insecure HTTP protocol. When <a href="https://radar.cloudflare.com/explorer?dataSet=http&amp;groupBy=http_protocol&amp;filters=botClass%253DLikely_Automated" rel="external nofollow" target="_blank">automated traffic</a> is taken into account, the HTTP share jumps to nearly 17%.
</p>

<p>
	 
</p>

<p>
	Customers can track HTTP vs HTTPS traffic on their dashboard under Analytics &amp; Logs &gt; Traffic Served Over SSL before opting in, to estimate the impact it will have on their environment.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/cloudflare-now-blocks-all-unencrypted-traffic-to-its-api-endpoints/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28394</guid><pubDate>Mon, 24 Mar 2025 04:12:00 +0000</pubDate></item><item><title>Discord heightens ad focus by introducing video ads to mobile apps in June</title><link>https://nsaneforums.com/news/security-privacy-news/discord-heightens-ad-focus-by-introducing-video-ads-to-mobile-apps-in-june-r28360/</link><description><![CDATA[<h3>
	Discord looks for more ways to make money ahead of expected IPO.
</h3>

<p>
	Discord’s mobile app will have video ads starting in June, the company announced today. The initial pilot for the video ads, which Discord calls Video Quests on Mobile, will offer advertisers the ability to “showcase trailers, make impactful announcements, and highlight premium content” to users, Discord said.
</p>

<p>
	 
</p>

<p>
	Discord was a <a href="https://www.judiciary.senate.gov/imo/media/doc/2024-01-31_-_testimony_-_citron.pdf" rel="external nofollow">proudly ad-free</a> platform until March 2024, when it <a href="https://arstechnica.com/gadgets/2024/04/discord-starts-down-the-dangerous-road-of-ads-this-week/" rel="external nofollow">introduced ads to its desktop and console</a> apps. Those ads offer Discord users rewards for PC games if they play certain games or get people to watch a stream of their gameplay through Discord. Discord followed up with Video Quests, which let developers show Discord users video ads, like trailers and announcements of new seasons and downloadable content. Discord users see prompts for both types of ads on the bottom-left side of their screen and can choose to expand or ignore them.
</p>

<p>
	 
</p>

<p>
	Discord users can also opt out of personalized promotions and “hide an in-app promotion for a specific Quest or game you’re not interested in,” <a href="https://support.discord.com/hc/en-us/articles/22225719947543-Discord-Quests-FAQ#h_01HVPBZR5FP77BF55STCFXMRS9" rel="external nofollow">Discord said</a>.
</p>

<p>
	 
</p>

<p>
	In June, users of Discord’s mobile apps will see Video Quest advertisements on the bottom of the screen as depicted below:
</p>

<p>
	 
</p>

<div class="ars-lightbox align-fullwidth my-5">
	<div class="ars-gallery-1-up my-5">
		<div class="ars-lightbox-item relative block h-full w-full overflow-hidden rounded-sm">
			<img alt="Discord-Video-Quests-on-Mobile-Image-5.p" aria-labelledby="caption-2083644" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/03/Discord-Video-Quests-on-Mobile-Image-5.png">
			<div class="pswp-caption-content" id="caption-2083644">
				<em>First, the ad prompt appears. </em>

				<div class="ars-gallery-caption-credit">
					<em><em>Discord </em></em>
				</div>

				<div class="ars-gallery-caption-credit">
					 
				</div>
				<em> </em>
			</div>
		</div>
	</div>

	<div class="flex flex-col flex-nowrap gap-5 py-5 md:flex-row">
		<div style="flex-basis: calc(49.875822953418% - 10px);">
			<div class="ars-lightbox-item relative block h-full w-full overflow-hidden rounded-sm">
				<img alt="Discord-Video-Quests-on-Mobile-Image-1.p" aria-labelledby="caption-2083640" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/03/Discord-Video-Quests-on-Mobile-Image-1.png">
				<div class="pswp-caption-content" id="caption-2083640">
					<em>This is what the prompt looks like expanded. </em>

					<div class="ars-gallery-caption-credit">
						<em><em>Discord </em></em>
					</div>
					<em> </em>
				</div>
			</div>

			<div class="md:hidden">
				 
			</div>
		</div>

		<div class="flex-1">
			<div class="ars-lightbox-item relative block h-full w-full overflow-hidden rounded-sm">
				<img alt="Discord-Video-Quests-on-Mobile-Image-2.p" aria-labelledby="caption-2083641" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/03/Discord-Video-Quests-on-Mobile-Image-2.png">
				<div class="pswp-caption-content" id="caption-2083641">
					<em>If users click "Accept Quest" on the expanded prompt, a video ad like this will play. </em>

					<div class="ars-gallery-caption-credit">
						<em><em>Discord </em></em>
					</div>
					<em> </em>
				</div>
			</div>

			<div class="md:hidden">
				 
			</div>
		</div>
	</div>

	<div class="ars-gallery-thumbnails grid grid-cols-4 gap-3 sm:grid-cols-6">
		<div class="aspect-square">
			<div class="ars-lightbox-item relative block h-full w-full overflow-hidden rounded-sm">
				<img alt="Discord-Video-Quests-on-Mobile-Image-3.p" aria-labelledby="caption-2083642" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/03/Discord-Video-Quests-on-Mobile-Image-3.png">
				<div class="pswp-caption-content" id="caption-2083642">
					<em>Users can then claim rewards... </em>

					<div class="ars-gallery-caption-credit">
						<em><em>Discord </em></em>
					</div>

					<div class="ars-gallery-caption-credit">
						 
					</div>
					<em> </em>
				</div>
			</div>
		</div>

		<div class="aspect-square">
			<div class="ars-lightbox-item relative block h-full w-full overflow-hidden rounded-sm">
				<img alt="Discord-Video-Quests-on-Mobile-Image-4.p" aria-labelledby="caption-2083643" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/03/Discord-Video-Quests-on-Mobile-Image-4.png">
				<div class="pswp-caption-content" id="caption-2083643">
					<em>...and be assured that they've received said rewards. </em>

					<div class="ars-gallery-caption-credit">
						<em><em>Discord </em></em>
					</div>

					<div class="ars-gallery-caption-credit">
						 
					</div>
					<em> </em>
				</div>
			</div>
		</div>
	</div>
</div>

<p>
	“Expanding our advertising platform to mobile is an obvious, natural evolution in our strategy," Peter Sellis, Discord’s product SVP, said in a statement accompanying today’s announcement. "Our mission is to create the most authentic, player-centric advertising platform in the galaxy."
</p>

<p>
	 
</p>

<p>
	Discord’s expansion into mobile ads brings the 10-year-old company deeper down the rabbit hole of online advertising. The company, which used to rely solely on subscriptions and <a href="https://support.discord.com/hc/en-us/articles/17162747936663-Shop-FAQ" rel="external nofollow">premium add-ons</a> for money, previously viewed the idea of <a href="https://www.wsj.com/articles/a-social-network-without-ads-discord-defies-convention-11615199401" rel="external nofollow">ads on Discord as intrusive</a>.
</p>

<p>
	 
</p>

<p>
	However, Discord <a href="https://www.theverge.com/2024/1/11/24034705/discord-layoffs-17-percent-employees" rel="external nofollow">reportedly</a> isn’t profitable and is looking to go public soon. Earlier this month, <a href="https://www.nytimes.com/2025/03/05/technology/discord-ipo.html" rel="external nofollow">The New York Times</a> reported that Discord could file an initial public offering "as soon as this year," citing "two people familiar with the talks." Discord founder and CEO Jason Citron told <a href="https://www.bloomberg.com/news/articles/2024-03-07/discord-to-offer-rewards-for-gamers-as-app-seeks-profit-in-2024" rel="external nofollow">Bloomberg</a> last year that Discord would "probably" go public eventually.
</p>

<p>
	 
</p>

<p>
	As such, it's a critical time for Discord to create new forms of revenue, even if that means embracing something that Citron has <a href="https://www.wsj.com/articles/a-social-network-without-ads-discord-defies-convention-11615199401" rel="external nofollow">previously acknowledged</a> is unpopular. The situation is similar to that of another social media platform, Reddit. Reddit has increased its focus on ads since <a href="https://arstechnica.com/tech-policy/2024/02/report-75k-loyal-redditors-can-snag-shares-before-reddit-goes-public/" rel="external nofollow">going public</a> in March 2024 and finally <a href="https://arstechnica.com/gadgets/2024/10/amid-controversial-changes-reddit-is-getting-more-popular-and-profitable/" rel="external nofollow">reaching profitability</a> in October 2024. The company's advertising revenue grew 60 percent year over year in 2024.
</p>

<p>
	 
</p>

<p>
	In its effort to continue pleasing investors, Reddit has hinted at bringing <a href="https://arstechnica.com/gadgets/2025/02/reddit-plans-to-lock-some-content-behind-a-paywall-this-year-ceo-says/" rel="external nofollow">more ads to the platform</a>. The need for ad dollars is also part of the reason Reddit changed its API pricing, <a href="https://arstechnica.com/gadgets/2024/02/exploring-reddits-third-party-app-environment-7-months-after-the-apicalypse/" rel="external nofollow">killing most third-party apps</a> that let users access Reddit outside of its native platforms, where Reddit sells ads. Reddit's growth and evolution illustrate how advertising can quickly become more central to a social platform and <a href="https://arstechnica.com/tech-policy/2025/03/new-reddit-controls-let-you-block-your-most-hated-advertisers-for-a-year/" rel="external nofollow">potentially frustrate users</a>.
</p>

<p>
	 
</p>

<p>
	So far, Discord’s ads have seemed minimally intrusive. But the door separating Discord users and advertisers will creak open a little more in June.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2025/03/discord-heightens-ad-focus-by-introducing-video-ads-to-mobile-apps-in-june/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of February): 874</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">28360</guid><pubDate>Fri, 21 Mar 2025 03:28:19 +0000</pubDate></item><item><title>WordPress security plugin WP Ghost vulnerable to remote code execution bug</title><link>https://nsaneforums.com/news/security-privacy-news/wordpress-security-plugin-wp-ghost-vulnerable-to-remote-code-execution-bug-r28355/</link><description><![CDATA[<p>
	Popular WordPress security plugin WP Ghost is vulnerable to a critical severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers.
</p>

<p>
	 
</p>

<p>
	WP Ghost is a popular security add-on used on over 200,000 WordPress sites that claims to stop 140,000 hacker attacks and over 9 million brute-forcing attempts every month.
</p>

<p>
	 
</p>

<p>
	It also offers protection against SQL injection, script injection, vulnerability exploitation, malware dropping, file inclusion exploits, directory traversal attacks, and cross-site scripting.
</p>

<p>
	 
</p>

<p>
	However, as revealed by Patchstack, the security tool itself is vulnerable to a critical (CVSS score: 9.6) remote code execution (RCE) vulnerability that could lead to a complete website takeover.
</p>

<p>
	 
</p>

<p>
	The flaw, tracked as CVE-2025-26909, impacts all versions of WP Ghost up to 5.4.01 and stems from insufficient input validation in the 'showFile()' function. Exploiting the flaw could allow attackers to include arbitrary files via manipulated URL paths.
</p>

<p>
	 
</p>

<p>
	The flaw is triggered only if WP Ghost's "Change Paths" feature is set to Lite or Ghost mode. Although these modes are not enabled by default, Patchstack notes that the Local File Inclusion (LFI) part applies to nearly all setups.
</p>

<p>
	 
</p>

<p>
	"The vulnerability occurred due to insufficient user input value via the URL path that will be included as a file," <a href="https://patchstack.com/articles/critical-lfi-to-rce-vulnerability-in-wp-ghost-plugin-affecting-200k-sites/" rel="external nofollow" target="_blank">reads Patchstack's report</a>.
</p>

<p>
	 
</p>

<p>
	"Due to the behavior of the LFI case, this vulnerability could lead to Remote Code Execution on almost all of the environment setup."
</p>

<p>
	 
</p>

<p>
	Hence, the vulnerability allows LFI universally, but whether it escalates to RCE depends on the specific server configuration.
</p>

<p>
	 
</p>

<p>
	LFI without RCE can still be dangerous through scenarios such as information disclosure, session hijacking, log poisoning, access to source code, and denial of service (DoS) attacks.
</p>

<p>
	 
</p>

<p>
	Following the discovery of the flaw by researcher Dimas Maulana on February 25, 2025, Patchstack analyzed it internally and eventually notified the vendor on March 3.
</p>

<p>
	 
</p>

<p>
	On the next day, the developers of WP Ghost incorporated a fix in the form of an additional validation on the supplied URL or path from the users.
</p>

<p>
	 
</p>

<p>
	The patch was incorporated in WP Ghost version 5.4.02, while version 5.4.03 has also been made available in the meantime.
</p>

<p>
	 
</p>

<p>
	Users are recommended to upgrade to either version to mitigate CVE-2025-26909.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/wordpress-security-plugin-wp-ghost-vulnerable-to-remote-code-execution-bug/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28355</guid><pubDate>Thu, 20 Mar 2025 17:14:46 +0000</pubDate></item><item><title>Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time</title><link>https://nsaneforums.com/news/security-privacy-news/windows-has-an-8-year-old-security-issue-that-is-exploited-and-known-by-microsoft-for-some-time-r28341/</link><description><![CDATA[<p>
	Microsoft is doing a commendable job when it comes to <a data-wpel-link="internal" href="https://www.ghacks.net/2025/03/13/the-windows-security-updates-for-march-2025-are-now-available/" rel="external nofollow">Windows security</a>. Keeping billions of devices secure is no small feat. Sometimes, however, it appears that someone at Microsoft is hitting the brakes on specific vulnerabilities.
</p>

<p>
	 
</p>

<p>
	Take the following attack method as an example. It is a vulnerability in .lnk shortcuts that is exploited to trigger malware downloads. It was <a data-wpel-link="external" href="https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html" rel="external nofollow" target="_blank">discovered by Trend Micro</a> in 2024 and reported to Microsoft in September 2024.
</p>

<p>
	 
</p>

<p>
	Security engineers at Trend Micro say that the issue has been exploited since at least 2017 and that they have found almost 1,000 of these links in the wild already.
</p>

<p>
	 
</p>

<p>
	According to Trend Micro, these links contain megabytes of whitespace characters to fool antivirus and other security solutions. Attacks come from only four countries -- North Korea, China, Russia, and Iran -- according to the researchers. Trend Micro revealed that the vast majority of attacks come from state-sponsored attack crews and fall into the information theft and espionage category. Governments were targeted the most, followed by the private and financial sectors, think tanks, and telecommunications.
</p>

<p>
	 
</p>

<p>
	The attackers download and install different malware payloads on successfully exploited systems, among them notorious payloads and loaders such as Lumma Stealer or GuLoader.
</p>

<p>
	 
</p>

<p>
	Microsoft has not acted on the provided information. Trend Micro says that it decided to go public with the information because of Microsoft's inactivity. The threat poses a significant risk "to the confidentiality, integrity, and availability of data maintained by governments, critical infrastructure, and private organizations globally," according to the researchers.
</p>

<p>
	 
</p>

<p>
	Microsoft classified the issue as low severity according to Trend Micro, indicating that the issue may not be patched in the "immediate future".
</p>

<p>
	 
</p>

<p>
	In a comment to <a data-wpel-link="external" href="https://www.theregister.com/2025/03/18/microsoft_trend_flaw/" rel="external nofollow" target="_blank">The Register</a>, a Microsoft spokesperson encouraged customers to "exercise caution when downloading files from unknown sources".
</p>

<p>
	 
</p>

<p>
	Shortcut files can be analyzed on local Windows systems. The problem with the disclosed vulnerability is that the link files are specially crafted, which means that the user won't see the exploit when analyzing the shortcut, according to Trend Micro.
</p>

<p>
	 
</p>

<p>
	Some security solutions may recognize these malicious shortcuts already, others may do so in the near future.
</p>

<p>
	 
</p>

<p>
	<em><strong>Now You</strong>: what is your take on this? Should Microsoft develop a fix and release it? Feel free to leave a comment down below.</em>
</p>

<p>
	 
</p>



<p>
	<a href="https://www.ghacks.net/2025/03/19/windows-has-an-8-year-old-security-issue-that-is-exploited-and-known-by-microsoft-for-some-time/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28341</guid><pubDate>Wed, 19 Mar 2025 16:54:10 +0000</pubDate></item><item><title>Google pushing "Ad blockers violate YouTube's Terms of Service" banners on YouTube</title><link>https://nsaneforums.com/news/security-privacy-news/google-pushing-ad-blockers-violate-youtubes-terms-of-service-banners-on-youtube-r28320/</link><description><![CDATA[<p>
	It has been almost a year since Google started to implement changes on YouTube to block content blockers on the platform.  The <a data-wpel-link="internal" href="https://www.ghacks.net/2023/11/01/youtube-confirms-it-has-launched-a-global-effort-to-crack-down-on-ad-blockers/" rel="external nofollow">fight against adblockers</a> started in 2023 with "Ad blockers are not allowed by YouTube" banners being shown to affected users.
</p>

<p>
	 
</p>

<p>
	Google has been testing new implementations since then, including <a data-wpel-link="internal" href="https://www.ghacks.net/2024/06/13/seeing-ads-on-youtube-google-is-testing-server-side-ads-that-break-adblockers/" rel="external nofollow">server-side ads that break adblockers</a>, and has thrown <a data-wpel-link="internal" href="https://www.ghacks.net/2024/06/19/google-disrupted-youtube-video-playback-on-firefox-again/" rel="external nofollow">jabs at</a> competing browsers like Firefox.
</p>

<h2>
	A new banner
</h2>

<p>
	<img alt="Ad blockers violate YouTube's Terms of Service" class="ipsImage" decoding="async" height="720" width="720" src="https://www.ghacks.net/wp-content/uploads/2025/03/youtube-adblock-no-longer-working-v0-zvdtcqdpwnoe1.webp">
</p>

<p>
	 
</p>

<p>
	Reports <a data-wpel-link="external" href="https://www.reddit.com/r/youtube/comments/1jbjdgk/turning_off_ad_blocker_didnt_remove_ad_blockers/" rel="external nofollow" target="_blank">on Reddit</a> <a data-wpel-link="external" href="https://www.reddit.com/r/OperaGX/comments/1jc28uu/ublock_not_blocking_youtube_adds_any_fixes/" rel="external nofollow" target="_blank">and</a> other online forums suggest that Google has started to intensify its fight against content blockers once again on YouTube.
</p>

<p>
	 
</p>

<p>
	The new banner resembles the old. It is shown to users when they use content blockers. The text is slightly different, as it now says "Ad blockers violate YouTube's Terms of Service".
</p>

<p>
	 
</p>

<p>
	<strong>The options are identical to last year's banner:</strong> allow ads on YouTube or subscribe to YouTube Premium. No word, though, on <a data-wpel-link="internal" href="https://www.ghacks.net/2025/03/07/youtube-premium-lite-launches-in-the-us-for-7-99-a-month/" rel="external nofollow">YouTube Premium Lite</a>, a cheaper subscription option that promises fewer ads on YouTube.
</p>

<p>
	 
</p>

<p>
	Not everyone appears to be affected by this. Google is likely testing the waters on a small percentage of YouTube visitors to collect data and make sure that false positives are low.
</p>

<p>
	 
</p>

<p>
	Affected users report issues on non-Chrome browsers for the most part. Opera and Firefox seem to be affected specifically by this.
</p>

<p>
	 
</p>

<p>
	I tested YouTube video playback in several browsers with native or extension-based content blockers and it worked in all of them.
</p>

<p>
	 
</p>

<p>
	<strong>Affected users may try a few things to get back on track.</strong>
</p>

<p>
	 
</p>

<ol>
	<li>
		The first thing they may want to do is update the content blocker and its filter lists, if such an option is provided.
	</li>
	<li>
		If that does not work, loading YouTube in private browsing mode may help, as it uses a separate profile for the loading. Just make sure that the content blocker is allowed to run in private browsing mode.
	</li>
	<li>
		The next option is to test different browsers to see if they let you get around the blockage.
	</li>
	<li>
		Another option is to use Bing Videos to play YouTube videos. Not the most elegant of solutions, but it seems to come without any ads.
	</li>
</ol>

<p>
	 
</p>

<p>
	If all of those fail, you may want to give third-party frontends and apps a try. <a data-wpel-link="external" href="https://docs.invidious.io/instances/" rel="external nofollow" target="_blank">Invidious</a> appears to be working again for now, and apps like <a data-wpel-link="external" href="https://newpipe.net/" rel="external nofollow" target="_blank">NewPipe</a> for Android are also alive and kicking.
</p>

<h3>
	Closing Words
</h3>

<p>
	The cat and mouse game between content blockers and Google's anti-ad-blocking on YouTube could intensify again in the coming months. Users with content blockers may be blocked from time to time when they try to play videos on YouTube.
</p>

<p>
	 
</p>

<p>
	<em><strong>Now You:</strong> do you watch videos on YouTube regularly? Did you run into any content blocks or use YouTube Premium? Let us know in the comments below. (via <a data-wpel-link="external" href="https://www.neowin.net/news/google-not-letting-youtube-videos-play-with-opera-firefox-adblockers-chrome-is-slow/" rel="external nofollow" target="_blank">Neowin</a>)</em>
</p>

<p>
	 
</p>


<p>
	<a href="https://www.ghacks.net/2025/03/18/google-pushing-ad-blockers-violate-youtubes-terms-of-service-banners-on-youtube/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28320</guid><pubDate>Tue, 18 Mar 2025 07:34:18 +0000</pubDate></item><item><title>Google not letting YouTube videos play with Opera, Firefox adblockers. Chrome is slow.</title><link>https://nsaneforums.com/news/security-privacy-news/google-not-letting-youtube-videos-play-with-opera-firefox-adblockers-chrome-is-slow-r28306/</link><description><![CDATA[<p>
	If you have been running YouTube in a browser for a while with an ad blocker enabled, you must have come across YouTube's banner that stops a video in its tracks and warns users not to use such content blockers.
</p>

<p>
	 
</p>

<p>
	In the banner, Google says that "Adblockers violate YouTube's Terms of Service" as it encourages users to disable such content blockers or switch to YouTube Premium, a paid subscription that removes ads from the video platform. The company is also said to be working on <a href="https://www.neowin.net/news/google-wants-to-make-it-impossible-to-block-youtube-ads-as-they-may-be-inside-videos/" rel="external nofollow">server-side ads</a> to make blocking them even harder.
</p>

<p>
	 
</p>

<p>
	As mentioned above, this saga is anything but new. There were accusations back in 2023 that Google was purposefully slowing down YouTube on Firefox, though Google <a href="https://www.neowin.net/news/google-explains-why-it-did-not-make-firefox-load-youtube-slowly-on-purpose/" rel="external nofollow">denied it and also explained why that wasn't the case</a>. A similar thing happened a few months later, with people again pointing fingers at Google. However, the search giant once again came out not guilty as <a href="https://www.neowin.net/news/adblock-google-did-not-slow-down-and-lag-youtube-performance-with-ad-blocker-on/" target="_blank" rel="external nofollow">Adblock admitted it was a fault on its end</a>. There were also allegations that Google was hiding the "skip ad" button, although Google once <a href="https://www.neowin.net/news/after-users-accusation-youtube-comes-out-clean-regarding-hiding-the-ad-skip-button/" rel="external nofollow">again claimed innocence</a>.
</p>

<p>
	 
</p>

<p>
	Here's what the banner says:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<strong>Ad blockers violate YouTube's Terms of Service</strong>
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			It looks like you may be using an ad blocker. Video playback is blocked unless YouTube is allowlisted or the ad blocker is disabled.
		</li>
		<li>
			Ads allow YouTube to be used by billions worldwide.
		</li>
		<li>
			You can go ad-free with YouTube Premium, and creators can still get paid from your subscription.
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		Allow YouTube Ads
	</p>

	<p>
		 
	</p>

	<p>
		Try YouTube Premium
	</p>
</blockquote>

<p>
	It looks like the nagging banner is back again at least on Opera's browsers as Neowin noticed it today. We are unsure if this is happening in other regions too or if it is just India-specific. However, there are complaints about it on the OperaGX subreddit (<a href="https://www.reddit.com/r/OperaGX/comments/1jc28uu/ublock_not_blocking_youtube_adds_any_fixes/" rel="external nofollow">link1</a>, <a href="https://www.reddit.com/r/OperaGX/comments/1jb1pig/youtube_adblock_no_longer_working/" rel="external nofollow">link2</a>) as well as on the YouTube <a href="https://www.reddit.com/r/youtube/comments/1jbjdgk/turning_off_ad_blocker_didnt_remove_ad_blockers/" rel="external nofollow">subreddit</a>.
</p>

<p>
	 
</p>

<figure class="image image--expandable">
	<img alt="YouTube anti adblock banner on Opera" class="ipsImage" height="405" width="720" src="https://cdn.neowin.com/news/images/uploaded/2025/03/1742222171_opera_youtube_adblock_not_working_souce_sayan_sen_neowin.jpg">
</figure>

<p>
	When I came across this, the first thing I tried was to disable and re-enable uBlock Origin, and following that I updated the extension's filtering engine since it often helps with bypassing this YouTube anti-adblock banner. However, those did not help at all.
</p>

<p>
	 
</p>

<p>
	Following that, I turned off Opera's native content filtering add-on called "Privacy Protection" and this one did the trick. Therefore it looks like the built-in Opera adblocker is what is causing the issue.
</p>

<p>
	 
</p>

<p>
	After Opera, I checked Brave since it also comes with a native content blocker in the <a href="https://www.neowin.net/news/as-google-chrome-disables-ublock-origin-brave-assures-it-wont-flaunts-its-default-adblock/" rel="external nofollow">form of "Brave Shields"</a>. I tried the same video here and it played without issue. As usual, though, you have to make sure that the "Block scripts" option inside the Brave Shields is toggled off or else the YouTube website won't load properly and the video thumbnails will only display themselves as white windows.
</p>

<p>
	 
</p>

<p>
	There are also similar reports for <a href="https://www.reddit.com/r/firefox/comments/1jbyafu/anyone_else_getting_the_youtube_ad_warnings_on/" rel="external nofollow">Firefox</a> but I must add I did not experience this, yet, although I have been noticing YouTube asset-loading issues with AdGuard. On the other hand, Google's own Chrome has exhibited sluggish performance for the last couple of days with uBlock Origin.
</p>

<p>
	 
</p>

<p>
	Therefore, it looks like different adblockers are getting affected by different sorts of issues as Google keeps trying to make YouTube adblocking very difficult, if not impossible.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-not-letting-youtube-videos-play-with-opera-firefox-adblockers-chrome-is-slow/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28306</guid><pubDate>Mon, 17 Mar 2025 20:33:53 +0000</pubDate></item><item><title>New Akira ransomware decryptor cracks encryptions keys using GPUs</title><link>https://nsaneforums.com/news/security-privacy-news/new-akira-ransomware-decryptor-cracks-encryptions-keys-using-gpus-r28298/</link><description><![CDATA[<p>
	Security researcher Yohanes Nugroho has released a decryptor for the Linux variant of Akira ransomware, which utilizes GPU power to retrieve the decryption key and unlock files for free.
</p>

<p>
	 
</p>

<p>
	Nugroho developed the decryptor after being asked for help from a friend, deeming the encrypted system solvable within a week, based on how Akira generates encryption keys using timestamps.
</p>

<p>
	 
</p>

<p>
	The project ended up taking three weeks due to unforeseen complexities, and the <a href="http://tinyhack.com/2025/03/13/decrypting-encrypted-files-from-akira-ransomware-linux-esxi-variant-2024-using-a-bunch-of-gpus/" rel="external nofollow" target="_blank">researcher spent $1,200 on GPU resources</a> to crack the encryption key, but eventually, he succeeded.
</p>

<h2>
	Using GPUs to brute force keys
</h2>

<p>
	Nugroho's decryptor does not work like a traditional decryption tool where users supply a key to unlock their files.
</p>

<p>
	 
</p>

<p>
	Instead, it brute-forces encryption keys (unique for each file) by exploiting the fact that the Akira encryptor generates its encryption keys based on the current time (in nanoseconds) as a seed.
</p>

<p>
	 
</p>

<p>
	An encryption seed is data used with cryptographic functions to generate strong, unpredictable encryption keys. Since the seed influences the key generation, keeping it secret is critical to prevent attackers from recreating encryption or decryption keys through brute force or other cryptographic attacks.
</p>

<p>
	 
</p>

<p>
	Akira ransomware dynamically generates unique encryption keys for each file using four different timestamp seeds with nanosecond precision and hashes them through 1,500 rounds of SHA-256.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Four timestamps used for generating keys" class="ipsImage" height="339" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/March/four-timestamps.jpg">
		<figcaption>
			<em>Four timestamps used for generating keys<br>
			Source: tinyhack.com</em>
		</figcaption>
	</figure>
</div>

<p>
	These keys are encrypted with RSA-4096 and appended at the end of each encrypted file, so decrypting them without the private key is hard.
</p>

<p>
	 
</p>

<p>
	The level of timing precision in the timestamps creates over a billion possible values per second, making it difficult to brute force the keys.
</p>

<p>
	 
</p>

<p>
	Also, Nugroho says that Akira ransomware on Linux encrypts multiple files simultaneously using multi-threading, making it hard to determine the timestamp used and adding further complexity.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="CPU threads handling file encryption at different times" class="ipsImage" height="312" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/March/cpu-threads.jpg">
		<figcaption>
			<em>CPU threads handling file encryption at different times<br>
			Source: tinyhack.com</em>
		</figcaption>
	</figure>
</div>

<p>
	The researcher narrowed down the possible timestamps to brute-force by looking at log files shared by his friend. This allowed him to see when the ransomware was executed, use the file metadata to estimate the encryption completion times, and produce encryption benchmarks on different hardware to create predictable profiles.
</p>

<p>
	 
</p>

<p>
	Initial attempts using an RTX 3060 were far too slow, with a ceiling of only 60 million encryption tests per second. Upgrading to an RTX 3090 didn't help much either.
</p>

<p>
	 
</p>

<p>
	Eventually, the researcher turned to using RunPod &amp; Vast.ai cloud GPU services that offered enough power at the right price to confirm the effectiveness of his tool.
</p>

<p>
	 
</p>

<p>
	Specifically, he used sixteen RTX 4090 GPUs to brute-force the decryption key in roughly 10 hours. However, depending on the number of encrypted files that need recovery, the process may take a couple of days.
</p>

<p>
	 
</p>

<p>
	The researcher noted in his write-up that GPU experts could still optimize his code, so performance can likely be improved.
</p>

<p>
	 
</p>

<p>
	Nugroho has made the decryptor <a href="http://github.com/yohanes/akira-bruteforce" rel="external nofollow" target="_blank">available on GitHub</a>, with instructions on how to recover Akira-encrypted files.
</p>

<p>
	 
</p>

<p>
	As always, when attempting to decrypt files, make a backup of the original encrypted files, as there's a possibility that files can be corrupted if the wrong decryption key is used.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has not tested the tool and cannot guarantee its safety or effectiveness, so use it at your own risk.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/gpu-powered-akira-ransomware-decryptor-released-on-github/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of February): 874</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">28298</guid><pubDate>Sun, 16 Mar 2025 07:06:21 +0000</pubDate></item><item><title>Everything you say to your Echo will be sent to Amazon starting on March 28</title><link>https://nsaneforums.com/news/security-privacy-news/everything-you-say-to-your-echo-will-be-sent-to-amazon-starting-on-march-28-r28288/</link><description><![CDATA[<h3>
	Amazon is killing a privacy feature to bolster Alexa+, the new subscription assistant.
</h3>

<p>
	 
</p>

<p>
	Since Amazon announced plans for a generative AI version of Alexa, we were <a href="https://arstechnica.com/gadgets/2023/09/amazons-generative-ai-powered-alexa-is-as-big-a-privacy-red-flag-as-old-alexa/" rel="external nofollow">concerned about user privacy</a>. With <a href="https://arstechnica.com/gadgets/2025/02/amazons-subscription-based-alexa-looks-highly-capable-and-questionable/" rel="external nofollow">Alexa+</a> rolling out to Amazon Echo devices in the coming weeks, we’re getting a clearer view of the privacy concessions people will have to make to maximize usage of the AI voice assistant and avoid bricking functionality of already-purchased devices.
</p>

<p>
	 
</p>

<p>
	In an email sent to customers today, Amazon said that Echo users will no longer be able to set their devices to process Alexa requests locally and, therefore, avoid sending voice recordings to Amazon’s cloud. Amazon apparently sent the email to users with “Do Not Send Voice Recordings” enabled on their Echo. Starting on March 28, recordings of everything spoken to the Alexa living in Echo speakers and smart displays will automatically be sent to Amazon and processed in the cloud.
</p>

<p>
	 
</p>

<p>
	Attempting to rationalize the change, Amazon’s email said:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		As we continue to expand Alexa’s capabilities with generative AI features that rely on the processing power of Amazon’s secure cloud, we have decided to no longer support this feature.
	</p>
</blockquote>

<p>
	One of the most marketed features of Alexa+ is its more advanced ability to recognize who is speaking to it, a feature known as Alexa Voice ID. To accommodate this feature, Amazon is eliminating a privacy-focused capability for all Echo users, even those who aren’t interested in the subscription-based version of Alexa or want to use Alexa+ but not its ability to recognize different voices.
</p>

<p>
	 
</p>

<p>
	However, there are plenty of reasons why people wouldn't want Amazon to receive recordings of what they say to their personal device. For one, the idea of a conglomerate being able to listen to personal requests made in your home is, simply, unnerving.
</p>

<p>
	 
</p>

<p>
	Further, Amazon has previously mismanaged Alexa voice recordings. In 2023, Amazon agreed to <a href="https://www.nytimes.com/2023/05/31/technology/amazon-25-million-childrens-privacy.html" rel="external nofollow">pay $25 million</a> in civil penalties over the revelation that it stored recordings of children’s interactions with Alexa forever. Adults also didn’t feel properly informed of Amazon’s <a href="https://arstechnica.com/tech-policy/2019/07/amazon-confirms-it-keeps-your-alexa-recordings-basically-forever/" rel="external nofollow">inclination toward keeping Alexa recordings</a> unless prompted not to until 2019—five years after the first Echo came out.
</p>

<p>
	 
</p>

<p>
	If that's not enough to deter you from sharing voice recordings with Amazon, note that the company allowed <a href="https://arstechnica.com/tech-policy/2019/04/amazon-admits-that-employees-review-small-sample-of-alexa-audio/" rel="external nofollow">employees to listen to Alexa voice recordings.</a> In 2019, Bloomberg reported that Amazon employees listened to as many as 1,000 audio samples during their nine-hour shifts. Amazon <a href="https://www.amazon.com/gp/help/customer/display.html?nodeId=201602230" rel="external nofollow">says</a> it allows employees to listen to Alexa voice recordings to train its speech recognition and natural language understanding systems.
</p>

<p>
	 
</p>

<p>
	Other reasons why people may be hesitant to trust Amazon with personal voice samples include the previous usage of Alexa voice recordings <a href="https://arstechnica.com/tech-policy/2018/11/amazon-must-give-up-echo-recordings-in-double-murder-case-judge-rules/" rel="external nofollow">in criminal trials</a> and Amazon <a href="https://arstechnica.com/tech-policy/2023/06/ftc-amazon-ring-workers-illegally-spied-on-users-of-home-security-cameras/" rel="external nofollow">paying a settlement</a> in 2023 in relation to allegations that it allowed "thousands of employees and contractors to watch video recordings of customers' private spaces" taken from Ring cameras, per the Federal Trade Commission.
</p>

<h2>
	Save recordings or lose functionality
</h2>

<p>
	Likely looking to get ahead of these concerns, Amazon said in its email today that by default, it will delete recordings of users’ Alexa requests after processing. However, anyone with their Echo device set to “Don’t save recordings” will see their already-purchased devices’ Voice ID feature bricked. Voice ID <a href="https://www.amazon.com/gp/help/customer/display.html?nodeId=GYCXKY2AB2QWZT2X" rel="external nofollow">enables Alexa</a> to do things like share user-specified calendar events, reminders, music, and more. Previously, Amazon <a href="https://www.amazon.com/gp/help/customer/display.html?nodeId=201602230" rel="external nofollow">has said</a> that "if you choose not to save any voice recordings, Voice ID may not work." As of March 28, broken Voice ID is a guarantee for people who don't let Amazon store their voice recordings.
</p>

<p>
	 
</p>

<p>
	Amazon's email says:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Alexa voice requests are always encrypted in transit to Amazon’s secure cloud, which was designed with layers of security protections to keep customer information safe. Customers can continue to choose from a robust set of controls by visiting the Alexa Privacy dashboard online or navigating to More &gt; Alexa Privacy in the Alexa app.
	</p>
</blockquote>

<p>
	Amazon is forcing Echo users to make a couple of tough decisions: Grant Amazon access to recordings of everything you say to Alexa or stop using an Echo; let Amazon save voice recordings and have employees listen to them or lose a feature set to become more advanced and central to the next generation of Alexa.
</p>

<p>
	 
</p>

<p>
	However, Amazon is betting big that Alexa+ can dig the voice assistant out of a <a href="https://arstechnica.com/gadgets/2024/07/alexa-had-no-profit-timeline-cost-amazon-25-billion-in-4-years/" rel="external nofollow">financial pit</a>. Amazon has publicly committed to keeping the free version of Alexa around, but Alexa+ is viewed as Amazon's last hope for keeping Alexa alive and making it profitable. Anything Amazon can do to get people to pay for Alexa takes precedence over other Alexa user demands, including, it seems, privacy.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2025/03/everything-you-say-to-your-echo-will-be-sent-to-amazon-starting-on-march-28/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28288</guid><pubDate>Sat, 15 Mar 2025 06:39:04 +0000</pubDate></item><item><title>New Reddit controls let you block your most-hated advertisers for a year</title><link>https://nsaneforums.com/news/security-privacy-news/new-reddit-controls-let-you-block-your-most-hated-advertisers-for-a-year-r28280/</link><description><![CDATA[<h3>
	Reddit will likely continue increasing the number of ads users see.
</h3>

<p>
	Reddit has shown a growing commitment to promoting ads on its platform, especially since <a href="https://arstechnica.com/tech-policy/2024/03/reddit-faces-new-reality-after-cashing-in-on-its-ipo/" rel="external nofollow">going public</a> a year ago. But in the interest of not completely alienating customers with incessant, irrelevant, or personally offensive ads, the social media company is giving users the ability to block advertisers for a year.
</p>

<p>
	 
</p>

<p>
	In a Reddit <a href="https://www.reddit.com/r/RedditSafety/comments/1jalkya/introducing_hide_an_ad/" rel="external nofollow">post</a> last night, a Reddit employee known as cozy_sheets said that clicking “Hide” on an unwanted ad on Reddit will soon result in Reddit automatically hiding “future ads from that advertiser account for at least a year (you can re-hide the ad after that period of time).” The change will debut on the Reddit website and Reddit’s iOS and Android app throughout “the next several weeks,” according to the announcement.
</p>

<p>
	 
</p>

<p>
	Reddit didn't detail what limits it will use to ensure that users don't block every single advertiser for an ad-free Reddit. Some users have <a href="https://www.reddit.com/r/RedditSafety/comments/1jalkya/comment/mhnga6a/?utm_source=share&amp;utm_medium=web3x&amp;utm_name=web3xcss&amp;utm_term=1&amp;utm_content=share_button" rel="external nofollow">already reported</a> seeing a daily limit for hiding ads, though.
</p>

<p>
	 
</p>

<p>
	Reddit's representative said the ad blocks are a response to users wanting “more control over the ads they see.”
</p>

<p>
	 
</p>

<p>
	The spokesperson noted that users can also “report” an ad if they believe it goes against Reddit’s <a href="https://business.reddithelp.com/s/article/Reddit-Advertising-Policy-Overview" rel="external nofollow">policies</a>. Reporting an ad also results in that advertiser being blocked from pitching to you for a year.
</p>

<p>
	 
</p>

<p>
	Reddit already lets people block advertising related to alcohol, dating, gambling, “politics and activism,” “pregnancy and parenting,” “religion and spirituality,” and weight loss. However, some users have <a href="https://www.reddit.com/r/RedditSafety/comments/1jalkya/comment/mhn54cg/?utm_source=share&amp;utm_medium=web3x&amp;utm_name=web3xcss&amp;utm_term=1&amp;utm_content=share_button" rel="external nofollow">complained</a> about this system failing.
</p>

<p>
	 
</p>

<p>
	Reddit also lets users with accounts in the US and other select countries turn off personalized ads. The company made <a href="https://arstechnica.com/gadgets/2023/09/reddit-blocks-opting-out-of-personalized-ads-starts-paying-users/" rel="external nofollow">personalized ads mandatory</a> in some geographies in September 2023.
</p>

<p>
	 
</p>

<p>
	Despite these ad controls, though, Redditors are likely to see more ads on the platform over the next few years. Reddit executives have pointed to the potential for <a href="https://arstechnica.com/gadgets/2025/02/reddit-plans-to-lock-some-content-behind-a-paywall-this-year-ceo-says/" rel="external nofollow">more ads in comments</a> and a greater focus on contextual ads based on the content around them. All of these ads will be harder for Redditors to avoid than they would have been a few years ago, as a successful war on <a href="https://arstechnica.com/gadgets/2024/02/exploring-reddits-third-party-app-environment-7-months-after-the-apicalypse/" rel="external nofollow">third-party apps</a> has made it difficult to access Reddit outside of its native apps or website. In 2024, advertising represented 92 percent of Reddit's revenue and grew 60 percent year over year.
</p>

<p>
	 
</p>

<p>
	<em>Advance Publications, which owns Ars Technica parent Condé Nast, is the largest shareholder in Reddit.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/tech-policy/2025/03/new-reddit-controls-let-you-block-your-most-hated-advertisers-for-a-year/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28280</guid><pubDate>Fri, 14 Mar 2025 19:06:41 +0000</pubDate></item><item><title>A New Era of Attacks on Encryption Is Starting to Heat Up</title><link>https://nsaneforums.com/news/security-privacy-news/a-new-era-of-attacks-on-encryption-is-starting-to-heat-up-r28279/</link><description><![CDATA[<h3>
	The UK, France, Sweden, and EU have made fresh attacks on end-to-end encryption. Some of the attacks are more “crude” than those in recent years, experts say.
</h3>

<p>
	Over the past decade, <a href="https://www.wired.com/story/the-wired-guide-to-protecting-yourself-from-government-surveillance/" rel="external nofollow">encrypted communication</a> has become the norm for billions of people. Every day, <a href="https://www.wired.com/story/signal-tips-private-messaging-encryption/" rel="external nofollow">Signal</a>, iMessage, and WhatsApp keep billions of messages, photos, videos, and calls private by using <a href="https://www.wired.com/2014/11/hacker-lexicon-end-to-end-encryption/" rel="external nofollow">end-to-end encryption</a> by default—while Zoom, Discord, and various other services all have options to enable the protection. But despite the technology’s mainstream rise, <a href="https://www.wired.com/story/plaintext-50-years-into-the-crypto-wars-encryptions-opponents-are-still-wrong/" rel="external nofollow">long-standing threats</a> to weaken encryption keep piling up.
</p>

<p>
	 
</p>

<p>
	Over the past few months, there has been a surge in government and law enforcement efforts that would effectively undermine encryption, privacy advocates and experts say, with some of the emerging threats being the most “blunt” and aggressive of those in recent memory. Officials in the UK, France, and Sweden have all made moves since the start of 2025 that could undermine or eliminate the protections of end-to-end encryption, adding to a multiyear European Union plan to <a href="https://www.wired.com/story/europe-csam-scanning-law-chat-encryption/" rel="external nofollow">scan private chats</a> and <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://restofworld.org/2024/exporter-whatsapp-encryption-india/#:~:text=In%20a%20Delhi%20High%20Court,end%2Dto%2Dend%20encryption." href="https://restofworld.org/2024/exporter-whatsapp-encryption-india/#:~:text=In%20a%20Delhi%20High%20Court,end%2Dto%2Dend%20encryption." rel="external nofollow" target="_blank">Indian efforts that could damage encryption</a>.
</p>

<p>
	 
</p>

<p>
	These latest assaults on encryption come as intelligence agencies and law enforcement officials in the United States have recently <a href="https://www.wired.com/story/encryption-apps-chinese-telecom-hacking-hydra-russia-exxon/" rel="external nofollow">backtracked on years of anti-encryption attitudes</a> and now recommend that people use encrypted communication platforms whenever they can. The drastic shift in attitude followed the China-backed Salt Typhoon hacker group’s widespread breach of <a href="https://www.wired.com/story/chinas-salt-typhoon-spies-are-still-hacking-telecoms-now-by-exploiting-cisco-routers/#intcid=_wired-article-bottom-recirc_7826003e-f872-46a4-80fa-3ba0e1946a0e_roberta-similarity1" rel="external nofollow">major US telecoms</a>, and it comes as the second Trump administration ramps up potential surveillance of millions of undocumented migrants living in the US. Simultaneously, the administration has been straining <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.nbcnews.com/politics/national-security/trump-pivots-russia-allies-weigh-sharing-less-intel-us-rcna194420" href="https://www.nbcnews.com/politics/national-security/trump-pivots-russia-allies-weigh-sharing-less-intel-us-rcna194420" rel="external nofollow" target="_blank">longtime, crucial international intelligence-sharing</a> agreements and partnerships.
</p>

<p>
	 
</p>

<p>
	“The trend is bleak,” says Carmela Troncoso, a longtime privacy and cryptography researcher and the scientific director at the Max-Planck Institute for Security and Privacy in Germany. “We see these new policies coming up as mushrooms trying to undermine encryption.”
</p>

<p>
	 
</p>

<p>
	End-to-end encryption is designed so only the sender and receiver of messages have access to their contents—governments, tech companies, and telecom providers can’t snoop on what people are saying. Those privacy and security guarantees have made <a href="https://www.wired.com/2013/09/nsa-backdoored-and-stole-keys/" rel="external nofollow">encryption a target</a> for <a href="https://www.wired.com/1993/02/crypto-rebels/" rel="external nofollow">law enforcement and governments for decades</a>, because officials claim that the protection makes it <a href="https://www.wired.com/story/smartphone-encryption-law-enforcement-tools/" rel="external nofollow">prohibitively difficult</a> to investigate urgent threats such as child sexual abuse material and terrorism.
</p>

<p>
	 
</p>

<p>
	As a result, governments around the world have frequently proposed technical mechanisms to bypass encryption and allow access to messages for investigations. Cryptographers and technologists have repeatedly and definitively warned, though, that any <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.nytimes.com/1994/06/12/magazine/battle-of-the-clipper-chip.html" href="https://www.nytimes.com/1994/06/12/magazine/battle-of-the-clipper-chip.html" rel="external nofollow" target="_blank">backdoor</a> created to access end-to-end encrypted communications <a href="https://www.wired.com/2014/12/hacker-lexicon-backdoor/" rel="external nofollow">could be</a> exploited by hackers or authoritarian governments, compromising everyone’s safety. Additionally, it is likely that criminals would find ways to continue to use self-made encryption tools to conceal their messages, meaning that backdoors in mainstream products would succeed at undermining protections for the public without eliminating its use by bad actors.
</p>

<p>
	 
</p>

<p>
	Broadly, the recent threats to encryption have come in three forms, says Namrata Maheshwari, the encryption policy lead at international nonprofit Access Now. First, there are those where governments or law enforcement agencies are asking for backdoors to be built into encrypted platforms to gain “lawful access” to content. At the end of February, for example, Apple <a href="https://www.bbc.co.uk/news/articles/cgj54eq4vejo" rel="external nofollow">pulled</a> its encrypted iCloud backup system, called <a href="https://www.wired.com/story/how-apple-advanced-data-protection-works-and-how-to-turn-it-on/" rel="external nofollow">Advanced Data Protection</a>, from use in the UK after the country’s lawmakers <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.washingtonpost.com/technology/2025/02/07/apple-encryption-backdoor-uk/" href="https://www.washingtonpost.com/technology/2025/02/07/apple-encryption-backdoor-uk/" rel="external nofollow" target="_blank">reportedly</a> hit the Cupertino company with a secret order demanding Apple provide access to encrypted files. To do so, Apple would have had to create a backdoor. The order, which has been criticized by the Trump administration, is set to be challenged in a <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.computerweekly.com/news/366620363/Secret-London-tribunal-to-hear-appeal-in-Apple-vs-government-battle-over-encryption" href="https://www.computerweekly.com/news/366620363/Secret-London-tribunal-to-hear-appeal-in-Apple-vs-government-battle-over-encryption" rel="external nofollow" target="_blank">secret court hearing on March 14</a>.
</p>

<p>
	 
</p>

<p>
	Meanwhile, lawmakers in Sweden are also considering legislation that would require encrypted messaging companies, such as Signal and WhatsApp, to keep copies of messages that people send on their platforms so they could allow law enforcement to access suspects’ histories. Signal has said it would <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www-svt-se.translate.goog/nyheter/inrikes/signal-lamnar-sverige-om-regeringens-forslag-pa-datalagring-klubbas?_x_tr_sl=auto&amp;_x_tr_tl=en&amp;_x_tr_hl=en-US&amp;_x_tr_pto=wapp" href="https://www-svt-se.translate.goog/nyheter/inrikes/signal-lamnar-sverige-om-regeringens-forslag-pa-datalagring-klubbas?_x_tr_sl=auto&amp;_x_tr_tl=en&amp;_x_tr_hl=en-US&amp;_x_tr_pto=wapp" rel="external nofollow" target="_blank">pull out of Sweden if the potential law goes ahead</a>. While in France earlier this year, a proposed <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.senat.fr/amendements/2024-2025/254/Amdt_73.html" href="https://www.senat.fr/amendements/2024-2025/254/Amdt_73.html" rel="external nofollow" target="_blank">amendment</a> to a drug trafficking law <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.laquadrature.net/en/warondrugslaw/" href="https://www.laquadrature.net/en/warondrugslaw/" rel="external nofollow" target="_blank">outlined plans</a> to require encrypted messaging services to hand over decrypted chat messages within <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' 
data-include-experiments="true" data-offer-url="https://www.computerweekly.com/news/366619707/France-pushes-for-law-enforcement-access-to-Signal-WhatsApp-and-encrypted-email" href="https://www.computerweekly.com/news/366619707/France-pushes-for-law-enforcement-access-to-Signal-WhatsApp-and-encrypted-email" rel="external nofollow" target="_blank">72 hours of a request or face fines of up to 2 percent</a> of annual global revenue. This week, the proposal was <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.techradar.com/computing/cyber-security/france-rejects-controversial-encryption-backdoor-provision" href="https://www.techradar.com/computing/cyber-security/france-rejects-controversial-encryption-backdoor-provision" rel="external nofollow" target="_blank">reportedly</a> scrapped, while some politicians said they <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.lemonde.fr/pixels/article/2025/03/04/loi-contre-le-narcotrafic-bruno-retailleau-confirme-son-soutien-a-une-disposition-controversee-visant-le-chiffrement-des-messages_6576410_4408996.html" href="https://www.lemonde.fr/pixels/article/2025/03/04/loi-contre-le-narcotrafic-bruno-retailleau-confirme-son-soutien-a-une-disposition-controversee-visant-le-chiffrement-des-messages_6576410_4408996.html" rel="external nofollow" target="_blank">supported the idea</a>.
</p>

<p>
	 
</p>

<p>
	“We’re seeing some democracies revert back to very crude approaches to circumventing encryption that we maybe thought were something of the past,” Callum Voge, the director of governmental affairs and advocacy at nonprofit Internet Society, says of efforts that could require a backdoor to be created.
</p>

<p>
	 
</p>

<p>
	In January, the head of EU law enforcement agency Europol told the <a href="https://www.ft.com/content/1e6a600d-8620-4ed6-a4cd-5c454d6247ba" rel="external nofollow">Financial Times</a> that tech companies have a “social responsibility” to provide access to encrypted messages. “Anonymity is not a fundamental right,” Catherine De Bolle told the publication. The comments expanded upon a previous <a href="https://www.europol.europa.eu/cms/sites/default/files/documents/EDOC-%231384205-v1-Joint_Declaration_of_the_European_Police_Chiefs.PDF" rel="external nofollow">statement from European police chiefs</a> saying “we do not accept that there need be a binary choice between cybersecurity or privacy on the one hand and public safety on the other.”
</p>

<p>
	 
</p>

<p>
	The second threat, Maheshwari says, relates to an increase in proposals related to a technology known as “<a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.internetsociety.org/resources/doc/2020/fact-sheet-client-side-scanning/" href="https://www.internetsociety.org/resources/doc/2020/fact-sheet-client-side-scanning/" rel="external nofollow" target="_blank">client-side scanning</a>.” The process, which is sometimes called “on-device scanning,” involves scanning messages locally on a person’s device before they are encrypted, and comparing them against a database of prohibited content that is held elsewhere. Client-side scanning is an effort to contort encryption backdoors into something more palatable to privacy proponents by keeping people’s personal data on their own devices.
</p>

<p>
	 
</p>

<p>
	Ultimately, though, cryptographers and digital rights advocates have repeatedly warned that client-side scanning <a href="https://academic.oup.com/cybersecurity/article/10/1/tyad020/7590463" rel="external nofollow">does not sidestep the fundamental dangers</a> posed by creating a way for a third party to access encrypted data. The Internet Society’s Voge describes such efforts as a more “sophisticated” way that democracies have been trying to circumvent encryption in recent years.
</p>

<p>
	 
</p>

<p>
	For instance, politicians in the <a href="https://www.wired.com/story/europe-csam-scanning-law-chat-encryption/" rel="external nofollow">EU have been fiercely debating plans</a> to scan billions of messages for potential child sexual abuse material using client-side scanning for more than three years. The unresolved debates have <a href="https://www.wired.com/story/csar-chat-scan-proposal-european-commission-ads/" rel="external nofollow">proved highly controversial</a>, with multiple countries <a href="https://www.wired.com/story/europe-break-encryption-leaked-document-csa-law/" rel="external nofollow">pushing to weaken encryption</a>. “Scanning for one type of content, for instance, opens the door for bulk surveillance and could create a desire to search other encrypted messaging systems across content types,” Apple officials <a href="https://www.wired.com/story/apple-csam-scanning-heat-initiative-letter/" rel="external nofollow">said in a letter first reported by WIRED in August 2023</a>, after the company ditched its own, separate plans to introduce a form of client-side scanning on iPhones.
</p>

<p>
	 
</p>

<p>
	“It’s very divided in Europe, [there are] countries strongly in favor of scanning and countries strongly against it as well,” Voge says of the EU’s long-running chat monitoring plans. In May 2023, <a href="https://www.wired.com/story/europe-break-encryption-leaked-document-csa-law/" rel="external nofollow">WIRED obtained leaked documents that stated</a> many European countries’ positions on encryption. At the time, Spanish officials said they would like to prevent end-to-end encryption entirely in the EU, while many others were in favor of scanning people’s messages. Other countries, such as Germany, were against weakening encryption. Dutch political documentation says the country’s intelligence agency, <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.rijksoverheid.nl/documenten/kamerstukken/2024/10/01/tk-positie-nederland-ten-aanzien-van-de-csam-verordening" href="https://www.rijksoverheid.nl/documenten/kamerstukken/2024/10/01/tk-positie-nederland-ten-aanzien-van-de-csam-verordening" rel="external nofollow" target="_blank">AIVD, considers</a> client-side scanning to be “too great a security risk for the digital resilience of the Netherlands.”
</p>

<p>
	 
</p>

<p>
	Finally, Maheshwari says, there is always the looming threat of potential bans or blocks for encrypted services. Toward the end of 2024, Russian officials <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://freedom.press/digisec/blog/russia-blocks-access-to-signal/" href="https://freedom.press/digisec/blog/russia-blocks-access-to-signal/" rel="external nofollow" target="_blank">blocked access to Signal</a> amid the country’s ongoing full-scale war against Ukraine and widescale efforts to censor and control information environments. India has an ongoing lawsuit against WhatsApp, which <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://restofworld.org/2024/exporter-whatsapp-encryption-india/#:~:text=In%20a%20Delhi%20High%20Court,end%2Dto%2Dend%20encryption." href="https://restofworld.org/2024/exporter-whatsapp-encryption-india/#:~:text=In%20a%20Delhi%20High%20Court,end%2Dto%2Dend%20encryption." rel="external nofollow" target="_blank">could threaten its ability to operate in the country</a> or necessitate that the platform retreat from end-to-end encryption in that market. Maheshwari also points out that while all virtual private networks do not specifically use end-to-end encryption, India has already banned multiple VPN services.
</p>

<p>
	 
</p>

<p>
	While each potential proposal that could undermine encryption is slightly different, the Internet Society’s Voge says that they’ve been met with some “stronger” pro-encryption voices coming from government or law enforcement services around the world, particularly when it comes to protecting national security.
</p>

<p>
	 
</p>

<p>
	In December, two officials from the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI encouraged more people to use encrypted communications systems after China’s Salt Typhoon hackers gained deep access to US telecoms providers, exposing unencrypted calls and texts. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” one of the <a href="https://www.wired.com/story/encryption-apps-chinese-telecom-hacking-hydra-russia-exxon/" rel="external nofollow">officials said</a>.
</p>

<p>
	 
</p>

<p>
	Voge points out that as well as CISA and the FBI’s calls to use encrypted messaging, the Swedish armed forces has <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.forsvarsmakten.se/sv/aktuellt/2025/02/forsvarsmakten-anvander-appen-signal-for-oppen-kommunikation-med-mobiltelefoner/" href="https://www.forsvarsmakten.se/sv/aktuellt/2025/02/forsvarsmakten-anvander-appen-signal-for-oppen-kommunikation-med-mobiltelefoner/" rel="external nofollow" target="_blank">specifically cleared Signal</a> for use with unclassified material, saying it can stop messages and calls from being intercepted by third parties.
</p>

<p>
	 
</p>

<p>
	Ahead of the UK’s March 14 legal hearing about the backdoor order reportedly made to Apple, US senators and privacy groups urged more transparency about the demands and the risks the order presents to global encryption. A bipartisan group of <a href="https://www.wyden.senate.gov/news/press-releases/bipartisan-members-of-congress-to-uk-spy-court-uk-gag-orders-for-surveillance-backdoors-threaten-americans-security-and-privacy-impede-congressional-oversight" rel="external nofollow">five members of Congress said</a> the “cloak of secrecy” should be removed.
</p>

<p>
	 
</p>

<p>
	UK civil liberties groups Privacy International and Liberty also filed legal challenges over the secrecy of the proceedings. “While the UK Government seems to have come for Apple today, tomorrow it may be any other big tech companies, such as Google and Microsoft, and the day after it could be Signal, your VPN Provider, Proton and others,” Privacy International <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="http://privacyinternational.org/long-read/5547/our-challenge-against-uks-secret-tcn-powers" href="http://privacyinternational.org/long-read/5547/our-challenge-against-uks-secret-tcn-powers" rel="external nofollow" target="_blank">said</a> in a statement.
</p>

<p>
	 
</p>

<p>
	Ultimately, Access Now’s Maheshwari says, efforts to defend encryption will almost certainly continue, as they have for decades, to protect people’s human rights.
</p>

<p>
	 
</p>

<p>
	“Encryption right now is exceptionally important because it's a crucial enabler of the full spectrum of human rights,” Maheshwari says. “It’s not just privacy. It is what enables you to speak freely, to exercise your freedom of expression, to organize, to assemble, to associate.”
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/a-new-era-of-attacks-on-encryption-is-starting-to-heat-up/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of February): 874</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">28279</guid><pubDate>Fri, 14 Mar 2025 19:05:52 +0000</pubDate></item><item><title>Meta faces new AI copyright infringement lawsuit in France</title><link>https://nsaneforums.com/news/security-privacy-news/meta-faces-new-ai-copyright-infringement-lawsuit-in-france-r28246/</link><description><![CDATA[<p>
	Artificial intelligence is on the rise as we speak, and so are the legal battles associated with it. In the latest, social media giant Meta faces a new lawsuit in France over allegedly training its AI models using copyright-protected material on a massive scale without authorization.
</p>

<p>
	 
</p>

<p>
	Reuters <a href="https://www.reuters.com/technology/artificial-intelligence/french-publishers-authors-file-lawsuit-against-meta-ai-case-2025-03-12/" rel="external nofollow">reports</a> that the lawsuit was filed this week in a Paris court by leading French publishing and authors' associations, including the National Publishing Union (SNE), Society of Men of Letters (SGDL), and National Union of Authors and Composers (SNAC).
</p>

<p>
	 
</p>

<p>
	These organizations defending authors have accused the US-based tech giant of alleged copyright infringement and economic "parasitism." While it's the first such legal attempt made in France, Meta has faced similar AI copyright lawsuits in other parts of the world, including the US.
</p>

<p>
	 
</p>

<p>
	A <a href="https://www.neowin.net/news/filing-says-zuckerberg-approved-metas-use-of-copyrighted-material-in-llama-training/" rel="external nofollow">lawsuit filed in the US</a> accused Meta of using pirated ebooks to train its Llama AI models, which Mark Zuckerberg allegedly approved. Leaked emails allegedly revealed the company <a href="https://www.neowin.net/news/leaked-emails-allegedly-reveal-meta-torrented-terabytes-of-pirated-ebooks-for-ai-training/" rel="external nofollow">torrented terabytes of ebooks</a> for AI training.
</p>

<p>
	 
</p>

<p>
	SNAC's general delegate, Maia Bensimon, accused the company of "monumental looting," per the report. "It's a bit of a David versus Goliath battle," said SNE Director General Renaud Lefebvre about the lawsuit, adding that "it's a procedure that serves as an example."
</p>

<p>
	 
</p>

<p>
	The French lawsuit came just months after Mark Zuckerberg announced that the company would spend <a href="https://www.neowin.net/news/meta-plans-to-spend-65-billion-on-ai-investments-amid-deepseek-superiority-claims/" rel="external nofollow">$65 billion on AI investments</a>. Meta is also working on laying a <a href="https://www.neowin.net/news/meta-invests-billions-in-project-waterworth-a-new-50000-km-subsea-cable-network/" rel="external nofollow">massive 50,000 km</a> subsea internet cable that <a href="https://www.neowin.net/news/report-meta-wants-to-install-a-10-billion-internet-cable-that-goes-around-the-world/" rel="external nofollow">will wrap around the earth</a> and is expected to cost over $10 billion. According to reports, the company is developing its <a href="https://www.neowin.net/news/meta-develops-first-in-house-ai-chip-to-reduce-reliance-on-nvidia/" target="_blank" rel="external nofollow">first in-house AI chip</a> to reduce reliance on Nvidia.
</p>

<p>
	 
</p>

<p>
	Governments across the globe are also trying to match the pace <a href="https://www.neowin.net/news/report-more-than-400-million-users-use-chatgpt-every-week/" rel="external nofollow">of AI's progress</a>. It was <a href="https://www.neowin.net/news/the-uk-government-is-working-on-rules-to-increase-the-transparency-of-ai-training-data/" rel="external nofollow">reported</a> that the UK government was working on rules to increase the transparency of AI training data. Its <a href="https://www.gov.uk/government/consultations/copyright-and-artificial-intelligence" rel="external nofollow">consultation</a> seeking views on objectives, such as enhancing right holders’ control over their work and boosting trust by offering right holders greater clarity on how their material is used, ended earlier this year.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/meta-faces-new-ai-copyright-infringement-lawsuit-in-france/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28246</guid><pubDate>Wed, 12 Mar 2025 17:48:06 +0000</pubDate></item><item><title>Microsoft patches Windows Kernel zero-day exploited since 2023</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-patches-windows-kernel-zero-day-exploited-since-2023-r28245/</link><description><![CDATA[<p>
	Slovak cybersecurity company ESET says a newly patched zero-day vulnerability in the Windows Win32 Kernel Subsystem has been exploited in attacks since March 2023.
</p>

<p>
	 
</p>

<p>
	Fixed in Windows security updates released during <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2025-patch-tuesday-fixes-7-zero-days-57-flaws/" rel="external nofollow" target="_blank">this month's Patch Tuesday</a>, the security flaw is now tracked as CVE-2025-24983 and was reported to Microsoft by ESET researcher Filip Jurčacko.
</p>

<p>
	 
</p>

<p>
	The vulnerability is caused by a use-after-free weakness that lets attackers with low privileges gain SYSTEM privileges without requiring user interaction. However, Redmond tagged such attacks as high complexity since successful exploitation requires the threat actors to win a race condition.
</p>

<p>
	 
</p>

<p>
	ESET said on Tuesday that a zero-day exploit targeting the CVE-2025-24983 vulnerability was "first seen in the wild" in March 2023 on systems backdoored using PipeMagic malware.
</p>

<p>
	 
</p>

<p>
	This exploit targets only older Windows versions (Windows Server 2012 R2 and Windows 8.1) that Microsoft no longer supports. However, the vulnerability also affects newer Windows versions, including the still-supported Windows Server 2016 and Windows 10 systems running Windows 10 build 1809 and earlier.
</p>

<p>
	 
</p>

<p>
	"The Use-After-Free (UAF) vulnerability is related to improper memory usage during software operation. This can lead to software crashes, execution of malicious code (including remotely), privilege escalation, or data corruption," ESET also told BleepingComputer. "The exploit was deployed via the PipeMagic backdoor, capable of exfiltrating data and enabling remote access to the machine."
</p>

<p>
	 
</p>

<p>
	PipeMagic was <a href="https://www.kaspersky.com/about/press-releases/kaspersky-uncovers-pipemagic-backdoor-attacks-businesses-through-fake-chatgpt-application" rel="external nofollow" target="_blank">discovered by Kaspersky in 2022</a>. It can harvest sensitive data, provide attackers with full remote access to infected devices, and enable them to deploy additional malicious payloads to move laterally through the victims' networks.
</p>

<p>
	 
</p>

<p>
	In 2023, Kaspersky <a href="https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/" rel="external nofollow" target="_blank">saw it deployed in Nokoyawa ransomware attacks</a> that exploited another Windows zero-day, a privilege escalation flaw in the Common Log File System Driver tracked as <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252" rel="external nofollow" target="_blank">CVE-2023-28252</a>.
</p>

<h2>
	Federal agencies ordered to patch by April 1st
</h2>

<p>
	During the March 2025 Patch Tuesday, Microsoft also patched the following five zero-day vulnerabilities tagged as actively exploited:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24984" rel="external nofollow" target="_blank">CVE-2025-24984</a> - Windows NTFS Information Disclosure Vulnerability
	</li>
	<li>
		<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24985" rel="external nofollow" target="_blank">CVE-2025-24985</a> - Windows Fast FAT File System Driver Remote Code Execution Vulnerability
	</li>
	<li>
		<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24991" rel="external nofollow" target="_blank">CVE-2025-24991</a> - Windows NTFS Information Disclosure Vulnerability
	</li>
	<li>
		<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24993" rel="external nofollow" target="_blank">CVE-2025-24993</a> - Windows NTFS Remote Code Execution Vulnerability
	</li>
	<li>
		<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-26633" rel="external nofollow" target="_blank">CVE-2025-26633</a> - Microsoft Management Console Security Feature Bypass Vulnerability
	</li>
</ul>

<p>
	 
</p>

<p>
	Yesterday, CISA <a href="https://www.cisa.gov/news-events/alerts/2025/03/11/cisa-adds-six-known-exploited-vulnerabilities-catalog" rel="external nofollow" target="_blank">added</a> all six zero-days to its <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" rel="external nofollow" target="_blank">Known Exploited Vulnerabilities Catalog</a>, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems by April 1st, as required by the Binding Operational Directive (BOD) 22-01.
</p>

<p>
	 
</p>

<p>
	"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," the U.S. cybersecurity agency warned.
</p>

<p>
	 
</p>

<p>
	"Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice."
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-windows-kernel-zero-day-exploited-since-2023/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28245</guid><pubDate>Wed, 12 Mar 2025 17:47:20 +0000</pubDate></item><item><title>X hit by &#x2018;massive cyberattack&#x2019; amid Dark Storm&#x2019;s DDoS claims</title><link>https://nsaneforums.com/news/security-privacy-news/x-hit-by-%E2%80%98massive-cyberattack%E2%80%99-amid-dark-storm%E2%80%99s-ddos-claims-r28208/</link><description><![CDATA[<p>
	The Dark Storm hacktivist group claims to be behind DDoS attacks causing multiple X worldwide outages on Monday, leading the company to enable DDoS protections from Cloudflare.
</p>

<p>
	 
</p>

<p>
	While X owner Elon Musk did not specifically state that DDoS attacks were behind the outages, he did confirm that they were caused by a "massive cyberattack."
</p>

<p>
	 
</p>

<p>
	"There was (still is) a massive cyberattack against X," <a href="https://x.com/elonmusk/status/1899149509407473825" rel="external nofollow" target="_blank">Musk posted on X</a>.
</p>

<p>
	 
</p>

<p>
	"We get attacked every day, but this was done with a lot of resources. Either a large, coordinated group and/or a country is involved. Tracing ..."
</p>

<p>
	 
</p>

<p>
	Dark Storm is a pro-Palestinian hacktivist group that launched in 2023 and has previously targeted organizations in Israel, Europe, and the US.
</p>

<p>
	 
</p>

<p>
	Today, the group posted to their Telegram channel that they were conducting DDoS attacks against Twitter, sharing screenshots and links [<a href="https://check-host.net/check-report/23e263fbk4b5" rel="external nofollow" target="_blank">1</a>, <a href="https://check-host.net/check-report/23e27469k58a" rel="external nofollow" target="_blank">2</a>] to the check-host.net site as proof of the attack.
</p>

<p>
	 
</p>

<p>
	Check-host.net is a website that allows visitors to check the availability of a website from different servers throughout the world. The website is commonly used during DDoS attacks to show that an attack is taking place.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Dark Storm post on Telegram" class="ipsImage" height="720" width="590" src="https://www.bleepstatic.com/images/news/security/ddos/x/x/dark-storm-ddos/dark-storm-telegram-post.jpg">
		<figcaption>
			<em>Dark Storm post on Telegram</em>
		</figcaption>
	</figure>
</div>

<p>
	X is now being protected by the DDoS-protection service Cloudflare, which shows a captcha when suspicious IP addresses connect to the site or when a single IP address generates too many requests.
</p>

<p>
	 
</p>

<p>
	The help.x.com section of the site currently displays a Cloudflare captcha for all requests, as shown below.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Cloudflare captcha on X.com" class="ipsImage" height="330" width="720" src="https://www.bleepstatic.com/images/news/security/ddos/x/x/dark-storm-ddos/x-cloudflare.jpg">
		<figcaption>
			<em>Cloudflare captcha on X.com<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	Hacktivists have demonstrated time and time again their ability to disrupt massive technology platforms using botnets and other resources.
</p>

<p>
	 
</p>

<p>
	In 2024, the United States indicted two Sudanese brothers for the suspected operation of the Anonymous Sudan hacktivist group.
</p>

<p>
	 
</p>

<p>
	Anonymous Sudan successfully took down the websites and APIs of some of the largest technology firms, including <a href="https://www.bleepingcomputer.com/news/technology/cloudflare-website-downed-by-ddos-attack-claimed-by-anonymous-sudan/" rel="external nofollow" target="_blank">Cloudflare</a>, <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-azure-outlook-outages-caused-by-ddos-attacks/" rel="external nofollow" target="_blank">Microsoft</a>, and <a href="https://www.bleepingcomputer.com/news/security/openai-confirms-ddos-attacks-behind-ongoing-chatgpt-outages/" rel="external nofollow" target="_blank">OpenAI</a>, disrupting services for many worldwide.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/x-hit-by-massive-cyberattack-amid-dark-storms-ddos-claims/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28208</guid><pubDate>Mon, 10 Mar 2025 22:51:05 +0000</pubDate></item><item><title>Undocumented commands found in Bluetooth chip used by a billion devices [Updated]</title><link>https://nsaneforums.com/news/security-privacy-news/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices-updated-r28198/</link><description><![CDATA[<p>
	<em>Update 3/9/25: After receiving concerns about the use of the term 'backdoor' to refer to these undocumented commands, we have updated our title and story. Our original story can be found <a href="https://web.archive.org/web/20250308163009/https://www.bleepingcomputer.com/news/security/undocumented-backdoor-found-in-bluetooth-chip-used-by-a-billion-devices/" target="_blank" rel="external nofollow">here</a>.</em>
</p>

<p>
	 
</p>

<p>
	The ubiquitous ESP32 microchip, made by Chinese manufacturer Espressif and used in over 1 billion units as of 2023, contains undocumented commands that could be leveraged for attacks.
</p>

<p>
	 
</p>

<p>
	The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence.
</p>

<p>
	 
</p>

<p>
	This was discovered by Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco of Tarlogic Security, who <a href="https://www.documentcloud.org/documents/25554812-2025-rootedcon-bluetoothtools/" rel="external nofollow" target="_blank">presented</a> their findings yesterday at <a href="https://reg.rootedcon.com/cfp/schedule/talk/5" rel="external nofollow" target="_blank">RootedCON</a> in Madrid.
</p>

<p>
	 
</p>

<p>
	"Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices," reads a <a href="https://www.tarlogic.com/news/backdoor-esp32-chip-infect-ot-devices/" rel="external nofollow" target="_blank">Tarlogic announcement</a> shared with BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls."
</p>

<p>
	 
</p>

<p>
	The researchers warned that ESP32 is one of the world's most widely used chips for Wi-Fi + Bluetooth connectivity in IoT (Internet of Things) devices, so the risk is significant.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Slide from the RootedCON presentation" class="ipsImage" height="540" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/March/presentation.jpeg">
		<figcaption>
			<em>Slide from the RootedCON presentation<br>
			Source: Tarlogic</em>
		</figcaption>
	</figure>
</div>

<h2>
	Discovering undocumented commands in ESP32
</h2>

<p>
	In their RootedCON presentation, the Tarlogic researchers explained that interest in Bluetooth security research has waned, but not because the protocol or its implementation has become more secure.
</p>

<p>
	 
</p>

<p>
	Instead, most attacks presented last year didn't have working tools, didn't work with generic hardware, and used outdated/unmaintained tools largely incompatible with modern systems.
</p>

<p>
	 
</p>

<p>
	Tarlogic developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the hardware without relying on OS-specific APIs.
</p>

<p>
	 
</p>

<p>
	Armed with this new tool, which enables raw access to Bluetooth traffic, Tarlogic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="ESP32 memory map" class="ipsImage" height="512" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/March/diagram.jpg">
		<figcaption>
			<em>ESP32 memory map<br>
			Source: Tarlogic</em>
		</figcaption>
	</figure>
</div>

<p>
	In total, they found 29 undocumented commands, collectively characterized as a "backdoor," that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.
</p>

<p>
	 
</p>

<p>
	Espressif has not publicly documented these commands, so either they weren't meant to be accessible, or they were left in by mistake. The issue is now tracked under <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-27840" rel="external nofollow" target="_blank">CVE-2025-27840</a>.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Script that issues HCI commands" class="ipsImage" height="408" style="height: auto;" width="821" src="https://www.bleepstatic.com/images/news/u/1220909/2025/March/demo.jpg">
		<figcaption>
			<em>Script that issues HCI commands<br>
			Source: Tarlogic</em>
		</figcaption>
	</figure>
</div>

<p>
	The risks arising from these commands include malicious implementations on the OEM level and supply chain attacks.
</p>

<p>
	 
</p>

<p>
	Depending on how Bluetooth stacks handle HCI commands on the device, remote exploitation of the commands might be possible via malicious firmware or rogue Bluetooth connections.
</p>

<p>
	 
</p>

<p>
	This is especially the case if an attacker already has root access, planted malware, or pushed a malicious update on the device that opens up low-level access.
</p>

<p>
	 
</p>

<p>
	In general, though, physical access to the device's USB or UART interface would be far riskier and a more realistic attack scenario.
</p>

<p>
	 
</p>

<p>
	"In a context where you can compromise an IoT device with an ESP32 you will be able to hide an APT inside the ESP memory and perform Bluetooth (or Wi-Fi) attacks against other devices, while controlling the device over Wi-Fi/Bluetooth," explained the researchers to BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"Our findings would allow to fully take control over the ESP32 chips and to gain persistence in the chip via commands that allow for RAM and Flash modification."
</p>

<p>
	 
</p>

<p>
	"Also, with persistence in the chip, it may be possible to spread to other devices because the ESP32 allows for the execution of advanced Bluetooth attacks."
</p>

<p>
	 
</p>

<p>
	BleepingComputer has contacted Espressif for a statement on the researchers' findings, but a comment wasn't immediately available.
</p>

<p>
	 
</p>

<p>
	<em>Update 3/8/25: Added statement from Tarlogic.</em>
</p>

<p>
	 
</p>

<p>
	<em>Update 3/9/25: Added CVE-ID</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28198</guid><pubDate>Sun, 09 Mar 2025 16:04:06 +0000</pubDate></item><item><title>Undocumented "backdoor" found in Bluetooth chip used by a billion devices</title><link>https://nsaneforums.com/news/security-privacy-news/undocumented-backdoor-found-in-bluetooth-chip-used-by-a-billion-devices-r28193/</link><description><![CDATA[<p>
	The ubiquitous ESP32 microchip, made by Chinese manufacturer Espressif and used in over 1 billion units as of 2023, contains an undocumented "backdoor" that could be leveraged for attacks.
</p>

<p>
	 
</p>

<p>
	The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence.
</p>

<p>
	 
</p>

<p>
	This was discovered by Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco of Tarlogic Security, who <a href="https://www.documentcloud.org/documents/25554812-2025-rootedcon-bluetoothtools/" rel="external nofollow" target="_blank">presented</a> their findings yesterday at <a href="https://reg.rootedcon.com/cfp/schedule/talk/5" rel="external nofollow" target="_blank">RootedCON</a> in Madrid.
</p>

<p>
	 
</p>

<p>
	"Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices," reads a <a href="https://www.tarlogic.com/news/backdoor-esp32-chip-infect-ot-devices/" rel="external nofollow" target="_blank">Tarlogic announcement</a> shared with BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls."
</p>

<p>
	 
</p>

<p>
	The researchers warned that ESP32 is one of the world's most widely used chips for Wi-Fi + Bluetooth connectivity in IoT (Internet of Things) devices, so the risk of any backdoor in them is significant.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Slide from the RootedCON presentation" class="ipsImage" height="540" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/March/presentation.jpeg">
		<figcaption>
			<em>Slide from the RootedCON presentation<br>
			Source: Tarlogic</em>
		</figcaption>
	</figure>
</div>

<h2>
	Discovering a backdoor in ESP32
</h2>

<p>
	In their RootedCON presentation, the Tarlogic researchers explained that interest in Bluetooth security research has waned but not because the protocol or its implementation has become more secure.
</p>

<p>
	 
</p>

<p>
	Instead, most attacks presented last year didn't have working tools, didn't work with generic hardware, and used outdated/unmaintained tools largely incompatible with modern systems.
</p>

<p>
	 
</p>

<p>
	Tarlogic developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the hardware without relying on OS-specific APIs.
</p>

<p>
	 
</p>

<p>
	Armed with this new tool, which enables raw access to Bluetooth traffic, Tarlogic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="ESP32 memory map" class="ipsImage" height="512" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/March/diagram.jpg">
		<figcaption>
			<em>ESP32 memory map<br>
			Source: Tarlogic</em>
		</figcaption>
	</figure>
</div>

<p>
	In total, they found 29 undocumented commands, collectively characterized as a "backdoor," that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.
</p>

<p>
	 
</p>

<p>
	Espressif has not publicly documented these commands, so either they weren't meant to be accessible, or they were left in by mistake.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Script that issues HCI commands" class="ipsImage" height="358" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/March/demo.jpg">
		<figcaption>
			<em>Script that issues HCI commands<br>
			Source: Tarlogic</em>
		</figcaption>
	</figure>
</div>

<p>
	The risks arising from these commands include malicious implementations on the OEM level and supply chain attacks.
</p>

<p>
	 
</p>

<p>
	Depending on how Bluetooth stacks handle HCI commands on the device, remote exploitation of the backdoor might be possible via malicious firmware or rogue Bluetooth connections.
</p>

<p>
	 
</p>

<p>
	This is especially the case if an attacker already has root access, planted malware, or pushed a malicious update on the device that opens up low-level access.
</p>

<p>
	 
</p>

<p>
	In general, though, physical access to the device's USB or UART interface would be far riskier and a more realistic attack scenario.
</p>

<p>
	 
</p>

<p>
	"In a context where you can compromise an IOT device with an ESP32 you will be able to hide an APT inside the ESP memory and perform Bluetooth (or Wi-Fi) attacks against other devices, while controlling the device over Wi-Fi/Bluetooth," explained the researchers to BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"Our findings would allow to fully take control over the ESP32 chips and to gain persistence in the chip via commands that allow for RAM and Flash modification."
</p>

<p>
	 
</p>

<p>
	"Also, with persistence in the chip, it may be possible to spread to other devices because the ESP32 allows for the execution of advanced Bluetooth attacks."
</p>

<p>
	 
</p>

<p>
	BleepingComputer has contacted Espressif for a statement on the researchers' findings, but a comment wasn't immediately available.
</p>

<p>
	 
</p>

<p>
	<em>Update 3/8/25: Added statement from Tarlogic.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/undocumented-backdoor-found-in-bluetooth-chip-used-by-a-billion-devices/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28193</guid><pubDate>Sun, 09 Mar 2025 07:16:00 +0000</pubDate></item><item><title>1Password now lets you add location to your passwords</title><link>https://nsaneforums.com/news/security-privacy-news/1password-now-lets-you-add-location-to-your-passwords-r28168/</link><description><![CDATA[<p>
	Canadian password manager company AgileBits Inc. is rolling out a new feature that lets you tag real-world locations to password credentials stored in your 1Password vault. When you're near those locations, these passwords are automatically highlighted in the 1Password app for quicker access.
</p>

<p>
	 
</p>

<p>
	The idea of showing location-specific items is to make them easier to access, and 1Password claims it's the only password manager currently offering this feature. Its goal is for you to be able to "access your items faster wherever and whenever you need them."
</p>

<p>
	 
</p>

<p>
	The feature automatically surfaces an item when you are at its tagged location, even if you don't know or remember the credential's name. The idea came to life during one of the hackathons, and 1Password got positive feedback during beta testing.
</p>

<p>
	 
</p>

<p>
	You can add one physical location to any new or existing 1Password credential by editing that item and selecting that location. It will appear in the app's Home tab when you arrive at that location. The password manager app also offers a map view showing all the locations you have tied to your passwords.
</p>

<p>
	 
</p>

<figure class="image image--expandable">
	<img alt="1Password location tagging feature" class="ipsImage" height="720" width="720" src="https://cdn.neowin.com/news/images/uploaded/2025/03/1741320056_1password_password_location_tagging.jpg">
</figure>

<p>
	<a href="https://blog.1password.com/add-locations-to-items/" rel="external nofollow">1Password said</a> the 'view nearby items' option will only work when you add the Nearby section to your Home screen. To do so, go to the Home screen &gt; select the customize button &gt; select Nearby from the options &gt; tap Done. Next, you must allow location access by tapping Nearby on the Home screen.
</p>

<p>
	 
</p>

<p>
	1Password lets you tie location data to various items, including debit cards when you reach a bank ATM, medical records, local Wi-Fi passwords, alarm codes at the workplace, or travel documents and itineraries at airports.
</p>

<p>
	 
</p>

<p>
	The company claims it doesn't store, share, or track your location data present in the vault. For those using the password manager at work, their employer won't be able to see their password locations.
</p>

<p>
	 
</p>

<p>
	The new feature is now available to users, and it's supported on Windows, Mac, Android, iOS, and Linux versions of the password manager app. You can try it if you have a 1Password subscription; its individual plan starts at $2.99/mo when paid annually, and the family plan is $4.99/mo.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/1password-now-lets-you-add-location-to-your-passwords/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28168</guid><pubDate>Fri, 07 Mar 2025 07:25:34 +0000</pubDate></item><item><title>Massive botnet that appeared overnight is delivering record-size DDoSes</title><link>https://nsaneforums.com/news/security-privacy-news/massive-botnet-that-appeared-overnight-is-delivering-record-size-ddoses-r28152/</link><description><![CDATA[<h3>
	Eleven11bot infects video recorders, with the largest concentration of them in the US.
</h3>

<p>
	A newly discovered network botnet comprising an estimated 30,000 webcams and video recorders—with the largest concentration in the US—has been delivering what is likely to be the biggest denial-of-service attack ever seen, a security researcher inside Nokia said.
</p>

<p>
	 
</p>

<p>
	The botnet, tracked under the name Eleven11bot, first came to light in late February when researchers inside Nokia’s Deepfield Emergency Response Team <a href="https://www.linkedin.com/posts/jeromemeyer_new-ddos-botnet-discovered-over-30000-hacked-activity-7301383140806119424-luty/" rel="external nofollow">observed</a> large numbers of geographically dispersed IP addresses delivering “hyper-volumetric attacks.” Eleven11bot has been delivering large-scale attacks ever since.
</p>

<p>
	 
</p>

<p>
	Volumetric DDoSes shut down services by consuming all available bandwidth either inside the targeted network or its connection to the Internet. This approach works differently than exhaustion DDoSes, which over-exert the computing resources of a server. Hypervolumetric attacks are volumetric DDoSes that deliver staggering amounts of data, typically measured in terabits per second.
</p>

<h2>
	Johnny-come-lately botnet sets a new record
</h2>

<p>
	At 30,000 devices, the Eleven11bot was already exceptionally large (although some botnets exceed <a href="https://arstechnica.com/information-technology/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/" rel="external nofollow">well over 100,000 devices</a>). Most of the IP addresses participating, Nokia researcher Jérôme Meyer told me, had never been seen engaging in DDoS attacks.
</p>

<p>
	 
</p>

<p>
	Besides a 30,000-node botnet seeming to appear overnight, another salient feature of Eleven11bot is the record-size volume of data it sends its targets. The largest one Nokia has seen from Eleven11bot so far occurred on February 27 and peaked at about 6.5 terabits per second. The previous record for a volumetric attack was <a href="https://blog.cloudflare.com/ddos-threat-report-for-2024-q4/" rel="external nofollow">reported</a> in January at 5.6 Tbps.
</p>

<p>
	 
</p>

<p>
	"Eleven11bot has targeted diverse sectors, including communications service providers and gaming hosting infrastructure, leveraging a variety of attack vectors," Meyer wrote. While in some cases the attacks are based on the volume of data, others focus on flooding a connection with more data packets than a connection can handle, with numbers ranging from a "few hundred thousand to several hundred million packets per second." Service degradation caused in some attacks has lasted multiple days, with some remaining ongoing as of the time this post went live.
</p>

<p>
	 
</p>

<figure class="ars-wp-img-shortcode id-2080154 align-center">
	<div>
		<img alt="biggest-volumetric-ddos-nokia-640x1095.j" class="center medium" decoding="async" height="1095" loading="lazy" sizes="auto, (max-width: 640px) 100vw, 640px" srcset="https://cdn.arstechnica.net/wp-content/uploads/2025/03/biggest-volumetric-ddos-nokia-640x1095.jpeg 640w, https://cdn.arstechnica.net/wp-content/uploads/2025/03/biggest-volumetric-ddos-nokia-1024x1752.jpeg 1024w, https://cdn.arstechnica.net/wp-content/uploads/2025/03/biggest-volumetric-ddos-nokia-768x1314.jpeg 768w, https://cdn.arstechnica.net/wp-content/uploads/2025/03/biggest-volumetric-ddos-nokia-898x1536.jpeg 898w, https://cdn.arstechnica.net/wp-content/uploads/2025/03/biggest-volumetric-ddos-nokia-1197x2048.jpeg 1197w, https://cdn.arstechnica.net/wp-content/uploads/2025/03/biggest-volumetric-ddos-nokia-980x1676.jpeg 980w, https://cdn.arstechnica.net/wp-content/uploads/2025/03/biggest-volumetric-ddos-nokia.jpeg 1320w" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2025/03/biggest-volumetric-ddos-nokia-640x1095.jpeg">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>A graph showing times on the x axis and Tbps sizes on the y axis. Between 6:00 and 6:45 (date unclear) the y axis records sizes ranging from less than 1 Tbps to a peak of 6.5 Tbps, which occurs between 6:38 and 6:45.</em>
			</div>

			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs">Credit: Nokia</span></em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	A breakdown showed that the largest concentration of IP addresses, at 24.4 percent, was located in the US. Taiwan was next at 17.7 percent, and the UK at 6.5 percent.
</p>

<p>
	 
</p>

<figure class="ars-wp-img-shortcode id-2080157 align-center">
	<div>
		<img alt="eleven11bot-infections-by-country-640x70" class="center medium" decoding="async" height="707" loading="lazy" sizes="auto, (max-width: 640px) 100vw, 640px" srcset="https://cdn.arstechnica.net/wp-content/uploads/2025/03/eleven11bot-infections-by-country-640x707.png 640w, https://cdn.arstechnica.net/wp-content/uploads/2025/03/eleven11bot-infections-by-country-768x848.png 768w, https://cdn.arstechnica.net/wp-content/uploads/2025/03/eleven11bot-infections-by-country.png 922w" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2025/03/eleven11bot-infections-by-country-640x707.png">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>Pie chart showing percentages of IP addresses by country.</em>
			</div>

			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs">Credit: Nokia</span></em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	In an online interview, Meyer made the following points:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<ul>
		<li>
			This botnet is much larger than what we're used to seeing in DDoS attacks (the only precedent I have in mind is an attack from 2022 right after the Ukraine invasion, at ~60k bots, but not public).
		</li>
		<li>
			The vast majority of its IPs were not involved in DDoS attacks prior to last week.
		</li>
		<li>
			Most of the IPs are security cameras (Censys thinks Hisilicon, I saw multiple sources talk to a Hikvision NVR too so that is a possibility but not my area of expertise).
		</li>
		<li>
			Partly because the botnet is larger than average, the attack size is also larger than average.
		</li>
	</ul>
</blockquote>

<p>
	According to a <a href="https://www.greynoise.io/blog/new-ddos-botnet-discovered" rel="external nofollow">post</a> updated on Wednesday from security firm Greynoise, Eleven11bot is most likely a variant of Mirai, a family of malware for infecting webcams and other Internet of Things devices. Mirai debuted in 2016, when tens of thousands of IoT devices infected by it delivered what at the time were record-setting DDoSes of about 1 Tbps and <a href="https://arstechnica.com/information-technology/2016/09/why-the-silencing-of-krebsonsecurity-opens-a-troubling-chapter-for-the-net/" rel="external nofollow">took down security news site KrebsOnSecurity</a> for almost a week. Shortly after that, Mirai developers published their source code in a move that made it easy for copycats everywhere to deliver the same massive attacks. Greynoise said that the variant driving Eleven11bot is using a single new exploit to infect TVT-NVMS 9000 digital video recorders that run on HiSilicon chips.
</p>

<p>
	 
</p>

<p>
	There have been conflicting reports on the number of devices comprising Eleven11bot. Following Nokia's report last Saturday of roughly 30,000 devices, the nonprofit Shadowserver Foundation <a href="https://x.com/Shadowserver/status/1896884082421944813" rel="external nofollow">said</a> Tuesday that the true size was more than 86,000. Then in Wednesday's update, Greynoise said that based on data from fellow security firm Censys, both numbers were inflated and the true number was likely fewer than 5,000.
</p>

<p>
	 
</p>

<p>
	The upward revision from Shadowserver was likely the result of the belief that all infected devices displayed unique device information. That suspicion now appears to be incorrect. Instead, Meyer believes the information seen on infected devices is displayed on all such hardware, whether infected or not. Researchers from Greynoise and Censys weren't immediately available to explain how they arrived at the much lower estimate of fewer than 5,000.
</p>

<p>
	 
</p>

<p>
	Meyer said that he has consistently observed as many as 20,000 to 30,000 IP addresses participating in follow-on attacks, although many attacks come from much smaller subsets. He said that he has since sent a list of all 30,000 or so IP addresses he has observed to Censys and plans to also send them to Shadowserver soon in hopes of getting consensus on the true size.
</p>

<p>
	 
</p>

<p>
	"I am still confident on the estimated count as this is what we keep seeing in attacks and after human review of the source IPs," he wrote.
</p>

<p>
	 
</p>

<p>
	Mirai-based botnets employ various methods for infecting their targets. One common method is to attempt to log in to device administrator accounts using username/password pairs commonly set as defaults by manufacturers. Mirai botnets have also been known to exploit vulnerabilities that bypass security settings.
</p>

<p>
	 
</p>

<p>
	In any case, anyone running any sort of IoT devices should position them behind a router or other form of firewall so they're not visible from outside a local network. Remote administration from outside the local network should be enabled only when needed. Users should also ensure each device is protected by a strong unique password. Last, devices should be updated as soon as security patches become available.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2025/03/massive-botnet-that-appeared-overnight-is-delivering-record-size-ddoses/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28152</guid><pubDate>Thu, 06 Mar 2025 17:25:40 +0000</pubDate></item><item><title>Firefox users slam Mozilla over controversial data privacy update &#x2014; while ironically using "the biggest data-mining operating system in the world (aka Microsoft Windows)"</title><link>https://nsaneforums.com/news/security-privacy-news/firefox-users-slam-mozilla-over-controversial-data-privacy-update-%E2%80%94-while-ironically-using-the-biggest-data-mining-operating-system-in-the-world-aka-microsoft-windows-r28131/</link><description><![CDATA[<h3>
	Mozilla recently updated Firefox's Terms of Use, brewing controversy and concern among users about its stance on data privacy and sharing with third-party vendors.
</h3>

<p>
	Last week, Mozilla was trapped between a rock and a hard place after making a controversial update to its developer's Terms of Use (via <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.pcgamer.com/gaming-industry/mozilla-is-already-trying-to-backtrack-on-firefoxs-controversial-data-privacy-update-but-it-might-be-too-little-too-late/" href="https://www.pcgamer.com/gaming-industry/mozilla-is-already-trying-to-backtrack-on-firefoxs-controversial-data-privacy-update-but-it-might-be-too-little-too-late/" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">PCGamer</a>).
</p>

<p>
	 
</p>

<p>
	The update received backlash from Firefox users, especially because of a section indicating that Mozilla had the right to leverage user data, including "a nonexclusive, royalty-free, worldwide license for the purpose of doing as you request with the content you input in Firefox."
</p>

<p>
	 
</p>

<p>
	Perhaps more concerning, the company scrapped a section of its Frequently Asked Questions (FAQs) that highlighted its promise to keep user data safe and private, away from third-party vendors.
</p>

<p>
	 
</p>

<p>
	The highlighted changes enraged users, prompting the company to update its documentation once again as an attempt to mitigate the arising issues and concerns about its dramatic data privacy shift.
</p>

<p>
	 
</p>

<p>
	Consequently, <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://blog.mozilla.org/en/products/firefox/firefox-news/firefox-terms-of-use/" href="https://blog.mozilla.org/en/products/firefox/firefox-news/firefox-terms-of-use/" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">Mozilla issued an update addressing the issue</a>. The company seemingly shifted blame to a "confusion about the language regarding licenses."
</p>

<p>
	 
</p>

<figure>
	<blockquote class="QuoteNewsStyle">
		<p>
			We’ve seen a little confusion about the language regarding licenses, so we want to clear that up. We need a license to allow us to make some of the basic functionality of Firefox possible. Without it, we couldn’t use information typed into Firefox, for example. It does NOT give us ownership of your data or a right to use it for anything other than what is described in the Privacy Notice.
		</p>

		<p>
			 
		</p>

		<p>
			<em><cite>Mozilla</cite></em>
		</p>
	</blockquote>
</figure>

<p>
	Ajit Varma, VP of Firefox Product, indicated that the update was designed to introduce a new Terms of Use (TOU) and Privacy Notice for Firefox. However, the update seemingly brewed confusion among users about the company's Terms of Use, specifically on licensing.
</p>

<p>
	 
</p>

<p>
	According to Varma:
</p>

<p>
	 
</p>

<div id="slice-container-newsletterForm-articleInbodyContent-HopuidFsWS3qmYwhF2TR4J">
	<div data-hydrate="true">
		<p class="QuoteNewsStyle">
			<em>"Our intent was just to be as clear as possible about how we make Firefox work, but in doing so we also created some confusion and concern.”</em>
		</p>

		<p>
			The new update to Mozilla's documentation seemingly addressed the privacy concerns raised by users, but it might be a little late for the company to salvage the situation.
		</p>

		<p>
			 
		</p>

		<p>
			While the controversial changes to Mozilla's documentation can be attributed to miscommunication on the company's part and misunderstanding on the user's end, the wording on some of the changes made was highly alarming.
		</p>

		<p>
			 
		</p>

		<p>
			For instance, the answer to "What is Firefox?" in Mozilla's FAQ section previously indicated:
		</p>

		<p>
			 
		</p>

		<p class="QuoteNewsStyle">
			<em>"The Firefox Browser is the only major browser backed by a not-for-profit that doesn’t sell your personal data to advertisers while helping you protect your personal information."</em>
		</p>

		<p>
			But the section has since been updated and now reads:
		</p>

		<p>
			 
		</p>

		<p class="QuoteNewsStyle">
			<em>"The Firefox Browser, the only major browser backed by a not-for-profit, helps you protect your personal information."</em>
		</p>

		<p>
			While it might be an assumption and misinterpretation of the updated terms, it seems Mozilla is no longer committed to not selling personal user data to third-party advertisers.
		</p>

		<p>
			 
		</p>

		<p>
			A thorough look at Mozilla's updated documentation reveals that the company is seemingly shying away from affirming its stance on data privacy.
		</p>

		<p>
			 
		</p>

		<p>
			However, Firefox's VP claims the omission of "sell" is a result of the fluid definition of the term when it comes to data sharing and privacy.
		</p>

		<p>
			 
		</p>

		<p>
			According to the VP:
		</p>

		<p class="QuoteNewsStyle">
			<em>“Mozilla doesn’t sell data about you (in the way that most people think about ‘selling data’), and we don’t buy data about you. We changed our language because some jurisdictions define ‘sell’ more broadly than most people would usually understand that word.”</em>
		</p>

		<h2 id="users-are-less-than-pleased-with-firefox-3">
			Users are less-than-pleased with Firefox
		</h2>

		<div>
			<div>

				<p>
					<img alt="Mozilla Firefox on Windows" class="ipsImage" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/UurQNHnDrjVab5pnJhVwL4-1024-80.jpg">
				</p>

				<p>
					<em><span>Much of the blowback also points fingers at folks using Firefox on Windows in regards to data collection. </span></em>
				</p>

				<p>
					<em><span itemprop="copyrightHolder">(Image credit: Future)</span></em>
				</p>

				<p>
					 
				</p>

				<p>
					While Firefox has seemingly attempted to address the recent changes made to its documentation and affirm its data privacy and sharing stances, users are turning a deaf ear to its plea.
				</p>

				<p class="QuoteNewsStyle">
					<em>"People aren't upset about how transparent they're being, they just want to use a browser that doesn't collect and distribute their data,"</em> <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.reddit.com/r/privacy/comments/1izk3f2/stop_spreading_fud_re_firefoxs_new_terms_of_use/" href="https://www.reddit.com/r/privacy/comments/1izk3f2/stop_spreading_fud_re_firefoxs_new_terms_of_use/" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">an enraged Reddit user indicated</a>. <em>"I'm no lawyer, but for example, it sounds like they have license to distribute the data below without contest."</em>
				</p>

				<p>
					Some used the opportunity to throw jabs at Microsoft, branding Windows as "the biggest data-mining operating system."
				</p>

				<p>
					 
				</p>

				<div class="ipsEmbeddedOther" contenteditable="false">
					<iframe allowfullscreen="" class="ipsEmbed_finishedLoading" data-controller="core.front.core.autosizeiframe" data-embedid="embed7699231995" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/iliyalb/status/1896010168422535584?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1896010168422535584%257Ctwgr%255E34bd688182b111965200b1bc94326ea3470bbbf6%257Ctwcon%255Es1_%26ref_url=https://www.windowscentral.com/software-apps/browsing/firefox-users-slam-mozilla-over-controversial-data-privacy-update" style="overflow: hidden; height: 375px;"></iframe>
				</div>

				<div>
					<div>
						<p>
							On the other hand, some users speculate that the controversial changes might be an attempt to bolster Mozilla's, and by extension, Firefox's AI efforts.
						</p>

						<p>
							 
						</p>

						<p>
							According to another Reddit user:
						</p>

						<p class="QuoteNewsStyle">
							<em>"Yes. Crazy stuff. I read recently that the new CEO wants to get into AI and ads. They'll no doubt claim that they're going to do it differently and "respectfully". Personally, I have mozzilla.org, net and com in my Acrylic HOSTS file. If you go to about:config and search for "url" you may be surprised at all the ways that Firefox claims the right to call home without asking."</em>
						</p>

						<p>
							It will be interesting to see how the controversial changes affect Firefox's user base, and whether Mozilla will wade deeper into the AI landscape.
						</p>

						<p>
							 
						</p>

						<p>
							Elsewhere, <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/browsing/hi-microsoft-please-stop-using-harmful-designs-and-deceptive-tactics-to-give-edge-the-competitive-advantage-over-other-browsers-on-windows-says-mozilla" href="https://www.windowscentral.com/software-apps/browsing/hi-microsoft-please-stop-using-harmful-designs-and-deceptive-tactics-to-give-edge-the-competitive-advantage-over-other-browsers-on-windows-says-mozilla" rel="external nofollow">Mozilla has placed Microsoft under fire for using harmful designs and deceptive tactics</a> to give Edge a competitive edge over other browsers in Windows 11.
						</p>

						<p>
							 
						</p>

						<p>
							<a href="https://www.windowscentral.com/software-apps/browsing/firefox-users-slam-mozilla-over-controversial-data-privacy-update" rel="external nofollow">Source</a>
						</p>

						<hr class="ipsHr">
						<p>
							<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
						</p>

						<p>
							<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
						</p>

						<p>
							<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of February): 874</em></span>
						</p>

						<p>
							<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
						</p>
					</div>
				</div>
			</div>
		</div>
	</div>
</div>
]]></description><guid isPermaLink="false">28131</guid><pubDate>Wed, 05 Mar 2025 16:47:49 +0000</pubDate></item><item><title>Nearly 12,000 API keys and passwords found in AI training dataset</title><link>https://nsaneforums.com/news/security-privacy-news/nearly-12000-api-keys-and-passwords-found-in-ai-training-dataset-r28098/</link><description><![CDATA[<p>
	Close to 12,000 valid secrets that include API keys and passwords have been found in the Common Crawl dataset used for training multiple artificial intelligence models.
</p>

<p>
	 
</p>

<p>
	The <a href="https://commoncrawl.org/" rel="external nofollow" target="_blank">Common Crawl</a> non-profit organization maintains a massive open-source repository of petabytes of web data collected since 2008 that is free for anyone to use.
</p>

<p>
	 
</p>

<p>
	Because of the large dataset, many artificial intelligence projects may rely, at least in part, on the digital archive for training large language models (LLMs), including ones from OpenAI, DeepSeek, Google, Meta, Anthropic, and Stability.
</p>

<h3>
	AWS root keys and MailChimp API keys
</h3>

<p>
	Researchers at Truffle Security, the company behind the TruffleHog open-source scanner for sensitive data, found valid secrets after checking 400 terabytes of data from 2.67 billion web pages in the Common Crawl December 2024 archive.
</p>

<p>
	 
</p>

<p>
	They discovered 11,908 secrets that authenticate successfully, all hardcoded by developers, which indicates that LLMs could be trained on insecure code.
</p>

<p>
	 
</p>

<p>
	It should be noted that LLM training data is not used in raw form and goes through a pre-processing stage that involves cleaning and filtering out unnecessary content such as irrelevant data and duplicate, harmful, or sensitive information.
</p>

<p>
	 
</p>

<p>
	Despite such efforts, it is difficult to remove confidential data, and the process offers no guarantee for stripping such a large dataset of all personally identifiable information (PII), financial data, medical records, and other sensitive content.
</p>

<p>
	 
</p>

<p>
	After analyzing the scanned data, Truffle Security found valid API keys for Amazon Web Services (AWS), MailChimp, and WalkScore services.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="AWS root key in HTML form" class="ipsImage" height="109" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/AWSrootKey_TruffleSecurity.jpg">
		<figcaption>
			<em>AWS root key in front-end HTML<br>
			source: Truffle Security</em>
		</figcaption>
	</figure>
</div>

<p>
	Overall, TruffleHog identified 219 distinct secret types in the Common Crawl dataset, the most common being MailChimp API keys.
</p>

<p>
	 
</p>

<div class="QuoteNewsStyle">
	<p>
		“Nearly 1,500 unique Mailchimp API keys were hard coded in front-end HTML and JavaScript” - <a href="https://trufflesecurity.com/blog/research-finds-12-000-live-api-keys-and-passwords-in-deepseek-s-training-data" rel="external nofollow" target="_blank">Truffle Security</a>
	</p>
</div>

<p>
	The researchers explain that the developers’ mistake was to hardcode the keys into HTML forms and JavaScript snippets instead of using server-side environment variables.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="MailChimp API keys leaked in front-end HTML and JavaScript" class="ipsImage" height="145" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/MailChimpAPIKey_TruffleSecurity.jpg">
		<figcaption>
			<em>MailChimp API key leaked in front-end HTML<br>
			source: Truffle Security</em>
		</figcaption>
	</figure>
</div>

<p>
	An attacker could use these keys for malicious activity such as phishing campaigns and brand impersonation. Furthermore, leaking such secrets could lead to data exfiltration.
</p>

<p>
	 
</p>

<p>
	Another highlight in the report is the high reuse rate of the discovered secrets: 63% were present on multiple pages. One of them, a WalkScore API key, “appeared 57,029 times across 1,871 subdomains.”
</p>

<p>
	 
</p>

<p>
	The researchers also found one webpage with 17 unique live Slack webhooks, which should be kept secret because they allow apps to post messages into Slack.
</p>

<p>
	 
</p>

<div class="QuoteNewsStyle">
	<p>
		“Keep it secret, keep it safe. Your webhook URL contains a secret. Don't share it online, including via public version control repositories,” Slack <a href="https://api.slack.com/messaging/webhooks" rel="external nofollow" target="_blank">warns</a>.
	</p>
</div>

<p>
	Following the research, Truffle Security contacted impacted vendors and worked with them to revoke their users' keys. “We successfully helped those organizations collectively rotate/revoke several thousand keys,” the researchers say.
</p>

<p>
	 
</p>

<p>
	Even if an artificial intelligence model uses older archives than the dataset the researchers scanned, Truffle Security's findings serve as a warning that insecure coding practices could influence the behavior of the LLM.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/nearly-12-000-api-keys-and-passwords-found-in-ai-training-dataset/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28098</guid><pubDate>Mon, 03 Mar 2025 15:51:02 +0000</pubDate></item><item><title>Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-gangs-exploit-paragon-partition-manager-bug-in-byovd-attacks-r28086/</link><description><![CDATA[<p>
	Microsoft discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows.
</p>

<p>
	 
</p>

<p>
	The vulnerable drivers were exploited in 'Bring Your Own Vulnerable Driver' (BYOVD) attacks where threat actors drop the kernel driver on a targeted system to elevate privileges.
</p>

<p>
	 
</p>

<p>
	"An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim's machine," explains a warning from CERT/CC.
</p>

<p>
	 
</p>

<p>
	"Additionally, as the attack involves a Microsoft-signed Driver, an attacker can leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed."
</p>

<p>
	 
</p>

<p>
	As BioNTdrv.sys is a kernel-level driver, threat actors can exploit vulnerabilities to execute commands with the same privileges as the driver, bypassing protections and security software.
</p>

<p>
	 
</p>

<p>
	Microsoft researchers discovered all five flaws, noting that one of them, CVE-2025-0289, is leveraged in attacks by ransomware groups. However, the researchers did not disclose which ransomware gangs were exploiting the flaw as a zero-day.
</p>

<p>
	 
</p>

<p>
	"Microsoft has observed threat actors (TAs) exploiting this weakness in BYOVD ransomware attacks, specifically using CVE-2025-0289 to achieve privilege escalation to SYSTEM level, then execute further malicious code," <a href="https://kb.cert.org/vuls/id/726882" rel="external nofollow" target="_blank">reads the CERT/CC bulletin</a>.
</p>

<p>
	 
</p>

<p>
	"These vulnerabilities have been patched by both Paragon Software, and vulnerable BioNTdrv.sys versions blocked by Microsoft's Vulnerable Driver Blocklist."
</p>

<p>
	 
</p>

<p>
	The Paragon Partition Manager flaws discovered by Microsoft are:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		<strong>CVE-2025-0288 </strong>– Arbitrary kernel memory write caused by the improper handling of the 'memmove' function, allowing attackers to write to kernel memory and escalate privileges.
	</li>
	<li>
		<strong>CVE-2025-0287</strong> – Null pointer dereference arising from a missing validation of a 'MasterLrp' structure in the input buffer, enabling the execution of arbitrary kernel code.
	</li>
	<li>
		<strong>CVE-2025-0286 </strong>– Arbitrary kernel memory write caused by the improper validation of user-supplied data lengths, allowing attackers to execute arbitrary code.
	</li>
	<li>
		<strong>CVE-2025-0285</strong> – Arbitrary kernel memory mapping caused by the failure to validate user-supplied data, enabling privilege escalation by manipulating kernel memory mappings.
	</li>
	<li>
		<strong>CVE-2025-0289 </strong>– Insecure kernel resource access caused by the failure to validate the 'MappedSystemVa' pointer before passing it to 'HalReturnToFirmware,' leading to potential compromise of system resources.
	</li>
</ul>

<p>
	 
</p>

<p>
	The first four vulnerabilities impact Paragon Partition Manager versions 7.9.1 and earlier, while CVE-2025-0289, the actively exploited flaw, impacts version 17 and older.
</p>

<p>
	 
</p>

<p>
	Users of the software are advised to upgrade to the latest version, which contains BioNTdrv.sys version 2.0.0 and addresses all of the mentioned flaws.
</p>

<p>
	 
</p>

<p>
	However, it's important to note that even users who don't have Paragon Partition Manager installed are not safe from attacks. BYOVD tactics don't rely on the software being present on the target's machine.
</p>

<p>
	 
</p>

<p>
	Instead, threat actors include the vulnerable driver with their own tools, allowing them to load it into Windows and escalate privileges.
</p>

<p>
	 
</p>

<p>
	Microsoft has updated its 'Vulnerable Driver Blocklist' to block the driver from loading in Windows, so users and organizations should verify the protection system is active.
</p>

<p>
	 
</p>

<p>
	You can check if the blocklist is enabled by going to <strong>Settings </strong>→ <strong>Privacy &amp; security</strong> → <strong>Windows Security</strong> → <strong>Device security</strong> → <strong>Core isolation</strong> → <strong>Microsoft Vulnerable Driver Blocklist</strong> and making sure the setting is enabled.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Windows setting" class="ipsImage" height="720" width="669" src="https://www.bleepstatic.com/images/news/u/1220909/2025/February/opmg/setting(1).jpg">
		<figcaption>
			<em>Windows setting for vulnerable drivers blocklist<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	A notice on Paragon Software's site also warns that users must upgrade Paragon Hard Disk Manager by today, as it uses the same driver, which Microsoft will block today.
</p>

<p>
	 
</p>

<p>
	While it is unclear which ransomware gangs are exploiting the Paragon flaw, BYOVD attacks have become increasingly popular among cybercriminals as they allow them to easily gain SYSTEM privileges on Windows devices.
</p>

<p>
	 
</p>

<p>
	Threat actors known to be utilizing BYOVD attacks include <a href="https://www.bleepingcomputer.com/news/security/scattered-spider-hackers-use-old-intel-driver-to-bypass-security/" rel="external nofollow" target="_blank">Scattered Spider</a>, <a href="https://www.bleepingcomputer.com/news/microsoft/windows-driver-zero-day-exploited-by-lazarus-hackers-to-install-rootkit/" rel="external nofollow" target="_blank">Lazarus</a>, <a href="https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-abuses-legit-driver-to-disable-security-products/" rel="external nofollow" target="_blank">BlackByte ransomware</a>, <a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-abuse-process-explorer-driver-to-kill-security-software/" rel="external nofollow" target="_blank">LockBit ransomware</a>, and many more.
</p>

<p>
	 
</p>

<p>
	For this reason, it is important to enable the Microsoft Vulnerable Driver Blocklist feature to prevent vulnerable drivers from being used on your Windows devices.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-exploit-paragon-partition-manager-bug-in-byovd-attacks/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28086</guid><pubDate>Sun, 02 Mar 2025 17:42:13 +0000</pubDate></item><item><title>Firefox deletes promise to never sell personal data, asks users not to panic</title><link>https://nsaneforums.com/news/security-privacy-news/firefox-deletes-promise-to-never-sell-personal-data-asks-users-not-to-panic-r28067/</link><description><![CDATA[<h3>
	Mozilla says it deleted promise because "sale of data" is defined broadly.
</h3>

<p>
	Firefox maker Mozilla deleted a promise to never sell its users' personal data and is trying to assure worried users that its approach to privacy hasn't fundamentally changed. Until recently, a Firefox FAQ promised that the browser maker never has and never will sell its users' personal data. An <a href="https://web.archive.org/web/20250130114707/https://www.mozilla.org/en-US/firefox/faq/" rel="external nofollow">archived version</a> from January 30 says:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<strong>Does Firefox sell your personal data?</strong>
	</p>

	<p>
		 
	</p>

	<p>
		Nope. Never have, never will. And we protect you from many of the advertisers who do. Firefox products are designed to protect your privacy. <a href="https://web.archive.org/web/20250130114707/https://www.mozilla.org/en-US/privacy/" rel="external nofollow">That's a promise.</a>
	</p>
</blockquote>

<p>
	That promise is removed from the <a href="https://www.mozilla.org/en-US/firefox/faq/" rel="external nofollow">current version</a>. There's also a notable change in a <a href="https://web.archive.org/web/20250206184553/https://www.mozilla.org/en-US/privacy/faq/" rel="external nofollow">data privacy FAQ</a> that used to say, "Mozilla doesn't sell data about you, and we don't buy data about you."
</p>

<p>
	 
</p>

<p>
	The data privacy FAQ now <a href="https://www.mozilla.org/en-US/privacy/faq/" rel="external nofollow">explains</a> that Mozilla is no longer making blanket promises about not selling data because some legal jurisdictions define "sale" in a very broad way:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Mozilla doesn't sell data about you (in the way that most people think about "selling data"), and we don't buy data about you. Since we strive for transparency, and the LEGAL definition of "sale of data" is extremely broad in some places, we've had to step back from making the definitive statements you know and love. We still put a lot of work into making sure that the data that we share with our partners (which we need to do to make Firefox commercially viable) is stripped of any identifying information, or shared only in the aggregate, or is put through our privacy preserving technologies (like <a href="https://support.mozilla.org/kb/ohttp-explained" rel="external nofollow">OHTTP</a>).
	</p>
</blockquote>

<p>
	Mozilla didn't say which legal jurisdictions have these broad definitions.
</p>

<h2>
	Users complain: “Not acceptable”
</h2>

<p>
	Users criticized Mozilla in discussions on <a href="https://github.com/mozilla/bedrock/commit/d459addab846d8144b61939b7f4310eb80c5470e" rel="external nofollow">GitHub</a> and <a href="https://www.reddit.com/r/firefox/comments/1iznn90/in_response_to_people_saying_mozilla_is_removing/" rel="external nofollow">Reddit</a>. One area of concern is over new <a href="https://www.mozilla.org/en-US/about/legal/terms/firefox/" rel="external nofollow">terms of use</a> that say, "When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of Firefox."
</p>

<p>
	 
</p>

<p>
	<strong>Update at 10:20 pm ET</strong>: Mozilla has since <a href="https://blog.mozilla.org/en/products/firefox/update-on-terms-of-use/" rel="external nofollow">announced</a> a change to the license language to address user complaints. It now says, "You give Mozilla the rights necessary to operate Firefox. This includes processing your data as we describe in the Firefox Privacy Notice. It also includes a nonexclusive, royalty-free, worldwide license for the purpose of doing as you request with the content you input in Firefox. This does not give Mozilla any ownership in that content."
</p>

<p>
	 
</p>

<p>
	Mozilla also took heat from users after a Mozilla employee solicited feedback in a <a href="https://connect.mozilla.org/t5/discussions/information-about-the-new-terms-of-use-and-updated-privacy/m-p/87735/highlight/true#M33600" rel="external nofollow">connect.mozilla.org discussion forum</a>. "This isn't a question of messaging or clarifying," one person wrote. "You cannot ask your users to give you these broad rights to their data. This agreement, as currently written, is not acceptable."
</p>

<p>
	 
</p>

<p>
	Mozilla announced the new terms of use and an updated privacy policy in a <a href="https://blog.mozilla.org/en/products/firefox/firefox-news/firefox-terms-of-use/" rel="external nofollow">blog post</a> on Wednesday. After seeing criticism, Mozilla added a clarification that said the company needs "a license to allow us to make some of the basic functionality of Firefox possible. Without it, we couldn't use information typed into Firefox, for example. It does NOT give us ownership of your data or a right to use it for anything other than what is described in the Privacy Notice."
</p>

<p>
	 
</p>

<p>
	One of the uses described in the <a href="https://www.mozilla.org/en-US/privacy/firefox/#notice" rel="external nofollow">privacy notice</a> has to do with users' location data. Mozilla says it takes steps to anonymize the data and that users can turn the functionality off entirely:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Mozilla may also receive location-related keywords from your search (such as when you search for "Boston") and share this with our partners to provide recommended and sponsored content. Where this occurs, Mozilla cannot associate the keyword search with an individual user once the search suggestion has been served and partners are never able to associate search suggestions with an individual user. You can remove this functionality at any time by turning off Sponsored Suggestions—more information on how to do this is available in the relevant <a href="https://support.mozilla.org/kb/firefox-suggest?as=u" rel="external nofollow">Firefox Support</a> page.
	</p>
</blockquote>

<p>
	Some users were not convinced by Mozilla's statements about needing a license to use data to provide basic functionality. "That's a load of crap and you know it. 'Basic functionality' is to download and render webpages," one person wrote in response to Mozilla's request for feedback.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/tech-policy/2025/02/firefox-deletes-promise-to-never-sell-personal-data-asks-users-not-to-panic/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of January): 487</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">28067</guid><pubDate>Sat, 01 Mar 2025 18:58:38 +0000</pubDate></item><item><title>Microsoft wants you on AES as Windows 11 24H2, Server 2025 ditches ancient DES encryption</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-wants-you-on-aes-as-windows-11-24h2-server-2025-ditches-ancient-des-encryption-r28066/</link><description><![CDATA[<p>
	This week, Microsoft updated the webpages that track the features removed from Windows client and Windows Server. The company has confirmed that the DES (Data Encryption Standard) cipher is being removed from Windows 11 24H2 and Windows Server 2025. The tech giant reasons that the DES encryption algorithm is too old to be secure, so its removal makes sense as part of the <a href="https://www.neowin.net/news/microsoft-officially-says-it-is-making-security-our-top-priority-from-now-on/" rel="external nofollow">broader strategy to improve Windows security</a>.
</p>

<p>
	 
</p>

<p>
	Microsoft <a href="https://learn.microsoft.com/en-us/windows/whats-new/removed-features" rel="external nofollow">writes</a>:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		DES, the symmetric-key block encryption cipher, is considered nonsecure against modern cryptographic attacks, and replaced by more robust encryption algorithms. DES was disabled by default starting with Windows 7 and Windows Server 2008 R2. It's removed from Windows 11, version 24H2 and later, and Windows Server 2025 and later.
	</p>
</blockquote>

<p>
	For those who may not be familiar with it, DES is a symmetric cipher that was developed back in the 1970s. It uses a 56-bit key to encrypt and decrypt 64-bit data blocks. Triple DES is the form of DES currently recommended, through 2030, <a href="https://csrc.nist.gov/pubs/sp/800/67/r1/final" rel="external nofollow">by NIST</a> (National Institute of Standards and Technology).
</p>

<p>
	 
</p>

<p>
	Microsoft has also updated the Windows message center to inform IT admins and system administrators about the upcoming removal of DES in Kerberos on Windows 11 24H2 and Windows Server 2025. It recommends moving to AES or Advanced Encryption Standard which uses longer key lengths of 128, 192, or 256 bits. It <a href="https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3491" rel="external nofollow">says</a>:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		IT admins: Prepare for removal of Data Encryption Standard (DES) in Kerberos for Windows Server 2025 and Windows 11, version 24H2. While it’s an optional component that isn’t installed by default, it’s important to detect and disable your DES use to avoid potential disruption before taking the September 2025 security update. Consider adopting the Advanced Encryption Standard (AES) algorithm as a stronger encryption method.
	</p>
</blockquote>

<p>
	Microsoft also now allows default encryption of Windows 11 24H2 Home PCs with AES-based BitLocker, and it recently explained how system requirements <a href="https://www.neowin.net/news/microsoft-lists-a-reason-why-tpm-secure-boot-are-required-on-windows-11-in-2024-2025/" rel="external nofollow">like TPM play a key part in that</a>.
</p>

<p>
	 
</p>

<p>
	The company has also described how the disablement of DES in Kerberos will be done in two phases, Compatibility Mode and Disabled Mode:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		This transition to disable DES in Kerberos on Windows devices will occur in phases.
	</p>

	<p>
		 
	</p>

	<p>
		<strong>Compatibility Mode:</strong> DES in Kerberos is disabled by default on all Client and Server versions of Windows released on and after Windows 7 and Windows Server 2008 R2. If DES is required in Kerberos, administrators can manually configure the DES cipher on supported operating systems with the exception of Windows 11 24H2 and Windows Server 2025 devices that have installed updates released on and after September 9, 2025.
	</p>

	<p>
		 
	</p>

	<p>
		<strong>DES in Kerberos Disabled Mode:</strong> Once DES in Kerberos is removed, it will no longer be supported as an encryption cipher in any function of Kerberos in Windows Server 2025 and later and Windows 11, version 24H2 and later. Legacy scenarios using DES on those two operating system versions will stop working until Kerberos-related application and network security configuration changes are made by IT administrators, so a safer cipher can be used.
	</p>

	<p>
		 
	</p>

	<p>
		DES will not be removed from earlier Windows versions.
	</p>
</blockquote>

<p>
	You can find more details <a href="https://techcommunity.microsoft.com/blog/WindowsServerNewsandBestPractices/removal-of-des-in-kerberos-for-windows-server-and-client/4386903" rel="external nofollow">here</a> in the Microsoft Tech Community blog post.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-wants-you-on-aes-as-windows-11-24h2-server-2025-ditches-ancient-des-encryption/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28066</guid><pubDate>Sat, 01 Mar 2025 18:56:49 +0000</pubDate></item><item><title>Copilot exposes private GitHub pages, some removed by Microsoft</title><link>https://nsaneforums.com/news/security-privacy-news/copilot-exposes-private-github-pages-some-removed-by-microsoft-r28039/</link><description><![CDATA[<h3>
	Repositories, once set to public and later to private, still accessible through Copilot.
</h3>

<p>
	Microsoft’s Copilot AI assistant is exposing the contents of more than 20,000 private GitHub repositories from companies including Google, Intel, Huawei, PayPal, IBM, Tencent and, ironically, Microsoft.
</p>

<p>
	 
</p>

<p>
	These repositories, belonging to more than 16,000 organizations, were originally posted to GitHub as public, but were later set to private, often after the developers responsible realized they contained authentication credentials allowing unauthorized access or other types of confidential data. Even months later, however, the private pages remain available in their entirety through Copilot.
</p>

<p>
	 
</p>

<p>
	AI security firm Lasso discovered the behavior in the second half of 2024. After finding in January that Copilot continued to store private repositories and make them available, Lasso set out to measure how big the problem really was.
</p>

<h2>
	Zombie repositories
</h2>

<p>
	“After realizing that any data on GitHub, even if public for just a moment, can be indexed and potentially exposed by tools like Copilot, we were struck by how easily this information could be accessed,” Lasso researchers Ophir Dror and Bar Lanyado wrote in a <a href="https://www.lasso.security/blog/lasso-major-vulnerability-in-microsoft-copilot" rel="external nofollow">post on Thursday</a>. “Determined to understand the full extent of the issue, we set out to automate the process of identifying zombie repositories (repositories that were once public and are now private) and validate our findings.”
</p>

<p>
	 
</p>

<p>
	After discovering Microsoft was exposing one of Lasso’s own private repositories, the Lasso researchers traced the problem to the cache mechanism in Bing. The Microsoft search engine indexed the pages when they were published publicly, and never bothered to remove the entries once the pages were changed to private on GitHub. Since Copilot used Bing as its primary search engine, the private data was available through the AI chat bot as well.
</p>

<p>
	 
</p>

<p>
	After Lasso reported the problem in November, Microsoft introduced changes designed to fix it. Lasso confirmed that the private data was no longer available through Bing cache, but it went on to make an interesting discovery—the availability in Copilot of a GitHub repository that had been made private following a lawsuit Microsoft had filed. The suit alleged the repository hosted tools specifically designed to bypass the safety and security guardrails built into the company’s generative AI services. The repository was subsequently removed from GitHub, but as it turned out, Copilot continued to make the tools available anyway.
</p>

<p>
	 
</p>

<figure class="ars-wp-img-shortcode id-2078859 align-fullwidth">
	<div>
		<img alt="de3u-repository-still-in-copilot-1024x94" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/02/de3u-repository-still-in-copilot-1024x949.png">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>Screenshot showing Copilot continues to serve tools Microsoft took action to have removed from GitHub. <span class="caption-credit mt-2 text-xs"><em> </em></span></em>
			</div>

			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs"><em>Credit: Lasso </em></span> </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	Lasso ultimately determined that Microsoft’s fix involved cutting off public access to a special Bing user interface, once available at cc.bingj.com. The fix, however, didn't appear to clear the private pages from the cache itself. As a result, the private information was still accessible to Copilot, which in turn would make it available to the Copilot user who asked.
</p>

<p>
	 
</p>

<p>
	The Lasso researchers explained:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Although Bing’s cached link feature was disabled, cached pages continued to appear in search results. This indicated that the fix was a temporary patch and while public access was blocked, the underlying data had not been fully removed.
	</p>

	<p>
		 
	</p>

	<p>
		When we revisited our investigation of Microsoft Copilot, our suspicions were confirmed: Copilot still had access to the cached data that was no longer available to human users. In short, the fix was only partial: human users were prevented from retrieving the cached data, but Copilot could still access it.
	</p>
</blockquote>

<p>
	The post laid out simple steps anyone can take to find and view the same massive trove of private repositories Lasso identified.
</p>

<h2>
	There’s no putting toothpaste back in the tube
</h2>

<p>
	Developers frequently embed security tokens, private encryption keys and other sensitive information directly into their code, despite best practices that have long called for such data to be supplied through more secure means. The potential damage worsens when this code is made available in public repositories, another common security failing. The phenomenon has occurred <a href="https://arstechnica.com/security/2023/11/developers-cant-seem-to-stop-exposing-credentials-in-publicly-accessible-code/" rel="external nofollow">over and over</a> for <a href="https://arstechnica.com/information-technology/2013/01/psa-dont-upload-your-important-passwords-to-github/" rel="external nofollow">more than a decade</a>.
</p>

<p>
	 
</p>

<p>
	When these sorts of mistakes happen, developers often make the repositories private quickly, hoping to contain the fallout. Lasso’s findings show that simply making the code private isn’t enough. Once exposed, credentials are irreparably compromised. The only recourse is to rotate all credentials.
</p>

<p>
	 
</p>

<p>
	This advice still doesn’t address the problems resulting when other sensitive data is included in repositories that are switched from public to private. Microsoft incurred legal expenses to have tools removed from GitHub after alleging they violated a raft of laws, including the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, the Lanham Act, and the Racketeer Influenced and Corrupt Organizations Act. Company lawyers prevailed in getting the tools removed. To date, Copilot continues undermining this work by making the tools available anyway.
</p>

<p>
	 
</p>

<p>
	In an emailed statement sent after this post went live, Microsoft wrote: "It is commonly understood that large language models are often trained on publicly available information from the web. If users prefer to avoid making their content publicly available for training these models, they are encouraged to keep their repositories private at all times."
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/information-technology/2025/02/copilot-exposes-private-github-pages-some-removed-by-microsoft/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28039</guid><pubDate>Fri, 28 Feb 2025 07:34:35 +0000</pubDate></item><item><title>Vo1d malware botnet grows to 1.6 million Android TVs worldwide</title><link>https://nsaneforums.com/news/security-privacy-news/vo1d-malware-botnet-grows-to-16-million-android-tvs-worldwide-r28038/</link><description><![CDATA[<p>
	A new variant of the Vo1d malware botnet has grown to 1,590,299 infected Android TV devices across 226 countries, recruiting devices as part of anonymous proxy server networks.
</p>

<p>
	 
</p>

<p>
	This is according to an <a href="https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet/" rel="external nofollow" target="_blank">investigation by XLab</a>, which has been tracking the new campaign since last November, reporting that the botnet peaked on January 14, 2025, and currently has 800,000 active bots.
</p>

<p>
	 
</p>

<p>
	In September 2024, Dr. Web antivirus researchers found <a href="https://www.bleepingcomputer.com/news/security/new-vo1d-malware-infects-13-million-android-streaming-boxes/" rel="external nofollow" target="_blank">1.3 million devices</a> across 200 countries compromised by Vo1d malware via an unknown infection vector.
</p>

<p>
	 
</p>

<p>
	XLab's recent report indicates that the new version of the Vo1d botnet continues its operations on a larger scale, not deterred by the previous exposure.
</p>

<p>
	 
</p>

<p>
	Moreover, the researchers underline that the botnet has evolved with advanced encryption (RSA + custom XXTEA), resilient DGA-powered infrastructure, and enhanced stealth capabilities.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Vo1d botnet size over time" class="ipsImage" height="448" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/February/opmg/botnet-size.jpg">
		<figcaption>
			<em><strong>Vo1d botnet size over time</strong><br>
			Source: XLab</em>
		</figcaption>
	</figure>
</div>

<h2>
	Massive botnet size
</h2>

<p>
	The Vo1d botnet is one of the largest seen in recent years, surpassing <a href="https://www.bleepingcomputer.com/news/security/bigpanzi-botnet-infects-170-000-android-tv-boxes-with-malware/" rel="external nofollow" target="_blank">Bigpanzi</a>, the original Mirai operation, and the botnet responsible for a record-breaking <a href="https://www.bleepingcomputer.com/news/security/cloudflare-mitigated-a-record-breaking-56-tbps-ddos-attack/" rel="external nofollow" target="_blank">5.6 Tbps DDoS attack</a> handled by Cloudflare last year.
</p>

<p>
	 
</p>

<p>
	As of February 2025, nearly 25% of the infections impact Brazilian users, followed by devices in South Africa (13.6%), Indonesia (10.5%), Argentina (5.3%), Thailand (3.4%), and China (3.1%).
</p>

<p>
	 
</p>

<p>
	The researchers report that the botnet has had notable infection surges, like going from 3,900 to 217,000 bots in India within just three days.
</p>

<p>
	 
</p>

<p>
	The largest fluctuations suggest that the botnet operators may be "renting" devices as proxy servers, which are commonly used to conduct further illegal activity or botting.
</p>

<p>
	 
</p>

<div class="QuoteNewsStyle">
	<p>
		"We speculate that the phenomenon of "rapid surges followed by sharp declines" may be attributed to Vo1d leasing its botnet infrastructure in specific regions to other groups. Here's how this "rental-return" cycle could work:
	</p>

	<p>
		 
	</p>

	<p>
		<strong>Leasing Phase</strong>:
	</p>

	<p>
		 
	</p>

	<p>
		At the start of a lease, bots are diverted from the main Vo1d network to serve the lessee's operations. This diversion causes a sudden drop in Vo1d's infection count as the bots are temporarily removed from its active pool.
	</p>

	<p>
		 
	</p>

	<p>
		<strong>Return Phase</strong>:
	</p>

	<p>
		 
	</p>

	<p>
		Once the lease period ends, the bots rejoin the Vo1d network. This reintegration leads to a rapid spike in infection counts as the bots become active again under Vo1d's control.
	</p>

	<p>
		 
	</p>

	<p>
		This cyclical mechanism of "leasing and returning" could explain the observed fluctuations in Vo1d's scale at specific time points."
	</p>

	<p>
		 
	</p>
	❖ XLab
</div>

<p>
	The scale of its command and control (C2) infrastructure is also impressive, with the operation using 32 domain generation algorithm (DGA) seeds to produce over 21,000 C2 domains.
</p>

<p>
	 
</p>

<p>
	C2 communication is protected by a 2048-bit RSA key, so even if researchers identify and register a C2 domain, they are not able to issue commands to the bots.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Most impacted countries" class="ipsImage" height="395" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/February/opmg/current-countries.jpg">
		<figcaption>
			<em><strong>Most impacted countries as of February 25</strong><br>
			Source: XLab</em>
		</figcaption>
	</figure>
</div>

<h2>
	Vo1d capabilities
</h2>

<p>
	The Vo1d botnet is a multi-purpose cybercrime tool that turns compromised devices into proxy servers to facilitate illegal operations.
</p>

<p>
	 
</p>

<p>
	Infected devices relay malicious traffic for the cybercriminals, hiding the origin of their activity and blending in with residential network traffic. This also helps the threat actors bypass regional restrictions, security filtering, and other protections.
</p>

<p>
	 
</p>

<p>
	Another function of Vo1d is ad fraud, faking user interactions by simulating clicks on ads or views on video platforms to generate revenue for fraudulent advertisers.
</p>

<p>
	 
</p>

<p>
	The malware has specific plugins that automate ad interactions and simulate human-like browsing behavior, as well as the Mzmess SDK, which distributes fraud tasks to different bots.
</p>

<p>
	 
</p>

<p>
	Given that the infection chain remains unknown, it is recommended that Android TV users follow a holistic security approach to mitigate the Vo1d threat.
</p>

<p>
	 
</p>

<p>
	The first step is buying devices from reputable vendors and trustworthy resellers to minimize the likelihood of malware being pre-loaded from the factory or while in transit.
</p>

<p>
	 
</p>

<p>
	Secondly, it's crucially important to install firmware and security updates that close gaps that may be leveraged for remote infections.
</p>

<p>
	 
</p>

<p>
	Thirdly, users should avoid downloading apps from outside Google Play and avoid third-party firmware images that promise extended and "unlocked" functionality.
</p>

<p>
	 
</p>

<p>
	Android TV devices should have their remote access features disabled if not needed, and taking them offline when not in use is also an effective strategy.
</p>

<p>
	 
</p>

<p>
	Ultimately, IoT devices should be isolated at the network level from valuable devices that hold sensitive data.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/vo1d-malware-botnet-grows-to-16-million-android-tvs-worldwide/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28038</guid><pubDate>Fri, 28 Feb 2025 07:33:29 +0000</pubDate></item></channel></rss>
