Links 24/11/2025: "Court Ends Dragnet Electricity Surveillance Program in Sacramento," SUSE Talks "Buying European"
Leftovers
-
The Register UK ☛ Weaponized file name flaw allows RCE through glob
Glob versions v10.2.0 through v11.0.3 are vulnerable, and even then only in specific environments that process files from untrusted sources on POSIX systems with CI/CD pipes or build scripts that invoke glob -c or glob --cmd.
Glob v10.5.0, v11.1.0, and v12.0.0 fix the issue; glob users who can check off all the vulnerability criteria are advised to update as soon as possible.
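As an added illustration of the bug class the article describes (this is not code from the glob project or from The Register): a Python script that builds a command line from matched file names the naive way and the shell-quoted way, runs both through /bin/sh, and then shows the argv form that avoids a shell entirely. The hostile file name is constructed for the example and its command substitution is a harmless echo.

```python
import shlex
import subprocess
import sys

# Constructed example of a "weaponized" file name: to a shell, $(...) is a
# command substitution, so the name itself carries a command. The payload
# here is a harmless echo.
HOSTILE_NAME = "report$(echo injected).txt"


def unsafe_command_line(cmd: str, names: list[str]) -> str:
    """Risky pattern: splice matched file names into one shell string verbatim."""
    return cmd + " " + " ".join(names)


def safe_command_line(cmd: str, names: list[str]) -> str:
    """Same construction, but every name is escaped with shlex.quote, so
    shell metacharacters inside it stay literal."""
    return cmd + " " + " ".join(shlex.quote(n) for n in names)


def run_via_shell(line: str) -> str:
    """Hand a string to /bin/sh, as a script that expands a --cmd-style
    option into a shell command would. Returns captured stdout."""
    return subprocess.run(
        line, shell=True, capture_output=True, text=True, check=True
    ).stdout


def run_via_argv(cmd: list[str], names: list[str]) -> str:
    """Preferred fix: no shell at all. Each name is its own argv element and
    is never parsed for metacharacters. Returns captured stdout."""
    return subprocess.run(
        cmd + names, capture_output=True, text=True, check=True
    ).stdout


# Helper command that prints its first argument. Using the Python interpreter
# keeps the example independent of which echo/printf binaries are installed.
PRINT_ARG = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


if __name__ == "__main__":
    print("unsafe :", run_via_shell(unsafe_command_line("echo", [HOSTILE_NAME])), end="")
    print("quoted :", run_via_shell(safe_command_line("echo", [HOSTILE_NAME])), end="")
    print("argv   :", run_via_argv(PRINT_ARG, [HOSTILE_NAME]), end="")
```

The unquoted line prints `reportinjected.txt`: the shell ran the substitution embedded in the file name. The quoted line and the argv form print the name literally. Quoting only helps when every interpolation site is covered; passing an argument vector to the program directly removes the shell parse step altogether, which is why it is the safer default for anything that feeds untrusted file names to another command.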
-
Science
-
Rlang ☛ Data Science Quiz For Humanities
Test your skills with this interactive data science quiz covering statistics, Python, R, and data analysis.
-
-
Career/Education
-
Futurism ☛ Here's an Interesting Theory About Why Kids' Test Results Have Fallen to Their Lowest Point in Two Decades
But “although it once seemed like a good idea to give every child his or her own device,” Twenge added, “it’s clear that those policies have been a failure.”
A lot of focus has been paid to smartphones’ soul-sucking, attention-span-destroying effects, which are hard to ignore since they’re everywhere. Schools, seeing the writing on the wall, have started banning phones — but not laptops, even though a portable computer can do everything distracting a smartphone can do, and perhaps more. It doesn’t help that many schools provide and even mandate that students be able to use laptops in class, meaning that parents can’t ask teachers or administrators to take the laptops away.
-
EFF ☛ Celebrating Books on Building a Better Future
One of our favorite—and most important—things that we do at EFF is to work toward a better future. It can be easy to get caught up in all the crazy things that are happening in the moment, especially with the fires that need to be put out. But it’s just as important to keep our eyes on new technologies, how they are impacting digital rights, and how we can ensure that our rights and freedoms expand over time.
That's why EFF is excited to spotlight two free book events this December that look ahead, providing insight on how to build this better future. Featuring EFF’s Executive Director Cindy Cohn, we’ll be exploring how stories, technology, and policy shape the world around us. Here’s how you can join us this year and learn more about next year’s events: [...]
-
Pete Brown ☛ Missing the point on school cellphone bans
And yes, some kids figure out ways to sneak phones past the ban, but mostly it works. Does it ensure that no kids are using social media or reduce the amount of time they spend shouting the latest annoying TikTok meme? Not really—that still happens 6 or 7 times an hour (see what I did there?), but again—I don’t think that is or should be the point of these bans. The point is to reduce in-classroom disruptions, and at least in our experience here, it has been pretty effective.
-
-
Hardware
-
Brian Sholis ☛ It’s nice to have a hobby
Last May, I used a fountain pen for the first time. I had seen someone using one to take notes during a talk we were both attending, and asked him about it afterward. We chatted, he let me try his pen in my notebook, and the next day I bought one at the stationery shop in my neighborhood.
-
Daniel Lemire ☛ How good are Chinese CPUs? Benchmarking the Loongson 3A6000
My understanding is that Loongson processors serve to reduce the dependence of China on architectures like x64 and ARM. They use their own proprietary architecture called LoongArch. These processors have two generations of SIMD (single instruction, multiple data) vector extensions designed for parallel processing: LSX and LASX. LSX (Loongson SIMD Extension) provides 128-bit wide vector registers and instructions roughly comparable to ARM NEON or early x64 SSE extensions. LASX (Loongson Advanced SIMD Extension), first appearing in the Loongson 3A6000 (2023), is the 256-bit successor that is somewhat comparable with x64 AVX/AVX2 present in most x64 (Intel and AMD) processors.
-
Tom's Hardware ☛ WWII Enigma machine sells for over half a million dollars at auction — one of the rare four-rotor 'M4' models
A fully working wood encased Enigma machine went for double the expected price in Paris earlier this week. Batteries were included.
-
-
Health/Nutrition/Agriculture
-
Michigan Advance ☛ AI vs. AI: Patients deploy bots to battle health insurers that deny care
As states strive to curb health insurers’ use of artificial intelligence, patients and doctors are arming themselves with AI tools to fight claims denials, prior authorizations and soaring medical bills.
Several businesses and nonprofits have launched AI-powered tools to help patients get their insurance claims paid and navigate byzantine medical bills, creating a robotic tug-of-war over who gets care and who foots the bill for it.
-
-
Proprietary
-
Tom's Hardware ☛ The web's infrastructure has a concentration problem, exposing us all to crushing outages — from AWS and Azure to Cloudflare, the perils of having a centralized internet are being felt by all
Internet outages happen all the time. Just this week, the recent Cloudflare outage disrupted millions of users. The infrastructure on which our digital lives are built is precarious and often prone to errors. When those happened, they used to have a small impact. A website’s servers crashing would bring down only that website and anything that relied on it. But as the web has become more centralised in its infrastructure, with a handful of companies dominating the market, any individual issue has the potential to domino into a much more significant one.
-
Tom's Hardware ☛ Windows 1.01 was launched 40 years ago, but it didn't start well — Microsoft's graphical OS adventures were uncompetitive at launch
Windows 1.0X didn't set the world alight. Arriving against clearly superior competition, Windows wouldn’t really take off until version 3.X from 1990 onwards. This coincided with the wider adoption of SVGA graphics, networking (Windows for Workgroups), and important PC game milestones such as Wing Commander, Dune II, Alone in the Dark, and Syndicate. Before Microsoft’s significant leap forward with Windows 95, we also saw momentous FPS games such as Wolfenstein 3D (1992) and Doom (1993) – and the processors that could drive such titles – exert their gravitational pull on beleaguered Atari and Amiga home computer users.
-
Wired ☛ Game Theory Explains How Algorithms Can Drive Up Prices
Imagine a town with two widget merchants. Customers prefer cheaper widgets, so the merchants must compete to set the lowest price. Unhappy with their meager profits, they meet one night in a smoke-filled tavern to discuss a secret plan: If they raise prices together instead of competing, they can both make more money. But that kind of intentional price-fixing, called collusion, has long been illegal. The widget merchants decide not to risk it, and everyone else gets to enjoy cheap widgets.
-
Artificial Intelligence (AI) / LLM Slop / Plagiarism
-
The Washington Post ☛ Is there an AI bubble? These charts show the evidence for and against.
Soaring investment in artificial intelligence has triggered warnings about a risky financial bubble. These charts show reasons to be calm — or concerned.
-
Juan J Martínez ☛ Simplifying self-hosting repos
I’ve been self-hosting my git repos for over 3 years.
I already discussed here the problem with LLM crawlers, and that I wrote a script to automatically block these bots. Unfortunately, things are worse now.
My script is not that effective any more because the requests are coming from lots of different IPs from different ranges that I can’t block, and the traffic coming from a single IP won’t trigger the script, despite the aggregate traffic being significant.
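As an added example of the failure mode the author describes (this is not the author's script): counting requests per network prefix instead of per address, over constructed log lines, so a crawler that spreads its traffic thinly across one range still trips a threshold that no single address would. The prefix lengths (/24 for IPv4, /64 for IPv6) and the threshold are assumptions chosen for the illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in Common Log Format, not real server logs: ten requests
# from ten different addresses in one /24, plus two from an unrelated host.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Nov/2025:10:00:01 +0000] "GET /repo/foo/commit/1 HTTP/1.1" 200 512
203.0.113.11 - - [23/Nov/2025:10:00:02 +0000] "GET /repo/foo/commit/2 HTTP/1.1" 200 512
203.0.113.12 - - [23/Nov/2025:10:00:03 +0000] "GET /repo/foo/commit/3 HTTP/1.1" 200 512
203.0.113.13 - - [23/Nov/2025:10:00:04 +0000] "GET /repo/foo/commit/4 HTTP/1.1" 200 512
203.0.113.14 - - [23/Nov/2025:10:00:05 +0000] "GET /repo/foo/commit/5 HTTP/1.1" 200 512
203.0.113.15 - - [23/Nov/2025:10:00:06 +0000] "GET /repo/foo/commit/6 HTTP/1.1" 200 512
203.0.113.16 - - [23/Nov/2025:10:00:07 +0000] "GET /repo/foo/commit/7 HTTP/1.1" 200 512
203.0.113.17 - - [23/Nov/2025:10:00:08 +0000] "GET /repo/foo/commit/8 HTTP/1.1" 200 512
203.0.113.18 - - [23/Nov/2025:10:00:09 +0000] "GET /repo/foo/commit/9 HTTP/1.1" 200 512
203.0.113.19 - - [23/Nov/2025:10:00:10 +0000] "GET /repo/foo/commit/10 HTTP/1.1" 200 512
198.51.100.7 - - [23/Nov/2025:10:00:11 +0000] "GET /repo/foo HTTP/1.1" 200 1024
198.51.100.7 - - [23/Nov/2025:10:00:12 +0000] "GET /repo/foo/tree HTTP/1.1" 200 2048
"""

# Common Log Format: client, ident, user, [timestamp] "request" status size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def client_addresses(lines):
    """Yield the client address of every well-formed log line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip")


def prefix_of(ip: str, v4_len: int = 24, v6_len: int = 64) -> str:
    """Collapse an address to its containing prefix, e.g. 203.0.113.10 -> 203.0.113.0/24.
    The prefix lengths are assumptions; tune them to the ranges you actually see."""
    addr = ip_address(ip)
    length = v4_len if addr.version == 4 else v6_len
    return str(ip_network(f"{addr}/{length}", strict=False))


def count_by_address(lines) -> Counter:
    """Per-address counts: what a naive per-IP blocker looks at."""
    return Counter(client_addresses(lines))


def count_by_prefix(lines) -> Counter:
    """Per-prefix counts: the aggregate a distributed crawler cannot hide from."""
    return Counter(prefix_of(ip) for ip in client_addresses(lines))


def offenders(counts: Counter, threshold: int) -> list[str]:
    """Keys whose count exceeds the threshold, largest first."""
    return [k for k, n in counts.most_common() if n > threshold]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per address over 3:", offenders(count_by_address(lines), 3))
    print("per prefix  over 3:", offenders(count_by_prefix(lines), 3))
```

With a threshold of 3, the per-address view flags nothing, while the per-prefix view flags 203.0.113.0/24 with ten hits. In practice the prefix length is the tuning knob: /24 catches a crawler parked in one allocation, but a fleet spread across many providers needs a coarser key (an ASN lookup, or a behavioural signature such as request path patterns) rather than address arithmetic alone.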
-
Mike Brock ☛ The Ethics Theater: Why We Need Democratic Oversight of AI Development
I’ve been going back and forth in my mind about how to write what I’m about to write. Not because the argument is unclear—it’s devastatingly clear. But because the discourse around AI has become so polarized that any critique gets sorted into “doomer” or “accelerationist,” with no room for the most reasonable position: AI is a dual-use technology with extraordinary potential for both benefit and harm, and we need democratic oversight precisely because the people building it cannot be trusted to balance these risks on their own.
Let me be precise about where I stand, because precision matters when the stakes are this high.
-
Eric McClure ☛ The Technological Tsunami
My relationship with AI is getting increasingly strange. Generalist AIs are still mostly useless, but narrow AIs continue to produce very impressive results. We have plenty of AIs that are better than any human at specific tasks like spotting cancer, but no AIs that can exercise common sense. We can synthesize terrifyingly realistic recreations of almost anyone’s voice, but they must be handheld by humans to produce consistent emotional inflection. We have self-driving cars that work fine at noon on a clear day with no construction, but an errant traffic cone makes them panic.
-
Armin Ronacher ☛ LLM APIs are a Synchronization Problem
At its core, a large language model takes text, tokenizes it into numbers, and feeds those tokens through a stack of matrix multiplications and attention layers on the GPU. Using a large set of fixed weights, it produces activations and predicts the next token. If it weren’t for temperature (randomization), you could think of it having the potential of being a much more deterministic system, at least in principle.
As far as the core model is concerned, there’s no magical distinction between “user text” and “assistant text”—everything is just tokens. The only difference comes from special tokens and formatting that encode roles (system, user, assistant, tool), injected into the stream via the prompt template. You can look at the system prompt templates on Ollama for the different models to get an idea.
-
New York Times ☛ A.I. Toy Bear Speaks of Sex, Knives and Pills, Consumer Group Warns
Instead of chatting about homework or bedtime or the joys of being loved, testers said the toy sometimes spoke of matches and knives and sexual topics that made adults bolt upright, unsure whether they had heard correctly.
-
Public Interest Network ☛ Trouble in Toyland 2025: Toys with artificial intelligence bots or toxics present hidden dangers. Tests show A.I. toys can have disturbing conversations. Other concerns include unsafe or counterfeit toys bought online.
These AI toys are marketed for ages 3 to 12, but are largely built on the same large language model technology that powers adult chatbots – systems the companies themselves such as OpenAI don't currently recommend for children and that have well-documented issues with accuracy, inappropriate content generation and unpredictable behavior.
-
-
Social Control Media
-
India Times ☛ Meta buried 'causal' evidence of social media harm, US court filings allege
In a 2020 research project code-named “Project Mercury,” Meta scientists worked with survey firm Nielsen to gauge the effect of “deactivating” Facebook, according to Meta documents obtained via discovery. To the company’s disappointment, “people who stopped using Facebook for a week reported lower feelings of depression, anxiety, loneliness and social comparison,” internal documents said.
Rather than publishing those findings or pursuing additional research, the filing states, Meta called off further work and internally declared that the negative study findings were tainted by the “existing media narrative” around the company. Privately, however, a staffer insisted that the conclusions of the research were valid, according to the filing.
-
Fortune ☛ Mark Zuckerberg’s hate-speech gamble fuels Gen Z radicalization on Instagram as millions watch Hitler speeches and Holocaust denial clips
Thirty-one million people have viewed the clip. More than 1.6 million liked it. The comments are full of adoration: “My time to shine.” “They’re not ready for the truth.” A verified user asks why everyone is “glorifying fascism,” and is drowned out by replies.
And if you linger on that reel—or anything like it—you’ll quickly find that it’s almost quaint compared with what comes next.
-
-
Windows TCO / Windows Bot Nets
-
Deutsche Welle ☛ Russia's hybrid war: Germany steps up its defenses
Europe is experiencing a steady increase in hybrid attacks. Military personnel, police officers, politicians and scientists have warned that the situation is serious.
"We are experiencing cyberattacks, the circumvention of sanctions and arson attacks on a scale we have never seen before," said Silke Willems of the Federal Office for the Protection of the Constitution, Germany's domestic intelligence agency.
-
-
-
Security
-
Privacy/Surveillance
-
Futurism ☛ Scam Altman's Eyeball-Scanning Orb Startup Made a Cult-Like Demand of Its Employees
“We will neither fail, nor will we be an average outcome, and that’s what we want and that’s all I care about every day and all you should care about every day, and nothing else should matter,” the company’s CEO, Alex Blania told employees at an all-hands meeting, according to BI. “If you should care about something else, and if you want something else, you should just not be here. It’s as simple as that.”
-
Business Insider ☛ Scam Altman's Orb Startup Told Workers to Ignore Anything Outside Work - Business Insider
"If you should care about something else, and if you want something else, you should just not be here," CEO Alex Blania said in January.
-
Digital Camera World ☛ Ask yourself this: "If I save $50 on a Ring Doorbell for Black Friday, how long before I've spent the same money in subscriptions?"
But if you're not interested in paying a monthly subscription, the relative resolution of your camera – or any of the other benefits of the newer models especially, many of which are dependent on the cloud services that come with the subscription – will be a serious waste of money.
-
Mashable ☛ Amazon admits Ring gives cops footage without customers' knowledge or consent
There have long been concerns about Ring cameras and how Amazon coordinates with law enforcement. In 2020 Mashable's Jess Joho wrote about Ring being "a cop," with more than 1,189 local police and fire departments joining Ring's Neighbors Portal program that year alone. In the response to Markey, Amazon reported there were now 2,161 law enforcement agencies on its Neighbors Public Safety Service, which allows law enforcement to request footage from Ring users. So even in non-emergency cases, there is a decent chance cops will be able to get footage from Amazon.
-
Jonathan Kamens ☛ Thoughts on proposed Massachusetts Consumer Data Privacy Act, H.4746 – Something better to do
In September, I wrote about the consumer privacy bill proposed by the Massachusetts Senate, S.2608. As of a few days ago, the Massachusetts House has now released its version of the bill, H.4746. Here are my thoughts on the House bill and how it compares to the Senate version.
Overall, H.4746 is a much better bill than S.2608. I still have some concerns, outlined below, but overall it’s a strong bill which would provide strong protections to consumers even if enacted without addressing any of my concerns. The Electronic Privacy Information Center (EPIC) agrees.
-
EFF ☛ Victory! Court Ends Dragnet Electricity Surveillance Program in Sacramento
The Sacramento County Superior Court ruled that the surveillance program run by the Sacramento Municipal Utility District (SMUD) and police violated a state privacy statute, which bars the disclosure of residents’ electrical usage data with narrow exceptions. For more than a decade, SMUD coordinated with the Sacramento Police Department and other law enforcement agencies to sift through the granular smart meter data of residents without suspicion to find evidence of cannabis growing.
-
-
Confidentiality
-
SUSE's Corporate Blog ☛ Buying European: The Moment for Digital Sovereignty is Now
This will definitely be the case at this week’s Summit between the French and German governments, where digital sovereignty takes center stage. Now is the moment to collectively answer the question – how can Europe become sovereign? It will take time, but we are seeing some of the most powerful voices on the continent get involved now on this issue. There will be many views expressed this week on what should happen next. Here is SUSE’s answer to that question: [...]
-
DJ Bernstein ☛ 2025.11.23: NSA and IETF, part 2
A brief reintroduction to the villain. By 2013, NSA had a quarter-billion-dollar-a-year budget to "covertly influence and/or overtly leverage" systems to "make the systems in question exploitable"; in particular, to "influence policies, standards and specification for commercial public key technologies". NSA is quietly using stronger cryptography for the data it cares about, but meanwhile is spending money to promote a market for weakened cryptography, the same way that it successfully created decades of security failures by building up the market for, e.g., 40-bit RC4 and 512-bit RSA and Dual EC.
Recap of the previous episode. I looked concretely at what was happening in IETF's TLS working group, compared to the consensus requirements for standards-development organizations. I reviewed how a call for "adoption" of an NSA-driven specification produced a variety of objections that weren't handled properly. ("Adoption" is a preliminary step before IETF standardization.)
-
DJ Bernstein ☛ 2025.11.23: NSA and IETF, part 3
Last month I posted part 1 of this story. Today's part 2 highlighted the corruption. This blog post, part 3, highlights the dodging in a particular posting at the beginning of this month by an IETF "security area director". Part 4 will give an example of how dissent on this topic has been censored.
Consensus means whatever the people in power want to do. Recall from my previous blog post that "adoption" of a document is a preliminary step before an IETF "working group" works on, and decides whether to standardize, the document. In April 2025, the chairs of the IETF TLS WG called for "adoption" of this NSA-driven document. During the call period, 20 people expressed unequivocal support for adoption, 2 people expressed conditional support for adoption, and 7 people expressed unequivocal opposition to adoption. (Details for verification.)
-
DJ Bernstein ☛ 2025.11.23: NSA and IETF, part 4
Specifically, I was thinking about a point that had very briefly come up earlier, and I realized that it's actually a powerful objection to this document. Each WG has a charter, which according to IETF rules is a "contract between a working group and the IETF to perform a set of tasks". Groups can be rechartered, but chairs and other document proponents don't have authority to do this unilaterally; they have to stick to the charter unless and until it changes. In the case of the TLS WG, standardizing PQ in TLS turns out to be violating the TLS WG charter.
I wrote up the details and sent this objection to the TLS mailing list more than 24 hours ago. The objection still hasn't appeared on the mailing list. As I'll explain below, it's clear why it hasn't appeared: as a technological matter, the WG chairs have power to set up filters, and did so to stop my messages from promptly appearing on the list. It's also clear that the chairs violated applicable IETF policy by blocking this message.
-
-
-
Defence/Aggression
-
Deutsche Welle ☛ Nigeria: 50 children escape after Catholic school kidnapping
Armed men raided the Catholic boarding school in the village of Papiri in Niger State on Friday morning, abducting 303 children and 12 teachers.
Some 253 pupils remain in captivity, according to the Catholic bishop who heads the school.
-
US News And World Report ☛ Australia’s Teen Social Media Ban Pushes Content Creators to Look Abroad
Now, with a world-first social media ban on Australian children younger than 16 set to take effect on December 10, he is thinking of leaving his Melbourne studio and moving abroad.
-
Omicron Limited ☛ The plague of frog costumes demonstrates the subversive power of play in protests
Humor is subversive. When used strategically, it can help undermine the legitimacy of even the most powerful opponents.
-
The Guardian UK ☛ ‘That doesn’t exist’: [DOGE [sic]] reportedly quietly disbanded ahead of schedule
The statement confirmed longstanding suspicions that [DOGE [sic]], created by an executive order that Donald Trump signed on his first day, was on its way out. The tech billionaire Elon Musk and the former Republican presidential candidate Vivek Ramaswamy were tapped to lead the effort and were expected to drive “large scale structural reform” through 24 July 2026.
-
The Verge ☛ DOGE [sic] is no more, and in its wake, only chaos
In April, Elon Musk began backing away from his role as head of DOGE [sic]. By June, he was more or less fully gone from DC. In his wake, he left a power vacuum and significant ill will that has apparently led to the dissolution of DOGE [sic] eight months before its charter expires.
-
NPR ☛ U.N. climate talks end without agreement on phasing out fossil fuels
They said world leaders need to start drawing up concrete plans to deliver on a landmark 2023 commitment to reduce the use of oil, coal and natural gas.
However, major fossil-fuel producers including Russia and Saudi Arabia have opposed the creation of a process or timetable to move away from those energy resources.
-
-
Transparency/Investigative Reporting
-
The Guardian UK ☛ Epstein survivor condemns Trump for calling file release fight a ‘hoax’
Danielle Bensky, who was abused by Jeffrey Epstein, says president was ‘incredibly disrespectful’ in recent comments
-
-
Environment
-
University of Michigan ☛ Michigan’s waterways need restoration
This is not an issue unique to my hometown — waterways across the state of Michigan struggle with the adverse effects of factories. The concern lies in the fact that these streams, rivers and lakes all flow into the Great Lakes system, negatively impacting water quality. To protect the water bodies of the state, clean-up projects for Michigan’s waterways are essential to combat ecosystem damage and maintain human health.
-
Energy/Transportation
-
European Commission ☛ Europe leads pledging effort in campaign mobilising €15.5 billion for clean energy in Africa
The European Union led the pledging effort, with more than €15.1 billion. This includes a pledge made by President von der Leyen, on behalf of Team Europe, of over €10 billion, as well as significant additional bilateral contributions by European financial institutions, Member States and their Development Finance Institutions, and estimated private investment mobilised.
-
-
-
AstroTurf/Lobbying/Politics
-
Nicolas Fränkel ☛ My first real Rust project
I have been learning Rust for a couple of years, and using it for pet projects and demos alike. Working for a JVM-heavy company, I thought it would be my fate forever. Last week, I had a nice surprise: I convinced my management that using Rust for a particular project was the right choice. It’s not a huge project, but I want to describe my experience using Rust in a "real" project.
-
Nick Heer ☛ We Need to Stop Talking About the Erosion of Privacy as Though It Is Inevitable
The correct answer to corporate and government contempt for our privacy must be in legislation. A systemic problem is not solved by each of us individually fiddling with confusing settings. But we do not get to adequate laws by treating this as a lost argument.
-
CoryDoctorow ☛ Pluralistic: Boss preppers
All this raises the question of what rich preppers are prepping for. If your contribution to society consists of "allocating capital" and/or giving people orders, what, exactly, is the disaster that fulfills your fantasy of a world where your unique skills are the only thing that can save us all? What kind of a disaster needs a boss?
In Douglas Rushkoff's 2022 book Survival of the Richest, he describes a surreal "futurism" consulting gig in which a bunch of wealthy investor types asked him to help them figure out how to keep their mercenaries in line after "The Event" (the end of the world): [...]
-
Misinformation/Disinformation/Propaganda
-
Task And Purpose ☛ Why the Army set up a counter-disinformation unit in the Pacific
U.S. Indo-Pacific Command said that the 1st TIAD is meant to “counter malign influence, protect friendly information, strengthen cooperation with key partners, and promote regional stability.” Essentially, when influence campaigns can be nearly as important as military positioning and logistics, the unit has to win the information and public affairs war. Col. Sean Heidgerken, the new unit’s commander, said that the 1st TIAD is “designed to maneuver within the information environment and maintain positions of advantage.”
-
-
-
Civil Rights/Policing
-
Kansas Reflector ☛ Death penalty skeptics in Kansas seize 'pro-life,' high cost, wrongful conviction arguments
“You don’t have to be a bleeding heart to hate the death penalty. This thing has flaws all over the place,” Sutton said. “I have absolutely zero qualms about being against the death penalty. It’s illogical. It’s expensive. It’s inconsistent with my beliefs.”
From 1973 to 2024, courts in the United States exonerated 200 people who had previously been sentenced to death. Nationally, about 2,100 men and women remain incarcerated on death sentences. Forty-four people have been executed in this country during 2025.
-
The Register UK ☛ 70-hour work weeks no longer enough for Infosys founder
His remarks have stirred controversy because few feel that 70-hour weeks make workers more productive, and make it extremely difficult to achieve decent work-life balance.
-
RFERL ☛ Chechnya's New Restrictions On Women's Fashion Are About Control, Not Tradition, Critics Say
The ban follows hot on the heels of another recent restriction banning women from going outside without a head scarf.
-
-
Digital Restrictions (DRM)
-
Dev Stack ☛ A Reverse Engineer’s Anatomy of the macOS Boot Chain & Security Architecture
The security of the macOS platform on Apple Silicon is not defined by the kernel; it is defined by the physics of the die. Before the first instruction of kernelcache is fetched, a complex, cryptographic ballet has already concluded within the Application Processor (AP). This section dissects the immutable hardware logic that establishes the initial link in the Chain of Trust.
[...]
macOS is no longer just a Unix system. It is a distributed system running on a single die, governed by a hypervisor that doesn't exist in software. The kernel is dead; long live the Monitor.
-
-
