Bonum Certa Men Certa

UEFI Firmware Vulnerable to Malware Implants; Worse Than “Legacy BIOS” Ever Was

Guest post by Ryan, reprinted with permission from the original

UEFI firmware vulnerable to malware implants; worse than “legacy BIOS” ever was.



According to security researchers at anti-virus firm Kaspersky, UEFI “implants” that put rootkits into Microsoft Windows are fairly common, and have been since at least six years ago.



Ever since Microsoft and Intel teamed up to foist this horrible PC firmware “standard” onto PC users, they’ve had people such as Security Theater person Matthew Garrett cheer-leading it for them and claiming that it makes great leaps and bounds to secure your computer.



He’s bounced around from one job to another over the years. At one point, he was working for Red Hat, when he came up with “Security Theater Boot” for Linux, which requires Microsoft to give permission for your PC to boot.



Ars Technica: Fedora could seek Microsoft code signing to contend with secure boot



Web / Gemini (NewsWaffle) / “WebWaffle”



Ever since Garrett’s specification was adopted, GNU/Linux distributors have had to beg Microsoft and pay them to sign their distribution’s bootloader, or else their operating systems don’t boot up on affected PCs.



Instead of telling users to turn off “Secure Boot” or at least just add the distribution’s certificate to the firmware instead, this is where we’ve ended up.



I always turn off “Secure Boot” because I’ve never had it prevent any actual attack, and as far as I’m aware, it never has.



It is part of an attack, on the user.



Matthew Garrett has attacked me repeatedly in the past, especially when I pointed out Lenovo’s 2016 assault on GNU/Linux, in which they crippled some of their laptops to lock them into a mode that only the supplied version of Windows would boot with.



Now he’s trying to gain relevance again, and some people are falling for it, by himself complaining about Lenovo and Microsoft’s current corrupt business practices, which is to disable the Microsoft certificate that allowed this scheme to work.



Thanks to Garrett enabling Microsoft to avoid the coming lawsuits that would have happened had Security Theater Boot stopped a Windows 8 laptop from allowing Linux to boot up, today if a person tries to boot a Linux kernel, a Windows sticker-compliant laptop with “Microsoft Pluton” will now simply say it’s not allowed “due to a security policy”.



When you enable thugs, they get worse, not better. They come back and try to get away with more.



While Lenovo has posted instructions for turning on the Microsoft Third-Party CA, Mr. Garrett pointed out that doing that will trip up Bitlocker, Microsoft’s backdoored and fake disk encryption setup, and lock you out of your computer, and potentially cause data loss. (It’s happened to me!)



Since flipping off “Secure Boot” makes GNU/Linux work and it’s ridiculous to even attempt to dual boot Windows with anything, since it has always eventually gone on the attack and corrupted the other OS, and turning it off gives you the freedom you used to have to modify your OS to do whatever you want, I persist in saying this is the only correct approach to dealing with it.



So, things have come full circle and the guy who actually accused me of being a conspiracy theorist and Microsoft basher when Lenovo did something far nastier to me, and I went to the Attorney General of Illinois and got that reversed, has co-opted my position about Lenovo from 6 years ago.



The facts about UEFI couldn’t be more of a 180 from what Garrett and other UEFI promoters have been saying over the years.



The code to implement UEFI is gargantuan. The standard that defines it was rushed and based largely on EFI, which was meant for Intel’s failed Itanium CPU architecture.



As such, the implementations were not debugged very well. On top of all of this, the existing “PC BIOS Mafia” of companies like Award, Phoenix, and AMI, was largely preserved.



When PC OEMs go to include a UEFI firmware package, they license an “off the shelf” solution, usually from one of these companies, and then add or remove features from it, much like they did before with the “Legacy BIOS”.



The way these companies got their start was by reverse engineering how the original IBM PC’s firmware (BIOS) worked, and so they’ve been an established cartel since the 1980s.



The problem is that the PC OEMs aren’t concerned about actually securing your computer, or the safety of the data that it stores.



They are more concerned with getting Windows booting and complying with some idiotic Windows sticker program requirements so that they can get kickbacks from Microsoft.



Without these “rebates”, the cost of Windows goes way up and they are at a competitive disadvantage with other PC makers in the marketplace.



Microsoft is also not really concerned with making progress in computer and IT security. The illusion of progress will suffice. Even when it really means that the situation on the ground is backsliding terribly.



Nobody punishes them for it. Governments like the United States federal government release “weak” and “watered down” security requirements and “executive orders” which mean nothing.



Then you hear about another business or government agency getting hit by ransomware, and there’s no gasoline or chickens for a month or so until they pay the criminals in Bitcoin and get their data back.



My last PC without UEFI, a Phenom II X4-based desktop with a “Legacy BIOS”, was very stable and I ran it for years.



I bought it like that deliberately, knowing that Linus Torvalds, the creator of the Linux kernel, spent about a decade with nothing really positive to say about “EFI”, describing it as “broken” and “hacked up”.



As Microsoft has been buying influence and control over outfits such as the “Linux Foundation” (which only spends 4% of its budget on Linux), Linus Torvalds was forced into silence.



He used to call bullshit on public mailing lists about something bad unfolding in the PC industry, and ever sense his forced “apology tour” and “time out”, he’s never really been the same.



(Various elements claiming to be part of the FOSS movement try to stir up shit against important figures to cause strife and conflict, by slandering them in public with spurious allegations, like what happened to Richard Stallman.)



The early days of UEFI were a complete shit show, where all kinds of computers shipping with it would be bricked when trying to use “standard” and “documented” native UEFI interfaces.



Even the PC OEMs shipping with it often knew to hide it behind a “Legacy BIOS” emulator and stop the OS from interacting with it directly, lest even Windows break something, and they would have to warranty the computer.



Fixing computers after they sell them is really not what OEMs want to do. Often on “consumer” oriented stuff, you don’t even get one UEFI update after they sell it.



The only reason why Lenovo ever updated the Yoga 900-ISK2 is because I took action against them. As far as I know, they never fixed any security problems with it, and Ubuntu actually broke that particular model by interacting with the firmware using the Intel Serial Peripheral Interface driver, which was useless for most people, and luckily not even built by Fedora, which is what I was using.



OMG Ubuntu!: Ubuntu 17.10 Breaks the BIOS on Some Lenovo Laptops



Web / Gemini (NewsWaffle) / “WebWaffle”



Aside from the garden-variety awfulness of the UEFI “standard” that you’d expect, given it came from Microsoft and Intel, and is implemented by the “BIOS Mafia” and OEMs, it’s vulnerable to malware that is essentially impossible for Windows anti-virus software to remove.



These “implants” are designed to get into the Windows kernel, patch it in-memory to turn off security features, and then deliver a malicious payload that becomes part of the operating system.



The one detected by Kaspersky appears to have been written by a “Chinese group”, possibly, likely, a state-sponsored one.



To have any chance at all against malware like this, you have to constantly security patch your UEFI firmware, but that too is dangerous and in some cases, difficult.



They don’t make any official flashers for GNU/Linux, and the only way I’ve seen to deal with this on most computers is to make a Windows Pre-Installation Environment USB stick with the flasher on it.



Flashing your firmware is dangerous. You can go from a working system to something totally corrupt that won’t boot. If you’re not in warranty, your OEM will make you pay to ship it both ways and to have the motherboard replaced, which will cause total data loss.



Even if the flash is successful, it often puts in crazy settings that were not the default in the last build, which you have to know to go into the setup program and fix.



If you get through all of that, there will just be more vulnerabilities next month. They’re endless.



Intel is incompetent. Apple gave up trying to fix them and started developing their own CPUs. Every year, Intel has only gotten much worse.



I would love to flash my UEFI firmware to knock out the security vulnerabilities that I know have been piling up since I last updated the firmware in September of 2021, right before switching the computer over to GNU/Linux permanently.



Lenovo UEFI updates require Windows, but the Hiran’s BootCD PE is a bootable Windows 10 on a flash drive.



It’s a gimpy version of Windows 10, but if all you’re using it for is to run a flasher and then get rid of it, it might be tolerable, if only barely.



I’m actually less afraid of Hiran’s BootCD PE and a flasher from some dodgy Chinese UEFI vendor than I am of what Lenovo may have done to “customize” it, given what unfolded in 2016 with my Yoga 900-ISK2, and what Matthew Garrett now admits Lenovo does openly.



I have absolutely no intention of updating the UEFI and risking bricking it, only to find out that Lenovo has retroactively added some new sort of fuckery that prevents my laptop from rebooting into Linux.



I’m not currently having any MAJOR firmware-related issues, which is unusual on a PC, much less a Lenovo, so I’m going to let sleeping dogs lie.



Lenovo shipped firmware so broken on the Release Engineering date just to get the Thinkpad 15 ITL Gen2 out in time for their Black Friday deal in 2020 that it had major problems even handling Windows 10.



Then when the USB-C failed several months in and I had to ship it back for a warranty repair, to their service depot in Texas, they sent it back again with the original firmware on it. Forcing me to update to the firmware that fucked up Microsoft Bitlocker.



So basically, the events that transpired were USB-C failed, back everything up, Lenovo had to replace the entire motherboard, of course.



They soldered the SSD into the old one, so they ship me back a computer with a new motherboard and SSD, exactly in the Release Engineering condition. First thing I do is update the UEFI, and have it trip up the TPM, and cause Bitlocker to refuse to release the SSD contents.



I recover Windows anyway using the “Novo” button and figure out how to get into the emergency recover partition, which isn’t easy, you know, but whatever. The emergency recovery system took about 5 hours to recover Windows 10 for some reason.



I used it for another month and then I patched the UEFI again and the firmware couldn’t find the Windows Bootloader on the next reboot. Emergency recovery mode, again.



By this time, I rebooted into the UEFI and changed the storage mode to AHCI in preparation for replacing the OS with GNU/Linux because I was getting tired of this Windows shit anyway, and reboot.



Microsoft Bitlocker comes up again and tells me it refuses to unlock the disk.



So I proceed to install GNU/Linux using a USB stick I made on my other laptop, and once it’s installed, I go back into the UEFI and disable Secure Boot.



Because Secure Boot can have a “dbx update” that fucks up your ability to load various operating systems, which bit me in the ass on my older laptop once when I tried to boot Fedora after Ubuntu had updated the dbx as part of “BootHole”.



The short version is that UEFI just keeps biting you in the ass, especially if you try leaving Secure Boot on or leaving Windows on the computer, and doing anything at all with the computer to try to have any hope of maybe staying one step ahead of Chinese and Russian UEFI malware implant groups.



If you use Windows 10 or 11 today, it’s really the “Windows 2000 Summer of Worms” all over again, except now you’re practically guaranteed to get UEFI malware putting a rootkit into the Windows kernel and then shoving invisible malware that no anti-virus program will ever detect, and it will probably happen so quickly that you’ll be lucky if nobody gets you on the way to replace Windows.



On top of the “UEFI Summer of Worms”, UEFI just generally isn’t reliable enough to entrust your data to, and you’ll likely lose it several times over, especially if you have Microsoft Bitlocker turned on and try updating the firmware or changing some settings. There won’t be any warning. It will just happen.



You’ll lose your data to Microsoft Bitlocker because TPM state is incredibly fragile and it pretty much panics Bitlocker if someone in the room sneezes.



It even got Garrett by surprise while he was trying to figure out his new laptop, and he says he’s an “expert” on UEFI that understands it quite well and has had paying jobs related to it.



So if he barely has a chance to save his data, and even then only because his system had backed up his unlock key to Microsoft (LOL), what chance do you have?



Real disk encryption never hands the unlock keys to anyone but you. GNU/Linux has real disk encryption.



Windows gives you….a mirage. It hands your unlock keys to the government so if Johnny Law ever comes knocking, your data will be State’s Exhibit A. Meanwhile, do enjoy losing your data over and over and over again. I hope you have backups.



I never had this sort of trouble out of PC BIOS.



Sure they had bugs, but it wasn’t anything like this UEFI mess.



You can install all of the updates you want. It won’t matter. They’ll just cause more problems if you do.



If Intel and Microsoft have proven anything, it’s that they design systems, hardware, and specifications that are so bad that you can patch them until they’re not “supported” anymore and still only barely be any better off than when you had the computer dumped in your lap like it was.



Windows XP is a great example of this. It got patched for over 20 years (including the EOL updates which normal users could only get with registry hacks and visiting Web sites that leaked them out from paying customers), and the security situation still wasn’t much better than it used to be. The same thing happens to all of their products.



Why?



Fixing bugs and making software more reliable is a cost center.



When you want to maximize profits, it’s always easier to dump something in the customer’s lap that only barely works and to actually take care of it as little as you can get by with.



That’s been the way Microsoft and Intel have gotten things done for decades, and it’s not getting any better.



At the same time, Free and Open Source Software has gradually improved because the process iterates as bugs are fixed over the years.



Even if proprietary software companies care about quality (some do), the nature of the proprietary software beast is such that everyone you get to work on it is paid and sworn to secrecy, which limits how much development can get done.



Pretty much the only programmers that try to defend the notion proprietary software and slander FOSS are the ones cashing paychecks building proprietary software that does unethical things to the users.



Dumping broken crap into the customer’s lap and moving right along is exactly what’s going on with UEFI.



By the time Lenovo sells a laptop, especially to Home users who don’t know what firmware is, much less a malicious “implant”, most of the time there are never any security updates at all.



Why would they? From Lenovo’s perspective, trying to fix it up would only cost them money.



Lenovo has demonstrated to me repeatedly that it is far too stupid to patch up my “business class” laptop without tripping up Bitlocker or doing something that causes it to be unable to find the Windows Bootloader. If they update your computer at all, chances are they’ll hose it and get angry customers demanding warranty repairs.



How any of this would make it past even the slightest amount of quality control is beyond explanation, which hints to me that there probably is nobody testing this stuff, and since it can ruin your computer at a hardware level (impossible to fix) if it goes wrong, you’re gambling by installing the updates.



As a Home user, your security doesn’t matter to them. That’s a “you problem”.



A parade of awfulness ensues about half the time you try to patch the UEFI on a Lenovo computer according to their instructions, and that’s if you PLAN to keep using Windows. Just get rid of Windows. You’ll be so glad you did. If your UEFI works at all, live with it.



On a final note, I am very amused that Lenovo bumped the UEFI almost monthly for the first 10 months I owned this “Professional” grade laptop and none of those patches ever fixed the typos in their firmware setup program.



If you watch how many CPU security bugs Intel springs and what has to be done to plug them, and how usually that doesn’t even work and OS vendors have to keep coming back and dealing with the same problem over and over again, you’ll leave with the distinct impression that UEFI updates are likely pointless anyway. Linux can update the CPU firmware at boot anyway, and that’s usually the biggest part of the UEFI update.



In my opinion, only a person of first-order stupidity or corruption could praise Intel and Microsoft knowing what the real score is.



Much less implement their specifications and tell others to use them.



Linus Torvalds said he managed the release for the latest Linux kernel using an “Apple Silicon” (ARM64) Mac using Asahi Linux.



If things keep going the way they are on the Intel PC, I may very well go that direction as well.



It sounds like things are really starting to shape up for Linux over there and I’m sure the computer is less of a disaster if that’s why Linus has switched to one.



Recent Techrights' Posts

IBM HR "Process is Similar to Raising Farm Animals"
IBM "silent layoffs" won't stop
Brett Wilson LLP Has Just Lost a Case of Its Biggest Client "IN THE COURT OF APPEAL (CIVIL DIVISION)"
Is Brett Wilson LLP proud of such clientele?
Gary Smith Says Brett Wilson LLP Engages in SLAPP Against Him Over LinkedIn Post, "This is the Streisand Effect in Real Time"
"Lawyers who front SLAPP‑style threats on behalf of powerful institutions are not “defending reputation”; they are abusing legal process to intimidate and silence legitimate public‑interest scrutiny."
 
Not Tolerating Death Threats
Death threads are a serious matter
Silent Layoffs, 'Happy' Layoffs, and 'Buyouts' (Pretending to Voluntarily Retire)
We've been seeing lots of that at IBM and Microsoft
SLAPP Censorship - Part 125 Out of 200: Litigants in Person (LIPs) Handling American Lawfare Funded by Third Parties (About a Million Pounds for 100 Kilograms of Legal Papers)
An appeal to the Court of Appeal can be justified at one point
Attacks on the Sites
These are clearly censorship attempts
Links 02/07/2026: Microsoft May be Shutting Down 5+ Studios, Slop Got Too Expensive, "RAMpocalypse" Discussed
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, July 01, 2026
IRC logs for Wednesday, July 01, 2026
Gemini Links 02/07/2026: Kondo, Theological Thought, and X4
Links for the day
Links 01/07/2026: Apple and Microsoft Price Hikes, Political Catchup
Links for the day
Parroting the Script of RAs and PIPs, "Buyouts" and Layoffs by Any Other Name
Over time people will find out just how many people "leave" IBM
Slop Gives No Real Edge, It's Just Falsely Marketed That Way (FOMO)
Plagiarism in some measurable form is always bad, irrespective of what we call it
The Microsoft-Owned Media Shows What Spin Microsoft Will Use Amid Mass Layoffs
Microsoft says goodbye to over 10,000 workers this month
The Media is Shooting Its Own Foot by Peddling Slop and Spam
Nobody wishes to read slop; as soon as people realise "the news" (or "news site") is LLM trash, they will walk away
Gemini Links 01/07/2026: Wild Flowers, Slop, and Waystone Tools
Links for the day
Links 01/07/2026: Bending Spoons Makes an 'Exit' ("Going Public"), US Supreme Court Rules on Many Issues
Links for the day
Misattributing Blame, the Core Issue is Slop
that issue has nothing to do with Bash
Microsoft: Layoffs Are an Investment
Sales of the console will take another plunge and debt will skyrocket
Links 01/07/2026: MElon (Elon Musk) "Confronted With List of People He Has Killed", Microsoft Ignores Union, Chooses "Bloodbath"
Links for the day
The Register MS: Paid-For SPAM Advocating Chinese Colonialism in Africa, Not Even a Disclosure (as Before)
Does The Register MS recognise what this piece is promoting and who for?
Techrights Never Defended Rapists
In the past, I and others got falsely accused of "defend[ing] a rapist"
"Regular Silent Layoffs and PIPs" at Microsoft, According to Microsoft Insider
Many people leave without a fuss, only a signed NDA
Gaming Companies Help Promote Rootkits ('Anticheat') and Help Microsoft Take Control of People's PCs
The industry in its current form acts a bit more like a cabal of power-hungry companies that actively try to back-door everything and smear people who oppose that
IRC (Internet Relay Chat) Turns 38 Next Month
IRC did well because over 300k users are on significant networks (simultaneous, also counting bots and cross-network overlaps)
opensourceforu.com is a Slopfarm, It's Not "Open Source" and It's Not "For U"
Slop "For U"
DRM and Ownership
We now even have PCs that "expire"
GNU/Linux Reaches 6% in North America
Tomorrow around 10AM we'll see what preliminary data they get for July
IBM Layoffs Still Happening in 2026, They're Just Not Being Reported
The demise of IBM accompanies the demise of the media
SLAPP Censorship - Part 124 Out of 200: The Court Deems My Wife Connected to the Case of the Serial Strangler From Microsoft, Invites Her to the Hearing Last Week
Brett Wilson LLP does not play by the rules
Paying Severance to Staff Laid Off by Microsoft Too Expensive for Microsoft Now?
When companies earn such a bad reputation (not paying severance to people they discard) it lowers morale even further
Microsoft Mass Layoffs Due to Money Problems (Debt, Lack of Money to Complete Payroll), Not "Hey Hi"
If Microsoft later comes up with some "Hey Hi" narrative, then immediately reject it
Stop Conflating Free Software With Slop Plagiarism and Time-wasting
Even decades ago people could use "compute" for lots of fuzzing, then file away false or unaudited reports using bots
What Security Means
Security does not mean asking Microsoft for permission
Microsoft May be Losing 10,000+ Workers This Month
Here's the quick math
BSN Senior School Leidschenveen is Shutting Down and What That Means to the European Patent Office (EPO)
Follow-up meeting with Site Manager VP1 on school matters
Gemini Links 01/07/2026: Keeping (Relatively) Cool plus Adventures in Solar, Camp Snap Cameras and XTEINK X4 Ereader Reviews
Links for the day
European Patent Office (EPO) Series: Different Strokes For Different Folks
Organisation operating in two parallel universes
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, June 30, 2026
IRC logs for Tuesday, June 30, 2026
GNU/Linux Measured at 4.4% by statCounter, Even More by analytics.usa.gov
GNU/Linux has fared well
Getting Skyped: Closure of Studios Microsoft Bought
wait till July and the mass layoffs outside XBox
Several Waves of Red Hat Layoffs This Year, Is This Still Going on Under IBM?
The PIPs and NDAs hard to get a clear picture
Sabine Hossenfelder Versus IBM Scamming Shareholders
IBM has become a garage of BS
Some XBox Layoffs Underway, At Least Five Studios to be Shut Down
Insiders are in a state of panic
Gemini Links 30/06/2026: Music Theory, Addiction, Clown Computing
Links for the day
Links 30/06/2026: France Recorded 1,000 Excess Deaths During Heat Wave, Slop Replaced by Human Staff
Links for the day
WordPress Becoming What We Feared It Would Become
WordPress and other such bloatware (WordPress used to be fast and light) are moving in the same trajectory that GAFAM leads
People Given the Totally Wrong Idea That "Secure Boot" is About Security (It's the Opposite, It's About Handing Control Over to NSA/Microsoft)
"Secure Boot" with capital "B" is conflating compromise with security.
Today The Register MS is Publishing Fake Articles About "AI", 100% of All "Content"
Maybe the media is dying because it is selling its soul [...] The Register MS has no standard
America Has Cost Europe Too Much
Countries ought to be controlling all their own systems
GAFAM Debt Will Surge, in July We'll Know by How Much
Do not fall for slop or sloppy narratives
Call for European Patent Office (EPO) Whistleblowers
The European Patent Organisation (EPO) might not reform the Office
400-Page US Federal Court Against Abuses by Google, Microsoft and Front Groups That Abuse Volunteers for American Corporations
There are 386 pages in total (in the US claim)
Projection Tactics - Part IV: SLAPP by Americans Against Techrights (UK) to Hide Serious Abuses Against American Women
"PRs need to stop being complicit in suppression of information via SLAPPs"
Five Years Ago, After We Broke the Story About Richard Stallman Rejoining the FSF's Board, All Hell Broke Loose (for Me and My Family)
They generally seem to target anyone who thinks Richard Stallman (RMS) should be in charge or thinks alike about computing
Projection Tactics - Part II: Causing "Serious Harm" to Many People (Even Animals)
Narcissists and sociopaths are like that
Too Many "Marketers on the Payroll" at IBM, Selling Impossible Products That Cannot be Delivered or Will Never Deliver
IBM is rotting away
Media Says Microsoft's (XBox) Layoffs May be Record-Breaking
think somewhere in the range of ~5000 for gaming/XBox alone
Sirius Open Source's Latest Report: Fake (False) Number of Staff, Almost No Money in the Bank, Overdraft, and Growing Debt (About £100,000 More Borrowed)
massive (and still growing) debt
Links 30/06/2026: What's Wrong With EU Age Verification, RSA Keys with Many Zeros
Links for the day
This is Not a Security, This is a Circus
Security does not mean "asked Microsoft for permission"
Communities Need Strong Leadership, Not Dictators Like IBM
Leadership in Free software is not ownership [...] Fedora will only last as long as IBM can somehow make some money out of it or leverage it to attract sharecropping
Patents Are Not "Cash Cows"
People who deliberately don't understand patents (or believe lies about them) will fail to understand how the world works (or does not work)
Sad Lives of People Who Think Women Are Just Sexual Toys (All They Have is Money)
money is still a man-made concept and life is finite
SLAPP Censorship - Part 123 Out of 200: Why Violence Against Animals Matters
Starting tomorrow (Wednesday) we'll begin telling stories about what happened last week
EPO Staff Union's (SUEPO) The Hague Committee, With Help of Lawyer, Challenges Lack of Rewards for Hard Work
The EPO is not about granting valid patents anymore. The horse-trading corrupt officials just see the EPO as some thing that "prints money"
Massive EPO Demonstration Today
It'll start in about 6 hours
More Layoffs in Microsoft's PR Department, Even Ahead of 'D-Day'
Notice they are not even waiting for the official date (nor week)
European Patent Office (EPO) Series: Photo-Ops Galore and Suspicions of Influence-Peddling
coverage of the EPO's Croatian junket
Gemini Links 30/06/2026: Music and Broken Hearts
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, June 29, 2026
IRC logs for Monday, June 29, 2026