Community lemmy.world

These Are The Most Useful Linux Apps I Discovered in 2024

| Software | Description |
|---|---|
| LocalSend | Open-source AirDrop alternative for transferring files wirelessly via Wi-Fi. |
| Obfuscate | Rust-based app for quick and intuitive redactions on sensitive photos. |
| Floorp Browser | Privacy-focused browser forked from Firefox with customizable workspaces. |
| Dosage | Medication management app with reminders and inventory tracking. |
| AB Download Manager | Cross-platform downloader supporting batch downloads and browser integration. |
| Cartridges | Game launcher supporting multiple platforms and sources like Steam and Lutris. |
| Zen Browser | Firefox-based browser with innovative tab management and split-view mode. |
| RustDesk | Secure, cross-platform remote desktop client with self-hosting capability. |

Community manganiello.social

After some brainstorming with @aral, @joynewacc and a few accounts from Gaza Verified in these days, I have decided to set up an automated backup solution for all the content that verified accounts

After some brainstorming with @aral, @joynewacc and a few accounts from Gaza Verified in these days, I have decided to set up an automated backup solution for all the content that verified accounts are uploading to the Fediverse.

What Palestinian accounts are uploading to the Fediverse is priceless. It’s invaluable first-hand evidence of a genocide that many are trying to hide and erase. It’s the kind of stuff that one day could be shown in a museum, or used as evidence against Israel in its pending international trials. We must ensure that it is properly preserved.

We can’t just assume that Fediverse admins will always be cooperative in keeping those accounts online (as the case of @[email protected] proved yesterday). In Mahmoud’s case the account was only hidden. But if sufficient external pressure is applied to instance admins there may be cases where accounts are just permanently deleted, without even getting a chance to download a backup of their data, and without means to neatly migrate their profiles and followers to another instance. Our duty towards history preservation and towards the Palestinian accounts entrusting us with their words and images imposes us not to lose this content.

Tonight I will start working on a solution that will periodically scrape their feeds and automatically archive any new content (post, attachment or follower) to my S3 bucket (a self-hosted MinIO instance in my house).

What I need is:

- If possible, explicit permissions from the Gaza Verified accounts for me to create a permanent record of their online activities
- Permissions from instance admins to run these scrapers on profiles on their instances (except for mastodon.social’s case, where the staff rarely responds and there’s already a lot of scraping activity anyway, so in their case I can afford to feel better sorry than safe)
- If possible, support from other self-hosting enthusiasts. I don’t want to be the single point of failure in historic preservation. The more redundancy, the better.

I am planning to release the code for the scraper, and probably also a Web UI that allows to easily index and browse content. Once ready, I may probably ask for some volunteers to join and help running the scraper in as many locations as possible.

@[email protected] #gaza #selfhosting

Community lemm.ee

We hate you

I may not always be the biggest fan of my government, but I would never willingly download a Chinese social media app because I trust communist China infinitely less. Never again, at least. My teen years were dumb and reckless and I’m glad I’ve grown since then.

Community feddit.org

Am I the only one who cringes at install instructions that require piping some curl output into bash?

You shouldn’t install software from someone you don’t trust anyway because even if the installation process is safe, the software itself can do whatever it has permission to. “So if you trust their software, why not their install script?” you might ask. Well, it is detectable on server side, if you download the script or pipe it into a shell. So even if the vendor is trustworthy, there could be a malicious middle man, that gives you the original and harmless script, when you download it, and serves you a malicious one when you pipe it into your shell. And I think this is not obvious and very scary.

Community lemmy.ml

How many Lemmy users are non-technical background?

Not technical at all, I work in Learning & Development at a company. I am always reading the comments and try to learn, but sometimes I have really no clue what you guys are talking about haha! Yesterday someone was explaining about adblocker and all the comments were like: “Yeah, who can live without it…” Well, me I guess? And I saw one that was highly recommended so I downloaded it, because why not try it out right? But apparently it’s not for your phone. Or I didn’t have the right app to support it on my phone. I was thinking about asking it in the comments of the thread, but like you said: I think a lot of people here have a tech background and although everyone is very nice, I think the explanation might go over my head. I don’t want to give people the feeling I get when I’m trying to explain to my mom over the phone how she can e-mail a file on her computer. It can be very frustrating ;)

Community lemmy.ml

XZ backdoor in a nutshell

All of this would be avoided if Debian downloaded from GitHub’s distributions of the source code, albeit unsigned. In that case they would have just put it in the repo, and I’m not convinced anyone would have caught it. They may have obfuscated it slightly more. It’s totally reasonable to trust a tarball signed by the maintainer, but there probably needs to be more scrutiny when a package changes hands like this one did.

Community ibbit.at

This Week in Security: Randomness is Hard, SNMP Shouldn’t Be Public, and GitHub Malware Delivery

Randomness is hard. To be precise, without dedicated hardware, randomness is impossible for a computer. This is actually important to keep in mind when writing software. When there’s not hardware providing true randomness, most rnd implementations use a seed value and a pseudo random number generator (PRNG). A PRNG is a function that takes a seed value, and turns it into a seemingly random value, and also produces a new seed for the next time a random value is needed. This could be as simple as a SHA256 sum, where the hash output is split to become the next seed and the random value.

The PRNG approach does still have a challenge. Where does the initial seed come from? There are a few common, if flawed, approaches, and one of the most common is to use the system clock. It’s not a bulletproof solution, but using the microsecond counter since the last system boot is often good enough, because there are a lot of them to choose from — the entropy is high.

With that brief background in mind, let’s talk about what happens in VBScript. The Randomize call is used to seed that initial value, but Randomize has some quirks. The first is a great feature: calling Randomize a second time with the same seed doesn’t reset the PRNG engine back to the same initial state. And second, when called without a value, Randomize uses the number of system ticks since midnight as the PRNG seed. There are 64 ticks per second, giving five-and-a-half million possible seeds, or 22 bits of entropy. This isn’t great on its own, but Randomize internally typecasts that number of ticks into a narrower value, with a maximum possible of time-based seeds set at 65,536, which is a lot easier to brute-force.

We don’t know the exact application where the researchers at Doyensec found VBScript generating secure tokens, but in their Proof of Concept (PoC) test run, the generated token could be found in four guesses. It’s a terrible security fail for basically any use, and it’s a deceptively easy mistake to make.

GoAnywhere Exploit

The folks at WatchTowr have a report on a blistering 10.0 CVE in the GoAnywhere Managed File Transfer (MFT) product. This vulnerability was first published on September 18, and the WatchTowr crew took a look at it, and had questions. This bug is a deserialization attack that can land even without any authentication. It can result in command injection, and the latest update from GoAnywhere vendor Fortra vaguely indicates that it is being used for attacks in the wild. But this is particularly odd: before the vulnerable interface deserializes, it first checks for a valid signature. And WatchTowr researchers couldn’t find a leak of a valid private key. So how was the vulnerability in use in the wild?

Lucky for us, there’s a part two to this story, but not all of the mysteries are explained. This CVE is indeed being exploited in the wild, with the earliest known exploit being September 10th. Since there was a full week between the earliest known compromise and the release of the patch, it seems unfortunate that it took WatchTowr this long to confirm that this vulnerability was actually exploited in the wild.

Cisco and Public SNMP

Two million Cisco systems are at risk from CVE-2025-20352. This is a remotely accessible flaw in the handling of Simple Network Management Protocol traffic. The attack does require valid credentials, but the attack works using SNMPv1, v2, or v3. While SNMPv3 has more secure user credentials, the earlier SNMP versions just used “community strings”, a text based password that was often set to “public”.

This vulnerability seems to lead to either a crash or a Remote Code Exploitation (RCE). It’s not entirely clear how difficult it is to achieve RCE, but it’s noteworthy that RCE here is run as root, a level of access not usually available even to administrators of Cisco equipment. So far there’s no indication that this was used in the wild, but now that some information and a patch is available, it’s likely not going to take long for someone to reverse-engineer the vulnerability and weaponize it.

More Spilled Tea

Remember the Tea Spilling from a couple months ago? The Tea app had an unsecured Firebase database. It turns out that wasn’t an isolated incident. [Mike Oude Reimer] has been working on OpenFirebase, an auditing tool for Firebase installs. And to prove the point, did an audit on 400 of the most popular Android apps from a trio of categories in the play store, and found 150 Firebase servers that granted unintended access of some sort. That’s a bit stunning, that over one in three Android apps have insecure Firebase servers associated with them.

GitHub Malware Delivery

There’s a malware campaign that has happened in the last couple weeks, based around Search Engine Optimization and GitHub repositories. The instructions peddle malicious commands to users looking for popular software on the Mac, like LastPass and others. I was prepared to write about how Ad Blocking is really a form of security protection, as these campaigns are often delivered via advertising, but this one seems to primarily be based on real search engine placement.

This isn’t the only malware campaign that takes advantage of GitHub’s reputation as a trusted source of software. A phishing campaign was also recently spotted, where spam messages were added as GitHub issues, with the spammers tagging their victims, and offering fake Y Combinator sponsorships. Since the messages were sent via GitHub, most spam blockers treated them as legitimate. This campaign was a bit more clever than most, making use of domain typo-squatting, with the y-comblnator.com domain used as part of the campaign. The goal here being draining the crypto accounts of people sufficiently fooled by the messages.

Bits and Bytes

Is nothing sacred? In addition to GitHub, malware appears to be distributed via Steam, in updates to games. The most recent example was the Block Blasters game, which was on Steam for nearly two months before shipping malicious code.

How can you figure out whether an image is AI, or has been manipulated with AI or other tools? There’s quite a few approaches, but one of the interesting ones is to look at the JPEG artifacting. If part of the image has ever been compressed via JPEG, this results in blocky artifacts that are hard for the human eye to spot, but easy to see with the right tools.

And finally, in a blast from the past, Supermicro has another pair of vulnerabilities that could allow malicious firmware on server Baseboard Management Controllers (BMCs). The way these images are signed is slightly odd, with the various portions of the file signed independently. The attack is to treat these sections like cards in a deck, and shuffle malicious slices into the stack. The verification routine thinks all the important pieces are signed, but during a real boot, the malicious code runs instead. Patches coming soon.

From Blog – Hackaday via this RSS feed

Community programming.dev

Rustdesk Server Pro allegedly violates AGPL license by not distributing source

The free community version of Rustdesk Server (a competitor to the Teamviewer remote access software) is AGPL licensed. https://github.com/rustdesk/rustdesk-server The paid, proprietary Pro version builds on top of the community edition by adding extra features such as user authentication and a web backend for administration. There exists a repo for the pro server: https://github.com/rustdesk/rustdesk-server-pro But it only contains install scripts and no actual source code of the application. The github releases page of this repo however, contains the compiled code of the proprietary pro version and is available for anyone to download for free. Analyzing the disassembly of the pro and open source binaries shows that the pro version is definitely based on the open source version. The company previously associated with Rustdesk, Purslane Limited of the UK, is no longer in operation since 2023. The project has no CLA and so the dozens of previous contributors still hold the copyright to their code and have not given permission for it to be used in a proprietary version. There have been multiple requests for the source code of this pro version, but either there was no response or the issue was closed without comment. EDIT: The repo owner has completely deleted the issue, here is a screenshot: https://0x0.st/KaqD.png To me this just proves they know what they’re doing is wrong.

Community piefed.social

The Subnautica 2 lawsuit is getting even messier, with Krafton doing a massive U-turn, confusing both the ousted founders' lawyer and the judge: 'This is a little bit bewildering'

cross-posted from: https://ibbit.at/post/58642

It wasn’t all that long ago that we were anticipating the imminent arrival of Subnautica 2. The sequel to the superb underwater survival game has yet to appear, though, and the founders of Unknown Worlds have been ousted by owner Krafton, leading to a messy legal dispute between the two parties.

One of the reasons given for the termination was the state of the game. The founders believed that it was ready for an early access launch and planned to go through with it; Krafton, meanwhile, believed it wasn’t ready for its debut and that the founders had been shirking their duties. But there’s been a surprising U-turn, with Krafton significantly changing its argument.

The lawsuit is now in the discovery phase, so Fortis Advisors, which represents the ousted founders, sought discovery to see if Krafton held evidence to back up its claims. “But despite its obvious relevance, Krafton feigned astonishment during the parties’ meet and confers at how it could possibly be part of Phase I,” Fortis said. Essentially, Krafton said that documents relating to the readiness of the game were irrelevant to the termination—which is what this phase of discovery is focused on—despite this being the reason cited in the termination notices, which was also repeated publicly and in court.

“The termination notices of the founders gave one reason for their termination,” said Fortis, “and that was the supposed lack of readiness of Subnautica 2 for release. Krafton reiterated that basis for its actions repeatedly.” Fortis called it a “seismic shift in the case” and “a little bit bewildering”. This was also echoed by the judge, Lori W. Will, when the parties met for a ruling on the filed motions, saying: “Well, that’s something that we definitely need to get to the bottom of today, because that is precisely what was cited as the reason in the answer.”

Krafton’s representatives were not clear about why this argument has been taken off the table, only that it has been, and that it’s no longer why they are saying the founders were terminated. Instead, Krafton is focusing on the argument that the founders “abandoned their posts” and “deceived” their employer.

Causing more confusion is the accusation that the founders downloaded files and kept devices with confidential information on them. This only came to light after the termination, so its relevance has been questioned. Krafton’s position is that this justified their termination after the fact, and it filed a motion to forensically inspect the founders’ devices. The founders, meanwhile, contend that they had a right to those documents and devices, and that the motion is too invasive—and to the latter point, the judge agreed.

Fortis also alleged that Krafton hasn’t been playing ball, pushing back against some of its requests for discovery and refusing to confer. It claimed it needs emails and documents that relate to the earnout (the founders have accused Krafton of intentionally delaying the game so it wouldn’t have to pay a $250 million earnout) but Krafton is only willing to provide data from two people high up in the company, rather than employees who were “on the ground”.

Another point of contention is what documents Krafton is willing to provide: specifically, only where the word “earnout” intersects with the word “termination”. “That’s very narrow,” the judge replied. “That sounds like a really terrible email for someone to write, and it’s hard for me to imagine that they’d be that blunt about it.”

Krafton also argued that the plaintiff requested too many custodians—people who possess relevant data—and that it would take too long. The judge agreed the number was too high, but that the two parties would need to confer—something that Krafton had previously declined to do after it changed its argument. “That’s very frustrating,” the judge said.

The discussion of the motions ended with both parties agreeing to confer, at least, and confirmation that game readiness was not the reason why the founders were terminated. Still, the whole thing remains rather messy, and it continues to be unclear why Krafton has made a U-turn when it was so adamant before that the state of Subnautica 2 was one of the reasons the founders were fired, which only happened after discovery was sought. What does seem clear, though, is that this likely won’t be resolved any time soon.

From PCGamer latest via this RSS feed

Community ibbit.at

Policy Win at Sussex: Kicking Out the Arms Trade Through Ethical Investment

By Carmen Wilson, Director of Operations at Demilitarise Education (dED), September 19, 2025

The demilitarise education movement in the UK has achieved a recent policy win! After sustained campaigning and public consultation, the University of Sussex is set to adopt a policy that fully excludes arms companies from its investments. After going through consultation and engagement by both the wider and immediate university community, the draft policy has passed and is now with the University Council for final approval in October 2025.

This is a major step forward, and it reflects the power of collective advocacy. As part of the consultation process, Demilitarise Education (dED for short) submitted detailed comments rooted in the principles of peace, transparency, and ethical education. Our submission helped shape the draft and push for stronger commitments aligned with the dED Treaty — a practical framework to help universities end all investments and partnerships with the arms trade.

This article will provide a breakdown of how this policy win was achieved and what more we can do to advocate and ensure accountability to ethical divestment from the global arms trade.

How We Got Here: The Context & Timeline

This marks a significant moment for campaigners who have long called on higher education institutions to cut ties with the arms trade. It demonstrates how sustained advocacy, transparency, and community engagement can lead to concrete policy change.

Timeline of Events

- April 2024 – dED gave a policy-reform focused workshop to student and staff campaigners
- May 13, 2024 – Encampment for Palestine launched on campus, followed by engagement with the Vice Chancellor and negotiations
- February 2025 – Sussex announces review of Socially Responsible Investment Policy
- March 2025 – dED responded to the open consultation
- June 2025 – Next round of consultation for University members only
- July 2025 – University Council final approval of the policy draft
- October 2025 – New policy version set to be published

A Detailed Breakdown

In February 2024, Sussex announced that its Council (the University’s governing body) would form a working group of student and staff representatives, and review the university’s Socially Responsible Investment Policy. The statement emphasised the need to ensure the policy considered “changing global contexts and investment opportunities, it was agreed that a review would be carried out to ensure that the policy aligns with our institutional values and remains sector-leading.”

We were happy to see the university engaging with the wider community, showing a commitment to both transparency and inclusion in the policy review process.

In March 2025, dED submitted a detailed response to the open consultation. The policy framework contained 10 guiding principles, including one particularly important addition:

Guiding Principle #5 — Excluded Investments

“Armaments — production of weapon systems or their critical components. The University will not invest in any organisation where there is confirmed involvement in the production of weapons regulated or prohibited by international convention (controversial weapons); antipersonnel mines, cluster munitions, chemical, biological and nuclear weapons, or the supply of their key components.”

dED’s Recommendations

Building on this foundation, dED proposed stronger commitments rooted in transparency, inclusion, and long-term accountability, the core values set out in the dED Treaty. Among the recommendations were:

- Emphasis on human rights and recognition that arms investments undermine the UN Sustainable Development Goals (SDGs). Through arms divestment, the University can actively work towards the achievement of the SDGs through social impact investment.
- Full arms exclusion by removing turnover limits and clearly defining ‘arms companies’ by using the SIPRI and Defence News Top 100 arms-producing companies as the source lists, ensuring exclusions extend beyond controversial weapons. Changing “minimise exposure” to “eliminate exposure,” demonstrating a complete commitment to divestment.
- Extending exclusions to companies supplying arms to countries in violation of UN international law.
- Transparency and accountability measures: public disclosure through publishing full policies as downloadable PDFs, disclosing third-party fund managers, their policies, and alignment with university values, and sharing meeting minutes with the wider university community. A clear and transparent divestment process, including at least one-third reductions per year, with progress reported annually in financial statements.
- As public institutions, universities should be held accountable beyond immediate university stakeholders, with clear governance over investment decision-making — including frequency, criteria, and oversight mechanisms
- Inclusion in governance: ensuring diverse student and staff participation (beyond union representatives), regular opportunities to comment before and after each review, and open consultations with the wider community.
- Ethical compliance with charity obligations, reminding trustees that investing in arms companies contradicts the university’s charitable purpose and duty to provide public benefit.

Engagement and Next Steps

On June 18th, the university hosted an engagement session with staff and students to discuss the draft. dED members attended and contributed to the dialogue. The draft policy was then presented to the University Council in July for discussion and revision, and is scheduled for final approval in October. The full draft policy can be read here.

Why This Win Matters

Investments in arms companies violate the university’s charitable purposes and public benefit responsibilities. Sussex’s approach demonstrates the value of diverse inclusion and public engagement. It shows that when universities open space for dialogue, community voices can strengthen policy and push institutions toward greater accountability.

This outcome also reflects the momentum of wider public advocacy, including dED’s recently launched Open Letter Campaign, which has so far mobilised over 600 university students, staff and alumni to call on UK universities to end their partnerships with arms companies. Sussex’s willingness to listen and act is a reminder of what collective pressure can achieve and the importance of policy change, turning commitments into action to secure accountability in the long term.

Stand with Us

This is a win. But it’s also a model for how change happens: together, and from the inside. It’s the dED Treaty in action. We’re building a higher education system that lives its values — of peace, transparency, inclusion, and global justice. But we’re just getting started.

Support the campaign to help us achieve more wins like this one – If you’re a student, staff member or alumni of a UK university, add your name to this historic call and help ensure that universities live up to their values

Open Letter: A Call to End University War Complicity

Many UK universities still invest heavily in the arms trade. Together, we can hold them to higher standards. Add your name to our Open Letter and help ensure that universities live up to their values of peace, transparency, and global responsibility.

Don’t worry, if you’re not affiliated with a UK university, you can sign our petition co-hosted with World BEYOND War.

The post Policy Win at Sussex: Kicking Out the Arms Trade Through Ethical Investment appeared first on World BEYOND War.

From World BEYOND War via this RSS feed

Community ibbit.at

This Week in Security: The Shai-Hulud Worm, ShadowLeak, and Inside the Great Firewall

Hardly a week goes by that there isn’t a story to cover about malware getting published to a repository. Last week it was millions of downloads on NPM, but this week it’s something much more concerning. Malware published on NPM is now looking for NPM tokens, and propagating to other NPM packages when found. Yes, it’s a worm, jumping from one NPM package to another, via installs on developer machines.

It does other things too, like grabbing all the secrets it can find when installed on a machine. If the compromised machine has access to a GitHub account, a new repo is created named Shai-Hulud, borrowed from the name of the sandworms from Dune. The collected secrets and machine info gets uploaded here, and a workflow also uploads any available GitHub secrets to the webhook.site domain.

How many packages are we talking about? At least 187, with some reports of over 500 packages compromised. The immediate attack has been contained, as NPM has worked to remove the compromised packages, and apparently has added filtering code that blocks the upload of compromised packages.

So far there hasn’t been an official statement on the worm from NPM or its parent companies, GitHub or Microsoft. Malicious packages uploaded to NPM is definitely nothing new. But this is the first time we’ve seen a worm that specializes in NPM packages. It’s not a good step for the trustworthiness of NPM or the direct package distribution model.

Token Impersonation in Azure

There’s an interesting write-up from [Dirk-jan Mollema] detailing his findings regarding Azure impersonation tokens and how to abuse them. This is about the Entra ID service, the identity and access management component of the Azure cloud. Azure has a function that allows a service like Exchange to generate an actor token, allowing the service to interact with the rest of Azure on behalf of a user. These tokens are just signed JSON Web Tokens (JWTs).

For a service to actually use one of these tokens, it’s embedded inside yet another, unsigned JWT. This outer token container has multiple fields indicating the tenant that signed the inner token and the tenant the request is intended for. You may already wonder, what happens if we could get our hands on one of these double-wrapped tokens, and manipulate the target tenant field?

If an attacker can discover the tenant ID and a valid netId for a user in the victim tenant, one of these impersonation tokens could be generated from the attacker-owned tenant, and then manipulated to point to the victim tenant. From there, the attacker could perform any action as that user. It was an extremely significant flaw, and Microsoft pushed an immediate patch within days. The CVE scores a perfect 10 base score in the CVSS 3.1 scale.

ShadowLeak and Prompt Injection, the Attack That Won’t Go Away

There’s yet another example of weaponizing prompt injections against LLMs, in the form of ShadowLeak. And again, it’s the case where agentic AI can fall to social engineering. The setup is that the AI is handling incoming emails, and the prompt is hidden inside an incoming email, perhaps as white text on a white background.

The real challenge here isn’t sneaking the prompt in, but how to exfiltrate data afterwards. OpenAI’s Deep Research agent includes browser.open, to allow the AI to interact with the Internet. And of course, this gives the agent the ability to send data to a remote endpoint.

Firewall Warnings

SonicWall has announced that their MySonicWall systems were breached, and customers have been warned that their firewall configuration backups may have been compromised. These backups appear to include passwords.

Watchguard Firebox firewalls have an out-of-bounds write that can allow Remote Code Execution (RCE) on firewalls running VPNs with IKEv2. A fix is available for the units that are still actively supported, and it’s possible to mitigate against the flaw.

Inside The Great Wall

There was a huge, 600 GB leak last week, of source code and information about the Great Firewall of China. If you click through, the 600 GB leak is available to download, but it’s not something to download and interact with lightly. Put simply, it’s a lot of data produced by level state-sponsored actors, dealing with rather sensitive capabilities.

Among the non-source files, there are some interesting details, such as how the Chinese firewall has been exported to multiple other countries. The source code itself is still being analyzed, and so far it’s an interesting look into the cat and mouse game that has been long played between the Chinese government and VPN technologies. This leak will likely take quite some time to fully analyze, but promises to provide a significant look into the internals of the Great Firewall.

Bits and Bytes

LG TVs running WebOS had a fun issue, where plugging in a USB drive exposed the files on a web endpoint. The filename to download is specified via a parameter to that url, and that parameter doesn’t do path traversal filtering. This gives arbitrary read access to the whole device filesystem.

Google has uncovered and then squashed the SlopAds advertising fraud campaign. This campaign was a collection of apps that presented themselves as hastily made, “AI slop” apps. But when installed, these apps clicked as fast as they could on ads that paid out for the attackers. This represents 224 malicious applications removed, and was resulting in 2.3 billion ad hits per day.

From Blog – Hackaday via this RSS feed

Community ibbit.at

The Subnautica 2 lawsuit is getting even messier, with Krafton doing a massive U-turn, confusing both the ousted founders' lawyer and the judge: 'This is a little bit bewildering'

It wasn’t all that long ago that we were anticipating the imminent arrival of Subnautica 2. The sequel to the superb underwater survival game has yet to appear, though, and the founders of Unknown Worlds have been ousted by owner Krafton, leading to a messy legal dispute between the two parties. One of the reasons given for the termination was the state of the game. The founders believed that it was ready for an early access launch and planned to go through with it; Krafton, meanwhile, believed it wasn’t ready for its debut and that the founders had been shirking their duties. But there’s been a surprising U-turn, with Krafton significantly changing its argument.

The lawsuit is now in the discovery phase, so Fortis Advisors, which represents the ousted founders, sought discovery to see if Krafton held evidence to back up its claims. “But despite its obvious relevance, Krafton feigned astonishment during the parties’ meet and confers at how it could possibly be part of Phase I,” Fortis said. Essentially, Krafton said that documents relating to the readiness of the game were irrelevant to the termination—which is what this phase of discovery is focused on—despite this being the reason cited in the termination notices, which was also repeated publicly and in court. “The termination notices of the founders gave one reason for their termination,” said Fortis, “and that was the supposed lack of readiness of Subnautica 2 for release. Krafton reiterated that basis for its actions repeatedly.” Fortis called it a “seismic shift in the case” and “a little bit bewildering”. This was also echoed by the judge, Lori W. Will, when the parties met for a ruling on the filed motions, saying: “Well, that’s something that we definitely need to get to the bottom of today, because that is precisely what was cited as the reason in the answer.”

Krafton’s representatives were not clear about why this argument has been taken off the table, only that it has been, and that it’s no longer why they are saying the founders were terminated. Instead, Krafton is focusing on the argument that the founders “abandoned their posts” and “deceived” their employer. Causing more confusion is the accusation that the founders downloaded files and kept devices with confidential information on them. This only came to light after the termination, so its relevance has been questioned. Krafton’s position is that this justified their termination after the fact, and it filed a motion to forensically inspect the founders’ devices. The founders, meanwhile, contend that they had a right to those documents and devices, and that the motion is too invasive—and to the latter point, the judge agreed.

Fortis also alleged that Krafton hasn’t been playing ball, pushing back against some of its requests for discovery and refusing to confer. It claimed it needs emails and documents that relate to the earnout (the founders have accused Krafton of intentionally delaying the game so it wouldn’t have to pay a $250 million earnout) but Krafton is only willing to provide data from two people high up in the company, rather than employees who were “on the ground”. Another point of contention is what documents Krafton is willing to provide: specifically, only where the word “earnout” intersects with the word “termination”. “That’s very narrow,” the judge replied. “That sounds like a really terrible email for someone to write, and it’s hard for me to imagine that they’d be that blunt about it.” Krafton also argued that the plaintiff requested too many custodians—people who possess relevant data—and that it would take too long. The judge agreed the number was too high, but that the two parties would need to confer—something that Krafton had previously declined to do after it changed its argument. “That’s very frustrating,” the judge said.

The discussion of the motions ended with both parties agreeing to confer, at least, and confirmation that game readiness was not the reason why the founders were terminated. Still, the whole thing remains rather messy, and it continues to be unclear why Krafton has made a U-turn when it was so adamant before that the state of Subnautica 2 was one of the reasons the founders were fired, which only happened after discovery was sought. What does seem clear, though, is that this likely won’t be resolved any time soon.

From PCGamer latest via this RSS feed

Community ibbit.at

Chop Wood, Carry Water 9/15

From Into Action. Download here. Hi, all, and happy Monday. I hope you had a great weekend— it is, as always, a wild moment in the news and I trust you’re caring for yourself accordingly. This will be an eventful week in Congress, as some sort of spending bill must be passed by both chambers before September 30. The House will likely be voting on a Continuing Resolution today or tomorrow that goes for about 7 weeks, but it’s unclear—surprise surprise—whether Johnson has the votes to pass it. In the Senate there’s even less clarity. Remember, Schumer has some leverage in this fight, as Democrats have filibuster power in the Senate. One would like to think that Dems, as a result, had a unified and powerful ask in this moment, but I’m not convinced that they do. Schumer and Jeffries are making vague noises about healthcare, but mostly they’re just asking Republicans to come to the bargaining table—something the GOP has thus far been unwilling to do. As far as demanding anything beyond a permanent extension of the ACA premium tax credits and maybe a repeal of the cuts to Medicaid funding (which they’ll never get) Democratic leadership seems thus far uninterested in demanding real concessions. We’ve got to try to change that. I’ve provided call scripts below. It is imperative that we keep trying to push Democrats to ask for more than they currently are. Polling shows that Americans will support them in shutting down the government if Democrats demand, in return, a repeal of both Medicaid cuts and the billionaire tax cuts, too, and more checks on Trump’s power! But Schumer, as always, is approaching the fight armed with a metaphorical plastic fork. His jumble of tepid asks and unclear demands does not, in short, inspire confidence. It’s frustrating, to say the least. Folks, Democrats need new leadership. Desperately. I will continue to call for it every time I call my representatives, and I hope you will, too. 
In the meantime we must push the leaders we have as hard as we can. Will they listen? Hard to say. Schumer is well aware of how furious we were with him for his capitulation in March. He appears to be determined to do better. Perhaps if we push him he will. OK. This newsletter is already late so I’ll leave it there. I’m sending love and strength to every one of you. If I have to be in a seemingly endless slog to save our democracy there is no one I’d rather be in it with than you. Let’s get to work. Correction I inadvertently posted something false in yesterday’s “Extra Extra.” I wrote that the UN had moved its summit from NYC to Geneva in response to the Trump administration’s refusal to grant Palestinian leadership entry to the US. This was apparently misinformation. I’m terribly sorry about that! I’ve removed the item from the online version of the newsletter and will, again, endeavor to be more careful about what I post. Call Your Senators (find yours here) 📲 Hi, I’m a constituent calling from [zip]. My name is ______. First, please ask the Senator to oppose the nomination of Stephen Miran for the Federal Reserve Board. Allowing a White House advisor to serve on the board will disrupt its independence and put the stability of our already shaky economy at greater risk. [H/T] [If Democrat:] Also, I’m furious to hear that Senate Democrats are considering caving to Republicans on the government spending package. I’m hearing they are thinking of allowing Trump some rescissions and that they’re not demanding a reversal of tax cuts for the richest Americans—even though Americans support these asks. In short, they’re not using their leverage to fight for popular policies. I can’t begin to express my frustration with this. Democrats wonder why they’re not popular? THIS is why. They should be saying NO to any rescissions. They should demand a permanent extension of the ACA tax credits, a reversal of all Medicaid cuts, and a reversal of tax cuts for billionaires. 
Otherwise they should vote no. [If Republican] I understand that Republicans have made no move to negotiate with Democrats on the spending bill, even though we are two weeks away from a shutdown. I find this so disappointing. The Senator knows Trump’s rescissions are wrong and that we must permanently extend the ACA premium tax credits and reverse Trump’s Medicaid cuts. S/he knows that bipartisanship matters. Please ask him/her to uphold his/her values and work with Democrats to achieve these ends. Thanks. Call Your House Rep (find yours here) 📲 Hi, I’m a constituent calling from [zip]. My name is _______. [If Republican] I understand that Republicans have made no move to negotiate with Democrats on a spending bill, even though we are two weeks away from a shutdown. I find this so disappointing. The Congressmember knows that bipartisanship matters. Please ask him/her to uphold his/her values and work with Democrats to achieve a spending bill that represents all Americans. Thanks. [If Democrat:] Please ask the Congressmember to vote no on the upcoming Continuing Resolution unless it contains provisions preventing all future rescissions, codifying a permanent extension of the ACA tax credits, reversing all Medicaid cuts, and reversing Trump’s tax cuts for billionaires. Thanks. Extra Credit ✅ A great action from reader Katharine H. I’ve written a letter to SCOTUS [asking each member to uphold their oath to the Constitution] that your readers are welcome to use and edit as necessary. I’ve saved it in a Google Drive folder (“LETTERS FOR DEMOCRACY”) along with letters to the 15 cabinet secretaries, and a letter people can use if they have Republican members of congress. Here’s the link to the SCOTUS letters. Here’s the link to the folder with ALL the letters. I copied the text of the letter and pasted it onto my own Google doc, then edited as I wished. I will be mailing my letter to John Roberts today. You can write only him, or to all of the justices individually. 
There is a template for each one. Get Smart! 📚 Reminder, Activate America’s next Organizer 101 training is coming up on Tuesday, September 16 at 5 PM Pacific / 8 PM Eastern. They host these to give people the skills they need to start organizing for the critical upcoming election. They have trained nearly 500 organizers across the country since Spring, especially in the swing districts and states that will determine control of Congress. These skills will also be very useful for anyone organizing around California’s redistricting initiative, Prop 50, on the ballot this November. You can sign up HERE. Give 💰! See below regarding the Zoom fundraiser on Wednesday at which I’ll be speaking. It’s a great description of Swing Blue Alliance’s goals and the rationale behind all of their grassroots work. And I do hope some of you can come! The Grassroots Connector: Turning Virginia’s Red Districts Blue in 2025 – The Path to Winning in 2026, by Michelle Moore, Swing Blue Alliance-Virginia. Win Races! 🗳 Join Sister District on September 16 for Fight for our Future: Momentum Starts Now. Hear from a Sister District alum elected official preparing for 2026, a volunteer leader, and members of their team powering grassroots action every day. Learn why state legislatures are the key to lasting change, and how volunteering with Sister District can make the difference. Sign up below! https://sisterdistrict.com/event-details/eventid/828665/ Chop Wood, Save the Planet 🔥 There are just 10 days to go until Sun Day! Over 350 events are planned across 46 states, making it the biggest day of action for clean energy in decades. All we need is YOU. You can search their events page here to see what’s planned! Resistbot Letter (new to Resistbot? Go here! And then here.) 
💻 [To: all 3 reps] [H/T ] [Text SIGN PWZIIK to 50409, or to @Resistbot on Apple Messages, Messenger, Instagram, or Telegram] (Note that for the most effective RESISTBOT it’s best to personalize this text. More about how to do this here. But if you’re short on time just send it as is using the above code.) Treasury Secretary Scott Bessent’s recent behavior — reportedly screaming threats of violence, including “I’m gonna punch you in your f***ing face,” at a journalist — is not only disgraceful but also disqualifying. A man entrusted with the nation’s economic stability must not behave like an unhinged playground bully. This is not a partisan issue; it is a matter of basic competence and dignity in office. Bessent’s tantrums and sleazy smears, documented by respected journalists including Paul Krugman, show a pattern of behavior that is both childish and dangerous. How can Congress expect the American people to trust an official who lashes out like an angry adolescent when asked hard questions? Congress must hold hearings to investigate Bessent’s conduct and fitness for office. The Treasury Secretary wields enormous influence over our economy, our markets, and our international credibility. If he cannot manage his temper, or if he cannot engage with criticism without resorting to threats, then he is not grown-up enough to handle this job. I urge you to take immediate action. The American people deserve leadership marked by integrity, not intimidation. OK, you did it again! You’re helping to save democracy! You’re amazing. Talk soon. Jess From Chop Wood, Carry Water via this RSS feed

Community ibbit.at

Dragon is the Latest, and Final, Craft to Reboost ISS

The International Space Station has been in orbit around the Earth, at least in some form, since November of 1998 — but not without help. In the vacuum of space, an object in orbit can generally be counted on to remain zipping around more or less forever, but the Station is low enough to experience a bit of atmospheric drag. It isn’t much, but it saps enough velocity from the Station that without regular “reboosts” to speed it back up, the orbiting complex would eventually come crashing down.

Naturally, the United States and Russia were aware of this when they set out to assemble the Station. That’s why early core modules such as Zarya and Zvezda came equipped with thrusters that could be used to not only rotate the complex about all axes, but accelerate it to counteract the impact of drag. Eventually the thrusters on Zarya were disabled, and its propellant tanks were plumbed into Zvezda’s fuel system to provide additional capacity.

[Image: An early image of ISS, Zarya module in center and Zvezda at far right.]

Visiting spacecraft attached to the Russian side of the ISS can transfer propellant into these combined tanks, and they’ve been topped off regularly over the years. In fact, the NASA paper A Review of In-Space Propellant Transfer Capabilities and Challenges for Missions Involving Propellant Resupply notes this as one of the most significant examples of practical propellant transfer between orbital vehicles, with more than 40,000 kg of propellants pumped into the ISS as of 2019.

But while the thrusters on Zvezda are still available for use, it turns out there’s an easier way to accelerate the Station; visiting spacecraft can literally push the orbital complex with their own maneuvering thrusters. Of course this is somewhat easier said than done, and not all vehicles have been able to accomplish the feat, but over the decades several craft have taken on the burden of lifting the ISS into a higher orbit.

Earlier this month, a specially modified SpaceX Cargo Dragon became the newest addition to the list of spacecraft that can perform a reboost. The craft will boost the Station several times over the rest of the year, which will provide valuable data for when it comes time to reverse the process and de-orbit the ISS in the future.

Reboosting the Russian Way

By far the easiest way for a visiting spacecraft to reboost the ISS is to dock with the rear of the Zvezda module. This not only places the docked spacecraft at what would be considered the “rear” of the Station given its normal flight orientation, but puts the craft as close as possible to the Station’s own thrusters. This makes it relatively easy to compute the necessary parameters for the thruster burn.

[Image: Progress 72 in 2019]

Historically, reboosts from this position have been performed by the Russian Progress spacecraft. Introduced in 1978, Progress is essentially an uncrewed version of the Soyuz spacecraft, and like most of Russia’s space hardware, has received various upgrades and changes over the decades. Progress vehicles are designed specifically for serving long-duration space stations, and were used to bring food, water, propellants, and cargo to the Salyut and Mir stations long before the ISS was even on the drawing board.

Reboosts could also be performed by the Automated Transfer Vehicle (ATV). Built by the European Space Agency (ESA), the ATV was essentially the European counterpart to Progress, and flew similar resupply missions. The ATV had considerably greater cargo capacity, with the ability to bring approximately 7,500 kg of materials to the ISS compared to 2,400 kg for Progress. Only five ATVs were flown, from 2008 to 2014. There were several proposals to build more ATVs, including modified versions that could potentially even carry crew. None of these versions ever materialized, although it should be noted that the design of the Orion spacecraft’s Service Module is based on the ATV.

American Muscle

Reboosting the ISS from the American side of the Station is possible, but involves a bit more work. For one thing, the entire Station needs to flip over, as the complex’s normal orientation would have the American docking ports facing forwards. Of course, there’s really no such thing as up or down in space, so this maneuver doesn’t impact the astronauts’ work. There are however various experiments and devices aboard the Station that are designed to point down towards Earth, so this reorientation can still be disruptive.

Depending on the spacecraft, simply flipping the Station over might not be sufficient. In the case of the Space Shuttle, which of the American vehicles performed the most reboost maneuvers by far, the entire complex had to be rotated into just the right position so that the thrusters on the spaceplane would be properly aligned with the Station’s center of mass. As described in the “AUTO REBOOST” section of the STS-129 Orbit Operations Checklist, the Shuttle’s computer would actually be given control of the maneuvering systems of the ISS so the entire linked structure can be rotated into the correct position. A diagram in the Checklist even shows the approximate angle the vehicles should be at for the Shuttle’s maneuvering thrusters to line up properly.

With the retirement of the Space Shuttle in 2011, maintaining the Station’s orbit became the sole domain of the Russians until 2018, when the Cygnus became the first commercial spacecraft to perform a reboost. The cargo spacecraft had a swiveling engine which helped get the direction of thrust aligned, but the Station did still need to rotate to get into the proper position. After performing a second reboost in 2022, the Cygnus spacecraft was retired. Its replacement, the upgraded Cygnus XL, is currently scheduled to launch its first mission to the ISS no earlier than September 14th.

Preparing for the Final Push

That brings us to the present day, and the Cargo Dragon. SpaceX had never designed the spacecraft to perform a reboost, and indeed, it would at first seem uniquely unsuited for the task as its “Draco” maneuvering thrusters are actually located on the front and sides of the capsule. When docked, the primary thrusters used for raising and lowering the Dragon’s own orbit are essentially pressed up against the structure of the ISS, and obviously can’t be activated.

[Image: Crew Dragon approaching the ISS, note four Draco thrusters around docking port.]

To make reboosting with the Dragon possible, SpaceX added additional propellant tanks and a pair of rear-firing Draco thrusters within the spacecraft’s un-pressurized “trunk” module. This hollow structure is usually empty, but occasionally will hold large or bulky cargo that can’t fit inside the spacecraft itself. It’s also occasionally been used to deliver components destined to be mounted to the outside of the ISS, such as the International Docking Adapter (IDA) and the roll-out solar panels.

[Image: Additional propellant tanks mounted in the trunk of the Cargo Dragon.]

While the ability to have the Dragon raise the orbit of the International Space Station obviously has value to NASA, the implications of this experiment go a bit farther. SpaceX has already been awarded the contract to develop and operate the “Deorbit Vehicle” which will ultimately be used to slow down the ISS and put it on a targeted reentry trajectory sometime after 2030. Now that the company has demonstrated the ability to add additional thrusters and propellant to a standard Dragon spacecraft via a module installed in the trunk, it’s likely that the Deorbit Vehicle will take a similar form.

So while the development of this new capability is exciting from an operational standpoint, especially given deteriorating relations with Russia, it’s also a reminder that the orbiting laboratory is entering its final days.

From Blog – Hackaday via this RSS feed

Community atomicpoet.org

Katanaut just dropped on Steam—and it’s a blood-soaked beast.

Katanaut just dropped on Steam—and it’s a blood-soaked beast. This is a Metroidvania-flavored roguelite where you descend through a space station ravaged by a grotesque infection. Once-human inhabitants are now nightmares. You carve them apart with a katana, unload what little ammo you’ve got, and push deeper with every death. Each run feeds into meta-progression—downloaded “memory fragments” unlock new skills, perks, and weapons. And at the end of each elevator descent, you carry those gains forward into the abyss. Boss fights? Enormous and nasty. Think Dead Cells in motion, Dead Space in mood. The visuals are rich pixel art built in Godot. Detailed sprites, hand-crafted rooms, and backgrounds that drip with atmosphere. For all the darkness, it’s vivid—blood reds, cold steel blues, cosmic purples. Accessibility is baked in too: adjustable text size, subtitle support, color alternatives, and save-anywhere. The combat feels incredibly tight. Keyboard and mouse were a breeze—I found myself slicing and shooting with the mouse buttons alone. It clicked instantly. The katana swings have real bite, and when you land a shot, the crisp sound effects make it satisfying every time. I tested it with gamepads too—Xbox and PlayStation both—and they worked flawlessly. And best of all, no timed input nonsense. Just raw reaction and skill. Audio slams just as hard. A pounding synthwave score fuels the pace. It’s become the default genre for action indies, and here it works—neon soundscapes with sharp, surgical effects. I loved how every katana strike felt amplified by the soundtrack. Custom volume controls let me balance music against effects, and surround support made headphones a joy. Specs are modest. Any halfway-decent CPU, 4GB of RAM, 1GB of space. Runs on Godot’s Vulkan renderer, but if your GPU isn’t up to snuff, there’s a compatibility mode too. Having played it myself, I can say this: Katanaut is tuned to perfection. 
I never hit that cheap frustration wall that so many roguelites throw up. Instead, it’s tough but fair. Voidmaw may be a first-time developer, but this feels like the work of a seasoned studio. It launched today with a 20% discount—C$18.71—and for the time I’ve already sunk in, that’s absurdly good value. This is no mere rogue-like. It’s a finely honed 2D side-scroller that absolutely nails the mix of speed, atmosphere, and challenge. https://store.steampowered.com/app/3032830/Katanaut/ @[email protected]

Community lemmy.world

*Permanently Deleted*

The whole Project 2025 was online long before the election. Complete, for free for everyone to download and read. It’s all written down. I bet my ass that not one MAGA and very few humans read this. It starts bad and only gets worse down the road. It’s like good satire, because no one would be that stupid, that reckless, that inhumane, that sadistic or that shameless to really push through what is described in Project 2025. I read it before the election and was sure that that was the end of MAGA. I was so wrong that I lost trust in common sense among humans. Turns out that without law or rules, people really turn into animals.

Community kbin.social

Gog-games is back.

Gog.com are selling DRM-free games, so there’s no copy protection, Internet activation, mandatory launcher, etc. It used to stand for “good old games”, but they also have new titles these days. Same parent company as The Witcher developers. There is a launcher, but it’s entirely optional - you can just pay prices that are generally comparable to Steam and download the installation files for a game, which require no Internet connection at all (apart from some edge cases, e.g. a very small number of multiplayer games). Gog-games meanwhile is a piracy site that redistributes these DRM-free installers to people who are not inclined to pay for the privilege. What makes them preferable to other sites is that you get the trustworthy installers from gog and do not have to fiddle with potentially malicious cracks yourself. They are also uploading to fast file hosts. One thing they are particularly useful for is preservation, games that are now delisted on gog.com and elsewhere, only available there if you have purchased them in the past. The rather decent licensed Back to the Future game from Telltale for example can’t be bought anywhere anymore (since the license for the movie franchise was only granted for a few years), but it’s still available in its most convenient shape on gog-games.