10 interesting stories served every morning and every evening.

Swipe left to beginPress right arrow to begin

Belgium stops decommissioning nuclear power plants

dpa-international.com

829 shares · 31 trendiness

30.04.2026, 11:37 Uhr

Belgium will stop decommissioning its nuclear power plants, Prime Minister Bart De Wever announced on Thursday.

The government is going to negotiate with operator ENGIE over the nationalization of the plants, De Wever said.

“This government chooses safe, affordable, and sustainable energy. With less dependence on fossil imports and more control over our own supply,” he wrote on X.

ENGIE said it signed a letter of intent with the Belgian government on exclusive negotiations.

The agreement covers the potential acquisition of “the complete nuclear ﬂeet of seven reactors, the associated personnel, all nuclear subsidiaries, as well as all associated assets and liabilities, including decommissioning and dismantling obligations,” a press release said.

A basic agreement is expected to be reached by October, it said.

Belgium originally decided in 2003 to phase-out nuclear power production by 2025, but political debate and energy security concerns have led to delays.

Last year the Belgian parliament voted by a large majority to end the nuclear phase-out. De Wever’s government also aims to build new nuclear power plants.

Belgium has seven nuclear reactors at two different sites, although three reactors have already been taken off the grid.

The fate of the ageing installations has been debated for decades. The country is currently heavily dependent on gas imports to cover its electricity needs as it has been struggling to expand renewable power generation significantly.

Bart De Wever on X

ENGIE press release

Read the original on dpa-international.com →

Rivian Support

rivian.com

641 shares · 32 trendiness

Read the original on rivian.com →

Access Denied

thereader.mitpress.mit.edu

621 shares · 29 trendiness

Read the original on thereader.mitpress.mit.edu →

security - Re: CVE-2026-31431: CopyFail: linux local privilege scalation

www.openwall.com

521 shares · 24 trendiness

Products

Openwall GNU/*/Linux server OS

Linux Kernel Runtime Guard

John the Ripper password cracker

Free & Open Source for any platform

in the cloud

Pro for Linux

Pro for macOS

Wordlists for password cracking

passwdqc policy enforcement

Free & Open Source for Unix

Pro for Windows (Active Directory)

yescrypt KDF & password hashing

yespower Proof-of-Work (PoW)

crypt_blowﬁsh password hashing

phpass ditto in PHP

tcb better password shadowing

Pluggable Authentication Modules

scanlogd port scan detector

popa3d tiny POP3 daemon

blists web interface to mailing lists

msulogin single user mode login

php_mt_seed mt_rand() cracker

Openwall GNU/*/Linux server OS

Linux Kernel Runtime Guard

John the Ripper password cracker

Free & Open Source for any platform

in the cloud

Pro for Linux

Pro for macOS

Free & Open Source for any platform

in the cloud

Pro for Linux

Pro for macOS

Wordlists for password cracking

passwdqc policy enforcement

Free & Open Source for Unix

Pro for Windows (Active Directory)

Free & Open Source for Unix

Pro for Windows (Active Directory)

yescrypt KDF & password hashing

yespower Proof-of-Work (PoW)

crypt_blowﬁsh password hashing

phpass ditto in PHP

tcb better password shadowing

Pluggable Authentication Modules

scanlogd port scan detector

popa3d tiny POP3 daemon

blists web interface to mailing lists

msulogin single user mode login

php_mt_seed mt_rand() cracker

Services

Publications

Articles

Presentations

Articles

Presentations

Resources

Mailing lists

Community wiki

Source code repositories (GitHub)

File archive & mirrors

How to verify digital signatures

OVE IDs

Mailing lists

Community wiki

Source code repositories (GitHub)

File archive & mirrors

How to verify digital signatures

OVE IDs

What’s new

Message-ID: <87se8dgicq.fsf@gentoo.org>

Date: Thu, 30 Apr 2026 05:52:37 +0100

From: Sam James <sam@…too.org>

To: oss-security@…ts.openwall.com

Cc: Jan Schaumann <jschauma@…meister.org>

Subject: Re: CVE-2026 – 31431: CopyFail: linux local privilege

scalation

Eddie Chapman <eddie@…k.net> writes:

> On 29/04/2026 21:23, Jan Schaumann wrote:

>> Affected and ﬁxed versions

>> ===========================

>> Issue introduced in 4.14 with commit

>> 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 and ﬁxed in

>> 6.18.22 with commit

>> fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8

>> Issue introduced in 4.14 with commit

>> 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 and ﬁxed in

>> 6.19.12 with commit

>> ce42ee423e58dffa5ec03524054c9d8bfd4f6237

>> Issue introduced in 4.14 with commit

>> 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 and ﬁxed in

>> 7.0 with commit

>> a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5

>> https://git.kernel.org/stable/c/fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8

>> https://git.kernel.org/stable/c/ce42ee423e58dffa5ec03524054c9d8bfd4f6237

>> https://git.kernel.org/stable/c/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5

> So this is one of the worst make-me-root vulnerabilities in the kernel

> in recent times. I see that on the 11th of April 6.19.12 & 6.18.22

Read the original on www.openwall.com →

Dispute over fate of Kenyan workers who saw Meta AI glasses films

www.bbc.com

502 shares · 16 trendiness

Meta in row after workers who say they saw smart glasses users having sex lose jobs

1 day ago

Chris VallanceSenior technology reporter

AFP via Getty Images

Meta is under pressure to explain why it cancelled a major contract with a company it was using to train AI, shortly after some of its Kenya-based workers alleged they had to view graphic content captured by Meta smart glasses.

Less than two months later, Meta ended its contract with Sama, which Sama said would result in 1,108 workers being made redundant.

Meta says it’s because Sama did not meet its standards, a criticism Sama rejects. A Kenyan workers’ organisation alleges Meta’s decision was caused by the staff speaking out.

Meta has not addressed that allegation but told BBC News in a statement it had “decided to end our work with Sama because they don’t meet our standards”.

Sama has defended its work.

“Sama has consistently met the operational, security and quality standards required across our client engagements, including with Meta,” it said in a statement.

“At no point were we notiﬁed of any failure to meet those standards, and we stand ﬁrmly behind the quality and integrity of our work.”

‘Naked bodies’

In late February, Swedish newspapers Svenska Dagbladet (SvD) and Goteborgs-Posten (GP) published an investigation which included the accounts of unnamed workers who had been asked to review videos ﬁlmed by Meta’s glasses.

“We see everything - from living rooms to naked bodies,” one worker reportedly said.

At the time of the publication, Meta admitted subcontracted workers might sometimes review content ﬁlmed on its smart glasses when people shared it with Meta AI.

It said this was for the purpose of improving the customer experience, and was a common practice among other companies.

However, the revelations have prompted regulators to act.

Shortly after the Swedish investigation, the UK data watchdog, the Information Commissioners Ofﬁce (ICO) wrote to Meta about what it called a “concerning” report.

The Ofﬁce of the Data Protection Commissioner in Kenya also announced it was commencing an investigation into privacy concerns raised by the glasses.

In a statement in response to news of the redundancies a Meta spokesperson told the BBC, “last month, we paused our work with Sama while we looked into these claims.

“We take them seriously. Photos and videos are private to users. Humans review AI content to improve product performance, for which we get clear user consent.”

‘Standards of secrecy’

Features can include translating text, or responding to questions about what the user is looking at - particularly useful for those who are blind or partially sighted.

However, as the devices have grown in popularity, so too have concerns about their misuse.

The workers the Swedish newspapers spoke to were data annotators, teaching Meta’s AI to interpret images by manually labelling content.

The workers said they also reviewed transcripts of interactions with the AI to check it had answered questions adequately.

In one instance, a worker told the newspapers, a man’s glasses were left recording in a bedroom where they later ﬁlmed a woman, apparently the man’s wife, undressing.

Meta’s glasses have a light in the corner of the frames that is turned on when the built-in camera is recording.

Sama, a US headquartered outsourcing business, which began as a non-proﬁt organisation with the aim of increasing employment through the provision of tech jobs, is now an “ethical” B-corp.

But this is not the ﬁrst time a contract with Meta has soured.

An earlier deal to moderate Facebook posts attracted criticism, alongside legal action by former employees - some of whom described being exposed to graphic, traumatising content.

Sama later said it regretted taking the work.

Naftali Wambalo of the Africa Tech Workers Movement, who is a petitioner in the continuing legal action around that case, told the BBC he had also spoken with workers involved in the smart glasses contract.

Wambalo believed the reason for Meta’s ending the work was that it didn’t want workers speaking out about human workers sometimes reviewing content captured by the smart glasses.

“What I think are the standards they are talking about here are standards of secrecy,” he told BBC News.

The BBC has asked Meta to respond to this point.

The tech giant has previously said that users were made aware of the possibility of human review in the its terms of service.

Mercy Mutemi a lawyer representing the petitioners, who is also executive director of campaign group the Oversight Lab, said Meta’s statement should be a warning to the Kenyan government.

“We’ve been told that this is our entry route into the AI ecosystem,” she told the BBC. “This is a very ﬂimsy foundation to build your entire industry on.”

Read the original on www.bbc.com →

The request could not be satisfied

www.democrata.es

488 shares · 22 trendiness

Read the original on www.democrata.es →

How an Oil Refinery Works

www.construction-physics.com

440 shares · 19 trendiness

Though wind and solar continue to carve out larger and larger shares of world energy supply, the modern world still runs on petroleum, and will continue to do so for the foreseeable future. The world consumes over 100 million barrels of oil a day. As of 2023, oil was responsible for 30% of all energy use worldwide, higher than any other energy source (though its share has been gradually falling). In chemical manufacturing, petroleum is even more critical: an astounding 90% of chemical feedstocks are derived from oil or gas. Virtually all plastic comes from chemicals extracted from oil or gas, and petrochemicals are used to produce everything from lubricants to paint to plywood to synthetic fabrics to fertilizer.

Our enormous consumption of petroleum is made possible by oil reﬁneries. When oil comes out of the ground, it’s a complex mixture of thousands of different chemicals. Oil reﬁneries take in this mixture and process it, turning it into chemicals we can actually use. Because of the scale of worldwide petroleum consumption, oil reﬁneries are some of the largest industrial facilities in the world. A large oil reﬁnery will occupy thousands of acres and cost billions of dollars to construct, ultimately reﬁning hundreds of thousands of barrels of oil each day.

Oil is a liquid produced from decomposing organic materials, mostly plankton and algae that died and sank to the bottom of ancient oceans. This dead organic matter gradually got covered with sediment, and over millions of years it transformed into crude oil. Crude oil is a mixture of thousands of different chemicals, most of which are hydrocarbons: molecules that are various arrangements of carbon and hydrogen atoms. The molecules in crude oil range from the simple, such as propane (three carbons and eight hydrogens) and butane (four carbons and ten hydrogens) to the complex — some asphaltene molecules in crude oil can contain thousands of individual atoms.1

Crude oils extracted from different parts of the Earth will have different mixtures of hydrocarbons and other molecules, which has given rise to a sort of crude oil taxonomy. “Heavy” crude oils, found in places like Canada’s oil sands, will have more heavy molecules, while “light” crude oils found in places like Saudi Arabia’s Ghawar ﬁeld will have more light molecules. “Sweet” crudes, like the crudes extracted from the Brent oil ﬁeld in the North Sea, have lower sulfur content, while “sour crudes,” like some of the crudes extracted from the Gulf of Mexico, have greater sulfur content.

The job of an oil reﬁnery is to process this mixture of hydrocarbons and other molecules: separating the mixture into individual chemicals or groups of chemicals, and using various chemical reactions to change low-value chemicals into more valuable, useful ones.

A reﬁnery makes use of several different methods to separate and process crude oil, but the most important process of all is probably distilling. Different molecules within crude oil boil at different temperatures, and condense back into liquid at different temperatures. Smaller, lighter molecules boil and condense at lower temperatures, while larger and heavier molecules boil and condense at higher temperatures. You can describe this range of boiling points with a distillation curve, which shows what fraction of the crude oil boils at different temperatures. In the example curve below, we can see that at about 350°C half the crude has boiled off, and at 525°C about 80% of the crude has boiled off. Different crude oils will have slightly different distillation curves, depending on the proportion of different molecules within them.

Substances derived from crude oil are often mixtures of chemicals deﬁned by their range of boiling points. Gasoline, for instance, isn’t just one chemical: it’s a mixture of hydrocarbons, mostly molecules with between four and 12 carbon atoms. The EIA deﬁnes ﬁnished gasoline as “having a boiling range of 122 to 158 degrees Fahrenheit at the 10 percent recovery point to 365 to 374 degrees Fahrenheit at the 90 percent recovery point.”2

Oil reﬁneries can use this range of boiling and condensation to separate crude oil into different groups of chemicals, or fractions, using a distillation column. When crude oil enters a reﬁnery, the salt gets removed from it, and it’s then heated to around 650 – 750°F, which turns most of the oil into a vapor. The vapor is then fed into a tall column containing trays at different heights, each ﬁlled with liquid. As the hot vapor rises through the column, at each tray it passes through the liquid, which cools it slightly. When the vapor cools enough, it condenses back into liquid. The heaviest molecules with the highest boiling points condense ﬁrst, at the bottom of the column, while the lighter ones condense last, at the top. The very lightest molecules don’t condense at all: they exit the top of the column while remaining a gas. At the same time, the very heaviest molecules remain a liquid the entire time, and exit the bottom of the column. Thus, different molecules of different weights can be separated out.

Essentially every oil reﬁnery ﬁrst distills crude oil into various fractions in a distillation column, though the exact fractions separated might vary from reﬁnery to reﬁnery. Because this distillation is done at atmospheric pressure, this ﬁrst step in the reﬁning process is referred to as “atmospheric distillation.” The simplest reﬁneries might only do atmospheric distillation, but most reﬁneries will then send these various fractions along for further processing. There are a LOT of processes that a reﬁnery might use, depending on what it’s designed to produce, so we’ll just look at some of the most widely used ones.

The gas that comes out of the top of atmospheric distillation will be a mixture of several different light molecules — propane, methane, butane, isobutane (butane with a slightly different molecular arrangement) and so on. To separate this mixture into its component gases, a reﬁnery can send it to a gas plant, which contains a series of distillation columns designed to condense various substances out of the mixture. So gas might ﬂow through a “debutanizing tower” to separate butane, propane and lighter gasses from the rest of the mixture; the butane-and-lighter gasses might then be sent to a “depropanizing tower” to separate the propane from the butane.3

While light gases come out of the top of a distillation column, heavy liquids come out the bottom. The very heaviest molecules, which emerge from distillation without ever having evaporated at all, are known as residuals. Many of the heavier molecules aren’t particularly valuable by themselves, and thus one of the most important functions of a reﬁnery is cracking — splitting heavy fractions, such as heavy fuel oil, into lighter, more valuable ones such as gasoline.

Cracking was invented in the early 20th century as a way to extract more gasoline from a barrel of crude oil to meet rising demand from car usage. Over the years cracking methods have evolved, and today most reﬁneries use some ﬂavor of catalytic cracking (or “cat cracking”). In catalytic cracking, the heavy fractions from atmospheric distillation are mixed with a catalyst (a material designed to speed up chemical reactions) and subjected to heat and pressure, splitting the heavy molecules into lighter ones. The catalyst is then separated from the mixture using a cyclonic separator — essentially, the mixture is spun around, separating out the heavier catalyst from the rest of the mixture — cleaned, and reused, while the now-cracked (and therefore vapor-izable) oil is sent to another distillation column which splits it into various fractions.

Most catalytic cracking is ﬂuid catalytic cracking, which uses a sand-like catalyst that behaves as a ﬂuid when mixed with the heavy fractions. Different companies have developed different ﬂuid catalytic cracking processes, and different reﬁneries might use multiple catalytic crackers in different parts of the process.

Catalytic crackers are designed to encourage the chemical reactions that break apart heavy hydrocarbons, but these reactions can also occur within the distillation column if the heat is high enough. Because cracking is disruptive to the distillation process, reﬁneries limit the temperature in atmospheric distillation to around 650 – 750°F. This leaves behind a mixture of heavy, unboiled hydrocarbons at the bottom of the column. It would be useful to further separate this mixture into different fractions so that it could be reclaimed, but atmospheric distillation can’t do that without raising the temperature to the point where cracking starts to occur.

The solution is to send this mixture to another distillation column that’s kept at very low pressure, near vacuum — this process is thus known as vacuum distillation or vacuum ﬂashing. Lower pressure means lower boiling points, allowing the heavy fractions to be distilled without heating them to the point where cracking starts to occur.

Some of the heavy fractions that come out of vacuum distillation might be sent directly to a catalytic cracking unit to split them into lighter ones. But the very heaviest molecules that come out of the bottom of the vacuum distillation column aren’t suitable for catalytic cracking — many of them contain heavy metals that would poison the catalyst, and the chemical reactions of these molecules tend to produce coke (a carbon-rich solid), which would gum up the catalyst. Because it’s useful to crack these very heavy molecules, some reﬁneries will use thermal cracking processes, which use heat to split molecules apart. Cokers are thermal crackers that use heat to crack the heaviest molecules into lighter ones and coke. The lighter molecules are sent to a distillation column to be separated; the coke can be burned as fuel, or as a manufacturing input (the electrodes used in aluminum smelting, for instance, are made from coke). Another type of thermal cracking, visbreaking (short for viscosity breaking), is used to crack some molecules and reduce the viscosity of the remaining fractions.

Besides cracking, a reﬁnery might employ a variety of other processes to modify the chemical structure of various molecules. Catalytic reforming takes the naphtha fraction (the part of the crude oil with a boiling point between ~122°F and ~400°F) and exposes it to heat and pressure in the presence of a catalyst to produce a new mixture of chemicals called reformate that is used to make gasoline. Isomerization processes take various molecules, such as butane, and modify their physical arrangement to produce isomers — molecules with identical chemical formulas but different structural arrangements. Hydrotreating reacts various crude oil fractions with hydrogen in the presence of a catalyst to remove impurities and improve their quality. (Hydrotreating can be done on its own, but it’s also often combined with other processes. Hydrocracking combines hydrotreating with catalytic cracking, and residue hydroconversion combines hydrotreating with thermal cracking.)

To store the various inputs and outputs of these processes, oil reﬁneries also have huge numbers of storage tanks called tank farms, which are capable of storing millions of gallons of various liquids. Gases like propane and butane will typically be stored as pressurized liquids, either in above-ground tanks or in underground caverns or salt domes.

To get a sense of how these various processes might be arranged, we can look at how they’re implemented in an actual reﬁnery. The map below shows Chevron’s Richmond, California reﬁnery, a moderately large reﬁnery capable of processing about a quarter million barrels of crude oil a day. The tank farm occupies the south half of the site, while the processing area wraps around the north and east.

The chart below shows the daily capacity of various processes at the reﬁnery.

We can see that Chevron Richmond has many of the processes that we described above: in addition to ~257,000 barrels of atmospheric distillation, it has ~123,000 barrels of vacuum distillation, ~90,000 barrels of catalytic cracking, and ~71,000 barrels of catalytic reforming. (Chevron Richmond doesn’t have any coking capacity, but Chevron’s slightly larger El Segundo reﬁnery in Los Angeles does.)

To see how these processes are actually arranged, we can look at a process ﬂow diagram for the reﬁnery. (This diagram is available because several years ago Chevron extensively modiﬁed this reﬁnery, which required them to submit a very detailed environmental impact report to comply with California’s environmental quality laws.)

We can see that the reﬁning process starts with atmospheric distillation (though the reﬁnery also processes some heavy gas oil that can skip the distillation process), which separates the crude into various fractions. These fractions then get routed to various other processes. The light gas gets sent to the gas plant, while the naphtha gets sent to hydrotreating, catalytic reforming, and isomerization. Jet fuel and diesel fuel are sent to their own hydrotreating processes, and the heavier fractions get sent to various catalytic cracking processes. The output of all these processes is various crude oil products: heavy fuel oil, diesel, jet fuel, lubricants, and, of course, gasoline.

Chevron Richmond is just one of 132 operable oil reﬁneries in the U.S., which collectively can reﬁne over 18 million barrels of crude oil each day. The location of these reﬁneries is highly concentrated: most of them are on the Gulf Coast of Texas and Louisiana, with other clusters in New Jersey, the Midwest, and in California.

If we look at the distribution of reﬁnery capacity we can see that Chevron Richmond is on the larger side, but far from the largest. Around a ﬁfth of US reﬁneries are roughly as large or larger than Chevron Richmond. Six US reﬁneries are more than twice as large, with the capacity to reﬁne more than half a million barrels a day. And some reﬁneries around the world are even bigger: the Jamnagar reﬁnery in India, the world’s largest reﬁnery by raw capacity, can reﬁne 1.4 million barrels of crude per day.

But looking at capacity in barrels per day (which is essentially atmospheric distillation capacity) only tells part of the story. As we noted, different reﬁneries will have different processing equipment installed depending on what they’re designed to produce. Simple reﬁneries will have little more than atmospheric distillation, while more complex ones will employ long sequences of processes to produce a wide range of highly reﬁned products. The chart below shows the collective US reﬁning capacity of various processes.

We can look at the relative complexity of different US reﬁneries using the Nelson Complexity Index, which is intended to measure how complex a reﬁnery is. The index is constructed by taking each process a reﬁnery employs, and multiplying its reﬁning capacity by a “complexity factor” that compares the cost of that process to atmospheric distillation, and then dividing by the reﬁnery’s atmospheric distillation capacity. So a reﬁnery that has 100,000 barrels of atmospheric distillation capacity (complexity factor of 1) and 50,000 barrels of vacuum distillation capacity (complexity factor of 2) would have a Complexity Index of 1 + 2 * 50,000 / 100,000 = 2. If it then added 25,000 barrels of catalytic cracking capacity (complexity factor of 6), its Complexity Index would rise to 1 + 1 + 6 * 25,000 / 100,000 = 3.5.

Most reﬁneries in the US are fairly complex. As of 2014, less than 3% of reﬁneries had a complexity index of 2 or less, and the average complexity index was 8.7. As of 2014 the Chevron Richmond reﬁnery had a complexity index of 14, above average for US reﬁneries. The Jamnagar reﬁnery, in addition to being the world’s largest, is also particularly complex: its complexity index of 21 would make it more complex than virtually any US reﬁnery.

What strikes me most about oil reﬁning isn’t the complexity of the process — indeed, while the arrangements of various processes are often exceedingly complex, many of the processes themselves are often surprisingly simple (conceptually, at least). What strikes me is the sheer scale of it. Reﬁning is an expensive undertaking not necessarily because the processes are so complex, but because the volume of material that has to be processed is so high. Chevron’s Richmond reﬁnery is the size of a small city, and can process the entire contents of a Very Large Crude Carrier in a little over a week. And Richmond isn’t even a particularly large reﬁnery: the US has 25 reﬁneries that size or larger, and six reﬁneries that are more than twice as large. Worldwide, it takes 400 Richmond-size reﬁneries to keep the world fed with petroleum.

If you live in Texas or Louisiana these aspects are probably obvious to you, but most of us are able to go about our lives without ever thinking about the huge industrial machine that keeps the blood of civilization ﬂowing. But the US consumes over 20 million barrels of oil a day, every day, and it takes a vast complex of oil reﬁneries to make that possible.

Asphaltenes aren’t technically hydrocarbons: they consist mostly of carbon and hydrogen, but they can also incorporate other atoms, such as sulfur or heavy metals.

The recovery point is the temperature at which that fraction of the liquid has been vaporized and then collected.

Most of the gases sent to the gas plant will have no double bonds in them. Hydrocarbons without double bonds are known as saturated, because they have the maximum number of hydrogen atoms that they can, and so this type of plant is called a “sats gas plant”.

Read the original on www.construction-physics.com →

LinkedIn Is Scanning Your Browser Extensions. This Is How They Use the Data. — 404

404privacy.com

423 shares · 20 trendiness

When companies get caught doing this sort of thing, the response is almost always the same: “we’re using this technology to combat fraud,” or “ensure positive user experience,” or “save computing resources,” or some other hog wash.

The simple truth, there’s no reason to be collecting data that can be used to identify a user across the web if they’re not signed in to your service.

The harm of companies like Experian or LinkedIn being able to correlate all of your web trafﬁc back to you is not hard to imagine. Though, it begs a simple question: should a company involved in my professional life have access to my personal information obtained without my explicit consent?

No. End stop.

This is not new

According to records documented by browsergate.eu and a GitHub repository tracking the extension list, LinkedIn’s extension scanning dates to at least 2017, when the list contained 38 entries. My count? As of April 2026, LinkedIn has identiﬁed and tracks 6,278 extensions.

The list is actively maintained and expanding.

At this scale the catalog was not built by hand. Someone wrote tooling to crawl Chrome Web Store extension packages, parse each manifest for web-accessible resources, identify a probe target, and add the entry to the list. This is infrastructure that has been in place for nearly a decade.

I veriﬁed this myself

I opened LinkedIn in Chrome. I opened developer tools (F12 or Inspect) and the console ﬁlled with errors.

Each one of those errors is LinkedIn asking your computer if you have a speciﬁc extension installed.

Skip to the bottom for more technical details.

LinkedIn already knows so much about you, why tell them more?

Most ﬁngerprinting operations work against anonymous visitors. The ﬁngerprint allows a site to recognize a returning browser without cookies.

The proﬁle that results is technically identiﬁed but not necessarily personally identiﬁed. The site knows a device, not a person. Still an issue, but not inherently linked to any personal information.

LinkedIn is not working with anonymous visitors.

LinkedIn knows your name. Employer. Job title. Career history. Salary range. Professional network. Location.

You provided them with all of it.

When LinkedIn’s extension scan runs on your browser, it is not building a device proﬁle for an unknown visitor. It is appending a detailed software inventory to a proﬁle that already contains your veriﬁed professional identity.

The harm is speciﬁc.

Hundreds of job search extensions are in the scan list. LinkedIn knows which of its users are quietly looking for work before they’ve told their employer.

Extensions tied to political content, religious practice, disability accommodation, and neurodivergence are in the list. Your browser software becomes a source of inferences about your personal life, attached without your knowledge to your professional identity.

And because LinkedIn knows where each user works, none of this is only linked to an individual. The scan results from one employee contribute to a picture of their organization. Across enough employees, LinkedIn can map a company’s internal tooling, security products, competitor subscriptions, and workﬂows, without that organization’s knowledge or consent. Your browser becomes a window into your employer.

None of this is disclosed in LinkedIn’s privacy policy. There is no mention of extension scanning in any public-facing document. No user was asked for consent. No user was informed.

None of this is disclosed in LinkedIn’s privacy policy

Why this matters beyond LinkedIn

The precedent

LinkedIn is using these extension lists to make inferences and take enforcement actions against users who have them installed. According to browsergate, Milinda Lakkam conﬁrmed this under oath, saying, “LinkedIn took action against users who had speciﬁc extensions installed.”

Users who had no idea their software was being inventoried, no idea the inventory was being used against them, and no way to know it was happening because none of it appears in LinkedIn’s privacy policy.

The ﬁngerprinting ecosystem problem

Browser ﬁngerprinting is usually discussed as a tracking problem contained to one site. A site collects signals, builds a proﬁle, recognizes you across sessions. The problem stays local.

That framing understates what’s actually happening.

LinkedIn’s extension scan produces a detailed software inventory linked to a veriﬁed identity. That proﬁle doesn’t have to stay at LinkedIn to be useful.

If LinkedIn purchases a third party behavioral dataset and your ﬁngerprint appears in it, they can append that data to what they already know about you. Your browsing behavior off LinkedIn, your purchase history, your location patterns, your interests, all of it becomes part of a proﬁle that is linked to your LinkedIn account.

The reverse is also true. LinkedIn integrates third party scripts including Google’s reCAPTCHA enterprise, loaded on every page visit. Data ﬂows between platforms. A ﬁngerprint that LinkedIn has linked to your veriﬁed identity can inform advertising and tracking systems far outside linkedin.com.

You log into LinkedIn once, and the ﬁngerprint that visit produces can follow you across the web.

This is the larger ecosystem problem. Browser ﬁngerprinting is the connective tissue of the modern surveillance economy. It is how proﬁles built on one platform get enriched with data from another. It is why you get Instagram or Facebook ads for the item you were just looking up on Google.

It is how your professional identity, your browsing behavior, your installed software, and your location history get stitched together into something none of those individual platforms could build alone.

The people this is a real threat to

For the journalists, lawyers, researchers, and human rights investigators, that distinction is operationally significant. Your LinkedIn proﬁle is one of the most detailed veriﬁed identity documents that exists about you online. You built it deliberately, for professional purposes, with your real name attached. The extension scan means that proﬁle now includes a record of every privacy tool, security extension, research tool, and productivity application installed in your browser, collected without your knowledge, linked to your veriﬁed identity, and transmitted encrypted to LinkedIn’s servers with every action you take on the platform.

If you use LinkedIn and Chrome, this is happening to you right now.

Advanced JavaScript ﬁngerprinting

The extension scan is not a standalone feature. It is part of a broader device ﬁngerprinting system LinkedIn calls APFC, Anti-fraud Platform Features Collection, internally also referred to as DNA, Device Network Analysis.

While LinkedIn is a little more forthcoming about these tracking methods, as they are commonly included on commercial websites, this establishes a sort of pattern of behavior.

That system collects 48 browser and device characteristics on every visit: canvas ﬁngerprint, WebGL renderer and parameters, audio processing behavior, installed fonts, screen resolution, pixel ratio, hardware concurrency, device memory, battery level, local IP address via WebRTC, time zone, language, and more.

The extension scan is one input into a much larger proﬁle.

Technically, what’s happening?

LinkedIn’s code ﬁres a fetch() request to a chrome-extension:// URL, looking for a speciﬁc ﬁle installed to chrome. When the extension isn’t installed, Chrome blocks the request and logs the failure. When it is installed, the request resolves silently and LinkedIn records it.

The scan ran for around 15 minutes on my computer, and it searched my computer for over 6,000 extensions.

You can verify this yourself. Open LinkedIn in Chrome. Open developer tools. Go to the console tab. Watch what happens. Every red error is a part of your ﬁngerprint.

The code

The system responsible for this lives in some JavaScript code that LinkedIn runs in every Chrome visitors browser. The ﬁle is approximately 1.6 megabytes (it’s changed since browsergate’s analysis) of miniﬁed and partially obfuscated JavaScript.

Standard miniﬁcation compresses code for performance. Obfuscation is a separate step that makes code harder to read and understand. LinkedIn chose to obfuscate the exact module containing the extension scanning system, while also burying it in a JavaScript ﬁle thousands of lines long.

Inside that ﬁle, there is a hardcoded array of browser extension IDs. As of February 2026 that array contained 6,278 entries. Each entry has two ﬁelds: a Chrome Web Store extension ID and a speciﬁc ﬁle path inside that extension’s package.

The ﬁle path is not incidental. Chrome extensions expose internal ﬁles to web pages through the web_accessible_resources ﬁeld. When an extension is installed and has declared a ﬁle as accessible, a fetch() request to chrome-extension://{id}/{ﬁle} succeeds. When it isn’t installed, Chrome blocks the request. LinkedIn has identiﬁed a speciﬁc accessible ﬁle for each of the 6,278 extensions in its list and probes for it directly.

The scan runs in two modes. The ﬁrst ﬁres all requests simultaneously using Promise.allSettled(), probing all of the extensions in parallel. The second ﬁres them sequentially with a conﬁgurable delay between each request, spreading network activity over time and reducing its visibility in monitoring tools. LinkedIn can switch between modes using internal feature ﬂags. The scan can also be deferred to requestIdleCallback, which delays execution until the browser is idle so the user sees no performance impact.

A second detection system called Spectroscopy operates independently of the extension list. It walks the entire DOM tree, inspecting every text node and element attribute for references to chrome-extension:// URLs. This catches extensions that modify the page even if they aren’t in LinkedIn’s hardcoded list. Together the two systems cover extensions that are merely installed and extensions that actively interact with the page.

Both systems feed into the same telemetry pipeline. Detected extension IDs are packaged into AedEvent and SpectroscopyEvent objects, encrypted with an RSA public key, and transmitted to LinkedIn’s li/track endpoint. The encrypted ﬁngerprint is then injected as an HTTP header into every subsequent API request made during your session. LinkedIn receives it with every action you take for the duration of your visit.

The legal context

browsergate.eu has documented the legal arguments in detail and their work is worth reading in full. The relevant context here is this: in 2024, Microsoft was designated as a gatekeeper under the EU’s Digital Markets Act. LinkedIn is one of the regulated products. The DMA requires gatekeepers to allow third party tools access to user data and prohibits gatekeepers from taking action against users of those tools.

browsergate.eu argues that LinkedIn’s systematic enforcement against third party tool users, combined with the covert extension scanning used to identify them, constitutes non-compliance with that regulation. Whether that argument prevails is a legal question.

What is not a question is that a criminal investigation is now open. The Cybercrime Unit of the Bavarian Central Cybercrime Prosecution Ofﬁce in Bamberg conﬁrmed an investigation. That ofﬁce handles serious cybercrime cases with cross-jurisdictional reach. This is not a compliance dispute. It is a criminal matter.

I contacted browsergate.eu directly while preparing this piece. They conﬁrmed the criminal investigation, provided the case number, and indicated the full court documents are being prepared for public release.

I will update this article when they are available.

Read the original on 404privacy.com →

Shai-Hulud Themed Malware Found in the PyTorch Lightning AI Training Library

semgrep.dev

406 shares · 18 trendiness

The PyPI package ‘lightning’, a widely-used deep learning framework, was compromised in a supply chain attack affecting versions 2.6.2 and 2.6.3 published on April 30, 2026. Teams building image classiﬁers, ﬁne-tuning LLMs, running diffusion models, or developing time-series forecasters frequently have lightning somewhere in their dependency tree.

Running pip install lightning is all that is needed to activate. The malicious versions contain a hidden _runtime directory with obfuscated JavaScript payload that executes automatically upon module import. The attack steals credentials, authentication tokens, environment variables, and cloud secrets, while also attempting to poison GitHub repositories. It has Shai-Hulud themes including creating public repositories called EveryBoiWeBuildIsaWormBoi.

We believe that this attack is the work of the same threat actor behind the mini Shai-Hulud campaign. The IOC structure is consistent with that operation: the malicious commit messages follow the same Dune-themed naming convention, with this campaign using the preﬁx EveryBoiWeBuildIsAWormyBoi to distinguish it from the original Mini Shai-Hulud attack.

Affected Packages

- lightning version 2.6.2

- lightning version 2.6.3

For Semgrep Customers

Semgrep has an advisory and rule to cover this so you can ﬁnd to check your projects.

Trigger a new scan if you haven’t recently on your projects.

Check the advisories page to see if any projects have installed these package versions recently: https://semgrep.dev/orgs/-/advisories

Check your dependency ﬁlter for matches. If you see “No matching dependencies” you are not actively using the malicious dependency in any of your projects. If you did match, additional advice on remediation and indicators of compromise are below.

If you matched: Also audit your repositories for the injected ﬁles listed in the IOCs below (.claude/ and .vscode/ directories with unexpected contents), and rotate any GitHub tokens, cloud credentials, or API keys that may have been present in the affected environment.

For general advice about how to deal with supply chain, cool down periods; our standard advice is covered by posts: $foo compromised in $packagemanager and Attackers are Still Coming for Security Companies.

Cross-Ecosystem Spread: PyPI to npm

Unlike mini Shai-Hulud, which targeted npm directly, the entry point here is PyPI. The malware payload is still JavaScript, and the worm propagation happens through npm.

Once running, if the malware ﬁnds npm publish credentials, it injects a setup.mjs dropper and router_runtime.js into every package that token can publish to, sets scripts.preinstall to execute the dropper, bumps the patch version, and republishes. And any downstream developer who installs one of those packages runs the full malware on their machine, has their tokens stolen and packages wormed.

How it Works

The exﬁltration component shares its design with the “Mini Shai-Hulud” mechanism from their last campaign, using four parallel channels so stolen data gets out even if individual paths are blocked.

HTTPS POST to C2. Stolen data is immediately POSTed to an attacker-controlled server over port 443. The domain and path are stored as encrypted strings in the payload, making static analysis harder.

GitHub commit search dead-drop. The malware polls the GitHub commit search API for commit messages preﬁxed with EveryBoiWeBuildIsAWormyBoi, which carry a double-base64-encoded token in the format EveryBoiWeBuildIsAWormyBoi:<base64(base64(token))>. Once decoded, the token is used to authenticate an Octokit client for further operations.

Attacker-controlled public GitHub repo. A new public repository is created with a randomly chosen Dune-word name and the description “A Mini Shai-Hulud has Appeared”, which is directly searchable on GitHub. Stolen credentials are committed as results/results-<timestamp>-<n>.json (base64-encoded via the API, plain JSON inside), with ﬁles over 30 MB split into numbered chunks. Commit messages use chore: update dependencies as cover.

Push to victim’s own repo. If the malware obtains a ghs_ GitHub server token, it pushes stolen data directly to all branches of the victim’s own GITHUB_REPOSITORY.

What Gets Stolen

The malware targets credentials across local ﬁles, environment, CI/CD pipelines, and cloud providers:

Filesystem: Scans 80+ credential ﬁle paths for ghp_, gho_, and npm_ tokens (up to 5 MB per ﬁle).

Shell / Environment: Runs gh auth token and dumps all environment variables from process.env.

GitHub Actions: On Linux runners, dumps Runner.Worker process memory via embedded Python and extracts all secrets marked “isSecret”:true, along with GITHUB_REPOSITORY and GITHUB_WORKFLOW.

GitHub orgs: Checks token scopes (repo, workﬂow) and iterates GitHub Actions org secrets.

AWS: Tries environment variables, ~/.aws/credentials proﬁles, IMDSv2 (169.254.169.254), and ECS (169.254.170.2) to call sts:GetCallerIdentity; additionally enumerates and fetches all Secrets Manager values and SSM parameters.

Azure: Uses DefaultAzureCredential to enumerate subscriptions and access Key Vault secrets.

GCP: Authenticates via GoogleAuth and enumerates and fetches all Secret Manager secrets.

The targeting covers local dev environments, CI runners, and all three major cloud providers. Any machine that imported the malicious package during the affected window should be treated as fully compromised.

Persistence via Developer Tooling

Once inside a repository, the malware plants persistence hooks targeting two of the most common developer tools: Claude Code and VS Code. This may be among the ﬁrst documented instances of malware abusing Claude Code’s hook system in a real-world attack.

Claude Code: .claude/settings.json. The malware writes a SessionStart hook with matcher: “*” into the repository’s Claude Code settings, pointing to node .vscode/setup.mjs. It ﬁres every time a developer opens Claude Code in the infected repo — no tool use or user action required beyond launching the session.

VS Code: .vscode/tasks.json. A parallel hook targets VS Code users via a runOn: folderOpen task that runs node .claude/setup.mjs every time the project folder is opened.

The dropper: setup.mjs. Both hooks invoke setup.mjs, a self-contained Bun runtime bootstrapper. If Bun isn’t installed, it silently downloads bun-v1.3.13 from GitHub releases, handling Linux x64/arm64/musl, macOS x64/arm64, and Windows x64/arm64. It then executes .claude/router_runtime.js (the full 14.8 MB payload) and cleans up from /tmp.

Bonus payload: malicious GitHub Actions workﬂow. If the malware holds a GitHub token with write access, it pushes a workﬂow named Formatter to the victim’s repository. On every push it dumps all repository secrets via ${{ toJSON(secrets) }} and uploads them as a downloadable Actions artifact named format-results. The actions are pinned to speciﬁc commit SHAs to appear legitimate.

Any repository that received the infected lightning package during CI and held a token with write access should be audited for these ﬁles.

Indicators of Compromise

Look for a few indicators:

A commit message preﬁxed with EveryBoiWeBuildIsAWormyBoi (dead-drop token carrier, searchable via GitHub commit search)

GitHub repos with description: “A Mini Shai-Hulud has Appeared” (attacker exﬁl repos, directly searchable)

Packages

- lightning@2.6.2

- lightning@2.6.3

Files / System Artifacts

_runtime/start.py

Python loader that initializes the payload on import

runtime/routerruntime.js

Obfuscated JavaScript payload (14.8 MB, Bun runtime)

_runtime/

Directory added to the malicious package versions

.claude/router_runtime.js

Malware copy injected into victim repos

.claude/settings.json

Claude Code hook conﬁg injected into victim repos

.claude/setup.mjs

Dropper injected into victim repos

.vscode/tasks.json

VS Code auto-run task injected into victim repos

.vscode/setup.mjs

Dropper injected into victim repos

Read the original on semgrep.dev →

I can never talk to an AI anonymously again

www.theargumentmag.com

371 shares · 24 trendiness

Recently, Matt Yglesias and Jerusalem Demsas sparred on The Argument podcast over online anonymity.

I am, myself, passionately and slightly fanatically on the pro-anonymity side. I think that it’s observably very easy for a society to make plenty of perfectly reasonable things unsayable and plenty of perfectly virtuous and meaningful lives unlivable, and anonymity is the only protection for the outcast.

That includes gay people like me, who could hardly have admitted under our names to how we lived our lives for most of America’s history, as well as many other groups with minoritarian lifestyles and beliefs. It includes lots of people whose ideas were badly wrong for every one whose ideas were right — and I’m glad of it for all of them.

I will happily wade through the sludge of comments that Twitter attracts from avowed Nazis, full-time ragebaiters, tankie propagandists — all saying horrendous things they surely wouldn’t say under their real names — in exchange for a world where, if there’s something important that someone would lose their job for saying, I still get to hear it.

But soon, the entire debate over internet anonymity will be as anachronistic as an iPod Touch. That’s because Claude Opus 4.7 is here, and last week, I discovered it could identify me from text I had never published, text from when I was in high school, text from genres I have never publicly written in. And if it can identify me, soon, it will be able to identify many of you.

Recently, Anthropic released a new version of Claude, Opus 4.7. I did what I usually do when a new AI model is released by Google, OpenAI, or Anthropic and ran a bunch of tests on it to see what it can do. One of those tests is to paste in some text from unpublished drafts of mine and ask it to guess the author. See below:

There’s always something salutary about watching another country’s political television. Some of it is the same as the appeal of watching The West Wing in 2026 - that the peculiar derangements of its time are not the derangements of our time. The West Wing was written around the culture wars of its day, heated debates over school prayer and whether Christians are oppressed in China. Seeing debates play out with a bit more distance can make it easier to appreciate the questions they raise, and the bigger questions those stand in for.But Servant of the People’s appeal isn’t its political sophistication (it is not politically sophisticated) or its witty West-Wing style dialogue (the dialogue’s wit is mostly obscured because there’s no particularly good English translation).

But Servant of the People’s appeal isn’t its political sophistication (it is not politically sophisticated) or its witty West-Wing style dialogue (the dialogue’s wit is mostly obscured because there’s no particularly good English translation).

From only the above text, 125 words, Claude Opus 4.7 informed me that the likeliest author is Kelsey Piper. This is an Opus 4.7-speciﬁc power; ChatGPT guessed Yglesias, and Gemini guessed Scott Alexander. I did not have memory enabled, nor did I have information about me associated with my account; I did these tests in Incognito Mode.

To make sure it wasn’t somehow feeding my account information to Claude even in Incognito Mode, I asked a friend to run these tests on his computer, and he received the same result; I also got the same result when I tested it through the API.

Now, this is far from an impossible feat of style identiﬁcation — a lot of my writing is public on the internet, and this is clearly the start of a political column, narrowing the possible authors down dramatically.

What I ﬁnd much more uncanny is that Opus 4.7 also accomplished this on writing of mine that is nowhere near my beat. Here’s a different unpublished draft of a school progress report in a completely different register:

This is some student work, shared with the student’s permission (they reviewed this blog post and gave it the okay). These three assignments (writing about a student-chosen topic, in this case Pokemon) show the student’s progression over the course of two months after we decided to focus with this student on developing their writing skills. The ﬁrst one I would say is about ﬁrst-grade level work: the student is writing correct and complete sentences, but the sentences are simple; their handwriting is mostly legible with a few problem letters. The second one I would say is about second-grade level work: the student is writing longer and more varied sentences, with a range of constructions “Perhaps it was sneaking up on prey?”. They’re attempting more complicated vocabulary words (I’m told that a misspelled word at the top of the page was meant to be ‘roguish’.)

“Kelsey Piper,” said Claude. (ChatGPT guessed Freddie deBoer. Gemini guessed Duncan Sabien.)

But at least that’s about education, which I’ve written about. What if I’m doing movie reviews, something I’ve never done in my published work?1

“Kelsey Piper,” said Claude and ChatGPT. (Gemini suggested Ursula Vernon. Last week, Claude Opus 4.6 insisted on Elizabeth Sandifer.)

That’s still in a fundamentally essayistic style, though, right? Yes. But it also does this when I’m writing a fantasy novel — though in that case it took more like 500 words for Claude to inform me that it’s the work of Kelsey Piper (whereas ChatGPT ﬂattered me by guessing that I’m real fantasy novelist K.J. Parker).

What if I try a college application essay I wrote 15 years ago, when my prose style was vastly worse and frankly embarrassing to reread?

“Kelsey Piper,” said Claude, and in this case, also ChatGPT.2

Interestingly, the AI’s justiﬁcations when it named me were often absolute nonsense.

Claude tried to persuade me that effective altruists famously love the movie I had written a review of, To Be or Not to Be (I don’t think that’s true, though they should, because it’s a great movie). At one point, ChatGPT told me that my college application essay was clearly that of someone who would end up working as an explainer of complex policy ideas, and that was how it narrowed it down to Kelsey Piper.

I think these explanations are manufactured after the fact; AIs are picking up imperceptible tics in prose and then trying to describe them as if they were human detectives doing some Sherlock Holmes deduction. But they don’t understand what they’re doing any more than I do. Hallucinations are not a solved problem with AI.

Don’t take this as an excuse to write Opus 4.7 off, though. It’s very, very good at the underlying skill, even if it’s then rationalizing how it did it in some odd and incoherent ways.

I discovered this last week and am just starting to process the implications. When you power up a new chat with an AI, there is a comforting anonymity to it. I don’t put anything in my custom preferences or memory. But now, I know that within a few exchanges of any substance, Claude knows exactly who it’s talking to. For anyone with as much writing on the internet as me, there is no anonymity, not anymore.

For me, this is mostly a curiosity. But for a lot of people, it might be greatly significant.

Right now, today’s AI tools probably can be used to deanonymize any writer who has a large public corpus of writing under their real name and also writes anonymously, unless they have been extremely careful, for years, to make sure that nothing written under their secondary account has the stylistic ﬁngerprints of their primary one. Many academics and industry researchers, for instance, have reported being identiﬁed from a draft or in the middle of a chat.

It cannot be used to deanonymize absolutely anyone from a single passage, however. I tested this, too, grabbing drafts and passages from friends of mine who do not publish substantial writing under their real names. Indeed, AI could not deanonymize them. If you have no significant real-name writing on the public internet, you’re currently safe.

But it can get uncannily far. I asked a close friend who doesn’t have public social media accounts or much writing online for permission to test some things she had said in a Discord channel. Asked to guess the author, Claude 4.7 failed — but it guessed two other people who were in that channel and who are close friends of hers (me and another person who has an internet presence).

I tried with more passages and got other mutual friends; I tried with a different friend’s writing, and he was falsely named as yet another friend. We pick up style tics from our subculture, and that makes our text deeply identifying when we wouldn’t expect it. It can get weirdly close off weirdly little information, and this is the least powerful that AI models will ever be.

I think the amount of public text that is needed for this kind of deanonymization to work is likely to eventually decrease. You should expect that, if you leave a detailed anonymous review on Glassdoor after leaving your job, within a year or two it will be possible for companies to paste that text into an AI and learn exactly who wrote it. How long it takes for this to happen will depend on how much data about you is in the training data and on how much anonymous text you produced.

To avoid this, you will probably need to intentionally write in a very different style than you usually do (or to have AIs rewrite all your prose for you, but, ugh, that’s not a world I look forward to living in).

I don’t think this is a good development. I just think it’s a predictable development. It happened to me a little sooner than it happened to you because I’ve spent my entire adult life obsessively writing on the internet, but it will probably eventually happen to you.

Whatever goods anonymity ever offered us, we will have to do without them. I don’t want the anonymous posters to all go away and for everyone to frantically delete all their old internet presence before it surfaces, but more than anything, I don’t want them to be surprised.

My best guess is that, if you write a lot, your anonymity isn’t long for the world.

The full text I fed Claude: “This passage is part of a series of tests of how many words you need to conﬁdently identify the author of a text. Read the passage carefully - your perfomance is dramatically improved with more reasoning - and give the author’s name. Do not search - the question is whether you can identify it without looking it up.

I’ve become inordinately fond of World War II era movies - most of them made quite intentionally as propaganda - that depict the behavior of ordinary people in the face of a Nazi invasion of their homelands.My favorite of these movies is To Be Or Not To Be, featuring a Polish acting troupe. Its protagonists are not, particularly, morally good people; nor is the ﬁlm a story about their moral growth. They are bumbling and self-absorbed; they cheat on their husbands; they’re petty dumbasses. And then the Nazis invade and a Polish resistance ﬁghter requires their assistance and they all, to the last, put themselves at risk and carry out a series of gambits with fairly extraordinary stakes to kill Nazis and save the Polish resistance and themselves.At which point they go back to being petty, self-absorbed dumbasses who cheat on their husbands. It is not a story in which anyone is redeemed through the ﬁght against the Nazis, but a story about how they did not need to be; to ﬁght the Nazis is presumed not to require extraordinary virtue but just the ordinary virtue which we would all ﬁnd lying around if we were pressed. If it were made today, I am convinced, it would feature several moments in which the characters grappled with the horrors of the Nazi conquest of Warsaw and voiced their terror about the risks they were exposed to, where they quavered about whether they had it in themselves to move forward. But there is none of that. When these ordinary venal selfish slightly silly people ﬁnd themselves called upon to defend their country and maybe die for it, they do it at once and with aplomb; they are unchanged by it because they were always the sort of person who would do it.

My favorite of these movies is To Be Or Not To Be, featuring a Polish acting troupe. Its protagonists are not, particularly, morally good people; nor is the ﬁlm a story about their moral growth. They are bumbling and self-absorbed; they cheat on their husbands; they’re petty dumbasses. And then the Nazis invade and a Polish resistance ﬁghter requires their assistance and they all, to the last, put themselves at risk and carry out a series of gambits with fairly extraordinary stakes to kill Nazis and save the Polish resistance and themselves.

At which point they go back to being petty, self-absorbed dumbasses who cheat on their husbands. It is not a story in which anyone is redeemed through the ﬁght against the Nazis, but a story about how they did not need to be; to ﬁght the Nazis is presumed not to require extraordinary virtue but just the ordinary virtue which we would all ﬁnd lying around if we were pressed. If it were made today, I am convinced, it would feature several moments in which the characters grappled with the horrors of the Nazi conquest of Warsaw and voiced their terror about the risks they were exposed to, where they quavered about whether they had it in themselves to move forward. But there is none of that. When these ordinary venal selfish slightly silly people ﬁnd themselves called upon to defend their country and maybe die for it, they do it at once and with aplomb; they are unchanged by it because they were always the sort of person who would do it.

This one required a slightly heftier prompt to get over Claude’s instinct to refuse to identify a student applying to college. It also could have been reasoning from the fact that I wrote about doing a policy debate. But still!

And I know, I know, I can’t drop a tidbit like this without allowing you all a look at the college application essay, so here you go:

“We’ll take prep,” I say without looking up, and somewhere in the room a timer beeps. My eyes are ﬂickering across the eight pieces of paper laid out in front of me, one hand leafing through a stack of papers while the other scribbles furiously in a shorthand only I understand. “Need anything?” whispers my debate partner. “No,” I snap back, with a terseness that anyone else would misinterpret as annoyance. I simply don’t have any brain-space left for conversation.It’s the ﬁrst afﬁrmative rebuttal, the hardest speech in each debate round. The afﬁrmative has ﬁve minutes to respond to the arguments the negative constructed in thirteen. There is no time for pauses or digressions — the only acceptable speaking speed is “as fast as humanly possible”. I love it. Most people, I believe, are brilliant; the challenge is converting the chaotic genius in our heads into the language everyone else speaks. Debate taught me how to make connections between ﬁelds as diverse as economics and philosophy, science and politics; more importantly, it has taught me how to explain those connections, using words as a map and as a bridge. Debate has taught me what it means to construct an argument. I have learned to identify weaknesses in my own thinking and in others, to constantly challenge my own assumptions, to give even crazy-sounding ideas the serious consideration they deserve.

“We’ll take prep,” I say without looking up, and somewhere in the room a timer beeps.

My eyes are ﬂickering across the eight pieces of paper laid out in front of me, one hand leafing through a stack of papers while the other scribbles furiously in a shorthand only I understand.

“Need anything?” whispers my debate partner. “No,” I snap back, with a terseness that anyone else would misinterpret as annoyance. I simply don’t have any brain-space left for conversation.

It’s the ﬁrst afﬁrmative rebuttal, the hardest speech in each debate round. The afﬁrmative has ﬁve minutes to respond to the arguments the negative constructed in thirteen. There is no time for pauses or digressions — the only acceptable speaking speed is “as fast as humanly possible”.

I love it. Most people, I believe, are brilliant; the challenge is converting the chaotic genius in our heads into the language everyone else speaks. Debate taught me how to make connections between ﬁelds as diverse as economics and philosophy, science and politics; more importantly, it has taught me how to explain those connections, using words as a map and as a bridge. Debate has taught me what it means to construct an argument. I have learned to identify weaknesses in my own thinking and in others, to constantly challenge my own assumptions, to give even crazy-sounding ideas the serious consideration they deserve.

That’s it. Out of all of the college application essays written in history, the AIs said that one is obviously mine.

No posts

Read the original on www.theargumentmag.com →

To add this web app to your iOS home screen tap the share button and select "Add to the Home Screen".

10HN is also available as an iOS App

If you visit 10HN only rarely, check out the the best articles from the past week.

If you like 10HN please leave feedback and share

Visit pancik.com for more.