10 interesting stories served every morning and every evening.
Three years ago, I was part of a team responsible for developing and maintaining Kubernetes clusters for end user customers. A main source for downtime in customer environments occurred when image registries went down. The traditional way to solve this problem is to set up a stateful mirror, however we had to work within customer budget and time constraints which did not allow it. During a Black Friday, we started getting hit with a ton of traffic while GitHub container registries were down. This limited our ability to scale up the cluster as we depended on critical images from that registry. After this incident, I started thinking about a better way to avoid these scalability issues. A solution that did not need a stateful component and required minimal operational oversight. This is where the idea for Spegel came from.
As a sole maintainer of an open source project, I was enthused when Microsoft reached out to set up a meeting to talk about Spegel. The meeting went well, and I felt there was going to be a path forward ripe with cooperation and hopefully a place where I could onboard new maintainers. I continued discussions with one of the Microsoft engineers, helping them get Spegel running and answering any architecture questions they had. At the time I was positive, as I saw it as a possibility for Microsoft to contribute back changes based on their learnings. As time went on, silence ensued, and I assumed work priorities had changed.
It was not until KubeCon Paris, where I attended a talk that piqued my interest. The talk was about strategies to speed up image distribution, where one strategy discussed was P2P sharing. The topics in the abstract sounded similar to Spegel, so I was excited to hear others’ ideas about the problem. During the talk, I was enthralled seeing Spegel, my own project, be discussed as a P2P image sharing solution. When Peerd, a peer to peer distributor of container content in Kubernetes clusters made by Microsoft, was mentioned, I quickly researched it. At the bottom of the README there was a thank you to myself and Spegel. This acknowledgement made it look like they had taken some inspiration from my project and gone ahead and developed a version of their own.
While looking into Peerd, my enthusiasm for understanding different approaches in this problem space quickly diminished. I saw function signatures and comments that looked very familiar, as if I had written them myself. Digging deeper I found test cases referencing Spegel and my previous employer, test cases that have been taken directly from my project. References that are still present to this day. The project is a forked version of Spegel, maintained by Microsoft, but under Microsoft’s MIT license.
Spegel was published with an MIT license. Software released under an MIT license allows for forking and modifications, without any requirement to contribute these changes back. I default to using the MIT license as it is simple and permissive. The license does not allow removing the original license and purporting that the code was created by someone else. It looks as if large parts of the project were copied directly from Spegel without any mention of the original source. I have included a short snippet comparing the code which adds the mirror configuration, where even the function comments are the same.
A negative impact from the creation of Peerd is that it has created confusion among new users. I am frequently asked about the differences between Spegel and Peerd. As a maintainer, it is my duty to come across as unbiased and factual as possible, but this tumultuous history makes it challenging. Microsoft carries a large brand recognition, so it has been difficult for Spegel to try and take up space next to such a behemoth.
As an open source maintainer I have dedicated ample time to community requests, bug fixes, and security fixes. In my conversation with Microsoft I was open to collaboration to continue building out a tool to benefit the open source community. Over the years I have contributed to a multitude of open source projects and created a few of my own. Spegel was the first project I created from the ground up that got some traction and seemed to be appreciated by the community. Seeing my project being forked by Microsoft made me feel like I was no longer useful. For a while I questioned if it was even worth continuing working on Spegel.
Luckily, I persisted. Spegel still continues strong with over 1.7k stars and 14.4 million pulls since its first release over two years ago. However, I am not the first and unfortunately not the last person to come across this David versus Goliath-esque experience. How can sole maintainers work with multi-billion-dollar corporations without being taken advantage of? With the changes to HashiCorp’s licensing having a rippling effect through the open source community, along with the strong decline in investment in open source as a whole, how does the community prevail? As an effort to fund the work on Spegel I have enabled GitHub Sponsors. This experience has also made me consider changing the license of Spegel, as it seems to be the only stone I can throw.
...
Read the original on philiplaine.com »
On the SilentPatch GitHub issue tracker, I received a rather specific bug report:
When I upgraded my Windows to version 24H2, the Skimmer plane disappeared completely from the game. It can’t be spawned using a trainer, nor can it be found anywhere at its normal spawn points. I’m using both my modded copy (which is before the update, is completely fine) and a vanilla copy with only SilentPatch (I tried the 2018, 2020 and the most recent version of SilentPatch) and the plane still won’t exist.
If this was the first time I had heard about it, I’d likely consider it dubious and suspect there are more things at play, and it’s not specifically Windows 11 24H2. However, on GTAForums, I’ve been receiving comments about this exact issue since November last year. Some of them said SilentPatch causes this issue, others however stated the same happens on a completely unmodded game:
Apparently the skimmer can’t spawn when playing on Windows 11 24h2 update, hope this bug gets fixed.
EDIT: So I think I confirmed it, I set up a VM with Windows 11 23h2 and the damn plane spawns fine, and updating that same VM to 24h2 breaks the skimmer, why would a small feature update in 2024 break a random plane in a 2005 game is anyone’s guess.
After the latest Silent patch update there is no Skimmer in the game and when I try to spawn it with RZL-Trainer or Cheat Menu by Grinch, the game freezes and I have to close it via Task Manager.
[…] I was forced to update to 24H2, and now after the update, I have the same problem with the Skimmer in GTA SA as others. This means that mods or anything else are not causing the issue, the problem appeared after the latest Windows update.
My home PC is still on Windows 10 22H2, while my work machine is on Windows 11 23H2, and, to no surprise, neither machine reproduced the issue — Skimmer spawned on the water just fine, creating one via script and putting CJ in a driver’s seat worked too.
That said, I also asked a few people who upgraded to 24H2 to test this on their machines and they all hit this bug. Attempts to debug “remotely” by giving instructions over the chat didn’t go anywhere, so I set up a 24H2 virtual machine on my own. I copied the game over to the machine, set it up for remote debugging from the host OS, headed to the usual place the Skimmer spawns, and sure enough, it wasn’t there. All other planes and boats still spawned fine, only this one vehicle did not:
I then used the script to spawn a Skimmer and put CJ inside it, just to be launched 1.0287648030984853e+0031 = 10.3 nonillion meters, or 10.3 octillion kilometers, or 1.087 quadrillion light-years up in the sky 😆
With SilentPatch installed, the game freezes shortly after launching the player up, as the game code gets stuck in a loop. Without SilentPatch, the game doesn’t freeze, but instead, it succumbs to a famous “burn-in effect” known to occur when the camera gets launched into infinity or close to it. Funny enough, you can still kind of make out the shape of the plane even though the animations give up completely to the inaccuracies of the floating point values:
But, enough messing around; now I knew it was a real bug and I needed to figure out the root cause. At this point it wasn’t possible to say whether the game was at fault, or if I was really dealing with an API bug introduced in 24H2, as looking at how many games have issues with this OS version, it could go either way.
I didn’t have much to go on, but the fact the game froze with SilentPatch installed provided me with a good starting point. Upon entering the seaplane, the game froze in a very small loop in CPlane::PreRender, attempting to normalize the rotor blade angle to the 0-360 degree range:
In the debugged session, this->m_fBladeSpeed was 3.73340132e+29. This value is obviously enormous, big enough to make decrementing the value by 6.2831855 entirely ineffective due to the difference in floating point exponents of these two values. But why is the blade speed so ridiculously high? The blade speed is derived from the following formula:
where v34 is proportional to the plane’s altitude. This matches the initial findings — as mentioned earlier, the “burn-in effect” traditionally happens when the camera is very far away from the map center, or at a great height.
What caused the plane to shoot so high up? There are two possibilities:
The plane spawns high up in the sky already.
The plane spawns at ground level and then shoots up in the next frame.
For this test, I was spawning the Skimmer myself with a test script, so I could start from the function used in the game’s SCM (script) interpreter, named CCarCtrl::CreateCarForScript. This function spawns a vehicle with a specified ID at the provided coordinates, and those come from my test script, so I know they are correct. However, this function transforms the supplied Z coordinate slightly:
CEntity::GetDistanceFromCentreOfMassToBaseOfModel contains multiple code paths, but the one used in this case simply gets the negated maximum Z value of the model’s bounding box:
At this point, I expected this value to be incorrect, so I peeked into Skimmer’s bounding box values just to find out that the maximum Z value is indeed corrupted:
If all the components of the bounding box were corrupted, I would have suspected some memory corruption, like other code writing past boundaries and overwriting these values, but it’s specifically sup.z that is corrupted, a field that is neither the first nor the last in the bounding box. Once again, two possibilities came to my mind:
The collision file is read incorrectly, and some fields either remain uninitialized or are filled with unrelated data instead of the bounding box. Highly unlikely, but not impossible, given that this issue could potentially have been an OS bug.
The bounding box is read correctly, but then it’s updated with an outrageously incorrect value.
A data breakpoint set up at pColModel reveals that at the time of the initial setup, the bounding box is correct, and the value of the Z coordinate is completely reasonable:
Turns out, the first time a vehicle with a specific model is spawned, the game sets up the suspension in a function SetupSuspensionLines, and updates the Z coordinate of the bounding box to reflect the car’s natural suspension height:
This is where things went wrong first. The suspension lines are computed using a combination of values from handling.cfg and the wheel scale parameter coming from vehicles.ide:
Since I knew colModel->lines[0].p1 is corrupted, this meant either pHandling->fSuspensionLowerLimit, pHandling->fSuspensionUpperLimit, or wheelScale were bogus. Skimmer’s handling.cfg values didn’t seem any different from any other plane in the game, but then I spotted something interesting in vehicles.ide. Skimmer’s line looks like this:
Compare this line to any other plane in the game, in this example Rustler:
The line is shorter and is missing the last four parameters; moreover, two of the missing parameters are the front and rear wheel scale!
This is normal for boats, but Skimmer is the only plane to omit these parameters.
Does re-adding those parameters fix the seaplane? Unsurprisingly, it does!
I have a likely explanation for why Rockstar made this specific mistake in the data to begin with — in Vice City, Skimmer was defined as a boat, and therefore did not have those values defined by design! When in San Andreas they changed Skimmer’s vehicle type to a plane, someone forgot to add those now-required extra parameters. Since this game seldom verifies the completeness of its data, this mistake simply slipped under the radar.
Problem solved? Not quite yet, as for SilentPatch, I need to fix it from the code. A peek into the pseudocode of CFileLoader::LoadVehicleObject reveals the true nature of this bug: the game assumes all parameters are always present in the definition line, it doesn’t default any but two parameters, nor does it check the return value of sscanf, and so in the case of all boats and Skimmer, those parameters remained uninitialized:
void CFileLoader::LoadVehicleObject(const char* line)
{
    int objID = -1;
    char modelName[24];
    char texName[24];
    char type[8];
    char handlingID[16];
    char gameName[32];
    char anims[16];
    char vehClass[16];
    int frq;
    int flags;
    int comprules;
    int wheelModelID; // Uninitialized!
    float frontWheelScale, rearWheelScale; // Uninitialized!
    int wheelUpgradeClass = -1; // Funny enough, this one IS initialized

    int TxdSlot = CTxdStore::FindTxdSlot("vehicle");
    if (TxdSlot == -1)
        TxdSlot = CTxdStore::AddTxdSlot("vehicle");

    // Return value (the number of fields matched) is ignored, so a short line leaves the trailing locals untouched
    sscanf(line, "%d %s %s %s %s %s %s %s %d %d %x %d %f %f %d", &objID, modelName, texName, type, handlingID,
        gameName, anims, vehClass, &frq, &flags, &comprules, &wheelModelID, &frontWheelScale, &rearWheelScale,
        &wheelUpgradeClass);

    // More processing here...
}
Given the symptoms, those uninitialized values must have evaluated to small, valid floating point values all the way until now, whereas with Windows 11 24H2 they got out of hand and tripped the bounding box calculations.
In SilentPatch, the fix is easy — I wrap this call to sscanf and provide reasonable defaults for the final four parameters:
static int (*orgSscanf)(const char* s, const char* format, ...);

static int sscanf_Defaults(const char* s, const char* format, int* objID, char* modelName, char* texName, char* type,
    char* handlingID, char* gameName, char* anims, char* vehClass, int* frequency, int* flags, int* comprules,
    int* wheelModelID, float* frontWheelSize, float* rearWheelSize, int* wheelUpgradeClass)
{
    // Defaults are written before the original sscanf runs, so any field absent from the line keeps its default
    *wheelModelID = -1;
    // Why 0.7 and not 1.0, I'll explain later
    *frontWheelSize = 0.7;
    *rearWheelSize = 0.7;
    *wheelUpgradeClass = -1;
    return orgSscanf(s, format, objID, modelName, texName, type, handlingID, gameName, anims, vehClass,
        frequency, flags, comprules, wheelModelID, frontWheelSize, rearWheelSize, wheelUpgradeClass);
}
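To show the two halves of the hardening the post describes (defaults written before parsing, and the sscanf return count actually checked) in one self-contained parser, here is an added example that is neither SilentPatch’s nor the game’s own code. It keeps the page’s field names, format layout and 0.7 / -1 defaults; the three sample lines are constructed for the example, not copied from vehicles.ide.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not SilentPatch's or the game's own code: a hardened parser
 * for the 15-field vehicles.ide "cars" line layout described above. Field
 * names and the 0.7 / -1 defaults follow the page; the sample lines below
 * are constructed for this example, not taken from the game's data files. */

#define MANDATORY_FIELDS 11   /* ID .. comprules: present for every vehicle type */
#define VEHICLE_FIELDS   15   /* .. plus wheel model, two wheel scales, upgrade class */

typedef struct {
    int objID;
    char modelName[24];
    char texName[24];
    char type[8];
    char handlingID[16];
    char gameName[32];
    char anims[16];
    char vehClass[16];
    int frq;
    int flags;
    unsigned int comprules;   /* the %x conversion expects an unsigned int */
    int wheelModelID;
    float frontWheelScale;
    float rearWheelScale;
    int wheelUpgradeClass;
    int fieldsParsed;         /* what sscanf actually matched on this line */
} VehicleDef;

/* Same layout as the game's format string, but with width limits so an
 * overlong token cannot overflow the fixed-size buffers (width = size - 1). */
static const char VEHICLE_FORMAT[] =
    "%d %23s %23s %7s %15s %31s %15s %15s %d %d %x %d %f %f %d";

/* Constructed sample lines: a plane with all 15 fields, a boat that stops
 * after the 11 mandatory ones (the shape of Skimmer's line), and junk. */
static const char SAMPLE_FULL[] =
    "999 testplane testplane plane TESTPLANE TESTPLANE null ignore 10 2 1f -1 1.25 0.75 -1";
static const char SAMPLE_SHORT[] =
    "998 testboat testboat boat TESTBOAT TESTBOAT null ignore 10 0 0";
static const char SAMPLE_BROKEN[] = "this is not a vehicle definition";

/* Parse one line into *out. Every optional field receives its default before
 * sscanf runs and the return value is checked, so a short line can never leave
 * a field holding whatever happened to be on the stack from the previous call.
 * Returns 1 on success, 0 when the mandatory fields are missing or malformed. */
int parse_vehicle_line(const char *line, VehicleDef *out)
{
    memset(out, 0, sizeof *out);
    out->wheelModelID = -1;        /* defaults mirror the ones in the page's fix */
    out->frontWheelScale = 0.7f;
    out->rearWheelScale = 0.7f;
    out->wheelUpgradeClass = -1;

    out->fieldsParsed = sscanf(line, VEHICLE_FORMAT,
        &out->objID, out->modelName, out->texName, out->type, out->handlingID,
        out->gameName, out->anims, out->vehClass, &out->frq, &out->flags,
        &out->comprules, &out->wheelModelID, &out->frontWheelScale,
        &out->rearWheelScale, &out->wheelUpgradeClass);

    /* sscanf returns EOF or a short count on a truncated line. Fields beyond
     * the count were never written, so they still hold the defaults; anything
     * below the mandatory count means the definition is unusable. */
    if (out->fieldsParsed < MANDATORY_FIELDS)
        return 0;
    return 1;
}

int main(void)
{
    const char *samples[] = { SAMPLE_FULL, SAMPLE_SHORT, SAMPLE_BROKEN };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        VehicleDef v;
        int ok = parse_vehicle_line(samples[i], &v);
        printf("%-6s fields=%2d id=%d wheelModel=%d scales=%.2f/%.2f upgrade=%d\n",
               ok ? "ok" : "REJECT", v.fieldsParsed, v.objID, v.wheelModelID,
               v.frontWheelScale, v.rearWheelScale, v.wheelUpgradeClass);
    }
    return 0;
}
```

The short line reports 11 matched fields and keeps the 0.7 scales, which is exactly the outcome the game only got by accident from stale stack contents.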
If this was a regular bug, I would’ve ended the post right here. However, in the case of this rabbit hole, the discovery of this fix only raised more questions: why did this break only now? What made the game work fine despite this issue for over twenty years, before a new update to Windows 11 suddenly challenged this status quo?
Finally, is this somehow caused by a problem in Windows 11 24H2, or is this just an unfortunate coincidence, stars aligning just right?
At this point, the working theory was that the uninitialized local variables in CFileLoader::LoadVehicleObject happened to have reasonable values until something changed in Windows 11 24H2, and those values became “unreasonable”. What I knew could not be the cause was the CRT (and thus, the sscanf call) — San Andreas uses a statically compiled CRT, and therefore any OS-level hotfixes wouldn’t apply to it. However, considering the plethora of security enhancements in Windows 11, I couldn’t rule out that one of those enhancements, for example, Kernel-mode Hardware-enforced Stack Protection, ends up scrambling the stack in a way the game’s bugged function doesn’t like.
I set up an experiment where I broke into a debugger before the sscanf call when parsing Skimmer’s line (vehicle ID 460) specifically, and the observed variable values supported that claim. On my Windows 10 machine, they both happened to be 0.7:
while on the Win11 24H2 VM, they are huge, similar in order of magnitude to the wrong values observed in the bounding box earlier. The stack pointer has also shifted by 4 bytes for some reason, but that is unlikely to be related — and it’s likely caused by some changes to the thread startup boilerplate inside kernel32.dll:
This got me curious: 0.7 is a bit “too good” of a value to be the result of interpreting random garbage from the stack as a floating point; what’s more likely is that it’s an actual floating point value that was sitting on the stack in exactly the right spot. I then inspected vehicles.ide for TopFun — the vehicle defined directly before Skimmer. Sure enough, its wheel scale is 0.7!
vehicles.ide is parsed in order, in a function working similarly to this (pseudocode):
void CFileLoader::LoadObjectTypes(const char* filename)
{
    // Open the file...
    while ((line = fgets(file)) != NULL)
    {
        // Parse the section indicators...
        switch (section)
        {
        // Different sections...
        case SECTION_CARS:
            LoadVehicleObject(line); // each call reuses the same stack region for its locals
            break;
        }
    }
}
Seems like the code somehow persisted the stale wheel scale values, so Skimmer ends up getting the same wheel scales as Topfun. I set up another experiment to verify this claim:
Set up a breakpoint before sscanf again, but this time before Topfun’s line (vehicle ID 459) gets parsed.
Set up write breakpoints on frontWheelScale and rearWheelScale.
Resume execution until the game gets to parsing the next vehicle definition.
Windows 10 verified my claim — nothing wrote to these two stack values between the calls to CFileLoader::LoadVehicleObject, so the function’s effective behavior was to preserve (albeit, unintentionally) the wheel scale values between the consecutive calls!
Repeating the same exercise on Windows 11 24H2 triggered the write breakpoint! However, it wasn’t anywhere close to any security feature: the stack values were overwritten by… LeaveCriticalSection inside fgets:
Seems like a change in Windows 11 24H2 modified the way Critical Section Objects work internally, and the new code unlocking the critical section uses more stack space than the old one. I ran one more experiment, comparing the changes to the stack space that happened after sscanf inside LoadVehicleObject, until the next invocation of this function. Changed values are highlighted in red:
This is the exact proof I needed — notice that in the Windows 10 run, some of the local variables are even still visible to the human eye (like the normal vehicle class), while in Windows 11, they are completely gone. It’s also worth pointing out that even in Windows 10, the very next local variable after the wheel scales has been overwritten by LeaveCriticalSection, which means the game was 4 bytes away from hitting this exact bug years earlier! The luck on display here is insane.
...
Read the original on cookieplmonster.github.io »
Ask just about anybody, and they’ll tell you that new cars are too expensive. In the wake of tariffs shaking the auto industry and with the Trump administration pledging to kill the federal EV incentive, that situation isn’t looking to get better soon, especially for anyone wanting something battery-powered. Changing that overly spendy status quo is going to take something radical, and it’s hard to get more radical than what Slate Auto has planned.
Meet the Slate Truck, a sub-$20,000 (after federal incentives) electric vehicle that enters production next year. It only seats two yet has a bed big enough to hold a sheet of plywood. It only does 150 miles on a charge, only comes in gray, and the only way to listen to music while driving is if you bring along your phone and a Bluetooth speaker. It is the bare minimum of what a modern car can be, and yet it’s taken three years of development to get to this point.
But this is more than bargain-basement motoring. Slate is presenting its truck as minimalist design with DIY purpose, an attempt to not just go cheap but to create a new category of vehicle with a huge focus on personalization. That design also enables a low-cost approach to manufacturing that has caught the eye of major investors, reportedly including Jeff Bezos. It’s been engineered and will be manufactured in America, but is this extreme simplification too much for American consumers?
Instead of steel or aluminum, the Slate Truck’s body panels are molded of plastic. Or, as Slate calls them, “injection molded polypropylene composite material.” The theory is that this makes them more durable and scratch-resistant, if only because the lack of paint means they’re one color all the way through. Auto enthusiasts of a certain age will remember the same approach used by the now-defunct Saturn Corporation, a manufacturing technique that never caught on across the industry.
While most buyers will rightly fixate on the cost of the truck, the bigger story here might just be this radically simplified approach to manufacturing. “From the very beginning, our business model has been such that we reach cash flow positivity very shortly after start of production. And so from an investment standpoint, we are far less cash-reliant than any other EV startup that has ever existed, as far as I know,” Snyder says.
...
Read the original on www.theverge.com »
A whistleblower at the National Labor Relations Board (NLRB) alleged last week that denizens of Elon Musk’s Department of Government Efficiency (DOGE) siphoned gigabytes of data from the agency’s sensitive case files in early March. The whistleblower said accounts created for DOGE at the NLRB downloaded three code repositories from GitHub. Further investigation into one of those code bundles shows it is remarkably similar to a program published in January 2025 by Marko Elez, a 25-year-old DOGE employee who has worked at a number of Musk’s companies.
According to a whistleblower complaint filed last week by Daniel J. Berulis, a 38-year-old security architect at the NLRB, officials from DOGE met with NLRB leaders on March 3 and demanded the creation of several all-powerful “tenant admin” accounts that were to be exempted from network logging activity that would otherwise keep a detailed record of all actions taken by those accounts.
Berulis said the new DOGE accounts had unrestricted permission to read, copy, and alter information contained in NLRB databases. The new accounts also could restrict log visibility, delay retention, route logs elsewhere, or even remove them entirely — top-tier user privileges that neither Berulis nor his boss possessed.
Berulis said he discovered one of the DOGE accounts had downloaded three external code libraries from GitHub that neither NLRB nor its contractors ever used. A “readme” file in one of the code bundles explained it was created to rotate connections through a large pool of cloud Internet addresses that serve “as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.” Brute force attacks involve automated login attempts that try many credential combinations in rapid sequence.
A search on that description in Google brings up a code repository at GitHub for a user with the account name “Ge0rg3” who published a program roughly four years ago called “requests-ip-rotator,” described as a library that will allow the user “to bypass IP-based rate-limits for sites and services.”
“A Python library to utilize AWS API Gateway’s large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing,” the description reads.
Ge0rg3’s code is “open source,” in that anyone can copy it and reuse it non-commercially. As it happens, there is a newer version of this project that was derived or “forked” from Ge0rg3’s code — called “async-ip-rotator” — and it was committed to GitHub in January 2025 by DOGE captain Marko Elez.
A key DOGE staff member who gained access to the Treasury Department’s central payments system, Elez has worked for a number of Musk companies, including X, SpaceX, and xAI. Elez was among the first DOGE employees to face public scrutiny, after The Wall Street Journal linked him to social media posts that advocated racism and eugenics.
Elez resigned after that brief scandal, but was rehired after President Donald Trump and Vice President JD Vance expressed support for him. Politico reports Elez is now a Labor Department aide detailed to multiple agencies, including the Department of Health and Human Services.
“During Elez’s initial stint at Treasury, he violated the agency’s information security policies by sending a spreadsheet containing names and payments information to officials at the General Services Administration,” Politico wrote, citing court filings.
KrebsOnSecurity sought comment from both the NLRB and DOGE, and will update this story if either responds.
The NLRB has been effectively hobbled since President Trump fired three board members, leaving the agency without the quorum it needs to function. Both Amazon and Musk’s SpaceX have been suing the NLRB over complaints the agency filed in disputes about workers’ rights and union organizing, arguing that the NLRB’s very existence is unconstitutional. On March 5, a U.S. appeals court unanimously rejected Musk’s claim that the NLRB’s structure somehow violates the Constitution.
Berulis’s complaint alleges the DOGE accounts at NLRB downloaded more than 10 gigabytes of data from the agency’s case files, a database that includes reams of sensitive records including information about employees who want to form unions and proprietary business documents. Berulis said he went public after higher-ups at the agency told him not to report the matter to the US-CERT, as they’d previously agreed.
Berulis told KrebsOnSecurity he worried the unauthorized data transfer by DOGE could unfairly advantage defendants in a number of ongoing labor disputes before the agency.
“If any company got the case data that would be an unfair advantage,” Berulis said. “They could identify and fire employees and union organizers without saying why.”
Berulis said the other two GitHub archives that DOGE employees downloaded to NLRB systems included Integuru, a software framework designed to reverse engineer application programming interfaces (APIs) that websites use to fetch data; and a “headless” browser called Browserless, which is made for automating web-based tasks that require a pool of browsers, such as web scraping and automated testing.
On February 6, someone posted a lengthy and detailed critique of Elez’s code on the GitHub “issues” page for async-ip-rotator, calling it “insecure, unscalable and a fundamental engineering failure.”
“If this were a side project, it would just be bad code,” the reviewer wrote. “But if this is representative of how you build production systems, then there are much larger concerns. This implementation is fundamentally broken, and if anything similar to this is deployed in an environment handling sensitive data, it should be audited immediately.”
Update 7:06 p.m. ET: Elez’s code repo was deleted after this story was published. An archived version of it is here.
...
Read the original on krebsonsecurity.com »
MILWAUKEE (AP) — The FBI on Friday arrested a Milwaukee judge accused of helping a man evade immigration authorities, escalating a clash between the Trump administration and local authorities over the Republican president’s sweeping immigration crackdown.
Milwaukee County Circuit Court Judge Hannah Dugan is accused of escorting the man and his lawyer out of her courtroom through the jury door last week after learning that immigration authorities were seeking his arrest. The man was taken into custody outside the courthouse after agents chased him on foot.
President Donald Trump’s administration has accused state and local officials of interfering with his immigration enforcement priorities. The arrest also comes amid a growing battle between the administration and the federal judiciary over the president’s executive actions over deportations and other matters.
Dugan was taken into custody by the FBI on Friday morning on the courthouse grounds, according to U.S. Marshals Service spokesperson Brady McCarron. She appeared briefly in federal court in Milwaukee later Friday before being released from custody. She faces charges of “concealing an individual to prevent his discovery and arrest” and obstructing or impeding a proceeding.
“Judge Dugan wholeheartedly regrets and protests her arrest. It was not made in the interest of public safety,” her attorney, Craig Mastantuono, said during the hearing. He declined to comment to an Associated Press reporter following her court appearance.
Democratic Wisconsin Gov. Tony Evers, in a statement on the arrest, accused the Trump administration of repeatedly using “dangerous rhetoric to attack and attempt to undermine our judiciary at every level.”
“I will continue to put my faith in our justice system as this situation plays out in the court of law,” he said.
Court papers suggest Dugan was alerted to the presence of U.S. Immigration and Customs Enforcement agents in the courthouse by her clerk, who was informed by an attorney that they appeared to be in the hallway.
The FBI affidavit describes Dugan as “visibly angry” over the arrival of immigration agents in the courthouse and says that she pronounced the situation “absurd” before leaving the bench and retreating to her chambers. It says she and another judge later approached members of the arrest team inside the courthouse, displaying what witnesses described as a “confrontational, angry demeanor.”
After a back-and-forth with officers over the warrant for the man, Eduardo Flores-Ruiz, she demanded that the arrest team speak with the chief judge and led them away from the courtroom, the affidavit says.
After directing the arrest team to the chief judge’s office, investigators say, Dugan returned to the courtroom and was heard saying words to the effect of “wait, come with me” before ushering Flores-Ruiz and his lawyer through a jury door into a non-public area of the courthouse. The action was unusual, the affidavit says, because “only deputies, juries, court staff, and in-custody defendants being escorted by deputies used the back jury door. Defense attorneys and defendants who were not in custody never used the jury door.”
A sign that remained posted on Dugan’s courtroom door Friday advised that if any attorney or other court official “knows or believes that a person feels unsafe coming to the courthouse to courtroom 615,” they should notify the clerk and request an appearance via Zoom.
Flores-Ruiz, 30, was in Dugan’s court for a hearing after being charged with three counts of misdemeanor domestic battery. Confronted by a roommate for playing loud music on March 12, Flores-Ruiz allegedly fought with him in the kitchen and struck a woman who tried to break them up, according to the police affidavit in the case.
Another woman who tried to break up the fight and called police allegedly got elbowed in the arm by Flores-Ruiz.
Flores-Ruiz faces up to nine months in prison and a $10,000 fine on each count if convicted. His public defender, Alexander Kostal, did not immediately return a phone message Friday seeking comment.
A federal judge, the same one Dugan would appear before a day later, had ordered Thursday that Flores-Ruiz remain jailed pending trial. Flores-Ruiz had been in the U.S. since reentering the country after he was deported in 2013, according to court documents.
Attorney General Pam Bondi said victims were sitting in the courtroom with state prosecutors when the judge helped him escape immigration arrest.
“The rule of law is very simple,” she said in a video posted on X. “It doesn’t matter what line of work you’re in. If you break the law, we will follow the facts and we will prosecute you.”
White House officials echoed the sentiment of no one being above the law.
Sen. Tammy Baldwin, a Democrat who represents Wisconsin, called the arrest of a sitting judge a “gravely serious and drastic move” that “threatens to breach” the separation of power between the executive and judicial branches.
Emilio De Torre, executive director of Milwaukee Turners, said during a protest Friday afternoon outside the federal courthouse that Dugan was a former board member for the local civic group who “was certainly trying to make sure that due process is not disrupted and that the sanctity of the courts is upheld.”
“Sending armed FBI and ICE agents into buildings like this will intimidate individuals showing up to court to pay fines, to deal with whatever court proceedings they may have,” De Torre added.
The case is similar to one brought during the first Trump administration against a Massachusetts judge, who was accused of helping a man sneak out a back door of a courthouse to evade a waiting immigration enforcement agent.
That prosecution sparked outrage from many in the legal community, who slammed the case as politically motivated. Prosecutors dropped the case against Newton District Judge Shelley Joseph in 2022 under the Democratic Biden administration after she agreed to refer herself to a state agency that investigates allegations of misconduct by members of the bench.
The Justice Department had previously signaled that it was going to crack down on local officials who thwart federal immigration efforts.
The department in January ordered prosecutors to investigate for potential criminal charges any state and local officials who obstruct or impede federal functions. As potential avenues for prosecution, a memo cited a conspiracy offense as well as a law prohibiting the harboring of people in the country illegally.
Dugan was elected in 2016 to the county court Branch 31. She also has served in the court’s probate and civil divisions, according to her judicial candidate biography.
Before being elected to public office, Dugan practiced at Legal Action of Wisconsin and the Legal Aid Society. She graduated from the University of Wisconsin-Madison in 1981 with a bachelor of arts degree and earned her Juris Doctorate in 1987 from the school.
Richer reported from Washington. Associated Press reporters Eric Tucker in Washington, Corey Williams in Detroit and Hallie Golden in Seattle contributed.
...
Read the original on apnews.com »
I never would have read Careless People, Sarah Wynn-Williams’s tell-all memoir about her years running global policy for Facebook, but then Meta’s lawyer tried to get the book suppressed and secured an injunction to prevent her from promoting it:
So I’ve got something to thank Meta’s lawyers for, because it’s a great book! Not only is Wynn-Williams a skilled and lively writer who spills some of Facebook’s most shameful secrets, but she’s also a kick-ass narrator (I listened to the audiobook, which she voices):
I went into Careless People with strong expectations about the kind of disgusting behavior it would chronicle. I have several friends who took senior jobs at Facebook, thinking they could make a difference (three of them actually appear in Wynn-Williams’s memoir), and I’ve got a good sense of what a nightmare it is for a company.
But Wynn-Williams was a lot closer to three of the key personalities in Facebook’s upper echelon than anyone in my orbit: Mark Zuckerberg, Sheryl Sandberg, and Joel Kaplan, who was elevated to VP of Global Policy after the Trump II election. I already harbor an atavistic loathing of these three based on their public statements and conduct, but the events Wynn-Williams reveals from their private lives make these three out to be beyond despicable. There’s Zuck, whose underlings let him win at board-games like Settlers of Catan because he’s a manbaby who can’t lose (and who accuses Wynn-Williams of cheating when she fails to throw a game of Ticket to Ride while they’re flying in his private jet). There’s Sandberg, who demands the right to buy a kidney for her child from someone in Mexico, should that child ever need a kidney.
Then there’s Kaplan, who is such an extraordinarily stupid and awful oaf that it’s hard to pick out just one example, but I’ll try. At one point, Wynn-Williams gets Zuck a chance to address the UN General Assembly. As is his wont, Zuck refuses to be briefed before he takes the dais (he’s repeatedly described as unwilling to consider any briefing note longer than a single text message). When he gets to the mic, he spontaneously promises that Facebook will provide internet access to refugees all over the world. Various teams at Facebook then race around, trying to figure out whether this is something the company is actually doing, and once they realize Zuck was just bullshitting, set about trying to figure out how to do it. They get some way down this path when Kaplan intervenes to insist that giving away free internet to refugees is a bad idea, and that instead, they should sell internet access to refugees. Facebookers dutifully throw themselves into this absurd project, which dies when Kaplan fires off an email stating that he’s just realized that refugees don’t have any money. The project dies.
The path that brought Wynn-Williams into the company of these careless people is a weird — and rather charming — one. As a young woman, Wynn-Williams was a minor functionary in the New Zealand diplomatic corps, and during her foreign service, she grew obsessed with the global political and social potential of Facebook. She threw herself into the project of getting hired to work on Facebook’s global team, working on strategy for liaising with governments around the world. The biggest impediment to landing this job is that it doesn’t exist: sure, FB was lobbying the US government, but it was monumentally disinterested in the rest of the world in general, and the governments of the world in particular.
But Wynn-Williams persists, pestering potentially relevant execs with requests, working friends-of-friends (Facebook itself is extraordinarily useful for this), and refusing to give up. Then comes the Christchurch earthquake. Wynn-Williams is in the US, about to board a flight, when her sister, a news presenter, calls her while trapped inside a collapsed building (the sister hadn’t been able to get a call through to anyone in NZ). Wynn-Williams spends the flight wondering if her sister is dead or alive, and only learns that her sister is OK through a post on Facebook.
The role Facebook played in the Christchurch quake transforms Wynn-Williams’s passion for Facebook into something like religious zealotry. She throws herself into the project of landing the job, and she does, and after some funny culture-clashes arising from her Kiwi heritage and her public service background, she settles in at Facebook.
Her early years there are sometimes comical, sometimes scary, and are characteristic of a company that is growing quickly and unevenly. She’s dispatched to Myanmar amidst a nationwide block of Facebook ordered by the ruling military junta and at one point, it seems like she’s about to get kidnapped and imprisoned by goons from the communications ministry. She arranges for a state visit by NZ Prime Minister John Key, who wants a photo-op with Zuckerberg, who — oblivious to the prime minister standing right there in front of him — berates Wynn-Williams for demanding that he meet with some jackass politician (they do the photo-op anyway).
One thing is clear: Facebook doesn’t really care about countries other than America. Though Wynn-Williams chalks this up to plain old provincial chauvinism (which FB’s top echelon possess in copious quantities), there’s something else at work. The USA is the only country in the world that a) is rich, b) is populous, and c) has no meaningful privacy protections. If you make money selling access to dossiers on rich people to advertisers, America is the most important market in the world.
But then Facebook conquers America. Not only does FB saturate the US market, it uses its free cash-flow and high share price to acquire potential rivals, like Whatsapp and Instagram, ensuring that American users who leave Facebook (the service) remain trapped by Facebook (the company).
At this point, Facebook — Zuckerberg — turns towards the rest of the world. Suddenly, acquiring non-US users becomes a matter of urgency, and overnight Wynn-Williams is transformed from the sole weirdo talking about global markets to the key asset in pursuit of the company’s top priority.
Wynn-Williams’s explanation for this shift lies in Zuckerberg’s personality, his need to constantly dominate (which is also why his subordinates have learned to let him win at board games). This is doubtless true: not only has this aspect of Zuckerberg’s personality been on display in public for decades, Wynn-Williams was able to observe it first-hand, behind closed doors.
But I think that in addition to this personality defect, there’s a material pressure for Facebook to grow that Wynn-Williams doesn’t mention. Companies that grow get extremely high price-to-earnings (P:E) ratios, meaning that investors are willing to spend many dollars on shares for every dollar the company takes in. Two similar companies with similar earnings can have vastly different valuations (the value of all the stock the company has ever issued), depending on whether one of them is still growing.
High P:E ratios reflect a bet on the part of investors that the company will continue to grow, and those bets only become more extravagant the more the company grows. This is a huge advantage to companies with “growth stocks.” If your shares constantly increase in value, they are highly liquid — that is, you can always find someone who’s willing to buy your shares from you for cash, which means that you can treat shares like cash. But growth stocks are better than cash, because money grows slowly, if at all (especially in periods of extremely low interest rates, like the past 15+ years). Growth stocks, on the other hand, grow.
Best of all, companies with growth stocks have no trouble finding more stock when they need it. They just type zeroes into a spreadsheet and more shares appear. Contrast this with money. Facebook may take in a lot of money, but the money only arrives when someone else spends it. Facebook’s access to money is limited by exogenous factors — your willingness to send your money to Facebook. Facebook’s access to shares is only limited by endogenous factors — the company’s own willingness to issue new stock.
That means that when Facebook needs to buy something, there’s a very good chance that the seller will accept Facebook’s stock in lieu of US dollars. Whether Facebook is hiring a new employee or buying a company, it can outbid rivals who only have dollars to spend, because that bidder has to ask someone else for more dollars, whereas Facebook can make its own stock on demand. This is a massive competitive advantage.
But it is also a massive business risk. As Stein’s Law has it, “anything that can’t go on forever eventually stops.” Facebook can’t grow forever by signing up new users. Eventually, everyone who might conceivably have a Facebook account will get one. When that happens, Facebook will need to find some other way to make money. They could enshittify — that is, shift value from the company’s users and customers to itself. They could invent something new (like metaverse, or AI). But if they can’t make those things work, then the company’s growth will have ended, and it will instantaneously become grossly overvalued. Its P:E ratio will have to shift from the high value enjoyed by growth stocks to the low value endured by “mature” companies.
When that happens, anyone who is slow to sell will lose a ton of money. So investors in growth stocks tend to keep one fist poised over the “sell” button and sleep with one eye open, watching for any hint that growth is slowing. It’s not just that growth gives FB the power to outcompete rivals — it’s also the case that growth makes the company vulnerable to massive, sudden devaluations. What’s more, if these devaluations are persistent and/or frequent enough, the key FB employees who accepted stock in lieu of cash for some or all of their compensation will either demand lots more cash, or jump ship for a growing rival. These are the very same people that Facebook needs to pull itself out of its nosedives. For a growth stock, even small reductions in growth metrics (or worse, declines) can trigger cascades of compounding, mutually reinforcing collapse.
This is what happened in early 2022, when Meta posted slightly lower-than-anticipated US growth numbers, and the market all pounded on the “sell” button at once, lopping $250,000,000,000 of the company’s valuation in 24 hours. At the time, it was the worst-ever single day losses for any company in human history:
Facebook’s conquest of the US market triggered an emphasis on foreign customers, but not just because Zuck is obsessed with conquest. For Facebook, a decline in US growth posed an existential risk, the possibility of mass stock selloffs and with them, the end of the years in which Facebook could acquire key corporate rivals and executives with “money” it could print on the premises, on demand.
So Facebook cast its eye upon the world, and Wynn-Williams’s long insistence that the company should be paying attention to the political situation abroad suddenly starts landing with her bosses. But those bosses — Zuck, Sandberg, Kaplan and others — are “careless.” Zuck screws up opportunity after opportunity because he refuses to be briefed, forgets what little information he’s been given, and blows key meetings because he refuses to get out of bed before noon. Sandberg’s visits to Davos are undermined by her relentless need to promote herself, her “Lean In” brand, and her petty gamesmanship. Kaplan is the living embodiment of Green Day’s “American Idiot” and can barely fathom that foreigners exist.
Wynn-Williams’s adventures during this period are very well told, and are, by turns, harrowing and hilarious. Time and again, Facebook’s top brass snatch defeat from the jaws of victory, squandering incredible opportunities that Wynn-Williams secures for them because of their pettiness, short-sightedness, and arrogance (that is, their carelessness).
But Wynn-Williams’s disillusionment with Facebook isn’t rooted in these frustrations. Rather, she is both personally and professionally aghast at the company’s disgusting, callous and cruel behavior. She describes how her boss, Joel Kaplan, relentlessly sexually harasses her, and everyone in a position to make this stop tells her to shut up and take it. When Wynn-Williams gives birth to her second child, she hemorrhages, almost dies, and ends up in a coma. Afterwards, Kaplan gives her a negative performance review because she was “unresponsive” to his emails and texts while she was dying in an ICU. This is a significant escalation of the earlier behavior she describes, like pestering her with personal questions about breastfeeding, video-calling her from bed, and so on (Kaplan is Sandberg’s ex-boyfriend, and Wynn-Williams describes another creepy event where Sandberg pressures her to sleep next to her in the bedroom on one of Facebook’s jets, something Wynn-Williams says she routinely does with the young women who report to her).
Meanwhile, Zuck is relentlessly pursuing Facebook’s largest conceivable growth market: China. The only problem: China doesn’t want Facebook. Zuck repeatedly tries to engineer meetings with Xi Jinping so he can plead his case in person. Xi is monumentally hostile to this idea. Zuck learns Mandarin. He studies Xi’s book, conspicuously displays a copy of it on his desk. Eventually, he manages to sit next to Xi at a dinner where he begs Xi to name his next child. Xi turns him down.
After years of persistent nagging, lobbying, and groveling, Facebook’s China execs start to make progress with a state apparatchik who dangles the possibility of Facebook entering China. Facebook promises this factotum the world — all the surveillance and censorship the Chinese state wants and more. Then, Facebook’s contact in China is jailed for corruption, and they have to start over.
At this point, Kaplan has punished Wynn-Williams — she blames it on her attempts to get others to force him to stop his sexual harassment — and cut her responsibilities in half. He tries to maneuver her into taking over the China operation, something he knows she absolutely disapproves of and has refused to work on — but she refuses. Instead, she is put in charge of hiring the new chief of China operations, giving her access to a voluminous paper-trail detailing the company’s dealings with the Chinese government.
According to Wynn-Williams, Facebook actually built an extensive censorship and surveillance system for the Chinese state — spies, cops and military — to use against Chinese Facebook users, and FB users globally. They promise to set up caches of global FB content in China that the Chinese state can use to monitor all Facebook activity, everywhere, with the implication that they’ll be able to spy on private communications, and censor content for non-Chinese users.
Despite all of this, Facebook is never given access to China. However, the Chinese state is able to use the tools Facebook built for it to attack independence movements, the free press and dissident uprisings in Hong Kong and Taiwan.
Meanwhile, in Myanmar, a genocide is brewing. NGOs and human rights activists keep reaching out to Facebook to get them to pay attention to the widespread use of the platform to whip up hatred against the country’s Muslim minority group, the Rohingya. Despite having expended tremendous amounts of energy to roll out “Free Basics” in Myanmar (a program whereby Facebook bribes carriers to exclude its own services from data caps), with the result that in Myanmar, “the internet” is synonymous with “Facebook,” the company has not expended any effort to manage its Burmese presence. The entire moderation staff consists of one (later two) Burmese speakers who are based in Dublin and do not work local hours (later, these two are revealed as likely stooges for the Myanmar military junta, who are behind the genocide plans).
The company has also failed to invest in Burmese language support for its systems — posts written in Burmese script are not stored as Unicode, meaning that none of the company’s automated moderation systems can parse it. The company is so hostile to pleas to upgrade these systems that Wynn-Williams and some colleagues create secret, private Facebook groups where they can track the failures of the company and the rising tide of lethal violence in the country (this isn’t the only secret dissident Facebook group that Wynn-Williams joins — she’s also part of a group of women who have been sexually harassed by colleagues and bosses).
The genocide that follows is horrific beyond measure. And, as with the Trump election, the company’s initial posture is that they couldn’t possibly have played a significant role in a real-world event that shocked and horrified its rank-and-file employees.
The company, in other words, is “careless.” Warned of imminent harms to its users, to democracy, to its own employees, the top executives simply do not care. They ignore the warnings and the consequences, or pay lip service to them. They don’t care.
Take Kaplan: after figuring out that the company can’t curry favor with the world’s governments by selling drone-delivered wifi to refugees (the drones don’t fly and the refugees are broke), he hits on another strategy. He remakes “government relations” as a sales office, selling political ads to politicians who are seeking to win over voters, or, in the case of autocracies, disenfranchised hostage-citizens. This is hugely successful, both as a system for securing government cooperation and as a way to transform Facebook’s global policy shop from a cost-center to a profit-center.
But of course, it has a price. Kaplan’s best customers are dictators and would-be dictators, fomenters of hatred and genocide, authoritarians seeking opportunities to purge their opponents, through exile and/or murder.
Wynn-Williams makes a very good case that Facebook is run by awful people who are also very careless — in the sense of being reckless, incurious, indifferent.
But there’s another meaning to “careless” that lurks just below the surface of this excellent memoir: “careless” in the sense of “arrogant” — in the sense of not caring about the consequences of their actions.
To me, this was the most important — but least-developed — lesson of Careless People. When Wynn-Williams lands at Facebook, she finds herself surrounded by oafs and sociopaths, cartoonishly selfish and shitty people, who, nevertheless, have built a service that she loves and values, along with hundreds of millions of other people.
She’s not wrong to be excited about Facebook, or its potential. The company may be run by careless people, but they are still prudent, behaving as though the consequences of screwing up matter. They are “careless” in the sense of “being reckless,” but they care, in the sense of having a healthy fear (and thus respect) for what might happen if they fully yield to their reckless impulses.
Wynn-Williams’s firsthand account of the next decade is not a story of these people becoming more reckless, rather, it’s a story in which the possibility of consequences for that recklessness recedes, and with it, so does their care over those consequences.
Facebook buys its competitors, freeing it from market consequences for its bad acts. By buying the places where disaffected Facebook users are seeking refuge — Instagram and Whatsapp — Facebook is able to insulate itself from the discipline of competition — the fear that doing things that are adverse to its users will cause them to flee.
Facebook captures its regulators, freeing it from regulatory consequences for its bad acts. By playing a central role in the electoral campaigns of Obama and then other politicians around the world, Facebook transforms its watchdogs into supplicants who are more apt to beg it for favors than hold it to account.
Facebook tames its employees, freeing it from labor consequences for its bad acts. As engineering supply catches up with demand, Facebook’s leadership come to realize that they don’t have to worry about workforce uprisings, whether incited by impunity for sexually abusive bosses, or by the company’s complicity in genocide and autocratic oppression.
First, Facebook becomes too big to fail.
Then, Facebook becomes too big to jail.
Finally, Facebook becomes too big to care.
This is the “carelessness” that ultimately changes Facebook for the worse, that turns it into the hellscape that Wynn-Williams is eventually fired from after she speaks out once too often. Facebook bosses aren’t just “careless” because they refuse to read a briefing note that’s longer than a tweet. They’re “careless” in the sense that they arrive at a juncture where they don’t have to care who they harm, whom they enrage, who they ruin.
There’s a telling anecdote near the end of Careless People. Back in 2017, leaks revealed that Facebook’s sales-reps were promising advertisers the ability to market to teens who felt depressed and “worthless”:
Wynn-Williams is — rightly — aghast about this, and even more aghast when she sees the company’s official response, in which they disclaim any knowledge that this capability was being developed and fire a random, low-level scapegoat. Wynn-Williams knows they’re lying. She knows that this is a routine offering, one that the company routinely boasts about to advertisers.
But she doesn’t mention the other lies that Facebook tells in this moment: for one thing, the company offers advertisers the power to target more teens than actually exist. The company proclaims the efficacy of its “sentiment analysis” tool that knows how to tell if teens are feeling depressed or “worthless,” even though these tools are notoriously inaccurate, hardly better than a coin-toss, a kind of digital phrenology.
Facebook, in other words, isn’t just lying to the public about what it offers to advertisers — it’s lying to advertisers, too. Contra those who say, “if you’re not paying for the product, you’re the product,” Facebook treats anyone it can get away with abusing as “the product” (just like every other tech monopolist):
Wynn-Williams documents so many instances in which Facebook’s top executives lie — to the courts, to Congress, to the UN, to the press. Facebook lies when it is beneficial to do so — but only when they can get away with it. By the time Facebook was lying to advertisers about its depressed teen targeting tools, it was already colluding with Google to rig the ad market with an illegal tool called “Jedi Blue”:
Facebook’s story is the story of a company that set out to become too big to care, and achieved that goal. The company’s abuses track precisely with its market dominance. It enshittified things for users once it had the users locked in. It screwed advertisers once it captured their market. It did the media-industry-destroying “pivot to video” fraud once it captured the media:
The important thing about Facebook’s carelessness is that it wasn’t the result of the many grave personality defects in Facebook’s top executives — it was the result of policy choices. Government decisions not to enforce antitrust law, to allow privacy law to wither on the vine, to expand IP law to give Facebook a weapon to shut down interoperable rivals — these all created the enshittogenic environment that allowed the careless people who run Facebook to stop caring.
The corollary: if we change the policy environment, we can make these careless people — and their successors, who run other businesses we rely upon — care. They may never care about us, but we can make them care about what we might do to them if they give in to their carelessness.
Meta is in global regulatory crosshairs, facing antitrust action in the USA:
And muscular enforcement pledges in the EU:
The law cannot make a man love me, but it can stop him from lynching me, and I think that’s pretty important.
What Happens When Private Equity Owns Your Kid’s Day Care https://jacobin.com/2025/04/private-equity-day-care-childcare/
#15yrsago India’s copyright bill gets it right https://web.archive.org/web/20100425031519/https://www.michaelgeist.ca/content/view/4974/196/
#15yrsago Hitler’s pissed off about fair use https://www.youtube.com/watch?v=kBO5dh9qrIQ
#5yrsago Unmasking the registrants of the “reopen” websites https://pluralistic.net/2020/04/22/filternet/#krebs
#1yrago Paying for it doesn’t make it a market https://pluralistic.net/2024/04/22/kargo-kult-kaptialism/#dont-buy-it
* Can we use the Internet for Democracy?
https://www.youtube.com/watch?v=Zh_HON6iql8
* Enshittification: Why Everything Suddenly Got Worse and What to Do About It, Farrar, Straus, Giroux, October 7 2025
https://us.macmillan.com/books/9780374619329/enshittification/
Unauthorized Bread: a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2026
Enshittification, Why Everything Suddenly Got Worse and What to Do About It (the graphic novel), Firstsecond, 2026
* Enshittification: a nonfiction book about platform decay for Farrar, Straus, Giroux. Status: second pass edit underway (readaloud)
Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. FORTHCOMING TOR BOOKS FEB 2025
This work — excluding any serialized fiction — is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.
Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.
“When life gives you SARS, you make sarsaparilla” -Joey “Accordion Guy” DeVilla
READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies (“BOGUS AGREEMENTS”) that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.
...
Read the original on pluralistic.net »
A security architect with the National Labor Relations Board (NLRB) alleges that employees from Elon Musk’s Department of Government Efficiency (DOGE) transferred gigabytes of sensitive data from agency case files in early March, using short-lived accounts configured to leave few traces of network activity. The NLRB whistleblower said the unusual large data outflows coincided with multiple blocked login attempts from an Internet address in Russia that tried to use valid credentials for a newly-created DOGE user account.
The allegations came in an April 14 letter to the Senate Select Committee on Intelligence, signed by Daniel J. Berulis, a 38-year-old security architect at the NLRB.
NPR, which was the first to report on Berulis’s whistleblower complaint, says NLRB is a small, independent federal agency that investigates and adjudicates complaints about unfair labor practices, and stores “reams of potentially sensitive data, from confidential information about employees who want to form unions to proprietary business information.”
The complaint documents a one-month period beginning March 3, during which DOGE officials reportedly demanded the creation of all-powerful “tenant admin” accounts in NLRB systems that were to be exempted from network logging activity that would otherwise keep a detailed record of all actions taken by those accounts.
Berulis said the new DOGE accounts had unrestricted permission to read, copy, and alter information contained in NLRB databases. The new accounts also could restrict log visibility, delay retention, route logs elsewhere, or even remove them entirely — top-tier user privileges that neither Berulis nor his boss possessed.
Berulis writes that on March 3, a black SUV accompanied by a police escort arrived at his building — the NLRB headquarters in Southeast Washington, D.C. The DOGE staffers did not speak with Berulis or anyone else in NLRB’s IT staff, but instead met with the agency leadership.
“Our acting chief information officer told us not to adhere to standard operating procedure with the DOGE account creation, and there was to be no logs or records made of the accounts created for DOGE employees, who required the highest level of access,” Berulis wrote of their instructions after that meeting.
“We have built in roles that auditors can use and have used extensively in the past but would not give the ability to make changes or access subsystems without approval,” he continued. “The suggestion that they use these accounts was not open to discussion.”
Berulis found that on March 3 one of the DOGE accounts created an opaque, virtual environment known as a “container,” which can be used to build and run programs or scripts without revealing its activities to the rest of the world. Berulis said the container caught his attention because he polled his colleagues and found none of them had ever used containers within the NLRB network.
Berulis said he also noticed that early the next morning — between approximately 3 a.m. and 4 a.m. EST on Tuesday, March 4 — there was a large increase in outgoing traffic from the agency. He said it took several days of investigating with his colleagues to determine that one of the new accounts had transferred approximately 10 gigabytes worth of data from the NLRB’s NxGen case management system.
Berulis said neither he nor his co-workers had the necessary network access rights to review which files were touched or transferred — or even where they went. But his complaint notes the NxGen database contains sensitive information on unions, ongoing legal cases, and corporate secrets.
“I also don’t know if the data was only 10gb in total or whether or not they were consolidated and compressed prior,” Berulis told the senators. “This opens up the possibility that even more data was exfiltrated. Regardless, that kind of spike is extremely unusual because data almost never directly leaves NLRB’s databases.”
Berulis said he and his colleagues grew even more alarmed when they noticed nearly two dozen login attempts from a Russian Internet address (83.149.30.186) that presented valid login credentials for a DOGE employee account — one that had been created just minutes earlier. Berulis said those attempts were all blocked thanks to rules in place that prohibit logins from non-U.S. locations.
“Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating,” Berulis wrote. “There were more than 20 such attempts, and what is particularly concerning is that many of these login attempts occurred within 15 minutes of the accounts being created by DOGE engineers.”
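As an added example (not code from the article, the NLRB or Microsoft), a small Python check that flags the pattern Berulis describes: sign-in attempts from outside the allowed country within 15 minutes of an account being created, counting attempts a location policy blocked, since a block stops the session but valid credentials arriving from abroad are the signal. The event format, account names, timestamps and country codes are constructed for the example.

```python
"""Correlate new-account creation with foreign sign-in attempts (constructed example)."""
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"US"}          # assumption: only domestic sign-ins are expected
WINDOW = timedelta(minutes=15)      # the "within 15 minutes" pattern from the complaint

# Constructed audit events (UTC timestamps); not real log data.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T02:40:00", "type": "account_created", "account": "svc_admin_01@example.test"},
    {"ts": "2025-03-04T02:47:12", "type": "sign_in", "account": "svc_admin_01@example.test",
     "country": "RU", "result": "blocked_by_location_policy"},
    {"ts": "2025-03-04T02:48:03", "type": "sign_in", "account": "svc_admin_01@example.test",
     "country": "RU", "result": "blocked_by_location_policy"},
    {"ts": "2025-03-04T05:10:00", "type": "sign_in", "account": "svc_admin_01@example.test",
     "country": "RU", "result": "blocked_by_location_policy"},   # outside the window
    {"ts": "2025-03-04T02:50:00", "type": "sign_in", "account": "jdoe@example.test",
     "country": "US", "result": "success"},                      # allowed country
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate_new_account_foreign_logins(events, window=WINDOW, allowed=ALLOWED_COUNTRIES):
    """Return {account: [(minutes_since_creation, country, result), ...]} for sign-in
    attempts from non-allowed countries that fall within `window` of the account's
    creation. Blocked attempts are kept on purpose: the block is the control working,
    the valid credentials from abroad are what needs escalation."""
    created = {e["account"]: _parse(e["ts"]) for e in events if e["type"] == "account_created"}
    hits = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] != "sign_in" or e.get("country") in allowed:
            continue
        creation = created.get(e["account"])
        if creation is None:
            continue
        age = _parse(e["ts"]) - creation
        if timedelta(0) <= age <= window:
            minutes = int(age.total_seconds() // 60)
            hits.setdefault(e["account"], []).append((minutes, e["country"], e["result"]))
    return hits


if __name__ == "__main__":
    for acct, attempts in correlate_new_account_foreign_logins(SAMPLE_EVENTS).items():
        print(f"ALERT {acct}: {len(attempts)} foreign sign-in attempt(s) within 15 min of creation")
        for minutes, country, result in attempts:
            print(f"  +{minutes} min from {country}: {result}")
```

In a real tenant the same correlation would run over the directory audit log (account creation) joined to the sign-in log, which is exactly the data the complaint says had been exempted from logging for the new accounts.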
According to Berulis, the naming structure of one Microsoft user account connected to the suspicious activity suggested it had been created and later deleted for DOGE use in the NLRB’s cloud systems: “DogeSA_2d5c3e0446f9@nlrb.microsoft.com.” He also found other new Microsoft cloud administrator accounts with nonstandard usernames, including “Whitesox, Chicago M.” and “Dancehall, Jamaica R.”
On March 5, Berulis documented that a large section of logs for recently created network resources were missing, and a network watcher in Microsoft Azure was set to the “off” state, meaning it was no longer collecting and recording data like it should have.
Berulis said he discovered someone had downloaded three external code libraries from GitHub that neither NLRB nor its contractors ever use. A “readme” file in one of the code bundles explained it was created to rotate connections through a large pool of cloud Internet addresses that serve “as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.” Brute force attacks involve automated login attempts that try many credential combinations in rapid sequence.
The complaint alleges that by March 17 it became clear the NLRB no longer had the resources or network access needed to fully investigate the odd activity from the DOGE accounts, and that on March 24, the agency’s associate chief information officer had agreed the matter should be reported to US-CERT. Operated by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), US-CERT provides on-site cyber incident response capabilities to federal and state agencies.
But Berulis said that between April 3 and 4, he and the associate CIO were informed that “instructions had come down to drop the US-CERT reporting and investigation and we were directed not to move forward or create an official report.” Berulis said it was at this point he decided to go public with his findings.
Tim Bearese, the NLRB’s acting press secretary, told NPR that DOGE neither requested nor received access to its systems, and that “the agency conducted an investigation after Berulis raised his concerns but ‘determined that no breach of agency systems occurred.’” The NLRB did not respond to questions from KrebsOnSecurity.
Nevertheless, Berulis has shared a number of supporting screenshots showing agency email discussions about the unexplained account activity attributed to the DOGE accounts, as well as NLRB security alerts from Microsoft about network anomalies observed during the timeframes described.
As CNN reported last month, the NLRB has been effectively hobbled since President Trump fired three board members, leaving the agency without the quorum it needs to function.
“Despite its limitations, the agency had become a thorn in the side of some of the richest and most powerful people in the nation — notably Elon Musk, Trump’s key supporter both financially and arguably politically,” CNN wrote.
Both Amazon and Musk’s SpaceX have been suing the NLRB over complaints the agency filed in disputes about workers’ rights and union organizing, arguing that the NLRB’s very existence is unconstitutional. On March 5, a U.S. appeals court unanimously rejected Musk’s claim that the NLRB’s structure somehow violates the Constitution.
Berulis shared screenshots with KrebsOnSecurity showing that on the day NPR published its story about his claims (April 14), the deputy CIO at NLRB sent an email stating that administrative control had been removed from all employee accounts. That meant none of the IT employees at the agency could suddenly do their jobs properly anymore, Berulis said.
Berulis shared a screenshot of an agency-wide email dated April 16 from NLRB director Lasharn Hamilton saying DOGE officials had requested a meeting, and reiterating claims that the agency had no prior “official” contact with any DOGE personnel. The message informed NLRB employees that two DOGE representatives would be detailed to the agency part-time for several months.
Berulis told KrebsOnSecurity he was in the process of filing a support ticket with Microsoft to request more information about the DOGE accounts when his network administrator access was restricted. Now, he’s hoping lawmakers will ask Microsoft to provide more information about what really happened with the accounts.
“That would give us way more insight,” he said. “Microsoft has to be able to see the picture better than we can. That’s my goal, anyway.”
Berulis’s attorney told lawmakers that on April 7, while his client and legal team were preparing the whistleblower complaint, someone physically taped a threatening note to Mr. Berulis’s home door with photographs — taken via drone — of him walking in his neighborhood.
“The threatening note made clear reference to this very disclosure he was preparing for you, as the proper oversight authority,” reads a preface by Berulis’s attorney Andrew P. Bakaj. “While we do not know specifically who did this, we can only speculate that it involved someone with the ability to access NLRB systems.”
Berulis said the response from friends, colleagues and even the public has been largely supportive, and that he doesn’t regret his decision to come forward.
“I didn’t expect the letter on my door or the pushback from [agency] leaders,” he said. “If I had to do it over, would I do it again? Yes, because it wasn’t really even a choice the first time.”
For now, Mr. Berulis is taking some paid family leave from the NLRB. Which is just as well, he said, considering he was stripped of the tools needed to do his job at the agency.
“They came in and took full administrative control and locked everyone out, and said limited permission will be assigned on a need basis going forward,” Berulis said of the DOGE employees. “We can’t really do anything, so we’re literally getting paid to count ceiling tiles.”
...
Read the original on krebsonsecurity.com »
Dealing with open source software, I regularly encounter many kinds of licenses — MIT, Apache, BSD, GPL being the most prominent — and I’ve taken time out to read them. Of the many, the GNU General Public License (GPL) stands out the most. It reads like a letter to the reader rather than legalese, and feels quite in tune with the spirit of open source and software freedom.
Although GPLv3 is the most current version, I commonly encounter software that makes use of GPLv2. I got curious about the last line in its license notice:
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
Why does this license notice have a physical address, and not a URL? After all, even though the full license doesn’t often get included with software, it’s a simple matter to do a search and find the text of the GPLv2. Do people write to this address, and what happens if you do?
I turned to the Open Source Stack Exchange and got a very helpful answer. It’s because the GPLv2 was published in 1991, and most people were not online. Most people would have acquired software through physical media (such as tape or floppies) rather than a download.
Considering the storage constraints back then, it wouldn’t be surprising if developers only included the license notice, and not the entire license. It makes sense that the most common form of communication would have been through post.
The GPLv3, published in 2007, does contain a URL in the license notice since Internet usage was more widespread at the time.
I decided to write to the address to see what would happen. To do that, I would need some stamps and envelopes (I found one at my workplace) to send the request, and a self-addressed envelope with an international reply coupon to cover the cost of the reply.
I was disappointed to find out that the UK’s Royal Mail discontinued international reply coupons in 2011. The only alternative that I could think of was to buy some US stamps.
The easiest place to look for US stamps was on Ebay. I didn’t realize that I was stepping briefly into the world of philately; most stamp listings on Ebay were covered in phrases and terminology such as very fine grade, MNH (Mint Never Hinged), FDC (First Day Cover), NDC (No Die Cut), NDN (Nondenominated), and so on. It’s pretty easy to glean that these are properties that collectors would be looking for.
I ordered what seemed to be a ‘global’ stamp, for the smallest but safest amount that I could (about £3.86). The listing mentioned that it was ‘uncertified’, which was mildly unnerving: did that mean it was an invalid stamp? I decided to chance it, and quickly exited that world.
After a few weeks of waiting, I eventually received the ‘African Daisy global forever vert pair’ stamp, which was round! I should have noticed that the seller sent me the item using stamps at a much lower denomination than those I had ordered. Oh well.
With the self addressed envelope ready, I wrote the request and addressed it to the GPLv2 address. Luckily I did have some UK stamps available to send the letter with.
Writing the address on the envelope was awkward, as I haven’t used a pen in several years; it took a few attempts and some wasted envelopes, and printing the address would have taken less time. But it was ready, so I posted it in my nearest Royal Mail box.
I had posted the letter in June 2022 and about five weeks later, I received a reply. The round stamps looked sufficiently stamped upon with wavy lines, known as cancellation marks, which are yet another thing that philatelists like to collect!
Anyway the letter inside contained the full license text on 5 sheets of double-sided paper.
The first thing that caught my attention was that the paper the text was printed on wasn’t A4; it was smaller and not a size I was familiar with. I measured it and found that it’s US letter size paper, about 21.5cm x 27.9cm. I completely forgot that the US, Canada, and a few other countries don’t follow the standard international paper sizes, even though I had written about it earlier.
There was a problem that I noticed right away, though: this text was from the GPL v3, not the GPL v2. In my original request I had never mentioned the GPL version I was asking about.
The original license notice makes no mention of the GPL version either. Should the fact that the license notice contained an address have been enough metadata, or a clue, that I was actually requesting the GPLv2 license? Or should I have mentioned that I was seeking the GPLv2 license?
I could pursue this by writing again and requesting the right thing, but it would take too much effort to follow up on, and I’m overall satisfied with what I received. As a postal introvert, I will now need a long period of rest to recoup.
...
Read the original on code.mendhak.com »