Tech news related to free and open source software
Edited 2 days ago

Democrats Infringe on Open Source, Legislate Spyware

Adafruit, the maker-focused electronics design house and manufacturer based in New York, keeps finding that it needs to defend open source from busybody politicians. Last month, the outwardly non-political, tech-focused company spoke out against New York Mayor Mamdani’s misinformed actions against Raspberry Pis.

Now Adafruit is speaking out against proposed legislation in Democratically-controlled Colorado that would require Linux and other open source operating systems to implement unsound age-verification practices. The Electronic Frontier Foundation maintains a website on the perils of age-verification technology.

Adafruit’s blog post also points out other recent challenges to makers and 3D printing, highlighting legislation in the Democratically-controlled states of New York and California that would limit 3D printers from printing parts that are somehow deemed usable in firearms. Adafruit is correct in asserting that such laws do not work, infringe on other uses of 3D printing technology, and drive up the costs and legal risks for maker-focused manufacturers and hobbyists.


Hundreds of Malicious OpenClaw Skills Discovered

OpenClaw is a self-hosted personal AI assistant that is all the rage lately. However, its centralized skills repository, ClawHub, has been found to have 314 malicious AI skills to be used in malware campaigns and other compromises.

Indications are that the malicious AI skills uploaded to ClawHub are not just one-off attacks but are a “systemic threat” to OpenClaw and ClawHub.

These AI skills appear as legitimate agents, but are intended to exfiltrate data, install backdoors, and execute other compromises.

As predicted, OpenClaw is an opsec nightmare.


237 Repos Hit with AI Hallucinated NPM Vulnerability

Charlie Eriksen of Aikido Security discovered an npx command that was hallucinated by Artificial Intelligence and found its way into 237 GitHub repositories.

The command, “npx react-codeshift”, has never existed, yet it replicated in so many code bases due to AI hallucinations.

The package for the command did not exist, so Charlie claimed the package before a bad actor could, thus preventing what could have been a very damaging exploit.

This incident highlights the need for humans to double check the output of AI.
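One way to catch this class of problem in your own repository, as an added example that is not part of the original post or of Aikido's research: scan documentation and CI files for `npx` invocations and flag any package that is not a declared dependency, since `npx` would fetch such a name from the registry from whoever owns it. The file names, the package.json contents and `@acme/build-tool` are constructed sample inputs.

```javascript
// Constructed sample inputs: file contents from a hypothetical repository.
const sampleFiles = {
  "README.md": "Migrate with:\n\n    npx react-codeshift ./src\n",
  "docs/setup.md": "Run `npx --yes eslint@9 .` then `npx -p typescript tsc --noEmit`.",
  ".github/workflows/ci.yml": "      - run: npx @acme/build-tool --ci\n",
};
// Constructed package.json for the same repository.
const samplePackageJson = {
  devDependencies: { eslint: "^9.0.0", typescript: "^5.0.0" },
};

// Strip a version suffix: "eslint@9" -> "eslint", "@acme/x@1.2" -> "@acme/x".
function stripVersion(spec) {
  const at = spec.indexOf("@", 1);
  return at === -1 ? spec : spec.slice(0, at);
}

// Return the package name that an "npx ..." argument list would fetch.
function packageFromArgs(args) {
  for (let i = 0; i < args.length; i++) {
    const a = args[i];
    if (a === "-p" || a === "--package") return args[i + 1] ? stripVersion(args[i + 1]) : null;
    if (a.startsWith("--package=")) return stripVersion(a.slice("--package=".length));
    if (a.startsWith("-")) continue; // other flags such as --yes
    return stripVersion(a);
  }
  return null;
}

// List every npx invocation whose package is not a declared dependency.
function findUndeclaredNpx(files, packageJson) {
  const declared = new Set([
    ...Object.keys(packageJson.dependencies || {}),
    ...Object.keys(packageJson.devDependencies || {}),
  ]);
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split("\n").forEach((line, idx) => {
      for (const m of line.matchAll(/\bnpx\s+([^`|;&\n]+)/g)) {
        const pkg = packageFromArgs(m[1].trim().split(/\s+/));
        if (pkg && !declared.has(pkg)) findings.push({ path, line: idx + 1, pkg });
      }
    });
  }
  return findings;
}

console.log(findUndeclaredNpx(sampleFiles, samplePackageJson));
```

Each finding still needs a human check against the registry: an undeclared name may be a legitimate tool, or it may be a name that does not exist yet and can be claimed by anyone.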


ISP Goes Bankrupt Because Rats Keep Chewing Through Their Fiber

UK internet service provider G.Network has gone bankrupt in part because rats keep chewing through their fiber optic cables made with biodegradable sheathing composed of soy and corn substances.

FitzWalter Capital, the private equity firm who owns G.Network, was attempting to unload the business on Community Fibre. However, Community Fibre backed out of the deal upon learning of G.Network’s underground rodent snacks.


Cloudflare Makes a Post-Quantum Matrix Server

Ok. Cloudflare did not do it, but one of their employees did it as a side-project and the results are impressive.

Nick Kuntz ported the Matrix server Synapse to Cloudflare infrastructure, making it serverless. And as a side benefit, every connection to this Cloudflare-hosted Matrix home server can take advantage of post-quantum cryptography.

The code is available on GitHub under the MIT license.


Microsoft Hijacks Example.com

For six years, Microsoft has been rerouting example.com to a company in Japan according to tinyapps.org and first reported on 1 January. Assessment of the damage is unknown, but configurations of email services that used example.com were being incorrectly set to the services of Sumitomo Electric at sei.co.jp. According to ArsTechnica, it appears any credentials used with this configuration were sent to Sumitomo Electric.

According to the ArsTechnica article, it does appear Microsoft is now aware of the problem and has taken steps to correct the issue.


Lingering Vulnerability In Telnetd Found

A recently discovered vulnerability in the GNU InetUtils telnetd server has just been revealed. The bug allows a user to obtain root access by passing in a simple environment variable.

Though recently revealed, the bug has been in the code since 2015.

“Do not run a telnetd server at all,” advises Simon Josefsson, one of the patch submitters.


New Raspberry Pi AI HAT +2

The Raspberry Pi has introduced the new AI Hat +2, an AI co-processor and add-on board, featuring the Hailo-10H neural network accelerator and 8GB of dedicated on-board RAM. With this new AI board, generative AI workloads may be offloaded from the main CPU onto the Hailo-10H.

The product is available now for $130.


Italy Moves to Censor DNS

The Italian government has fined Cloudflare 14 million euros for defying its order to censor Cloudflare’s public DNS resolver, 1.1.1.1.

Cloudflare is appealing the fine, but is also considering abandoning all points of presence in Italy, including the withdrawal of millions of dollars of free cybersecurity services to the Olympics being hosted in Italy next month.


Anthropic Bans OpenCode

Anthropic has implemented new restrictions to prevent the use of their AI models with third-party applications, which means OpenCode – the popular open source coding agent and widely considered to be the most popular third-party AI coding tool.

Controversial developer David Heinemeier Hansson has called the move “Vintage Microsoft evil shit”, noting it is a “Terrible policy for a company built on training models on our code, our writing, our everything.”


The End of 2025 is the End of HP-UX

As of the end of 2025, Hewlett Packard Enterprise (HPE) will no longer support their proprietary Unix, HP-UX.

According to Stromasys:

It was the pioneering Unix operating system that introduced access-control lists for file access permissions. It provides an alternative to the traditional Unix permission system. Additionally, HP-UX OS was one of the early Unix systems to integrate a built-in logical volume manager.


Adafruit Speaks Out Against Mamdani RPi Ban

New York-based Adafruit, a legendary company in the maker and electronics-education industry, has posted about the Flipper Zero and Raspberry Pi ban at the inauguration for NYC Mayor Zohran Mamdani.

Raspberry Pi is a general-purpose single-board computer. It shows up in classrooms, newsrooms, accessibility rigs, art installations, and civic tech demos. Flipper Zero is a consumer electronics testing tool, but its functional territory overlaps heavily with laptops, smartphones, radios, and microcontrollers that remain perfectly legal to carry. If the concern is electronic interference, signal disruption, or hacking, the policy does not say that. It gestures vaguely by naming a couple of gadgets and hoping the implication sticks. Curiosity is now contraband.

repeated
Edited 2 months ago

FFmpeg project issued a DMCA takedown of a Rockchip Linux repo, after 2 years of violation. They are defending open source code as per LGPL-2.1-or-later and GPL-2.0-or-later etc.

Repo https://github.com/rockchip-linux/mpp

More on https://xcancel.com/FFmpeg/status/2004599109559496984

Rockchip copied lots of code from ffmpeg to its mpp video acceleration lib and applied another license over the code. They refused to give credit and remove that code etc. That is the gist of it.


Qualcomm Buys RISC-V Chip Designer

Qualcomm has purchased Ventana, a RISC-V chip design firm aimed at the datacenter-class processor market.

Ventana holds 48 patents on processor designs, leading to speculation that Qualcomm is interested in IPR defense as they strengthen their datacenter-class products.

Given Qualcomm’s ongoing legal battle with Arm Limited, this may also signal the company’s pivot away from an unencumbered CPU architecture.


System76 Ships the COSMIC Desktop

System76 has signaled that the COSMIC Desktop has now reached its first stable version, dubbed the COSMIC Desktop Environment Epoch 1, with its inclusion in Pop!_OS 24.04 LTS.

System76 notes that development of the COSMIC Desktop was funded entirely through sales of System76 hardware.

COSMIC is also written in #Rust, giving certain reactionary segments of the tech community another reason to shake their fists at the sky.

Edited 2 months ago

Campbell’s Fires Whistle-blower, CISO Epically Screws Up

Campbell’s, the soup company, fired an IT analyst for reporting derogatory and racist remarks made by the company’s Chief Information Security Officer (CISO).

From KTVU:

In the recording, a voice alleged to be Bally’s can be heard criticizing Campbell’s products and mocking its consumers.

“We have s— for f—ing poor people. Who buys our s—? I don’t buy Campbell’s products barely anymore,” the voice allegedly belonging to Bally can be heard saying.

“Bioengineered meat — I don’t wanna eat a piece of chicken that came from a 3-D printer,” Bally allegedly says, belittling Campbell’s soup ingredients.

He also allegedly made derogatory comments about Indian coworkers and – according to the recording – claimed he sometimes came to work under the influence of marijuana.

“F—ing Indians don’t know a f—ing thing,” the voice on the recording says. “They couldn’t think for their f—ing selves.”

According to the Washington Post, Campbell’s Company has now fired their CISO after the recordings were made public from a lawsuit by the fired whistle-blower and IT analyst.

#it #ciso #whistleblower


GrapheneOS Exiled From France

The GrapheneOS project has announced that they have moved all their server infrastructure (e.g. Mastodon, Matrix) out of France for fear of government prosecution, and that developers for the project should no longer travel to France to avoid arrest. This comes as a reaction to the French interpretation of the European Union Chat Control

#grapheneos #france

Edited 3 months ago

Massive NPM Worm Attack

GitLab has discovered an NPM worm that is impacting a massive number of Git repositories and npm projects, exfiltrating sensitive data such as cloud API keys and other security credentials.

According to Wiz, the scope of the attack is massive:

  • 27% of code and cloud environments
  • 700 npm packages
  • 25,000 git repositories
  • 500 GitHub users
  • 775 compromised GitHub access tokens
  • 373 AWS credentials
  • 300 GCP credentials
  • 115 Azure credentials

#npm #javascript #git


BentoPDF

The release notes for BentoPDF v1.7.4 contain trojan horse API keys to the OpenAI, Anthropic, and Gemini platforms that link to a RickRoll.

Edited 3 months ago

The ZBT-2

Home Assistant has released the Home Assistant Connect ZBT-2, the successor to the ZBT-1. The ZBT-2 has a USB adapter and a precisely tuned antenna for connecting Zigbee, Thread, or Matter networks to Home Assistant. It is available immediately at a cost of $49.
