Pluralistic

Back to top

Pluralistic: The Reverse-Centaur’s Guide to Criticizing AI (05 Dec 2025)
Today's links The Reverse Centaur’s Guide to Criticizing AI: My speech for U Washington's Neuroscience, AI and Society lecture series. Hey look at this: Delights to delectate. Object permanence: Pac Man ghost algorithms; The US wrote Spain's copyright law; Illinois makes prisoners rent their cells; "Urban Transport Without the Hot Air"; "Ministry for the Future": Canada sues Google; In defense of 230; NYPD racist murder postmortem; Student debt trap; "That makes me smart." Upcoming appearances: Where to find me. Recent appearances: Where I've been. Latest books: You keep readin' em, I'll keep writin' 'em. Upcoming books: Like I said, I'll keep writin' 'em. Colophon: All the rest. The Reverse Centaur’s Guide to Criticizing AI (permalink) Last night, I gave a speech for the University of Washington's "Neuroscience, AI and Society" lecture series, through the university's Computational Neuroscience Center. It was called "The Reverse Centaur’s Guide to Criticizing AI," and it's based on the manuscript for my next book, "The Reverse Centaur’s Guide to Life After AI," which will be out from Farrar, Straus and Giroux next June: https://www.eventbrite.com/e/future-tense-neuroscience-ai-and-society-with-cory-doctorow-tickets-1735371255139 The talk was sold out, but here's the text of my lecture. I'm very grateful to UW for the opportunity, and for a lovely visit to Seattle! == I'm a science fiction writer, which means that my job is to make up futuristic parables about our current techno-social arrangements to interrogate not just what a gadget does, but who it does it for, and who it does it to. What I don't do is predict the future. No one can predict the future, which is a good thing, since if the future were predictable, that would mean that what we all do couldn't change it. It would mean that the future was arriving on fixed rails and couldn't be steered. Jesus Christ, what a miserable proposition! Now, not everyone understands the distinction. They think sf writers are oracles, soothsayers. Unfortunately, even some of my colleagues labor under the delusion that they can "see the future." But for every sf writer who deludes themselves into thinking that they are writing the future, there are a hundred sf fans who believe that they are reading the future, and a depressing number of those people appear to have become AI bros. The fact that these guys can't shut up about the day that their spicy autocomplete machine will wake up and turn us all into paperclips has led many confused journalists and conference organizers to try to get me to comment on the future of AI. That's a thing I strenuously resisted doing, because I wasted two years of my life explaining patiently and repeatedly why I thought crypto was stupid, and getting relentless bollocked by cryptocurrency cultists who at first insisted that I just didn't understand crypto. And then, when I made it clear that I did understand crypto, insisted that I must be a paid shill. This is literally what happens when you argue with Scientologists, and life is Just. Too. Short. So I didn't want to get lured into another one of those quagmires, because on the one hand, I just don't think AI is that important of a technology, and on the other hand, I have very nuanced and complicated views about what's wrong, and not wrong, about AI, and it takes a long time to explain that stuff. But people wouldn't stop asking, so I did what I always do. I wrote a book. Over the summer I wrote a book about what I think about AI, which is really about what I think about AI criticism, and more specifically, how to be a good AI critic. By which I mean: "How to be a critic whose criticism inflicts maximum damage on the parts of AI that are doing the most harm." I titled the book The Reverse Centaur's Guide to Life After AI, and Farrar, Straus and Giroux will publish it in June, 2026. But you don't have to wait until then because I am going to break down the entire book's thesis for you tonight, over the next 40 minutes. I am going to talk fast. # Start with what a reverse centaur is. In automation theory, a "centaur" is a person who is assisted by a machine. You're a human head being carried around on a tireless robot body. Driving a car makes you a centaur, and so does using autocomplete. And obviously, a reverse centaur is machine head on a human body, a person who is serving as a squishy meat appendage for an uncaring machine. Like an Amazon delivery driver, who sits in a cabin surrounded by AI cameras, that monitor the driver's eyes and take points off if the driver looks in a proscribed direction, and monitors the driver's mouth because singing isn't allowed on the job, and rats the driver out to the boss if they don't make quota. The driver is in that van because the van can't drive itself and can't get a parcel from the curb to your porch. The driver is a peripheral for a van, and the van drives the driver, at superhuman speed, demanding superhuman endurance. But the driver is human, so the van doesn't just use the driver. The van uses the driver up. Obviously, it's nice to be a centaur, and it's horrible to be a reverse centaur. There are lots of AI tools that are potentially very centaur-like, but my thesis is that these tools are created and funded for the express purpose of creating reverse-centaurs, which is something none of us want to be. But like I said, the job of an sf writer is to do more than think about what the gadget does, and drill down on who the gadget does it for and who the gadget does it to. Tech bosses want us to believe that there is only one way a technology can be used. Mark Zuckerberg wants you to think that it's technologically impossible to have a conversation with a friend without him listening in. Tim Cook wants you to think that it's technologically impossible for you to have a reliable computing experience unless he gets a veto over which software you install and without him taking 30 cents out of every dollar you spend. Sundar Pichai wants you think that it's impossible for you to find a webpage unless he gets to spy on you from asshole to appetite. This is all a kind of vulgar Thatcherism. Margaret Thatcher's mantra was "There is no alternative." She repeated this so often they called her "TINA" Thatcher: There. Is. No. Alternative. TINA. "There is no alternative" is a cheap rhetorical slight. It's a demand dressed up as an observation. "There is no alternative" means "STOP TRYING TO THINK OF AN ALTERNATIVE." Which, you know, fuck that. I'm an sf writer, my job is to think of a dozen alternatives before breakfast. So let me explain what I think is going on here with this AI bubble, and sort out the bullshit from the material reality, and explain how I think we could and should all be better AI critics. # Start with monopolies: tech companies are gigantic and they don't compete, they just take over whole sectors, either on their own on in cartels. Google and Meta control the ad market. Google and Apple control the mobile market, and Google pays Apple more than $20 billion/year not to make a competing search engine, and of course, Google has a 90% Search market-share. Now, you'd think that this was good news for the tech companies, owning their whole sector. But it's actually a crisis. You see, when a company is growing, it is a "growth stock," and investors really like growth stocks. When you buy a share in a growth stock, you're making a bet that it will continue to grow. So growth stocks trade at a huge multiple of their earnings. This is called the "price to earnings ratio" or "P/E ratio." But once a company stops growing, it is a "mature" stock, and it trades at a much lower P/E ratio. So for ever dollar that Target – a mature company – brings in, it is worth ten dollars. It has a P/E ratio of 10, while Amazon has a P/E ratio of 36, which means that for every dollar Amazon brings in, the market values it at $36. It's wonderful to run a company that's got a growth stock. Your shares are as good as money. If you want to buy another company, or hire a key worker, you can offer stock instead of cash. And stock is very easy for companies to get, because shares are manufactured right there on the premises, all you have to do is type some zeroes into a spreadsheet, while dollars are much harder to come by. A company can only get dollars from customers or creditors. So when Amazon bids against Target for a key acquisition, or a key hire, Amazon can bid with shares they make by typing zeroes into a spreadsheet, and Target can only bid with dollars they get from selling stuff to us, or taking out loans. which is why Amazon generally wins those bidding wars. That's the upside of having a growth stock. But here's the downside: eventually a company has to stop growing. Like, say you get a 90% market share in your sector, how are you gonna grow? Once the market decides that you aren't a growth stock, once you become mature, your stocks are revalued, to a P/E ratio befitting a mature stock. If you are an exec at a dominant company with a growth stock, you have to live in constant fear that the market will decide that you're not likely to grow any further. Think of what happened to Facebook in the first quarter of 2022. They told investors that they experienced slightly slower growth in the USA than they had anticipated, and investors panicked. They staged a one-day, $240B sell off. A quarter-trillion dollars in 24 hours! At the time, it was the largest, most precipitous drop in corporate valuation in human history. That's a monopolist's worst nightmare, because once you're presiding over a "mature" firm, the key employees you've been compensating with stock, experience a precipitous pay-drop and bolt for the exits, so you lose the people who might help you grow again, and you can only hire their replacements with dollars. With dollars, not shares. And the same goes for acquiring companies that might help you grow, because they, too, are going to expect money, not stock. This is the paradox of the growth stock. While you are growing to domination, the market loves you, but once you achieve dominance, the market lops 75% or more off your value in a single stroke if they don't trust your pricing power. Which is why growth stock companies are always desperately pumping up one bubble or another, spending billions to hype the pivot to video, or cryptocurrency, or NFTs, or Metaverse, or AI. I'm not saying that tech bosses are making bets they don't plan on winning. But I am saying that winning the bet – creating a viable metaverse – is the secondary goal. The primary goal is to keep the market convinced that your company will continue to grow, and to remain convinced until the next bubble comes along. So this is why they're hyping AI: the material basis for the hundreds of billions in AI investment. # Now I want to talk about how they're selling AI. The growth narrative of AI is that AI will disrupt labor markets. I use "disrupt" here in its most disreputable, tech bro sense The promise of AI – the promise AI companies make to investors – is that there will be AIs that can do your job, and when your boss fires you and replaces you with AI, he will keep half of your salary for himself, and give the other half to the AI company. That's it. That's the $13T growth story that MorganStanley is telling. It's why big investors and institutionals are giving AI companies hundreds of billions of dollars. And because they are piling in, normies are also getting sucked in, risking their retirement savings and their family's financial security. Now, if AI could do your job, this would still be a problem. We'd have to figure out what to do with all these technologically unemployed people. But AI can't do your job. It can help you do your job, but that doesn't mean it's going to save anyone money. Take radiology: there's some evidence that AIs can sometimes identify solid-mass tumors that some radiologists miss, and look, I've got cancer. Thankfully, it's very treatable, but I've got an interest in radiology being as reliable and accurate as possible If my Kaiser hospital bought some AI radiology tools and told its radiologists: "Hey folks, here's the deal. Today, you're processing about 100 x-rays per day. From now on, we're going to get an instantaneous second opinion from the AI, and if the AI thinks you've missed a tumor, we want you to go back and have another look, even if that means you're only processing 98 x-rays per day. That's fine, we just care about finding all those tumors." If that's what they said, I'd be delighted. But no one is investing hundreds of billions in AI companies because they think AI will make radiology more expensive, not even if it that also makes radiology more accurate. The market's bet on AI is that an AI salesman will visit the CEO of Kaiser and make this pitch: "Look, you fire 9/10s of your radiologists, saving $20m/year, you give us $10m/year, and you net $10m/year, and the remaining radiologists' job will be to oversee the diagnoses the AI makes at superhuman speed, and somehow remain vigilant as they do so, despite the fact that the AI is usually right, except when it's catastrophically wrong. "And if the AI misses a tumor, this will be the human radiologist's fault, because they are the 'human in the loop.' It's their signature on the diagnosis." This is a reverse centaur, and it's a specific kind of reverse-centaur: it's what Dan Davies calles an "accountability sink." The radiologist's job isn't really to oversee the AI's work, it's to take the blame for the AI's mistakes. This is another key to understanding – and thus deflating – the AI bubble. The AI can't do your job, but an AI salesman can convince your boss to fire you and replace you with an AI that can't do your job. This is key because it helps us build the kinds of coalitions that will be successful in the fight against the AI bubble. If you're someone who's worried about cancer, and you're being told that the price of making radiology too cheap to meter, is that we're going to have to re-home America's 32,000 radiologists, with the trade-off that no one will every be denied radiology services again, you might say, "Well, OK, I'm sorry for those radiologists, and I fully support getting them job training or UBI or whatever. But the point of radiology is to fight cancer, not to pay radiologists, so I know what side I'm on." AI hucksters and their customers in the C-suites want the public on their side. They want to forge a class alliance between AI deployers and the people who enjoy the fruits of the reverse centaurs' labor. They want us to think of ourselves as enemies to the workers. Now, some people will be on the workers' side because of politics or aesthetics. They just like workers better than their bosses. But if you want to win over all the people who benefit from your labor, you need to understand and stress how the products of the AI will be substandard. That they are going to get charged more for worse things. That they have a shared material interest with you. Will those products be substandard? There's every reason to think so. Earlier, I alluded to "automation blindness, "the physical impossibility of remaining vigilant for things that rarely occur. This is why TSA agents are incredibly good at spotting water bottles. Because they get a ton of practice at this, all day, every day. And why they fail to spot the guns and bombs that government red teams smuggle through checkpoints to see how well they work, because they just don't have any practice at that. Because, to a first approximation, no one deliberately brings a gun or a bomb through a TSA checkpoint. Automation blindness is the Achilles' heel of "humans in the loop." Think of AI software generation: there are plenty of coders who love using AI, and almost without exception, they are senior, experienced coders, who get to decide how they will use these tools. For example, you might ask the AI to generate a set of CSS files to faithfully render a web-page across multiple versions of multiple browsers. This is a notoriously fiddly thing to do, and it's pretty easy to verify if the code works – just eyeball it in a bunch of browsers. Or maybe the coder has a single data file they need to import and they don't want to write a whole utility to convert it. Tasks like these can genuinely make coders more efficient and give them more time to do the fun part of coding, namely, solving really gnarly, abstract puzzles. But when you listen to business leaders talk about their AI plans for coders, it's clear they're not looking to make some centaurs. They want to fire a lot of tech workers – 500,000 over the past three years – and make the rest pick up their work with coding, which is only possible if you let the AI do all the gnarly, creative problem solving, and then you do the most boring, soul-crushing part of the job: reviewing the AIs' code. And because AI is just a word guessing program, because all it does is calculate the most probable word to go next, the errors it makes are especially subtle and hard to spot, because these bugs are literally statistically indistinguishable from working code (except that they're bugs). Here's an example: code libraries are standard utilities that programmers can incorporate into their apps, so they don't have to do a bunch of repetitive programming. Like, if you want to process some text, you'll use a standard library. If it's an HTML file, that library might be called something like lib.html.text.parsing; and if it's a DOCX file, it'll be lib.docx.text.parsing. But reality is messy, humans are inattentive and stuff goes wrong, so sometimes, there's another library, this one for parsing PDFs, and instead of being called lib.pdf.text.parsing, it's called lib.text.pdf.parsing. Now, because the AI is a statistical inference engine, because all it can do is predict what word will come next based on all the words that have been typed in the past, it will "hallucinate" a library called lib.pdf.text.parsing. And the thing is, malicious hackers know that the AI will make this error, so they will go out and create a library with the predictable, hallucinated name, and that library will get automatically sucked into your program, and it will do things like steal user data or try and penetrate other computers on the same network. And you, the human in the loop – the reverse centaur – you have to spot this subtle, hard to find error, this bug that is literally statistically indistinguishable from correct code. Now, maybe a senior coder could catch this, because they've been around the block a few times, and they know about this tripwire. But guess who tech bosses want to preferentially fire and replace with AI? Senior coders. Those mouthy, entitled, extremely highly paid workers, who don't think of themselves as workers. Who see themselves as founders in waiting, peers of the company's top management. The kind of coder who'd lead a walkout over the company building drone-targeting systems for the Pentagon, which cost Google ten billion dollars in 2018. For AI to be valuable, it has to replace high-wage workers, and those are precisely the experienced workers, with process knowledge, and hard-won intuition, who might spot some of those statistically camouflaged AI errors. Like I said, the point here is to replace high-waged workers And one of the reasons the AI companies are so anxious to fire coders is that coders are the princes of labor. They're the most consistently privileged, sought-after, and well-compensated workers in the labor force. If you can replace coders with AI, who cant you replace with AI? Firing coders is an ad for AI. Which brings me to AI art. AI art – or "art" – is also an ad for AI, but it's not part of AI's business model. Let me explain: on average, illustrators don't make any money. They are already one of the most immiserated, precartized groups of workers out there. They suffer from a pathology called "vocational awe." That's a term coined by the librarian Fobazi Ettarh, and it refers to workers who are vulnerable to workplace exploitation because they actually care about their jobs – nurses, librarians, teachers, and artists. If AI image generators put every illustrator working today out of a job, the resulting wage-bill savings would be undetectable as a proportion of all the costs associated with training and operating image-generators. The total wage bill for commercial illustrators is less than the kombucha bill for the company cafeteria at just one of Open AI's campuses. The purpose of AI art – and the story of AI art as a death-knell for artists – is to convince the broad public that AI is amazing and will do amazing things. It's to create buzz. Which is not to say that it's not disgusting that former OpenAI CTO Mira Murati told a conference audience that "some creative jobs shouldn't have been there in the first place," and that it's not especially disgusting that she and her colleagues boast about using the work of artists to ruin those artists' livelihoods. It's supposed to be disgusting. It's supposed to get artists to run around and say, "The AI can do my job, and it's going to steal my job, and isn't that terrible?" Because the customers for AI – corporate bosses – don't see AI taking workers' jobs as terrible. They see it as wonderful. But can AI do an illustrator's job? Or any artist's job? Let's think about that for a second. I've been a working artist since I was 17 years old, when I sold my first short story, and I've given it a lot of thought, and here's what I think art is: it starts with an artist, who has some vast, complex, numinous, irreducible feeling in their mind. And the artist infuses that feeling into some artistic medium. They make a song, or a poem, or a painting, or a drawing, or a dance, or a book, or a photograph. And the idea is, when you experience this work, a facsimile of the big, numinous, irreducible feeling will materialize in your mind. Now that I've defined art, we have to go on a little detour. I have a friend who's a law professor, and before the rise of chatbots, law students knew better than to ask for reference letters from their profs, unless they were a really good student. Because those letters were a pain in the ass to write. So if you advertised for a postdoc and you heard from a candidate with a reference letter from a respected prof, the mere existence of that letter told you that the prof really thought highly of that student. But then we got chatbots, and everyone knows that you generate a reference letter by feeding three bullet points to an LLM, and it'll barf up five paragraphs of florid nonsense about the student. So when my friend advertises for a postdoc, they are flooded with reference letters, and they deal with this flood by feeding all these letters to another chatbot, and ask it to reduce them back to three bullet points. Now, obviously, they won't be the same bullet-points, which makes this whole thing terrible. But just as obviously, nothing in that five-paragraph letter except the original three bullet points are relevant to the student. The chatbot doesn't know the student. It doesn't know anything about them. It cannot add a single true or useful statement about the student to the letter. What does this have to do with AI art? Art is a transfer of a big, numinous, irreducible feeling from an artist to someone else. But the image-gen program doesn't know anything about your big, numinous, irreducible feeling. The only thing it knows is whatever you put into your prompt, and those few sentences are diluted across a million pixels or a hundred thousand words, so that the average communicative density of the resulting work is indistinguishable from zero. It's possible to infuse more communicative intent into a work: writing more detailed prompts, or doing the selective work of choosing from among many variants, or directly tinkering with the AI image after the fact, with a paintbrush or Photoshop or The Gimp. And if there will ever be a piece of AI art that is good art – as opposed to merely striking, or interesting, or an example of good draftsmanship – it will be thanks to those additional infusions of creative intent by a human. And in the meantime, it's bad art. It's bad art in the sense of being "eerie," the word Mark Fisher uses to describe "when there is something present where there should be nothing, or is there is nothing present when there should be something." AI art is eerie because it seems like there is an intender and an intention behind every word and every pixel, because we have a lifetime of experience that tells us that paintings have painters, and writing has writers. But it's missing something. It has nothing to say, or whatever it has to say is so diluted that it's undetectable. The images were striking before we figured out the trick, but now they're just like the images we imagine in clouds or piles of leaves. We're the ones drawing a frame around part of the scene, we're the ones focusing on some contours and ignoring the others. We're looking at an inkblot, and it's not telling us anything. Sometimes that can be visually arresting, and to the extent that it amuses people in a community of prompters and viewers, that's harmless. I know someone who plays a weekly Dungeons and Dragons game over Zoom. It's transcribed by an open source model running locally on the dungeon master's computer, which summarizes the night's session and prompts an image generator to create illustrations of key moments. These summaries and images are hilarious because they're full of errors. It's a bit of harmless fun, and it bring a small amount of additional pleasure to a small group of people. No one is going to fire an illustrator because D&D players are image-genning funny illustrations where seven-fingered paladins wrestle with orcs that have an extra hand. But bosses have and will fire illustrators, because they fantasize about being able to dispense with creative professionals and just prompt an AI. Because even though the AI can't do the illustrator's job, an AI salesman can convince the illustrator's boss to fire them and replace them with an AI that can't do their job. This is a disgusting and terrible juncture, and we should not simply shrug our shoulders and accept Thatcherism's fatalism: "There is no alternative." So what is the alternative? A lot of artists and their allies think they have an answer: they say we should extend copyright to cover the activities associated with training a model. And I'm here to tell you they are wrong: wrong because this would inflict terrible collateral damage on socially beneficial activities, and it would represent a massive expansion of copyright over activities that are currently permitted – for good reason!. Let's break down the steps in AI training. First, you scrape a bunch of web-pages This is unambiguously legal under present copyright law. You do not need a license to make a transient copy of a copyrighted work in order to analyze it, otherwise search engines would be illegal. Ban scraping and Google will be the last search engine we ever get, the Internet Archive will go out of business, that guy in Austria who scraped all the grocery store sites and proved that the big chains were colluding to rig prices would be in deep trouble. Next, you perform analysis on those works. Basically, you count stuff on them: count pixels and their colors and proximity to other pixels; or count words. This is obviously not something you need a license for. It's just not illegal to count the elements of a copyrighted work. And we really don't want it to be, not if you're interested in scholarship of any kind. And it's important to note that counting things is legal, even if you're working from an illegally obtained copy. Like, if you go to the flea market, and you buy a bootleg music CD, and you take it home and you make a list of all the adverbs in the lyrics, and you publish that list, you are not infringing copyright by doing so. Perhaps you've infringed copyright by getting the pirated CD, but not by counting the lyrics. This is why Anthropic offered a $1.5b settlement for training its models based on a ton of books it downloaded from a pirate site: not because counting the words in the books infringes anyone's rights, but because they were worried that they were going to get hit with $150k/book statutory damages for downloading the files. OK, after you count all the pixels or the words, it's time for the final step: publishing them. Because that's what a model is: a literary work (that is, a piece of software) that embodies a bunch of facts about a bunch of other works, word and pixel distribution information, encoded in a multidimensional array. And again, copyright absolutely does not prohibit you from publishing facts about copyrighted works. And again, no one should want to live in a world where someone else gets to decide which truthful, factual statements you can publish. But hey, maybe you think this is all sophistry. Maybe you think I'm full of shit. That's fine. It wouldn't be the first time someone thought that. After all, even if I'm right about how copyright works now, there's no reason we couldn't change copyright to ban training activities, and maybe there's even a clever way to wordsmith the law so that it only catches bad things we don't like, and not all the good stuff that comes from scraping, analyzing and publishing. Well, even then, you're not gonna help out creators by creating this new copyright. If you're thinking that you can, you need to grapple with this fact: we have monotonically expanded copyright since 1976, so that today, copyright covers more kinds of works, grants exclusive rights over more uses, and lasts longer. And today, the media industry is larger and more profitable than it has ever been, and also: the share of media industry income that goes to creative workers is lower than its ever been, both in real terms, and as a proportion of those incredible gains made by creators' bosses at the media company. So how it is that we have given all these new rights to creators, and those new rights have generated untold billions, and left creators poorer? It's because in a creative market dominated by five publishers, four studios, three labels, two mobile app stores, and a single company that controls all the ebooks and audiobooks, giving a creative worker extra rights to bargain with is like giving your bullied kid more lunch money. It doesn't matter how much lunch money you give the kid, the bullies will take it all. Give that kid enough money and the bullies will hire an agency to run a global campaign proclaiming "think of the hungry kids! Give them more lunch money!" Creative workers who cheer on lawsuits by the big studios and labels need to remember the first rule of class warfare: things that are good for your boss are rarely what's good for you. The day Disney and Universal filed suit against Midjourney, I got a press release from the RIAA, which represents Disney and Universal through their recording arms. Universal is the largest label in the world. Together with Sony and Warner, they control 70% of all music recordings in copyright today. It starts: "There is a clear path forward through partnerships that both further AI innovation and foster human artistry." It ends: "This action by Disney and Universal represents a critical stand for human creativity and responsible innovation." And it's signed by Mitch Glazier, CEO of the RIAA. It's very likely that name doesn't mean anything to you. But let me tell you who Mitch Glazier is. Today, Mitch Glazier is the CEO if the RIAA, with an annual salary of $1.3m. But until 1999, Mitch Glazier was a key Congressional staffer, and in 1999, Glazier snuck an amendment into an unrelated bill, the Satellite Home Viewer Improvement Act, that killed musicians' right to take their recordings back from their labels. This is a practice that had been especially important to "heritage acts" (which is a record industry euphemism for "old music recorded by Black people"), for whom this right represented the difference between making rent and ending up on the street. When it became clear that Glazier had pulled this musician-impoverishing scam, there was so much public outcry, that Congress actually came back for a special session, just to vote again to cancel Glazier's amendment. And then Glazier was kicked out of his cushy Congressional job, whereupon the RIAA started paying more than $1m/year to "represent the music industry." This is the guy who signed that press release in my inbox. And his message was: The problem isn't that Midjourney wants to train a Gen AI model on copyrighted works, and then use that model to put artists on the breadline. The problem is that Midjourney didn't pay RIAA members Universal and Disney for permission to train a model. Because if only Midjourney had given Disney and Universal several million dollars for training right to their catalogs, the companies would have happily allowed them to train to their heart's content, and they would have bought the resulting models, and fired as many creative professionals as they could. I mean, have we already forgotten the Hollywood strikes? I sure haven't. I live in Burbank, home to Disney, Universal and Warner, and I was out on the line with my comrades from the Writers Guild, offering solidarity on behalf of my union, IATSE 830, The Animation Guild, where I'm a member of the writers' unit. And I'll never forget when one writer turned to me and said, "You know, you prompt an LLM exactly the same way an exec gives shitty notes to a writers' room. You know: 'Make me ET, except it's about a dog, and put a love interest in there, and a car chase in the second act.' The difference is, you say that to a writers' room and they all make fun of you and call you a fucking idiot suit. But you say it to an LLM and it will cheerfully shit out a terrible script that conforms exactly to that spec (you know, Air Bud)." These companies are desperate to use AI to displace workers. When Getty Images sues AI companies, it's not representing the interests of photographers. Getty hates paying photographers! Getty just wants to get paid for the training run, and they want the resulting AI model to have guardrails, so it will refuse to create images that compete with Getty's images for anyone except Getty. But Getty will absolutely use its models to bankrupt as many photographers as it possibly can. A new copyright to train models won't get us a world where models aren't used to destroy artists, it'll just get us a world where the standard contracts of the handful of companies that control all creative labor markets are updated to require us to hand over those new training rights to those companies. Demanding a new copyright just makes you a useful idiot for your boss, a human shield they can brandish in policy fights, a tissue-thin pretense of "won't someone think of the hungry artists?" When really what they're demanding is a world where 30% of the investment capital of the AI companies go into their shareholders' pockets. When an artist is being devoured by rapacious monopolies, does it matter how they divvy up the meal? We need to protect artists from AI predation, not just create a new way for artists to be mad about their impoverishment. And incredibly enough, there's a really simple way to do that. After 20+ years of being consistently wrong and terrible for artists' rights, the US Copyright Office has finally done something gloriously, wonderfully right. All through this AI bubble, the Copyright Office has maintained – correctly – that AI-generated works cannot be copyrighted, because copyright is exclusively for humans. That's why the "monkey selfie" is in the public domain. Copyright is only awarded to works of human creative expression that are fixed in a tangible medium. And not only has the Copyright Office taken this position, they've defended it vigorously in court, repeatedly winning judgments to uphold this principle. The fact that every AI created work is in the public domain means that if Getty or Disney or Universal or Hearst newspapers use AI to generate works – then anyone else can take those works, copy them, sell them, or give them away for free. And the only thing those companies hate more than paying creative workers, is having other people take their stuff without permission. The US Copyright Office's position means that the only way these companies can get a copyright is to pay humans to do creative work. This is a recipe for centaurhood. If you're a visual artist or writer who uses prompts to come up with ideas or variations, that's no problem, because the ultimate work comes from you. And if you're a video editor who uses deepfakes to change the eyelines of 200 extras in a crowd-scene, then sure, those eyeballs are in the public domain, but the movie stays copyrighted. But creative workers don't have to rely on the US government to rescue us from AI predators. We can do it ourselves, the way the writers did in their historic writers' strike. The writers brought the studios to their knees. They did it because they are organized and solidaristic, but also are allowed to do something that virtually no other workers are allowed to do: they can engage in "sectoral bargaining," whereby all the workers in a sector can negotiate a contract with every employer in the sector. That's been illegal for most workers since the late 1940s, when the Taft-Hartley Act outlawed it. If we are gonna campaign to get a new law passed in hopes of making more money and having more control over our labor, we should campaign to restore sectoral bargaining, not to expand copyright. Our allies in a campaign to expand copyright are our bosses, who have never had our best interests at heart. While our allies in the fight for sector bargaining are every worker in the country. As the song goes, "Which side are you on?" OK, I need to bring this talk in for a landing now, because I'm out of time, so I'm going to close out with this: AI is a bubble and bubbles are terrible. Bubbles transfer the life's savings of normal people who are just trying to have a dignified retirement to the wealthiest and most unethical people in our society, and every bubble eventually bursts, taking their savings with it. But not every bubble is created equal. Some bubbles leave behind something productive. Worldcom stole billions from everyday people by defrauding them about orders for fiber optic cables. The CEO went to prison and died there. But the fiber outlived him. It's still in the ground. At my home, I've got 2gb symmetrical fiber, because AT&T lit up some of that old Worldcom dark fiber. All things being equal, it would have been better if Worldcom hadn't ever existed, but the only thing worse than Worldcom committing all that ghastly fraud would be if there was nothing to salvage from the wreckage. I don't think we'll salvage much from cryptocurrency, for example. Sure, there'll be a few coders who've learned something about secure programming in Rust. But when crypto dies, what it will leave behind is bad Austrian economics and worse monkey JPEGs. AI is a bubble and it will burst. Most of the companies will fail. Most of the data-centers will be shuttered or sold for parts. So what will be left behind? We'll have a bunch of coders who are really good at applied statistics. We'll have a lot of cheap GPUs, which'll be good news for, say, effects artists and climate scientists, who'll be able to buy that critical hardware at pennies on the dollar. And we'll have the open source models that run on commodity hardware, AI tools that can do a lot of useful stuff, like transcribing audio and video, describing images, summarizing documents, automating a lot of labor-intensive graphic editing, like removing backgrounds, or airbrushing passersby out of photos. These will run on our laptops and phones, and open source hackers will find ways to push them to do things their makers never dreamt of. If there had never been an AI bubble, if all this stuff arose merely because computer scientists and product managers noodled around for a few year coming up with cool new apps for back-propagation, machine learning and generative adversarial networks, most people would have been pleasantly surprised with these interesting new things their computers could do. We'd call them "plugins." It's the bubble that sucks, not these applications. The bubble doesn't want cheap useful things. It wants expensive, "disruptive" things: Big foundation models that lose billions of dollars every year. When the AI investment mania halts, most of those models are going to disappear, because it just won't be economical to keep the data-centers running. As Stein's Law has it: "Anything that can't go on forever eventually stops." The collapse of the AI bubble is going to be ugly. Seven AI companies currently account for more than a third of the stock market, and they endlessly pass around the same $100b IOU. Bosses are mass-firing productive workers and replacing them with janky AI, and when the janky AI is gone, no one will be able to find and re-hire most of those workers, we're going to go from disfunctional AI systems to nothing. AI is the asbestos in the walls of our technological society, stuffed there with wild abandon by a finance sector and tech monopolists run amok. We will be excavating it for a generation or more. So we need to get rid of this bubble. Pop it, as quickly as we can. To do that, we have to focus on the material factors driving the bubble. The bubble isn't being driven by deepfake porn, oOr election disinformation, or AI image-gen, or slop advertising. All that stuff is terrible and harmful, but it's not driving investment. The total dollar figure represented by these apps doesn't come close to making a dent in the capital expenditures and operating costs of AI. They are peripheral, residual uses: flashy, but unimportant to the bubble. Get rid of all those uses and you reduce the expected income of AI companies by a sum so small it rounds to zero. Same goes for all that "AI Safety" nonsense, that purports to concern itself with preventing an AI from attaining sentience and turning us all into paperclips. First of all, this is facially absurd. Throwing more words and GPUs into the word-guessing program won't make it sentient. That's like saying, "Well, we keep breeding these horses to run faster and faster, so it's only a matter of time until one of our mares gives birth to a locomotive." A human mind is not a word-guessing program with a lot of extra words. I'm here for science fiction thought experiments, don't get me wrong. But also, don't mistake sf for prophesy. SF stories about superintelligence are futuristic parables, not business plans, roadmaps, or predictions. The AI Safety people say they are worried that AI is going to end the world, but AI bosses love these weirdos. Because on the one hand, if AI is powerful enough to destroy the world, think of how much money it can make! And on the other hand, no AI business plan has a line on its revenue projections spreadsheet labeled "Income from turning the human race into paperclips." So even if we ban AI companies from doing this, we won't cost them a dime in investment capital. To pop the bubble, we have to hammer on the forces that created the bubble: the myth that AI can do your job, especially if you get high wages that your boss can claw back; the understanding that growth companies need a succession of ever-more-outlandish bubbles to stay alive; the fact that workers and the public they serve are on one side of this fight, and bosses and their investors are on the other side. Because the AI bubble really is very bad news, it's worth fighting seriously, and a serious fight against AI strikes at its roots: the material factors fueling the hundreds of billions in wasted capital that are being spent to put us all on the breadline and fill all our walls will high-tech asbestos. (Image: Cryteria, CC BY 3.0, modified) Hey look at this (permalink) Politics and Capitalist Stagnation https://www.unpopularfront.news/p/politics-and-capitalist-stagnation An Analysis of the Proposed Spirit Financial-Credit Union 1 Merger. The Consequences for the Credit Union System https://chipfilson.com/2025/12/an-analysis-of-the-proposed-spirit-financal-credit-union-1-merger/ Zillow deletes climate risk data from listings after complaints it harms sales https://www.theguardian.com/environment/2025/dec/01/zillow-removes-climate-risk-data-home-listings After Years of Controversy, the EU’s Chat Control Nears Its Final Hurdle: What to Know https://www.eff.org/deeplinks/2025/12/after-years-controversy-eus-chat-control-nears-its-final-hurdle-what-know How the dollar-store industry overcharges cash-strapped customers while promising low prices https://www.theguardian.com/us-news/2025/dec/03/customers-pay-more-rising-dollar-store-costs Object permanence (permalink) #20yrsago Haunted Mansion papercraft model adds crypts and gates https://www.haunteddimensions.raykeim.com/index313.html #20yrsago Print your own Monopoly money https://web.archive.org/web/20051202030047/http://www.hasbro.com/monopoly/pl/page.treasurechest/dn/default.cfm #15yrsago Bunnie explains the technical intricacies and legalities of Xbox hacking https://www.bunniestudios.com/blog/2010/usa-v-crippen-a-retrospective/ #15yrsago How Pac Man’s ghosts decide what to do: elegant complexity https://web.archive.org/web/20101205044323/https://gameinternals.com/post/2072558330/understanding-pac-man-ghost-behavior #15yrsago Glorious, elaborate, profane insults of the world https://www.reddit.com/r/AskReddit/comments/efee7/what_are_your_favorite_culturally_untranslateable/?sort=confidence #15yrsago Walt Disney World castmembers speak about their search for a living wage https://www.youtube.com/watch?v=f5BMQ3xQc7o #15yrsago Wikileaks cables reveal that the US wrote Spain’s proposed copyright law https://web.archive.org/web/20140723230745/https://elpais.com/elpais/2010/12/03/actualidad/1291367868_850215.html #15yrsago Cities made of broken technology https://web.archive.org/web/20101203132915/https://agora-gallery.com/artistpage/Franco_Recchia.aspx #10yrsago The TPP’s ban on source-code disclosure requirements: bad news for information security https://www.eff.org/deeplinks/2015/12/tpp-threatens-security-and-safety-locking-down-us-policy-source-code-audit #10yrsago Fossil fuel divestment sit-in at MIT President’s office hits 10,000,000,000-hour mark https://twitter.com/FossilFreeMIT/status/672526210581274624 #10yrsago Hacker dumps United Arab Emirates Invest Bank’s customer data https://www.dailydot.com/news/invest-bank-hacker-buba/ #10yrsago Illinois prisons spy on prisoners, sue them for rent on their cells if they have any money https://www.chicagotribune.com/2015/11/30/state-sues-prisoners-to-pay-for-their-room-board/ #10yrsago Free usability help for privacy toolmakers https://superbloom.design/learning/blog/apply-for-help/ #10yrsago In the first 334 days of 2015, America has seen 351 mass shootings (and counting) https://web.archive.org/web/20151209004329/https://www.washingtonpost.com/news/wonk/wp/2015/11/30/there-have-been-334-days-and-351-mass-shootings-so-far-this-year/ #10yrsago Not even the scapegoats will go to jail for BP’s murder of the Gulf Coast https://arstechnica.com/tech-policy/2015/12/manslaughter-charges-dropped-in-bp-spill-case-nobody-from-bp-will-go-to-prison/ #10yrsago Urban Transport Without the Hot Air: confusing the issue with relevant facts! https://memex.craphound.com/2015/12/03/urban-transport-without-the-hot-air-confusing-the-issue-with-relevant-facts/ #5yrsago Breathtaking Iphone hack https://pluralistic.net/2020/12/03/ministry-for-the-future/#awdl #5yrsago Graffitists hit dozens of NYC subway cars https://pluralistic.net/2020/12/03/ministry-for-the-future/#getting-up #5yrsago The Ministry For the Future https://pluralistic.net/2020/12/03/ministry-for-the-future/#ksr #5yrsago Monopolies made America vulnerable to covid https://pluralistic.net/2020/12/03/ministry-for-the-future/#big-health #5yrsago Section 230 is Good, Actually https://pluralistic.net/2020/12/04/kawaski-trawick/#230 #5yrsago Postmortem of the NYPD's murder of a Black man https://pluralistic.net/2020/12/04/kawaski-trawick/#Kawaski-Trawick #5yrsago Student debt trap https://pluralistic.net/2020/12/04/kawaski-trawick/#strike-debt #1yrago "That Makes Me Smart" https://pluralistic.net/2024/12/04/its-not-a-lie/#its-a-premature-truth #1yrago Canada sues Google https://pluralistic.net/2024/12/03/clementsy/#can-tech Upcoming appearances (permalink) Virtual: Poetic Technologies with Brian Eno (David Graeber Institute), Dec 8 https://davidgraeber.institute/poetic-technologies-with-cory-doctorow-and-brian-eno/ Madison, CT: Enshittification at RJ Julia, Dec 8 https://rjjulia.com/event/2025-12-08/cory-doctorow-enshittification Hamburg: Chaos Communications Congress, Dec 27-30 https://events.ccc.de/congress/2025/infos/index.html Denver: Enshittification at Tattered Cover Colfax, Jan 22 https://www.eventbrite.com/e/cory-doctorow-live-at-tattered-cover-colfax-tickets-1976644174937 Recent appearances (permalink) Enshittification (Future Knowledge) https://futureknowledge.transistor.fm/episodes/enshittification We have become slaves to Silicon Valley (Politics JOE) https://www.youtube.com/watch?v=JzEUvh1r5-w How Enshittification is Destroying The Internet (Frontline Club) https://www.youtube.com/watch?v=oovsyzB9L-s Escape Forward with Cristina Caffarra https://escape-forward.com/2025/11/27/enshittification-of-our-digital-experience/ Why Every Platform Betrays You (Trust Revolution) https://fountain.fm/episode/bJgdt0hJAnppEve6Qmt8 Latest books (permalink) "Canny Valley": A limited edition collection of the collages I create for Pluralistic, self-published, September 2025 "Enshittification: Why Everything Suddenly Got Worse and What to Do About It," Farrar, Straus, Giroux, October 7 2025 https://us.macmillan.com/books/9780374619329/enshittification/ "Picks and Shovels": a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books (US), Head of Zeus (UK), February 2025 (https://us.macmillan.com/books/9781250865908/picksandshovels). "The Bezzle": a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books (US), Head of Zeus (UK), February 2024 (the-bezzle.org). "The Lost Cause:" a solarpunk novel of hope in the climate emergency, Tor Books (US), Head of Zeus (UK), November 2023 (http://lost-cause.org). "The Internet Con": A nonfiction book about interoperability and Big Tech (Verso) September 2023 (http://seizethemeansofcomputation.org). Signed copies at Book Soup (https://www.booksoup.com/book/9781804291245). "Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com. "Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com Upcoming books (permalink) "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2026 "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026 "The Memex Method," Farrar, Straus, Giroux, 2026 "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 Colophon (permalink) Today's top sources: Currently writing: "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE. "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING. A Little Brother short story about DIY insulin PLANNING This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net. https://creativecommons.org/licenses/by/4.0/ Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution. How to get Pluralistic: Blog (no ads, tracking, or data-collection): Pluralistic.net Newsletter (no ads, tracking, or data-collection): https://pluralistic.net/plura-list Mastodon (no ads, tracking, or data-collection): https://mamot.fr/@pluralistic Medium (no ads, paywalled): https://doctorow.medium.com/ Twitter (mass-scale, unrestricted, third-party surveillance and advertising): https://twitter.com/doctorow Tumblr (mass-scale, unrestricted, third-party surveillance and advertising): https://mostlysignssomeportents.tumblr.com/tagged/pluralistic "When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer. ISSN: 3066-764X

Pluralistic: A year in illustration (2025 edition) (03 Dec 2025)
Today's links A year in illustration (2025 edition): I think I'm getting the hang of this? Hey look at this: Delights to delectate. Object permanence: HADOPI is born; Tea Party wants to disenfranchise renters; How to kill TPP; Mozilla ejects Thunderbird; Rosa Parks was a lifelong radical activist. Upcoming appearances: Where to find me. Recent appearances: Where I've been. Latest books: You keep readin' em, I'll keep writin' 'em. Upcoming books: Like I said, I'll keep writin' 'em. Colophon: All the rest. A year in illustration (2025 edition) (permalink) One of the most surprising professional and creative developments of my middle-age has been discovering my love of collage. I have never been a "visual" person – I can't draw, I can't estimate whether a piece of furniture will fit in a given niche, I can't catch a ball, and I can't tell you if a picture is crooked. When Boing Boing started including images with our posts in the early 2000s, I hated it. It was such a chore to find images that were open licensed or public domain, and so many of the subjects I wrote about are abstract and complex and hard to illustrate. Sometimes, I'd come up with a crude visual gag and collage together a few freely usable images as best as I could and call it a day. But over the five years that I've been writing Pluralistic, I've found myself putting more and more effort and thought into these header images. Without realizing it, I put more and more time into mastering The GIMP (a free/open Photoshop alternative), watching tutorial videos and just noodling from time to time. I also discovered many unsuspected sources of public domain work, such as the Library of Congress, whose search engine sucks, but whose collection is astounding (tip: use Kagi or Google to search for images with the "site:loc.gov" flag). I also discovered the Met's incredible collection: https://www.metmuseum.org/art/collection/search And the archives of H Armstrong Roberts, an incredibly prolific stock photographer whose whole corpus is in the public domain. You can download more than 14,000 of his images from the Internet Archive (I certainly did!): https://archive.org/details/h-armstrong-roberts Speaking of the Archive and search engine hacks, I've also developed a method for finding hi-rez images that are otherwise very hard to get. Often, an image search will turn up public domain results on commercial stock sites like Getty. If I can't find public domain versions elsewhere (e.g. by using Tineye reverse-image search), I look for Getty's metadata about the image's source (that is, which book or collection it came from). Then I search the Internet Archive and other public domain repositories for high-rez PDF scans of the original work, and pull the images out of there. Many of my demons come from Compendium rarissimum totius Artis Magicae sistematisatae per celeberrimos Artis hujus Magistros, an 18th century updating of a 11th century demonolgy text, which you can get as a hi-rez at the Wellcome Trust: https://wellcomecollection.org/works/cvnpwy8d Five years into my serious collage phase, I find myself increasingly pleased with the work I'm producing. I actually self-published a little book of my favorites this year (Canny Valley), which Bruce Sterling provided an intro for and which the legendary book designed John Berry laid out fot me, and I'm planning future volumes: https://pluralistic.net/2025/09/04/illustrious/#chairman-bruce I've been doing annual illustration roundups for the past several years, selecting my favorites from the year's crop: 2022: https://pluralistic.net/2022/12/25/a-year-in-illustration/ 2023: https://pluralistic.net/2023/12/21/collages-r-us/ 2024: https://pluralistic.net/2024/12/07/great-kepplers-ghost/ It's a testament to how much progress I've made that when it came time to choose this year's favorites, I had 33 images I wanted to highlight. Much of this year's progress is down to my friend and neighbor Alistair Milne, an extremely talented artist and commercial illustrator who has periodically offered me little bits of life-changing advice on composition and technique. I've also found a way to use these images in my talks: I've pulled together a slideshow of my favorite (enshittification-related) images, formatted for 16:9 (the incredibly awkward aspect ratio that everyone seems to expect these days), with embedded Creative Commons attributions. When I give a talk, I ask to have this run behind me in "kiosk mode," looping with a 10-second delay between each slide. Here's an up-to-date (as of today) version: https://archive.org/download/enshittification-slideshow/enshittification.pptx If these images intrigue you and you'd like hi-rez versions to rework on your own, you can get full rez versions of all my blog collagesin my "Pluralistic Collages" Flickr set: https://www.flickr.com/photos/doctorow/albums/72177720316719208 They're licensed CC BY-SA 4.0, though some subelements may be under different licenses (check the image descriptions for details). But everything is licensed for remix and commercial distribution, so go nuts! All the books I reviewed in 2025 The underlying image comes from the Library of Congress (a search for "reading + book") (because "reading" turns up pictures of Reading, PA and Reading, UK). I love the poop emoji from the cover of the US edition of Enshittification and I'm hoping to get permission to do a lot more with it. https://pluralistic.net/2025/12/02/constant-reader/#too-many-books Meta's new top EU regulator is contractually prohibited from saying mean things about Meta Mark Zuckerberg's ghastly Metaverse avatar is such a gift to his critics. I can't believe his comms team let him release it! The main image is an H Armstrong Roberts classic of a beat cop wagging his finger at a naughty lad on a bicycle. The Wachowskis' 'code waterfall' comes from this generator: https://github.com/yeaayy/the-matrix https://pluralistic.net/2025/12/01/erin-go-blagged/#big-tech-omerta The long game In my intro to last year's roundup, I wrote about Joseph Keppler, the incredibly prolific illustrator and publisher who founded Puck magazine and drew hundreds of illustrations, many of them editorial cartoons that accompanied articles that criticized monopolies and America's oligarch class. As with so much of his work, Keppler's classic illustration of Rockefeller as a shrimpy, preening king updates very neatly to today's context, through the simple expedient of swapping in Zuck's metaverse avatar. https://pluralistic.net/2025/11/20/if-you-wanted-to-get-there/#i-wouldnt-start-from-here Facebook's fraud files I love including scanned currency in my illustrations. Obviously, large-denomination bills make for great symbols in posts about concentrated wealth and power, but also, US currency is iconic, covered in weird illustrations, and available as incredibly high-rez scans, like this 7,300+ pixel-wide C-note: https://commons.wikimedia.org/wiki/File:U.S._hundred_dollar_bill,_1999.jpg It turns out that intaglio shading does really cool stuff when you tweak the curves. I love what happened to Ben Franklin's eyes in this one. (Zuck's body is another Keppler/Puck illo!) https://pluralistic.net/2025/11/08/faecebook/#too-big-to-care There's one thing EVERY government can do to shrink Big Tech This is another Keppler/Roberts mashup. Keppler's original is Teddy Roosevelt as a club-wielding ("speak softly and carry a big stick") trustbusting Goliath. The crying baby and money come from an H Armstrong Roberts tax-protest stock photo (one of the money sacks was originally labeled "TAXES"). This one also includes one of my standbys, Cryteria's terrific vector image of HAL 9000's glaring red eye, always a good symbolic element for stories about Big Tech, surveillance, and/or AI: https://commons.wikimedia.org/wiki/File:HAL9000.svg https://pluralistic.net/2025/11/01/redistribution-vs-predistribution/#elbows-up-eurostack When AI prophecy fails The chain-gang photo comes from the Library of Congress. That hacker hoodie is a public domain graphic ganked from Wikimedia Commons. I love how the HAL 9000 eye pops as the only color element in this one. https://pluralistic.net/2025/10/29/worker-frightening-machines/#robots-stole-your-jerb-kinda Checking in on the state of Amazon's chickenized reverse-centaurs Another H Armstrong Roberts remix: originally, this was a grinning delivery man jugging several parcels. I reskinned him and his van with Amazon delivery livery, and matted in the horse-head to create a "reverse centaur" (another theme I return to often). I used one of Alistair Milne's tips to get that horse's head right: rather than trying to trace all the stray hairs on the mane, I traced them with a fine brush tool on a separate layer, then erased the strays from the original and merged down to get a nice, transparency-enabled hair effect. https://pluralistic.net/2025/10/23/traveling-salesman-solution/#pee-bottles The mad king's digital killswitch The Uncle Sam image is Keppler's (who else?). In the original (which is about tariffs! everything old is new!), Sam's legs have become magnets that are drawing in people and goods from all over the world. The Earth-from-space image is a NASA pic. Love that all works of federal authorship are born in the public domain! https://pluralistic.net/2025/10/20/post-american-internet/#huawei-with-american-characteristics Microsoft, Tear Down That Wall! Clippy makes a perfect element for posts about chatbots. It's hard to think that Microsoft shipped a product with such a terrible visual design, but at the same time, I gotta give 'em credit, it's so awful that it's still instantly recognizable, 25 years later. https://pluralistic.net/2025/10/15/freedom-of-movement/#data-dieselgate A disenshittification moment from the land of mass storage Another remix of Keppler's excellent Teddy Roosevelt/trustbuster giant image, this time with Ben Franklin's glorious C-note phiz. God, I love using images from money! https://pluralistic.net/2025/10/10/synology/#how-about-nah Apple's unlawful evil Alistair Milne helped me work up a super hi-rez version of Trump's hair from his official (public domain) 2024 presidential portrait. Lots of tracing those fine hairs, and boy does it pay off. Apple's "Think Different" wordmark (available as a vector on Wikimedia Commons) is a gift to the company's critics. The fact that the NYPD actually routinely show up for protests dressed like this makes my job too easy. https://pluralistic.net/2025/10/06/rogue-capitalism/#orphaned-syrian-refugees-need-not-apply Blue Bonds Another C-note remix. One of the things I love about remixing US currency is that every part of it is so immediately identifiable, meaning that just about any crop works. The California bear comes from a public domain vector on Wikimedia Commons. I worked hard to get the intaglio effect to transfer to the bear, but only with middling success. Thankfully, I was able to work at massive resolution (like, 4,000 px wide) and reduce the image, which hides a lot of my mistakes. https://pluralistic.net/2025/10/04/fiscal-antifa/#post-trump The real (economic) AI apocalypse is nigh Another money scan, this time a hyperinflationary Zimbabwean dollar (I also looked at some Serbian hyperinflationary notes, but the Zimbabwean one was available at a higher rez). Not thrilled about the engraving texture on the HAL 9000, but the Sam Altman intaglio kills. I spent a lot of time tweaking that using G'mic, a good (but uneven) plugin suite for the GIMP. https://pluralistic.net/2025/09/27/econopocalypse/#subprime-intelligence Rage Against the (Algorithmic Management) Machine This one made this year's faves list purely because I was so happy with how the Doordash backpack came out. The belligerent worker is part of a Keppler diptych showing a union worker and a boss facing off against one another with a cowering consumer caught in the crossfire. I'm not thrilled about this false equivalence, but I'll happily gank the figures, which are great. https://pluralistic.net/2025/09/25/roboboss/#counterapps The enshittification of solar (and how to stop it) I spent a lot of time tweaking the poop emoji on those solar panels, eventually painstakingly erasing the frames from the overlay image. It was worth it. https://pluralistic.net/2025/09/23/our-friend-the-electron/#to-every-man-his-castle AI psychosis and the warped mirror One of those high-concept images that came out perfect. Replacing Narcissus's face (and reflection) with HAL 9000 made for a striking image that only took minutes to turn out. https://pluralistic.net/2025/09/17/automating-gang-stalking-delusion/#paranoid-androids Reverse centaurs are the answer to the AI paradox The businessman trundling up a long concrete staircase is another H Armstrong Roberts. That staircase became very existential as soon as I stripped out the grass on either side of it. Finding that horse-head took a lot of doing (the world needs more CC-licensed photos of horses from that angle!). The computer in the background comes from a NASA Ames archive of photos of all kinds of cool stuff – zeppelins, spacesuits, and midcentury "supercomputers." https://pluralistic.net/2025/09/11/vulgar-thatcherism/#there-is-an-alternative Radical juries Another high-concept image that just worked. It took me more time to find a good public domain oil painting of a jury than it did to transform each juror into Karl Marx. I love how this looks. https://pluralistic.net/2025/08/22/jury-nullification/#voir-dire LLMs are slot-machines It's surprisingly hard to find a decent public domain photo of a slot machine in use. I eventually started to wonder if Vegas had a no-cameras policy in the early years. Eventually, the Library of Commerce came through with a scanned neg that was high enough rez that I could push the elements I wanted to have stand out from an otherwise muddy, washed-out image. https://pluralistic.net/2025/08/16/jackpot/#salience-bias Zuckermuskian solipsism The laborers come from an LoC collection of portraits of children who worked in coal mines in the 1910s. They're pretty harrowing stuff. I spent a long plane ride cropping each individual out of several of these images. https://pluralistic.net/2025/08/18/seeing-like-a-billionaire/#npcs Good ideas are popular The original crowd scene (a presidential inauguration, if memory serves) was super high-rez, which made it very easy to convincingly matte in the monkeys and the Congressional dome. I played with tinting this one, but pure greyscale looked a lot better. https://pluralistic.net/2025/08/07/the-people-no-2/#water-flowing-uphill By all means, tread on those people Another great high concept. The wordiness of Wilhoit's Law makes this intrinsically funny. There's a public domain vector-art Gadsen flag on Wikimedia Commons. I found a Reddit forum where font nerds had sleuthed out the typeface for the words on the original. https://pluralistic.net/2025/08/26/sole-and-despotic-dominion/#then-they-came-for-me AI's pogo-stick grift The pogo stick kid is another H Armstrong Roberts gank. I spent ages trying to get the bounce effect to look right, and then Alistair Milne fixed it for me in like 10 seconds. The smoke comes from an oil painting of the eruption of Vesuvius from the Met. It's become my go-to "hellscape" background. https://pluralistic.net/2025/08/02/inventing-the-pedestrian/#three-apis-in-a-trenchcoat The worst possible antitrust outcome The smoke from Vesuvius makes another appearance. I filled the Android droid with tormented figures from Bosch's "Garden of Earthly Delights," which is an amazing painting that is available as a more than 15,000 pixel wide (!) scan on Wikimedia Commons. https://pluralistic.net/2025/09/03/unpunishing-process/#fucking-shit-goddammit-fuck Conservatism considered as a movement of bitter rubes Boy, I love this one. The steamship image is from the Met. The carny barker is a still of WC Fields, whose body language is impeccable. It took a long-ass time to get a MAGA hat in the correct position, but I eventually found a photo of an early 20th C baseball player and then tinted his hat and matted in the MAGA embroidery. https://pluralistic.net/2025/07/22/all-day-suckers/#i-love-the-poorly-educated Your Meta AI prompts are in a live, public feed These guys on the sofa come from Thomas Hawke, who has recovered and scanned nearly 30,000 "found photos" – collections from estates, yard-sales, etc: https://www.flickr.com/search/?sort=date-taken-desc&safe_search=1&tags=foundphotograph&user_id=51035555243%40N01&view_all=1 The Shining-esque lobby came from the Library of Congress, where it is surprisingly easy to find images of buildings with scary carpets. https://pluralistic.net/2025/06/19/privacy-breach-by-design/#bringing-home-the-beacon Strange Bedfellows and Long Knives Another great high-concept that turned out great. I think that matting the Heritage Foundation chiselwork into the background really pulls it together, and I'm really happy with the glow-up I did for the knives. https://pluralistic.net/2025/05/21/et-tu-sloppy-steve/#fractured-fairytales Are the means of computation even seizable? I spent so long cutting out this old printing press, but boy has it stood me in good stead. I think there's like five copies of that image layered on top of each other here. The figure is an inside joke for all my Luddite trufan pals outthere, a remix of a classic handbill depicting General Ned Ludd. https://pluralistic.net/2025/05/14/pregnable/#checkm8 Mark Zuckerberg announces mind-control ray (again) I was worried that this wouldn't work unless you were familiar with the iconic portrait photo of Rasputin, but that guy was such a creepy-ass-looking freak, and Zuck's metaverse avatar is so awful, that it works on its own merits, too. https://pluralistic.net/2025/05/07/rah-rah-rasputin/#credulous-dolts Mike Lee and Jim Jordan want to kill the law that bans companies from cheating you The original image was so grainy, but it was also fantastic and I spent hours rehabbing it. It's a posed, comedic photo of two Australian miners in the bush cheating at cards, rooking a third man. The Uncle Sam is (obviously) from Keppler. https://pluralistic.net/2025/04/29/cheaters-and-liars/#caveat-emptor-brainworms Mark Zuckerberg personally lost the Facebook antitrust case This one got more, "Wow is that ever creepy" comments than any of the other ones. I was going for Chatty Cathy, but that Zuck metaverse avatar is so weird and bad that it acts like visual MSG in any image, amplifying its creepiness to incredible heights. https://pluralistic.net/2025/04/18/chatty-zucky/#is-you-taking-notes-on-a-criminal-fucking-conspiracy Machina economicus The image is from an early illustrated French edition of HG Wells's War of the Worlds. I love how this worked out, and a family of my fans in Ireland commissioned a paint-by-numbers of it and painted it in and mailed it to me. It's incredible. If I re-use this, I will probably swap out the emoji for the graphic from the book's cover. https://pluralistic.net/2025/04/14/timmy-share/#a-superior-moral-justification-for-selfishness How the world's leading breach expert got phished I don't understand how composition works, but I know when I've lucked into a good composition. This is a good composition! I made this on the sofa of Doc and Joyce Searles in Bloomington, Indiana while I was in town for my Picks and Shovels book tour. https://pluralistic.net/2025/04/05/troy-hunt/#teach-a-man-to-phish Anyone who trusts an AI therapist needs their head examined I worked those tentacles for so long, trying to get Freud/Cthulhu/HAL's lower half just right. In the end, it all paid off. https://pluralistic.net/2025/04/01/doctor-robo-blabbermouth/#fool-me-once-etc-etc You can't save an institution by betraying its mission The "fireman" is an image from the Department of Defense of a soldier demoing a flamethrower (I hacked in the firefighter's uniform). I spent a lot of time trying to get a smoky look for the foreground here, but I don't think it succeeded. https://pluralistic.net/2025/03/19/selling-out/#destroy-the-village-to-save-it

Pluralistic: All the books I reviewed in 2025 (02 Dec 2025)
Today's links All the books I reviewed in 2025: A year in books. Hey look at this: Delights to delectate. Object permanence: David Byrne v RIAA; Sam Buck vs Starbucks; Eek-A-Trad; Mesopotamian DRM; Distanced stage plays. Upcoming appearances: Where to find me. Recent appearances: Where I've been. Latest books: You keep readin' em, I'll keep writin' 'em. Upcoming books: Like I said, I'll keep writin' 'em. Colophon: All the rest. All the books I reviewed in 2025 (permalink) I read as much as I could in 2025, but as ever, I have finished the year bitterly aware of how many wonderful books I didn't get to, whose spines glare daggers at me whenever I sit down at my desk, beneath my groaning To Be Read shelf. But I did write nearly two dozen reviews here on Pluralistic in calendar 2025, which I round up below. If these aren't enough for you, please check out the lists from previous years. 2024: https://pluralistic.net/2024/12/02/booklish/#2024-in-review 2023: https://pluralistic.net/2023/12/01/bookmaker/#2023-in-review 2022: https://pluralistic.net/2022/12/01/bookishness/#2022-in-review 2021: https://pluralistic.net/2021/12/08/required-ish-reading/#bibliography 2020: https://pluralistic.net/2020/12/08/required-reading/#recommended-reading Now that my daughter is off at college (!), I have a lot fewer kids' books in my life than I did when she was growing up. I miss 'em! (And I miss her, too, obviously). But! I did manage to read a couple great kids' books this year that I recommend to you without reservation, both for your own pleasure and for any kids in your life, and I wanted to call them out separately, since (good) books are such good gifts for kids: Daniel Pinkwater's Jules, Penny and the Rooster (middle-grades novel) https://pluralistic.net/2025/03/11/klong-you-are-a-pickle-2/#martian-space-potato Perry Metzger, Penelope Spector and Jerel Dye's Science Comics Computers: How Digital Hardware Works (graphic novel nonfiction) https://pluralistic.net/2025/11/05/xor-xand-xnor-nand-nor/#brawniac NONFICTION I. Cooking in Maximum Security, Matteo Guidi Cooking in Maximum Security is a slim volume of prisoners' recipes and improvised cooking equipment, a testament to the ingenuity of a network of prisoners in Italy's maximum security prisons. https://pluralistic.net/2025/11/24/moca-moka/#culinary-apollo-13 II. 9 Times My Work Has Been Ripped Off, Raymond Biesinger A masterclass in how creative workers can transform the endless, low-grade seething about the endless ripoffs of the industry into something productive and even profound. https://pluralistic.net/2025/10/28/productive-seething/#fuck-you-pay-me III. Three Rocks, Bill Griffiths What better format for a biography of Ernie Bushmiller, creator of the daily Nancy strip, than a graphic novel? And who better to write and draw it than Bill Griffith, creator of Zippy the Pinhead, a long-running and famously surreal daily strip? Griffith is carrying on the work of Scott McCloud, whose definitive Understanding Comics used the graphic novel form to explain the significance and method of sequential art, singling out Nancy for special praise. https://pluralistic.net/2025/06/27/the-snapper/#9-to-107-spikes IV. The Blues Brothers, Daniel de Visé A brilliantly told, brilliantly researched tale that left me with a much deeper understanding of – and appreciation for – the cultural phenomenon that I was (and am) swept up in. https://pluralistic.net/2025/06/21/1060-west-addison/#the-new-oldsmobiles-are-in-early-this-year V. Close to the Machine, Ellen Ullman Ullman's subtitle for the book is "Technophilia and its discontents," and therein lies the secret to its magic. Ullman loves programming computers, loves the way they engage her attention, her consciousness, and her intelligence. Her descriptions of the process of writing code – of tackling a big coding project – are nothing less than revelatory. She captures something that a million technothriller movies consistently fail to even approach: the dramatic interior experience of a programmer who breaks down a complex problem into many interlocking systems, the momentary and elusive sense of having all those systems simultaneously operating in a high-fidelity mental model, the sense of being full, your brain totally engaged in every way. It's a poetics of language that meets and exceeds the high bar set by the few fiction writers who've ever approached a decent rendering of this feeling, like William Gibson. https://pluralistic.net/2025/07/16/beautiful-code/#hackers-disease VI. Chasing Shadows, Ron Deibert Deibert's pulse-pounding, sphinter-tightening true memoir of his battles with the highly secretive cyber arms industry whose billionaire owners provide mercenary spyware that's used by torturers, murderers and criminals to terrorize their victims. https://pluralistic.net/2025/02/04/citizen-lab/#nso-group VII. Little Bosses Everywhere, Bridget Read Read, an investigative journalist at Curbed, takes us through the history of the multi-level marketing "industry," which evolved out of Depression-era snake oil salesmen, Tupperware parties, and magical thinking cults built around books like Think and Grow Rich. This fetid swamp gives rise to a group of self-mythologizing scam artists who founded companies like Amway and Mary Kay, claiming outlandish – and easily debunked – origin stories that the credulous press repeats, alongside their equally nonsensical claims about the "opportunities" they are creating for their victims. https://pluralistic.net/2025/05/05/free-enterprise-system/#amway-or-the-highway VIII. Careless People, Sarah Wynn-Williams Wynn-Williams was a lot closer to three of the key personalities in Facebook's upper echelon than anyone in my orbit: Mark Zuckerberg, Sheryl Sandberg, and Joel Kaplan, who was elevated to VP of Global Policy after the Trump II election. I already harbor an atavistic loathing of these three based on their public statements and conduct, but the events Wynn-Williams reveals from their private lives make them out to be beyond despicable. There's Zuck, whose underlings let him win at board-games like Settlers of Catan because he's a manbaby who can't lose (and who accuses Wynn-Williams of cheating when she fails to throw a game of Ticket to Ride while they're flying in his private jet). There's Sandberg, who demands the right to buy a kidney for her child from someone in Mexico, should that child ever need a kidney. https://pluralistic.net/2025/04/23/zuckerstreisand/#zdgaf IX. More Everything Forever, Adam Becker Astrophysicist Adam Becker knows a few things about science and technology – enough to show, in a new book called More Everything Forever that the claims that tech bros make about near-future space colonies, brain uploading, and other skiffy subjects are all nonsense dressed up as prediction. https://pluralistic.net/2025/04/22/vinges-bastards/#cyberpunk-is-a-warning-not-a-suggestion X. Murder the Truth, David Enrich A brave, furious book about the long-running plan by America's wealthy and corrupt to "open up the libel laws" so they can destroy their critics. In taking on the libel-industrial complex – a network of shadowy, thin-skinned, wealthy litigation funders; crank academics; buck-chasing lawyer lickspittle sociopaths; and the most corrupt Supreme Court justice on the bench today – Enrich is wading into dangerous territory. After all, he's reporting on people who've made it their life's mission to financially destroy anyone who has the temerity to report on their misdeeds. https://pluralistic.net/2025/03/17/actual-malice/#happy-slapping FICTION I. Letters From an Imaginary Country, Theodora Goss Goss spins extremely weird, delightful and fun scenarios in these stories and she slides you into them like they were a warm bath. Before you know it, you're up to your nostrils in story, the water filling your ears, and you don't even remember getting in the tub. They're that good. Goss has got a pretty erudite and varied life-history to draw on here. She's a Harvard-trained lawyer who was born in Soviet Hungary, raised across Europe and the UK and now lives in the USA. She's got a PhD in English Lit specializing in gothic literature and monsters and was the research assistant on a definitive academic edition of Dracula. Unsurprisingly, she often writes herself into her stories as a character. https://pluralistic.net/2025/11/11/athena-club/#incluing II. The Immortal Choir Holds Every Voice, Margaret Killjoy A collection of three linked short stories set in Killjoy's celebrated Danielle Cain series, which Alan Moore called "ideal reading for a post-truth world. Danielle Cain is a freight-train-hopping, anarcho-queer hero whose adventures are shared by solidaristic crews of spellcasting, cryptid-battling crustypunk freaks and street-fighters. https://pluralistic.net/2025/06/18/anarcho-cryptid/#decameron-and-on III. Fever Beach, Carl Hiaasen Hiaasen's method is diabolical and hilarious: each volume introduces a bewildering cast of odd, crooked, charming, and/or loathsome Floridians drawn from his long experience chronicling the state and its misadventures. After 20-some volumes in this vein (including Bad Monkey, lately adapted for Apple TV), something far weirder than anything Hiaasen ever dreamed up came to pass: Donald Trump, the most Florida Man ever, was elected president. If you asked an LLM to write a Hiaasen novel, you might get Trump: a hacky, unimaginative version of the wealthy, callous, scheming grifters of the Hiaasenverse. Back in 2020, Hiaasen wrote Trump into Squeeze Me, a tremendous and madcap addition to his canon. Fever Beach is the first Hiaasen novel since Squeeze Me, and boy, does Hiaasen ever have MAGA's number. It's screamingly funny, devilishly inventive, and deeply, profoundly satisfying. With Fever Beach, Hiaasen makes a compelling case for Florida as the perfect microcosm of the terrifying state of America, and an even more compelling case for his position as its supreme storyteller. https://pluralistic.net/2025/10/21/florida-duh/#strokerz-for-liberty IV. Jules, Penny and the Rooster, Daniel Pinkwater Jules and her family have just moved to a suburb called Bayberry Acres in the sleepy dormitory city of Turtle Neck and now she's having a pretty rotten summer. All that changes when Jules enters an essay contest in the local newspaper to win a collie (a contest she enters without telling her parents, natch) and wins. Jules names the collie Penny, and they go for long rambles in the mysterious woods that Bayberry Acres were carved out of. It's on one of these walks that they meet the rooster, a handsome, proud, friendly fellow who lures Penny over the stone wall that demarcates the property line ringing the spooky, abandoned mansion/castle at the center of the woods. Jules chases Penny over the wall, and that's when everything changes. On the other side of that wall is a faun, and little leprechaun-looking guys, and a witch (who turns out to be a high-school chum of her city-dwelling, super-cool aunt), and there's a beast in a hidden dilapidated castle. After Jules sternly informs the beast that she's far too young to be anyone's girlfriend – not even a potentially enchanted prince living as a beast in a hidden castle – he disabuses her of this notion and tells her that she is definitely the long-prophesied savior of the woods, whose magic has been leaking out over years. Nominally this is a middle-grades book, and while it will certainly delight the kids in your life, I ate it up. The purest expression of Pinkwater's unique ability to blend the absurd and the human and make the fantastic normal and the normal fantastic. I laughed long and hard, and turned the final page with that unmissable Pinkwatertovian sense of satisfied wonder. https://pluralistic.net/2025/03/11/klong-you-are-a-pickle-2/#martian-space-potato V. Where the Axe Is Buried, Ray Nayler An intense, claustrophobic novel of a world run by "rational" AIs that purport to solve all of our squishy political problems with empirical, neutral mathematics. It's a birchpunk tale of AI skulduggery, lethal robot insects, radical literature, swamp-traversing mechas, and political intrigue that flits around a giant cast of characters, creating a dizzying, in-the-round tour of Nayler's paranoid world. A work of first-rate science fiction, which provides an emotional flythrough of how Larry Ellison's vision of an AI-driven surveillance state where everyone is continuously observed, recorded and judged by AIs so we are all on our "best behavior" would obliterate the authentic self, authentic relationships, and human happiness. https://pluralistic.net/2025/03/20/birchpunk/#cyberspace-is-everting VI. Lessons in Magic and Disaster, Charlie Jane Anders A novel about queer academia, the wonder of thinking very hard about very old books, and the terror and joy of ambiguous magic. Anders tosses a lot of differently shaped objects into the air, and then juggles them, interspersing the main action with excerpts from imaginary 18th century novels (which themselves contain imaginary parables) that serve as both a prestige and a framing device. It's the story of Jamie, a doctoral candidate at a New England liberal arts college who is trying to hold it all together while she finishes her dissertation. That would be an impossible lift, except for Jamie's gift for maybe-magic – magic that might or might not be real. Certain places ("liminal spaces") call to Jamie. These are abandoned, dirty, despoiled places, ruins and dumps and littered campsites. When Jamie finds one of these places, she can improvise a ritual, using the things in her pockets and school bag as talismans that might – or might not – conjure small bumps of luck and fortune into Jamie's path. There's a lot of queer joy in here, a hell of a lot of media theory, and some very chewy ruminations on the far-right mediasphere. There's romance and heartbreak, danger and sacrifice, and most of all, there's that ambiguous magic, which gets realer and scarier as the action goes on. https://pluralistic.net/2025/08/19/revenge-magic/#liminal-spaces VII. The Adventures of Mary Darling, Pat Murphy The titular Mary Darling here is the mother of Wendy, John and and Michael Darling, the three children who are taken by Peter Pan to Neverland in JM Barrie's 1902 book The Little White Bird, which later became Peter Pan. After Mary's children go missing, Mary's beloved uncle, John Watson, is summoned to the house, along with his famous roommate, the detective Sherlock Holmes. However, Holmes is incapable of understanding where the Darling children have gone, because to do so would be to admit the existence of the irrational and fantastic, and, more importantly, to accept the testimony of women, lower-class people, and pirates. Holmes has all the confidence of the greatest detective alive, which means he is of no help at all. Only Mary can rescue her children. John Watson discovers her consorting with Sam, a one-legged Pacific Islander who is a known fence and the finest rat-leather glovemaker in London, these being much prized by London's worst criminal gangs. Horrified that Mary is keeping such ill company, Watson confronts her and Sam (and Sam's parrot, who screeches nonstop piratical nonsense), only to be told that Mary knows what she is doing, and that she is determined to see her children home safe. What follows is a very rough guide to fairyland. It's a story that recovers the dark asides from Barrie's original Pan stories, which were soaked with blood, cruelty and death. The mermaids want to laugh as you drown. The fairies hate you and want you to die. And Peter Pan doesn't care how many poorly trained Lost Boy starvelings die in his sorties against pirates, because he knows where there are plenty more Lost Boys to be found in the alienated nurseries of Victorian London, an ocean away. https://pluralistic.net/2025/05/06/nevereverland/#lesser-ormond-street GRAPHIC NOVELS AND COMICS I. Science Comics Computers: How Digital Hardware Works, Perry Metzger, Penelope Spector and Jerel Dye Legendary cypherpunk Perry Metzger teams up with Penelope Spector and illustrator Jerel Dye for a tour-de-force young adult comic book that uses hilarious steampunk dinosaurs to demystify the most foundational building-blocks of computers. The authors take pains to show the reader that computing can be abstracted from computing. The foundation of computing isn't electrical engineering, microlithography, or programming: it's logic. While there's plenty of great slapstick, fun art, and terrific characters in this book that will make you laugh aloud, the lasting effect upon turning the last page isn't just entertainment, it's empowerment. https://pluralistic.net/2025/11/05/xor-xand-xnor-nand-nor/#brawniac II. Feeding Ghosts, Tessa Hulls A stunning memoir that tells the story of three generations of Hulls's Chinese family. It was a decade in the making, and it is utterly, unmissably brilliant. It tells the story of Hulls's quest to understand – and heal – her relationship with her mother, a half-Chinese, half-Swiss woman who escaped from China as a small child with her own mother, a journalist who had been targeted by Mao's police. Each of the intertwined narratives – revolutionary China, Rose's girlhood, Hulls's girlhood, the trips to contemporary China, Hulls's adulthood and Sun Yi's institutionalizations and long isolation – are high stakes, high-tension scenarios, beautifully told. Hulls hops from one tale to the next in ways that draw out the subtle, imporant parallels between each situation, subtly amplifying the echoes across time and space. Feeding Ghosts has gone on to win the Pulitzer Prize, only the second graphic novel in history to take the honor (the first was Maus, another memoir of intergenerational trauma, horrific war, and the American immigrant experience). https://pluralistic.net/2025/07/02/filial-piety/#great-leap-forward III. The Murder Next Door, Hugh D'Andrade Hugh D'Andrade is a brilliant visual communicator, the art director responsible for the look-and-feel of EFF's website. He's also haunted by a murder – the killing of the mother of his childhood playmates, which cast a long, long shadow over his life, as he recounts in his debut graphic novel. It's a haunting, beautiful meditation on masculinity, trauma, and fear. Hugh is a superb illustrator, particularly when it comes to bringing abstract ideas to life, and this is a tale beautifully told. https://pluralistic.net/2025/02/10/pivot-point/#eff IV. Simplicity, Mattie Lubchansky Simplicity is set in the not-so-distant future, in which the US has dissolved and its major centers have been refashioned as "Administrative and Security Territories" – a fancy way of saying "walled corporate autocracies." Lucius Pasternak is an anthropology grad student in the NYC AST, a trans-man getting by as best as he can, minimizing how much he sells out. Pasternak's fortunes improve when he gets a big, juicy assignment: to embed with a Catskills community of weirdo sex-hippies who supply the most coveted organic produce in the NYC AST. They've been cloistered in an old summer camp since the 1970s, and when civilization collapsed, it barely touched them. Pasternak's mission is to chronicle the community and its strange ways for a billionaire's vanity-project museum of New York State. This is post-cyberpunk, ecosexual revolutionary storytelling at its finest. https://pluralistic.net/2025/08/01/ecosexuality/#nyc-ast V. The Weight, Melissa Mendes A book that will tear your heart out, it will send you to a dreamy world of pastoral utopianism, then it will tear your heart out. Again. A story of cyclic abuse, unconditional love, redemption, and tragedy, the tale of Edie, born to an abusive father and a teen mother, who is raised away from her family, on a military base where she runs feral with other children, far from the brutality of home. This becomes a sweet and lovely coming-of-age tale as Edie returns to her grandparents' home, and then turns to horror again. The Weight is a ferocious read, the sweetness of the highs there to provide texture for the bitterness of the lows. https://pluralistic.net/2025/08/21/weighty/#edie-is-a-badass TWO MORE (BY ME) This was a light reading year for me, but, in my defense, I did some re-reading, including all nine volumes of Naomi Novik's incredible Temeraire: https://pluralistic.net/2023/01/08/temeraire/#but-i-am-napoleon But the main reason I didn't read as much as I normally would is that I published two international bestsellers of my own this year. The first was Picks and Shovels, a historical technothriller set in the early 1980s, when the PC was first being born. It's the inaugural adventure of Martin Hench, my hard-fighting, two-fisted, high-tech forensic accountant crimefighter, and it's designed to be read all on its own. Marty's first adventure sees him pitted against the owners of a weird PC pyramid-sales cult: a Mormon bishop, an orthodox rabbi and a Catholic priest, whose PC business is a front for a predatory faith-based sales cult: https://us.macmillan.com/books/9781250865908/picksandshovels/ The other book was Enshittification, the nonfiction book I'm touring now (I wrote all this up on the train to San Diego, en route to an event at the Mission Hills Library). It's a book-length expansion of my theory of platform decay ("enshittification"), laying out the process by which the tech platforms we rely on turn themselves into piles of shit, and (more importantly), explaining why this is happening now: https://us.macmillan.com/books/9780374619329/enshittification/ I've got a stack of books I'm hoping to read in the new year, but I'm going to have to squeeze them in among several other book projects of my own. First, there's The Reverse Centaur's Guide to Life After AI," a short book about being a better AI critic, which drops in June from Farrar, Straus and Giroux. I'm also *writing a new book, The Post-American Internet (about the internet we could have now that Trump has destroyed America's soft power and its grip on global tech policy. There's also a graphic novel adaptation of Unauthorized Bread (with Blue Delliquanti), which Firstsecond will publish in late 2026 or 2027; and a graphic novel adaptation of Enshittification (with Koren Shadmi), which Firstsecond will publish in 2027. But of course I'm gonna get to at least some of those books on my overflowing TBR shelf, and when I do, I'll review them here on Pluralistic for you. You can follow my Reviews tag if you want to stay on top of these (there's also an RSS feed for that tag): https://pluralistic.net/tag/reviews/ Hey look at this (permalink) RETRACTED: Safety Evaluation and Risk Assessment of the Herbicide Roundup and Its Active Ingredient, Glyphosate, for Humans https://www.sciencedirect.com/science/article/pii/S0273230099913715 Prisoners’ Inventions https://www.lapl.org/events/exhibits/no-prior-art/exhibitions/ Inside a Group of Vigilantes with One Goal: Painting Crosswalks to Protect Pedestrians https://people.com/inside-secretive-group-vigilantes-one-goal-painting-crosswalks-save-pedestrians-11849437 The AI bubble isn’t new — Karl Marx explained the mechanisms behind it nearly 150 years ago https://theconversation.com/the-ai-bubble-isnt-new-karl-marx-explained-the-mechanisms-behind-it-nearly-150-years-ago-270663 Let's See What's Going On Down At The Piss Factory https://www.todayintabs.com/p/let-s-see-what-s-going-on-down-at-the-piss-factory Object permanence (permalink) #20yrsago Man flies 1MM miles on a 60 day unlimited ticket, wins 10 more flights https://web.archive.org/web/20051203031434/http://au.news.yahoo.com/051201/15/x0z4.html #20yrsago Schneier: Aviation security is a bad joke https://web.archive.org/web/20060212060858/http://www.wired.com/news/privacy/0,1848,69712,00.html?tw=wn_tophead_2 #20yrsago David Byrne gets RIAA warning https://web.archive.org/web/20051223160922/http://journal.davidbyrne.com/2005/12/12105_rant_abou.html #20yrsago Sam Buck sued for naming her coffee shop after herself https://web.archive.org/web/20051231144818/https://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2005/12/01/financial/f132605S26.DTL #20yrsago Eek-A-Mouse jamming with Irish pub musicians https://web.archive.org/web/20051211095248/http://www.alphabetset.net/audio/t-woc/eek_trad.mp3 #15yrsago Bowls made from melted army men https://web.archive.org/web/20071011212754/http://www.associatedcontent.com/article/388073/how_to_make_a_bowl_from_melted_army.html #15yrsago TSA recommends using sexual predator tactics to calm kids at checkpoints https://web.archive.org/web/20101204044209/https://www.rawstory.com/rs/2010/12/airport-patdowns-grooming-children-sex-predators-abuse-expert/ #15yrsago University of Glasgow gives away software, patents, consulting https://www.gla.ac.uk/news/archiveofnews/2010/november/headline_181588_en.html #15yrsago Judge in Xbox hacker trial unloads both barrels on the prosecution https://web.archive.org/web/20101203054828/https://www.wired.com/threatlevel/2010/12/xbox-judge-riled/ #10yrsago Scholars and activists stand in solidarity with shuttered research-sharing sites https://custodians.online/ #10yrsago Mesopotamian boundary stones: the DRM of pre-history https://web.archive.org/web/20151130212151/https://motherboard.vice.com/read/before-drm-there-were-mesopotamian-boundary-stones #10yrsago Canadian civil servants grooming new minister to repeat Harper’s Internet mistakes https://www.michaelgeist.ca/2015/11/what-canadian-heritage-officials-didnt-tell-minister-melanie-joly-about-copyright/ #5yrsago Distanced stage plays https://pluralistic.net/2020/12/01/autophagic-buckeyes/#xanadu #5rsago Ohio spends tax dollars to destroy Ohio https://pluralistic.net/2020/12/01/autophagic-buckeyes/#subsidized-autophagia Upcoming appearances (permalink) Seattle: Neuroscience, AI and Society (University of Washington), Dec 4 https://www.eventbrite.com/e/neuroscience-ai-and-society-cory-doctorow-tickets-1735371255139 Virtual: Poetic Technologies with Brian Eno (David Graeber Institute), Dec 8 https://davidgraeber.institute/poetic-technologies-with-cory-doctorow-and-brian-eno/ Madison, CT: Enshittification at RJ Julia, Dec 8 https://rjjulia.com/event/2025-12-08/cory-doctorow-enshittification Hamburg: Chaos Communications Congress, Dec 27-30 https://events.ccc.de/congress/2025/infos/index.html Recent appearances (permalink) We have become slaves to Silicon Valley (Politics JOE) https://www.youtube.com/watch?v=JzEUvh1r5-w How Enshittification is Destroying The Internet (Frontline Club) https://www.youtube.com/watch?v=oovsyzB9L-s Escape Forward with Cristina Caffarra https://escape-forward.com/2025/11/27/enshittification-of-our-digital-experience/ Why Every Platform Betrays You (Trust Revolution) https://fountain.fm/episode/bJgdt0hJAnppEve6Qmt8 How the internet went to sh*t (Prospect Magazine) https://www.prospectmagazine.co.uk/podcasts/prospect-podcast/71663/cory-doctorow-how-the-internet-went-to-sht Latest books (permalink) "Canny Valley": A limited edition collection of the collages I create for Pluralistic, self-published, September 2025 "Enshittification: Why Everything Suddenly Got Worse and What to Do About It," Farrar, Straus, Giroux, October 7 2025 https://us.macmillan.com/books/9780374619329/enshittification/ "Picks and Shovels": a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books (US), Head of Zeus (UK), February 2025 (https://us.macmillan.com/books/9781250865908/picksandshovels). "The Bezzle": a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books (US), Head of Zeus (UK), February 2024 (the-bezzle.org). "The Lost Cause:" a solarpunk novel of hope in the climate emergency, Tor Books (US), Head of Zeus (UK), November 2023 (http://lost-cause.org). "The Internet Con": A nonfiction book about interoperability and Big Tech (Verso) September 2023 (http://seizethemeansofcomputation.org). Signed copies at Book Soup (https://www.booksoup.com/book/9781804291245). "Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com. "Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com Upcoming books (permalink) "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2026 "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026 "The Memex Method," Farrar, Straus, Giroux, 2026 "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 Colophon (permalink) Today's top sources: Currently writing: "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE. "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING. A Little Brother short story about DIY insulin PLANNING This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net. https://creativecommons.org/licenses/by/4.0/ Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution. How to get Pluralistic: Blog (no ads, tracking, or data-collection): Pluralistic.net Newsletter (no ads, tracking, or data-collection): https://pluralistic.net/plura-list Mastodon (no ads, tracking, or data-collection): https://mamot.fr/@pluralistic Medium (no ads, paywalled): https://doctorow.medium.com/ Twitter (mass-scale, unrestricted, third-party surveillance and advertising): https://twitter.com/doctorow Tumblr (mass-scale, unrestricted, third-party surveillance and advertising): https://mostlysignssomeportents.tumblr.com/tagged/pluralistic "When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer. ISSN: 3066-764X

Pluralistic: Meta's new top EU regulator is contractually prohibited from hurting Meta's feelings (01 Dec 2025)
Today's links Meta's new top EU regulator is contractually prohibited from saying mean things about Meta: It's one thing to hire an ex-Meta lobbyist, another entirely if she's signed a non-disparagement contract. Hey look at this: Delights to delectate. Object permanence: Custom M&M restrictions; Vacuum-bag dust houses; Winner-Take-All Politics; Pre-mutated products; Disney World on strike; "Ship Breaker"; TSA patdowns a "homosexual agenda"; RÄT. Upcoming appearances: Where to find me. Recent appearances: Where I've been. Latest books: You keep readin' em, I'll keep writin' 'em. Upcoming books: Like I said, I'll keep writin' 'em. Colophon: All the rest. Meta's new top EU regulator is contractually prohibited from saying mean things about Meta (permalink) "Regulatory capture" is one of those concepts that can seem nebulous and abstract. How can you really know when a regulator has failed to protect you because they were in bed with the companies they were supposed to be regulating, and when this is just because they're bad at their job. "Never attribute to malice," etc etc. The difficulty of pinning down real instances of regulatory capture is further complicated by the arguments of right-wing economists, who claim that regulatory capture is inevitable, that companies will always grow to the point where they can overpower the state and use it to shut down smaller companies before they can become a threat. They use this as an argument for abolishing all regulation, rather than, you know, stopping monopolies from growing until they are more powerful than the state: https://pluralistic.net/2022/06/05/regulatory-capture/ Despite this confusion, there are times when regulatory capture is anything but subtle. Especially these times, when the corporate world, spooked by the pandemic-era surge in antitrust enforcement, have launched a gloves-off/mask-off offensive to simply take over their governments, abandoning any pretext of being responsive to democratically accountable processes or agencies. You've got David Sacks, Trump's billionaire AI czar, who is directing American AI policy while holding (hundreds of?) millions of dollars worth of stock in companies that stand to directly benefit from his work in the US government: https://www.nytimes.com/2025/11/30/technology/david-sacks-white-house-profits.html?unlocked_article_code=1.5E8.Nb2d.3L204EF4nliq Sacks has threatened the New York Times, demanding that they "abandon" the story about his conflicts of interest: https://protos.com/david-sacks-sends-silly-legal-threat-to-the-new-york-times/ And he's hired the law-firm that is at the center of a decades-long open conspiracy to end press freedom in America, bankrolled and overseen by the same people who planned and executed the destruction of American abortion rights: https://pluralistic.net/2025/03/17/actual-malice/#happy-slapping This isn't a strictly US affair, either. In the UK, Prime Minister Keir Starmer rang in 2025 by firing the country's top competition regulator and replacing him with the former head of Amazon UK, one of the country's most notorious monopolists, whose tax evasion, labor abuses, and anticompetitive mergers and tactics had been on the Competition and Markets Authority's agenda for years: https://pluralistic.net/2025/01/22/autocrats-of-trade/#dingo-babysitter Today, this same swindle is playing out in Canada. Competition Commissioner Matthew Boswell – recently endowed with the most sweeping enforcement powers of any competition regulator in the world – has resigned early. Now, Canada's monopolists are openly calling for one of their own top execs to take over the office for the next five years, citing a bizarre Canadian tradition of alternating between civil servants and revolving-door corporate insiders in turn: https://www.donotpassgo.ca/p/competition-commissioner-matthew However, there is one country that always, always brings home the gold in the Regulatory Capture Olympics: Ireland. Ireland had the misfortune to establish itself as a tax haven, meaning it makes pennies by helping the worst corporations in the world (especially US Big Tech companies) hide billions from global tax authorities. Being a tax haven sucks, because tax havens must also function as crime havens. After all, the tech companies that pretend to be Irish have no loyalty to the country – they are there solely because Ireland will help them cheat the rest of the world. What's more, any company that can hire lawyers to do the paperwork to let it pretend that it's Irish this week could pay those lawyers to pretend that it is Cypriot, or Maltese, or Dutch, or Luxembourgeois next week. To keep these American companies from skipping town, Ireland must bend its entire justice system to the facilitation of all of American tech companies' crimes. Of course, there is no class of crime that American tech companies commit more flagrantly or consequentially than the systematic, ruthless invasion of our privacy. Nine years ago, the EU passed the landmark General Data Protection Regulation (GDPR), a big, muscular privacy law that bans virtually all of the data-collection undertaken by America's tech companies. However, because these companies pretend they are Irish, they have been able to move all GDPR enforcement to Ireland, where the Data Protection Commissioner could always be relied upon to let these companies get away with murder: https://pluralistic.net/2023/05/15/finnegans-snooze/#dirty-old-town If you have formed the (widespread) opinion that the GDPR is worse than useless, responsible for nothing more than an endless stream of bullshit "cookie consent" pop-ups, blame the Irish DPC. American tech companies have pretended that they are allowed to substitute these cookie popups for doing the thing the GDPR demands of them (not spying on you at all). This is an obvious violation of the GDPR, and the only way an enforcer could possibly fail to see this is if they served a government whose entire economy depended on keeping Mark Zuckerberg, Tim Cook and Sundar Pichai happy. It's impossible to explain something to a regulator when their paycheck depends on them not understanding it. Incredibly, Ireland has found a way to make this awful situation even worse. They've appointed Niamh Sweeney, an ex-Meta lobbyist, to the role of Irish Data Protection Commissioner. Her resume includes "six years at Meta, according to her LinkedIn profile. She was head of public policy, Ireland for Facebook before becoming WhatsApp’s director of public policy for Europe, Middle East and Africa": https://www.irishtimes.com/business/2025/09/17/ex-tech-lobbyist-named-to-data-protection-commission/ In their complaint to the European Commission, the Irish Council for Civil Liberties lays out a devastating case against Sweeney's fitness to serve – the fact that she has broad, deep, obvious conflicts of interest that should automatically disqualify her from the role: https://www.iccl.ie/digital-data/complaint-v-ireland-to-european-commission-re-process-appointing-ex-meta-lobbyist-as-data-protection-commissioner/#_ftn11 Among other things, Meta execs – like Sweeney – are given piles of stock options and shares in the company. The decisions that Sweeney will be called upon to make as DPC will have a significant and lasting negative effect on Meta's stocks – if Meta is banned from surveilling 500m affluent European consumers, they will make a lot less money. But that's just for starters. Meta execs also sign contracts that bind them to: Nondisparagement: ex-Meta executives are permanently barred from "making any disparaging, critical or otherwise detrimental comments to any person or entity concerning [Meta's] products, services or programs; its business affairs, operation, management and financial condition…" Nondisclosure: ex-Meta executives are broadly prohibited from discussing their employment, or disclosing the things they learned while working at the company. Forced arbitration: if Meta believes that a former exec has violated these clauses, they can order the former exec to be silent, and bill them tens of thousands of dollars every time they speak out. Former executives sign away the right to contest these fines and orders in front of a judge; instead, all claims are heard by an "arbitrator" – a corporate lawyer who is paid by Meta and is in charge of deciding whether Meta (who pays their invoices) is right or wrong. We know about these contractual terms because they have been applied to Sarah Wynn-Williams, a former top Meta exec who published a whistleblower memoir, Careless People, which discloses many of Meta's most terrible practices, from systemic sexual harassment at the highest echelon to a worldwide surveillance collaboration with the Chinese government to complicity in the Rohingya genocide, to the fact that Mark Zuckerberg cheats at Settlers of Catan and his underlings let him win: https://pluralistic.net/2025/04/23/zuckerstreisand/#zdgaf Meta dragged Wynn-Williams in front of Meta's pet arbitrator over the statements in her book (without disputing their truthfulness). The arbitrator has fined Wynn-Williams $111,000,000 for speaking out ($50,000 per violation), and has barred her from promoting her book in any way. The company has ordered her not to testify before the US Congress or the UK Parliament. The clauses in Wynn-Williams contract are very similar (if not identical) to the clauses that the US National Labor Relations Board ruled unenforceable: https://www.hcamag.com/us/specialization/employment-law/nlrb-rules-metas-7200-confidentiality-agreements-unlawful/499180 Wynn-Williams appeared on stage with me last month at London's Barbican Centre, in a book-tour event moderated by Chris Morris. Whenever we talked about Meta or Careless People, Wynn-Williams would fall silent and assume a blank facial expression, lest she make another statement that would result in Meta seeking another $50,000 from her under the terms of her contract. In their complaint to the EU, ICCL raises the extremely likely probability that Sweeney is bound by the same contractual terms as Wynn-Williams, meaning that Meta's top regulator in Ireland, the country where Meta pretends to be based, will be contractually prohibited from saying anything that makes Mark Zuckerberg feel bad about himself. This isn't just a matter for Ireland, either. Given the nature of European federalism, most of Meta's violations of European privacy laws will start with the Irish DPC – in other words, all 500,000,000 Europeans will be forced to complain to someone who is legally barred from upsetting Zuck's digestion. Tax havens are a global scourge. By allowing American tech companies to evade their taxes around the world, Ireland is complicit in starving countries everywhere of tax revenue they are properly owed. Perhaps even worse than this, though, is the fact that these cod-Irish American companies can always out-compete their domestic rivals all over the world, because those companies have to pay tax, while Meta does not. Ireland has been every bit as important in exporting US Big Tech around the world as the US has been. But Ireland has another key export, one that is confined to the European Union. Because every tax haven must be a crime haven, and because Big Tech's favorite crime is illegal surveillance, Ireland has exported American tech spying to the whole European Union. That's how things stand today, and how they've stood since the passage of the GDPR. If you'd asked me a year ago, I would have said that this is as terrible as things could get. But now that Ireland has put an ex-Meta exec in charge of deciding whether Meta is invading Europeans' privacy, without confirming whether this dingo babysitter is even allowed to criticize Meta, it's clear that things could get much worse than I ever imagined. (Image: Cryteria, CC BY 3.0, modified) Hey look at this (permalink) A Remarkable Assertion from A16Z https://nealstephenson.substack.com/p/a-remarkable-assertion-from-a16z NYC Realtime Subway Clock https://nookwoodworking.com/products/nyc-realtime-subway-clock?variant=42620252717218 Big Tech’s Invisible Hand https://apublica.org/especial/big-techs-invisible-hand/ Santa plc https://open.spotify.com/episode/1HpeETwCsmYAUWM1g06lhI MAGA Antitrust Is Officially Dead: DOJ Sanctions Price Fixing With Slap on the Wrist Settlement Against Rental Housing Collusion Kingpin RealPage https://www.nakedcapitalism.com/2025/12/maga-antitrust-is-officially-dead-doj-sanctions-illegal-behavior-with-slap-on-the-wrist-settlement-against-price-fixing-kingpin-realpage.html Object permanence (permalink) #20yrsago Custom M&Ms: just don’t mention the war, your hometown, or nouns https://memex.craphound.com/2005/11/28/custom-mms-just-dont-mention-the-war-your-hometown-or-nouns/ #20yrsago Sony CD spyware installs and can run permanently, even if you click “Decline” https://blog.citp.princeton.edu/2005/11/28/mediamax-permanently-installs-and-runs-unwanted-software-even-if-user-declines-eula/ #20yrsago Programmers on Sony’s spyware DRM asked for newsgroup help too https://groups.google.com/g/microsoft.public.windowsmedia.sdk/c/kWKbc54lLxo?hl=en&pli=1#cf2c1677c4ce5138 #20yrsago Vacuum-bag dust houses sculpted by former house-cleaner https://web.archive.org/web/20051127031640/http://mocoloco.com/art/archives/001661.php #20yrsago Sony knew about rootkits 28 days before the story broke https://web.archive.org/web/20051202044828/http://www.businessweek.com/technology/content/nov2005/tc20051129_938966.htm #20yrsago How the next version of the GPL will be drafted https://gplv3.fsf.org/process-definition/ #20yrsago No Xmas for Sony protest badge https://web.archive.org/web/20051203044536/https://gigi.pixcode.com/noxmas.gif #20yrsago HOWTO defeat Apple’s anti-DVD-screenshot DRM https://highschoolblows.blogspot.com/2005/11/take-screenshot-of-dvd-player-in-os-x.html #20yrsago EFF: DMCA exemption process is completely bullshit https://web.archive.org/web/20051204031027/https://www.eff.org/deeplinks/archives/004212.php #15yrsago Paolo Bacigalupi’s SHIP BREAKER: YA adventure story in a post-peak-oil world https://memex.craphound.com/2010/11/30/paolo-bacigalupis-ship-breaker-ya-adventure-story-in-a-post-peak-oil-world/ #15yrsago Walt Disney World employees demand a living wage https://thedisneyblog.com/2010/12/01/disney-world-union-takes-offensive/ #15yrsago Hotel peephole doctored for easy removal and spying https://www.flickr.com/photos/kentbrew/5221903189/ #15yrsago DC-area county official says TSA patdowns are “homosexual agenda” https://dcist.com/story/10/11/30/loudoun-county-official-tsa-pat-dow/ #15yrsago Dmitry Sklyarov and co. crack Canon’s “image verification” anti-photoshopping tool https://web.archive.org/web/20110808200303/https://www.networkworld.com/news/2010/113010-analyst-finds-flaws-in-canon.html #15yrsago TSA scans uniformed pilots, but airside caterers bypass all screening https://web.archive.org/web/20101125095532/https://www.salon.com/technology/ask_the_pilot/2010/11/22/tsa_screening_of_pilots/index.html #15yrsago BP sued in Ecuador for violating the “rights of Nature” https://www.democracynow.org/2010/11/29/headlines/bp_sued_in_ecuadorian_court_for_violating_rights_of_nature #15yrsago Four horsemen of the information apocalypse: Cohen, Fanning, Johansen and Frankel https://web.archive.org/web/20101126191152/https://time.com/time/specials/packages/printout/0,29239,2032304_2032746_2032903,00.html #15yrsago Winner-Take-All Politics: how America’s super-rich got so much richer https://memex.craphound.com/2010/11/29/winner-take-all-politics-how-americas-super-rich-got-so-much-richer/ #15yrsago EFF on US domain copyright seizures https://www.eff.org/deeplinks/2010/11/us-government-seizes-82-websites-draconian-future #15yrsago Where’s Molly: heartbreaking reunion with developmentally disabled sister institutionalized 47 years ago https://web.archive.org/web/20101129193304/http://www.cbsnews.com/stories/2010/11/28/sunday/main7096335.shtml #15yrsago “Death-row inmate” seeks last meal advice on Amazon message-board https://web.archive.org/web/20101130212132/http://www.amazon.com/tag/health/forum/ref=cm_cd_pg_pg1?_encoding=UTF8&cdForum=Fx1EO24KZG65FCB&cdPage=1&cdSort=oldest&cdThread=Tx3FNFNI6N592DI #10yrsago You’re only an “economic migrant” if you’re poor and brown https://historyned.blog/2015/09/09/the-wandering-academic-or-how-no-one-seems-to-notice-that-i-am-an-economic-migrant/ #10yrsago Pre-mutated products: where did all those “hoverboards” come from? https://memex.craphound.com/2015/11/29/pre-mutated-products-where-did-all-those-hoverboards-come-from/ #10yrsago Millennials are cheap because they’re broke https://www.theatlantic.com/business/archive/2014/12/millennials-arent-saving-money-because-theyre-not-making-money/383338/?utm_source=SFFB #5yrsago Attack Surface in the New York Times https://pluralistic.net/2020/11/30/selmers-train/#times #5yrsago RÄT https://pluralistic.net/2020/11/30/selmers-train/#honey-morello #5yrsago Open law and the rule of law https://pluralistic.net/2020/11/30/selmers-train/#rogue-archivist #5yrsago Twitter is more redeemable than Facebook https://pluralistic.net/2020/11/30/selmers-train/#epistemic-superiority Upcoming appearances (permalink) San Diego: Enshittification at the Mission Hills Branch Library, Dec 1 https://libraryfoundationsd.org/events/doctorow Seattle: Neuroscience, AI and Society (University of Washington), Dec 4 https://www.eventbrite.com/e/neuroscience-ai-and-society-cory-doctorow-tickets-1735371255139 Virtual: Poetic Technologies with Brian Eno (David Graeber Institute), Dec 8 https://davidgraeber.institute/poetic-technologies-with-cory-doctorow-and-brian-eno/ Madison, CT: Enshittification at RJ Julia, Dec 8 https://rjjulia.com/event/2025-12-08/cory-doctorow-enshittification Hamburg: Chaos Communications Congress, Dec 27-30 https://events.ccc.de/congress/2025/infos/index.html Recent appearances (permalink) We have become slaves to Silicon Valley (Politics JOE) https://www.youtube.com/watch?v=JzEUvh1r5-w How Enshittification is Destroying The Internet (Frontline Club) https://www.youtube.com/watch?v=oovsyzB9L-s Escape Forward with Cristina Caffarra https://escape-forward.com/2025/11/27/enshittification-of-our-digital-experience/ Why Every Platform Betrays You (Trust Revolution) https://fountain.fm/episode/bJgdt0hJAnppEve6Qmt8 How the internet went to sh*t (Prospect Magazine) https://www.prospectmagazine.co.uk/podcasts/prospect-podcast/71663/cory-doctorow-how-the-internet-went-to-sht Latest books (permalink) "Canny Valley": A limited edition collection of the collages I create for Pluralistic, self-published, September 2025 "Enshittification: Why Everything Suddenly Got Worse and What to Do About It," Farrar, Straus, Giroux, October 7 2025 https://us.macmillan.com/books/9780374619329/enshittification/ "Picks and Shovels": a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books (US), Head of Zeus (UK), February 2025 (https://us.macmillan.com/books/9781250865908/picksandshovels). "The Bezzle": a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books (US), Head of Zeus (UK), February 2024 (the-bezzle.org). "The Lost Cause:" a solarpunk novel of hope in the climate emergency, Tor Books (US), Head of Zeus (UK), November 2023 (http://lost-cause.org). "The Internet Con": A nonfiction book about interoperability and Big Tech (Verso) September 2023 (http://seizethemeansofcomputation.org). Signed copies at Book Soup (https://www.booksoup.com/book/9781804291245). "Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com. "Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com Upcoming books (permalink) "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2026 "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026 "The Memex Method," Farrar, Straus, Giroux, 2026 "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 Colophon (permalink) Today's top sources: Currently writing: "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE. "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING. A Little Brother short story about DIY insulin PLANNING This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net. https://creativecommons.org/licenses/by/4.0/ Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution. How to get Pluralistic: Blog (no ads, tracking, or data-collection): Pluralistic.net Newsletter (no ads, tracking, or data-collection): https://pluralistic.net/plura-list Mastodon (no ads, tracking, or data-collection): https://mamot.fr/@pluralistic Medium (no ads, paywalled): https://doctorow.medium.com/ Twitter (mass-scale, unrestricted, third-party surveillance and advertising): https://twitter.com/doctorow Tumblr (mass-scale, unrestricted, third-party surveillance and advertising): https://mostlysignssomeportents.tumblr.com/tagged/pluralistic "When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer. ISSN: 3066-764X

Pluralistic: (Digital) Elbows Up (28 Nov 2025)
Today's links (Digital) Elbows Up: How Canada Can Become a Nation of Jailbreakers, Reclaim Our Digital Sovereignty, Win the Trade-War, and Disenshittify Our Technology. Hey look at this: Delights to delectate. Object permanence: Workaholic Goethe; Prehistory of the Sony rootkit; Wunderkammer front room; Dolphin teleportation symposium: now with more Eisenhowers Upcoming appearances: Where to find me. Recent appearances: Where I've been. Latest books: You keep readin' em, I'll keep writin' 'em. Upcoming books: Like I said, I'll keep writin' 'em. Colophon: All the rest. (Digital) Elbows Up (permalink) I'm in Toronto to participate in a three-day "speculative design" workshop at OCAD U, where designers, technologists and art students are thinking up cool things Canadians could do if we reformed our tech law: https://www.ocadu.ca/events-and-exhibitions/jailbreaking-canada As part of that workshop, I delivered a keynote speech last night, entitled "(Digital) Elbows Up: How Canada Can Become a Nation of Jailbreakers, Reclaim Our Digital Sovereignty, Win the Trade-War, and Disenshittify Our Technology." The talk was recorded and I'll add the video to this post when I get it, but in the meantime, here's the transcript of my speech. Thank you to all my collaborators at OCAD U for bringing me in and giving me this wonderful opportunity! == My theory of enshittification describes the process by which platforms decay. First, they are good to their end users, while finding a way to lock those users in. Then, secure in the knowledge that they can make things worse for those users without risking their departure, the platforms make things worse in order to make things attractive for business customers. Who also get locked in, dependent on those captive users. And then, in the third stage of enshittification, platforms raid those business customers, harvesting all available surpluses for their shareholders and executives, leaving behind the bare, mingy homeopathic residue of value needed to keep users locked to the platform and businesses locked to the users, such that the final, ideal stage of the enshittified platform is attained: a giant pile of shit. This observational piece of the theory is certainly valuable, inasumuch as it lets us scoop up this big, diffuse, enraging phenomenon, capture it in a net, attach a handle to it and call it "enshittification," recognising how we're being screwed. But much more important is the enshittification hypothesis's theoretical piece, its account of why this is happening now. Let me start by saying that I do not attribute blame for enshittification to your poor consumer choices. Despite the endless insistences of the right, your consumption choices aren't the arbiters of policy. The reason billionaires urge you to vote with your wallets is that their wallets are so much thicker than yours. This is the only numeric advantage the wealthy and powerful enjoy. They are in every other regards an irrelevant, infinitesimal minority. In a vote of ballots, rather than wallets, they will lose every time, which is why they are so committed to this wallet-voting nonsense. The wallet-vote is the only vote they can hope to win. The idea that consumers are the final arbiters of society is a laughable, bitter counsel of despair. You will not shop your way free of a monopoly, any more than you will recycle your way out of wildfires. Shop as hard as you like, you will not – cannot – end enshittification. Enshittification is not the result of your failure to grasp that "if you're not paying for the product, you're the product." You're the product if you pay. You're the product if you don't pay. The determinant of your demotion to "the product" is whether the company can get away with treating you as the product. So what about the companies? What about the ketamine-addled zuckermuskian failures who have appointed themselves eternal dictators over the digital lives of billions of people? Can we blame them for enshittifying our world? Well, yes…and no. It's obviously true that it takes a certain kind of sociopath to run a company like Facebook or Google or Apple. The suicide nets around Chinese iPhone factories are a choice, not an integral component of the phone manufacturing process. But these awful men are merely filling the niches that our policy environment has created. If Elon Musk ODs on ket today, there will be an overnight succession battle among ten horrible Big Balls, and the victor who emerges from that war will be indistinguishable from Musk himself. The problem isn't that the wrong person is running Facebook and thus exercising a total veto over the digital lives of four billion people, the problem is that such a job exists. We don't need to perfect Zuck. We don't need to replace Zuck. We need to abolish Zuck. So where does the blame lie? It lies with policy makers. Regulators and politicians who created an enshittogenic environment: a rigged game whose terrible rules guarantee that the worst people doing the worst things will fare best. These are the true authors of enshittification: the named individuals who, in living memory, undertook specific policy decisions, that had the foreseeable and foreseen outcome of ushering in the enshittocene. Policymakers who were warned at the time that this would happen, who ignored that advice and did it anyway. It is these people and their terrible, deliberate misconduct that we need to remember. It is their awful policies that we must overthrow, otherwise all we can hope to do is replace one monster with another. So, in that spirit, let us turn to the story of one of these enshittogenic policy choices and the men who made it. This policy is called "anti-circumvention" and it is the epicenter of the enshittogenic policy universe. Under anti-circumvention law, it is a crime to modify a device that you own, if the company that sold it to you would prefer that you didn't. All a company has to do is demarcate some of its code as off-limits to modification, by adding something called an "access control," and, in so doing, they transform the act of changing any of that code into a felony, a jailable offense. The first anticircumvention law is America's Digital Millennium Copyright Act, or DMCA. Under Section 1201 of the DMCA, helping someone modify code behind an access control is a serious crime, punishable by a five-year prison sentence and a $500,000 fine. Crucially, this is true whether or not you break any other law. Under DMCA 1201, simply altering a digital device to do a perfectly legal thing becomes a jailable crime, if the manufacturer wills it so and manifests that will with an "access control." I recognize that this is all very abstract, so let me make it concrete. When you buy a printer from HP, it becomes your property. What's property? Well, let's use the standard definition that every law student learns in first year property law, from Sir William Blackstone's 1753 treatise: "Property: that sole and despotic dominion which one man claims and exercises over the external things of the world, in total exclusion of the right of any other individual in the universe." The printer is yours. It's your property. You have sole and despotic dominion over it in exclusion of any other individual in the universe. But HP printers ship with a program that checks to see whether you're using HP ink, and if it suspects that you've bought generic ink, the printer refuses to use it. Now, Congress never passed a law saying "If you buy an HP printer, you have to buy HP ink, too." That would be a weird law, given the whole sole-and-despotic dominion thing. But because HP puts an "access control" in the ink-checking code, they can conjure up a brand new law: a law that effectively requires you to use HP ink. Anticircumvention is a way for legislatures to outsource law-making to corporations. Once a corporation adds an access control to its product, they can create a new felony for using it in ways that benefit you at the expense of the company's shareholders. So another way of saying "anticircumvention law" is "felony contempt of business model." It's a way for a corporation to threaten you with prison if you don't use your property in the way they want you to. That's anti-circumvention law. The DMCA was an enshittifier's charter, an invitation for corporations to use tactical "access controls" to write invisible, private laws that would let them threaten their customers – and competitors who might help those customers – with criminal prosecution. Now, the DMCA has a known, living author, Bruce Lehman, a corporate IP lawyer who did a turn in government service as Bill Clinton's IP Czar. Lehman tried several ways to get American policymakers to adopt this stupid idea, only to be rebuffed. So, undaunted, he traveled to Geneva, home of the World Intellectual Property Organization or WIPO, a UN "specialized agency" that makes the world's IP treaties. At Lehman's insistence, WIPO passed a pair of treaties in 1996, collectively known as the "Internet Treaties," and in 1998, he got Congress to pass the DMCA, in order to comply with the terms of these treaties, a move he has since repeatedly described as "doing an end-run around Congress." This guy, Bruce Lehman, is still with us, breathing the same air as you and me. We are sharing a planet with the Louis Pasteur of making everything as shitty as possible. But Bruce Lehman only enshittified America, turning our southern cousins into fodder for the immortal colony organisms we call limited liability corporations. To understand how Canada enshittified, we have to introduce some Canadian enshittifiers. Specifically, two of Stephen Harper's ministers: James Moore, Harper's Heritage minister, and the disgraced sex-pest Tony Clement, who was then Industry minister. Stephen Harper really wanted a Canadian anti-circumvention law, and he put Clement and Moore in charge of the effort. Everyone knew that it was going to be a hard slog. After all, Canadians had already rejected anti-circumvention law three times. Back in 2006, Sam Bulte – a Liberal MP in Paul Martin's government – tried to get this law through, but it was so unpopular that she lost her seat in Parkdale, which flipped to the NDP for a generation. Moore and Clement hatched a plan to sell anti-circumvention to the Canadian people. They decided to do a consultation on the law. The thinking was that if we all "felt heard" then we wouldn't be so angry when they rammed it through. Boy, did that backfire. 6,138 of us filed consultation responses categorically rejecting this terrible law, and only 53 responses offered support for the idea. How were Moore and Clement going to spin this? Simple. Moore went to a meeting of the International Chamber of Commerce in Toronto, and gave a speech where he denounced all 6,138 of us as "babyish" and "radical extremists." Then Harper whipped his caucus and in 2012, Bill C-11, the Copyright Modernisation Act passed, and we got a Made-in-Canada all-purpose, omnienshittificatory anti-circumvention law. Let's be clear about what this law does: because it makes no exemptions for circumvention for lawful purposes, Canada's anti-circumvention law criminalizes anything you do with your computer, phone or device, if it runs counter to the manufacturer's wishes. It's an invitation for foreign manufacturers to use Canada's courts to punish Canadian customers and Canadian companies for finding ways to make the products we buy and use less shitty. Anti-circumvention is at the root of the repair emergency. All companies have to do is add an "initialization" routine to their devices, so that any new parts installed in a car, or a tractor, or a phone, or a ventilator have to be unlocked by the manufacturer's representative before the device will recognize the new part, and it becomes a crime for an independent mechanic, or a farmer, or an independent repair shop, or a hospital technician to fix a car, or a tractor, or a phone, or a ventilator. This is called "parts pairing" or "VIN locking." Now, we did pass C-244, a national Right to Repair law, last year, but it's just a useless ornament, because it doesn't override anti-circumvention. So Canadians can't fix their own technology if the manufacturer uses an access control to block the repair. Anti-circumvention means we can't fix things when they break, and it also means that we can't fix them when they arrive pre-broken by their enshittifying manufacturers. Take the iPhone: it can only use one app store, Apple's official one, and everyone who puts an app in the app store has to sign up to use Apple's payment processor, which takes 30 cents out of every dollar you spend inside an app. That means that when a Canadian user sends $10 a month to a Canadian independent news outlet or podcast, $3 out of that $10 gets sucked out of the transaction and lands in Cupertino, California, where it is divvied by Apple's shareholders and executives. It's not just news sites. Every dollar you send through an app to a performer on Patreon, a crafter on Etsy, a games company, or a software company takes a roundtrip through Silicon Valley and comes back 30 cents lighter. A Canadian company could bypass the iPhone's "access controls" and give you a download or a little hardware dongle that installed a Canadian app store, one that used the Interac network to process payments for free, eliminating Apple and Google's 30% tax on Canada's entire mobile digital economy. And indeed, we have 2024's Bill C-294, an interoperability law, that lets Canadians do this. But just as with the repair law, our interoperability law is also useless, because it doesn't repeal the anti-circumvention law, meaning you are only allowed to reverse engineer products to make interoperable alternatives if there is no access control in the way. Of course, every company that's in a position to rip you off just adds an access control. The fact that foreign corporations have the final say over how Canadians use their own property is a font of endless enshittification. Remember when we told Facebook to pay news outlets for links and Facebook just removed all links to the news? Our anti-circumvention law is the only reason that a Canadian company couldn't jailbreak the Facebook app and give you an alternative app, one that slurped up everything Facebook was waiting to show you in your feed, all the updates from your friend and your groups while blocking all the surveillance, the ads and the slop and the recommendations, and then mixing in the news that you wanted to see. Remember when we tried to get Netflix to show Canadian content in your recommendations and search results? Anti-circumvention is the only reason some Canadian company can't jailbreak the Netflix app and give you an alternative client that lets you stream all your Netflix shows but also shows you search results from the NFB and any other library of Canadian media, while blocking Netflix's surveillance. Anticircumvention means that Canadian technologists can't seize the means of computation, which means that we're at the mercy of American companies and we only get the rights that they decide to give us. Apple will block Facebook's apps from spying on you while you use your iPhone, but they won't let you block Apple from spying on you while you use your iPhone, to gather exactly the same data Facebook steals from you, for exactly the same purpose: to target ads to you. Apple will screen the apps in its app store to prevent malicious code from running on your iPhone, but if you want to run a legitimate app and Apple doesn't want you to, they will block it from the app store and you will just have to die mad. That's what's happened in October, when Apple kicked an app called ICE Block out of the App Store. ICE Block is an app that warns you if masked thugs are at large in your neighborhood waiting to kidnap you and send you to a camp. Apple decided that ICE thugs were a "protected class" that ICE Block discriminated against. They decided that you don't deserve to be safe from ICE kidnappings, and what they say goes. The road to enshittification hell is paved with anticircumvention. We told our politicians this, a decade and a half ago, and they called us "babyish radical extremists" and did it anyway. Now, I've been shouting about this for decades. I was one of those activists who helped get Sam Bulte unelected and flipped her seat for 20 years. But I will be the first person to tell you that I have mostly failed at preventing enshittification. Bruce Lehman, James Moore and even Tony "dick pic" Clement are way better at enshittifying the world than I am at disenshittifying it. Of course, they have an advantage over me: they are in a coalition with the world's most powerful corporations and their wealthy investors. Whereas my coalition is basically, you know, you folks. People who care about human rights, workers' rights, consumer rights, privacy rights. And guys, I hate to tell you, but we're losing. Let's talk about how we start winning. Any time you see a group of people successfully push for a change that they've been trying to make unsuccessfully for a long-ass time it's a sure bet that they've found some coalition partners. People who want some of the same things, who've set aside their differences and joined the fight. That's the Trump story, all over. The Trump coalition is basically, all the billionaires, plus the racists, plus the dopes who'd vote for a slime mold if it promised to lower their taxes by a nickle, even though they somehow expect to have roads and schools. Well, maybe not schools. You know, Ford Nation. Plus everyone who correctly thinks the Democratic Party are a bunch of do-nothing sellouts, who think they can bully you into voting for genocide because the other guy is an out-and-out fascist. Billionaires, racists, freaks with low-tax brain-worms and people who hate the sellout Dems: Trump's built a coalition that gets stuff done. Sure, it's terrible stuff, but you can't deny that they're getting it done. To escape from the enshittificatory black hole that Clement and Moore blew in Canadian policy, we need a coalition, too. And thanks to Trump and his incontinent belligerence, we're getting one. Let's start with the Trump tariffs. When I was telling you about how anticircumvention law took four tries under two different Prime Ministers, perhaps you wondered "Why did all these Canadian politicians want this stupid law in the first place?" After all, it's not like Canadian companies are particularly enriched by this law. Sure, it lets Ted Rogers rent you a cable box that won't let you attach a video recorder, so you have to pay for Rogers' PVR, which only lets you record some shows, and deletes them after a set time, and won't let you skip the ads. But the amount of extra money Rogers makes off this disgusting little racket is dwarfed by the billions that Canadian businesses leave on the table every year, by not going into business disenshittifying America's shitty tech exports. To say nothing of the junk fees and app taxes and data that those American companies rip off every Canadian for. So why were these Canadian MPs and prime ministers from both the Liberals and the Tories so invested in getting anticircumvention onto our law-books? Simple: the US Trade Rep threatened us with tariffs if we didn't pass an anti-circuvmention law. Remember, digital products are slippery. If America bans circumvention, and American companies start screwing the American public, that just opens an opportunity for companies elsewhere in the world to make disenshittifying products, which any American with an internet connection and a payment method can buy. Downloading jailbreaking code is much easier than getting insulin shipped from a Canadian pharmacy! So the US Trade Rep's top priority for the past quarter-century has been bullying America's trading partners into passing anti-circumvention laws to render their own people defenseless against American tech companies' predation and to prevent non-American tech companies from going into business disenshittifying America's defective goods. The threat of tariffs was so serious that multiple Canadian PMs from multiple parties tried multiple times to get a law on the books that would protect us from tariffs. And then in comes Trump, and now we have tariffs anyway. And let me tell you: when someone threatens to burn your house down if you don't follow their orders, and you follow their orders, and they burn your house down anyway, you are an absolute sucker if you keep following their orders. We could respond to the tariffs by legalizing circumvention, and unleashing Canadian companies to go into business raiding the margins of the most profitable lines of business of the most profitable corporations the world has ever seen. Sure, Canada might not ever have a company like Research In Motion again, but what we could have is a company that sells the tools to jailbreak iPhones to anyone who wants to set up an independent iPhone store, bypassing Apple's 30% app tax and its high-handed judgments about what apps we can and can't have. Apple's payment processing business is worth $100b/year. We could offer people a 90% discount and still make $10b/year. And unlike Apple, we wouldn't have to assume the risk and capital expenditure of making phones. We could stick Apple with all of the risk and expense, and cream off the profits. That's fair, isn't it? It's certainly how Big Tech operates. When Amazon started, Jeff Bezos said to the publishers, "Your margin is my opportunity." $100b/year off a 30% payment processing fee is a hell of a margin, and a hell of an opportunity. With Silicon Valley, it's always "disruption for thee, not for me." When they do it to us, that's progress, when we do it to them, it's piracy (and every pirate wants to be an admiral). Now, of course, Canada hasn't responded to the Trump tariffs with jailbreaking. Our version of "elbows up" turns out to mean retaliatory tariffs. Which is to say, we're making everything we buy from America more expensive for us, which is a pretty weird way of punishing America, eh? It's like punching yourself in the face really hard and hoping the downstairs neighbour says "Ouch." Plus, it's pretty indiscriminate. We're not angry at Americans. We're angry at Trump and his financial backers. Tariffing soybeans just whacks some poor farmer in a state that begins and ends with a vowel who's never done anything bad to Canada. I guarantee you that poor bastard is making payments on a John Deere tractor, which costs him an extra $200 every time it breaks down, because after he fixes it himself, he has to pay two hundred bucks to John Deere and wait two days for them to send out a technician who types an unlock code into the tractor's console that unlocks the "parts pairing," so the tractor recognises the new part. Instead of tariffing that farmer's soybeans, we could sell him the jailbreaking tool that lets him fix his tractor without paying an extra $200 to John Deere. Instead of tsking at Elon Musk over his Nazi salute, we could sell every mechanic in the world a Tesla jailbreaking kit that unlocks all the subscription features and software upgrades, without sending a dime to Tesla, kicking Elon Musk square in the dongle. This is all stuff we could be doing. We could be building gigantic Canadian tech businesses, exporting to a global market, whose products make everything cheaper for every Canadian, and everyone else in the world, including every American. Because the American public is also getting screwed by these companies, and we could stand on guard for them, too. We could be the Disenshittification Nation. But that's not what we've done. Instead, we've decided to make everything in Canada more expensive, which is just about the stupidest political strategy I've ever heard of. This might be the only thing Carney could do that's less popular than firing 10,000 civil servants and replacing them with chatbots on the advice of the world's shadiest art dealer, who is pretty sure that if we keep shoveling words into the word-guessing program it will wake up and become intelligent. Which is just, you know, stupid. It's like thinking that if we just keep breeding our horses to run faster, one of our mares will eventually give birth to a locomotive. Human beings are not word-guessing programs who know more words than ChatGPT. Now, it's clear that the coalition of "people who care about digital rights" and "people who want to make billions of dollars off jailbreaking tech" isn't powerful enough to break the coalition that makes hundreds of billions of dollars from enshittification. But Trump – yes, Trump! – keeps recruiting people to our cause. Trump has made it clear that America no longer has allies, nor does it have trading partners. It has adversaries and rivals. And Trump's favorite weapons for attacking his foreign adversaries are America's tech giants. When the International Criminal Court issued an arrest warrant against Bejamin Netanyahu for ordering a genocide, Trump denounced them, and Microsoft shut down their Outlook accounts. The chief prosecutor and other justices immediately lost access to all the working files of the court, to their email archives, to their diaries and address books. This was a giant, blinking sign, visible from space, reading AMERICAN TECHNOLOGY CANNOT BE TRUSTED. Trump's America only has adversaries and rivals, and Trump will pursue dominance by bricking your government, your businesses, your whole country. It's not just administrative software that Trump can send kill signals to. Remember when those Russian looters stole Ukrainian tractors and they turned up in Crimea? John Deere sent a kill-signal to the tractors and permanently immobilized them. This was quite a cool little comeuppance, the kind of thing a cyberpunk writer like me can certainly relish. But anyone who thinks about this for, oh, ten seconds will immediately realise that anyone who can push around the John Deere company can order the permanent immobilization of any tractor in the world, or all the tractors in your country. Because John Deere is a monopolist, and whatever part of the market Deere doesn't control is controlled by Massey Ferguson, and Trump can order the bricking of those tractors, too. This is the thing we were warned we'd face if we let Huawei provide our telecoms infrastructure, and those warnings weren't wrong. We should be worried about any gadget that we rely on that can be bricked by its manufacturer. Because that means we are at risk from the manufacturer, from governments who can suborn the manufacturer, from corporate insiders who can hijack the manufacturer's control systems, and from criminals who can impersonate the manufacturer to our devices. This is the third part of our coalition: not just digital rights weirdos like me; not just investors and technologists looking to make billions; but also national security hawks who are justifiably freaking out about America, China, or someone else shutting down key pieces of their country, from its food supply to its administrative capacity. Trump is a crisis, and crises precipitate change. Just look at Europe. Before Putin invaded Ukraine, the EU was a decade behind on its energy transition goals. Now, just a few years later, they're 15 years ahead of schedule. It turns out that a lot of "impossible" things are really just fights you'd rather not have. No one wants to argue with some tedious German who hates the idea of looking at "ugly solar panels" on their neighbour's balcony. But once you're all shivering in the dark, that's an argument you will have and you will win. Today, another mad emperor is threatening Europe – and the world. Trump's wanton aggression has given rise to a new anti-enshittification coalition: digital rights advocates, investors and technologists, and national security hawks; both the ones who worry about America, and the ones who worry about China. That's a hell of a coalition! The time is right to become a disenshittification nation, to harness our own tech talent, and the technologists who are fleeing Trump's America in droves, along with capital from investors who'd like to back a business whose success isn't determined by how many $TRUMP Coins they buy. Jailbreaking is how Canada cuts American Big Tech down to size. It's unlike everything else we've tried, like the Digital Services Tax, or forcing Netflix to support cancon, or making Facebook and Google pay to link to the news. All of those tactics involve making these companies that are orders of magnitude richer than Canada do something they absolutely do not want to do. Time and again, they've shown that we don't have the power to make them do things. But you know what Canada has total power over? What Canada does. We are under no obligation to continue to let these companies use our courts to attack our technologists, our businesses, our security researchers, our tech co-ops, our nonprofits, who want to jailbreak America's shitty tech, to seize the means of computation, to end the era in which American tech companies can raid our wallets and our data with impunity. In a jailbroken Canada, we don't have to limit ourselves to redistribution, to taxing away some of the money that the tech giants steal from us. In a jailbroken Canada, we can do predistribution. We can stop them from stealing our money in the first place. And if we don't do it, someone else will. Because every country was arm-twisted into passing an anti-circumvention law like ours. Every country had a supine and cowardly lickspittle like James Moore or Tony Clement who'd do America's bidding, a quisling who'd put their nation's people and businesses in chains, rather than upset the US Trade Rep. And all of those countries are right where we are: hit with tariffs, threatened by Trump, waiting for the day that Microsoft or Oracle or Google or John Deere bricks their businesses, their government, their farms. One of those countries is going to jump at this opportunity, the opportunity to consume the billions in rents stolen by US Tech giants, and use them as fuel for a single-use rocket booster that launches their tech sector into a stable orbit for decades to come. That gives them the hottest export business in living memory: a capital-light, unstoppable suite of products that save businesses and consumers money, while protecting their privacy. If we sleep on this, we'll still benefit. We'll get the consumer surplus that comes from buying those jailbreaking tools online and using them to disenshittify our social media, our operating systems, our vehicles, our industrial and farm equipment. But we won't get the industrial policy, the chance to launch a whole sector of businesses, each with the global reach and influence of RIM or Nortel. That'll go to someone else. The Europeans are already on it. They're funding and building the "Eurostack": free, open source, auditable and trustworthy versions of the US tech silos. We're going to be able to use that here. I mean, why not? We'll just install that code on metal running in Canadian data-centres, and we'll debug it and add features to it, and so will everyone else. Because that's how IT should work, and it should go beyond just the admin and database software that businesses and governments rely on. We should be building drop-in, free, open software for everything: smart speakers, smart TVs, smart watches, phones, cars, tractors, powered wheelchairs, ventilators. That's how it should already be: that the software that powers these devices that we entrust with our data, our integrity, our lives should be running code that anyone can see, test, and improve. That's how science works, after all. Before we had science, we had something kind of like science. We had alchemy. Alchemy was very similar to science, in that an alchemist would observe some natural phenomena in the world, hypothesise a causal relationship between them, and design an experiment to validate that hypothesis. But here's where alchemy and science diverge: unlike a scientist, an alchemist wouldn't publish their results. They'd keep them secret, rather than exposing them to the agony of adversarial peer review, where your enemies seek out every possible reason to discredit your work. This let the alchemists kid themselves about the stuff they thought they'd discovered, and that's why every alchemist discovered for themself, in the hardest way possible, that you shouldn't drink mercury. But after 500 years of this, alchemy finally achieved its long sought-after goal of converting something common to something of immeasurable value. Alchemy discovered how to transform the base metal of superstition into the precious metal of knowledge, through the crucible of publishing. Disclosure is the difference between knowledge and ignorance. Openness is the difference between dying of mercury poisoning and discovering medicine. The fact that we have a law on our statute books, in the year of two thousand and twenty-five, that criminalises discovering how the software we rely on works, and telling other people about it and improving it – well, it's pretty fucking pathetic, isn't it? We don't have to keep on drinking the alchemists' mercury. We don't have to remain prisoners of the preposterous policy blunders of Tony Clement and James Moore. We don't have to tolerate the endless extraction of Big Tech. We don't have to leave billions on the table. We need not abide the presence of lurking danger in all our cloud-connected devices. We can be the vanguard of a global movement of international nationalism, of digital sovereignty grounded in universal, open, transparent software, a commons that everyone contributes to and relies upon. Something more like science than technology. Like the EU's energy transition, this is a move that's long overdue. Like the EU's energy transition, a mad emperor has created the conditions for us to get off of our asses, to build a better world. We could be a disenshittification nation. We could seize the means of computation. We could have a new, good internet that respects our privacy and our wallets. We could make a goddamned fortune doing it. And once we do it, we could protect ourselves from spineless digital vassals of the mad king on our southern border, and rescue our American cousins to boot. What's not to like? Hey look at this (permalink) The UK Has It Wrong on Digital ID. Here’s Why https://www.eff.org/deeplinks/2025/11/uk-has-it-wrong-digital-id-heres-why Sex Workers Built an ‘Anti-OnlyFans’ to Take Control of Their Profits https://www.wired.com/story/sex-workers-built-an-anti-onlyfans-to-take-control-of-their-profits/ Object permanence (permalink) #20yrago Ten (sensible) startup rules https://web.archive.org/web/20060324072607/https://evhead.com/2005/11/ten-rules-for-web-startups.asp #20yrsago Bosnian town unveils Bruce Lee statue of peace http://news.bbc.co.uk/2/hi/entertainment/4474316.stm #20yrsago Sony rootkit author asked for free code to lock up music https://web.archive.org/web/20051130023447/https://groups.google.de/group/microsoft.public.windowsmedia.drm/msg/7cb5c4ad49fa206e #20yrsago Singapore’s executioner gets fired http://news.bbc.co.uk/2/hi/asia-pacific/4477012.stm #20yrsago Pre-history of the Sony rootkit https://web.archive.org/web/20181126020952/https://community.osr.com/discussion/42117#T3 #15yrsago Support the magnetic ribbon industry ribbon! https://www.reddit.com/r/pics/comments/ecr1t/ill_see_your_empty_gesture_and_raise_you/ #15yrsago Molecular biologist on the dangers of pornoscanners https://web.archive.org/web/20101125192455/https://myhelicaltryst.blogspot.com/2010/11/tsa-x-ray-backscatter-body-scanner.html #15yrsago Wunderkammerer front room crammed with nooks https://web.archive.org/web/20101125184317/http://mocoloco.com/fresh2/2010/11/23/villa-j-by-marge-arkitekter.php #15yrsago Delightful science fiction story in review of $6800 speaker cable https://www.amazon.com/review/R3I8VKTCITJCX6/ref=cm_cr_dp_perm?ie=UTF8&ASIN=B000J36XR2&nodeID=172282&tag=&linkCode= #15yrsago German Pirate Party members strip off for Berlin airport scanner protest https://web.archive.org/web/20101129043459/https://permaculture.org.au/2010/11/26/full-monty-scanner-or-enhanced-pat-down-the-only-options/ #10yrsago Dolphin teleportation symposium: now with more Eisenhowers! https://twitpic.com/3aqqa0 #10yrsago Vtech breach dumps 4.8m families’ information, toy security is to blame https://arstechnica.com/information-technology/2015/11/when-children-are-breached-inside-the-massive-vtech-hack/ #10yrsago A Canadian teenager used America’s militarized cops to terrorize women gamers for years https://www.nytimes.com/2015/11/29/magazine/the-serial-swatter.html?_r=0 #10yrsago What the 1980s would have made of the $5 Raspberry Pi https://www.wired.com/beyond-the-beyond/2015/11/raspberry-pi-five-bucks-us/ #10yrsago Workaholic Goethe wished he’d been better at carving out time for quiet reflection https://www.wired.com/beyond-the-beyond/2015/11/the-aged-herr-goethe-never-had-enough-time-for-himself/ Upcoming appearances (permalink) San Diego: Enshittification at the Mission Hills Branch Library, Dec 1 https://libraryfoundationsd.org/events/doctorow Seattle: Neuroscience, AI and Society (University of Washington), Dec 4 https://www.eventbrite.com/e/neuroscience-ai-and-society-cory-doctorow-tickets-1735371255139 Virtual: Poetic Technologies with Brian Eno (David Graeber Institute), Dec 8 https://davidgraeber.institute/poetic-technologies-with-cory-doctorow-and-brian-eno/ Madison, CT: Enshittification at RJ Julia, Dec 8 https://rjjulia.com/event/2025-12-08/cory-doctorow-enshittification Hamburg: Chaos Communications Congress, Dec 27-30 https://events.ccc.de/congress/2025/infos/index.html Recent appearances (permalink) Escape Forward with Cristina Caffarra https://escape-forward.com/2025/11/27/enshittification-of-our-digital-experience/ Why Every Platform Betrays You (Trust Revolution) https://fountain.fm/episode/bJgdt0hJAnppEve6Qmt8 How the internet went to sh*t (Prospect Magazine) https://www.prospectmagazine.co.uk/podcasts/prospect-podcast/71663/cory-doctorow-how-the-internet-went-to-sht Enshittification and “Breaking Kings” (Web Summit) https://www.youtube.com/watch?v=CpLudlrwS_g Enshittification Nation (The Lever) https://www.levernews.com/enshittification-nation/ Enshittification with Oh God What Now https://castbox.fm/episode/Why-Tech-Sucks-%E2%80%93%C2%A0Cory-Doctorow-on-Enshittification-and-how-to-fix-it-id4634015-id876127534 Enshittification with The Lede (New Lines Magazine) https://newlinesmag.com/podcast/why-the-internet-got-bad-and-how-to-fix-it/ Latest books (permalink) "Canny Valley": A limited edition collection of the collages I create for Pluralistic, self-published, September 2025 "Enshittification: Why Everything Suddenly Got Worse and What to Do About It," Farrar, Straus, Giroux, October 7 2025 https://us.macmillan.com/books/9780374619329/enshittification/ "Picks and Shovels": a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books (US), Head of Zeus (UK), February 2025 (https://us.macmillan.com/books/9781250865908/picksandshovels). "The Bezzle": a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books (US), Head of Zeus (UK), February 2024 (the-bezzle.org). "The Lost Cause:" a solarpunk novel of hope in the climate emergency, Tor Books (US), Head of Zeus (UK), November 2023 (http://lost-cause.org). "The Internet Con": A nonfiction book about interoperability and Big Tech (Verso) September 2023 (http://seizethemeansofcomputation.org). Signed copies at Book Soup (https://www.booksoup.com/book/9781804291245). "Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com. "Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com Upcoming books (permalink) "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2026 "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026 "The Memex Method," Farrar, Straus, Giroux, 2026 "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 Colophon (permalink) Today's top sources: Currently writing: "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE. "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING. A Little Brother short story about DIY insulin PLANNING This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net. https://creativecommons.org/licenses/by/4.0/ Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution. How to get Pluralistic: Blog (no ads, tracking, or data-collection): Pluralistic.net Newsletter (no ads, tracking, or data-collection): https://pluralistic.net/plura-list Mastodon (no ads, tracking, or data-collection): https://mamot.fr/@pluralistic Medium (no ads, paywalled): https://doctorow.medium.com/ Twitter (mass-scale, unrestricted, third-party surveillance and advertising): https://twitter.com/doctorow Tumblr (mass-scale, unrestricted, third-party surveillance and advertising): https://mostlysignssomeportents.tumblr.com/tagged/pluralistic "When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer. ISSN: 3066-764X

Pluralistic: Normie diffusion and technophilia (27 Nov 2025)
Today's links Normie diffusion and technophilia: Who will seize the means of computation? Hey look at this: Delights to delectate. Object permanence: Centaur teddybears; Vaginal yeast sourdough; Snoopers Charter rebuttal; "The Paradox"; Bossware is unfair. Upcoming appearances: Where to find me. Recent appearances: Where I've been. Latest books: You keep readin' em, I'll keep writin' 'em. Upcoming books: Like I said, I'll keep writin' 'em. Colophon: All the rest. Normie diffusion and technophilia (permalink) It's an accepted (but wrong) fact that some groups of people are just more technologically adventurous by temperament, and that's why they adopt technologies before the rest of society (think here of pornographers, kids, and terrorists). As I've written before, these groups aren't more (or less) temperamentally inclined to throw themselves into mastering new technologies. Rather, they have more reason to do so: https://pluralistic.net/2022/06/21/early-adopters/#sex-tech Whenever a new communications technology arrives, it is arriving into a world of existing communications technologies, which are, by definition, easier to use. They're easier to use for two reasons: the obvious reason is that you're more likely to be familiar with an existing technology than you are with a new technology. After all, it's literally impossible to be familiar with a technology that has just been invented! But the other reason that existing communications technologies are easier to use is that communication is – again, by definition – something you do with other people. That means that if you want to use a new communications tool to talk with someone else, it is not sufficient for you to master that technology's use – you must also convince the other person you're hoping to reach to master that technology, too. In economic terms, the "opportunity cost" (the amount of time you lose for doing other things) of mastering a new communications tool isn't limited to your own education, but also to the project of convincing someone else to master that tool, and then showing them how to use it. If the existing communications technology is working for you, mastering the new tool is mostly cost, with very little upside. Perhaps you are a technophile by temperament and derive intrinsic satisfaction from exploring a new tool, and that's why you do it, but even so, you're going to find yourself in the bind of trying to convince the people you'd like to communicate with to follow your lead. And if they're all being well-served by the existing communications tools, and if they're not technophiles, you're asking them to engage in a lot of labor and endure a high opportunity cost for no obvious benefit. It's a hard slog. But there are many groups of people for whom the existing technology does not work, and one of the biggest ways an existing technology can fail is if the authorities are using it to suppress your communications and/or spy on your usage in order to frustrate your goals. This brings us back to sex workers, kids and terrorists. All three groups are typically poorly served by the existing communications technology. If you're a pornographer in the age of celluloid film, you either have to convince your customers to visit (and risk being seen entering) an adult movie theater, or you have to convince them to buy an 8mm projector and mail order your reels (and risk being caught having them delivered). No wonder pornographers and sex workers embraced the VCR! No wonder they embraced the internet! No wonder they embraced cryptocurrency (if your bank accounts are liable to being frozen and/or seized, it's worth figuring out how to use an esoteric payment method and endure the risk of its volatility and technological uncertainty). Today, sex workers and their customers are doubtless mastering VPNs (to evade anonymity-stripping "age verification" systems) and Tor hidden services (to evade "online safety" laws). The alternative to using these systems isn't the status quo – making use of existing websites, existing payment methods, existing connection tools. The alternative is nothing. So it's worth learning to use these new tools, and to engage in the social labor of convincing others to join you in using them. Then there's kids. Unlike sex workers, kids' communications aren't broadly at risk of being suppressed so much as they are at risk of being observed by authority figures with whom they have an adversarial relationship. When you're a kid, you want to talk about things without your parents, teachers, principals, or (some of) your peers or siblings listening in. You want to plan things without these people listening in, because they might try and stop you from doing them, or punish you if you succeed. So again, it's worth figuring out how to use new technologies, because the existing ones are riddled with censorship and surveillance back-doors ("parental controls") that can be deployed to observe your communications, interdict your actions, and punish you for the things that you manage to pull off. So of course kids are also "early adopters" – but not because being a kid makes you a technophile. Many kids are technophiles and many are not, but whether or not a kid finds mastering a new technology intrinsically satisfying, they will likely have to do so, if they want to communicate with their peers. For terrorists, the case for mastering new technologies combines the sex-workers' cases and kids' cases: terrorists' communications are both illegal and societally unacceptable (like sexual content) and terrorists operate in an environment in which entities far more powerful than them seek to observe and interdict their plans, and punish them after the fact for their actions (like kids). So once again, terrorists are apt to master new communications technologies, but not because seeking to influence political outcomes by acts of violence against civilian populations is somehow tied to deriving intrinsic satisfaction from mastering new technologies, but rather because the existing technologies are dangerously unsuitable for your needs. Note that just because being in one of these groups doesn't automatically make you a technophile, it doesn't mean that there are no technophiles among these groups. Some people are into tech and the sex industry. Some kids love mastering new technologies. Doubtless this is true of some terrorists, too. I haven't seen any evidence that being a kid, or a terrorist, or a sex-worker, makes you any less (or any more) interested in technology than anyone else. Some of us just love this stuff for its own sake. Other people just want a tool that works so they can get on with their lives. That's true of every group of people. The difference is that if you're a technophile in a group of people who have a damned good reason to endure the opportunity cost of mastering a new technology, you have a much more receptive audience for your overheated exhortations to try this amazing new cool thing you've discovered. What's more, there are some situational and second-order effects that come into play as a result of these dynamics. For example, kids are famously "cash-poor and time-rich" which means that spending the time to figure out new technologies when they're still in stage one of enshittification (when they deliver a lot of value at their lowest cost, often free) is absolutely worth it. Likewise, the fact that sex-workers are often the first commercial users of a new communications technology means that there's something especially ugly about the fact that these services jettison sex workers the instant they get leaned on by official prudes. The story of the internet is the story of businesses who owe their commercial existence to sex workers, who have since rejected them and written them out of their official history. It also means that technophiles who aren't kids, pornographers or terrorists are more likely to find themselves in techno-social spaces that have higher-than-average cohorts of all three groups. This means that bright young technologists can find themselves being treated as peers by accomplished adults (think of Aaron Swartz attending W3C meetings as a pre-teen after being welcomed as a peer in web standardization online forums). It also means that technophiles are more likely than the average person to have accidentally clicked on a terrorist atrocity video. And it means that pornographers and sex-workers are more likely to be exposed to technologically adventurous people in purely social, non-sexual online interactions, because they're among the first arrivals in new technological spaces, when they are still mostly esoteric, high-tech realms, which means that even among the less technophilic members of that group, there's probably an above-average degree of familiarity with things that are still way ahead of the tech mainstream. My point is that we should understand that the adoption of technology by disfavored, at risk, or prohibited groups is driven by material factors, not by some hidden ideological link between sex and tech, or youth and tech, or terrorism and tech. Hey look at this (permalink) Chasing Oligarchs Across Borders https://gijn.org/stories/gijc25-cross-border-investigations-tips-oligarchs/ Canada Needs a Commissioner Who Fights Monopolies https://action.openmedia.org/page/182266/petition/1 Fifteen Years https://xkcd.com/3172/ The Rent Is Too Damn High: Did Trump Just 'Bless' Using AI to Jack Up Rents? https://www.thebignewsletter.com/p/an-odd-settlement-on-rent-fixing Biretrograde Clock – Lasercut https://www.instructables.com/Biretrograde-Clock-Lasercut/ Object permanence (permalink) #20yrsago TSA makes flier remove body jewelry https://web.archive.org/web/20051129025951/https://pittsburghlive.com/x/tribune-review/s_397618.html #20yrsago Microsoft caught subverting UN process, censoring FOSS references https://web.archive.org/web/20051128030303/https://news.zdnet.co.uk/software/linuxunix/0,39020390,39238443,00.htm #15yrsago Zimbabwean law will put legislation, parliamentary gazette, etc, under state copyright https://web.archive.org/web/20101129133649/https://www.theindependent.co.zw/local/28907-general-laws-bill-inimical-to-democracy.html #10yrsago Steiff Japan’s centaur teddybears http://www.steiff-shop.jp/2007w_ltd/037351_seet.html #10yrsago Woman adds vaginal yeast to sourdough starter, Internet flips out https://web.archive.org/web/20180808194241/https://anotherangrywoman.com/2015/11/25/baking-and-eating-cuntsourdough/ #10yrsago Party like it’s 1998: UK government bans ripping CDs — again https://arstechnica.com/tech-policy/2015/11/thanks-to-the-music-industry-it-is-illegal-to-make-private-copies-of-music-again/ #10yrsago Devastating technical rebuttal to the Snoopers Charter https://www.me.uk/IPBill-evidence1.pdf #10yrsago AIDS-drug-gouging hedge-douche reneges on promise to cut prices for Daraprim https://www.techdirt.com/2015/11/25/turing-refuses-to-lower-cost-daraprim-hides-news-ahead-thanksgiving-holiday/ #10yrsago US credit union regulator crushed Internet Archive’s non-predatory, game-changing bank https://blog.archive.org/2015/11/24/difficult-times-at-our-credit-union/ #10yrsago The last quarter-century of climate talks explained, in comics form https://web.archive.org/web/20151126142914/http://www.nature.com/news/the-fragile-framework-1.18861 #10yrsago The Paradox: a secret history of magical London worthy of Tim Powers https://memex.craphound.com/2015/11/26/the-paradox-a-secret-history-of-magical-london-worthy-of-tim-powers/ #1yrago Bossware is unfair (in the legal sense, too) https://pluralistic.net/2024/11/26/hawtch-hawtch/#you-treasure-what-you-measure Upcoming appearances (permalink) Toronto: Jailbreaking Canada (OCAD U), Nov 27 https://www.ocadu.ca/events-and-exhibitions/jailbreaking-canada San Diego: Enshittification at the Mission Hills Branch Library, Dec 1 https://libraryfoundationsd.org/events/doctorow Seattle: Neuroscience, AI and Society (University of Washington), Dec 4 https://www.eventbrite.com/e/neuroscience-ai-and-society-cory-doctorow-tickets-1735371255139 Virtual: Poetic Technologies with Brian Eno (David Graeber Institute), Dec 8 https://davidgraeber.institute/poetic-technologies-with-cory-doctorow-and-brian-eno/ Madison, CT: Enshittification at RJ Julia, Dec 8 https://rjjulia.com/event/2025-12-08/cory-doctorow-enshittification Hamburg: Chaos Communications Congress, Dec 27-30 https://events.ccc.de/congress/2025/infos/index.html Recent appearances (permalink) Why Every Platform Betrays You (Trust Revolution) https://fountain.fm/episode/bJgdt0hJAnppEve6Qmt8 How the internet went to sh*t (Prospect Magazine) https://www.prospectmagazine.co.uk/podcasts/prospect-podcast/71663/cory-doctorow-how-the-internet-went-to-sht Enshittification and “Breaking Kings” (Web Summit) https://www.youtube.com/watch?v=CpLudlrwS_g Enshittification Nation (The Lever) https://www.levernews.com/enshittification-nation/ Enshittification with Oh God What Now https://castbox.fm/episode/Why-Tech-Sucks-%E2%80%93%C2%A0Cory-Doctorow-on-Enshittification-and-how-to-fix-it-id4634015-id876127534 Enshittification with The Lede (New Lines Magazine) https://newlinesmag.com/podcast/why-the-internet-got-bad-and-how-to-fix-it/ Latest books (permalink) "Canny Valley": A limited edition collection of the collages I create for Pluralistic, self-published, September 2025 "Enshittification: Why Everything Suddenly Got Worse and What to Do About It," Farrar, Straus, Giroux, October 7 2025 https://us.macmillan.com/books/9780374619329/enshittification/ "Picks and Shovels": a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books (US), Head of Zeus (UK), February 2025 (https://us.macmillan.com/books/9781250865908/picksandshovels). "The Bezzle": a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books (US), Head of Zeus (UK), February 2024 (the-bezzle.org). "The Lost Cause:" a solarpunk novel of hope in the climate emergency, Tor Books (US), Head of Zeus (UK), November 2023 (http://lost-cause.org). "The Internet Con": A nonfiction book about interoperability and Big Tech (Verso) September 2023 (http://seizethemeansofcomputation.org). Signed copies at Book Soup (https://www.booksoup.com/book/9781804291245). "Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com. "Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com Upcoming books (permalink) "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2026 "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026 "The Memex Method," Farrar, Straus, Giroux, 2026 "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 Colophon (permalink) Today's top sources: Currently writing: "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE. "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING. A Little Brother short story about DIY insulin PLANNING This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net. https://creativecommons.org/licenses/by/4.0/ Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution. How to get Pluralistic: Blog (no ads, tracking, or data-collection): Pluralistic.net Newsletter (no ads, tracking, or data-collection): https://pluralistic.net/plura-list Mastodon (no ads, tracking, or data-collection): https://mamot.fr/@pluralistic Medium (no ads, paywalled): https://doctorow.medium.com/ Twitter (mass-scale, unrestricted, third-party surveillance and advertising): https://twitter.com/doctorow Tumblr (mass-scale, unrestricted, third-party surveillance and advertising): https://mostlysignssomeportents.tumblr.com/tagged/pluralistic "When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer. ISSN: 3066-764X

Pluralistic: O(N^2) nationalism (26 Nov 2025)
Today's links O(N^2) nationalism: Trumpism can only be defeated through international nationalism. Hey look at this: Delights to delectate. Object permanence: Paywall kremlinology; How to fix everything; Office365 is spyware; State-owned Amazon. Upcoming appearances: Where to find me. Recent appearances: Where I've been. Latest books: You keep readin' em, I'll keep writin' 'em. Upcoming books: Like I said, I'll keep writin' 'em. Colophon: All the rest. O(N^2) nationalism (permalink) In their 2023 book Underground Empire, political scientists Henry Farrell and Abraham Newman describe how the modern world runs on US-based systems that other nations treat(ed) as neutral platforms, and how that is collapsing: https://pluralistic.net/2023/10/10/weaponized-interdependence/#the-other-swifties Think of the world's fiber optic cables: for most of the internet's history, it was a given that one end of the majority of the world's transoceanic fiber would make landfall on one of the coasts of the USA. US telcos paid to interconnect these fiber head-ends – even ones on opposite coasts – with extremely reliable, high-speed links. This made a certain kind of sense. Pulling fiber across an ocean is incredibly expensive and difficult. Rather than run cables between each nation in the world, countries could connect to the US, and, in a single hop, connect to anywhere else. This is a great deal, provided that you trust the USA to serve as an honest broker for the world's internet traffic. Then, in 2013, the Snowden leaks revealed that America's National Security Agency was spying on pretty much everyone in the world. Since then, the world has undergone a boom in new transoceanic fiber, most of it point-to-point links between two countries. Despite the prodigious logistical advantages of a hub-and-spoke model for ocean-spanning fiber networks, there just isn't any nation on Earth that can be entrusted with the world's information chokepoint, lest they yield to temptation to become the world's gatekeeper. Don't get me wrong: there are also advantages to decentralized (or even better, distributed) interconnections in the world's data infrastructure. A more dispersed network topology is more resilient against a variety of risks, from political interference to war to meteor strikes. But connecting every country to every other country is a very expensive proposition. Our planet has 205 sovereign nations, and separately connecting each of them to the rest will require 20,910 links. In complexity theory, this is an "Order N-squared" ("O(n^2)") problem – every additional item in the problem set squares the number of operations needed to solve it. We aren't anywhere near a world where every country has a link to every other country on Earth. Instead, we're in an unsettled period, where warring theories about how to decentralize, and by how much, have created a weird, lopsided network topology. Obviously, fiber interconnection isn't the most important "neutral platform" that the US (formerly) provided to the rest of the world. The most important American platform is the US dollar, which most countries in the world use as a reserve currency, and also as a standard for clearing international transactions. If someone in Thailand wants to buy oil from someone in Saudi Arabia, they do so in dollars. This is called "dollar clearing." The case for dollar clearing is similar to the case for linking all the world's fiber through US data-centers. It's a big lift to ask every seller to price their goods in every potential buyer's currency, and it's a lot to ask every Thai baht holder to race around the world seeking someone who'll sell them Saudi riyals – and then there's the problem of what they do with the change left over from the transaction. Establishing liquid markets for every possible pair of currencies has the same kind of complexity as the problem of establishing fiber links between every country. Since the mid-20th century, we've solved this problem by treating the US dollar as a neutral platform. Countries opened savings accounts at the US Federal Reserve and stashed large numbers of US dollars there (when someone says, "China owns umpty-billion in US debt," they just mean, "There's a bank account in New York at the Fed with China's name on it that has been marked up with lots of US dollars"). Merchants, institutions and individuals that wanted to transact across borders used the SWIFT system, which is nominally international, but which, practically speaking, is extremely deferential to the US government. Issuing the world's reserve and reference currency was a source of enormous power for the US, but only to the extent that it used that power sparingly, and subtly. The power of dollarization depended on most people believing that the dollar was mostly neutral – that the US wouldn't risk dollar primacy by nakedly weaponizing the dollar. Dollarization was a bet that America First hawks would have the emotional maturity to instrumentalize the dollar in the most sparing and subtle of fashions. But today, no one believes that the dollar is neutral. First came the Argentine sovereign debt default: in 2001, the government of Argentina wiped out investors who were holding its bonds. In 2005, a group of American vulture capitalists scooped up this worthless paper for pennies, then sued in New York to force Argentina to make good on the bonds, and a US court handed over Argentina's foreign reserves, which were held on US soil. That was the opening salvo in a series of events which showed everyone in the world that the US dollar wasn't a neutral platform, but was, rather, a creature of US policy. This culminated with the Russian invasion of Ukraine, which saw the seizure of Russian assets in the USA and a general blockade on Russians using the SWIFT system to transfer money. Whether or not you like the fact that Russian assets were transferred to Ukraine to aid in its defense against Russian aggression (I like it, for the record), there's no denying that this ended the pretense that the dollar was a neutral platform. It was a signal to every leader in the world that the dollar could only be relied upon for transaction clearing and foreign reserves to the extent that you didn't make the USA angry at you. Today, Donald Trump has made it clear that the US's default posture to every country in the world is anger. The US no longer has allies, nor does it have trading partners. Today, every country in the world is America's adversary and its rival. But de-dollarization isn't easy. It presents the same O(n^2) problem as rewiring the world's fiber: creating deep, liquid markets to trade every currency against every other currency is an impossible lift (thus far), and there's no obvious candidate as a replacement for the dollar as a clearing currency. As with fiber, we are in an unsettled period, with no obvious answer, and lots of chaotic, one-off gestures towards de-dollarization. For example, Ethiopia is re-valuing its foreign debt in Chinese renminbi: https://www.bloomberg.com/news/articles/2025-10-20/ethiopia-in-talks-with-china-to-convert-dollar-loans-into-yuan But fiber and dollars aren't the only seemingly neutral platforms that America provided to the world as a way of both facilitating the world's orderly operation and consolidating America's centrality and power on the global stage. America is also the world's great digital exporter. The world's governments, corporations and households run on American cloud software, like Google Docs and Office365. Their records are held in Oracle databases. Their messages and media run on iPhones. Their cloud compute comes from AWS. The Snowden revelations shook this arrangement, but it held. The EU extracted a series of (ultimately broken) promises from the US to the effect that America wouldn't spy on Europeans using Big Tech. And now, after a brittle decade of half-measures and uneasy peace with American tech platforms, Trump has made it clear that he will not hesitate to use American tech platforms to pursue his geopolitical goals. Practically speaking, that means that government officials that make Trump angry can expect to have their cloud access terminated: https://apnews.com/article/icc-trump-sanctions-karim-khan-court-a4b4c02751ab84c09718b1b95cbd5db3 Trump can – and does – shut down entire international administrative agencies, without notice or appeal, as a means of coercing them into embracing American political goals. What's more, US tech giants have stopped pretending that they will not share sensitive EU data – even data housed on servers in the EU – with American spy agencies, and will keep any such disclosures a secret from the European governments, companies and individuals who are affected: https://www.forbes.com/sites/emmawoollacott/2025/07/22/microsoft-cant-keep-eu-data-safe-from-us-authorities/ All this has prompted a rush of interest in the "Eurostack," an effort to replicate the functionality of US tech companies' cloud services: https://pluralistic.net/2025/10/15/freedom-of-movement/#data-dieselgate But the Eurostack's proponents are really working on the preliminaries to digital sovereignty. It's not enough to have alternatives to US Big Tech. There also needs to be extensive work on migration tools, to facilitate the move to those alternatives. No one is going to manually copy/paste a million documents out of their ministry or corporation's GSuite repository and into a Eurostack equivalent. There are a few tools that do this today, but they're crude and hard to use, because they are probably illegal under America's widely exported IP laws. Faithfully transferring those files, permissions, edit histories and metadata to new clouds will require a kind of guerrilla warfare called "adversarial interoperability." Adversarial interoperability is the process of making a new thing work with an existing thing, against the wishes of the existing thing's manufacturer: https://www.eff.org/deeplinks/2019/10/adversarial-interoperability The problem is that adversarial interoperability has been mostly criminalized in countries all around the world, thanks to IP laws that prohibit the study, reverse engineering and modification of software without permission. These laws were spread all over the world at the insistence of the US Trade Representative, who, for 25 years, has made this America's top foreign trade priority. Countries that balked at enacting laws were threatened with tariffs. Virtually every country in the world fell into line: https://pluralistic.net/2025/01/15/beauty-eh/#its-the-only-war-the-yankees-lost-except-for-vietnam-and-also-the-alamo-and-the-bay-of-ham But then Trump happened. The Trump tariffs apply to countries that have voluntarily blocked their own investors and entrepreneurs from making billions by supplying products that unlock and improve America's enshittified tech exports. These blocks also exposed everyone in the world to the data- and cash-plundering scams of US Big Tech, by preventing the creation of privacy blockers, alt clients, jailbreaking kits, and independent app stores for phones, tablets and consoles. What's more, the laws that block reverse-engineering are also used to block repair, forcing everyone from train operators to hospitals to drivers to everyday individuals to pay a high premium and endure long waits to get their equipment serviced by the manufacturer's authorized representatives: https://pluralistic.net/2024/05/24/record-scratch/#autoenshittification These US-forced IP laws come at a high price. They allow American companies to pick your nation's pockets and steal its data. They interfere with repair and undermine resiliency. They also threaten security researchers who audit critical technologies and identify their dangerous defects: https://pluralistic.net/2024/09/30/life-finds-a-way/#ink-stained-wretches On top of that, they expose your country to a range of devastating geopolitical attacks by the Trump administration, who have made it clear that they will order American tech companies to brick whole governments as punishment for failing to capitulate to US demands. And of course, all of these remote killswitches can be operated by anyone who can hack or trick the manufacturer, including the Chinese state: https://pluralistic.net/2024/10/07/foreseeable-outcomes/#calea Speaking of China, isn't this exactly the kind of thing we were warned would happen if we allowed Chinese technology into western telecommunications systems? The Chinese state would spy on us, and, in extremis, could shut down our critical infrastructure with a keystroke. This is exactly what America is doing now (and has been doing for some time, as Snowden demonstrated). But it's actually pretty reasonable to assume that a regime as competent and ambitious (and ruthless) as Xi Jinping's might make use of this digital power if doing so serves its geopolitical goals. And there is a hell of a lot of cloud-connected digital infrastructure that Xi does (or could) control, including the solar inverters and batteries that are swiftly replacing fossil fuel in the EU: https://pluralistic.net/2025/09/23/our-friend-the-electron/#to-every-man-his-castle And if you're worried about China shutting down your solar energy, you should also worry about America's hold on the embedded processors in your country's critical systems. Take tractors. Remember when Putin's thugs looted millions of dollars' worth of tractors from Ukraine and spirited them away to Chechnya? The John Deere company sent a kill command to those tractors and bricked them, rendering them permanently inoperable: https://pluralistic.net/2022/05/08/about-those-kill-switched-ukrainian-tractors/ Sure, there's a certain cyberpunk frisson in this tale of a digital comeuppance for Russian aggressors. But think about this for ten seconds and you'll realize that it means that John Deere can shut down any tractor in the world – including all the tractors in your country, if Donald Trump forces them to: https://pluralistic.net/2025/10/20/post-american-internet/#huawei-with-american-characteristics The national security case for digital sovereignty includes people worried about American aggression. It includes people worried about Chinese aggression. It includes people worried about other countries that might infiltrate and make use of these remote kill switches. And it includes people worried about criminals doing the same. True digital sovereignty requires more than building Eurostack data-centers and the software to run on them. It requires more than repealing the IP laws that block cloud customers from migrating their data to those Eurostack servers. It requires the replacement of the cloud software and embedded code that power our infrastructure and administrative tools. This is a gigantic task. Ripping out all the proprietary code that powers our cloud software and devices and replacing it with robust, auditable, user-modifiable free/open source software is a massive project. It's also a project that's long overdue. And crises precipitate change. Putin's invasion of Ukraine vaporized every barrier to Europe's solar conversion, rocketing the bloc from ten years behind schedule to fifteen years ahead of schedule in just a few years. The fact that changing out all the proprietary, opaque, vulnerable code in our world and replacing it with open, free, reliable code is hard has no bearing on whether it is necessary. It is necessary. What's more, replacing all the code isn't like replacing the dollar, or replacing the fiber. It isn't hamstrung by the O(n^2) problem. Because if the Eurostack code is open and free, it can also be the Canadian stack, the Mexican stack, the Ghanaian stack, and the Vietnamese stack. It can be a commons, a set of core technologies that everyone studies for vulnerabilities and improves, that everyone adds features to, that everyone localizes and administers and bears the costs for. It is a novel and curious form of "international nationalism," a technology that is more like a science. In the same way that the Allies and the Axis both used the same radio technologies to communicate, a common, open digital infrastructure is one that everyone – even adversaries – can rely upon. This is a move that's long overdue. It's a move that's in the power of every government, because it merely involves changing your own domestic laws to enable adversarial interoperability. Its success doesn't depend on a foreign state forcing Apple or Google or Microsoft or Oracle to do something they don't want to do: https://pluralistic.net/2025/11/01/redistribution-vs-predistribution/#elbows-up-eurostack The opportunity and challenge of building the post-American internet is part of the package of global de-Americanization, which includes running new fiber and de-dollarization. But the post-American internet is unique in that it is the only part of this project that can be solved everywhere, all at once, and that gets cheaper and easier as more nations join in. Hey look at this (permalink) On contrarian history https://going-medieval.com/2025/11/25/on-contrarian-history/ Game Theory Explains How Algorithms Can Drive Up Prices https://www.wired.com/story/game-theory-explains-how-algorithms-can-drive-up-prices/ Part 1: My Life Is a Lie https://www.yesigiveafig.com/p/part-1-my-life-is-a-lie The American Pay Cut That Gave Us Obama and Trump, Twice https://www.americasundoing.com/p/it-works-if-you-work-it Americans are holding onto devices longer than ever and it’s costing the economy https://www.cnbc.com/2025/11/23/how-device-hoarding-by-americans-is-costing-economy.html Object permanence (permalink) #20yrsago Transformers costumes that turn into cars and jets https://web.archive.org/web/20051127021810/http://www.marksprojects.com/costumestrans.htm #15yrsago London police brutally kettle children marching for education https://web.archive.org/web/20101126000126/http://www.newstatesman.com/blogs/laurie-penny/2010/11/children-police-kettle-protest #15yrsago Kremlinology with Rupert Murdoch: what do the Times paywall numbers mean? https://www.theguardian.com/technology/blog/2010/nov/25/times-paywall-cory-doctorow #10yrsago Ifixit is the new Justice League of America and Kyle Wiens is its Superman https://web.archive.org/web/20151125125009/https://motherboard.vice.com/read/how-to-fix-everything #5yrsago Random Penguin to buy Simon & Schuster https://pluralistic.net/2020/11/25/the-peoples-amazon/#merger-to-monopoly #5yrsago A state-owned Amazon https://pluralistic.net/2020/11/25/the-peoples-amazon/#correo-compras #5yrsago Office 365 spies on employees for bosses https://pluralistic.net/2020/11/25/the-peoples-amazon/#clippys-revenge #5yrsago Tech in SF https://pluralistic.net/2020/11/25/the-peoples-amazon/#asl Upcoming appearances (permalink) Toronto: Jailbreaking Canada (OCAD U), Nov 27 https://www.ocadu.ca/events-and-exhibitions/jailbreaking-canada San Diego: Enshittification at the Mission Hills Branch Library, Dec 1 https://libraryfoundationsd.org/events/doctorow Seattle: Neuroscience, AI and Society (University of Washington), Dec 4 https://www.eventbrite.com/e/neuroscience-ai-and-society-cory-doctorow-tickets-1735371255139 Virtual: Poetic Technologies with Brian Eno (David Graeber Institute), Dec 8 https://davidgraeber.institute/poetic-technologies-with-cory-doctorow-and-brian-eno/ Madison, CT: Enshittification at RJ Julia, Dec 8 https://rjjulia.com/event/2025-12-08/cory-doctorow-enshittification Hamburg: Chaos Communications Congress, Dec 27-30 https://events.ccc.de/congress/2025/infos/index.html Recent appearances (permalink) How the internet went to sh*t (Prospect Magazine) https://www.prospectmagazine.co.uk/podcasts/prospect-podcast/71663/cory-doctorow-how-the-internet-went-to-sht Enshittification and “Breaking Kings” (Web Summit) https://www.youtube.com/watch?v=CpLudlrwS_g Enshittification Nation (The Lever) https://www.levernews.com/enshittification-nation/ Enshittification with Oh God What Now https://castbox.fm/episode/Why-Tech-Sucks-%E2%80%93%C2%A0Cory-Doctorow-on-Enshittification-and-how-to-fix-it-id4634015-id876127534 Enshittification with The Lede (New Lines Magazine) https://newlinesmag.com/podcast/why-the-internet-got-bad-and-how-to-fix-it/ Latest books (permalink) "Canny Valley": A limited edition collection of the collages I create for Pluralistic, self-published, September 2025 "Enshittification: Why Everything Suddenly Got Worse and What to Do About It," Farrar, Straus, Giroux, October 7 2025 https://us.macmillan.com/books/9780374619329/enshittification/ "Picks and Shovels": a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books (US), Head of Zeus (UK), February 2025 (https://us.macmillan.com/books/9781250865908/picksandshovels). "The Bezzle": a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books (US), Head of Zeus (UK), February 2024 (the-bezzle.org). "The Lost Cause:" a solarpunk novel of hope in the climate emergency, Tor Books (US), Head of Zeus (UK), November 2023 (http://lost-cause.org). "The Internet Con": A nonfiction book about interoperability and Big Tech (Verso) September 2023 (http://seizethemeansofcomputation.org). Signed copies at Book Soup (https://www.booksoup.com/book/9781804291245). "Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com. "Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com Upcoming books (permalink) "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2026 "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026 "The Memex Method," Farrar, Straus, Giroux, 2026 "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 Colophon (permalink) Today's top sources: Currently writing: "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE. "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING. A Little Brother short story about DIY insulin PLANNING This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net. https://creativecommons.org/licenses/by/4.0/ Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution. How to get Pluralistic: Blog (no ads, tracking, or data-collection): Pluralistic.net Newsletter (no ads, tracking, or data-collection): https://pluralistic.net/plura-list Mastodon (no ads, tracking, or data-collection): https://mamot.fr/@pluralistic Medium (no ads, paywalled): https://doctorow.medium.com/ Twitter (mass-scale, unrestricted, third-party surveillance and advertising): https://twitter.com/doctorow Tumblr (mass-scale, unrestricted, third-party surveillance and advertising): https://mostlysignssomeportents.tumblr.com/tagged/pluralistic "When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer. ISSN: 3066-764X

Pluralistic: Google steers Americans looking for health care into "junk insurance" (25 Nov 2025)
Today's links Google steers Americans looking for health care into "junk insurance" : An enshittified search monopolist meets the worst health care system imaginable. Hey look at this: Delights to delectate. Object permanence: Disaster fantasies; "Sea to Sea"; Veronica Belmont on surviving memeification; Email carcinization. Upcoming appearances: Where to find me. Recent appearances: Where I've been. Latest books: You keep readin' em, I'll keep writin' 'em. Upcoming books: Like I said, I'll keep writin' 'em. Colophon: All the rest. Google steers Americans looking for health care into "junk insurance" (permalink) Being "the enshittification guy" means that people expect you to weigh in on every service or platform that has been deliberately worsened to turn a buck. It's an impossible task (and a boring one besides). There's too much of this shit, and it's all so mid – a real "banality of enshittification" situation. So these days, I really only take note of fractally enshittified things, exponentially enshittified things, omnienshittified things. Things like the fact that Google is sending people searching for health care plans to "junk insurance" that take your money and then pretty much just let you die: https://pluralistic.net/junk-insurance "Junk insurance" is a health insurance plan that is designed as a short-term plan that you might use for a couple of days or a week or two, say, if you experience a gap in coverage as you move between two jobs. These plans can exclude coverage for pre-existing conditions and typically exclude niceties like emergency room visits and hospitalization: https://www.brookings.edu/wp-content/uploads/2020/07/Broader-View_July_2020.pdf Crucially, these plans do not comply with the Affordable Care Act, which requires comprehensive coverage, and bans exclusions for pre-existing conditions. These plans only exist because of loopholes in the ACA, designed for very small-scale employers or temporary coverage. The one thing junk insurance does not skimp on is sales and marketing. These plans outbid the rest of the market when it comes to buying Google search ads, meaning that anyone who uses Google to research health insurance will be inundated with ads for these shitty plans. The plans also spend a fortune on "search engine optimization" – basically, gaming the Google algorithm – so that the non-ad Google results for health insurance are also saturated with these garbage plans. The plans also staff up boiler-rooms full of silver-tongued high-pressure sales staff who pick up on the first ring and hard-sell you on their plans, deliberately misleading you into locking into their garbage plans. That's right, locking in. While Obamacare is nominally a "market based" healthcare system (because Medicare For All would be communism), you are only allowed to change vendors twice per year, during "open enrollment," these narrow biannual windows in which you get to "vote with your wallet" against a plan that has screwed you over and/or endangered your life. Which means that if a fast-talking salesdroid from a junk insurance company can trick you into signing up for a garbage plan that will leave you bankrupt and/or dead if you have a major health crisis, you are stuck for at least six months in that trap, and won't escape without first handing over thousands of dollars to that scumbag's boss. Amazingly enough, these aren't even the worst kinds of garbage health plans that you can buy in America: those would be the religious "health share" programs that sleazy evangelical "entrepreneurs" suck their co-religionists into, which cost the world and leave you high and dry when you or your kids get hurt or sick: https://armandalegshow.com/episode/is-it-ever-appropriate-to-fudge-a-little/ The fact that there are multiple kinds of scam health insurance in America, in which companies are legally permitted to take your money and then deny you care (even more than the "non-scam" insurance plans do) shows you the problem with turning health into a market. "Caveat emptor" may make sense when you're buying a used blender at a yard-sale. Apply it to the system that's supposed to take care of you if you're diagnosed with cancer, hit by a bus, or develop eclampsia, and it's a literally fatal system. This is just one of the ways in which the uniparty is so terrible for Americans. The Republicans want to swap out shitty regulated for-profit health insurance with disastrous unregulated for-profit health insurance, and then give you a couple thousand bucks to yolo on a plan that seems OK to you: https://www.cnbc.com/2025/11/24/republicans-push-obamacare-tax-credit-alternatives-as-deadline-looms.html This is like letting Fanduel run your country's health system: everyday people are expected to place fifty-way parlay bets on their health, juggling exclusions, co-pays, deductibles, and network coverage in their head. Bet wrong, and you go bankrupt (if you're lucky), or just die (if you're not). Democrats, meanwhile, want to maintain the (garbage) status quo (because Medicare for All is communism), and they'll shut down the government to make it clear that they want this. But then they'll capitulate, because they want it, but not that badly. But like I say, America is an Enshittification Nation, and I don't have time or interest for cataloging mere unienshittificatory aspects of life here. To preserve my sanity and discretionary time, I must limit myself to documenting the omnienshittificatory scams that threaten us from every angle at once. Which brings me back to Google. Without Google, these junk insurance scams would be confined to the margins. They'd have to resort to pyramid selling, or hand-lettered roadside signs, or undisclosed paid plugs in religious/far-right newsletters. But because Google has utterly succumbed to enshittification, and because Google has an illegal monopoly – a 90% market share – that it maintains by bribing competitors like Apple to stay out of the search market, junk insurance scams can make bank – and ruin Americans' lives wholesale – by either tricking or paying Google to push junk insurance on unsuspecting searchers. This isn't merely a case of Google losing the SEO and spam wars to shady operators. As we learned in last year's antitrust case (where Google was convicted of operating an illegal search monopoly), Google deliberately worsened its search results, in order to force you to search multiple times (and see multiple screens full of ads) as a way to goose search revenue: https://pluralistic.net/2024/04/24/naming-names/#prabhakar-raghavan Google didn't just lose that one antitrust case, either. It lost three cases, as three federal judges determined that Google secured and maintains an illegal monopoly that allows it to control the single most important funnel for knowledge and truth for the majority of people on Earth. The company whose mission is to "organize the world's information and make it universally accessible and useful," now serves slop, ads, spam and scams because its customers have nowhere to go, so why bother spending money making search good (especially when there's money to be made from bad search results)? Google isn't just too big to fail, it's also too big to jail. One of the judges who found Google guilty of maintaining an illegal monopoly decided not to punish them for it, and to allow them to continue bribing Apple to stay out of the search market, because (I'm not making this up), without that $20b+ annual bribe, Apple might not be able to afford to make cool new iPhone features: https://pluralistic.net/2025/09/03/unpunishing-process/#fucking-shit-goddammit-fuck Once a company is too big to fail and too big to jail, it becomes too big to care. Google could prevent slop, spam and scams from overrunning its results (and putting its users lives and fortunes at risk), it just chooses not to: https://pluralistic.net/2024/04/04/teach-me-how-to-shruggie/#kagi Google is the internet's absentee landlord. Anyone who can make a buck by scamming you can either pay Google to help, or trick Google into helping, or – as is the case with junk insurance – both: https://pluralistic.net/2025/07/15/inhuman-gigapede/#coprophagic-ai America has the world's stupidest health care system, an industry that has grown wildly profitable by charging Americans the highest rates in the rich world, while delivering the worst health outcomes in the rich world, while slashing health workers' pay and eroding their working conditions. It's omnienshittified, a partnership between the enshittified search giant and the shittiest parts of the totally enshittified health industry. It's also a reminder of what we stand to gain when we finally smash Google and break it up: disciplining our search industry will make it competitive, regulatable, and force it to side with the public against all kinds of scammers. Junk insurance should be banned, but even if we just end the junk insurance industry's ability to pay the world's only major search engine to help it kill us, that would be a huge step forward. Hey look at this (permalink) Nvidia’s ‘I’m Not Enron’ memo has people asking a lot of questions already answered by that memo https://www.theverge.com/business/828047/nvidia-enron-conspiracy-accounting How Black Friday Loyalty Programs Rip Off Shoppers https://economicpopulist.substack.com/p/how-black-friday-loyalty-programs The Hater's Guide To NVIDIA https://www.wheresyoured.at/the-haters-guide-to-nvidia/ GrapheneOS migrates server infrastructure from France amid police intimidation claims https://www.privacyguides.org/news/2025/11/22/grapheneos-migrates-server-infrastructure-from-france-amid-police-intimidation-claims/ Competition Commissioner Boswell calls it quits early https://www.donotpassgo.ca/p/competition-commissioner-matthew Object permanence (permalink) #20yrsago Solar utility pole: streetlight, WiFi, CCTV and charger https://web.archive.org/web/20060508050552/http://www.starsightproject.com/en/africa/index.php?option=com_content&task=view&id=12&Itemid=52 #20yrsago Sony rootkit recall makes The Onion https://web.archive.org/web/20051126015022/http://www.theonion.com/content/node/42988 #15yrsago Menstruating woman subjected to TSA grope because panty-liner obscured her vulva on pornoscanner https://blog.gladrags.com/2010/11/24/tsa-groin-searches-menstruating-woman/ #15yrsago Set to Sea: moving and beautiful graphic novel about a poet who becomes an involuntary sailor https://memex.craphound.com/2010/11/24/set-to-sea-moving-and-beautiful-graphic-novel-about-a-poet-who-becomes-an-involuntary-sailor/ #10yrsago Cultural appropriation? Hindu nationalists used yoga as an anti-colonialist export https://web.archive.org/web/20151124030935/http://www.slate.com/articles/double_x/doublex/2015/11/university_canceled_yoga_class_no_it_s_not_cultural_appropriation_to_practice.html #10yrsago Leaked recording: pollution lobbyists discuss exploiting Syrian refugee crisis https://theintercept.com/2015/11/24/lobbyists-refugee-crisis/ #10yrsago Dell apologizes for preinstalling bogus root-certificate on computers https://arstechnica.com/information-technology/2015/11/dell-apologizes-for-https-certificate-fiasco-provides-removal-tool/ #10yrsago Veronica Belmont on being overtaken by a meme https://www.youtube.com/watch?v=bTThblbbnkM #10yrsago J Edgar Hoover was angry that the Boy Scouts didn’t thank him effusively enough https://www.muckrock.com/news/archives/2015/nov/24/j-edgar-hoover-insults/ #10yrsago WTO rules against US dolphin-safe tuna labels because they’re unfair to Mexican fisheries https://theintercept.com/2015/11/24/wto-ruling-on-dolphin-safe-tuna-labeling-illustrates-supremacy-of-trade-agreements/ #10yrsago Shamrock shake: Pfizer’s Irish “unpatriotic loophole” ducks US taxes https://arstechnica.com/science/2015/11/with-160-billion-merger-pfizer-moves-to-ireland-and-dodges-taxes/ #5yrsago Talking interop on EFF's podcast https://pluralistic.net/2020/11/24/zawinskiian-carcination/#comcom #5yrsago Cheap Chinese routers riddled with backdoors https://pluralistic.net/2020/11/24/zawinskiian-carcination/#jetstream #5yrsago Emailifaction is digital carcinization https://pluralistic.net/2020/11/24/zawinskiian-carcination/#carcinization #5yrsago Saudi Aramco is gushing debt https://pluralistic.net/2020/11/24/zawinskiian-carcination/#gusher #5yrsago Sci-Fi Genre https://pluralistic.net/2020/11/24/zawinskiian-carcination/#asl #1yrago The far right grows through "disaster fantasies" https://pluralistic.net/2024/11/24/mall-ninja-prophecy/#mano-a-mano Upcoming appearances (permalink) Toronto: Jailbreaking Canada (OCAD U), Nov 27 https://www.ocadu.ca/events-and-exhibitions/jailbreaking-canada San Diego: Enshittification at the Mission Hills Branch Library, Dec 1 https://libraryfoundationsd.org/events/doctorow Seattle: Neuroscience, AI and Society (University of Washington), Dec 4 https://www.eventbrite.com/e/neuroscience-ai-and-society-cory-doctorow-tickets-1735371255139 Virtual: Poetic Technologies with Brian Eno (David Graeber Institute), Dec 8 https://davidgraeber.institute/poetic-technologies-with-cory-doctorow-and-brian-eno/ Madison, CT: Enshittification at RJ Julia, Dec 8 https://rjjulia.com/event/2025-12-08/cory-doctorow-enshittification Hamburg: Chaos Communications Congress, Dec 27-30 https://events.ccc.de/congress/2025/infos/index.html Recent appearances (permalink) Enshittification Nation (The Lever) https://www.levernews.com/enshittification-nation/ Enshittification with Oh God What Now https://castbox.fm/episode/Why-Tech-Sucks-%E2%80%93%C2%A0Cory-Doctorow-on-Enshittification-and-how-to-fix-it-id4634015-id876127534 Enshittification with The Lede (New Lines Magazine) https://newlinesmag.com/podcast/why-the-internet-got-bad-and-how-to-fix-it/ Today in Focus (The Guardian) https://www.theguardian.com/news/audio/2025/nov/24/enshittification-how-we-got-the-internet-no-one-asked-for-podcast Enshittification with Vass Bednar (Vancouver Public Library) https://www.crowdcast.io/c/0wzs9iu1q225 Latest books (permalink) "Canny Valley": A limited edition collection of the collages I create for Pluralistic, self-published, September 2025 "Enshittification: Why Everything Suddenly Got Worse and What to Do About It," Farrar, Straus, Giroux, October 7 2025 https://us.macmillan.com/books/9780374619329/enshittification/ "Picks and Shovels": a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books (US), Head of Zeus (UK), February 2025 (https://us.macmillan.com/books/9781250865908/picksandshovels). "The Bezzle": a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books (US), Head of Zeus (UK), February 2024 (the-bezzle.org). "The Lost Cause:" a solarpunk novel of hope in the climate emergency, Tor Books (US), Head of Zeus (UK), November 2023 (http://lost-cause.org). "The Internet Con": A nonfiction book about interoperability and Big Tech (Verso) September 2023 (http://seizethemeansofcomputation.org). Signed copies at Book Soup (https://www.booksoup.com/book/9781804291245). "Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com. "Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com Upcoming books (permalink) "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2026 "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026 "The Memex Method," Farrar, Straus, Giroux, 2026 "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, 2026 Colophon (permalink) Today's top sources: Currently writing: "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. FIRST DRAFT COMPLETE AND SUBMITTED. A Little Brother short story about DIY insulin PLANNING This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net. https://creativecommons.org/licenses/by/4.0/ Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution. How to get Pluralistic: Blog (no ads, tracking, or data-collection): Pluralistic.net Newsletter (no ads, tracking, or data-collection): https://pluralistic.net/plura-list Mastodon (no ads, tracking, or data-collection): https://mamot.fr/@pluralistic Medium (no ads, paywalled): https://doctorow.medium.com/ Twitter (mass-scale, unrestricted, third-party surveillance and advertising): https://twitter.com/doctorow Tumblr (mass-scale, unrestricted, third-party surveillance and advertising): https://mostlysignssomeportents.tumblr.com/tagged/pluralistic "When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer. ISSN: 3066-764X

Pluralistic: Cooking in Maximum Security (24 Nov 2025)
Today's links Cooking in Maximum Security: A companion volume to "Prisoners' Inventions." Hey look at this: Delights to delectate. Object permanence: Cursed house; Randall Munroe's stick figures; Reverse engineering a gig work platform; Barbie surveillance toy teardown; Labor and large firms. Upcoming appearances: Where to find me. Recent appearances: Where I've been. Latest books: You keep readin' em, I'll keep writin' 'em. Upcoming books: Like I said, I'll keep writin' 'em. Colophon: All the rest. Cooking in Maximum Security (permalink) Cooking in Maximum Security is a slim volume of prisoners' recipes and improvised cooking equipment, a testament to the ingenuity of a network of prisoners in Italy's maximum security prisons: https://halfletterpress.com/cooking-in-maximum-security/ Cooking in Maximum Security has a new English translation from Half Letter Press, who also publish the classic Prisoners' Inventions, which is one of my favorite books of all time, a collection of keenly observed, beautifully drawn material improvisations from America's prisons: https://pluralistic.net/2021/06/09/king-rat/#mother-of-invention Prison cookbooks are a genre unto themselves, with "underground" classics like Jailhouse Cookbook: http://jailhousecookbook.com/ And slick coffee-table books like Prison Ramen: https://www.eater.com/23900359/gastropod-instant-ramen-prison-ramen-recipes-stories-maruchan-cup-noodle But Cooking in Maximum Security drills down much deeper on the method than those other books, elevating the makerish improvisation of the chefs whose work it reproduces. They explain how to make an oven out of a wooden stool lined with cigarette foil and draped with heavy blankets, into which a small gas burner is introduced: https://www.cookinginmaximumsecurity.com/tools/ Or how to turn a toothbrush handle and the razor blade from a pencil-sharpener into an all-purpose paring knife: https://cdn11.bigcommerce.com/s-l4sjfhdy/images/stencil/2048×2048/products/771/3042/CookinginMax4__83959.1762438870.jpg?c=2 These field-expedient gadget improvisations are incredibly satisfying. They have the vibe of a good episode of Scrapheap Challenge, or the high-stakes duct-tape ingenuity of Apollo 13. And while these recipes and build notes were collected in the 2010s, the pencil/charcoal illustrations have a classic 1970s feel, like the illustrations out of the Moosewood Cookbook or The Joy of Sex. If you love the kind of clever repurposings that filled the pages of Make magazine, you'll love this. Plus, the food sounds incredible. Mouth-watering. Fresh bread whose dough was warmed and risen by setting it atop the heat-radiating surface of a CRT television! One thing that sets Cooking in Maximum Security apart from other prison cookbooks is the unique character of Italian maximum security prisons, in which visitors are allowed to bring a fairly large variety of goods to inmates, and where the commissary is stocked with an incredible variety of basic ingredients, including things like goat and beef livers (the book reproduces an entire commissary menu, with prices, as an appendix). Prisoners have access to beer and wine, and find endless uses for old beer cans. The book also drops in casual clues about life in an Italian prison, for example, when it suggests getting your wooden stirrer by taking down a crucifix and using that. Cooking in Maximum Security arose out of a project called "MoCa" (a play on the essential moka coffee maker that is the most versatile and widely used tool in this book). Prisoners met with, and corresponded with, outside helpers who put together the entire volume. One collaborator, Mario, died shortly after sending a long letter (reproduced in an appendix) from solitary confinement, and this letter, along with other notes interspersed through the recipes, give a brilliant anthropological account of life in Italian maximum security prisons. The MoCa project isn't done – they've embarked on "Phase II," which will collect recipes from Spanish prisoners. It's a remarkable book, and an essential companion to Prisoner's Inventions. Hey look at this (permalink) Bossware booms as bots determine whether you're doing a good job https://www.theregister.com/2025/11/23/bossware_monitor_remote_employees/ Morality offsets https://www.metafilter.com/48233/Dumping-the-SUV-guilt#1171485 Nation’s Largest Landlord Is Encouraged to Break the Law With Measly Fine for Price Fixing Scheme That Kept Rents Artificially High and Worsened Homelessness Crisis | naked capitalism https://www.nakedcapitalism.com/2025/11/nations-largest-landlord-is-encouraged-to-break-the-law-with-measly-fine-for-price-fixing-scheme-that-kept-rents-artificially-high-and-worsened-american-homelessness-crisis.html Fran Sans https://emilysneddon.com/fran-sans-essay Object permanence (permalink) #20yrsago Sony rootkit hurts artists https://web.archive.org/web/20051125121608/http://businessweek.com/technology/content/nov2005/tc20051122_343542.htm #20yrsago Anti-game lawyer loses right to practice law in Alabama https://arstechnica.com/uncategorized/2005/11/5613-2/ #20yrsago Tech business niches begging to be filled https://techcrunch.com/2005/11/21/companies-id-like-to-profile-but-dont-exist/ #20yrsago Giving EU air-passenger data to US DHS is illegal https://www.rte.ie/news/2005/1122/70024-eu/ #15yrsago What John Pistole means when he talks about “enhanced” TSA checkpoints https://www.youtube.com/watch?v=0wrDzMD_BC8 #15yrsago Rock-Paper-Scissors-Lizard-Spock explained in 32 seconds https://www.youtube.com/watch?v=mJKHFPBwDRA #15yrsago TSA looks at Adam Savage’s junk, misses his two 12″ razor blades https://www.youtube.com/watch?v=q3yaqq9Jjb4 #10yrsago What’s inside a “Hello Barbie” surveillance toy? https://www.somersetrecon.com/blog/2015/11/20/hello-barbie-security-part-1-teardown #10yrsago J Edgar Hoover loved Efrem Zimbalist’s “FBI” https://www.muckrock.com/news/archives/2015/nov/23/efrem-zimbalist-fbi-file/ #10yrsago Blankets: New edition of Craig Thompson’s graphic masterpiece https://memex.craphound.com/2015/11/23/blankets-new-edition-of-craig-thompsons-graphic-masterpiece/ #10yrsago Randall Munroe does a Q&A with stick-figure comics https://time.com/4116921/randall-munroe-draws-his-own-conclusions/ #10yrsago On the grotesque obsession with accomplished women’s fertility https://harpers.org/archive/2015/10/the-mother-of-all-questions/?single=1 #10yrsago How browser extensions steal logins & browsing habits; conduct corporate espionage https://labs.detectify.com/security-guidance/chrome-extensions-google-is-tracking-you/ #10yrsago Activist tricked into 6-year relationship with undercover cop tells her story https://www.theguardian.com/uk-news/2015/nov/20/lisa-jones-girlfriend-of-undercover-police-office-mark-kennedy-interview #5yrsago An Especially Cursed House https://pluralistic.net/2020/11/22/especially-cursed/#mcmansion-hell #5yrsago Guatemala's guillotines https://pluralistic.net/2020/11/23/opsec-and-personal-security/#guillotines #5yrsago The power of procurements https://pluralistic.net/2020/11/23/opsec-and-personal-security/#procurements #5yrsago Labor and large firms https://pluralistic.net/2020/11/23/opsec-and-personal-security/#monopsony #5yrsago A textbook grift https://pluralistic.net/2020/11/23/opsec-and-personal-security/#racket #5yrsago Australian predictive policing tool for kids https://pluralistic.net/2020/11/23/opsec-and-personal-security/#phrenology #5yrsago Opsec and personal security https://pluralistic.net/2020/11/23/opsec-and-personal-security/#asl #1yrago Reverse engineers bust sleazy gig work platform https://pluralistic.net/2024/11/23/hack-the-class-war/#robo-boss Upcoming appearances (permalink) Toronto: Jailbreaking Canada (OCAD U), Nov 27 https://www.ocadu.ca/events-and-exhibitions/jailbreaking-canada San Diego: Enshittification at the Mission Hills Branch Library, Dec 1 https://libraryfoundationsd.org/events/doctorow Seattle: Neuroscience, AI and Society (University of Washington), Dec 4 https://www.eventbrite.com/e/neuroscience-ai-and-society-cory-doctorow-tickets-1735371255139 Virtual: Poetic Technologies with Brian Eno (David Graeber Institute), Dec 8 https://davidgraeber.institute/poetic-technologies-with-cory-doctorow-and-brian-eno/ Madison, CT: Enshittification at RJ Julia, Dec 8 https://rjjulia.com/event/2025-12-08/cory-doctorow-enshittification Hamburg: Chaos Communications Congress, Dec 27-30 https://events.ccc.de/congress/2025/infos/index.html Recent appearances (permalink) Today in Focus (The Guardian) https://www.theguardian.com/news/audio/2025/nov/24/enshittification-how-we-got-the-internet-no-one-asked-for-podcast Enshittification with Vass Bednar (Vancouver Public Library) https://www.crowdcast.io/c/0wzs9iu1q225 Tech unions against enshittification (TUC) https://www.youtube.com/watch?v=m11hmiHu6Tc It’s not your job to fix the internet (Vergecast) https://www.theverge.com/podcast/822822/enshittification-cory-doctorow-interview-vergecast Enshittification with danah boyd and Lee Vinsel (Peoples & Things) https://newbooksnetwork.com/cory-doctorow-on-enshittification-why-everything-suddenly-got-worse-and-what-to-do-about-it Latest books (permalink) "Canny Valley": A limited edition collection of the collages I create for Pluralistic, self-published, September 2025 "Enshittification: Why Everything Suddenly Got Worse and What to Do About It," Farrar, Straus, Giroux, October 7 2025 https://us.macmillan.com/books/9780374619329/enshittification/ "Picks and Shovels": a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books (US), Head of Zeus (UK), February 2025 (https://us.macmillan.com/books/9781250865908/picksandshovels). "The Bezzle": a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books (US), Head of Zeus (UK), February 2024 (the-bezzle.org). "The Lost Cause:" a solarpunk novel of hope in the climate emergency, Tor Books (US), Head of Zeus (UK), November 2023 (http://lost-cause.org). "The Internet Con": A nonfiction book about interoperability and Big Tech (Verso) September 2023 (http://seizethemeansofcomputation.org). Signed copies at Book Soup (https://www.booksoup.com/book/9781804291245). "Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com. "Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com Upcoming books (permalink) "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2026 "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026 "The Memex Method," Farrar, Straus, Giroux, 2026 "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, 2026 Colophon (permalink) Today's top sources: Currently writing: "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. FIRST DRAFT COMPLETE AND SUBMITTED. A Little Brother short story about DIY insulin PLANNING This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net. https://creativecommons.org/licenses/by/4.0/ Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution. How to get Pluralistic: Blog (no ads, tracking, or data-collection): Pluralistic.net Newsletter (no ads, tracking, or data-collection): https://pluralistic.net/plura-list Mastodon (no ads, tracking, or data-collection): https://mamot.fr/@pluralistic Medium (no ads, paywalled): https://doctorow.medium.com/ Twitter (mass-scale, unrestricted, third-party surveillance and advertising): https://twitter.com/doctorow Tumblr (mass-scale, unrestricted, third-party surveillance and advertising): https://mostlysignssomeportents.tumblr.com/tagged/pluralistic "When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer. ISSN: 3066-764X

Pluralistic: Boss preppers (22 Nov 2025)
Today's links Boss preppers: What does a captain of industry have to offer after the shit hits the fan? Hey look at this: Delights to delectate. Object permanence: Yahoo blocks webmail for adblockers; Badly forgiving student debt. Upcoming appearances: Where to find me. Recent appearances: Where I've been. Latest books: You keep readin' em, I'll keep writin' 'em. Upcoming books: Like I said, I'll keep writin' 'em. Colophon: All the rest. Boss preppers (permalink) Sometimes, you learn a fact that makes everything else make sense – one of those keystone insights that puts a whole phenomenon into perspective. For example, the fact that preppers are engaged in a very specific type of wish-fulfillment. I learned this during the first part of the pandemic lockdowns, when preppers were very much in our collective consciousness. On the Media featured an interview between Micah Loewinger and Richard Mitchell, author of Dancing at Armageddon: Survivalism and Chaos in Modern Times which features ethnographic studies of preppers: https://pluralistic.net/2020/03/22/preppers-are-larpers/#preppers-unprepared Mitchell described how preppers make ready for specific forms of societal collapse, based not on the likelihood of the event itself, but rather, based on how useful they would be in that situation. For example, a water chemist has made extensive preparations for an event in which terrorists poison the water-supply. When pressed, he couldn't explain why terrorists would choose his town to target with an attack like this, but basically thought it would be really cool if the only person who could save his town was him. This is the "disaster fantasy" that propels the prepper movement, in which a functional, high-tech world of wicked, systemic problems is replaced with a fallen, low-tech society where the problems are all simple. A world of simple problems is a world of individual actors, where every struggle is just about what one person can make someone else do, or offer to someone else. It's a perfect world if you've been raised on Thatcher's neoliberal doctrine that "there is no such thing as society," only to find yourself in a society in which you can only make real change by participating in collective efforts: https://pluralistic.net/2024/11/24/mall-ninja-prophecy/#mano-a-mano All this raises the question of what rich preppers are prepping for. If your contribution to society consists of "allocating capital" and/or giving people orders, what, exactly, is the disaster that fulfills your fantasy of a world where your unique skills are the only thing that can save us all? What kind of a disaster needs a boss? In Douglas Rushkoff's 2022 book Survival of the Richest, he describes a surreal "futurism" consulting gig in which a bunch of wealthy investor types asked him to help them figure out how to keep their mercenaries in line after "The Event" (the end of the world): https://pluralistic.net/2022/09/13/collapse-porn/#collapse-porn These guys had the idea that what a fallen civilization needed was bosses, you see, but they were self-aware enough to recognize that the people who survived the apocalypse might not recognize their unique genius and simply fall into line. In order to assert their natural role as leaders after the shit hit the fan, these guys would need an army of heavily armed mercenaries. But again, these guys were self-aware enough to recognize that the mercenaries might also fail to recognize their unique fitness to rule and opt instead to slaughter them and raid their hoarded food, ammo and medical supplies. So they wanted Rushkoff's advice – should they fit the mercs with bomb-collars that were on a dead-man's switch that would go off if the boss croaked? This was such a weird and revealing moment that Rushkoff got a whole book out of exploring the desire of the wealthy to both secede from the rest of us, and keep us all in line. I was inspired by this and other experiences with people fantasizing about the world's end to take a run at rewriting Edgar Allan Poe's "Masque of the Red Death" as a story about investor/ubermenschen in a luxury bunker at the end of the world (spoiler: it doesn't go well for them): https://pluralistic.net/2020/03/14/masque-of-the-red-death/#masque All of this has been very much on my mind lately because I've been reading Quinn Slobodian's amazing Hayek's Bastards, a closely researched history of the merger of the neoliberal wing of the conservative movement with its white nationalist faction, producing a conservativism obsessed with "hard borders, hard-wired human difference, and hard money": https://www.penguin.co.uk/books/472194/hayeks-bastards-by-slobodian-quinn/9780241774984 It's a revelatory history, one that argues convincingly that the brooding, violent racism of MAGA isn't so much a break with "Romney conservativism" of the "respectable" Republican Party as it is the attainment of the goals of the party's longstanding dominant tendency. "Hard-wired human differences" refers to the "scientific racism" that the likes of Elon Musk push, the junk science that insists that there is such a thing as a "race," that IQ measures something important and immutable, and that different "races" have different IQs, which is why some "races" do well, while others do poorly: https://pluralistic.net/2020/08/16/combat-wheelchairs/#race-realism "Hard-wired human difference" militates for "hard borders," since the teeming billions of racially inferior people in other countries would – given half a chance – come to the "good" countries and turn them into "shithole countries." This is the nonsense that Musk is peddling when he compares Britons to "hobbits" and warns that they're about to be overrun by people who will "start raping the kids": https://www.huffingtonpost.co.uk/entry/elon-musk-compares-brits-to-hobbits-amid-shock-immigration-claim_uk_69089785e4b0c4a0f509d6f5?origin=home-latest-unit But because the soft-headed, soft-hearted hobbits keep electing leaders who don't understand this, they'll get "overrun" by the bad "races," who demand welfare handouts, which the state can't afford, triggering "money printing" and Musk's other obsession, national debts: https://fortune.com/2025/07/01/trump-spending-bill-pain-points-critics-elon-musk-medicaid-national-debt-clean-energy/ (Which is to say, Musk's understanding of money is just as wrongheaded as his understanding of genomics): https://pluralistic.net/2020/06/10/compton-cowboys/#the-deficit-myth In the disaster fantasy, the failure of hard borders leads to the inevitable consequences of hard-wired human differences, which means that we need "hard money" – gold. The modern right is a linear descendant of the goldbug movement, composed of grifters who made fortunes terrifying racists into buying gold as a hedge against the day when the collapse of the welfare state leads to race war and the dollar's vaporization: https://mises.org/library/book/gold-peace-and-prosperity?d7_alias_migrate=1 For goldbugs, the coming collapse seems to be one that will demand coin collectors. In Hayek's Bastards, Slobodian quotes all these goldbug preppers furiously dreaming of a day when a single gold coin will let them buy a whole city block in Manhattan. Somehow, they've conceived of disaster scenario where the most needful of all things is a ductile metal with a few marginal uses in electronics. It's a very weird kind of disaster fantasy. One can only assume that the guys figuring out how to assemble an army of bomb-collared mercs will just stroll over to these goldbugs' lesser bunkers and take their precious coins. The modern goldbug is, of course, a crypto weirdo, and man is that a weird thing to be a prepper about. It will be a very odd apocalypse indeed that takes down all of modern civilization except for blockchains. (Image: Morten Jensen, CC BY 2.0, modified) Hey look at this (permalink) Qualcomm enshittified Arduino https://www.linkedin.com/posts/adafruit_opensource-privacy-techpolicy-activity-7396903362237054976-r14H/ Why is knowledge getting so expensive? https://www.youtube.com/watch?v=PygUK16aQgk Cooking Temperature and Hold Time Affect Beef Brisket Textural Properties and Cooking Yield https://www.iastatedigitalpress.com/mmb/article/id/18269/ The Dairy Products Theory of Dead Media (2004) https://bruces.medium.com/the-dairy-products-theory-of-dead-media-2004-34842e069335 Object permanence (permalink) #20yrsago Sony insider: DRM is discredited at Sony https://memex.craphound.com/2005/11/20/sony-insider-drm-is-discredited-at-sony/ #20yrsago Microsoft: Trusted Computing sucks! https://web.archive.org/web/20060821002450/http://news.com.com/Who+has+the+right+to+control+your+PC/2100-1029_3-5961609.html #20yrsago EFF brings class-action against Sony! https://web.archive.org/web/20051125183030/https://www.eff.org/news/archives/2005_11.php#004192 #20yrsago Texas sues Sony over rootkits — YEE-HAW! https://web.archive.org/web/20060204212201/https://www.oag.state.tx.us/oagNews/release.php?id=1266 #20yrsago 1,000 sqft secret chamber discovered in Indian National Library https://timesofindia.indiatimes.com/city/kolkata/secret-chamber-in-national-library/articleshow/6957358.cms #15yrsago Who owns your mortgage, the mind-croggling flowchart edition https://web.archive.org/web/20101118032158/https://www.zerohedge.com/article/just-when-you-thought-you-knew-something-about-mortgage-securitizations #15yrsago When did you choose to be straight? https://www.youtube.com/watch?v=QJtjqLUHYoY #15yrsago Dear airlines: goodbye https://www.theatlantic.com/business/archive/2010/11/dear-airline-im-leaving-you/66750/ #15yrsago How TSA screeners feel about junk-touching https://web.archive.org/web/20140928131617/https://flyingwithfish.boardingarea.com/2010/11/18/tsa-enhanced-pat-downs-the-screeners-point-of-view/ #10yrsago Yahoo blocks some users from accessing email until they turn off ad-blocking https://web.archive.org/web/20151121172408/https://consumerist.com/2015/11/20/use-adblock-and-yahoo-may-block-you-from-reading-your-e-mail/ #10yrsago Alan Moore’s brilliantly bonkers lost 1980s Star Wars comics https://web.archive.org/web/20151122232854/https://www.techtimes.com/tags/alan-moores-star-wars #10yrsago The secret history of the Haunted Mansion’s hall of changing paintings https://longforgottenhauntedmansion.blogspot.com/2015/11/the-changing-portrait-hall-that-never.html #10yrsago England: You have four days to reply to the secret consultation on the NHS’s future https://www.theguardian.com/commentisfree/2015/nov/19/nhs-mandate-england-consulation-deadline #10yrsago Southwest Airlines surrenders to racists, refuses boarding to Arab-American passengers https://www.nbcsandiego.com/news/national-international/philly-pizza-shop-owner-profiled-southwest-airlines/89976/ #5yrsago Nintendo vs Nintendees https://pluralistic.net/2020/11/21/wrecking-ball/#ssbm #5yrsago Google's monopoly rigged the ad market https://pluralistic.net/2020/11/20/sovkitsch/#adtech #5yrsago Facebook bullies watchdog https://pluralistic.net/2020/11/20/sovkitsch/#adobserver #5yrsago We're already (badly) forgiving student debt https://pluralistic.net/2020/11/20/sovkitsch/#student-debt #5yrsago Little Revolutions https://pluralistic.net/2020/11/20/sovkitsch/#asl #1yrago Expert agencies and elected legislatures https://pluralistic.net/2024/11/21/policy-based-evidence/#decisions-decisions Upcoming appearances (permalink) Toronto: Jailbreaking Canada (OCAD U), Nov 27 https://www.ocadu.ca/events-and-exhibitions/jailbreaking-canada San Diego: Enshittification at the Mission Hills Branch Library, Dec 1 https://libraryfoundationsd.org/events/doctorow Seattle: Neuroscience, AI and Society (University of Washington), Dec 4 https://www.eventbrite.com/e/neuroscience-ai-and-society-cory-doctorow-tickets-1735371255139 Madison, CT: Enshittification at RJ Julia, Dec 8 https://rjjulia.com/event/2025-12-08/cory-doctorow-enshittification Hamburg: Chaos Communications Congress, Dec 27-30 https://events.ccc.de/congress/2025/infos/index.html Recent appearances (permalink) Enshittification with Vass Bednar (Vancouver Public Library) https://www.crowdcast.io/c/0wzs9iu1q225 Tech unions against enshittification (TUC) https://www.youtube.com/watch?v=m11hmiHu6Tc It’s not your job to fix the internet (Vergecast) https://www.theverge.com/podcast/822822/enshittification-cory-doctorow-interview-vergecast Enshittification with danah boyd and Lee Vinsel (Peoples & Things) https://newbooksnetwork.com/cory-doctorow-on-enshittification-why-everything-suddenly-got-worse-and-what-to-do-about-it Enshittification and Extraction: The Internet Sucks Now, with Tim Wu (Oxford Internet Institute) https://www.youtube.com/watch?v=CkYxMQJ9c94 Latest books (permalink) "Canny Valley": A limited edition collection of the collages I create for Pluralistic, self-published, September 2025 "Enshittification: Why Everything Suddenly Got Worse and What to Do About It," Farrar, Straus, Giroux, October 7 2025 https://us.macmillan.com/books/9780374619329/enshittification/ "Picks and Shovels": a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books (US), Head of Zeus (UK), February 2025 (https://us.macmillan.com/books/9781250865908/picksandshovels). "The Bezzle": a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books (US), Head of Zeus (UK), February 2024 (the-bezzle.org). "The Lost Cause:" a solarpunk novel of hope in the climate emergency, Tor Books (US), Head of Zeus (UK), November 2023 (http://lost-cause.org). "The Internet Con": A nonfiction book about interoperability and Big Tech (Verso) September 2023 (http://seizethemeansofcomputation.org). Signed copies at Book Soup (https://www.booksoup.com/book/9781804291245). "Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com. "Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com Upcoming books (permalink) "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2026 "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026 "The Memex Method," Farrar, Straus, Giroux, 2026 "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, 2026 Colophon (permalink) Today's top sources: Currently writing: "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. FIRST DRAFT COMPLETE AND SUBMITTED. A Little Brother short story about DIY insulin PLANNING This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net. https://creativecommons.org/licenses/by/4.0/ Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution. How to get Pluralistic: Blog (no ads, tracking, or data-collection): Pluralistic.net Newsletter (no ads, tracking, or data-collection): https://pluralistic.net/plura-list Mastodon (no ads, tracking, or data-collection): https://mamot.fr/@pluralistic Medium (no ads, paywalled): https://doctorow.medium.com/ Twitter (mass-scale, unrestricted, third-party surveillance and advertising): https://twitter.com/doctorow Tumblr (mass-scale, unrestricted, third-party surveillance and advertising): https://mostlysignssomeportents.tumblr.com/tagged/pluralistic "When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer. ISSN: 3066-764X

Back to top

100r

Hey everyone!

This is the list of all the changes we've done to our projects during the month of November.

Thousand Rooms, added an English version with one type of dyslexia-friendly typeface. A Danish version is also on the way.
Orca, improved the interface, released an Orca Cheatsheet for an upcoming workshop, and increased the parity between Orca versions with new tests.
Drifblim, implemented a tug-o-war(Mastodon) memory model.
Punk Rabbits, completed 8 new rabbits(#57-64).
Uxn, wrote a standalone Uxn REPL, and improved Uxn5.
M291, fixed an annoying crashing bug.

This month, we celebrate Hundred Rabbit's 10 year anniversary and remember with great fondness how, in November 2015, we sat together at a coffee shop in Montreal, puzzling over how we would start a new life on the water. Here's hoping for 10 more years of learning and documenting experiments around low-tech and resilience!

We finally stashed our summer sailing gear, we compressed everything into vacuum bags drawing out as much air as we could to discourage mold. We're entering the month of December in Victoria, and we are beginning to feel the increasing dampness of winter in our clothes, we also see it as the condensation gathers on Pino's windows.

Devine spent the last few days in Austria for the Ultramateria Festival talking with local artists and activists about the design philosophy of Hundred Rabbits. Devine also gave an Orca workshop, played some techno in a gorgeous venue, made a brief appearance on Austrian television and Fireside Fedi.

Rek spent time troubleshooting a raw water leak in Calcifer II, gaining in-depth knowledge of yet another part of the engine. What was learned was documented in the ever-growing engine care portal under raw water pump. Rek has also been working on the upcoming Playdate version of Donsol!

Book Club: This month we are still reading Madame Bovary: Provincial Manners by Gustave Flaubert.

Summary of changes for October 2025

Hey everyone!

This is the list of all the changes we've done to our projects during the month of October.

CCCC, added a factorization mode.
Bagel, wrote about a cursed programming language idea where instead of cons cells, s-exp represent unordered lists.
Rabbit Waves, released a new page called Celestial Compass, and added a button for those who wish to link to the website from theirs.
Punk Rabbits, completed 2 new rabbits(#55 and 56).

We sailed Pino back to Victoria before heading east for AMP Festival 2025. The venue was packed! The Aliceffekt show(YouTube) started with a bit of radio taiso, to make sure everyone had a chance to limber up, it was pretty funny.

As the trees were shedding the last of their leaves, members of the Merveilles community composed a spooky mixtape(download), and we folded paper to craft ourselves some homemade Halloween masks. Like every year, we carved a pumpkin. This year's design was inspired by the Hollow creature from the amazing animated sci-fi series Scavengers Reign.

We spent the rest of the month with family, seeing friends and reviewing microgrant applications for Rhizome.

We have re-opened the store for sticker sales, but at the moment we cannot ship them to the US due to the suspension of the de minimis exemption. We hope to resume shipments as soon as we can figure out how to comply with the new shipping rules. The sale of our physical books to the US is unaffected. We'll end this update with the mention that Oquonie is part of the Playdate Catalogue fall sale lasting until Nov 13, 2025. Thank you to everyone who continue to explore our strange little world.

Book Club: This month we are reading The Outsiders by Susan E. Hinton, and Madame Bovary: Provincial Manners by Gustave Flaubert.

Summary of changes for September 2025

Hey everyone!

This is the list of all the changes we've done to our projects during the month of September.

Noodle, redesigned the interface.
Wiki, updated with a new photo.
Punk Rabbits, completed 19 new rabbits(#35-53).
NanoTalk, released a Nanochat client, written in Tal.

As promised, we released a revised transcription of Devine's talk Permacomputing 101 for Critical Signals 2025! We have moved our website to a Canadian TDL(100r.ca), so be sure to update your bookmarks! We will keep the .co version of our website online for redundancy.

Rek finished revising the upcoming version of the Victoria to Sitka logbook and passed the text over to Devine for proof-reading. The finished publication will feature 104 drawings, 19 recipes, and 18 new sections on a variety of topics. We hope to release the digital version early next year, and the printed version a bit later.

Our friend Erik(d6) designed a bespoke chat server so that the Uxn community could meet up through an interface designed specifically to interface nicely with tiny clients so we hacked together a little rom for it. Get in touch if you'd like to hang out on there!

Devine is performing in Montreal on October 11th, as Aliceffekt, at the AMP Festival 2025. They've also released a new album this month, called Ver'Iystl(Bandcamp), adding further dimension to the many places populating the Neauismetica. Let us know if you're planning to come!

Book Club: This month we are reading The Glass Bead Game by Hermann Hesse, and we are continuing to read Middlemarch by George Eliot.

Summary of changes for August 2025

Hey everyone!

This is the list of all the changes we've done to our projects during the month of August.

Wiktopher, updated songs.
100r.ca, updated cast iron cookware(seasoning oil suggestions).
Punk Rabbits, completed 15 new rabbits(#19-34).
Orca, pushed a little update that includes the string operator.
Solresol, illustrated some curwen signs.

In preparation for a programming class that's coming up, we've implemented a graphical tiny-BASIC runtime called Sunflower BASIC. It contains the essential blocks of a BASIC language interpreter with enough features to communicate elementary programming concepts and how each one is implemented. We've also released the Permacomputing 101 talk given at Critical Signals 2025 which covered a few interesting aspect of digital preservation and some tactics to craft software in a way that may last.

Choosing to remain in the Southern Gulf islands in August this year has permitted us to pick blackberries, plums and apples. We have incorporated the fruit into cakes, or just squished whole berries over morning toast. We processed some of the apples into jam, and are currently delighting in eating through the rest. We've also been experimenting with the solar cooker, preparing some cinnamon buns in it for the first time! See our cameo in our friend Peter's latest video.

Summary of changes for July 2025

Hey everyone!

This is the list of all the changes we've done to our projects during the month of July.

Catjam 2025, finished a small game called Polycat!
100r.ca, added Vancouver Island West Coast, Ucluelet, Port San Juan, Juan de Fuca Strait and Cadboro Bay.
Theme Editor, made a nicer theme editor for our tools ecosystem.
Punk Rabbits, started a drawing series of rabbit characters with the goal of making one hundred.

This month we sailed into the Juan de Fuca Strait, escorted by pods of orcas and a lone young humpback whale. The last time we had been here was in July 2020, on our way back from Japan. After weathering gale force winds at anchor in Becher Bay, we stopped in Port San Juan. The beaches there are covered in old growth driftwood, carried there by winter storms. Some trees are so large and have been there so long that people have installed swings on them. The way to Barkley Sound was bleak, we spent 10 hours of it in a fog bank, only to emerge near Cape Beale to a bright sun over jade-colored waters. We pulled into Ucluelet the next day, just in time to meet up with our friend Avi to view the building site for their upcoming boatyard project.

We spent a few days anchored in Barkley Sound, in an anchorage with the biggest population of hummingbirds we'd ever seen. The hummingbird visits were constant, with 3-4 buzzing around us at all times. During our stay there we completed our game entry for Catjam named Polycat. The game is very hard, but also very short. Watch a video of Devine playing the game.

In the second half of July, Pino sailed back to the Southern Gulf islands and stayed anchored alongside a friend, messing with their laser engraver, hiking, picking blackberries, and working on projects. Instead of hummingbirds, in Fulford, we had kingfishers, they really liked sitting on the wind vane's arrow on top of the mast. See this amazing drone footage shot by our friends aboard MV Poem.

Devine has been invited to talk about permacomputing at Critical Signals on August 12th. They will try to introduce some of the ideas that they find most interesting via practical examples. Save the date!

Book Club: This month we are reading Ancillary Justice by Ann Leckie.

Summary of changes for June 2025

Hey everyone!

This is the list of all the changes we've done to our projects during the month of June.

100r.ca, updated costs, hauling out, united states and teapot gelcoat. Added san juan islands.
Rabbit Waves, added all content links to the main page, released a new page called Boatswain's Call.
Orca, embedded runtime in the reference guide.
Left, made lots of little improvements and optimizations!
Solresol, learnt some profanities in a musical conlang?

For a few days, Pino became a land creature, living on stilts, while we scrubbed and re-painted the lower part of the hull. Our propeller had a bit of a wobble, which we hope is now corrected. We also battled with the old wheel quadrant and were finally able to remove it, at least a part of it. Boaters have frequently helped us while we were in boatyards, and we are finally able to pay it forward. We offered both advice to those who asked and lent tools to folks that needed them. It felt nice. Teapot's new bottom has seen water for the first time, the new gelcoat will allow us to take it around into bays for many more years to come.

We spent many June days working on both Turnip Complete(Uxn book) and the enhanced version of the Victoria to Sitka Logbook, with frequent breaks to enjoy the beautiful places we found ourselves in.

The beginning of our sailing season has been very blustery, allowing for some good sailing, but also often forcing us to wait at anchor for clement weather. Later, we sailed through the San Juan Islands to meet up with some Merveillans on Blakely Island. We are very grateful to be part of a community of such kind, curious, and generous people. The image that was drawn for this month's update represents cooperation between members of Merveilles.

Book Club: This month we are reading Ill Met By Moonlight by Sarah A. Hoyt, Silmarillion by J.R.R Tolkien and Girl's Last Tour by Tsukumizu.

Summary of changes for May 2025

Hey everyone!

This is the list of all the changes we've done to our projects during the month of May.

100r.ca, updated Oquonie and water.
Modal, the interpreter was ported to Uxn!
Uxntal, the documentation has been completely redone!
Hakum, added page 7 and page 8 of Sabotage Study.

Oquonie was released on the Playdate Catalog this month! We'd like to thank everyone who sent us photos of their progress in the game, it has been nice to follow along. The game is kind of our first official release on a modern handheld platform, and we're happy to see that Uxn roms run well on it! It might be one of the first original Playdate games implemented that way?

In other news, Devine started working on a book, the working title is "Turnip Complete". The goal is to write a complete and stand-alone implementation guide for the Uxn virtual machine and devices, along with some example programs and thoughts about playful computery things. We might have something to show for it come autumn, maybe.

We've left Victoria for the summer, and are falling back into the groove of waking up at dusk to catch the tide. We have a quick haul out lined up, and afterward we'll be sailing around the Gulf Islands until the fall. We have lots of projects to finish up these next couple of months and can't wait to share them with you.

We share photos of life aboard throughout the month on our little photo site, if you're curious to see what the daily life aboard Pino is like.

Book Club: This month we are reading Artemis by Andy Weir, Gardening Without Work: For the Aging, the Busy and the Indolent by Ruth Stout and A History of Thinking on Paper by Roland Allen.

Summary of changes for April 2025

Hey everyone!

This is the list of all the changes we've done to our projects during the month of April.

100r.ca, updated water, ditch bag, woodstove installation, and added new photos and information on first-aid kit.
Rabbit Waves, updated Triangular Bandages with animated gifs, and First-Aid kit with new med suggestions (also appended a .txt list of meds and their intended use).
Hakum, began a new comic sequence named Sabotage Study(not yet completed).
Orca, modified the behavior of the lowercase-j operator to allow for jumpers to grow.
Solresol, improved the documentation.
Uxntal, improved the documentation.

The weather is getting warmer, which is perfect for airing out Pino's lockers, and drying off moldy clothes and tools. Anything stored in the v-berth lockers, below the waterline, suffer from extreme wetness. It is a very, very annoying fact of boat life, but there is really no way to bring good air flow in those spaces. We scrubbed the lockers clean, parted with items we no longer needed, and sent two laptops to the recycler.

In last month's update, we mentioned Flickjam, a game jam based on Increpare's Flickgame. We received a total of 27 entries! They're really fun, and all playable in the browser. Devine's jam entry is about a very adorable rabbit learning to play the word "rabbit" on a xylophone in Solresol.

Devine spent some time off the computer, skating and folding paper. The paper computer pages have been updated to cover some new ways in which computer emulators can be operated on paper. While on that subject, we highly recommend Tadashi Tokieda's excellent talk named A world from a sheet of paper.

Another item on Devine's list was to gradually phase out Uxnasm.c in favor of the self-hosted assembler. We're not 100% pleased yet, but it is getting closer to retirement.

Starting on May 20th 2025(1000 PST/PDT) the Playdate Catalogue will include Oquonie. The game is also available on our itch.io store.

The video for Devine's November 2024 talk A Shining Place Built Upon The Sand is now on YouTube.

Book Club: This month we are reading Banvard's Folly by Paul Collins, Einstein's Dreams by Alan Lightman, and we are still making progress on the The Goldfinch by Donna Tartt.

Summary of changes for March 2025

Hey everyone!

This is the list of all the changes we've done to our projects during the month of March.

Summary Of Changes

In the above illustration, little Ninj is going through a first-aid kit, looking through our supplies to see what needs to be topped off and what is out-of-date. Rek drew a list of suggestions on what to include in both a first-aid and a medical kit for the Rabbit Waves project, we plan to add more items soon(thanks to everyone on Mastodon who suggested additions! It'll be in the April update).

We will spend the first few days of April participating in Flickjam, making small games in the style of Flickgame, a tool originally made by Increpare, in which the world is navigated by clicking on pixels of different colors to head in different directions. Devine ported Flickgame to Varvara, and wrote a compiler for flick games to uxn roms.

This past month, Rek finished transcribing the entire 15 weeks of the Victoria to Sitka logbook! We have plans to turn it into a book, in the style of Busy Doing Nothing, with tons of extra content and illustrations.

March was a very good month for silly calendar doodles. Our paper calendar is always in view, it documents important events like releases, appointments, as well as food, memes, and other noteworthy things that happened on each day.

Book Club: This month we are still reading The Goldfinch by Donna Tartt(it's a long book).

Summary of changes for February 2025

Hey everyone!

This is the list of all the changes we've done to our projects during the month of February.

Summary Of Changes

100r.ca, added Dinghy gelcoat, Week 10, Week 11, and Week 12 of the Victoria to Sitka logbook. Updated solar with new pictures and corrected information (this page used to be called solar tips).
Nebu, released a spreadsheet editor.
Grimgrains, added a new recipe: Stovetop zaatar pizza.
Store, added maritime flag stickers for sale.
Rabbit Waves, added a new page: Emergency Bag. Updated Morse Code with Flags page with animations, released a printable zine(see how to fold a zine).

On February 14th, we celebrated our 9th year living aboard our beloved Pino. Read a short text by Devine, which expands on what it means to truly be a generalist.

Despite the weather being less-than-ideal, we were able to install our replacement solar panels, and revisit our notes on solar installations.

Devine completed Nebu, a spritesheet editor as well as a desktop calendar, alongside many other little desktop utilities. Nebu is just over 8.3 kB, a bit less than a blank excel file.

In times of increasing climate and political instability, it is a good time to get together with your community and make plans for emergencies. Consider reading Tokyo Bosai about disaster preparedness, this elaborate document deals with disasters that occur specifically in Japan, but many of the recommendations are useful regardless. We released a new page on rabbit waves with suggestions on what to pack in an Emergency Bag. Remember, every emergency bag is different, and what is essential varies per person.

We also put together a print-it-yourself zine, which combines useful information about Morse Code and Signal Flags. If you have printed the zine and don't know how to fold it, see Rek's illustrated instructions. Speaking of signal flags, we printed stickers of Rek's ICS flag drawings.

The nice weather finally arrived this week and we were able to redo Teapot's gelcoat. This was our first time working with gelcoat, our friends Rik & Kay, who lent us their workspace, were very patient and generous teachers. We will continue the project later when the gelcoat has cured.

Book Club: This month we are reading The Goldfinch by Donna Tartt.

Summary of changes for January 2025

Hey everyone!

This is the list of all the changes we've done to our projects during the month of January.

Summary Of Changes

100r.ca, added a new page: tote. Added Week 8 and Week 9 of the Victoria to Sitka logbook.
Tote, released the project on itch.io.
Grimgrains, added a new recipe: chocolate turtles.
Left, added an option to collapse the nav bar on the left.
Orca, added community links.

Devine spent time improving the html5 Uxn emulator, and thanks to their hard work it is now possible to play Niju, Donsol, and Oquonie directly in the browser on itch.io, the same goes for projects like Noodle and Tote.

It's been a long time coming, but Oquonie is now playable on Playdate. Rek spent the last week converting the 2-bit assets for Oquonie to 1-bit, because some of the characters and tiles were too difficult to read, now all of the assets work perfectly on monochromatic screens. As an amazing plus, Devine got the music and sounds working perfectly, just like in the original iOS version.

From January 19-25th, we both participated in Goblin Week, an event in which you make goblins every day for a week(whatever that means to you). See the goblin series made by Rek(viewable here in higher rez also) and the one made by Devine(Mastodon).

Pino has earned two new replacement solar panels this month! We have not installed them yet, it is still too cold outside in Victoria (we are expecting snow this week).

We share photos often in our monthly updates, and so Devine spent time building our very own custom photo feed named Days. It is possible to follow the feed with RSS.

Book Club: This month we are reading How do You Live? by Genzaburo Yoshino and Middlemarch by George Eliot.

Summary of changes for December 2024

Hey everyone!

This is the list of all the changes we've done to our projects during the month of December.

Summary Of Changes

100r.ca, updated the documentation for our various projects.
Left, added support for unicode input(Mastodon).
Rabbit Waves, added a page on Air to Ground Signals.
December Adventure, collected Devine's code experiments.

Before diving into the ins and outs of the past year, we'd like to begin by sending our very warmest thanks to everyone who generously hosted us, drove us to the hardware store, invited us out for fries to cheer us up, fixed typos in the books, improved the documentation, lent us power-tools, donated to the studio, spent hours to show us how to fix broken things and corrected us when we were wrong.

During the first few weeks of the year, we were busy with planning our upcoming sail north to Alaska, during which a DDoS attack took down many of our repositories and precipitated our decentralizing of the project source files. Mirroring our projects across multiple forges and diversifying the means in which they were available became necessary.

In preparation for the heavy weather up north, we strengthened the chainplates and replaced a few experienced halyards. In fact, our most vivid memories of the early spring was of the blisters we made splicing dyneema. We've also built ourselves a gimballed stove with space for an open pantry allowing us to store more fresh vegetables by doing away with the oven.

Our summer was spent exploring the Northern Canada and Alaskan coastline to test the recent boat projects, a sort of shakedown if you will, in preparation for plans we may divulge in a future update. During our transit, we began writing down notes on various forms of analog communication which have now mostly fallen into obscurity. These notes later became an integral part of the Rabbit Waves project, created with the hope of sparking an interest in these valuable but vanishing skillsets.

Through it all, we continued improving the Uxn ecosystem documentation and toolchain, which has played a central role in our work now for four years! We've also explored other enticing avenues where small robust virtual machines could be used for knowledge preservation, namely Conway's Fractran, which all came together into the Shining Sand talk given at the the year's end.

We're looking cautiously forward to the challenges that awaits us all in 2025. Approaching these adversarial forces with collective tactical preparedness and clarity is more important than ever, and we shall all rise to the occasion!

We had a lot of really good wildlife moments this year, and so the last drawing of 2024 is of a half-mooning seal.

Book Club: This month we are reading The Secret History by Donna Tartt. Our favorite book this year was West with the Night by Beryl Markham, see all of the other books we read in 2024.

Summary of changes for November 2024

Hey everyone!

This is the list of all the changes we've done to our projects during the month of November.

Summary Of Changes

100r.ca, added an article named A Shining Place Built Upon The Sand, and Week 6 to the Victoria to Sitka Logbook.
Rabbit Waves, added a page on Morse Code and on Morse Code with flags.
Left, redesigned with a bigger font, for aging eyes.

Our website has a new look! The illustrated algae-eared rabbit nav helped solve the problem of navigating on mobile. We added a lot of information to this wiki over the years, creating separate portals for its evergrowing content was inevitable, we hope you like the re-design. Some of the content has shifted, and we've simplified many of the pages.

A couple of folks on Merveilles got together recently and made a Diablo Tribute tape. A limited run of physical cassettes are currently in production, but in the meantime the tribute album is available to download on Bandcamp.

Next month on December 6th, Devine will share the stage with Iszoloscope, Oddie(Orphx) & Creature at Foufounes Electriques in Montréal as part of AMP Industrial Events. Then on the 7th, we will both(remotely) present a summary of all the interesting analog communication schemes that inspired and found their way into Rabbit Waves and Wiktopher for Iterations 2024 organized by Creative Coding Utrecht.

Devine's talk for Handmade Seattle 2024 entitled A Shining Palace Built Upon the Sand was released online(YouTube), we also released the written transcript.

Due to the ongoing Canada Post strike we had to close the sale of stickers in our store, we'll let you know once we resume operations (this also applies to Patreon supporters, we'll ship perks your way as soon as we can).

Book Club: This month we are still reading The Memoirs of Sherlock Holmes by Arthur Conan Doyle.

Summary of changes for October 2024

Hey everyone!

This is the list of all the changes we've done to our projects during the month of October.

Summary Of Changes

100r.ca, added Rabbit Waves and Logbooks. Updated woodstove installation, no windlass with 1 photo, mini dodger and Victoria to Sitka logbook with Week 3 and 4.

Pino is back in Victoria. Being back in a city also means that we are shipping sticker sheets again! Devine found a spirograph set at a thrift store for 5$, we now make patterns on every letter we ship.

We are happy to announce the official release of Rabbit Waves! The idea for the project came after discussing the disappearance of certain traditional seasteading skills and maritime communication knowledge that we believe are valuable when electronics misbehave, but that are also just generally fun to learn and use. The world of the micro-site will grow as we think of new ideas to expand it.

Devine participated in Drawtober again this year and completed a zine that teaches the basics of multiset rewriting with examples, it also includes the source for a tiny Fractran interpreter. Since its release, many people have printed their own. Avanier went a step further and re-drew the zine on black paper! Devine also released an interactive version, and CapitalEx created with it a beautiful little world to explore! Handmade Seattle 2024 is coming up, Devine will be there to talk about weird computer stuff, and will hand out copies of the zine too.

This year, we carved a Calcifer pumpkin (see our other Halloween pumpkins).

Book Club: This month we read The Memoirs of Sherlock Holmes by Arthur Conan Doyle.

Summary of changes for September 2024

Hey everyone!

This is the list of all the changes we've done to our projects during the month of September.

Summary Of Changes

100r.ca, added a new page: Victoria to Sitka logbook.
M291, added support for Cyrillic glyphs.
Fractran, released what might be the most in-depth documentation of Conway's programming language out there.
Now Lie In It, a look back at what has happened with Uxn since its creation 4 years ago.

September started off warm, but got cold and windy fast, we spent lots of time sitting by the woodstove drinking tea. As promised, we have begun transcribing the Victoria to Sitka logbook digitally, we release one week's worth of logs at a time. We populated the logs with photos and Rek's sketches(also sourced from the handwritten logbook). End of the month, we closed our summer 2024 sailing route, Pino has traveled very far this year! We made 76(!!!) stops over a period of 5 months, sailing 1900 NM.

We announced a new project this month named Rabbit Waves. It will serve as a vessel to expand, in a playful way, on some of our favourite things. Expect lots of art featuring root vegetable root-shaped sailboats, rabbits, and seabirds! The website will host more content next month.

For 3 years now, we've had a monthly hand-drawn calendar in the galley that we cover with doodles, at the end of the year, Rek binds the 12 pages together, and it makes it easy to look back at where we were, what we were doing at a previous time. Everyday has some kind of highlight or other. It's one of our favourite habits.

Listen to Devine's remix of SOPHIE's One More Time feat. Popstar.

Book Club: This month we read Project Hail Mary by Andy Weir. We are forever in love with Rocky.

Summary of changes for August 2024

Hey everyone!

This is the list of all the changes we've done to our projects during the month of August.

Summary Of Changes

100r.ca, added new pages: Sointula, Johnstone Strait anchorages, and Central coast anchorages. Updated existing pages: added Yuculta and Dent rapids with southbound tactics, no windlass with 3 new photos, lpg with troubleshooting, and gimballed stove with performance tests.
Left, added support for macros.
Uxnfor, added support for macros.
Uxn, found a tiny optimization that makes things a bit faster.
M291, started a little music player for Uxn11.
Wiktopher, updated some Solresol words in the Ilken songs featured in the book.
Hakum, added a new comic named Smile.
Wunderland Rabbits, added a new rabbit pic.

This month, Pino reached the northern tip of Vancouver Island, sailed south through Johnstone Strait, and into calmer, familiar waters on the 11th of August. Both of us were eager for a taste of summer weather, we hoped to catch what was left of it. Our legs demanded an anchorage with options for walking, so we chose to anchor in Hathayim Marine Park. The lovely people on the sailboat Nanamuk were anchored here too, they mapped many of the trails in the area, even the overgrown, less-traveled routes. We updated our summer route map through northern B.C.

From May 1st to August 11th, like with our book Busy Doing Nothing, Rek kept a detailed logbook of daily happenings onboard. We hope to publish these notes to this wiki soon.

Book Club: This month we are reading The Adventures of Sherlock Holmes by Arthur Conan Doyle, The Design of Everyday Things by Don Norman, and Everyday Utopia: What 2000 years of Wild Experiments Can Teach Us About the Good Life by Kristen R. Ghodsee.

Summary of changes for July 2024

Hey everyone!

This is the list of all the changes we've done to our projects during the month of July.

Summary Of Changes

100r.ca, added Sitka, and completed route in us se alaska.
Left, can now paste binary directly from programs like Nasu.
Hakum, added two drawings to the Characters section, and a new very short comic called Shoes.
Wiktopher, fixed some typos.
Markl, we don't have much of anything to show for it yet, but who knows, maybe this time it will work out!
Solrela, expanded Solresol dictionary.
Malleable Systems, wrote a little thing about extending compiled software with devtools.

Pino and crew have moved a lot in the past month. On the first of July, we were in Sitka, Southeast Alaska, and then on the last day of the month we were back in Millbrook Cove, very near to the top of Vancouver Island. We sailed 590 NM and stopped in 15 different anchorages.

Leaving Sitka, we sailed along the west coast of Southeast Alaska for a few days to try and take advantage of a good weather window, we had some engine issues which too motivated the need for such a long passage(see our track)—we spent two days troubleshooting the issue while anchored in Port Bazan, a bay far from everything, with no internet connection or way to talk to anybody, we were glad to have the physical engine manual on board. Sailing on open waters is always nice, we saw black-footed albatrosses, horned puffins, a whale per hour, and many more sea otters(Port Bazan was full of them).

After checking back into Prince Rupert, the way back south through Northern Canada was plagued with unfavorable winds, we had to beat into it, or travel on quiet waters to make progress. We resorted to doing short hops between anchorages, conditions did not permit for long distances. Doing short hops though did allow us to discover beautiful places we might have otherwise missed. We spent many grey days waiting for weather, reading, drawing, and beginning work on markl, we're giving it another go).

Book Club: This month we read Erewhon by Samuel Butler, Technophilia and Its Discontents by Ellen Ullman, The Democracy Of Species by Robin Wall Kimmerer, I Will Fight No More Forever by Merrill D. Beal, In Cold Blood by Truman Capote, and Mrs Dalloway by Virginia Woolf.

Summary of changes for June 2024

Hey everyone!

This is the list of all the changes we've done to our projects during the month of June.

Summary Of Changes

100r.ca, added Ketchikan, Snug Cove, Ratz Harbor, Frosty Bay, Berg Bay, Wrangell, Petersburg and Ruth Island Cove. Updated library.
Oekaki, optimized and added a selection tool.
Nasu, fixed selection issue.
Uxn5, redesigned and made responsive for mobile.
Uxndis, wrote a disassembler.
Uxnrepl, added step-by-step evaluation.

We spent all of June cruising through Southeast Alaska, we visited 4 cities and stopped by 14 different anchorages. On June 27th, 420 nautical miles later, we arrived in the beautiful town of Sitka — our favorite city so far.

We have sailed as far north as we are willing to go this year, at 57°N — the same latitude as Kodiak. Sailing in these waters has been challenging, there is a lot of current, and the wind is often light, or absent. Because of these frequent calms, Calcifer II has seen a lot of use this year. We will now slowly make our way back south, exploring new anchorages along the west coast of Southeast Alaska all the while. We continue to update our path in Alaska here, when we cross back into Canada we'll resume updates here.

Book Club: This month we are reading West With the Night by Beryl Markham.

Summary of changes for May 2024

Hey everyone!

This is the list of all the changes we've done to our projects during the month of May.

Summary Of Changes

100r.ca, added Frances Bay, Yuculta and Dent Rapids, Shoal Bay, Port Neville, Telegraph Cove, Port McNeill, Fury Cove, Prince Rupert, B.C. north coast anchorages, US Southeast Alaska and United States.
Paradise, implemented paradise in Modal.
Note Pad, added pen tool and line styles.
Oekaki, rect tool uses brush settings.
Adelie, tga images are now dithered.
Left, fixed issue for non-qwerty keyboards.

We spent this month moving northward through both southern and northern British Columbia. We've been moving almost every day, stopping every night to anchor, sleep and recuperate. Sailing near land is not as relaxing as sailing offshore, this reef-strewn coast requires careful navigation. We've had many long days of endless tacking from one side of the channel to the other, almost all the way to Port McNeill, then after that we started to get more weather from the south for some mostly pleasant, but cold and rainy, downwind sailing. We've been using our woodstove a lot, in evenings it helps warm the boat after a long sail.

On May 29th, 623 nautical miles miles after leaving Victoria, we arrived in Prince Rupert, our last major port in British Columbia before we head north to Southeast Alaska. Then, on June 2nd, we arrived in Ketchikan, Southeast Alaska. Most of our updates this month detail some of the places we've been(see the above list). To see our path, look at Western Canada and us se alaska. We update the map as we find internet.

We've seen sea otters, lots of humpback whales, two pods of orcas(one pod had a baby tagging along), eagles, and lots of mountains. In other non-travel related news, Devine is going to speak again at Handmade Seattle this upcoming November!

Pino book & movie club

Book Club: This month we are reading The Martian by Andy Weir.

Summary of changes for April 2024

Hey everyone!

This is the list of all the changes we've done to our projects during the month of April.

Summary Of Changes

100r.ca, added Twilight, updated our notes on chainplates, wheel to tiller conversion, cabin lights standing rigging replacement, Princess Louisa Inlet(added maps), Goji no Chaimu(added maps), and Sailing to Japan(fixed some dead links).
Hakum, released a new comic sequence called Kaizah.
Wunderland Rabbits, released a new Rabbit travel photo
Orca, added a note on the repository for the Javascript version titled Is Orca dead?

Devine has been busy working on the implementation and documentation of wryl's fantastic programming language Modal. Rewriting systems are a computation paradigm that is generally unknown and under-explored that might have some fascinating features that might be able help us to tackle some of our future projects.

In other news, Pino is ready to head northward! We finished all of our boats projects and left the dock on May 1st. See a photo of our first day of the year on the water, taken as we exited Enterprise Channel, just north of Trial Island south of Victoria. On our travels we will continue to push updates every month like usual, but the updates will only go live when we find internet, and this may or may not coincide with the start of every month. We will keep a log of our travels, populated with plenty of drawings!

Pino book & movie club

Book Club: This month we are reading The Fountainhead by Ayn Rand.

Summary of changes for March 2024

Hey everyone!

This is the list of all the changes we've done to our projects during the month of March.

Summary Of Changes

100r.ca, added chainplates, knots, washing dishes, receiving mail, updated our notes on diy carbonation system, and refrigeration.
Uxn, added 2 new commands to Varvara's System/expansion port and rewrote uxnasm.
Some toys, made a two-player implementation of Pong, and an orca that follows the cursor like that old classic flash web toy.
Left, improved the object inspector, it's much prettier now!
Kokorobot has a new splash page.

News

Pino now has all-new chainplates! We removed the original ones earlier this month to inspect them and found some pit corrosion(as well as a small crack), replacing them was necessary. With the chainplates gone, we removed the entire starboard side cabinet to see what was behind it—it's always nice to see parts of our boat we've never seen. We also replaced 3 old halyards on Pino. Devine earned themself a couple of blisters splicing dyneema onto some of our existing halyards.

Sejo revisited the Uxn tutorial, and appended corrections. The most important change is that the tutorial is now targeting the learn-uxn platform(online) maintained by metasyn. Now, people can jump right in and experiment without having to set up a dev environment. Tsoding, someone who can code in front of the camera in a language they've never used or read the docs for, did a pretty funny session in Uxntal, you can watch it here.

There has been too many exciting Uxn projects coming out these past few days, so we'll just put a link to the hashtag. Someone also created a Discord channel, it's a good place to learn about other concatenative languages and an alternative for people who have trouble with #uxn, in irc.libera.chat.

Pino book & movie club

This month we are reading The Last Great Sea by Terry Glavin, and we watched the movie Tenet.

Summary of changes for February 2024

Hey everyone!

This is the list of all the changes we've done to our projects during the month of February.

Summary Of Changes

100r.ca, added gimballed stove, open pantry, Little Ninj and LPG fume detection system. Updated galley refit and Western Canada(includes tidal/current resources).
Uxn, with the help of the community, we defined a specification on how labels and sublabels should be nested into each other. Assemblers were updated to reflect that change, including the Uxn REPL.
Left, added accented latin characters support, so you can read and write French and Spanish text files.
Potato, released a final version, added a screensaver(Mastodon).
Hakum, finished Ruler of the Taiga.

News

Late last month we started re-modeling part of our galley, the work is now complete! It's subtle, but the splash image for the log now includes the re-design. We will test our new galley when we go out cruising.

Pino will be adventuring a bit more north this summer, we're planning to explore the north coast of British Columbia, all the way to Prince Rupert, or possibly Ketchikan(AK), areas with little to no cell coverage. How far we go depends on what we find on the way. If the seas and winds are kind, and if we have time, we might go farther. We spend our days studying charts, gathering supplies, and fixing up the boat to make sure the passage is safe and pleasant. More updates on our plans soon!

Want to see something cool? Xsodect made Tetris(Mastodon) in Orca.

Pino book & movie club

This month we watched The Race to Alaska Movie.

Summary of changes for January 2024

Hey everyone!

This is the list of all the changes we've done to our projects during the month of January.

Summary Of Changes

100r.ca, added galley refit, updated lifelines, seamed box cushions, and moisture prevention underliner.
Permacomputing, revamped the page.
Flappy Bird, released an Uxn version of the Flappy Bird game.
Grimgrains, released a new basic recipe: Whole Wheat Pancakes.
Aliceffekt, Devine wrote some new music.

On January 10th the forge that we use to host our projects was taken down by DDoS attacks and was struggling to come back online(it's back now, read the post-mortem), the event reminded us that we ought to host mirrors and release versions of these source files ourselves. We have begun to host copies across our various websites. The builds are still accessible through itch.io. These will be automatically updated as we work on them in their individual repositories, but mirrored there for reliability. We are thankful for Sourcehut's tireless work on resolving the issue and for taking the time to communicate important changes.

In keeping with the spirit of improving the resilience of the tools we use we've taken a moment to write a kind of pocket version of the console emulator and self-hosted assembler as to see how many lines are needed to start from the seed assembler and replicate it. A copy of the pocket emulator, the source for the assembler and its hexadecimal representation have been documented.

On January 17th Victoria got its first snowfall, with it came temperatures below freezing. We got to test our recent improvements, like a new louvered closet vent to help ventilate the space(there are also two existing vents at the top, one on each side). The closet has been dry for the first time in 3 years. We've made an effort not to keep too many items on the floor so the area can breathe. We got ice inside of the windows for the first time ever though... not ideal.

See Uxn running on a Zaurus Husky(Mastodon).

Pino book club

This month we are reading The Haunting of Hill House by Shirley Jackson.

Summary of changes for December 2023

Hey everyone!

This is the list of all the changes we've done to our projects during the month of December.

Summary Of Changes

100r.ca, added solar cooking experiment, making seamed box cushions, making saloon cushions, moisture prevention underliner, and board games. Updated charging electronics, and upholstery.
Wiktopher, released the book on paperback.
Wunderland Rabbits, added a new photo.
GrimGrains, added millet dumplings, and vegetable curry.
December Adventure, Devine wrote a daily devlog for the month, documenting various projects like Porporo(an OS).
Lispkit, wrote a PureLisp compiler and emulator for the SECD stack-machine.
Grail, made a little shorthand calligraphy and interpreter.

News

Wiktopher was released on paperback! Our small collection of self-published books is growing.

We finished the upholstery in the saloon, Pino feels like a new boat. We also published an article on this past summer's Solar Cooking Experiment.

Last September Devine and a group of people went on a 3-day train ride from Seattle to St Louis for the last edition of Strange Loop 2023. This video documents that journey.

As mentionned in November's update, Tinyletter, the service we use to send out our monthly newsletter, is shutting down in February 2024. We will now be using Sourcehut to send our monthly updates. With this new system our emails will be leaner than ever, using plain text(no html). We cannot transfer accounts to this new list ourselves, so if you want to keep receiving updates by email please sign up again here. Clicking on the subscribe button will open your email client, you can leave the body and subject of the email blank. We will keep sending newsletters with TinyLetter until the end of January 2024, so as to give people time to make the switch. If you sign up to this new list, unsuscribe from the old newsletter to avoid getting two emails with the same content for December and January. We hope you continue to follow our updates.

Note that since it's our first time sending updates with the new newsletter format, it may look a little wonky. We'll improve on it next month.

2023 was kind to us, we look forward to seeing what 2024 brings! We hope the coming year treats you all well.

Pino book & movie club

This month we are reading The Tartar Steppe by Dino Buzzati, and we went to see 君たちはどう生きるか(The Boy and the Heron).

Summary of changes for November 2023

Hey everyone!

This is the list of all the changes we've done to our projects during the month of November.

Summary Of Changes

Wiktopher, drew some new art(Mastodon), finalized a few translations(Mastodon), and released it the project on Itchio!
Thousand Rooms, translated the book(Mastodon) into Solresol.
100r.ca, added a still map of our Pacific circumnavigation in where, added repair, effect of combining dissimilar metals, bikes on a boat, upholstery and updated lifelines.
Busy Doing Nothing, added GPS coordinates(Mastodon) for every listed day of travel.
Hakum, designed handwritten font for the comic and wrote a post about the process.
Elmet Brae, released a collaborative album with members of the Merveilles community and friends. Made the album cover in collaboration with Rostiger, who also made the Varvara Zine.
Solrela, released a Solresol translator website to replace the now defunct Sidosi translator.

News

Wiktopher is finally finished. We started this book in 2017 while in French Polynesia, constrained by power limitations and hardware failures. Writing demanded less energy than drawing digitally, Rek could use the Chromebook to work (see tools ecosystem). You can read the first two chapters of the finished story here[4.1 MiB] as a PDF. If you liked what you've read, we hope you'll consider reading the rest!

We treated ourselves this month to new saloon cushions(see upholstery). We sleep and live on these, it's so nice to have plump cushions again!

IMPORTANT. You may have heard but the service we use to send our newsletter(TinyLetter) is shutting down early next year (Feb 2024). We are in the process of setting up an alternative, we'll provide details on that in December's newsletter and on this website.

Pino book & movie club

We are reading Thomas Pynchon's The Crying of Lot 49, and enjoyed watching Close Encounters of the Third Kind.

Summary of changes for October 2023

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of October. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Thousand Rooms, added a Brazilian Portuguese version.
Wunderland Rabbits, traveled to a botanical garden, and went to pick apples.
Uxn5, Alex W. is writing a Vanilla JS implementation, in which you can drag roms into the window(Mastodon) to play them. Eiríkr wrote an guide on how to use signed numbers.
Hakum, added 3 pages.
100r.ca, added 3 travel maps in Western Canada.

News

This month we got tattooed(Mastodon) by the very talented Lizbeth. Check out her tattoo art.

Devine's Strange Loop 2023 talk was released online, watch it here(YouTube). We also released the talk as a text version, Computing and sustainability, for those who prefer to read. We talked with the members of Frugarilla on their latest podcast(French), in which we finally admit that our whole thing is a sneaky way of getting programmers interested in food preservation.

Every year we carve halloween pumpkins, this year we made a Uxn pumpkin!

See Oquonie running on a linux handheld(Mastodon).

Pino book club

We are reading Selma Lagerlöf's The Wonderful Adventures of Nils.

Summary of changes for September 2023

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of September. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Wiktopher, adapted Solresol, edited other conlangs.
Niju, fixed a drawing bug.
Oquonie, working on the Playdate version.

News

Pino returned to the Victoria docks a little early this year so Devine could go to Strange Loop 2023. We had a lovely sail that day, with clear skies, and 10 kts on the beam. Despite being a little food and sleep deprived, Devine's presentation went well, we will share the recording here once it is released.

Rek has been busy editing Wiktopher, finessing the conlangs featured in the story. One of the featured languages is Ilken, a whistled language, designed for long-distance communication, and playable with instruments. A few years ago Devine designed a language for it, but we decided to instead use a modern variation of Solresol, a musical language by Jean-François Sudre. Rek drew a fanart of the mascot of Solresol, and Devine a communication lantern.

Currently, Devine is working at translating Thousand Rooms(Famimi Remisolla) in Solresol as practice. We're also editing a Brazilian Portuguese version, to be released next month.

We've been toying with the idea of making an audiobook for the story, and asked Paul B. to use their voice synthesis tool Gesture to try and hear what a poem in Ilken(Solresol) sounds like. The result was so lovely that it made Rek cry of joy.

Rek's sketch thread(Mastodon) is still going. Devine will be producing a lot more art next month for Drawtober!

Pino book club

We are reading J.D. Salinger's Catcher in the Rye, and B. F. Skinner's Walden Two.

Summary of changes for August 2023

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of August. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

100r.ca, added Heriot Bay, Ballet Bay Octopus Islands, and updated Hathayim Marine Park, rain, and boom tent.
Oekaki, released a new drawing program.
Varvara, began versioning.

News

Pino sailed a bit more northward this month and went all the way to the Octopus Islands. We visited this place during a very windy week, with winds blowing 30-35 kts the entire time. We got acquainted with a few northern rapids, like Hole in the Wall and Surge Narrows. It is a bit of a mindfuck to think that in these waters the tide ebbs north and floods south.

This summer has been especially arid, and because of it the province has seen a lot forest fires (see pictures of our smokey transit). Trails that we know and love on Cortes Island, that are usually wet and muddy, were bone dry this year. We had a few days of hard rain, during that time we collect rain water and go for walks to look for slugs and snails.

Both of us have been drawing a lot this month, see this Neoneve portrait(Mastodon) by Devine (drawn with Oekaki), and this sketch thread(Mastodon) by Rek..

Pino book club

We have read Adam Wisniewski-Snerg's Robot, George Orwell's Homage to Catalonia, and Michael A. Hiltzik's Dealers of Ligthning.

Summary of changes for July 2023

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of July. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Slide Rule, released a little slide rule toy(Mastodon).
100r.ca, added roscoe bay, updated LPG refit.
wiktopher, we finished doing the entire first pass of corrections.
Left, made a couple of interface improvements, it's not only prettier now, but faster.
Drifblim, added support for lambdas in Uxntal, now also supported in uxnasm.

News

We spent many quiet days in Roscoe Bay, and then wandered over to melanie cove for a few days before moving to our favorite anchorage in Desolation Sound, Hathayim Marine Park. This inlet is quiet, and not overly busy, it is ideal for focusing on projects. We walk the 3 km trail to Squirrel Cove everyday.

We have been hard at work reviewing Wiktopher, and we're happy to announce that we've finished the first pass of corrections! We'll be doing many more passes, but this was a very big step. Rek has been drawing(Mastodon) a lot, and Devine has been working on their presentation for Strange Loop 2023.

Check out this amazing Uxn cheat sheet by Nettie!

Pino book & movie club

We are reading Lewis Carrol's Bruno and Sylvie. We re-watched Vampire Hunter D for the hundredth time.

Summary of changes for June 2023

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of June. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

100r.ca, added propeller maintenance, Maple Bay, Telegraph Cove, Smuggler Cove and Princess Louisa Inlet.
Wiktopher, added back the revised/corrected version of Chapter 10, back online, and Chapter 11 has been corrected but is not yet live.
UxnFor, created an uxntal code formatter.
Bicycle, added lots of little improvements.
Adelie, added speaker's notes and a pen mode.

News

Pino spent the first few days of the month on land, having its bottom re-painted, and its various bits serviced and checked. We took our propeller apart for the first time.

We've added a few write-ups of our travels so far (see above entry with links under 100r.ca), but the most significant one is our 46nmi sail up to Princess Louisa Inlet, a long fjord on British Columbia's Sunshine Coast, with an incredible gem at the end. It is an amazing, and unique place. We're glad we finally got to go. As we write this, we are in Roscoe Bay on West Redonda Island, tethering off a phone hoisted up the mast (it works quite well).

This summer we are power stable. We had issues last year because of parisitic draws due to old wiring (see DC electrical refit), but now everything is working as it should. We're charging our computers without an inverter, and that too is working out quite well so far (see charging electronics).

Together, Hikari and Lynn made chibicc-uxn, a c compiler for Uxn, and with it also released a port of the classic software Neko(xneko, oneko sakura).

Pino book & movie club

We are reading Arkady and Boris Strugatsky's Roadside Picnic. We've been re-watching Kaamelott(the series, book 1 though 6) for the hundredth time.

Summary of changes for May 2023

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of May. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

100r.ca, updated jib cars, and added new recommendations on the offshore checklist(new entries labelled with dates).
Donsol, Asie made some 3DS and NDS roms(Mastodon).
Wiktopher, added the revised and corrected version of Chapter 8, and Chapter 9, back online.
Uxnbal, wrote a type-checker, it's still very experimental, but it can infer most imbalancing stack-effects.
Bicycle, created a little interactive evaluator designed to be a teaching aid.

News

Pino is off the dock, and spending time at anchor. The weather has been excellent, and with days of full comes sun solar cooking! We baked some bread, and roasted some green coffee beans in the sun. We are enjoying some quiet days before we haul the boat out of the water at the start of June.

Devine's talk proposal to Strange Loop 2023 has been accepted, so parts of the summer will be collecting our notes and writing slides for the presentation in September.

The recording for the show Devine(Alicef) did with Anju Singh and Reylinn(visuals) last march for Biosonic on Galiano Island is online, watch it here.

We had a small impromptu logo jam event on Merveilles this month. Members of the community re-interpreted the logo, with illustrations, photo collages, and even food. See all of the entries so far. Nf just completed Fourtette, a block game. Devine provided guidance, Rek made the title screen art, and d6 provided music.

Pino book & movie club

We went to the theater for the first time in a long time, to see Suzume(2023). We have also finished reading Saint-Exupery's Courrier Sud.

Summary of changes for April 2023

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of April. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

100r.ca, added charging electronics, solar cooking and solar evacuated tube cooking, and updated insulation, thruhulls.
Oquonie, released the game for Uxn. We have a Windows95+ compatible version[Mastodon video].
Left, various UX improvements, including negative length selection.
Note Pad, ported the classic macintosh Note Pad application to Varvara, download it here.
Turye, total redesign.
Beetbug, added support for comments in symbol files.

Oquonie is out and it is playable! A big thank you to those who helped us test the game on a variety of devices and systems all the way to Windows95. This version of Oquonie differs a little from the original, in that some of the puzzles and secrets have changed. We hope that those who played the original will too enjoy this one. We have a special build of the game on itchio with the emulator and rom combined, if you have a false-negative virus warning on Windows 10, you will need to use the standard uxn32 emulator and rom.

We have watched as people implemented their own emulators and were able to play Oquonie on a Varvara of their own making. The current implementation documentation might need to be improved, if you have feedback for things that could be clearer, please let us know!

We published our experiments with solar cooking this month, and wrote a more detailed post on solar evacuated tube cooking. The real test will happen this summer. We plan to keep a log of everything we cook, how long it takes, and the conditions(sun, overcast, temp etc).

We're still closing a few projects aboard Pino, to get it ready for some summer sailing. Our plans for now are loose, we're hauling the boat out of the water in early June, with plans to sail back towards Desolation Sound afterward, with a possible stop by Jervis Inlet.

Pino book & movie club

We're watching La Belle Verte by Coline Serreau.

Summary of changes for March 2023

Hey everyone! This is the list of all the changes we've done to our projects during the month of March.

Summary Of Changes

Donsol, added 100r logo to splash screen on the rom.
100r.ca, added a new page: diy carbonation system. Updated Saving fuel, Engine rebuild and sprouting.
Grimgrains, added two new recipes: Beet Sauce Pasta, and Mac and Faux Cheese.
Left, added all sorts of fun new things like routine definition highlight and graphics support.
Hakum, new comics named Who Did What and Disengaging.
Orca, added $bpm command to the uxn version.
Uxn, revamped Uxntal documentation based on the feedback from the community (thanks everyone).
Interaction Nets, spent time in the deep-end of the pool.

News

We spent the first half of March on Galiano Island in the Salish Sea for BioSonic(by ActivePassive), an event series exploring the intersections of music, art and biodiversity. On March 10th we gave a talk titled What Are Computers For?, see the art from the talk. The next day, Devine and Anju Singh performed together using Orca, with Reylinn on visuals. A video of the perfomance and of the talk will be released soon, in the meantime, see photos of the talk and of the show, taken by photographer Dayna Szyndrowski.

We are still working on re-releasing Oquonie. We spent the month of March playing the game, finding bugs, and fixing them. Oquonie will be playable next month.

This month we've been experimenting with solar cooking, to try to save on cooking fuel this summer. We are currently making tests, gathering data, and hope to share this with you all end of April. In the meantime, enjoy this amazing music by Xsodect, made using Orca.

Pino book club

We're reading Structure and Interpretation of Computer Programs (SICP) by Harold Abelson, Gerald Jay and Julie Sussman.

Summary of changes for February 2023

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of February. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Wiktopher, added back corrected chapters 1-7 to online.
Left, made a ton of improvements including a new directory navigation, better navbar labels and performance.
Orca, fixed an issue where copy/paste/drag would move characters off-screen.
Catclock, ported to new opcodes and improved monochromatic mode.
Beetbug, added an interactive mode that interprets uxntal on the fly.
Hakum, added a comic sequence named Tracking.
100r.ca, added updates to battery connections.
Grimgrains, added some notes on Temperature for lacto-fermentation.

News

On February 14th, we celebrated our 7th year living aboard our beloved Pino. It's also around this time 10 years ago that we were still living in Odaiba(Japan), and beginning our work on what would be our first game collaboration: oquonie.

The uxn port of Oquonie has advanced in incredible leaps this month. Rek has finished re-doing all of the assets. Devine is now working on the music, and finalizing some of the levels. We are testing the game as we go, and hope to release it sometime next month. Oquonie will be playable on a number of platforms, including the Nintendo DS(Mastodon), as well as the Playdate. See a small preview(Mastodon).

Early next month we are traveling to Galiano Island in the Salish Sea for BioSonic(by ActivePassive). We'll be part of an event series exploring the intersections of music, art and biodiversity. We'll give a talk on March 10th, and Devine will perform with Orca on the 11th at the Galiano South Hall.

Watch Devine's set for Lovebyte 2023.

Pino book club

We're reading Courrier Sud by Antoine de Saint-Exupéry.

Summary of changes for January 2023

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of January. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

100r.ca, added electrical refit(portal for AC & DC electrical refit), and updated LPG refit.
Wiktopher, corrected chapter 8, and nearly done with lexicon.
Weathering software winter, video(Vimeo) now has closed-captionning (same goes for YouTube version). Rek spent time cleaning up the auto-generated transcript.
Uxn, Andrew released Uxn32 2.0.
Potato, added updates, potato can now assemble roms from tal files.

News

This month, we started porting Oquonie to Uxn. This is a long time coming, but we weren't sure if it was possible to do, and we still had a lot to learn before even thinking of taking it on. Now, we think we are ready. We are re-drawing the sprites(Mastodon), and they look amazing. This is an important test for us, and for Uxn.

Here is a very adorable little Uxn sprite for Potato that comes up when a rom path was mistyped, see it also on the Uxn page.

Pino book club

We're reading The Journey Home: Some Words in Defense of the American West by Edward Abbey.

Summary of changes for December

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of December. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

100r.ca, added a new page: electrical refit, fuel sensor, marine wire termination, also added updates to XPS and EPS in winter insulation.
Orca, released a new build that improves the look and feel, added app icon(Mastodon) to the about modal.
Busy Doing Nothing, released a new version, in which we fixed extra typing errors (thanks Igor), and added explanations for certain sailing terms like reefing, etc.
Wiktopher, corrected chapter 6 and 7.
Beetbug, added break-point and symbols supports.
Took a detour into computer science to learn about arity testing and stack effect checking, learn more about it here.
TinyCode2022, spent some time doing demoscene experiments.

News

The rabbits are re-wiring Pino. So far this month, we spent entire afternoons removing, and passing new wires into the boat's walls and ceiling. This project has taken up most of our time this month. For updates on the project, see electrical refit. We also released an edited transcript of Devine's talk weathering software winter, for those who prefer to read.

We forgot to mention it in the last update, but Compudanzas just released a new version of their introduction to uxn programming book! The online tutorial also had some updates.

Happy new year everyone! See more photos of Pino(on the far left) and friends decorated for the occasion.

Pino book club

We're reading Le Péril Bleu by Maurice Renard.

Summary of changes for November

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of November. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

GrimGrains, added a quick grilled cheese recipe.
Noodle, updated the guide, and added app icon(Mastodon) to the about modal.
Nasu, added app icon(Mastodon) to the about modal.
Store, added sheets of Ecosystem Rabbit Stickers(gen2) to the store.
Uxntal, created a list of Uxntal examples with equivalent C sources, you can find them here.
Wiktopher, made a progress bar (50% in the correction process) on the project page. We have finished processing chapter 5, and are currently applying corrections to chapter 6 & 7.
Donsol, updated GBA rom with a few fixes.
Soroban, made a little desktop graphical abacus(Mastodon).
Uxn, ported to DuskOS(SourceHut).
Dexe, redesigned and much faster(SourceHut).

We put some red lights on Pino, to help combat winter gloom. We also started growing another lion's mane mushroom on board(we grew the same variety last fall), it already has a little tuft!

Devine's talk Weathering Software Winter for Handmade Seattle was recorded, watch it here(Vimeo). The video is for the entire first day of the conference, so for your convenience Devine's talk starts at 1h25min.

A little while ago Rostiger drew an amazing series of illustrations explaining Uxn, and how it works. Ben made a zine out of it and gave us a copy. Make your own Uxn zine using this PDF[1.38 MB].

Pino book club

We're reading Gulliver's Travels by Jonathan Swift, and How to Blow Up a Pipeline by Andreas Malm.

Summary of changes for October

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of October. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

TinyBASIC, implemented TinyBASIC in Uxntal.
Left, added a variant of the Smalltalk-76 font.
Hakum, released a short comic sequence called Chase.
Wunderland Rabbits, added a new rabbit pic.
100r.ca, updated galley plumbing(serviced our water pump) and curtains(modified the design). Added lazy lazy jacks.

News

Pino is in Victoria again, and we're diving back into our favorite fall activities like pumpkin carving (see halloween pumpkins), and fruit picking. The boat is now filled with apple jam. October was a drawing month for the both of us. Devine participated in drawtober and completed 28 drawings using Noodle. Rek finished a sequence for the ongoing comic project Hakum.

For those in the Pacific Northwest, Devine will be giving a talk called Weathering Software Winter at Handmade Seattle on November 17th.

As you know, we share a community online with a fantastic group of people. Some months ago Lizbeth designed a burgee for Merveilles and this month we decided to make one for Pino. See the Merveilles burgee.

Pino book club

We're reading Life, the Universe and Everything by Douglas Adams, and What The Doormouse Said by John Markoff.

Summary of changes for September

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of September. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Uxn, updated Playdate implementation to the latest core, started emulator for Arduino.
Left, added lots of little improvements for various reported drawing bugs.
Bouc, wrote a document reader.
Orca, added monochromatic mode.
CCCC, added monochromatic mode.
Catclock, added monochromatic mode(Reddit).
100r.ca, added lifelines in boat projects.

News

The days are getting shorter, and so is the time that we can spend on the computer, due to our batteries depleting earlier a bit each day. So, Devine spends evenings proof-reading the wiktopher manuscript, reading and messing around with the Playdate, and Rek continues ink work on an upcoming project(Mastodon, no project page yet).

While cleaning up the boat, Devine found two small black notebooks. We started paging through them, to see if we should keep them. The notebooks were full of sketches, interspersed with shopping lists, and incomplete logs from earlier sailing trips we'd done. We found logs detailing our very first attempt at sailing offshore, our sail down the US West Coast and Mexico, and our passage from Tonga to New Zealand. We read the logs, and decided to transcribe and publish them online. Read the lost logbook.

Devine wrote a little timer program for the Adafruit Playground.

Pino book club

We're reading Hitchhiker's Guide to the Galaxy by Douglas Adams.

Summary of changes for August

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of August. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Left, added a navigation bar to navigate larger codebases.
potato, implemented file system APIs so new files can be renamed, copied and deleted.
Noodle, added various optimizations, improved TGA support.
Drifblim, completed rewrite. The assembler is now used to build all of our projects, with no more dependence on the C toolchain to make roms.
Uxnlin, added a lot of recipes, making it better at finding possible code optimizations.

News

Pino is back in the land of faster internet, and our boat's belly has been re-filled with food. We returned to the Gulf Islands, and are busy eating as many wild blackberries as we can stomach ('tis the season).

Our last anchorage in Desolation Sound was Tenedos Bay, a really lovely place with an amazing (vertical) hike, and clear, clear waters. We also wrote a post on Sturt Bay on Texada Island, a place we stopped on the way up earlier this year, and again when we traveled back south.

As mentioned brieftly in our last post, Devine has been working on an OS called Potato. Rek drew a mascot, and another illustration featuring Varvara and Potato together. Potato is for the Varvara computer, designed to fill the gaps where a host device might not have an underlying file system, like handheld consoles (many people use Uxn on Nintendo DS).

Rek has been drawing a lot, their winter will consist of scanning and processing a sketchbook-full of art. We are still proofreading Wiktopher. A recent stop in Sidney permitted us to print the entire book on paper to make it easier (and more pleasant) to make corrections. The result is 70 (double-sided) pages of text. As of today, we have gone over and marked in red the first chapter (out of 12). Editing books is never easy or fast, but we'll get there.

We know a couple of people have made hako dice sets, so we feel bad for "patching" a physical game, but the face organization of the die has changed somewhat, now, the opposing sides are always of equal value. If any of you are looking for a simple 2-player boardgame to play, try Conway's Phutball. Devine transcribed the rules on their wiki.

Pino book club

We're reading Mathematical Puzzles & Diversions by Martin Gardner.

Summary of changes for July

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of July. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Adelie, added image maps, animation controls, and wrote a guide. Rek also drew an Adelie penguin mascot.
Cccc, created a graphical calculator.
Orca, added new font to make it easier to discern letters and numbers from afar (if projected onto a screen).
Noodle, re-designed noodle.
Minesweeper, completed the game.

News

Sometimes we find an anchorage that is so nice, so ideal, that we end up staying for weeks. We stayed in Von Donop Bay (hathayim marine park) for well over a month. The southernmost anchorage is near many trails that snake and branch out deep into the woods, and the bay is so large that we kept finding new corners to explore by dinghy. The water in the area is warmer than in Victoria, we can dive, and check Pino's bottom without freezing. This is our first real summer on the boat, when we have no big boat projects to do, nor big transits to plan, and it feels amazing.

We have stretched our food stores to the limit (it has been 2 months since we last stocked up in full). A 5 km trek through the woods takes us to a little General Store, they never have fresh produce (or it gets bought out before we get there) but we go once in a while to replenish our stock of potatoes and onions. We are relying on sprouts a lot (see growing food).

This month, we made a Keynote talk for Nime 2022, and Devine started work on a little OS project called Potato, see some footage(Mastodon). There is no documentation yet, but soon.

Pino book club

We're reading The Stories of Ray Bradbury by Ray Bradbury.

Summary of changes for June

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of June. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Uxn, improved the Uxntal reference sheet and improved the Uxntal cheatsheet.
Dexe, added menu bar.
Nasu, added menu bar.
Noodle, added menu bar.
100r.ca, updated boom tent, and added lpg refit (backdated update).

News

Pino is currently in Desolation Sound, enjoying the quiet. We've written a few posts about some of the anchorages we've visited, like melanie cove, grace harbour and hathayim marine park. We're updating our track as we go.

Devine has been adding a lot of notes to the permacomputing wiki this month. We also started a little arcade game named Inle, something that we could play together on the boat in the style of Gunbound/Tank Wars... but with rabbits (we finished reading Watership Down last month, so we blame that, haha). We don't have a project page yet for it, but we shared some images on the post for grace harbour, where we started working on the game.

Rek produced a video about image optimization for the Photographer's Gallery (as part of their Green Hacks video series) last month.

Pino book club

We're reading The Man who Mistook his Wife for a Hat by Oliver Sacks.

Summary of changes for May

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of May. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Combinatory Logic, wrote a guide to combinatory logic, using talking birds.
, released a linter, and optimized uxnasm.
Dexe, released an updated version.
100r.ca, added batteries, and regulator.

News

From this month until next October, our updates may be delayed. We are sailing northward, towards Desolation Sound and the Broughtons, where cell towers are few. We will wander in and out of such regions all summer. So far, we sailed up to the Gulf Islands, and over to Nanaimo from Victoria, and then crossed the Strait of Georgia over to the Sunshine Coast(close-reaching in 20-knot winds). This was a good shakedown for Pino, a good way to re-awaken our little vessel. All went well, but we ought to have secured our produce better... some of our potatoes escaped their nest and went out for an afternoon roll around the cabin floor.

Start of May, we had some issues with our batteries. They've been acting out for some time, we think because of a dead cell. We have been operating at half battery capacity for a month, and realized that yet again we don't need that much power, especially in the summer when the days are long.

The combinatory logic guide is the first of many projects we plan to release this summer. We also released an sign language version of Uxntal.

In other news, a version of Collapse OS was ported to Uxn.

Pino book club

We're reading Watership Down by Richard Adams.

Summary of changes for April

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of April. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Bicycle, released an Uxntal playground. See Varvara riding a Sinclair bike.
Uxn, wrote a linux native implementation of Varvara, as well as an HTML5 implementation of the virtual machine.
Turquoise, released a little line plotting system.
100r.ca, added sewing, Shimoda, Cathedral Grove, and mini dodger.
Nebu, working on a spreadsheet editor in Uxn.

News

The month of April was a time of boat projects. We built a mini dodger to cover the companionway, and installed a large spindle for floating rope on Pino's stern (marine stores give those spindles away for free, usually). In these waters, it is often necessary to stern tie to shore when anchoring and the spindle will make it easier to uncoil the line.

We also took some time off to visit some ancient trees in Cathedral Grove on Vancouver Island.

Devine found some slide rules and wrote a guide on how to use them.

If you want to play Catpot, the little Hypercard game we made for Merveilles Hyperjam 2020, you can play it with this Hypercard Simulator (thank you Dan).

Pino book club

We're reading The Stranger by Albert Camus.

Summary of changes for March

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of March. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

100r, released a guide to diesel Engine Care.
Wunderland Rabbits, released a new rabbit image.
Toys, finished re-creating the classic bouncing ball for the Amiga for Uxn.
Uxn, released a 23kb implementation of the Varvara emulator in plain X11(without SDL2), started a mailing list & newsletter to document changes, events and exciting projects, released a second devlog, and wrote a little single-file uxntal assembler called Drifblim.
Noodle, re-worked entire tool, added native TGA import(Mastodon), implemented file size loading specified in the pathname(Mastodon), added the possiblity to drag the canvas to resize it(Mastodon), and implemented a floating tool pane(Mastodon) etc.

News

A major update to our wiki is that we've put together a text with our stance on various political aspects. Because of the decentralized nature of some of our work, and because of the overlap of libertarians and right-wing doomsday preppers and our documenting survivalism at sea, there were things that just had to be spelled out quite clearly. See philosophy. We've appended a notice to our off the grid page too, since it gets shared the most.

A lot of our time this month was dedicated to preparing for our keynote talk for LibrePlanet 2022 called Software Doldrums. If you missed it the talk was recorded, watch it here. Rek illustrated all of the slides for the presentation, gathered here. These images are now scattered on our wiki. Devine built the Uxn slideshow program Adelie for that presentation, we plan to use it again for all future talks.

The day prior, Devine gave a short performance(YouTube) for Algorave's 10-year anniversary, alongside over 140+ artists. The event was 24 hours, with everyone playing a 10-minute set.

Uxn was featured on The Verge, in an article entitled These artists are making tiny ROMs that will probably outlive us all. And Devine was interviewed(Medium) for Behind the Screens.

In other news, we finally made some Uxn sticker sheets!

Pino book club

We're reading We Have Always Lives in the Castle by Shirley Jackson.

Summary of changes for February

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of February. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Adelie, released a program to create slideshows.
GrimGrains, added a new recipe: Bean chili.
Thousand Rooms, released Catalan version, a translation by Dani Sevilla.
100r.ca, added a new project: Gravity water filter.
Uxn, Cancel(Andrew R.) released a new version of uxn32 with complete step debugging tools. Added new art for the Varvara docs..
Orca, implemented injections(YouTube), and J and Y wiring(YouTube).
Toys, released Uxn versions of Minesweeper(Mastodon), and Wireworld.

News

This month it was announced that we joined LibrePlanet 2022 as keynote speakers. The annual technology and social justice conference will be held virtually on March 19 and 20, 2022, with the theme Living Liberation. Our talk is named Software Doldrums.

Rek is putting the finishing touches to Wiktopher, and Devine designed a game that the people of Irideri could be playing. The result was a dice game combining the capture mechanism of Go and the randomness of the Domino. Learn to play Hako. Each player has a Sonozai, a set of 4 dice on a rope. Merveillans have been making their own sets:

Rostiger has been making illustrated notes for Uxn, and they are fabulous.

Pino book club

We're reading Underland by Robert Macfarlane.

Summary of changes for January

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of January. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Left, re-wrote documentation, redesigned the UX for save-as/open-as.
Orca, re-wrote documentation, and added the operators manual on launch.
Thousand Rooms, released 3 new languages: Polish, Hungarian and Serbian. Now offering book as an ePUB.
Uxn, re-wrote entire documentation, and started a project devlog.
Nasu, improved zoom tool, it is now possible to move between tiles(Masto) while zoomed.
Yufo, released a small game for the Virtual Pet Jam.
100r, added new page: cast-iron cookware, and updated medical.

News

On January 28th Uxn turned 1 year old! We'd like to thank everyone who has contributed code, ideas, time and laughs to help this project grow into what it is now. It was a wonderful year for smol ordinators. See an image that Rek made for uxn's birthday.

We finally released versions of the Uxn emulator for all major systems(Linux, OS X and Windows), with the option of a version bundled with a few starter roms. We simplified the guide too, to make it easier to install and use.

Our lion's mane mushroom grew another full head, we harvested it and made some mushroom pakoras.

In other news, Devine was interviewed on Anonradio, listen to it here. Also, Compudanzas released an Introduction to Uxn Programming book, with a foreword by Devine.

Pino book club

We're reading The Complete Cosmicomics by Italo Calvino, and The Dawn of Everything: A New History of Humanity by David Graeber.

Summary of changes for December

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of December. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Grimgrains, published a tofu from soy flour recipe, and reduced the amount of ingredients appearing on the main page so it loads faster.
Left, created inline image support, and implemented a search feature(Birdsite) inspired by the Canon Cat(1987)'s LEAP™ key.
Cat Clock, released our very own cat clock.
Turye, released a font editor.
TGA parser, released a tool to make it easier to bring images into the Uxn ecosystem.
Wunderland Rabbits, released a new image.

News

It is snowing, and we are cocooning. Our little woodstove is working hard. This month, we finally decided to release a paperback version of Busy Doing Nothing.

In our last update log, we mentioned that we were trying to grow Lion's Mane mushroom, and we are happy to report that it was a success! It grew beautifully. Rek was so excited about the mushroom that they decided to draw some this month, this series focuses on varieties that grow on Vancouver Island.

In other news, we had an interview with the founder of Sourcehut, read it here. Also, our good friend Alderwick make us a very cool gift(YouTube).

Pino book club

We're reading Fantômes: Issue 1, with work by 18 talented artists, put together by Lizbeth. It is a eerie, and gorgeous zine, we strongly recommend the Mike Wolf version.

Pino's location: 48° 42.230'N, 123° 36.900'W

Summary of changes for November

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of November. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Donsol, designed a donsol turnip.
Uxn, wrote a file browser rom(Mastodon), improved on uxn utilities (clock, calculator.
Nasu, added nametable to preview items on the spritesheet, and added option to flip a sprite horizontally or vertically in the blend view.
100r, added an information section on Drownspire, the studio we had prior to hundredrabbits.
Oquonie, started tests to port the game to Uxntal(Birdsite).
Left, fixed bugs and improved speed.

News

This month, there was an intro to Uxn Programming(YouTube) workshop by Compudanzas, an event by Babycastles Academy. Give it a watch!

November was a very rainy month in Victoria, a perfect time for experiments in the galley. We are growing Lion's Mane mushrooms currently (a first for us), and we are continuing to lacto-ferment vegetables like kohlrabi, turnips, daikon, cauliflower and red onion. To learn how to do it, see our guide to lactofermentation.

Pino book club

We're reading The Summer Book by Tove Jansson (it's such a lovely book).

Pino's location: 48° 42.230'N, 123° 36.900'W

Summary of changes for October

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of October. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

donsol, ported our Famicom(6502) code to Varvara(uxn).
uxn, wrote a reference guide and created a list of community projects.
noodle, added guides for the line and rectangle tool and updated shortcuts in the documentation.
grimgrains, optimized images and published a Chunky Apple Jam recipe.

100r, optimized images (see Rek's notes). Added new pages: boom tent, grinder and small space.
left, optimized code.
nasu, fixed crashing bug with large selections.

News

This month, we found a used grain mill for Pino! Flour doesn't keep as well as whole grains, so we decided to start milling flour (wheat berries, soy beans or chickpeas) only as we need it. We only released a Guide to Lacto-fermenting vegetables on grimgrains.

Donsol is now available as an uxn rom on itchio.

See Devine's daily drawings series for October.

Pino book club

We're continuing our readings of The Stories of Ray Bradbury by Ray Bradbury. Favorite shorts this month include The Long Rain, The City and Kaleidoscope.

Pino's location: 48° 42.230'N, 123° 36.900'W

Summary of changes for September

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of September. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Orca, added way for instances of Orca to talk to each other.
Calc, wrote a little graphical calculator to help with learning binary and hexadecimal.
Dexe, added option to copy the textual value of a selection.
Uxn, updated UxnDS emulator.
Wiktopher, added Chapter 16: The Big Dark.
100R, added new pages: Western Canada, alcohol stove, decorations and shore power cord repair. The site also has a new splash.

News

It is an early announcement, but end of June 2022 we will be giving a keynote presentation, alongside Khyam Allami, at NIME(New Interfaces for Musical Expression).

Rek wrote an article on Saving Energy When Cooking Aboard for Noonsite.

Check out Eli's guide on installing Uxn on OS X, and Keijiro's version of Flappy Bird in UxnTal.

Our friends at Compudanzas have released part 6 of their Introduction to Uxn Programming tutorial. This new chapter basically shows you how to build Pong!

Pino book club

We started reading The Stories of Ray Bradbury by Ray Bradbury. Favorite shorts so far include There Will Come Soft Rains, The Coffin and There Was an Old Woman.

Pino's location: 48° 42.230'N, 123° 36.900'W

Summary of changes for August

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of August. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Nasu, implemented a way to shift multiple tiles at once, and added a snarf buffer to copy/paste data between instances of Nasu.
Niju, completed, and released the project on itch.io.
Orca, implemented snarf buffer to easily bring patches in and out of it (uxn version).
Uxn, massive re-write of the Uxn VM, and CollapseOS now runs on Uxn.
Paradise, started on a Uxn-native version.
noodle, created a mascot, and added a tiny animation toolkit.
100r.ca, added various hand drawn images to the knowledge base.

News

This month, our little engine was fixed (read about it here) we've been sailing around the Gulf Islands, working from anchor. We also found Iggy's successor, a used fiberglass dinghy that we've named Teapot. We've been rowing it from ship to shore, and it's so, so nice. We stopped by Saltspring Island and got to meet the sailors on BosunBird, a couple who have traveled around the world on a Vancouver27. Their blog was an invaluable resource for us on our travels through Japan.

We've released a solid version of noodle, our drawing tool. Follow the tutorial on our website, or check out this amazing quick start guide by Polyducks. We also released niju, our little kana-learning game. Niju was a trial to see if we could design, write and assemble a project entirely within the Uxn computer.

Our friends at Compudanzas have released part 3, 4 and 5 of their Introduction to Uxn Programming tutorial.

Pino book club

Help. We still haven't finished The Swarm by Frank Schatzing. It is terrible, but we can't stop.

Pino's location: 48° 53.370'N, 123° 23.734'W

Summary of changes for July

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of July. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Nasu, implemented the export of .theme files, and theme support.
Left, worked on Uxn-native version, and implemented theme support.
Niju, progressed on animations and started implementing controls.
Grimgrains, added a new recipe: Stovetop Blackberry Cake.
Wiktopher, added a new chapter: Lupin's Logbook.
Uxn, created a proportional font format for Uxn, and improved documention for Varvara.
Orca, implemented theme support
Noodle, published tutorial, and implemented theme support

News

This month, Calcifer is being re-built. While we wait for that, we're working on more projects aboard. We added insulation to the v-berth, an attempt to keep Pino warm this winter. We created a new portal called boat projects on our wiki that covers most of the major construction projects we've done to the boat.

Our friends at Compudanzas have started writing an Introduction to Uxn Programming tutorial. We recommend it to anyone interested in programming for the Uxn Computer. No prior understanding of stack-machines, or Assembly, required! The first covers basics, and the latest chapter focuses on learning to draw pixels on the screen.

If you missed Devine's performance at Flash Crash, you can watch it here.

Pino book club

We're reading Mingming & the Art of Minimal Ocean Sailing by Roger Taylor and The Swarm by Frank Schatzing.

Pino's location: 48° 40.768'N, 123° 24.802'W

Dry Toilet Installation

The work is done. Building a dry toilet was more work than we had anticipated, but we still prefer it over the ready-made models. We learned tons doing it, and now our toilet is perfectly suited to our space. The pandemic has pushed more people into boat and van living (to travel within their own countries) and towards simple systems. Looking at the Nature's Head website, they've had a 8-week waiting list for ages. It's either you wait for the thing, or you build the thing.

Dry toilets are simple to use and have few parts, but it doesn't mean that they are simple to build. Simple is hard, it costs time, and requires a ton of creativity.

Summary of changes for June

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of June. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Nasu, released a nasu guide, and updated the look of the icon. We have also discontinued the old javascript version.
Uxn, released an uxn guide.
Orca, working on the Uxn port.
Niju, started work on sprites. Implemented hover states.
Noodle, made Noodle responsive for small screens and added highlight to save state

News

Pino and crew spent the first half of the month in the boatyard. We splashed back into the water on the 14th and moved to North Saanich to have access to a workshop with the goal of completing our dry toilet. We are documenting the entire installation, with plans to update the page when we begin to use it. We are ALMOST done with this project.

We started working on Niju, a hiragana/katakana review application. We used this project to test our the latest iteration of Nasu so we could finalize the documentation.

On June 26 2021, Devine met up with the London SF reading group to talk about solarpunk, see their notes. On July 10th UTC 20:00, Devine will also perform with Orca for flash crash.

See Uxn running on the ESP32. It is TOO adorable!

Pino book club

We're reading Nature as Measure by Wes Jackson, The Strange Last Voyage of Donald Crowhurst by Nicholas Tomalin and Ron Hall and Labyrinths by Jorge Luis Borges.

Pino's location: 48° 40.768'N, 123° 24.802'W

Summary of changes for May

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of May. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Noodle, released Uxn version. Improved UX to resize the canvas and fixed stylus picking for Nintendo DS version.
Nasu, completed port to Uxn.
Uxn, runs on 9front and Raspberry pi.
GrimGrains, added Buckwheat Dumpling recipe.
Wunderland Rabbits, added two new travel pics: Rhodo Ravine and Patricia Bay.

News

There has been a lot of activity on Uxn this month! It's exciting to see it work on a variety of devices, like the PS vita, Gameboy Advance and the Nintendo DS. We love the idea that most people already have the all hardware necessary to run our software.

We hosted a small cooking jam on Merveilles, feel free to peruse The Galley tag to see the recipes.

In Pino related news, we are moving north. First stop, the boatyard. We'll be doing a bunch of changes to the studio this week, like removing and replacing old thru-hulls and installing a dry toilet.

Pino book club

We're reading Farenheit 451 by Ray Bradbury.

Pino's location: 48° 40.768'N, 123° 24.802'W

Summary of changes for April

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of April. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Uxn, improved documentation, implemented MIDI and sound chip, and drew some new art for the documentation.
Birfucan, ported to Uxn.
Nasu, general improvements.
Wiktopher, released Chapter 14: Tarka.

News

This month, we converted the old static version of our website into a wiki, with pages for each of the various projects we've been working on aboard Pino. We hope you like it!

We also finished installing our wood stove. Our timing could have been better (it's summer now), but we'll be able to keep warm while at anchor next winter. We have many projects to do, including the removal and replacement of many thru-hulls and plumbing, as well as the installation of a dry toilet. Looks like Pino will have to come out of the water again this year!

Pino book club

We're reading Terre des Hommes by Antoine de Saint-Exupéry and Sylvie and Bruno by Lewis Carroll.

Pino's location: 48° 42.230'N, 123° 36.900'W

Wood stove installation

It was our dream to have a little wood stove aboard Pino. After researching stoves, we decided that the best model was the cast iron Sardine from Navigator Stoveworks.

Our Espar forced air diesel heater broke on our last passage, and we decided not to replace it. There are few low-power alternatives to a gas/diesel heater for heating a boat when off the grid. A wood stove was our best low-tech option. We also like that it doubles as a cook top...

Summary of changes for March

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of March. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Uxn, lots of progress on Uxn, started documenting the assembly syntax, built a Uxn emulator with a handful of devices, from date/time support, to graphics, mouse, and soon audio and midi support. Rek designed some additional mascots for the project.
Noodle, implemented Noodle into Uxn, with presentation modes, save/load and various patterns to create 1-bit graphics.
Busy Doing Nothing, fixed type and formatting errors, and removed the fixed font. It is now easier to read on phones.
Grimgrains, added a Sourdough spelt flatbread recipe.
Wunderland rabbits, released a small photo project involving traveling, and rabbits.

News

This month, the rabbits have been busy making new holes in Pino, cutting metal, and building a support platform for their new tiny woodstove. When the installation is complete, we have plans to write a blog post about the process.

If you're seeing this update on the 100r.ca website, you'll notice that all logs are now in the same file. It is easier for us to manage, and we think, more pleasant for you to read.

We have received a lot of really good feedback and corrections for our book Busy Doing Nothing, thank you for reading it. Rek has updated their notes on creating e-books with Pandoc to include exports to epub and mobi (for those interested).

Pino book club

We're reading The Complete Rigger’s Apprentice by Brion Toss and Thinking Forth by Leo Brody.

Pino's location: 48° 42.230'N, 123° 36.900'W

Summary of changes for February

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of February. We'll also be reporting in our on position in the world, and on our future plans.

Summary Of Changes

Uxn, started working on a fantasy console called Uxn, and designed a mascot.
100r.ca, added a dark mode as an accessibility feature, and added new drawings to cooking and sailing.
Grimgrains, also added a dark mode.
Wiktopher, what is this? Another dark mode. Now our eyes are happy.

News

This month, we released the e-book version of the North Pacific Logbook titled Busy Doing Nothing. The book is 217 pages long, and is available as a PDF, mobi or EPUB. We're happy it's out, and hope that you like it!

In other news, Esoteric.Codes interviewed our studio, and we heard that the Toronto Public Library was hosting an online Orca workshop on March 1st—how cool is that?

Pino book club

We're reading A Sand County Almanac by Aldo Leopold.

Summary of changes for January

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of January. We'll also be reporting in our on position in the world, and on our future plans.

Summary of changes for December

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of December. We'll also be reporting in our on position in the world, and on our future plans.

Summary of changes for November

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of November. We'll also be reporting in our on position in the world, and on our future plans.

Summary of changes for October

Hey everyone! This is the list of all the changes we've done to our projects and apps during the month of October. We'll also be reporting in our on position in the world, and on our future plans.

Working offgrid efficiently

Our traveling studio has operated off-the-grid for 4 1/2 years.

For the first 3 years we tested the limits of our space, and at first, it was difficult to create new things, as we had to make time to learn how to solve underlying problems. Our boat was not just an office, it was also our house and transport. As for us, we were artists, but also plumbers, deckhands, electricians, captains, janitors and accountants.

Our main problems as a studio were internet scarcity, power management, data storage as well as hardware and software failures. Overtime we found ways to balance work, pleasure and maintenance. Here are some of the lessons we learnt.

North Pacific Logbook

The passage from Japan (Shimoda) to Canada (Victoria) took 51 days, and it was the hardest thing we've ever done. We decided to keep a logbook, to better remember it and so it can help others who wish to make this trip.

Typhoons and mold

For every traveling sailor, comes a time when the boat has to stay alone in a foreign country. For us, this happened this year in Japan. We'd never left Pino alone before, never for more than a week. We were apprehensive at first, but decided it would be a good learning experience, for us and our beloved.

Whenever we mentioned leaving our boat in Japan, people would say, 'Aren't you afraid of typhoons?' Our 6 month leave coincided with the time of year when typhoons affect Japan, with August to October being the worse months. We were worried, but knew that if we prepared well, Pino would be fine. We spent weeks planning our departure, doing research on how to keep a boat safe in a storm, but also, how to keep mold and insects at bay in our absence.

While in Canada, I had anxiety at night, vivid dreams about what was happening to Pino. These dreams involved us returning to the boat, only to find it turned into a moldy, water-logged cockroach motel. Having no experience leaving our home behind, I had no guarantee that we had done enough.

When we returned 6 months later, we found no mold, no bugs and little to no damage, in fact, we slept in that same night. Pino endured weeks of hot Japanese summers, tropical rain and typhoon-strength winds. We're happy to say that overall, our preparations were indeed enough.

Below is a short list of things to remember, things we learned, when came time to prepare our boat for long-term storage:

Ventilation is key.
Clear the decks.
Don't keep food.
Clean everything.
Store away everything.
Don't leave openings.
Tie everything down.

a home for pino

We left Shimizu on a sunny morning, pushing off the dock at 6am. Early. We wanted to make sure we'd arrive at our destination on time. There was 126nm between us and Shima Yacht harbor, a distance we needed to do in part at night. This wasn't ideal. We knew that. Many people warned us about sailing at night in these waters, but as the Japanese say: 'Shoganai' (it is what it is!). We needed to cross a big stretch of water called Enshu Nada, an area with a lot of traffic. In truth, the entire coastline is full of ships, but it gets very busy north of the Kii Peninsula.

We left Shimizu on a sunny morning, pushing off the dock at 6am. We discussed our plans with our friends Masa and Shu from Dawntreader, they too recommended a non-stop trip because the ports between Omaezaki and Mie are few. There is the port of Fukuda 福田, located at the mouth of Ota Kawa, but the depth of the water is inconsistent and prone to silting. Locals also warned us it wasn't very yacht-friendly, and so we put an X on Fukuda.

Shu instructed us to stay 10nm from shore, to avoid the many nets lining the coast, and to avoid small fishing vessels idling there at night. We did as told.

Coming out of Shimizu port, we came face to face with a large container ship named 'One'. A beautiful ship. Red, with a peculiar shape. The marina had warned us about its coming, that its entrance into Shimizu port was scheduled at 6am during our exit. Avoiding it was not a problem.

We powered out of the harbor and into Suruga Bay. There was no wind, but we raised the mainsail anyway. We wanted to test our new slugs (what keeps the mainsail attached to the mast). It was the first time since Fiji that we'd raised a full main. The black moon shook off its wrinkles, presenting its belly to the sun.

tools ecosystem

How did the Hundredrabbits ecosystem come into being? It's a long story, but here's a summary.

In 2016, we left Canada, armed with our two iPhones and 2 MacBooks Pros. We didn't know the wattage of any of the devices we owned, and even less about the amount of solar needed to power them. When living on land we didn't pay attention to how many amps our devices required daily. Electricity felt limitless.

When we started sailing in BC, we had no dinghy and so we'd go from dock to dock. When we purchased Iggy in Nanaimo, we spent more days on the hook. The first anchorage we went to was a small bight east of Eagle Point, it offered a great view of metro Vancouver. From that point on we spent more and more time at anchor, moving every 5 days or so. We had no power concerns because our route always included marinas, or guest slips at yacht clubs. Our batteries were always topped up.

Life off-grid was new to us then, as was spending lots of time outdoors. We liked it, a lot. When at anchor we'd go explore, spend a few hours working, cooking, then we'd read or play card games in evenings. When living on land, we'd work from 8h-19h, sitting in front of our respective screens, but now things were different. We wanted to do less of that, to take long bike ride around islands or to sit on the deck in evenings to watch the sun set. Then, at marinas where we had both power and internet, we'd go back to working longer hours to get things done. This was a fine setup, we thought, but, there was problem: what happens when we start living AND working at anchor full time? We liked being outdoors, but that's not all we wanted to do. We're creatives, and we need to make things. We were relying on powered docks to work, and so we never got to test our current power setup off-grid. If we had spent a month or so away from civilization, we would have learnt that we had to change something.

And so, to continue with the story, we left Canada and cruised down the coast of the US. True to our old habits, we continued to alternate between staying in a marina and at anchor. The longest we spent off-grid during that time was 3 weeks in San Francisco, anchored off Treasure Island. During that time we discovered that working aboard, running two Macbook Pros, a refrigerator and our phones was not possible. To save on power, we started turning the fridge off at night, and taking trips into town during the day to work from cafes. SF was grey on most days, our solar couldn't keep up with our demanding work schedules. Going to work from cafes in town worked well for us, most had outlets we could use. Our routine started with working from cafes until lunch, then wandering around in the afternoons. We would return home before dark to turn the fridge off, but doing it didn't make sense because the constant shifts in temperatures produced too much moisture. Moisture meant rot and mold. We decided that keeping it off was a better idea for both our batteries and our produce. With the fridge out of the equation, we figured that we'd have more power left-over for our laptops.

hello fujisan

It's 8h00 pm on a cold dark winter night, we are outside of Shimizu harbor motoring in circles and waiting for a response from Shimizu Port Control. The temperature is 4 °C, the wind is blowing hard and our clothes are wet and caked with salt. We’re tired and hungry, waiting for permission to enter the Port. Prior to this, we had a rough 4-day passage, riding under 30-40 knot winds on the nose. This passage was a true test of strength, for us and for Pino... but first, let’s go back and see exactly what happened…

We'd planned to go to Wakayama, riding on the back of a passing low with winds from the NE, shifting to the S and then to the SW, but the wind decided to turn earlier making it impossible for us to go east. We found ourselves close-reaching in 40 knot winds, heading straight north. Looking at the weather we could see that it would blow from the W for 3-4 days, so we made a new plan to head to Omaezaki. We'd read of other sailors taking refuge there in big weather and thought it would be possible to go, but again, the wind kept pushing us further and further east. The next port on our list was Shimizu, tucked in deep into the bay. We were able to point Pino to the cape just past Shimizu, but we weren't sure if again the wind and current would allow us to make some easting.

At that point both of us were frozen solid. Wave after wave splashed over the boat and into the cockpit. The starboard rail was constantly submerged, our starboard side lee cloth was gone and the diesel bins were threatening to fall overboard. We had 3 reefs in our main, but 5 slides had snapped off (yet again), I wondered when the rest would break.

goji no chaimu

After a long 21-day passage, seeing the shape of the island of Chichijima in the distance was unreal; this was our prize, our first step onto Japanese soil. We used to make many trips to Japan by plane, but getting there by our own efforts — by sailboat — is a lot slower and harder. If we had stuck to our plan of sailing there via Hawaii, we would have been there sooner, but I’m glad we took the long route. We passed through 9 countries, learned a lot about the world and, through it all, we've surpassed ourselves.

During that time, we often talked about what it would be like to arrive in Japan, about what would happen when we did. You have to remember that this was a big deal for us, a milestone in our lives and the culmination of 3 years of hard work. A fantasy made real is a hell of an achievement. A part of me couldn’t believe we’d made it — anytime now I’d wake up mid-ocean in transit in the South Pacific. Even when I’d have my feet planted on the ground, with a Japanese flag flying above my head, I knew I’d be anxious, waiting for something horrible to happen that would rob us of our victory.

'They’ll turn us away.', 'We’ve landed on the wrong island.' or 'We died in the pacific some months ago, and this is limbo.'

My eyes were set on the phantasmic island ahead. The sun fell out of the sky then, drawing down a star-studded curtain; the wind blew itself out, leaving the sea to settle into an unmoving and creepy oil slick. Limbo.

A bright circle appeared on the horizon then. It isn’t the first or the last time that I mistake the moonrise for a ship, or the bright eye of some mythological beast.

At this point, it looked like we’d be entering Futami port at night, but at least we had the eye of Sauron to light the way. The island in the distance stopped being a vague black patch, and we began to see details in it.

the promise of pancakes

As soon as we'd tied to our mooring ball in Majuro's lagoon, the worries of the previous 24 days had vanished only to replaced by the crushing weight of responsibility. Devine, being worry-free, wanted to have pancakes, sleep and check-in tomorrow, but Devine knows how uptight I am, and that this was not what we'd be doing first (even if it is what I wanted too *sigh*). My thinking was that I'd rather get the paperwork out of the way first, to get all of that worrying out of me so I can then eat pancakes in peace.

'Shut up and get dressed.'

We needed to be presentable for the officials, we had to wear clean clothes with pants that reach over your knees. A lot of countries in the pacific don't want to see your knees — I get it, knees are weird. We dug out some clothes from our bins, and then went back on deck to give Iggy the dinghy the kiss of life.

doldrumming

Here we go again, time for another passage. We left Fiji on October 23rd 2018, eager to spend some time on the water again. Our plan, was to stop by Tuvalu, maybe Kiribati, before arriving in Majuro in the Marshall islands where we'd be spending two months before moving off west to Micronesia. We left, knowing that this was wasn't going to be an easy ride...

Two areas of calms lie north of Fiji: the SPCZ (south pacific convergence zone) and the ITCZ (intertropical convergence zone). If you look at windy, hovering around the countries of Tuvalu and Kiribati are two bands of blue - blue means there is no wind. The size and location of these bands varies from day to day, week to week.. they phase in and out of existence with the weather and influence of the trade winds.

Sailors fear these blue bands because the weather there is difficult, not only do you suffer calms, but also a continuous ballet of squalls and thunderstorms. We've been through the doldrums (the ITCZ) once already when we crossed from Mexico to the Marquesas.

leleuvia

We've never been on a tiny island, a place you can run the width of under just a few minutes. We found a place like this, Leleuvia, an island in the Lomaitivi archipelago in Fiji.

This island went through many hands over the years, it now belongs to a resort that too bears the name of the island. We decided to make a stop there on our way to Suva, to wait for favorable winds to go south.

Also, we wanted a taste of tiny-island living.

We arrived at Moturiki pass around 1pm. SY Scoots gave us a number to phone the resort on arrival, so they could send a boat to guide us through the reef. We realized then, that our phone plan didn't include calls within Fiji, all we had was data — woops! That's ok! We still had the option of calling them on VHF. I hailed them repeatedly on CH10 — no luck.

I had waypoints for the entrance, but not all the way to the anchorage. Many areas in Fiji aren't charted well, you can find yourself navigating over an area with the depth sounder reading '10m' but the chart will display a patch of green, an area too shallow to pass. It's always disconcerting, to find yourself anchored in a patch of green, like sitting in a negative space, a secret place that you didn't think existed.

We got closer and closer to the green area, growing ever-so nervous, and continuing to try and hail the resort. Eventually, they picked up my call.

'Vessel calling, this is Leleuvia resort.'
'This is sailing vessel Pino, d'you have any moorings available?'
'Yes. When you come near the pier we'll send a boat to escort you to it.'
'Great, thanks!'

We wouldn't be entering the anchorage in the blind after all. We would have eyes to guide us to a safe spot.

We motored on, nearing the pier, and spotted the escort boat. The driver came within shouting range, instructing us to follow, which we promptly did. They led us to a mooring, and assured us it was strong and that it could take our weight — not that Pino is heavy. We grabbed the line from the water, with a bit of difficulty, sometimes the mooring 'eye' for the buoys are submerged, and you need to figure out which bit to grab to get to it. We missed the mooring ball the first time, the whole endeavour was made worse by the up and down motion of the bow — there was a bit of swell coming into the anchorage from the north at the time. We rounded again to grab the mooring ball, i spied a thin loop at the top of the ball, and thrusted the boat hook in it. I hurriedly pulled the float out of the water, and my hands and the line found the mooring loop. This is not my favorite type of mooring ball, where you need to pull the ball up itself to find the rope hanging far underneath it, usually they'll put a separate float on the line to keep it buoyant. All moorings are different.

The northerly swell would stop soon, the forecast called for 20-25kts out of the SE tomorrow. On the chart, the area looked protected from swell, with a reef belt around it, but looking around now, aside from the tiny spit of land that is Leleuvia, there was only water. At low tide the reef became evident, as the water receded sand banks came into view, fencing us in from all directions but from the North. Phew. The reef would break most of the waves, but at high tide some swell would make it past it for sure — not ideal, but we would have some protection.

The next day the wind did freshen, and as expected, at high tide the waves spilled into the anchorage. It was bumpy, but not overly so.

where is the turtle farm

Pino spent a long time in Savusavu, but by then, we were growing tired of this scenery, not of the market, or of the company to be found here, but just of having that same view every morning. We love this city, but when it's time to go, it's time to go!

We left our mooring at 9am, and moved along over to Cousteau's resort to anchor (16 48.623S, 179 17.331E). The water was unclear, and the clouded sky made it difficult to see bommies beneath us. Devine dove in and checked out our anchor, which was set in sand, and we weren't near any huge coral that we could see, that is, unless the wind shifted - it was hard to see that far in cloudy water to be honest.

SV Privateer arrived shortly after us, having made the short passage by sail, we saw them manoeuver around, looking for a place to drop the hook.

'What's the bottom like?' Lila shouted, baby Chance strapped to her back.
'Sand. A few bommies!' I shouted back.

They hovered around some more, opening the headsail, furling it, in and out again, and moving the main in and out to make their way around the anchorage. It's always impressive to watch, not many will rely on wings alone to do this. They'll do as many tacks as necessary to get where they need to go - engines be damned!

We tried swimming at the beach that afternoon, but it was full of seaweed and unclear, we much preferred staying on the tiny slab of beach lining the shore to watch the hundreds of tiny hermit crabs moving about. They were different sizes, wearing a grand variety of shells - some spirally, others conical, stained with purples and whites, oranges and cream. We sat there in silence, listening to the sound of their shells rubbing against bits of broken coral. Such a pleasant sound, small scratching noises. Crkk, crkk... crkk.

'Move along little ones - move along now! Tide's rising!'

We left our hermit crab friends behind, and went back aboard Pino. Tomorrow morning we had to get up at 4am to sail to Makogai (pronounced ma-kon-guy), 49NM away.

The wind changed in the night, we could hear the chain rubbing against bit of coral, catching, before coming off again with a jerk, the sound traveling to us by the chain through the hull. We should have probably buoyed the chain, we thought then, but it was dark, and too late to think of doing this now. Hopefully, the chain wouldn't have this macramé thing going on with the bits of coral down there.

projects and pain

We arrived in New Zealand with a long scary list of things to fix or replace on Pino. We needed new batteries, a new mainsail, a fresh coat of bottom-paint, galley plumbing, new intermediates shrouds, new backstay, new top hatch, new windows, new control cables etc.

'If we can't finish all of these projects, then we can't leave.'

That was the deal. There was too much ocean between us and Japan. Our vessel needed to be made safe to endure it, and to ensure our safe passage.

When we landed in the country, we had grand ideas, 'grand illusions' I should say, about what we thought we could get done by ourselves. We wanted to learn, but we also wanted to save money. By now, we knew how much it cost to offload the work to others, and it's not something we knew we could do.

Below, is a detailed account of all the repairs we did on Pino during the 9 months we spent in New Zealand. This is a technical post, interspersed with bits of story, present and past. For those who don't know the terms, but that are interested, I'll do my best to explain them all throughout the text.

Here I go!

an island to oneself

Traveling to New Zealand, after a year of unknown, was a great comfort to us. There are a few things Devine and I were really looking forward to, like a good latte, craft beer, a fresh food market and a bulk food store. I found a city that checked all of the boxes.

Many of the cruisers we know want to arrive in Opua – with reason. It's warm, damn gorgeous, and you know you'll find friends there, because that's where everyone goes during the cyclone season. Arriving in a strange place, with familiar faces, always makes the experience better, but knowing this, we still chose Whangarei.

I first pronounced Whangarei as 'one-gah-rey', but the proper way to say it is: 'fah-ngah-rey'. A friend corrected me early on, sparing me the embarrassment of mispronouncing it aloud in public. I know that no one would think me a fool for making a mistake like this, but I do like learning the correct way to say things.

Why did we choose to go there? Because staying in the Whangarei Town Basin is inexpensive, convenient, with everything just a short walk away. We'd also read that it was a good place for boat projects, and since Pino needed a lot of attention, this too, we thought, tipped the scale in its favor. We also noted that it was close to Auckland — well, it looked closer on a map. We became very familiar with that stretch of land, and of the actual distance between the two places during the 8 months we spent there.

The first thing we did when we arrived, was to replenish our store of dried goods at Bin Inn, a really great bulk food store. The second thing, was purchasing a home brew kit - priorities amirite? The third thing, was to get a latte.

I'll never forget the look on Devine's face after taking a sip of a cup of freshly brewed beans, a delicious pool of dark liquid topped with a pillowy cloud of plant milk.

Joy incarnate.

captain what is this

After 15 days on the water, we were to get into port. It was the 27th of June, and we'd left Opua on the 12th. We hove-to for the night, waiting for sunrise before entering Savusavu bay. 'Entering a strange harbor at night is for morons and fools,' people told us. We didn't listen right away, but they were right. In this particular case, there was no point in arriving early, considering yachts cannot anchor in Fiji waters before checking in, and that check-in is only possible after 8am.

At dawn, we pointed towards the island of Vanua Levu and sailed on, with the wind at our backs. I went below to make some coffee, as both of us needed a boost. Devine was in the cockpit, keeping an eye on a large storm cloud ahead. The wind increased as we neared it, but it did not trouble us long. We made our way inside the reef, which offered some protection from the building swells, and moved closer to land. We could see rows of hills ahead, and caught the perfume of greenery. After that, came a sure sign of civilization: buildings, low, with green and red roofs. As we got nearer, came an even more obvious sign of civilization: cars, and small power boats. We'd arrived.

We neared the entrance to Nakama creek around 9am, and radio'ed the authorities on channel 16.

I hailed them 3 times, no answer. We slowed down, awaiting a reply. The commercial wharf lay ahead, we could see boats on moorings, some abandoned, others belonging to people we'd seen or met accross the Pacific. Eventually, they replied and asked us about the details of our trip, and if we had sent a pre-arrival notice. Sending it ahead of time was mandatory, and was about 10 pages too long. I'd sent it to the proper people by email, although half of the messages bounced back, and other cruisers reported the same thing happening. With the document being so large, it's no wonder their inboxes are always full. I even tried sending it again while underway, no luck. No matter. I'd received a reply from the custom office, at least one of the messages made it. They told us to look for a white building on our starboard side.

the rock of polynesia

Niue, pronounced 'New-ay', a rock in the Pacific, one of the largest coral islands on earth. It's the first country to offer free, state-funded, wireless internet to all its residents and has a goal of being completely solar powered— uuuh... wow?

We'd also heard that the school gave all of the kids laptops, this, with free internet, makes it a paradise for people like us. Already then, we made plans to move there — like all places in the tropics with a good connection and supply of coconuts and beer. I remember when we were speaking of staying in Nuku Hiva too, and in La Paz. We make a home everywhere we go. This, makes it hard to leave, but this ease of adaptation also makes us eager to go forward, to see where else we could live. This is what we do, we set up house in different places, sometimes for 8 months at a time.

We weren't going to be staying long in Niue though, but not by choice.

Alofi Bay, the only anchorage on the island, is not protected in any wind other than east. If the wind turns in an unfavorable direction, staying could be dangerous and we'd be forced to leave.

One other troublesome thing about the 'rock of Polynesia', is that they hiked the departure fees from 35$ to 80$ per person. Anyone who enters Niue, when leaving, need pay this fee. That's a lot of money, we thought, to visit a place so small.

In the end I'm glad we went, because of all the places we'd been, Niue was our favorite.

We arrived at 6am in the morning, rounding the island to Alofi bay that lay on the west side. A squall lay between me and the anchorage, a puffy cloud with a thick wet skirt. I pulled my hood on, grabbed the helm firmly and quickly skipped through songs on my phone till I landed on anything by Purity ring. Ah! Sea castles. Yes, perfect.

WOOSH! A gust of wind comes, but I'm ready. The song begins then too... 'I could build a machine—' The boat heels, '—draw pictures for the walls.' Then comes the rain, heavy droplets, washing the salt crystals away. It left as quickly as it came, giving way to the sun, its face reflected in a thousand wet pools on the deck. 'Hang up all my fragile frights—' I point Pino towards the anchorage. Tall masts ahead, signs of life. The water, a deep blue, spotted with brightly-colored floaters. '—Display that you may see.' I sing aloud, turning the music off. 'We're here!' I shout to Devine.

internet in paradise

Huahine, one of the many grouped islands in French Polynesia. Our plans for future ocean voyaging could have ended here, because we almost crashed onto a reef.

Because we always time our arrival with the morning sun, I always get the first look of every island. Huahine stood in front of us, a series of volcanic peaks marked by deep valleys and blanketed in green, an island that came into being million of years ago.

We were heading for Baie d'Avea, to the south of the island.

rainy with a chance of mosquitoes

Nuku Hiva, a green mountainous island in the Pacific, straight out of Jurassic Park. Just as foreign and just as wild, except instead of hungry lizards there are mosquitoes, also known as the vampires of the Marquesas.

Before arriving, we didn't know what it was going to be like there, we'd barely read anything about it. We knew where we'd anchor, that people there spoke french and that there would be tropical fruit, but beyond that it was a blur, a black spot in our minds. We read the book Fourteen during our 28-day transit from La Paz. In this book, the family sailed to Nuku Hiva, but their experience there was not so good. It wasn't bad because of the Marquesans, or the island itself, but because of no-no's, little biting bugs that hide in sand. We took a mental note of this: "Avoid sand beaches, and you will have a great time!"

On day 27 of our voyage, I could see the outline of the island in the distance. I stood at the bow, trying to take footage of the event, but was disappointed with the shot. Far-away wonders have a way of looking unimpressive on camera. I was about to put the camera away, when I heard a 'wooshing' sound. I looked over the side, and saw an orca whale swimming next to Pino, its length matching our own. It stayed with us for a long while, it's white belly making it easy to spot it in the water. This unusual encounter was a great start to our Marquesian adventure.

Pino arrived at the entrance to Taiohae bay. I sat on the bow with Iggy's deflated corpse. I pumped life back into it, while it, sucked mine out. I was sweaty, a constant stream of body water oozing down my back. We had no dinghy pump, having broken it ages ago. All we had was a jury-rigged contraption using a bike pump, a bike tube and the hose from the old pump. It worked, but it took twice as long to put air into anything.

A super yacht was anchored in the mouth of the bay, called 'Ethereal'. "How fitting", I thought.

It's as if the yacht was a sign, a warning of the view to come — one, that was definitely ethereal.

A chain of mountains, green and fuzzy, and ahead a bay filled with boats flying flags from all over the world. We found a spot in 12 m of water, mud bottom, and dropped anchor. The sky was clear, but clouds clung to the peaks of every mountain. It was a rare thing, we realized afterwards, for the skies to be clear. Most days were grey. While grey often means rain, it also means less sun. It was over 30 degrees every day, so hot that at times we couldn't work, our bodies shiny with sweat, driving us mad. Mad to the point that we seriously considered flooding the cockpit with water to turn it into a pool.

Back to top

Darknet Diaries

166: Maxie

Maxie Reynolds loves an adventure, especially the kind where she’s breaking into buildings (legally). In this episode, she shares stories from her time as a professional penetration tester, including high-stakes physical intrusions, red team chaos, and the unique adrenaline of hacking the real world.

Her book: The Art of Attack: Attacker Mindset for Security Professionals (https://amzn.to/4ojYSVZ)

Her data center: www.subseacloud.com/

165: Tanya

Tanya Janca is a globally recognized AppSec (application security) expert and founder of We Hack Purple. In this episode, she shares wild stories from the front lines of cybersecurity. She shares stories of when she was a penetration tester to an incident responder.

You can sign up for her newsletter at https://newsletter.shehackspurple.ca/

Sponsors

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

This episode is sponsored by Hims. Hims offers access to ED treatment options ranging from trusted generics that cost up to 95% less than brand names to Hard Mints, if prescribed. To get simple, online access to personalized, affordable care for ED, Hair Loss, Weight Loss, and more, visit https://hims.com/darknet.

Support for this show comes from Drata. Drata is the trust management platform that uses AI-driven automation to modernize governance, risk, and compliance, helping thousands of businesses stay audit-ready and scale securely. Learn more at drata.com/darknetdiaries.

View all active sponsors.

Books

164: Oak Cliff Swipers

He started small, swiping cards, buying gift cards, and cashing out. It spiraled into a full‑blown criminal enterprise. Dozens of co‑conspirators, stacks of stolen plastic, and a lifestyle built on chaos.

Meet Nathan Michael, leader of Oak Cliff Swipers.

Sponsors

Support for this show comes from Pantheon. Pantheon keeps your site fast, secure, and always on. That means better SEO, more conversions, and no lost sales from downtime. But this isn’t just a business win; it’s a developer win too. Your team gets automated workflows, isolated test environments, and zero-downtime deployments. Visit Pantheon.io, and make your website your unfair advantage.

Support for this show comes from Adaptive Security. Deepfake voices on a Zoom call. AI-written phishing emails that sound exactly like your CFO. Synthetic job applicants walking through the front door. Adaptive is built to stop these attacks. They run real-time simulations, exposing your teams to what these attacks look like to test and improve your defences. Learn more at adaptivesecurity.com.

163: Ola

In 2019, Ola Bini, a Swedish programmer and privacy advocate, was arrested in Ecuador for being a Russian hacker.

Find Ola on X: https://x.com/olabini. Or visit his website https://olabini.se/blog/. Or check out his non-profit https://autonomia.digital/.

Sponsors

This show is sponsored by Miro. AI doesn’t have to be intimidating—in fact, it can help your team thrive. Miro’s Innovation Workspace changes that by bringing people and AI together to turn ideas into impact, fast. Whether you’re launching a new podcast, streamlining a process, or building the next big thing, Miro helps your team move quicker, collaborate better, and actually enjoy the work. Learn more at https://miro.com/.

This show is sponsored by Thales. With their industry-leading platforms, you can protect critical applications, data and identities – anywhere and at scale with the highest ROI. That’s why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most – applications, data and identities. Learn more at http://thalesgroup.com/cyber.

View all active sponsors.

Sources

162: Hieu

All Hieu Minh Ngo wanted was to make money online. But when he stumbled into the dark web, he found more than just opportunity, he found a global dark market. What started as a side hustle turned into an international crime spree.

Find Hieu on X: https://x.com/HHieupc.

Sponsors

This show is sponsored by Red Canary. Red Canary is a leading provider of Managed Detection and Response (MDR), helping nearly 1,000 organizations detect and stop threats before they cause harm. With a focus on accuracy across identities, endpoints, and cloud, we deliver trusted security operations and a world-class customer experience. Learn more at redcanary.com.

161: mg

In this episode we talk with mg (https://x.com/MG), the brilliant (and notorious) hacker and hardware engineer behind the OMG Cable. A seemingly ordinary USB cable with extraordinary offensive capabilities.

Learn more about mg at: o.mg.lol

Sponsors

Support for this show comes from Axonius. Axonius transforms asset intelligence into intelligent action. With the Axonius Asset Cloud, customers preemptively tackle high-risk and hard-to-spot threat exposures, misconfigurations, and overspending. The integrated platform brings together data from every system in an organization’s IT infrastructure to optimize mission-critical risk, performance, and cost measures via actionable intelligence. Covering cyber assets, software, SaaS applications, identities, vulnerabilities, infrastructure, and more, Axonius is the one place to go for Security, IT, and GRC teams to continuously drive actionability across the organization. Bring truth to action with Axonius. Learn more at axonius.com.

160: Greg

Greg Linares (AKA Laughing Mantis) joins us to tell us about how he became the youngest hacker to be arrested in Arizona.

Follow Greg on Twitter: https://x.com/Laughing_Mantis.

Sponsors

159: Vastaamo

Joe Tidy investigates what may be the cruelest and most disturbing cyber attack in history. A breach so invasive it blurred the line between digital crime and psychological torture. This story might make your skin crawl.

Get more from Joe linktr.ee/joetidy.

Get the book Ctrl + Alt + Chaos: How Teenage Hackers Hijack the Internet (https://amzn.to/3He7GNs).

Sponsors

158: MalwareTech

MalwareTech was an anonymous security researcher, until he accidentally stopped WannaCry, one of the largest ransomware attacks in history. That single act of heroism shattered his anonymity and pulled him into a world he never expected.

https://malwaretech.com

Sponsors

Support for the show comes from Black Hills Information Security. Black Hills has a variety of penetration assessment and security auditing services they provide customers to help keep improve the security of a company. If you need a penetration test check out www.blackhillsinfosec.com/darknet.

Support for this show comes from Arctic Wolf. Arctic Wolf is the industry leader in security operations solutions, delivering 24x7 monitoring, assessment, and response through our patented Concierge Security model. They work with your existing tools and become an extension of your existing IT team. Visit arcticwolf.com/darknet to learn more.

Support for this show comes from Cloaked, a digital privacy tool. Cloaked offers private email, phone numbers, and virtual credit card numbers. So you can be anonymous online. They also will remove your personal information from the internet. Like home address, SSN, and phone numbers. Listeners get 20% off a Cloaked subscription when they visit https://cloaked.com/darknet. Calling 1-855-752-5625 for a free scan to check if your personal information is exposed!

157: Grifter

Grifter is a longtime hacker, DEF CON organizer, and respected voice in the infosec community. From his early days exploring networks to helping shape one of the largest hacker conferences in the world, Grifter has built a reputation for blending deep technical insight with a sharp sense of humor.

Learn more about Grifter by visiting grifter.org.

Sponsors

Support for this show comes from ZipRecruiter. ZipRecruiter has solved the hiring problem. Employers prefer it the most for so many reasons. Let’s start by telling you about their matching technology. They work hard to find the best candidates for your needs, and will instantly show you results once you post a job listing. ZipRecruiter will speed up your hiring process. See it for yourself at www.ziprecruiter.com/DARKNET.

This show is sponsored by Material Security. Your cloud office (think Google Workspace or Microsoft 365) is the core of your business, but it’s often protected by scattered tools and manual fixes. Material is a purpose-built detection and response platform that closes the gaps those point solutions leave behind. From email threats to misconfigurations and account takeovers, Material monitors everything and steps in with real-time fixes to keep your data flowing where it should. Learn more at https://material.security.

156: Kill List

The dark web is full of mystery. Some of it’s just made up though. Chris Monteiro wanted to see what was real and fake and discovered a hitman for hire site which took him on an unbelievable journey.

Chris Monteiro Twitter: x.com/Deku_shrub, Website: https://pirate.london/

Carl Miller Twitter: https://x.com/carljackmiller.

Kill List podcast: https://wondery.com/shows/kill-list/

Sponsors

This episode is sponsored by ProjectDiscovery. Tired of false positives and falling behind on new CVEs? Upgrade to Nuclei and ProjectDiscovery, the go-to tools for hackers and pentesters. With 10,000 detection templates, Nuclei helps you scan for exploitable vulnerabilities fast, while ProjectDiscovery lets you map your company’s perimeter, detect trending exploits, and triage results in seconds. Get automation, accuracy, and peace of mind. First-time users get one month FREE of ProjectDiscovery Pro with code DARKNET at projectdiscovery.io/darknet.

This episode is sponsored by Kinsta. Running an online business comes with enough headaches—your WordPress hosting shouldn’t be one of them. Kinsta’s managed hosting takes care of speed, security, and reliability so you can focus on what matters. With enterprise-level security, a modern dashboard that’s actually intuitive, and 24/7 support from real WordPress experts (not chatbots), Kinsta makes hosting stress-free. Need to move your site? They’ll migrate it for free. Plus, get your first month free when you sign up at kinsta.com/DARKNET.

155: Kingpin

In this episode, we delve into the multifaceted career of Joe Grand, also known as “Kingpin.” A renowned hardware hacker and computer engineer, Joe has been exploring and manipulating electronic systems since the 1980s. As a former member of the legendary hacker collective L0pht Heavy Industries, he has significantly contributed to the cybersecurity landscape. Joe is also the proprietor of Grand Idea Studio, a research and development firm, and has shared his expertise through various media, including his YouTube channel. Join us as we explore Joe’s unique perspective on hacking, engineering, and his extraordinary journey in the world of technology.

https://joegrand.com/

Sponsors

Support for this show comes from Lumen. It used to be hard to track your metabolism, but Lumen is a little device that you breath into which tells you if your burning fat or carbs, fast and easy and have your results in seconds. And knowing that will help you know what kind of food your body needs. And knowing that will help you with your health goals like losing weight or gaining muscle. Take the next step to improving your health go to lumen.me/darknet.

154: Hijacked Line

Conor Freeman (x.com/conorfrmn) stole money online. Lot’s of it. In this episode we talk with him, and hear how he did it, why he did, and what he spent it on.

Conor’s website: https://conorfreeman.ie

Conor’s X: https://x.com/conorfrmn

Sponsors

Sources

153: Bike Index

Have you ever got your bike stolen? In this episode we dive into the world of stolen bikes. Who does it and where do the bikes go? We talk with Bryan from Bike Index who investigates this.

https://bikeindex.org

Sponsors

This show is sponsored by Flashpoint. As one of the largest private providers of threat intelligence, Flashpoint delivers what security teams need most: clarity. By combining cutting-edge technology with the expertise of world-class analyst teams, their Ignite platform gives organizations instant access to critical data, expertly analyzed insights, and real-time alerts —all in one seamless platform. To access one of the industry’s best threat data and threat intelligence, visit flashpoint.io today.

152: Stacc Attack

Jarett Dunn, AKA StaccOverflow, stole millions of dollars from a website called Pump Fun, and he wanted to do it in the most dramatic and theatrical way he could. His big heist is known as the “Stacc Attack”.

https://x.com/STACCoverflow

He has a merch store now freestacc.io.

Sponsors

Support for this show comes from Cobalt Strike. Cobalt Strike simulates real-world, advanced cyber attacks to enable red teams to proactively evaluate an organisation’s security readiness and defence response. Their Command and Control framework gives red teamers the ability to customise their engagements and incorporate their own tools and techniques, allowing you to stress-test specific parts of your incident response capabilities. Learn more about Cobalt Strike and get a custom demo at https://cobaltstrike.com/darknet.

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

151: Chris Rock

Chris Rock is known for being a security researcher. But he’s also a black hat incident responder. He tells us about a job he did in the middle east.

https://x.com/chrisrockhacker

Sponsors
Support for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Support for this show comes from Flare. Flare automates monitoring across the dark & clear web to detect high-risk exposure, before threat actors have a chance to leverage it. Their unified solution makes it easy to rapidly identify risks across thousands of sources, including developers leaking secrets on public GitHub Repositories, threat actors selling infected devices on dark web markets, and targeted attacks being planned on illicit Telegram Channels. Visit http://try.flare.io/darknet-diaries to learn more.

150: mobman 2

In Episode 20 of Darknet Diaries, we heard from Greg aka “mobman” who said he created the sub7 malware. Something didn’t sit right with a lot of people about that episode. It’s time to revisit that episode and get to the bottom of things.

Sponsors
This show is sponsored by Shopify. Shopify is the best place to go to start or grow your online retail business. And running a growing business means getting the insights you need wherever you are. With Shopify’s single dashboard, you can manage orders, shipping, and payments from anywhere. Sign up for a one-dollar-per-month trial period at https://shopify.com/darknet.

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

Sources
https://www.youtube.com/watch?v=GDMc2PZM4V4
https://www.illmob.org/notmymobman/
https://darknetdiaries.com/episode/20

149: Mini-Stories: Vol 3

In this episode we hear EvilMog (https://x.com/Evil_Mog) tell us a story about when he had to troubleshoot networks in Afghanistan. We also get Joe (http://x.com/gonzosec) to tell us a penetration test story.

Sponsors
Support for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

148: Dubsnatch

Ever wondered how far a fan would go to get a sneak peek of their favorite artist’s unreleased tracks? In this episode, we uncover the audacious story of some teens bent on getting their hands on the newest dubstep music before anyone else.

Sponsors
Support for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

147: Tornado

In this episode, Geoff White (https://x.com/geoffwhite247) tells us what happened to Axie Infinity and Tornado cash. It’s a digital heist of epic proportions that changes everything.

This story comes from part of Geoff’s book “Rinsed” which goes into the world of money laundering. Get yours here https://amzn.to/3VJs7pb.

146: ANOM

In this episode, Joseph Cox (https://x.com/josephfcox) tells us the story of anom. A secure phone made by criminals, for criminals.

This story comes from part of Joseph’s book “Dark Wire” which you should definitely read. Get yours here https://www.hachettebookgroup.com/titles/joseph-cox/dark-wire/9781541702691.

145: Shannen

Shannen Rossmiller wanted to fight terrorism. So she went online and did.

Read more about her from her book “The Unexpected Patriot: How an Ordinary American Mother Is Bringing Terrorists to Justice”. An affiliate link to the book on Amazon is here: https://amzn.to/3yaf5sI.

Thanks to Spycast for allowing usage of the audio interview with Shannen.

Sponsors

Support for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

144: Rachel

Rachel Tobac is a social engineer. In this episode we hear how she got started doing this and a few stories of how she hacked people and places using her voice and charm.

Learn more about Rachel by following her on Twitter https://twitter.com/RachelTobac or by visiting https://www.socialproofsecurity.com/

Daniel Miessler also chimes in to talk about AI. Find out more about him at https://danielmiessler.com/.

Sponsors

Support for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

143: Jim Hates Scams

Jim Browning has dedicated himself to combatting scammers, taking a proactive stance by infiltrating their computer systems. Through his efforts, he not only disrupts these fraudulent operations but also shares his findings publicly on YouTube, shedding light on the intricacies of scam networks. His work uncovers a myriad of intriguing insights into the digital underworld, which he articulately discusses, offering viewers a behind-the-scenes look at his methods for fighting back against scammers.

Jim’s YouTube channel: https://www.youtube.com/c/JimBrowning

Sponsors

Support for this episode comes from NetSuite. NetSuite gives you visibility and control of your financials, planning, budgeting, and of course - inventory - so you can manage risk, get reliable forecasts, and improve margins. NetSuite helps you identify rising costs, automate your manual business processes, and see where to save money. KNOW your numbers. KNOW your business. And get to KNOW how NetSuite can be the source of truth for your entire company. Visit www.netsuite.com/darknet to learn more.

This episode is sponsored by Intruder. Growing attack surfaces, dynamic cloud environments, and the constant stream of new vulnerabilities stressing you out? Intruder is here to help you cut through the chaos of vulnerability management with ease. Join the thousands of companies who are using Intruder to find and fix what matters most. Sign up to Intruder today and get 20% off your first 3 months. Visit intruder.io/darknet.

This show is sponsored by Shopify. Shopify is the best place to go to start or grow your online retail business. And running a growing business means getting the insights you need wherever you are. With Shopify’s single dashboard, you can manage orders, shipping, and payments from anywhere. Sign up for a one-dollar-per-month trial period at https://shopify.com/darknet.

CLAIM=a6e199f5f9fd5954e532117c829c8f0a8f0f1282=CLAIM

142: Axact

Axact sells fake diplomas and degrees. What could go wrong with this business plan?

Sponsors

141: The Pig Butcher

The #1 crime which results in the biggest financial loss is BEC fraud. The #2 crime is pig butchering. Ronnie Tokazowski https://twitter.com/iHeartMalware walks us through this wild world.

Sponsors

Support for this show comes from Drata. Drata streamlines your SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR & many other compliance frameworks, and provides 24-hour continuous control monitoring so you focus on scaling securely. Listeners of Darknet Diaries can get 10% off Drata and waived implementation fees at drata.com/darknetdiaries.

140: Revenge Bytes

Madison's nude photos were posted online. Her twin sister Christine came to help. This begins a bizarre and uneasy story.

139: D3f4ult

This is the story of D3f4ult (twitter.com/_d3f4ult) from CWA. He was a hacktivist, upset with the state of the way things were, and wanted to make some changes. Changes were made.

Sponsors

Support for this show comes from Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn’t be. Check them out at https://canary.tools.

Support for this show comes from Quorum Cyber. Their mantra is: “We help good people win.” If you’re looking for a partner to help you reduce risk and defend against the threats that are targeting your business — and especially if you are interested in Microsoft Security — reach out to Quorum Cyber at www.quorumcyber.com/darknet-diaries.

Sources

https://www.vice.com/en/article/z3ekk5/kane-gamble-cracka-back-online-after-a-two-year-internet-ban

https://www.wired.com/2015/10/hacker-who-broke-into-cia-director-john-brennan-email-tells-how-he-did-it/

https://www.hackread.com/fbi-server-hacked-miami-police-data-leaked/

https://archive.ph/Si79V#selection-66795.5-66795.6

https://wikileaks.org/cia-emails/John-Brennan-Draft-SF86/page-7.html

138: The Mimics of Punjab

This episode is about scammers in the Punjab region. Tarun (twitter.com/taruns21) comes on the show to tell us a story of what happened to him. Naomi Brockwell (twitter.com/naomibrockwell) makes an appearance to speak about digital privacy.

To learn more about protecting your digital privacy, watch Naomi’s YouTube channel https://www.youtube.com/@NaomiBrockwellTV. And check out the books Extreme Privacy (https://amzn.to/3L3ffp9) and Beginner’s Introduction to Privacy (https://amzn.to/3EjuSoY).

Sponsors

Support for this show comes from SpyCloud. It’s good practice to see what data is getting passed around out there regarding you, your employees, your customers, and your business. The dark web is a place where this data is traded and shared. SpyCloud will help you find what out there about you and give you a report so you can be aware. Then they’ll continuously monitor the dark web for any new exposures you should be aware of. To learn more visit spycloud.com/darknetdiaries.

Support for this show comes from ThreatLocker. ThreatLocker has built-in endpoint security solutions that strengthen your infrastructure from the ground up with a zero trust posture. ThreatLocker’s Allowlisting gives you a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level. Learn more at www.threatlocker.com.

137: Predator

A new type of mercenary spyware came on the radar called Predator. It’ll infect a mobile phone, and then suck up all the data from it. Contacts, text messages, location, and more. This malware is being sold to intelligence agencies around the world.

In this episode we hear from Crofton Black at Lighthouse Reports who spent 6 months with a team of journalists researching this story which was published here: https://www.lighthousereports.com/investigation/flight-of-the-predator/.

We also hear from Bill Marczak and John Scott-Railton from Citizen Lab.

If you want to hear about other mercenary spyware, check out episodes 99 and 100, about NSO group and Pegasus. To hear another episode about Greece check out episode 64 called Athens Shadow Games.

Sponsors

Support for this show comes from Akamai Connected Cloud (formerly Linode). Akamai Connected Cloud supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

136: Team Xecuter

Team Xecuter was a group involved with making and selling modchips for video game systems. They often made mods that allowed the video game system to rip games or play pirated games. It was a crowd favorite in the modding scene. Until it all fell apart. The story of what happened to Team Xecuter must be heard to believe.

This episode features Gary Bowser. You can find more about Gary here:

https://twitter.com/Bowser_GaryOPA

https://garyopa.com/

https://www.gofundme.com/f/garyopa-restarting-his-life?utm_location=darknetdiaries

Sponsors

Sources

https://www.washingtonpost.com/archive/politics/1994/10/27/ringleader-pleads-guilty-in-phone-fraud/56e551bb-a727-43e8-a3ca-1c1f4cf6ef82/

https://www.justice.gov/sites/default/files/usao/legacy/2010/10/12/usab4304.pdf

https://www.eurogamer.net/nintendo-to-appeal-not-guilty-judgement-of-flash-cart-sellers-7

https://www.gamesindustry.biz/nintendo-pounces-on-global-piracy-outfit

https://www.justice.gov/opa/pr/two-members-notorious-videogame-piracy-group-team-xecuter-custody

https://medium.com/swlh/watch-paint-dry-how-i-got-a-game-on-the-steam-store-without-anyone-from-valve-ever-looking-at-it-2e476858c753#.z05q2nykc

https://www.lemonde.fr/police-justice/article/2022/05/27/voler-des-societes-qui-font-des-milliards-qu-est-ce-que-j-en-ai-a-faire-max-louarn-c-ur-de-hackeur_6127821_1653578.html

https://www.theverge.com/2020/11/20/21579392/nintendo-big-house-super-smash-bros-melee-tournament-slippi-cease-desist

https://www.youtube.com/watch?v=U7VwtOrwceo

https://www.youtube.com/watch?v=5sNIE5anpik

135: The D.R. Incident

Omar Avilez worked in the CSIRT of the Dominican Republic when a major cyber security incident erupted. Omar walks us through what happened and the incident response procedures that he went through.

Breakmaster Cylinder’s new album: https://breakmastercylinder.bandcamp.com/album/the-moon-all-that.

Sponsors

Support for this show comes from Flare. Flare automates monitoring across the dark & clear web to detect high-risk exposure, before threat actors have a chance to leverage it. Their unified solution makes it easy to rapidly identify risks across thousands of sources, including developers leaking secrets on public GitHub Repositories, threat actors selling infected devices on dark web markets, and targeted attacks being planned on illicit Telegram Channels. Visit https://flare.io to learn more.

Sources

https://www.wired.com/story/costa-rica-ransomware-conti/

https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook

https://www.youtube.com/watch?v=QHYH0U66K5Q

https://www.youtube.com/live/prCr7Z94078

https://www.eff.org/deeplinks/2023/02/uncle-sow-dark-caracal-latin-america

https://www.bleepingcomputer.com/news/security/quantum-ransomware-attack-disrupts-govt-agency-in-dominican-republic/

https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/

Attribution

Darknet Diaries is created by Jack Rhysider.

Assembled by Tristan Ledger.

Episode artwork by odibagas.

Mixing by Proximity Sound.

Theme music created by Breakmaster Cylinder. Theme song available for listen and download at bandcamp. Or listen to it on Spotify.

134: Deviant

Deviant Ollam is a physical penetration specialist. That means he’s paid to break into buildings to see if the building is secure or not. He has done this for a long time and has a lot of tricks up his sleeve to get into buildings. In this episode we hear 3 stories of him breaking into buildings for a living.

You can find more about Deviant on the following sites:

https://twitter.com/deviantollam

https://www.instagram.com/deviantollam

https://youtube.com/deviantollam

https://defcon.social/@deviantollam

https://deviating.net/

Sponsors

This show is sponsored by Packetlabs. They’ve created the Penetration Testing Buyer’s guide - a comprehensive resource that will help you plan, scope, and execute your Penetration Testing projects. Inside, you’ll find valuable information on frameworks, standards, methodologies, cost factors, reporting options, and what to look for in a provider. https://guide.packetlabs.net/.

133: I'm the Real Connor

One day Connor Tumbleson got an email saying his identity has been stolen. And this was one of the strangest days he’s ever had.

Sponsors

Skiff is a collaboration platform built for privacy from the ground up. Every document, note, and idea you write is end-to-end encrypted and completely private. Only you and your trusted collaborators can see what you’ve created. Try it out at https://skiff.com.

Support for this show comes from AttackIQ. AttackIQ’s security optimization platform emulates the adversary with realism to test your security program, generating real-time performance data to improve your security posture. They also offer free training. Head to attackiq.com to get a closer look at how AttackIQ can help you today.

Sources

https://connortumbleson.com/

https://krebsonsecurity.com/2022/10/glut-of-fake-linkedin-profiles-pits-hr-against-the-bots/

Snippet from Darknet Diaries ep 119 about North Korean’s getting tech jobs to steal bitcoin https://www.youtube.com/watch?v=v1ik6bAwELA

Attribution

Assembled by Tristan Ledger.

Sound design by Garrett Tiedemann.

Episode artwork by odibagas.

Mixing by Proximity Sound.

Theme music created by Breakmaster Cylinder.

132: Sam the Vendor

Sam Bent, a.k.a. DoingFedTime, brings us a story of what it was like being a darknet market vendor.

Learn more about Sam at https://www.doingfedtime.com/.

Sponsors

Support for this show comes from Akamai Connected Cloud (formerly Linode). Akamai Connected Cloud supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

131: Welcome to Video

Andy Greenberg (https://twitter.com/a_greenberg) brings us a gut wrenching story of how criminal investigators used bitcoin tracing techniques to try to find out who was at the center of a child sexual abuse darkweb website.

This story is part of Andy’s new book “Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency”. An affiliate link to the book on Amazon is here: https://amzn.to/3VkjSh7.

Sponsors

130: Jason's Pen Test

Join us as we sit down with Jason Haddix (https://twitter.com/Jhaddix), a renowned penetration tester who has made a name for himself by uncovering vulnerabilities in some of the world’s biggest companies. In this episode, Jason shares his funny and enlightening stories about breaking into buildings and computers, and talks about the time he discovered a major security flaw in a popular mobile banking app.

Sponsors

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

Support for this show comes from Arctic Wolf. Arctic Wolf is the industry leader in security operations solutions, delivering 24x7 monitoring, assessment, and response through our patented Concierge Security model. They work with your existing tools and become an extension of your existing IT team. Visit arcticwolf.com/darknet to learn more.

129: Gollumfun (Part 2)

Brett Johnson, AKA Gollumfun (twitter.com/GOllumfun) was involved with the websites Counterfeit Library and Shadow Crew. He tells his story of what happened there and some of the crimes he committed.

In part 2, his past catches up to him.

Listen to more of Brett on his own show. https://www.thebrettjohnsonshow.com/.

128: Gollumfun (Part 1)

Brett Johnson, AKA Gollumfun (twitter.com/GOllumfun) was involved with the websites Counterfeit Library and Shadow Crew. He tells his story of what happened there and some of the crimes he committed.

Sponsors

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

127: Maddie

Maddie Stone is a security researcher for Google’s Project Zero. In this episode we hear what it’s like battling zero day vulnerabilities.

Sponsors

Support for this show comes from Zscalar. Zscalar zero trust exchange will scrutinize the traffic and permit or deny traffic based on a set of rules. This is so much more secure than letting data flow freely internally. And it really does mitigate ransomware outbreaks. The Zscaler Zero Trust Exchange gives YOU confidence in your security to feel empowered to focus on other parts of your business, like digital transformation, growth, and innovation. Check out the product at zscaler.com.

Sources

https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/yu-vb2013.pdf

https://www.youtube.com/watch?v=s0Tqi7fuOSU

https://www.vice.com/en/article/4x3n9b/sometimes-a-typo-means-you-need-to-blow-up-your-spacecraft

126: REvil

REvil is the name of a ransomware service as well as a group of criminals inflicting ransomware onto the world. Hear how this ransomware shook the world.

A special thanks to our guest Will, a CTI researcher with Equinix.

Sponsors

125: Jeremiah

Jeremiah Roe is a seasoned penetration tester. In this episode he tells us about a time when he had to break into a building to prove it wasn’t as secure as the company thought.

You can catch more of Jeremiah on the We’re In podcast.

Sponsors

124: Synthetic Remittance

What do you get when you combine social engineering, email, crime, finance, and the money stream flowing through big tech? Evaldas Rimašauskas comes to mind. He combined all these to make his big move. A whale of a move.

Sponsors

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

123: Newswires

Investing in the stock market can be very profitable. Especially if you can see into the future. This is a story of how a group of traders and hackers got together to figure out a way to see into the future and make a lot of money from that.

Sponsors

Support for this show comes from Juniper Networks. Juniper Networks is dedicated to simplifying network operations and driving superior experiences for end users. Visit juniper.net/darknet to learn more about how Juniper’s Zero Trust Data Center provides uncompromising visibility across all your data center environments. Visit juniper.net/darknet to learn more.

122: Lisa

In this episode we hear some insider threat stories from Lisa Forte.

Sponsors

Support for this show comes from Axonius. Securing assets — whether managed, unmanaged, ephemeral, or in the cloud — is a tricky task. The Axonius Cybersecurity Asset Management Platform correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Attribution

Darknet Diaries is created by Jack Rhysider.

Editing by Damienne. Assembled by Tristan Ledger. Sound designed by Andrew Meriwether.

Episode artwork by odibagas.

Mixing by Proximity Sound.

Theme music created by Breakmaster Cylinder. Theme song available for listen and download at bandcamp. Or listen to it on Spotify.

121: Ed

In this episode we hear some penetration test stories from Ed Skoudis (twitter.com/edskoudis). We also catch up with Beau Woods (twitter.com/beauwoods) from I am The Cavalry (iamthecavalry.org).

Sponsors

Support for this podcast comes from Cybereason. Cybereason reverses the attacker’s advantage and puts the power back in the defender’s hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.

View all active sponsors.

Attribution

Darknet Diaries is created by Jack Rhysider.

Editing by Damienne. Assembled by Tristan Ledger. Sound designed by Andrew Meriwether.

Episode artwork by odibagas.

Audio cleanup by Proximity Sound.

Theme music created by Breakmaster Cylinder.

120: Voulnet

This is the story about when Mohammed Aldoub, AKA Voulnet, (twitter.com/Voulnet) found a vulnerability on Virus Total and Tweeted about it.

Sponsors

Sources

https://www.cyberscoop.com/story/trial-error-kuwait-mohammed-aldoub-case/

119: Hot Wallets

In this episode we interview journalist Geoff White to discuss some of the recent crypto currency heists that have been happening. Geoff has been tracking a certain group of thieves for some time and shares his knowledge of what he’s found.

Much of what we talk about in this episode has been published in Geoff’s new book The Lazarus Heist: From Hollywood to High Finance: Inside North Korea’s Global Cyber War (https://amzn.to/3mKf1qB).

Sponsors

118: Hot Swaps

This is the story of Joseph Harris (https://twitter.com/akad0c). When he was a young teen he got involved with stealing video game accounts and selling them for money. This set him on a course where he flew higher and higher until he got burned.

Joseph sometimes demonstrates vulnerabilities he finds on his YouTube channel https://www.youtube.com/channel/UCdcuF5Zx6BiYmwnS-CiRAng.

Listen to episode 112 “Dirty Coms” to hear more about what goes on in the communities Joseph was involed with.

Sponsors

Support for this show comes from Synack. Synack is a penetration testing firm. But they also have a community of, people like you, who earn regular money by legally hacking. If you’re interested in getting paid to hack, visit them now at synack.com/red-team, and click ‘apply now.’

117: Daniel the Paladin

Daniel Kelley (https://twitter.com/danielmakelley) was equal parts mischievousness and clever when it came to computers. Until the day his mischief overtook his cleverness.

Sponsors

Support for this show comes from Keeper Security. Keeper Security’s is an enterprise password management system. Keeper locks down logins, payment cards, confidential documents, API keys, and database passwords in a patented Zero-Knowledge encrypted vault. And, it takes less than an hour to deploy across your organization. Get started by visiting keepersecurity.com/darknet.

116: Mad Dog

Jim Lawler, aka “Mad Dog”, was a CIA case officer for 25 years. In this episode we hear some of the stories he has and things he did while working in the CIA.

Jim has two books out. Affiliate links below.

Living Lies: A Novel of the Iranian Nuclear Weapons Program https://amzn.to/3s0Ppca

In the Twinkling of an Eye: A Novel of Biological Terror and Espionage https://amzn.to/3y7B4OL

Sponsors

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

115: Player Cheater Developer Spy

Some video game players buy cheats to win. Let’s take a look at this game cheating industry to see who the players are.

Sponsors

114: HD

HD Moore (https://twitter.com/hdmoore) invented a hacking tool called Metasploit. He crammed it with tons of exploits and payloads that can be used to hack into computers. What could possibly go wrong? Learn more about what HD does today by visiting rumble.run/.

Sponsors

Support for this show comes from Quorum Cyber. They exist to defend organisations against cyber security breaches and attacks. That’s it. No noise. No hard sell. If you’re looking for a partner to help you reduce risk and defend against the threats that are targeting your business — and specially if you are interested in Microsoft Security - reach out to www.quorumcyber.com.

Support for this show comes from Snyk. Snyk is a developer security platform that helps you secure your applications from the start. It automatically scans your code, dependencies, containers, and cloud infrastructure configs — finding and fixing vulnerabilities in real time. And Snyk does it all right from the existing tools and workflows you already use. IDEs, CLI, repos, pipelines, Docker Hub, and more — so your work isn’t interrupted. Create your free account at snyk.co/darknet.

113: Adam

Adam got a job doing IT work at a learning academy. He liked it and was happy there and feeling part of the team. But a strange series of events took him in another direction, that definitely didn’t make him happy.

Sponsors

112: Dirty Coms

This episode we talk with a guy named “Drew” who gives us a rare peek into what some of the young hackers are up to today. From listening to Drew, we can see that times are changing for the motive behind hacking. In the ’90s and ’00s it was done for fun and curiosity. In the ’10s Anonymous showed us what Hacktivism is. And now, in the ’20s, the young hackers seem to be profit driven.

Sponsors

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

Support for this show comes from Juniper Networks. Juniper Networks is dedicated to simplifying network operations and driving superior experiences for end users. Visit juniper.net/darknet to learn more about how Juniper Secure Edge can help you keep your remote workforce seamlessly secure wherever they are.

111: ZeuS

ZeuS is a banking trojan. Designed to steal money from online bank user’s accounts. This trojan became so big, that it resulted in one of the biggest FBI operations ever.

Sponsors

110: Spam Botnets

This episode tells the stories of some of the worlds biggest spamming botnets. We’ll talk about the botnets Rustock, Waledac, and Cutwail. We’ll discover who was behind them, what their objectives were, and what their fate was.

Sponsors

Support for this show comes from Juniper Networks (hyperlink: juniper.net/darknet). Juniper Networks is dedicated to simplifying network operations and driving superior experiences for end users. Visit juniper.net/darknet to learn more about how Juniper Secure Edge can help you keep your remote workforce seamlessly secure wherever they are.

109: TeaMp0isoN

TeaMp0isoN was a hacking group that was founded by TriCk and MLT (twitter.com/0dayWizard). They were responsible for some high profile hacks. But in this story it’s not the rise that’s most interesting. It’s the fall.

Sponsors

108: Marq

This is the story of Marq (twitter.com/dev_null321). Which involves passwords, the dark web, and police.

Sponsors

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

View all active sponsors.

Sources

Court records and news articles were used to fact check this episode. However Marq requested that links to his full name not be made available.

https://techcrunch.com/2019/12/19/ring-doorbell-passwords-exposed/

https://www.wired.com/2010/03/hacker-bricks-cars/

107: Alethe

Alethe is a social engineer. Professionally she tries to trick people to give her passwords and access that she shouldn’t have. But her journey to this point is interesting and in this episode she tells us how she became a social engineer.

Follow Alethe on Twitter: https://twitter.com/AletheDenis

Sponsors

Support for this show comes from Skiff. Skiff is a collaboration platform built for privacy from the ground up. Every document, note, and idea you write is end-to-end encrypted and completely private. Only you and your trusted collaborators can see what you’ve created. Try it out at https://www.skiff.org/darknet.

Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

106: @Tennessee

How much online abuse are you willing to take before you decide to let your abuser have what they want? Unfortunately, this is a decision that many people have to ask themselves. If someone can threaten you physically, it bypasses whatever digital security you have in place.

Thanks to https://twitter.com/jw for sharing this harrowing story with us.

Affiliate links to books:

The Smart Girl’s Guide to Privacy: https://www.amazon.com/gp/product/1593276486/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1593276486&linkCode=as2&tag=tunn01-20&linkId=0a8ee2ca846534f77626757288d77e00

Extreme Privacy:https://www.amazon.com/gp/product/B0898YGR58/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=B0898YGR58&linkCode=as2&tag=tunn01-20&linkId=575c5ed0326484f0b612f000621b407f

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET.

Support for this show comes from Ping Identity, champions of identity for the global enterprise. Give your users a loveable login solution. Visit www.pingidentity.com/.

View all active sponsors.

105: Secret Cells

Joseph Cox (https://twitter.com/josephfcox), Senior Staff Writer at Motherboard (https://www.vice.com/en/topic/motherboard), joins us to talk about the world of encrypted phones.

Books

Affiliate links to books:

Extreme Privacy:https://www.amazon.com/gp/product/B0898YGR58/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=B0898YGR58&linkCode=as2&tag=tunn01-20&linkId=575c5ed0326484f0b612f000621b407f

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET.

Support for this show comes from Ping Identity, champions of identity for the global enterprise. Give your users a loveable login solution. Visit www.pingidentity.com/.

View all active sponsors.

104: Arya

Arya Ebrahami has had quite a personal relationship with darknet marketplaces. In this episode you’ll hear about his adventures on tor. Arya’s current project is https://lofi-defi.com.

Sponsors

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

View all active sponsors.

Sources

https://www.nbcwashington.com/news/local/27-arrested-in-prince-william-county-narcotics-investigation/58441/

https://patch.com/virginia/manassas/undercover-narcotics-operation-nets-27-arrrests-xanax-distribution-ring

103: Cloud Hopper

Fabio Viggiani is an incident responder. In this episode he talks about the story when one of his clients were breached.

Sponsors

Support for this show, and for stretched security teams, comes from SOC.OS. Too many security alerts means alert fatigue for under-resourced SecOps teams. Traditional tools aren’t solving the problem. SOC.OS is the lightweight, cost-effective, and low-maintenance solution for your team. Centralise, enrich, and correlate your security alerts into manageable, prioritised clusters. Get started with an extended 3-month free trial at https://socos.io/darknet.

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET.

Sources

https://www.reuters.com/investigates/special-report/china-cyber-cloudhopper

https://www.reuters.com/article/us-china-cyber-cloudhopper-companies-exc-idUSKCN1TR1D4

https://www.fbi.gov/wanted/cyber/apt-10-group

https://www.youtube.com/watch?v=277A09ON7mY

https://www.wsj.com/articles/ghosts-in-the-clouds-inside-chinas-major-corporate-hack-11577729061

https://www.technologyreview.com/2018/12/20/239760/chinese-hackers-allegedly-stole-data-of-more-than-100000-us-navy-personnel/

102: Money Maker

Frank Bourassa had an idea. He was going to make money. Literally. Listen to the story of a master counterfeiter.

101: Lotería

In 2014 the Puerto Rico Lottery was mysteriously losing money. Listen to this never before told story about what happened and who did it.

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET.

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

Sources

https://en.wikipedia.org/wiki/Puerto_Rico_Lottery

https://www.justice.gov/usao-pr/pr/10-individuals-indicted-drug-trafficking-and-money-laundering

https://www.dea.gov/press-releases/2014/07/22/caribbean-corridor-strike-force-arrests-10-individuals-indicted-drug

https://casetext.com/case/united-states-v-delfin-robles-alvarez-7

100: NSO

The NSO Group creates a spyware called Pegasus which gives someone access to the data on a mobile phone. They sell this spyware to government agencies around the world. How is it used and what kind of company is the NSO Group?

Thanks to John Scott-Railton and Citizen Lab for investigating this and sharing their research.

Sponsors

Support for this show comes from Detectify. Try their web vulnerability scanner free. Go to https://detectify.com/?utm_source=podcast&utm_medium=referral&utm_campaign=DARKNET

Support for this show comes from Ping Identity, champions of identity for the global enterprise. Give your users a loveable login solution. Visit www.pingidentity.com/.

For a full list of sources used in this episode and complete transcripts visit https://darknetdiaries.com.

99: The Spy

Igor works as a private investigator in NYC. He’s often sitting in cars keeping a distant eye on someone with binoculars. Or following someone through the busy streets of New York. In this episode we hear about a time when Igor was on a case but sensed that something wasn’t right.

Sponsors

Support for this show comes from Exabeam. Exabeam lets security teams see what traditional tools can’t, with automated threat detection and triage, complete visibility across the entire IT environment and advanced behavioral analytics that distinguishes real threats from perceived ones, so security teams stay ahead and businesses keep moving — without fear of the unknown. When the security odds are stacked against you, outsmart them from the start with Exabeam. Learn more at https://exabeam.com/DD.

View all active sponsors.

Sources

Article: The Case of the Bumbling Spy

Podcast: The Catch and Kill Podcast with Ronan Farrow

98: Zero Day Brokers

Zero day brokers are people who make or sell malware that’s sold to people who will use that malware to exploit people. It’s a strange and mysterious world that not many people know a lot about. Nicole Perlroth, who is a cybersecurity reporter for the NY Times, dove in head first which resulted in her writing a whole book on it.

Affiliate link for book: This is How They Tell Me The World Ends (https://www.amazon.com/gp/product/1635576059/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1635576059&linkCode=as2&tag=tunn01-20&linkId=0aa8c966d98b49a7927bfc29aac76bbe)

Audiobook deal: Try Audible Premium Plus and Get Up to Two Free Audiobooks (https://www.amazon.com/Audible-Free-Trial-Digital-Membership/dp/B00NB86OYE/?ref_=assoc_tag_ph_1485906643682&_encoding=UTF8&camp=1789&creative=9325&linkCode=pf4&tag=tunn01-20&linkId=31042b955d5e6d639488dc084711d033)

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET.

Support for this show comes from Privacy.com. Privacy allows you to create anonymous debit cards instantly to use for online shopping. Visit privacy.com/darknet to get a special offer.

View all active sponsors.

Sources

97: The Pizza Problem

What if someone wanted to own your Instagram account? Not just control it, but make it totally theirs. This episode tells the story of how someone tried to steal an Instagram account from someone.

Sponsors

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

View all active sponsors.

Sources

Vid: The $5 Million Phone Hack 📱True Life Crime

96: The Police Station Incident

Nicole Beckwith wears a lot of hats. She’s a programmer, incident responder, but also a cop and a task force officer with the Secret Service. In this episode she tells a story which involves all of these roles.

https://twitter.com/NicoleBeckwith

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET.

Support for this show comes from Exabeam. Exabeam lets security teams see what traditional tools can’t, with automated threat detection and triage, complete visibility across the entire IT environment and advanced behavioral analytics that distinguishes real threats from perceived ones, so security teams stay ahead and businesses keep moving — without fear of the unknown. When the security odds are stacked against you, outsmart them from the start with Exabeam. Learn more at https://exabeam.com/DD.

View all active sponsors.

Sources

95: Jon & Brian's Big Adventure

Jon and Brian are penetration testers who both worked at a place called RedTeam Security. They’re paid to break into buildings and hack into networks to test the security of those buildings. In this episode they bring us a story of how they prepare and execute a mission like this. But even with all the preparation, something still goes terribly wrong.

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET.

Support for this show comes from Ping Identity, champions of identity for the global enterprise. Give your users a loveable login solution. Visit www.pingidentity.com/.

View all active sponsors.

Sources

94: Mariposa

Chris Davis has been stopping IT security threats for decades. He’s currently running the company Hyas that he started. In this episode he tells a few tales of some threats that he helped stop.

Sponsors

View all active sponsors.

Sources

93: Kik

Kik is a wildly popular chat app. Their website says that 1 in 3 American teenagers use Kik. But something dark is brewing on Kik.

92: The Pirate Bay

The Pirate Bay is a website, a search engine, which has an index of torrent files. A lot of copyrighted material is listed on the site, but the site doesn’t store any of the copyrighted material. It just points the user to where you can download it from. So for a while The Pirate Bay has been the largest places you can find pirated movies, music, games, and apps. But this site first came up 2003. And is still up and operation now, 18 years later! You would think someone would shut this place down by now. How does the biggest source for copyrighted material stay up and online for that long? Listen to this episode to find out.

Sponsors

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

View all active sponsors.

91: webjedi

What happens when an unauthorized intruder gets into the network of a major bank? Amélie Koran aka webjedi was there for one of these intrusions and tells us the story of what happened.

You can find more talks from Amélie at her website webjedi.net.

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

This podcast is sponsored by Navisite. Accelerate IT transformation to respond to new demands, lower costs and prepare for whatever comes next. Visit Navisite.com/go.

View all active sponsors.

Sources

90: Jenny

Meet Jenny Radcliffe, the People Hacker. She’s a social engineer and physical penetration tester. Which means she gets paid to break into buildings and test their security. In this episode she tells us a few stories of some penetration testing jobs she’s done.

Sponsors

This podcast is sponsored by Navisite. Accelerate IT transformation to respond to new demands, lower costs and prepare for whatever comes next. Visit Navisite.com/go.

View all active sponsors.

Sources

humanfactorsecurity.co.uk

89: Cybereason - Molerats in the Cloud

The threat research team at Cybereason uncovered an interesting piece of malware. Studied it and tracked it. Which lead them to believe they were dealing with a threat actor known as Molerats.

Sponsors

This episode is sponsored by Cybereason. Cybereason reverses the attacker’s advantage and puts the power back in your hands. Their future-ready attack platform gives defenders the wisdom to uncover, understand, and piece together multiple threats. And the precision focus to end cyberattacks instantly – on computers, mobile devices, servers, and the cloud. They do all this through a variety of tools they’ve developed such as antivirus software, endpoint monitoring, and mobile threat detection tools. They can give you the power to do it yourself, or they can do all the monitoring and respond to threats in your environment for you. Or you can call them after an incident to get help cleaning up. If you want to monitor your network for threats, check out what Cybereason can do for you. Cybereason. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.

View all active sponsors.

Sources

88: Victor

Victor looks for vulnerabilities on the web and reports them responsibly. This is the story about discloser number 5780.

Listen to episodes 86, and 87 before this one to be caught up on the story leading up to this.

Sponsors

This podcast is sponsored by Navisite. Accelerate IT transformation to respond to new demands, lower costs and prepare for whatever comes next. Visit Navisite.com/go.

This podcast is sponsored by the JSCM Group. They have a service called ClosedPort: Scan, and it’s is a monthly Penetration Test performed by Cyber Security Experts. Contact JSCM Group today at jscmgroup.com/darknet.

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

87: Guild of the Grumpy Old Hackers

In 2016 the LinkedIn breach data became available to the public. What the Guild of the Grumpy Old Hackers did with it then is quite the story. Listen to Victor, Edwin, and Mattijs tell their story.

Sponsors

Support for this show comes from Privacy.com. Privacy allows you to create anonymous debit cards instantly to use for online shopping. Visit privacy.com/darknet to get a special offer.

View all active sponsors.

86: The LinkedIn Incident

In 2012, LinkedIn was the target of a data breach. A hacker got in and stole millions of user details. Username and password hashes were then sold to people willing to buy. This episode goes over the story of what happened.

For a good password manager, check out LastPass.

Sponsors

Support for this episode comes from Quadrant Information Security. If you need a team of around the clock analysts to monitor for threat in your network using a custom SIEM, check out what Quadrant can do for you by visiting www.quadrantsec.com.

Support for this show comes from Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn’t be. Check them out at https://canary.tools.

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

85: Cam the Carder

This is the story of Cam Harrison, aka “kilobit” and his rise and fall as a prominent carder.

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this episode comes from Oracle for Startups. Oracle for Startups delivers enterprise cloud at a startup price tag, with free cloud credits and 70% off industry-leading cloud services to help you reel in the big fish—confidently. To learn more, visit Oracle.com/goto/darknet.

View all active sponsors.

Sources

84: Jet-setters

How bad is it if you post your boarding pass on Instagram? Our guest, “Alex” decides to figure this out for themself and has quite a story about what happened. You can read more from “Alex” on their blog https://mango.pdf.zone.

We also hear from TProphet who’s here to give us some travel hacks to save tons on airfare when we start traveling again. You can learn more about TProphet’s travel hacks at https://seat31b.com or https://award.cat.

Sponsors

Support for this show comes from Tanium. With Tanium you can gain real-time security and operational data directly from your endpoints – along with the ability to take action on, and create reports from, that data – in just minutes, so that you and your teams can have the insight and capability necessary to accomplish the mission effectively. Learn more at https://federal.tanium.com.

View all active sponsors.

Sources

83: NSA Cryptologists

In this episode we interview two NSA Cryptologists, Marcus J. Carey and Jeff Man. We hear their story of how they got into the NSA and what they did while there.

To hear more stories from Jeff tune into Paul’s Security Weekly where Jeff is a regular co-host and shares a lot of stories and insights.

Marcus has written several books on security. They are Tribe of Hackers, Tribe of Hackers Blue Team, Tribe of Hackers Red Team, Tribe of Hackers Security Leaders, Think in Code, and a childrens book called Three Little Hackers.

Also check out the Tribe of Hackers podcast to hear interviews with all these amazing people!

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

View all active sponsors.

82: Master of Pwn

The Zero Day Initiative runs a hacker contest called Pwn2Own. The contest calls the best hackers in the world to demonstrate they can hack into software that should be secure. Like browsers, phones, and even cars. A lot of vulnerabilities are discovered from this event which means vendors must fix them. Whoever can demonstrate the most vulnerabilities will be crowned the “Master of Pwn”.

Thanks to Dustin Childs and Brian Gorenc from ZDI to hear all about Pwn2Own.

Thanks to Radek and Pedro for sharing their experiences of becoming the Masters of Pwn.

Sponsors

Support for this show comes from Kars 4 Kids. Donate your car today, this organization will sell to use for their charity.

View all active sponsors.

Sources

81: The Vendor

This is the story of a darknet marketplace vendor we’ll name V. V tells his story of how he first became a buyer, then transitioned into seller.

This episode talks about drugs. Listener discretion is advised.

If you want to contact V his email is at https://darknetdiaries.com/episode/81.

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

80: The Whistleblower

In this episode we hear a story from a social engineer who’s job it is to get people to do things they don’t want to do. Why? For profit.

Sponsors

Support for this episode comes from SentinelOne which can protect and assistwith ransomeware attacks. On top of that, SentinelOne offers threat hunting, visibility, and remote administration tools to manage and protect any IoT devices connected to your network. Go to SentinelOne.com/DarknetDiaries for your free demo. Your cybersecurity future starts today with SentinelOne.

View all active sponsors.

79: Dark Basin

What do you do when you find yourself the target of a massive hacking campaign, and you are getting thousands of phishing emails and someone following you in your car. You might turn to Citizen Lab who has the ability to research who is behind this and help bring the hackers to justice.

Our guests this episodes are Adam Hulcoop and John Scott-Railton of Citizen Lab. This episode also has an interview with Matthew Earl of Shadowfall.

Sponsors

Support for this show comes from LastPass by LogMeIn. LastPass is a great password manager but it can do so much more. It can setup 2FA for your company, or use it to monitor what your users are doing in the network. Visit LastPass.com/Darknet to start your 14 day free trial.

78: Nerdcore

Nerdcore music is music for nerds. In this episode we hear from some of the musicians who make Nerdcore music.

This episode features guests ytcracker, Ohm-I, and Dual Core.

Content warning: This episode has explicit lyrics.

Music

For a playlist of music used in this episode visit darknetdiaries.com/episode/78.

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

77: Olympic Destroyer

In February 2018, during the Winter Olympics in Pyeongchang South Korea, a cyber attack struck, wiping out a lot of the Olympic’s digital infrastructure. Teams rushed to get things back up, but it was bad. Malware had repeatedly wiped the domain controllers rendering a lot of the network unusable. Who would do such a thing?

We will talk with Andy Greenberg to discuss Olympic Destroyer, a chapter from his book Sandworm (affiliate link).

Sponsors

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

76: Knaves Out

This is the story about how someone hacked into JP Morgan Chase, one of the biggest financial institutions in the world. It’s obvious why someone would want to break into a bank right? Well the people who hacked into this bank, did not do it for obvious reasons. The hackers are best described as knaves. Which are tricky, deceitful fellows.

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

For a complete list of sources and a full transcript of the show visit darknetdiaries.com/episode/76.

75: Compromised Comms

From 2009 to 2013 the communication channels the CIA uses to contact assets in foreign countries was compromised. This had terrifying consequences.

Guests this episodes are Jenna McLaughlin and Zach Dorfman.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

This episode was sponsored by Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn’t be. Check them out at https://canary.tools.

View all active sponsors.

Sources

Attribution

Darknet Diaries is created by Jack Rhysider.

Research assistance this episode from Yael Grauer.

74: Mikko

Poker is a competitive game. Unlike other casino games, poker is player vs player. Criminal hackers have understood this for a while and sometimes hack the other players to get an edge. And that small edge can result in millions of dollars in winnings.

This episode contains a story from Mikko Hypponen of F-Secure. We also interview Mikko to know more about him and the history of malware.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Sources

73: WannaCry

It is recommend to listen to episodes 53 “Shadow Brokers”, 71 “FDFF”, and 72 “Bangladesh Bank Heist” before listening to this one.

In May 2017 the world fell victim to a major ransomware attack known as WannaCry. One of the victims was UK’s national health service. Security researchers scrambled to try to figure out how to stop it and who was behind it.

Thank you to John Hultquist from FireEye and thank you to Matt Suiche founder of Comae.

Sponsors

Support for this episode comes from LastPass. LastPass is a great password manager but it can do so much more. It can setup 2FA for your company, or use it to monitor what your users are doing in the network. Visit LastPass.com/Darknet to start your 14 day free trial.

This episode was sponsored by Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and when signing up with a new account use code darknet2020 to get a $20 credit on your next project.

72: Bangladesh Bank Heist

A bank robbery with the objective to steal 1 billion dollars. This is the story of the largest bank robbery in history. And it was all done over a computer.

Our guest this episode was Geoff White. Learn more about him at geoffwhite.tech.

Check out Geoff’s new book Crime Dot Com. Affiliate link: https://www.amazon.com/gp/product/1789142857/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1789142857&linkCode=as2&tag=darknet04-20&linkId=bb5a6aa7ba980183e0ce7cee1939ea05

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

71: Information Monopoly

In this episode, we’re going into the depths of North Korea to conduct one of the greatest hacks of all time. To find a way to inject information into a country run by totalitarian regime.

A big thanks to Yeonmi Park for sharing her story with us. Also thanks to Alex Gladstein for telling us the inside story.

You can find more about Flash Drive For Freedom at flashdrivesforfreedom.org.

Yeonmi’s book "In Order to Live": https://www.amazon.com/gp/product/014310974X/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=014310974X&linkCode=as2&tag=darknet04-20&linkId=88ebdc087c6ce041105c479b1bb6c3d2

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

70: Ghost Exodus

Ghost Exodus is a hacker. He conducted various illegal activities online. Some of which he documents on YouTube. He’s also a great musician. He got into some trouble from his hacking. This is his story.

A big thanks to Ghost Exodus for sharing his story with us. Also thanks to Wesley McGrew for telling us the inside story.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

This episode was sponsored by Detectify. What vulnerabilities will their crowdsource-powered web vulnerability scanner detect in your web applications? Find out with a 14-day free trial. Go to https://detectify.com/Darknet

Sources

69: Human Hacker

We all know that computers and networks are vulnerable to hacking and malicious actors, but what about us, the humans who interface with these devices? Con games, scams, and strategic deception are far older than computers, and in the modern era, these techniques can make humans the weakest link in even the most secure system. This episode, security consultant and master social engineer, Christopher Hadnagy, joins us to share his stories and wisdom. He describes what it was like to be a social engineer before the world knew what social engineering was and tells some of his amazing stories from his long career in penetration testing.

A big thanks to Christopher Hadnagy from social-engineer.org for sharing his stories with us.

Check out his book Social Engineering: The Science of Human Hacking, affiliate link here.

Check out his podcast called The Social-Engineer podcast.

Sponsors

Sources

Book Recommendations with affiliate links:

68: Triton

A mysterious mechanical failure one fateful night in a Saudi Arabian chemical plant leads a cast of operational technology researchers down a strange path towards an uncommon, but grave, threat. In this episode, we hear how these researchers discovered this threat and tried to identify who was responsible for the malware behind it. We also consider how this kind of attack may pose a threat to human life wherever there are manufacturing or public infrastructure facilities around the world.

A big thanks to Julian Gutmanis, Naser Aldossary, Marina Krotofil, and Robert M. Lee for sharing their stories with us.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Sources

67: The Big House

John Strand is a penetration tester. He’s paid to break into computer networks and buildings to test their security. In this episode we listen to stories he has from doing this type of work.

Thanks to John Strand for coming on the show and telling your story.

Sponsors

Sources

66: freakyclown

Freakyclown is a physical penetration tester. His job is to break into buildings to test the security of the building. In this episode we hear stories of some of these missions he’s been on.

Thanks to Freakyclown for coming on the show and telling your story.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

This episode was sponsored by Molekule, a new air purifier that completely destroys air pollutants to help you breath easier. https://molekule.com.

65: PSYOP

PSYOP, or “Psychological Operations”, is something the US military has been doing to foreign audiences for decades. But what exactly is it? And what’s the difference between white, gray, and black PSYOP missions? We talk to PSYOP specialists to learn more.

Thanks to Jon Nichols for telling us about this fascinating world.

Sponsors

Sources

Videos

64: The Athens Shadow Games

Vodafone Greece is the largest telecom provider in Greece. But in 2004 a scandal within the company would pin them to be top of the news cycle in Greece for weeks. Hackers got in the network. And what they were after took everyone by surprise.

Sponsors

Support for this episode comes from Okta. Learn more about how you can improve your security posture with the leader in identity-driven security at okta.com/darknet.

This episode is supported by PlexTrac. PlexTrac is the purple teaming platform and is designed to streamline reporting, tracking and attestation so you can focus on getting the real cybersecurity work done. Whether you're creating pen test reports on the red team, or tracking and remediating on the blue team, PlexTrac can help.

63: w0rmer

The hacker named w0rmer was active within AnonOps. These are Anonymous Operations which often organize and wage attacks on websites or people often with the purpose of social justice. Eventually w0rmer joined in on some of these hacking escapades which resulted in an incredible story that he will one day tell his kids.

Thanks to w0rmer for telling us your story.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this episode comes from LastPass. LastPass is a great password manager but it can do so much more. It can setup 2FA for your company, or use it to monitor what your users are doing in the network. Visit LastPass.com/Darknet to start your 14 day free trial.

SourcesArchived Tweets

Feb 7, 2012 Twitter user @Anonw0rmer posts “@MissAnonFatale I managed to pwn1 a site , get my papers , find my required primary IDS , yeah baby, i deservers em :)”

Feb 8, 2012 1:17 AM, Twitter user @Anonw0rmer posted, “ROFL! WaS that us? https://www.wvgazettemail.com/news/legal_affairs/hackers-group-posts-police-chiefs-information-online/article_77f79fd5-f76f-5825-ae19-43a398361fdf.html o yeah oops #OpPigRoast #CabinCr3w”

Feb 9, 2012 12:35 AM, Twitter user @Anonw0rmer posted, “DB Leak http://dps.alabama.gov https://pastehtml.com/view/bnik8yo1q.html”. The bottom of this post originally showed this NSFW image.

Feb 9, 2012 at 8:42 PM, Twitter user @Anonw0rmer posted, “Mobile Alabama Police Criminal Record Database Logins Failing To Protect And Serve I Via @ItsKahuna I http://pastehtml.com/view/bnmjxxgfp.html #OpPiggyBank.”

Feb 9, 2012 at 8:39 PM, Twitter user @CabinCr3w posted, “Texas Dept. of safety Hacked By @AnonWOrmer for #OpPiggyBank http://bit.ly/x1KH5Y #CabinCr3w #Anonymous” Bottom of pastebin also shows a woman holding a sign saying “We Are ALL Anonymous We NEVER Forgive. We NEVER Forget. <3 @Anonw0rmer”

Feb 10, 2012 at 9:07 PM, Twitter user @Anonw0rmer posted, “My baby SETS standards ! wAt U got? https://i.imgur.com/FbH2K.jpg https://i.imgur.com/zsPvm.jpg https://i.imgur.com/S2S2C.jpg https://i.imgur.com/TVqdN.jpg #CabinCr3w”.

Links

62: Cam

Cam’s story is both a cautionary tale and inspirational at the same time. He’s been both an attacker and defender. And not the legal kind of attacker. He has caused half a million dollars in damages with his attacks. Attacks that arose from a feeling of seeing injustices in the world. Listen to his story.

Sponsors

This episode was sponsored by Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and when signing up with a new account use code darknet2020 to get a $20 credit on your next project.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

Sources

61: Samy

Samy Kamkar is a hacker. And while he’s done a lot of stuff, he’s best known for creating the Samy Worm. Which spread its way through a popular social media site and had crazy results.

Thanks to our guest Samy Kamkar for telling his story. Learn more about him by visiting https://samy.pl/.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Sources

60: dawgyg

This is a story about the hacker named “dawgyg” and how he made over $100,000 in a single day, from hacking.

Thanks to our guest dawgyg for telling his story.

Sponsors

This episode is sponsored by SentinelOne - to learn more about their endpoint security solutions and get a 30-day free trial, visit sentinelone.com/darknetdiaries

Sources

59: The Courthouse

In this episode we hear from Gary and Justin. Two seasoned penetration testers who tell us a story about the time when they tried to break into a courthouse but it went all wrong.

Sponsors

This episode was sponsored by Detectify. Try their web vulnerability scanner free. Go to https://detectify.com/?utm_source=podcast&utm_medium=referral&utm_campaign=DARKNET

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Sources

58: OxyMonster

OxyMonster sold drugs on the darknet at Dream Market. Something happened though, and it all came crashing down.

Sponsors

This episode was sponsored by Detectify. Try their web vulnerability scanner free. Go to https://detectify.com/?utm_source=podcast&utm_medium=referral&utm_campaign=DARKNET

This episode was sponsored by Molekule, a new air purifier that completely destroys air pollutants to help you breath easier. https://molekule.com to use check out code “DARKNET10” to get a discount.

See complete list of sources at https://darknetdiaries.com/episode/58.

57: MS08-067

Hear what goes on internally when Microsoft discovers a major vulnerability within Windows.

Guest

Thanks to John Lambert for sharing this story with us.

Sponsors

Support for this episode comes from ProCircular. Use the team at ProCircular to conduct security assessments, penetration testing, SIEM monitoring, help with patches, or do incident response. Visit www.procircular.com/ to learn more.

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Sources

Attribution

Darknet Diaries is created by Jack Rhysider.

Episode artwork by odibagas.

Theme music created by Breakmaster Cylinder. Theme song available for listen and download at bandcamp. Or listen to it on Spotify.

56: Jordan

This is the story of Jordan Harbinger. A bit of a misfit teenager, who was always on the edge of trouble. In this story we hear what happened that lead to a visit from the FBI.

Guest

Thanks to Jordan Harbinger for sharing his story with us. You can find hist podcast by searching for The Jordan Harbinger Show wherever you listen to podcasts.

Sponsors

This episode was sponsored by Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn’t be. Check them out at https://canary.tools.

More information at https://darknetdiaries.com/episode/56.

55: NoirNet

A holiday special episode. A private pen tester takes on a job that involves him with another eccentric pen tester, a mischievious smile, and his quest to gain access to the network.

Guest

Thanks to TinkerSec for telling us the story.

Sources

https://twitter.com/TinkerSec/status/1206410740099366918

Attribution

Darknet Diaries is created by Jack Rhysider.

Artwork this episode by habblesthecat.

More information at DarknetDiaries.com.

54: NotPetya

The story of NotPetya, seems to be the first time, we see what a cyber war looks like. In the summer of 2017 Ukraine suffered a serious and catastrophic cyber attack on their whole country. Hear how it went down, what got hit, and who was responsible.

Guest

Thanks to Andy Greenberg for his research and sharing this story. I urge you to get his book Sandworm because it’s a great story.

Sponsors

This episode was sponsored by Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and when signing up with a new account use code darknet2019 to get a $20 credit on your next project.

Support for this episode comes from Honeybook. HoneyBook is an online business management tool that organizes your client communications, bookings, contracts, and invoices – all in one place. Visit honeybook.com/darknet to get 50% off your subscription.

This episode was sponsored by CMD. Securing Linux systems is hard, let CMD help you with that. Visit cmd.com/dark to get a free demo.

For more show notes visit darknetdiaries.com/episode/54.

53: Shadow Brokers

The NSA has some pretty advanced, super secret, hacking tools. What if these secret hacking tools were to end up in the wrong person’s hands? Well, that happened.

Guest

Thanks to Jake Williams from Rendition Security for telling us the story.

Sponsors

52: Magecart

Credit card skimming is growing in popularity. Gas pumps all over are seeing skimmers attached to them. It’s growing in popularity because it’s really effective. Hackers have noticed how effective it is and have began skimming credit cards from websites.

Guest

Thanks to Yonathan Klijnsma from RiskIQ.

Sponsors

This episode was sponsored by CMD. Securing Linux systems is hard, let CMD help you with that. Visit https://cmd.com/dark to get a free demo.

Visit darknetdiaries.com for full show notes and transcripts.

Ep 51: The Indo-Pak Conflict

Kashmir is a region right in between India, Pakistan, and China. For the last 70 years Pakistan and India have fought over this region of the world, both wanting to take control of it. Tensions sometimes heat up which can result in people being killed. When tensions get high in the real world, some people take to the internet and hack their rivals as a form of protest. In this episode we’ll explore some of the hacking that goes on between India and Pakistan.

Sponsors

Support for this episode comes from Check Point. Check Point makes firewalls and security appliances you can use to combat the latest generation of cyber attacks. Upgrade your cybersecurity at CheckPoint.com

For more show notes and links visit https://darknetdiaries.com/episode/51.

Ep 50: Operation Glowing Symphony

Operation Inherent Resolve was started in 2016 which aimed to combat ISIS. It was a combined joint task force lead by the US military. Operation Inherent Resolve sent troops, ships, and air strikes to Iraq and Syria to fire weapons upon ISIS military. It’s widely known that US military engaged with ISIS in this way. But what you may not have heard, is the story of how the US military also combated ISIS over the Internet. This is the story of how the US hacked ISIS.

Sponsors

Support for this episode comes from Honeybook. HoneyBook is an online business management tool that organizes your client communications, bookings, contracts, and invoices – all in one place. Visit [honeybook.com/darknet] to get 50% off your subscription.

Ep 49: Elliot

In this episode we meet Elliot Alderson (@fs0c131y) from Twitter. Who is this strange masked person? What adventures have they gotten themselves into? Many stories will be told. The mask will be lifted.

Sponsors

Go to https://nordvpn.com/darknet to get 70% off a 3 year plan and use code darknet for an extra month for free!

Ep 48: Operation Socialist

This is the story about when a nation state hacks into a company within another nation.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25 to get 25% off.

This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code “DARKNET” to get 75% off when signing up for 3 years.

Ep 47: Project Raven

This is the story about an ex-NSA agent who went to work for a secret hacking group in the UAE.

Sponsors

Ep 46: XBox Underground (Part 2)

This is the story about the XBox hacking scene and how a group of guys pushed their luck a little too far.

This is part 2 of a 2 part series.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet.

Learn more about stocks and investing from MyWallSt. Visit mywallst.com/darknet to learn more.

Ep 45: XBox Underground (Part 1)

This is the story about the XBox hacking scene and how a group of guys pushed the hacking a little too far.

This is part 1 of a 2 part series.

Sponsors

This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code "DARKNET".

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. Use promot code "DARKNET25".

Ep 44: Zain

Ransomware is ugly. It infects your machine and locks all the the data and to unlock you have to pay a fee. In this episode we dive into some of the people behind it.

Sponsors

This episode was sponsored by CMD. Securing Linux systems is hard, let CMD help you with that. Visit https://cmd.com/dark to get a free demo.

This episode was sponsored by MyWallSt. Their app can help you find good looking stocks to invest in. Visit MyWallSt.com/dark to start your free 30 day trial.

For more show notes and links check out darknetdiaries.com.

Ep 43: PPP

This is the story about how I acquired a black badge from DEFCON (pictured above).

We also hear the story about who PPP is, and their CTF journey at DEFCON.

This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code “DARKNET”.

This episode was sponsored by Detectify. Try their web vulnerability scanner free. Go to https://detectify.com/?utm_source=podcast&utm_medium=referral&utm_campaign=DARKNET

Ep 42: Mini-Stories: Vol 2

Three stories in one episode. Listen in on one of Dave Kennedy's penetration tests he conducted where he got caught trying to gain entry into a datacenter. Listen to a network security engineer talk about the unexpected visitor found in his network and what he did about it. And listen to Dan Tentler talk about a wild and crazy engagement he did for a client.

Guests

A very special thanks to Dave Kennedy. Learn more about his company at trustedsec.com.

Thank you Clay for sharing your story. Check out the WOPR Summit.

Viss also brought an amazing story to share. Thank you too. Learn more about him at Phobos.io.

I first heard Clay's story on the Getting Into Infosec Podcast. Thanks Ayman for finding him and bring that story to my attention.

Sponsors

This episode was sponsored by CMD. Securing Linux systems is hard, let CMD help you with that. Visit https://cmd.com/dark to get a free demo.

For more show notes and links check out darknetdiaries.com.

Ep 41: Just Visiting

Join JekHyde and Carl on a physical penetration test, a social engineering engagagement, a red team assessment. Their mission is to get into a building they shouldn't be allowed, then plant a rogue computer they can use to hack into the network from a safe place far away.

This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code "DARKNET".

This episode was sponsored by Hostinger. Go to https://hostinger.com/darknet and use code DARKNET to get 15% off a hosting plan and check out this week’s free feature.

For more information visit darknetdiaries.com.

Ep 40: No Parking

Take a ride with a red teamer. A physical penetration tester as he tries to make his away into unauthorized areas, steal sensitive documents, hack into the computers, and escape with company property.

This episode was sponsored by CMD. Securing Linux systems is hard, let CMD help you with that. Visit https://cmd.com/dark to get a free demo.

This episode was sponsored by Hostinger. Go to https://hostinger.com/darknet and use code DARKNET to get 15% off a hosting plan and check out this week’s free feature.

For complete show notes and links go to darknetdiaries.com.

Ep 39: 3 Alarm Lamp Scooter

A talk at Defcon challenged people to find a way to destroy a hard drive. A young man was inspired by this challenge and was determined to find a way to destroy a hard drive. But this is not a typical young man, with a typical plan.

For pictures of Daniel and his projects visit darknetdiaries.com/episode/39.

This episode was sponsored by Nord VPN. Visit nordvpn.com/darknet and use promo code "DARKNET".

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet.

Ep 38: Dark Caracal

A journalist wrote articles critical of the Kazakhstan government. The government did not like this and attempted to silence her. But they may have done more than just silence her. Perhaps they tried to spy on her too. The EFF investigated this case and went down a very interesting rabbit hole.

Thanks to Cooper Q from EFF's new Threat Lab. Also big thanks to Eva from EFF, Andrew Blaich and Michael Flossman from Lookout.

For another story about the EFF listen to episode 12 "Crypto Wars".

This episode was sponsored by CMD. Securing Linux systems is hard, let CMD help you with that. Visit https://cmd.com/dark to get a free demo.

Ep 37: LVS

The Venetian casino in Las Vegas Nevada was the largest hotel in the world until 2015. The parent company is Las Vegas Sands (LVS) which owns 10 properties around the world. And the CEO and founder of LVS is Sheldon Adelson. One day the CEO said something which sparked quite a firestorm.

This episode was sponsored by Nucleus. Visit nucleussec.com to start your free trial.

This episode was sponsored by CMD. Securing Linux systems is hard, let CMD help you with that. Visit https://cmd.com/dark to get a free demo.

For more show notes visit DarknetDiaries.com.

Ep 36: Jeremy from Marketing

A company hires a penetration tester to pose as a new hire, Jeremy from Marketing, to see how much he can hack into in his first week on the job. It doesn't go as planned.

Thanks to @TinkerSec for telling us this story.

This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code "DARKNET".

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet.

For more show notes visit https://darknetdiaries.com/episode/36.

Ep 35: Carbanak

ATM hacking. Hollywood has been fantasizing about this since the 1980's. But is this a thing now? A security researcher named Barnaby Jack investigated ATMs and found them to be vulnerable. Once he published his data the ATM hacking scene rose in popularity and is is a very serious business today.

One of the first big ATM robberies was done with the malware called Carbanak. Jornt v.d. Wiel joins us to discuss what this malware is.

This episode was sponsored by Nucleus. Visit nucleussec.com to start your free trial.

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet.

For more show notes and links visit darknetdiaries.com.

Ep 34: For Your Eyes Only

Nude selfies. This episode is all about nude selfies. What happens if you take one and give it to a vengeful boyfriend. What happens when a hacker knows you have them and wants to steal them from your phone. What happens is not good.

This episode was sponsored by Nord VPN. Visit nordvpn.com/darknet and use promo code "DARKNET".

This episode was sponsored by Molekule, a new air purifier that completely destroys air pollutants to help you breath easier. Visit molekule.com to use check out code "DARKNET" to get a discount.

For references, sources, and links check out the show notes at darknetdiaries.com/episode/34/.

Ep 33: RockYou

In 2009 a hacker broke into a website with millions of users and downloaded the entire user database. What that hacker did with the data has changed the way we view account security even today.

This episode was sponsored by CuriosityStream. A streaming service showing non-fiction and documtnaries. Visit https://curiositystream.com/darknet and use promo code "darknet".

This episode was sponsored by CMD. Securing Linux systems is hard, let CMD help you with that. Visit https://cmd.com/dark to get a free demo.

To see more show notes visit darknetdiaries.com/episode/33.

Ep 32: The Carder

A carding kingpin was tracked by the Secret Service. How did he steal the cards? Where was he stealing them from? How much was he making doing this? And where did he go wrong? Find out all this and more as we listen to how the Secret Service investigated the case.

This episode was sponsored by Eero. A solution to blanket your home in WiFi. Visit https://eero.com/darknet and use promo code "darknet".

This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code "darknet".

Cover image this episode created by 𝕄årç ∆⃝ 𝕄ølïñårō.

Go to Darknet Diaries for additional show notes.

Ep 31: Hacker Giraffe

In late November 2018, a hacker found over 50,000 printers were exposed to the Internet in ways they shouldn't have been. He wanted to raise awareness of this problem, and got himself into a whole heap of trouble.

For show notes and links visit DarknetDiaries.com.

This episode was sponsored by CuriosityStream. A documentary streaming service. Visit curiositystream.com/darknet and use promo code "darknet".

This episode is also sponsored by Cover. Visit cover.com/darknet to get insured today.

Ep 30: Shamoon

In 2012, Saudi Aramco was hit with the most destructive virus ever. Thousands and thousands of computers were destroyed. Herculean efforts were made to restore them to operational status again. But who would do such an attack?

Very special thanks goes to Chris Kubecka for sharing her story.

She is author of the book Down the Rabbit Hole An OSINT Journey, and Hack The World With OSINT (due out soon).

This episode was sponsored by Eero. A solution to blanket your home in WiFi. Visit https://eero.com/darknet and use promo code "darknet".

This episode is also sponsored by Cover. Visit cover.com/darknet to get insured today.

Ep 29: Stuxnet

Stuxnet was the most sophisticated virus ever discovered. It's target was a nuclear enrichment facility in Iran. This virus was successfully able to destroy numerous centrifuges. Hear who did it and why.

Special thanks to Kim Zetter for joining us this episode. You can find more about Stuxnet from her book Count Down to Zero Day.

Ep 28: Unit 8200

Israel has their own version of the NSA called Unit 8200. I was curious what this unit does and tried to take a peek inside. Hear what I found by listening along to this episode.

This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code “darknet”.

This episode is also sponsored by Mack Weldon. Visit mackweldon.com to shop for premium men's casual wear and get a 20% off discount with your first order by using promo code “diaries”.

Ep 27: Chartbreakers

Something is wrong with the Apple Podcasts top charts. As a podcaster, this personally annoyed and intrigued me. I investigate how this is happening and who is behind it.

For show notes visit https://darknetdiaries.com/episode/27.

This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code 'darknet'.

This episode is sponsored by LPSS Digital Marketing, your source for honest, transparent marketing services for businesses of all sizes. Visit LPSS at https://www.lpss.co/ for details.

Ep 26: IRS

The IRS processes $3 trillion dollars a year. A lot of criminals want to get a piece of that. In 2015 the IRS had a large data breach. Hundreds of thousands of tax records were leaked. What happened and who was behind this? Listen to this episode to find out.

For show notes visit https://darknetdiaries.com

Ep 25: Alberto

Alberto Hill was sent to prison for a long time for hacking. For a crime he said he did not commit. Listen to his story and you be the judge on whether he's guilty or not.

Ep 24: Operation Bayonet

Darknet markets are online black markets. They are highly illegal, and dangerous to run. Hear exactly how dangerous it was for Alphabay and Hansa dark markets.

Ep 23: Vladimir Levin

When banks started coming online, they almost immediately started being targeted by hackers. Vladimir Levin was one of the first ever known hacker to try to rob a bank. He succeeded a little, and failed a lot. Vladimir would go down in the history books as one of the most notorious hackers of all time because of his attempted online bank robberies.

Ep 22: Mini-Stories: Vol 1

Three stories in one! In this episode we hear about a penetration test from Mubix that he'll never forget, a incident response from Robert M. Lee which completely stunned him, and a social engineering mission from Snow.

Podcast recommendation: Moonshot.

Ep 21: Black Duck Eggs

Ira Winkler's specialty is assembling elite teams of special forces and intelligence officers to go after companies. Ira shares a story about a time he and his team broke into a global 5 company. A company so large that theft of intellictual property could result in billions of dollars of damage.

Ira's consulting company: Secure Mentum.

His books: Spies Among Us, Advanced Persistent Security, Through the Eyes of the Enemy.

Ep 20: mobman

Chances are, if you were downloading shady programs in the early 2000's, you were infected with malware he wrote called SubSeven. Hacking changed mobman's life. Hear how it happened by listening to this episode.

Image for this episode created by dr4w1ngluc4s. Check out his Instagram to see some amazing artwork!

Check out the podcasts Van Sounds and True Crime Island

Ep 19: Operation Aurora

In 2009, around Christmas time, something terrible was lurking in the network at Google. Google is the most popular website on the Internet. It’s so popular many people just think Google is the Internet. Google hires many of the most talented minds and has been online since the 90s. Hacking into Google is no easy task. There’s a team of security engineers who test and check all the configurations on the site before they go live. And Google has teams of security analysts and technicians watching the network 24/7 for attacks, intrusions, and suspicious activity. Security plays a very vital role at Google, and everything has to have the best protections. But this attack slipped past all that. Hackers had found their way into the network. They compromised numerous systems, burrowed their way into Google’s servers, and were trying to get to data they shouldn’t be allowed to have. Google detected this activity. And realized pretty quickly they were dealing with an attack more sophisticated than anything they’ve ever seen.

Podcast recommendation: Twenty Thousand Hertz

Ep 18: Jackpot

A man addicted to gambling finds a bug in a video poker machine that lets him win excessive amounts of money.

Ep 17: Finn

A 14-year-old kid who finds himself bored in class decides to hack someone's twitter account and ends up with more than he bargained for.

Ep 16: Eijah

In 2007, a hacker named Eijah got fed up with the way DRM prevented him from being able to play the content he paid for. He decided to fight back against the AACS and find a way to circumvent the DRM. By the time Eijah was done, his life wasn't the same.

Ep 15: Ill Tills

A major retailer was hacked. Their point of sales machines were riddled with malware. Listen to hear how digital forensics and incident responders handled the situation. What malware was found? Where was it found? How was it stopped? And most importantly, how much data was leaked?

Ep 14: #OpJustina

In 2013 a hospital was accused of conducting a medical kidnapping against a young girl name Justina. This enraged many people across the country, including members of anonymous. A DDOS attack was waged against the hospital.

Ep 13: Carna Botnet

In 2012 the Carna Bot was built and unleashed on the world. But it didn't have any intentions on doing anything malicious. It was built just to help us all understand the Internet better. This botnet used the oldest security vulnerable in the book. And the data that came out of it was amazing.

Ep 12: Crypto Wars

In the 1990's the Internet started to take shape. But the US goverment had strict laws regulating what type of cryptography is allowed to be used online. A few brave people stood up to the government in the name of civil rights and won the right to use strong encryption. Listen to their battle and what they had to do through to accomplish this.

Ep 11: Strictly Confidential

What happens when an innovative tech company, that's trying to develop the next big thing, detects a hacker in their network? We hear the story from a digital forensics investigator which has a surprising result.

Ep 10: Misadventures of a Nation State Actor

In today's world of intelligence gathering, governments hack other governments. This episode takes you on a ride with a nation state actor to see exactly how it's done.

Ep 9: The Rise and Fall of Mt. Gox

Mt. Gox was the largest bitcoin exchange in the world. It suddenly went offline. What happened?

Ep 8: Manfred (Part 2)

Manfred found a way to turn his passion for video games and reverse engineering into a full time business. He exploited video games and sold virtual goods and currency for real money. This was his full time job. Listen to this episode to hear exactly how he did this.

Ep 7: Manfred (Part 1)

Manfred has had the most epic story of all online video game stories. For the last 20 years, he's been hacking online games.

Ep 6: The Beirut Bank Job

Jayson E. Street tells us a story about the time he broke into a bank in Beirut Lebanon.

Ep 5: #ASUSGATE

Security researcher Kyle Lovett bought a new Asus router in 2013. He found it was riddled with security vulnerabilties. He set out on a mission to resolve these vulnerabilities not only for his own router, but for thousands of others who were also vulnerable.

Ep 4: Panic! at the TalkTalk Board Room

Mobile provider TalkTalk suffered a major breach in 2015. The CEO tried her best to keep angry customers calm and carry on. The UK government and Metropolitan Police investigate the breach. We get a rare glimpse of how the CEO handles the crisis.

Ep 3: DigiNotar, You are the Weakest Link, Good Bye!

The 2011 DigiNotar breach changed the way browsers do security. In this episode, we learn what role a CA plays, how browsers work with CAs, and what happens when a CA is breached.

Ep 2: The Peculiar Case of the VTech Hacker

VTech makes toy tablets, laptops, and watches for kids. In 2015, they were breached. The hacker downloaded gigs of children's data. Discover what the hacker did once he took the data.

Ep 1: The Phreaky World of PBX Hacking

Farhan Arshad and Noor Aziz Uddin were captured 2 years after being placed on the FBI's Cyber's Most Wanted list for PBX hacking. In this episode, we explain PBX hacking and how hackers are racking up billions of dollars in phone bills. We also learn how the two men were captured.

Back to top

KyberturvaKeskus

Back to top

Kyberturvallisuuskeskuksen viikkokatsaus - 49/2025
Tällä viikolla kerromme Traficomin johtaman verkkorikosten torjunnan yhteistyön saamasta palkinnosta sekä ohjeistuksesta EU-rahoitushakuihin, vuoden viimeisestä Kyberala murroksessa -webinaarista, EU:n kyberkestävyyssäädöksen tilanteesta ja Nyt valppaana -yleisötilaisuudesta. Viikon haittaohjelmakatsauksessa on Waledac.

Pilvipalveluiden pääkäyttäjätunnusten hallinta – parhaat käytännöt
Pilvipalvelut ovat nykyään lähes jokaisen organisaation IT-infrastruktuuriin kuuluva osa. Niitä hyödynnetään erittäin kriittisissäkin organisaation toiminnoissa, joten pilvipalveluiden pääkäyttäjätunnusten turvallinen hallinta on erittäin tärkeää. Yhdenkin pääkäyttäjätunnuksen väärinkäyttö voi vaarantaa koko organisaation pilviympäristön ja pysäyttää liiketoiminnan. Tässä artikkelissa käymme läpi kolme yleisintä pilvipalvelua – Amazon Web Services (AWS), Microsoft Azure ja Google Cloud Platform (GCP) – ja kerromme, miten niiden pääkäyttäjätunnuksia tulisi suojata ja ylläpitää.

Kriittinen haavoittuvuus Reactin React Server Components -toiminnallisuudessa
React on julkaissut haavoittuvuustiedotteen React Server Components -toiminnallisuuden haavoittuvuudesta, jonka avulla todentamaton hyökkääjä voi suorittaa mielivaltaista koodia kohdelaitteella. On suositeltavaa asentaa päivitykset viipymättä ja tarkastaa organisaatioiden käyttämien tuotteiden tilanne haavoittuvuuden osalta.

Kyberturvallisuuskeskuksen viikkokatsaus - 48/2025
Tällä viikolla kerromme Oodissa 2. joulukuuta järjestettävästä Nyt valppaana verkossa! Tunnista ja torju digihuijaukset -yleisötilaisuudesta. Kerromme myös verkkokauppojen maksusivuihin kohdistuvista digitaalisen skimmaamisen hyökkäyksistä sekä BadBox 2.0 -haittaohjelmalle altistuneista laitteista, joita on päätynyt myyntiin tunnetuissa yhdysvaltalaisissa kauppaketjuissa. Lisäksi esittelemme uuden Shai Hulud -madon, joka leviää kehittäjäympäristöissä ja varastaa käyttöoikeustietoja. Tuomme esiin myös viimeaikaiset Microsoft 365 -tilimurrrot ja viikottaisessa haittaohjelmakatsauksessa tutustumme PromptLockiin.

Microsoft 365 -tilimurroista kertova varoitus on poistettu
Suomalaisten organisaatioiden Microsoft 365 -tilejä kaapataan tietojenkalastelun seurauksena. Tapausten mittavasta kasvusta johtuen Kyberturvallisuuskeskus julkaisi asiasta syyskuussa vakavan varoituksen. Kalasteluviestit voivat olla erittäin haastavia tunnistaa ja siksi tilimurroilta tulee suojautua ottamalla käyttöön turvallisuustoimintoja organisaatiotasolla. Kyberturvallisuuskeskukselle ilmoitettujen M365-tilimurtotapausten määrä on tasoittunut ja varoitus poistetaan, mutta M365-tilimurtojen uhka säilyy siitä huolimatta.

Shai-Hulud-hyökkäyksen toinen aalto - toimenpidesuositukset organisaatioille
Uusi haittaohjelma leviää laajasti NPM-ekosysteemissä. Se on kohdistettu erityisesti suosittujen julkaisijoiden, kuten Zapier ja ENS Domains, paketteihin. Shai-Hulud: the Second Coming -nimellä tunnettu hyökkäys tartuttaa npm-paketteja ja kerää niitä käyttävistä järjestelmistä tunnuksia sekä arkaluontoisia tietoja. Tartunta leviää edelleen uusiin koodijakeluihin ja käyttöympäristöihin täysin ilman tai vain vähäisellä ihmisen avustuksella hyödyntäen ympäristöön luotuja automaatioita. Hyökkäys aiheuttaa kehittäjäympäristöille merkittävän tietoturvariskin ja rapauttaa luottamusta ohjelmistojen toimitusketjuihin. Organisaatioiden tulee tarkistaa kehitysinfrastruktuurit tartuntojen varalta, poistaa käytöstä vaarantuneet paketit ja kierrättää altistuneet salaisuudet.

Näkymätön varas verkkokaupassasi - Digitaalisella skimmauksella voi olla merkittäviä taloudellisia vaikutuksia
Digitaalisessa skimmauksessa rikolliset asentavat verkkokauppaan haitallista koodia ja varastavat sitä kautta maksuprosessissa annettavat tiedot. Aihe on ajankohtainen, sillä erityisesti Black Fridayn alla verkkokauppojen kautta tehdään ostoksia poikkeuksellisen paljon. Tässä artikkelissa kerromme mistä digitaalisessa skimmauksessa on kysymys ja miten verkkokauppojen omistajat voivat havaita ja ennaltaehkäistä digitaalista skimmausta.

Kyberturvallisuuskeskuksen viikkokatsaus - 47/2025
Tällä viikolla kerromme pakettihuijauksista, joita esiintyy etenkin Black Fridayn kaltaisten sesonkien aikana. Kerromme myös Microsoft 365-tilimurroista sekä juuri pidetystä Kriittinen Koodi -webinaarista. Muistutamme ilmoittautumaan kyberturvallisuuden EU-rahoituksen hakuinfotilaisuuksiin ja kerromme Euroopan komission järjestämästä CRA:n sidosryhmätilaisuudesta. Olemme myös avanneet kyselyn tulevista arviointi- ja hyväksyntätarpeista NCSA:n asiakkaille. Lisäksi viikottaisessa haittaohjelmakatsauksessa tutustumme Shiz-haittaohjelmaan.

Microsoft 365 -tilimurrot uhkaavat yrityksiä ja organisaatioita
Microsoft 365 -tilejä murretaan jatkuvasti onnistuneiden tietojenkalastelujen seurauksena. Tietojenkalasteluviestit ovat laadukkaita ja usein erityisen petollisia siksi, että ne voivat tulla murretulta yhteistyökumppanin tililtä. M365-tilimurtojen uhka säilyy ja siksi organisaatioilla ja yrityksillä on erityinen vastuu M365-ympäristön suojaamisessa. Tilimurron seuraukset voivat olla vakavia: mainehaittaa, laskutuspetoksia ja tietojenkalastelua organisaation nimissä, arkaluonteisten tietojen vuotaminen tai jopa koko organisaation tärkeiden tietojen päätyminen rikollisten käsiin.

Kysely tulevista arviointi- ja hyväksyntätarpeista - vastaa viimeistään 5.12.
Liikenne- ja viestintävirasto Traficomin NCSA (National Communications Security Authority) kartoittaa asiakkaidensa tulevia arviointi- ja hyväksyntätarpeita sekä kokemuksia aiemmista arvioinneista. Kyselyn tarkoituksena on tukea arviointien suunnittelua, resurssien kohdentamista ja palveluiden kehittämistä. Kysely koskee sekä tietojärjestelmäarviointeja että salaus- ja tuotearviointeja. Pyydämme teitä täyttämään ja palauttamaan oheisen kyselylomakkeen 5.12.2025 mennessä. Vastausohje löytyy kyselylomakkeelta.

Kriittinen ja hyväksikäytetty haavoittuvuus Fortinet FortiWeb -tuotteessa
Fortinet julkaisi haavoittuvuustiedotteen FortiWeb-tuotteisiin vaikuttavasta haavoittuvuudesta, joka voi mahdollistaa todentamattoman hyökkääjän suorittaa ylläpitokomentoja järjestelmässä erikseen muokattujen HTTP- tai HTTPS-pyyntöjen avulla. Fortinet sekä useat muut toimijat ovat havainneet haavoittuvuutta hyväksikäytettävän aktiivisesti tietomurtojen yrityksissä.

Huoltokatko viestinnän sähköisissä lomakkeissa ja palveluissa la 15.11. klo 7-13
Alla mainitut sähköiset lomakkeet ja palvelut eivät ole käytettävissä la 15.11. klo 7-13 huoltotöiden vuoksi. Huoltokatko ei koske Oma asiointi -palvelua.

Kyberturvallisuuskeskuksen viikkokatsaus - 46/2025
Tällä viikolla kerromme siitä, kuinka Black Friday -tarjoukset houkuttelevat myös rikollsia tekemään ajankohtaisten tarjousten teemaisia valeverkkokauppoja ja kalasteluviestejä. Lisäksi kerromme ClickFix-tekniikasta, jota käytetään haittaohjelmien levittämiseen. Marraskuun 18. päivä järjestämme webinaarin ohjelmistokehityksen johtamisesta. Maksuttomaan webinaariin voi ilmoittautua katsauksessa olevan linkin kautta. Julkaisimme lokakuun Kybersään ja viikon haittaohjelmakatsauksessa syvennymme M0yv-haittaohjelman toimintaan.

Lokakuun Kybersää 2025
Lokakuu jatkoi pilvistä ja koleaa syyskautta myös Kyberturvallisuuden osalta, vaikka tilanne rauhoittuikin aavistuksen syyskuuhun verrattuna.

Haittaohjelma voidaan aktivoida huomaamatta ClickFix-tekniikan avulla - Tutustu ilmiöön ja suojaudu
ClickFix-hyökkäykset ovat nykyaikainen hyökkäyskeino, jossa käyttäjä erehdytetään suorittamaan haittaohjelma omalla laitteellaan. Haittaohjelman tarkoitus voi olla tietojen varastaminen laitteelta tai kiristyshaittaohjelman aktivoiminen. Kerromme, miten ClickFix toimii ja miten hyökkäykseltä voi suojautua.

Kyberturvallisuuskeskuksen viikkokatsaus - 45/2025
Tällä viikolla kerromme viime aikojen eniten esillä olleista hyökkääjien tavoista huijata tavallisia kansalaisia. Hyökkääjiä kiinnostavat erityisesti rahat ja tiedot. Huijausten ja kalasteluviestien skaala on laaja, joten kaikkien tulee olla alati varuillaan ja tarkkana uusia viestejä tarkastellessaan. Viikolla järjestettiin myös Cyber Security Nordic -messut, joissa myös Kyberturvallisuuskeskus oli paikalla.

Kyberturvallisuuskeskuksen viikkokatsaus - 44/2025
Tällä viikolla kerromme edelleen jatkuvasta M365-tilien murtoaallosta, laskutuspalveluiden hyväksikäytöstä laskutuspetoksissa, uuden EU:n kyberturvallisuuden rahoitushaun aukeamisesta ja mahdollisuudesta kommentoida EU:n Kyberkestävyyssäädöstä. Viikon haittaohjelmakatsauksessa on Nymaim-troijalainen.

Digitaalinen Eurooppa -ohjelma avasi uuden rahoitushaun: 50 miljoonaa euroa kyberturvallisuuteen
EU:n Digitaalinen Eurooppa -rahoitusohjelman vuoden 2025 toinen hakukierros avautuu. Ohjelman kautta jaetaan rahoitusta kyberaiheisiin 50 miljoonaa euroa.

Kyberturvallisuuskeskuksen viikkokatsaus - 43/2025
Tällä viikolla kerromme, miksi reititin on kotiverkon tärkein suojamuuri ja miten se estää hyökkäykset kodin laitteisiin. Käsittelemme myös F5-teknologiayritykseen kohdistunutta tietomurtoa sekä VESKY 2025 -hankkeen julkaisemaa vesihuollon kyberturvallisuuden materiaalia. Lisäksi kerromme Europolin SIMcartel-operaatiosta, jossa suljettiin petoksissa käytettyä infrastruktuuria. Haittaohjelmakatsauksessa tutustumme Windows-järjestelmiä saastuttavaan Expiro-virukseen.

Kyberturvallisuuskeskuksen viikkokatsaus - 42/2025
Tällä viikolla kerromme Windows 10 -käyttöjärjestelmän tuen päättymisestä, EU:n pikamaksuasetuksesta ja Kyberturvallisuuskeskuksen nimissä liikkuneista huijauspuheluista. Cyber Security Nordic -messut tulevat taas ja kerromme Traficomin ja Huoltovarmuuskeskuksen järjestämästä Tietoturva 2025 -seminaarista osana messujen ohjelmaa. Kerromme myös viime viikolla julkaistun Digi- ja väestötietoviraston (DVV) vuoden 2025 Digiturvabarometrin havainnoista. Viikon haittaohjelmakatsauksessa esittelemme Ranbyus-haittaohjelman.

Yhdysvaltalainen tietoturva- ja teknologiayritys F5 tietomurron kohteena
Yhdysvaltalainen tietoturva- ja teknologiayritys F5 on ilmoittanut joutuneensa vakavan tietomurron kohteeksi. Valtiolliseksi uhkatoimijaksi arvioitu taho oli saanut pääsyn F5:n sisäisiin järjestelmiin ja kopioinut muun muassa BIG-IP-tuotteiden lähdekoodia sekä tietoja julkaisemattomista haavoittuvuuksista. Tapaus on herättynyt laajaa huomiota, sillä F5:n tietoturva- ja muuta teknologiaa käytetään laajasti eri organisaatioiden toimesta ympäri maailmaa. Kyberturvallisuuskeskus suosittelee F5:n järjestelmiä käyttäviä organisaatoita tekemään tarvittavat toimenpiteet niiden suojaamiseksi.

Tilisiirtoja kellon ympäri turvallisesti reaaliajassa
EU:n pikamaksuasetus astui voimaan 9.10.2025. Se velvoittaa pankkeja tarjoamaan pikasiirtoja kaikille asiakkailleen Euroopassa. Lisäksi pankki tarkistaa maksunsaajan nimen ja tilinumeron vastaavan toisiaan ennen maksun suorittamista. Asetuksen tavoitteena on tuoda tilisiirrot reaaliaikaan, parantaa maksujen turvallisuutta ja vähentää väärille tileille tehtyjä siirtoja.

Rikolliset soittavat Traficomin Kyberturvallisuuskeskuksen nimissä huijauspuheluja
Traficomin tietoon on tullut tapauksia, joissa rikolliset ovat soittaneet uhreille ja esiintyneet Kyberturvallisuuskeskuksen asiantuntijoina. Huijauspuheluissa rikolliset ovat muun muassa väittäneet uhrien matkapuhelimien olevan virusten saastuttamat ja että kyberturvallisuuskeskuksen asiantuntijat tulevat noutamaan laitteet pois. Lisäksi puheluissa on myös pyydetty pankkitunnuksia ja maksukorttien tietoja. Rikolliset ovat lähettäneet myös EU:n kyberturvallisuusdirketiivi NIS2 -aiheisia Whatsapp-viestejä, joissa viitataan organisaation tekemään tietoturvailmoitukseen. Viestissä pyydetään vahvistamaan kyseisen viestin vastaanottaminen - tarkoituksena on saada uhri vastaamaan, jolloin rikolliset voivat soittaa takaisin ja jatkaa huijausta. Näihin viesteihin ei tule vastata. Kyberturvallisuuskeskus pyytää ilmoittamaan huijaus- ja tietojenkalasteluviesteistä matalalla kynnyksellä keskukselle. Huijauspuheluissa tai viesteissä rikolliset pyrkivät synnyttämään uhrissa hätää tai pelkoa, jotta saisivat hänet toimimaan ja luovuttamaan esimerkiksi pankkitunnukset. Lisäksi rikolliset vetoavat yleensä kiireeseen, jotta uhri toimisi nopeasti.

Kyberturvallisuuskeskuksen viikkokatsaus - 41/2025
Tällä viikolla kerromme kriittisten päivitysten tärkeydestä. Jos laitteista löytyy kriittisiä haavoittuvuuksia, niiden päivittämistä ei voi viivyttää tarpeettomasti. Rikolliset käyttävät päivittämättömiä laitteita tietomurtoihin säännöllisesti. Lisäksi muistutamme tarkkaavaisuuteen organisaatioiden viestinnässä. Rikolliset esiintyvät usein organisaation johtajana ja lähestyvät työntekijöitä pikaviestimillä tai sähköposteilla yrittäen saada työntekijöitä siirtämään rahaa monenlaisin verukkein.

Syyskuun Kybersää 2025
Syyskuu toi mukanaan saderintamia myös kyberturvallisuuden ylle. Loppukesästä lisääntyneet poikkeamat jatkoivat kasvuaan ja kuukauden yleiskuva oli pääosin sateinen.

Valepomon viesti voi tulla kalliiksi – tunnista toimitusjohtajahuijaus ajoissa!
Syksyn aikana Kyberturvallisuuskeskus on vastaanottanut useita ilmoituksia toimitusjohtajahuijauksista. Rikolliset hyödyntävät sosiaalista manipulointia, heikkoja prosesseja ja ajankohtaisia tapahtumia saadakseen taloudellista hyötyä: rikolliset pyytävät esimerkiksi kiireellisiä tilisiirtoja, lahjakorttiostoja tai tekaistujen laskujen maksamista. Tässä artikkelissa käydään läpi, mistä toimitusjohtajahuijauksissa on kyse.

Redis-ohjelmistossa vakava haavoittuvuus
Redis-ohjelmiston vakava haavoittuvuus altistaa järjestelmän tietomurrolle ja mielivaltaisen koodin suorittamiselle. Haavoittuvuus koskee kaikkia Redis-ohjelmiston versioita. Ohjelmisto on laajasti käytetty ja sen vakiokonfiguraatio on haavoittuva. Suosittelemme haavoittuvien instanssien paikantamista ja päivittämistä välittömästi.

Suomen kansallisen kryptotyöryhmän linjaukset kansallisiin PQC-salaustuotearviointeihin 1.1.2026 alkaen
Nykyiset klassiset julkisen avaimen kryptografiset menetelmät ovat haavoittuvia tehokkaalle kvanttilaskennalle, joten niiden korvaamiseksi on käynnissä useita kansainvälisiä projekteja, jotka tähtäävät kvanttiturvallisten algoritmien (PQC, post-quantum cryptography) standardointiin. Suomen kansallinen kryptotyöryhmä on tehnyt seuraavat linjauksia kansallisiin salaustuotearviointeihin liittyen 1.1.2026 alkaen.

Kyberturvallisuuskeskuksen viikkokatsaus - 40/2025
Tällä viikolla kerromme palvelunestohyökkäyksistä ja niiden vaikutuksista. Kerromme myös Bulletproof Hosting -ilmiöstä rikollisen toiminnan mahdollistajana. Esittelemme lyhyesti harjoitusta, jossa turvallisuusviranomaiset harjoittelivat valtiolliseen kybervaikuttamiseen vastaamista ja lisäksi kerromme Euroopan kyberturvallisuuskuukaudesta, jonka teemana on omien arjen tietoturvataitojen parantaminen. Tämän viikon haittaohjelmakatsauksessa esittelemme Lockyn.

Ennakointi on paras puolustus palvelunestohyökkäyksiä vastaan
Palvelunestohyökkäys voi lamaannuttaa verkkopalvelut hetkessä ja aiheuttaa taloudellisia vahinkoja sekä mainehaittaa. Palvelun käytön estymisen vaikutukset näkyvät nopeasti palvelun käyttäjille ja voivat hankaloittaa heidän arkeaan. Tämä artikkeli kokoaa yhteen keskeiset vaiheet siitä, miten organisaatio voi varautua palvelunestohyökkäykseen, toimia sen aikana ja palautua sen jälkeen.

Omien arjen tietoturvataitojen parantaminen Euroopan kyberturvallisuuskuukauden teemana
Lokakuussa vietetään jo 13. kertaa Euroopan kyberturvallisuuskuukautta (ECSM). Tänä vuonna teema korostaa arjen valintoja ja tapoja, joilla vaikutamme omaan, muiden ja koko verkon turvallisuuteen. Traficomin Kyberturvallisuuskeskuksen koordinoima Some- ja verkkohuijausten ehkäisyn verkosto kampanjoi yhdessä turvallisemman verkkokokemuksen puolesta hyödyntäen Aalto-yliopiston toteuttamaa SecPort-sivustoa, joka tarjoaa käytännön vinkkejä ja oppimateriaaleja kansalaisten kyberturvataitojen vahvistamiseen.

Bulletproof Hosting – Merkittävä rikollisen toiminnan mahdollistaja
Bulletproof Hosting (BPH) termillä viitataan toimijoihin, jotka tarjoavat rikollisille tai muille haitallisille toimijoille verkkopalveluita, joihin puuttuminen viranomaistoimin on haastavaa. Tällaiset palveluntarjoajat eivät aktiivisesti puutu käyttäjien rikolliseen toimintaan, kuten haittaohjelmien levitykseen, roskapostin lähettämiseen tai huijaussivustojen ylläpitoon. BPH-palvelut toimivat usein maissa, joissa kansainvälisiä oikeuskäytäntöjä valvotaan ja noudatetaan väljästi. Kyberturvallisuuskeskus kehittää aktiivisesti toimia ilmiön rajoittamiseksi viranomaisten ja operaattoreiden kanssa. Ilmiön rajoittaminen kuitenkin vaatii, että kaikki kyberekosysteemin toimijat huomioivat ilmiön toiminnassaan.

Haavoittuvuuksia Cisco IOS ja IOS XE -laitteissa
Cisco on julkaissut korjauspäivitykset 14 vakavaan haavoittuvuuteen eri IOS-tuoteperheen tuotteissa. Haavoittuvuuksista vakavin mahdollistaa muun muassa mielivaltaisen koodin ajamisen etänä ilman kirjautumista.

Kriittisiä Cisco ASA- ja FTD-haavoittuvuuksia käytetään hyväksi hyökkäyksissä
Cisco on julkaissut korjauspäivitykset kolmeen vakavaan haavoittuvuuteen Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) -tuotteissa. Haavoittuvuudet mahdollistavat muun muassa mielivaltaisen koodin ajamisen etänä. Haavoittuvuuksia käytetään aktiivisesti hyväksi. Haavoittuva järjestelmä on syytä päivittää välittömästi ja tutkia tuotteet mahdollisten tietomurtojen varalta. Pelkkä päivittäminen ei riitä hyökkäyskoodin poistamiseen järjestelmistä.

Kyberturvallisuuskeskuksen viikkokatsaus - 39/2025
Tällä viikolla kerromme huijauspuheluiden estotoiminnasta, joka palkittiin vuoden 2025 rikoksentorjuntakilpailussa ja joka on merkittävästi vähentänyt huijauspuheluiden määrää Suomessa. Avaamme myös, mitä haittaohjelmat ovat ja millaisia riskejä ne aiheuttavat sekä annamme vinkkejä niiltä suojautumiseen. Haittaohjelmakatsauksessa tutustumme tarkemmin Flubot-haittaohjelmaan, joka levisi huijaustekstiviestien avulla.

Paluu Connect4Cyber-tapahtuman tunnelmiin – kansainväliset kyberturvallisuustoimijat kohtasivat Helsingissä
Elokuun lopulla järjestetty Connect4Cyber – Brokerage and Info Day kokosi yhteen laajan joukon kyberturvallisuusalan toimijoita Suomesta ja eri puolilta Eurooppaa. Business Finlandin pääkonttorilla pidetty tapahtuma tarjosi täyden salin verran keskusteluja ajankohtaisista rahoitusmahdollisuuksista, teknologian kehityssuunnista ja kansainvälisestä yhteistyöstä.

Kyberturvallisuuskeskuksen viikkokatsaus - 38/2025
Tällä viikolla kerromme syyskuussa paljon vaikuttaneista M365-tilimurroista ja annamme ohjeita niiltä suojautumiseen. Kerromme myös Ruotsissa tapahtuneesta laajalti vaikuttaneesta tietovuodosta sekä toimitusketjuhyökkäyksistä. Kyberkestävyyssäädöksen haavoittuvuuksista raportointivelvollisuus astuu voimaan 11.9.2026 ja ohjeistamme miten sen osalta organisaatioiden tulisi toimia. Tämän viikon haittaohjelmakatsauksessa tutustumme Tinba -haittaohjelmaan.

Suojaa Microsoft 365 -ympäristösi tietomurroilta ennakkoon – pääsy käyttäjätilille voidaan estää vielä silloinkin, kun tunnukset ovat vuotaneet
Microsoft 365 -tunnukset ovat usein hyökkäysten kohteena Suomessa. Jos hyökkääjä saa haltuunsa käyttäjän tunnukset ja salasanan, hän pääsee murretulle käyttäjätilille samoilla oikeuksilla kuin oikea käyttäjä. Seuraukset voivat olla vakavia: mainehaittaa, laskutuspetoksia ja tietojenkalastelua organisaation nimissä, arkaluonteisten tietojen vuotaminen tai jopa koko organisaation tärkeiden tietojen päätyminen rikollisten käsiin. Tilien huolellinen suojaaminen ennakolta on aina ensisijainen tapa suojautua tietomurroilta. M365-tietomurroilta voidaan suojautua myös silloin kun hyökkääjällä on jo murretut tunnukset hallussaan. Tässä artikkelissa kerromme, miten voit suojautua tietomurroilta ennakolta ja jopa silloin, kun hyökkääjällä on jo murretut Microsoft 365 -tunnukset.

Digitaalisesta Euroopasta opittua: 7 vinkkiä onnistuneen rahoitushakemuksen laatimiseen
Digitaalinen Eurooppa -rahoitusohjelma on kohta neljävuotias, ja hakijat alkavat vähitellen oppia, mistä ohjelmassa on kyse. Siksi myös rahoitushauista on tulossa entistä kilpaillumpia. Aikaisempien hakukierrosten perusteella arvioijat ovat tunnistaneet tiettyjä toistuvia puutteita, jotka pudottavat hakemusten pisteitä. Siksi kokosimme yhteen kootut vinkit hakemuksen laatimista varten. Kun otat kirjoittaessa huomioon nämä seikat, olet jo reippaasti muita hakijoita edellä!

Kyberturvallisuuskeskuksen viikkokatsaus - 37/2025
Tällä viikolla kerromme julkaisemastamme vakavasta varoituksesta M365-tilimurtoja ja niiden yrityksiä koskien. Varoituksen kohderyhmää ovat kaikki yritykset ja muut organisaatioit sekä niiden työntekijät, jotka käyttävät M365-tuotteita. Esittelemme myös elokuun Kybersään ja kerromme tällä viikolla pidetystä Kriittinen koodi -webinaarista, jonka aiheena oli ohjelmistoturvallisuus huoltovarmuuden ytimessä. Tutustumme tämän viikon viikkokatsauksessa myös Hummer-haittaohjelmaan.

Elokuun Kybersää 2025
Elokuu toi päätöksen kyberturvallisuuden kannalta rauhalliselle kesäkaudelle. Myrskypilviä nähtiin kuukauden aikana erityisesti tietomurtojen sekä haittaohjelmien ja haavoittuvuuksien alueilla.

Microsoft 365 -tilejä murretaan – varo tietojenkalastelua
Traficomin Kyberturvallisuuskeskukselle on vuonna 2025 ilmoitettu yhteensä 330 Microsoft 365 -tileihin liittyvää tietomurtotapausta tai sen yritystä. Kohteena on ollut erikokoisia organisaatioita useilta toimialoilta. Hyvin usein kaapattuja tilejä käytetään kalasteluviestin lähettämiseen tilin yhteystiedoille, jolloin tietomurrot leviävät tehokkaasti organisaatiosta toiseen.

Microsoft 365 -tilejä murretaan – varo tietojenkalastelua
Lokakuun aikana Kyberturvallisuuskeskukselle on ilmoitettu 121 tapausta M365-tilimurtoihin liittyen. Lomakauden päätyttyä tapausten määrässä havaittiin huomattavaa kasvua ja tällä hetkellä organisaatioiden sähköpostitilejä murretaan kiihtyvällä tahdilla. Murroille ja jatkokalasteluviesteille altistuneita organisaatioita on lukuisia ja yhden organisaation sisällä voi tapahtua useita, jopa kymmeniä tilimurtoja. Rikolliset kirjautuvat varastettujen tunnusten avulla Microsoft 365 -palveluihin ja kaapattuja tilejä hyödynnetään uusien tietojenkalasteluviestien lähettämiseen sekä laskutuspetosten tekemiseen.

Kyberturvallisuuskeskuksen viikkokatsaus - 36/2025
Tällä viikolla kerromme rahanmenetyksistä lastensuojeluteemaisiin huijausviesteihin, Microsoftin uusista todentamismenetelmistä sekä viikottaisesta haittaohjelmasta. Kutsumme teidät myös kriittinen koodi -webinaariin.

Rikolliset levittävät huijausviestejä lastensuojelun nimissä
Rikolliset levittävät tällä hetkellä huijaustekstiviestejä, joissa esiintyvät esimerkiksi sosiaalityöntekijöinä ja viittaavat lastensuojeluun. Huijauksen uhreiksi on joutunut muun muassa yksittäisiä organisaatioita ja rahalliset menetykset ovat vaihdelleet tuhansista euroista aina sataan tuhanteen euroon saakka.

Kyberturvallisuuskeskuksen viikkokatsaus - 35/2025
Tällä viikolla viikkokatsauksessa kerromme lastensuojelun nimissä lähetetyistä huijaustekstiviesteistä, joilla rikolliset pyrkivät kalastelemaan tietoja. Lisäksi kerromme Teams-puheluhuijauksista, joissa rikolliset esiintyvät IT-tukena ja yrittävät saada pääsyn työntekijän koneelle. Liiikkeellä on ollut myös PDF-editointiohjelmiksi naamioituja haittaohjelmia, joiden avulla rikolliset voivat varastaa tietoja tai kaapata järjestelmän. Viikottainen haittaohjelmakatsaus käsittelee tällä viikolla Avalanche-nimistä haittaohjelmaa.

Traficom ja Supo: Kyberturvallisuuden uhkataso pysynyt koholla - vakavien tapausten määrät kasvussa
Traficomin ja Suojelupoliisin tiedote Kuluneena vuonna kyberturvallisuuden uhkataso on pysynyt Suomessa edelleen kohonneena. Uhkataso nousi vuonna 2022 sen jälkeen, kun Venäjä käynnisti laajamittaisen hyökkäyksensä Ukrainaan. Traficomin Kyberturvallisuuskeskukselle ilmoitettujen tapausten perusteella suomalaiset organisaatiot ovat edelleen vihamielisen kybertoiminnan kohteena, ja vakavien tietomurtojen sekä niiden yritysten määrä on noussut. Kyberturvallisuuskeskuksen selvittämien vakavien tapausten määrä on yli kaksinkertaistunut viime vuoteen verrattuna. Havainnot ohjelmistojen haavoittuvuuksista ovat myös selvästi lisääntyneet, mikä kasvattaa merkittävästi kyberuhkaa yhteiskunnassa. Suojelupoliisin mukaan valtiollinen kybertoiminta Suomea kohtaan jatkuu aktiivisena. Traficom ja Suojelupoliisi pitävät yhteiskuntaa laajasti lamauttavien kyberiskujen todennäköisyyttä kuitenkin edelleen pienenä.

IT-tukena esiintyvät hyökkääjät lähestyvät organisaatioita Teams-puheluilla
IT-tukena esiintyvät hyökkääjät ottavat yhteyttä organisaatioiden työntekijöihin soittamalla Microsoft Teams -puhelun etäyhteysohjelman käyttämiseksi. Etäyhteysohjelman avulla hyökkääjä voi ujuttaa kohdeympäristöön haittaohjelmia, viedä tietoja ja aktivoida esimerkiksi kiristyshaittaohjelman. Kyseessä on puhelun kautta tapahtuva tietojenkalasteluyritys. Organisaatiot voivat rajoittaa ulkopuolisista Teams-organisaatioista tulevia yhteydenottoja hyökkäysten torjumiseksi.

Citrix NetScaler ADC ja NetScaler Gateway -tuotteissa kriittinen haavoittuvuus
Citrix on julkaissut korjauspäivitykset kolmeen vakavaan haavoittuvuuteen NetScaler ADC ja NetScaler Gateway -tuotteissa. Haavoittuvuudet mahdollistavat muun muassa mielivaltaisen koodin ajamisen etänä ja palvelunestotilan aiheuttamisen. Haavoittuvuuksia käytetään aktiivisesti hyväksi ja haavoittuva järjestelmä on syytä päivittää välittömästi.

Haittaohjelmia levitetään aktiivisesti PDF-editointiohjelmiksi naamioituina
Liikkeellä on haittaohjelmakampanja, jossa rikolliset levittävät näennäisiä PDF-editoreita. Ohjelma voi liittää laitteen osaksi bottiverkkoa ja varastaa tietoja. Turvallisin tapa hankkia uusia sovelluksia on ladata ohjelmistot vain virallisista lähteistä ja olla tarkkana liian hyviltä kuulostavien tarjousten kanssa.

Kyberturvallisuuskeskuksen viikkokatsaus – 34/2025
Tällä viikolla kerromme nettihuijauksista, joissa rikolliset esiintyvät työeläkeyhtiön nimissä ja pelottelevat eläkkeen loppumisella. Linkin klikkaaminen kuitenkin johtaa petokselliseen sivuun, joka kalastelee eläkeläisten verkkopankkitunnuksia. Kerromme myös halpoja älylaitteita vaivaavasta BadBox-haittohjelmasta. Lisäksi Liikenne- ja viestintävirastosta voi hakea rahoitusta viestintäverkkojen ja tietojärjestelmien tietoturvallisuuden parantamiseksi kyberturvallisuuslain vaatimusten mukaiseksi.

Rahoitustukihaku kyberturvallisuuslain toimeenpanemisen tukemiseksi avattu
Liikenne- ja viestintävirasto Traficom myöntää rahoitustukea kyberturvallisuuslain (124/2025) soveltamisalaan kuuluville mikrokokoisille, pienille ja keskisuurille organisaatioille kyberturvallisuuslaissa asetettujen vaatimusten toteuttamiseksi ja toimijoiden kyberturvallisuustason nostamiseksi organisaatiossa. Haku on auki 16.10.2025 klo 16:15 asti.

Kyberturvallisuuskeskuksen viikkokatsaus - 33/2025
Tällä viikolla kerromme ulkomaisista numeroista soitetuista huijauspuheluista. Lisäksi kerromme paljon liikkeellä olleista M365-tilimurroista, uuden radiolaitteita koskevan määräyksen voimaanastumisesta, sekä syksyllä tapahtuvasta ohjelmistoturvallisuutta käsittelevästä webinaarista. Lisäksi olemme julkaisseet heinäkuun Kybersään ja viikon haittaohjelmakatsauksessa kerromme 911 S5 -haittaohjelmasta.

Heinäkuun Kybersää 2025
Helteinen heinäkuu käynnistyi poutaisesti myös kybersään näkökulmasta. Kuun loppua kohden säätilanne kääntyi jälleen sateisempaan suuntaan.

Älykellot, itkuhälyttimet ja puhelimet yhä turvallisempia – EU kiristää tietoturvavaatimuksia
Älykellot, älypuhelimet ja monet muut langattomat laitteet ovat osa arkeamme, mutta tiedätkö kuinka tietoturvallisia nämä laitteet ovat? Nyt ei tarvitse murehtia – uudet EU:n vaatimukset varmistavat, että kodin laitteet ovat entistä tietoturvallisempia.

Kyberturvallisuuskeskuksen viikkokatsaus - 32/2025
Tämän viikon viikkokatsauksessa kerromme havainnoista organisaatioiden M365-tilien tietomurtoihin ja kalasteluviesteihin liittyen. Lisäksi muistutamme lasten tietoturvataitojen tärkeydestä koulujen alkaessa. Nostamme esille myös Citrix-haavoittuvuuden aiheuttamien tietomurtojen tilanteen ja esittelemme uuden haittaohjelmakatsauksen, joka tarjoaa viikoittain tietoa ajankohtaisista haittaohjelmista.

SonicWall Gen 7 -palomuurien SSLVPN-haavoittuvuutta hyväksikäytetään tietomurroissa
Viime päivien aikana SonicWall Gen 7 -palomuurituotteisiin liittyen on havaittu merkittävä määrä onnistuneita tietomurtoja sekä niiden yrityksiä eri tietoturvatoimijoiden raportoimana. Joissakin tapauksissa onnistuneita tietomurtoja on havaittu myös ajantasaisissa laitteissa. Toistaiseksi ei ole tiedossa, onko näissä tapauksissa kyseessä uusi nollapäivähaavoittuvuus vai aiemmin julkaistujen haavoittuvuuksien uudenlainen hyväksikäyttö. Päivitys 7.8.2025: Sonicwallin päivitetyn tiedotteen mukaan tähän liittyvää nollapäivähaavoittuvuutta ei ole löytynyt.

Vinkkejä kyberharjoituksen suunnitteluun
Oletko saanut tehtäväksesi suunnitella ja järjestää kyberharjoituksen omassa organisaatiossasi? Olet ehkä saanut evästystä johdolta, tehnyt taustatyötä aiheesta ja lukenut Kyberharjoitusohjeemme tai tutustunut ylläpitämäämme Skenaariopankkiin. Harjoituksen suunnittelu voi tuntua haastavalta, jos ohjeita ja odotuksia tulee monesta eri suunnasta. Olemme keränneet tähän artikkeliin perusohjeiden lisäksi muutamia harjoitusten suunnittelussa hyväksi koettuja havaintoja, joiden avulla suunnittelu helpottuu ja harjoituksesta saadaan enemmän hyötyä.

Kyberturvallisuuskeskuksen viikkokatsaus - 31/2025
Tällä viikolla kerromme aggressiivisesta kiristysviestikampanjasta. Lisäksi muistutamme päivitysten asentamisesta ja elinkaaren päänsä saavuttaneiden laitteiden ja ohelmistojen päivittämisestä myös lomakaudella. Muistutamme myös, että laskutushuijauksia on liikkeellä lomakaudella.

Aggressiivinen kiristysviestikampanja käynnissä
Kyberturvallisuuskeskus on havainnut aggressiivisen kiristysviestikampanjan. Viestejä on lähetetty runsaasti yksityisille henkilöille ja organisaatioille. Kampanja voi aiheuttaa kuormitusta sähköpostipalveluihin.

Kyberturvallisuuskeskuksen viikkokatsaus - 30/2025
Tällä viikolla kerromme globaalisti merkittävästä Sharepoint-haavoittuvuudesta ja rikollisten verkkopetoksissa käyttämistä keinoista.

Kyberturvallisuuskeskuksen viikkokatsaus - 29/2025
Tällä viikolla kerromme huijauksista tekstiviesteillä ja sähköpostilla poliisin nimissä. Viranomaisena esiintyvät rikolliset ovat yrittäneet huijata ihmisiä kertomaan verkkopankkitunnuksensa. Sillä välin oikea poliisi on osallistunut kansainväliseen poliisioperaatioon, jolla rikollisten käyttämä bottiverkko on saatu suljettua. Lisäksi kerromme laitteiden päivittämisen tärkeydestä. Päivittämättä jätetyt laitteet ovat rikollisille helppoa riistaa uusien bottiverkkojen rakentamiseen. Päivittämättömän laitteen omistaja voi tietämättään joutua rikoksen välikappaleeksi.

Päivittämättömät laitteet houkuttavat rikollisia
Laajasti käytetyn Windows 10 -käyttöjärjestelmän tuki päättyy 14.10.2025. Tämän jälkeen siihen ei ole saatavilla tietoturvapäivityksiä tai teknistä tukea. Kun minkä tahansa laitteen käyttöikä lähenee loppuaan, on tietoturvan kannalta viisainta hankkia uusi laite, johon on tarjolla päivityksiä.

Ylijohtaja Kärkkäinen: Suomi on varautunut hyvin erilaisiin kyberuhkiin
Suomessa kyberturvallisuutta on kehitetty pitkäjänteisesti ja strategisesti hyvässä yhteistyössä yhteiskunnan eri sektorien kanssa. Viranomaiset ja yhteiskunnan kriittiset sektorit varautuvat jatkuvasti erilaisiin uhkiin ja hyökkäyksiin. Kansainvälisesti tarkasteltuna Suomi on kyberturvallisuuden kärkimaita.

Kriittinen ja hyväksikäytetty SQL Injektio haavoittuvuus Fortinet FortiWeb palvelussa
Fortinet on julkaissut päivityksen FortiWebin kriittiseen haavoittuvuuteen, joka sallii todentamattoman hyökkääjän suorittaa SQL-komentoja muotoiltujen HTTP- tai HTTPS-pyyntöjen kautta. Haavoittuvuuden hyödyntämiskeino on nyt saatavilla ja sitä käytetään laajasti.

Kyberturvallisuuskeskuksen viikkokatsaus - 28/2025
Tällä viikolla kerromme Microsoft 365 -ympäristön Direct Send -ominaisuudesta, jota rikolliset käyttävät hyväkseen lähettääkseen väärennettyjä kalasteluviestejä ja tutustumme kesäkuun Kybersäähän. Kerromme myös Kuluttajaliiton Huijausinfo -hankkeesta, jossa Kyberturvallisuuskeskus on ollut mukana.

Kesäkuun Kybersää 2025
Kesäkausi on tarjonnut pääosin rauhallista kybersäätä, eikä kesäkuu tehnyt poikkeusta trendiin. Vilkkaimmillaan oleva lomasesonki on heijastunut myös kyberturvallisuustilanteeseen.

Käynnissä oleva hyökkäyskampanja hyödyntää Microsoft 365:n Direct Send -ominaisuutta kalasteluviestien lähettämiseen
Microsoft 365 Direct Send -ominaisuus on haavoittuvuus, minkä avulla monitoimilaitteet, tulostimet tai sovellukset voivat lähettää sähköpostia tunnistautumattomana suoraan Microsoft 365 -ympäristöön. Tietoturvatutkijat ovat havainneet, että uhkatoimijat käyttävät tätä ominaisuutta väärentääkseen sisäisten käyttäjien sähköpostiosoitetta ja lähettääkseen kalastelusähköpostiviestejä vaarantamatta heidän tilejään. Kun uhkatoimijalla on tiedossa verkkotunnus ja vastaanottajan sähköpostiosoite, tämä voi lähettää väärennettyjä sähköposteja, jotka näyttävät olevan peräisin organisaation sisältä. Tällaisten viestien lähettäminen ei edellytä tunnistautumista M365 -palveluun. Yksinkertaisuus tekee Direct Sendistä houkuttelevan ja vaivattoman tavan tietojenkalastelukampanjoille. Huomioithan että, Direct Send -ominaisuus on erikseen otettava pois käytöstä.

Kyberturvallisuuskeskuksen viikkokatsaus - 27/2025
Tällä viikolla kerromme tietoja varastavien haittaohjelmien aiheuttamista riskeistä ja muistutamme tietoturvan tärkeydestä myös lomakaudella sekä vinkkaamme Microsoft 365-ympäristön tietoturvaa parantavista keinoista.

Kyberturvallisuuskeskuksen viikkokatsaus - 26/2025
Microsoft siirtyy Entra ID -todentamismenetelmien käyttöön syksyllä 2025. Valmistautuminen kannattaa aloittaa hyvissä ajoin. Kerromme myös BadBox2.0-haittaohjelmasta, joka voi päätyä uuteen laitteeseen jo valmistusvaiheessa.

Kriittisiä haavoittuvuuksia Cisco Identity Services Engine- ja Cisco ISE Passive Identity Connector -tuotteissa
Cisco Identity Services Enginen (ISE) ja Cisco ISE Passive Identity Connectorin (ISE-PIC) -tuotteissa on havaittu kaksi kriittistä haavoittuvuutta, joita hyväksikäyttämällä hyökkääjä voi etänä suorittaa komentoja käyttöjärjestelmässä pääkäyttäjän (root) oikeuksin ilman tunnistautumista. Haavoittuvuuksiin on saatavilla korjaava päivitys, joka suositellaan asentamaan välittömästi.

Ole valppaana tekoälyn kanssa
Erilaiset tekoälymallit ovat hyödyllinen ja hauska lisä sekä työhön että vapaa-aikaan, ja tarjolla on nykyään palveluita moniin eri käyttötarkoituksiin. Uutena teknologiana tekoäly tarjoaa hienoja mahdollisuuksia, mutta sen kanssa on myös syytä olla varovainen, koska kaikkia riskejä ei vielä tunneta kattavasti.

Kriittinen ja hyväksikäytetty haavoittuvuus NetScaler ADC ja NetScaler Gateway -tuotteissa
Citrix on julkaissut NetScaler ADC ja NetScaler Gateway -tuotteissa olevaan kriittiseen haavoittuvuuteen CVE-2025-6543 korjauksen. Haavoittuvuutta hyödyntämällä hyökkääjä saa tuotteen siirtymään palvelunestotilaan. Haavoittuvuuden hyväksikäyttöä on jo havaittu ja sen korjaava päivitys on syytä asentaa viipymättä.

Haittaohjelma voi lymyillä laitteessa jo ostovaiheessa – laitteet on poistettava käytöstä, jos valmistaja ei tarjoa korjausta
Suomen kuluttajamarkkinoilla on havaittu valmiiksi haittaohjelmalla saastuneita Android-älylaitteita. Haittaohjelman asentamista varten laitteisiin on upotettu takaovi jo valmistusvaiheessa, eikä sitä voi poistaa. Jos laitteen valmistaja ei tarjoa virallista korjausta, laite on poistettava verkosta ja toimitettava sähkö- ja elektroniikkajätteen keräykseen. Traficomin Kyberturvallisuuskeskus kehottaa kansalaisia tarkistamaan käytössään olevat laitteet ja epäilysten herätessä harkitsemaan huolellisesti uusien hankintaa.

Lausuntopyyntö - Määräys viestintäverkon kriittisistä osista
Liikenne- ja viestintävirasto Traficom pyytää lausuntoa luonnoksista määräykseksi viestintäverkon kriittisistä osista sekä sen perustelumuistioksi. Lausunto pyydetään toimittamaan Liikenne- ja viestintävirasto Traficomille lausuntopalvelu.fi verkkopalvelun kautta viimeistään 15.8.2025.

Kyberturvallisuuskeskuksen viikkokatsaus - 25/2025
Tällä viikolla kerromme neuvoja huijausten uhreille avun saamiseksi ja muistutamme ylläpitäjiä DNS:stä huolehtimisesta. Muina aiheina OTKES:in raportti Helsingin tietomurrosta, päivitetty ohje tietoturvallisuuden arviointilaitosten toiminnasta ja näkökulmia viimeviikkoisesta pilvipalvelujen kriteeristöt ja arviointi -tilaisuudesta.

Kriittinen haavoittuvuus Veeam Backup & Replication -tuotteessa
Veeam Backup & Replication -tuotteeeseen on julkaistu haavoittuvuuksia, joista yksi on kriittinen ja mahdollistaa koodin suorittamisen etänä varmuuskopiointipalvelimella todennetulla toimialueen käyttäjätunnuksella. Haavoittuvuuksiin on saatavilla korjaava pävitys, järjestelmien päivittämistä suositellaan välittömästi.

Kriittinen haavoittuvuus NetScaler ADC ja NetScaler Gateway -tuotteissa
Citrix on julkaissut korjauspäivitykset kahteen vakavaan haavoittuvuuteen NetScaler ADC ja NetScaler Gateway -tuotteissa. Haavoittuvuudet mahdollistavat muun muassa käyttöoikeuksien kiertämisen sekä oikeudettoman pääsyn järjestelmämuistiin. Haavoittuva järjestelmä on syytä päivittää välittömästi ja haavoittuvuudelle mahdollisesti alttiina olleet järjestelmät tutkia murron varalta.

Verkkorikollisuutta kitketään yhteistyössä
Verkkorikollisuuden määrä on kasvanut viime vuosina globaalisti, ja se on johtanut myös Suomessa useiden miljoonien eurojen menetyksiin vuosittain. Kehityssuunta on huolestuttava, sillä se voi horjuttaa yleistä luottamusta digitaaliseen yhteiskuntaan ja sen palveluihin. Verkkorikollisuuden kitkemiseksi tehdään monipuolista ja aktiivista yhteistyötä eri toimijoiden kesken - samaan aikaan jokainen verkkopalveluiden käyttäjä vaikuttaa toiminnallaan omaan ja muiden turvallisuuteen.

Mistä apua, jos tulee huijatuksi netissä?
Verkossa huijatuksi joutuminen ei ole leikin asia. Uhri voi menettää rahansa tai henkilökohtaisia, arkaluonteisia tietoja. Rikoksen uhri voi menettää myös mielenrauhansa ja turvallisuuden tunteensa. Vahinkojen minimoimiseksi täytyy toimia nopeasti. Kerromme, mitä tehdä ihan ensimmäiseksi, kun huomaa tai epäilee tulleensa huijatuksi sekä siitä, mistä huijatuksi tullut voi saada apua niin teknisiin, taloudellisiin kuin mielen hyvinvoinnin kysymyksiin.

Uudet kyberturvallisuusrahoitushaut Digitaalinen Eurooppa- ja Horisontti Eurooppa -ohjelmista ovat nyt auki
Euroopan kyberturvallisuuden teollisuus-, teknologia- ja tutkimusosaamiskeskus (ECCC) on avannut uusia rahoitushakuja Digitaalinen Eurooppa (DEP) - ja Horisontti Eurooppa (HE) -ohjelmien alla. Avautuneissa hauissa on haettavana rahoitusta yhteensä enintään 145,5 miljoonaa euroa.

Tietoturvallisuuden arviointilaitosten toimintaa koskeva ohje on päivitetty
Liikenne- ja viestintävirasto Traficom on julkaissut päivitetyn ohjeen tietoturvallisuuden arviointilaitosten toiminnasta. Uudistettu ohje sisältää muun muassa NIS2-direktiiviin liittyviä päivityksiä sekä ohjeistusta salaustuotearviointipätevyyden hakemisesta.

Kyberturvallisuuskeskuksen viikkokatsaus - 24/2025
Tällä viikolla kerromme muun muassa Kyberturvallisuuskeskuksen nimissä soitetuista huijauspuheluista ja Kyberala murroksessa -webinaarista.

Toukokuun Kybersää 2025
Toukokuu oli kyberturvallisuuden osalta pääosin rauhallinen. Toisaalta kulunut kuukausi toi mukanaan myös yksittäisiä myrskypilviä, kun useat länsimaat kertoivat joutuneensa valtiollisiin kyberuhkatoimijoihin yhdistettyjen hyökkäysten kohteeksi.

Kyberturvallisuuskeskuksen viikkokatsaus - 23/2025
Tällä viikolla kerromme miten huijaussivustot hyödyntävät ETA- ja ESTA -matkustuslomakkeita, muistutamme myös päivityksien ja hyvien salasanojen tärkeydestä.

Uusi nelivuotinen hanke jatkaa EU:n kyberturvallisuuden vahvistamista – seuraa avautuvia rahoitushakuja
Hankkeen aikana rahoitustukea myönnetään mm. uusien kyberturvallisuussäädösten toimeenpanemisen tukemiseen. Tavoitteena on kyberturvallisuuden vahvistaminen Euroopassa ja kansallisella tasolla.

Kyberturvallisuuskeskuksen viikkokatsaus - 22/2025
Tällä viikolla kiinnitämme huomiota lähestyvään lomakauteen. Huijarit eivät lomaile, vaan päinvastoin kohdistavat toimitusjohtajahuijauksia lomailevien talousvastaavien sijaisiin. Lisäksi kerromme lisääntyvästä yhteistyöstä kyberturvallisuuden alalla ja uudesta langattomien laitteiden turvallisuutta parantavasta lainsäädännöstä.

Radiolaitteiden uudet tietoturvavaatimukset käyttöön 1.8.2025
EU:n radiolaitedirektiivin tietoturvavaatimuksia aletaan soveltaa 1.8.2025. Tavoitteena on suojata viestintäverkkoja, parantaa yksityisyyttä ja estää verkon kautta tapahtuvia taloudellisia petoksia.

Suomen ja Ukrainan kyberturvallisuusviranomaiset allekirjoittivat yhteisymmärryspöytäkirjan - Suomi ja Ukraina syventävät yhteistyötään kyberturvallisuuden edistämisessä.
Suomi ja Ukraina syventävät yhteistyötään kyberturvallisuuden ja suojauksen edistämisessä. Maat ovat allekirjoittaneet yhteisymmärryspöytäkirjan, jonka tavoitteena on vahvistaa yhteistyötä sekä helpottaa hyvien käytäntöjen ja teknisen tiedon jakamista kyberturvallisuusviranomaisten välillä.

TV on älylaite, jonka turvallisuudesta tulee huolehtia - Ole tarkkana Android TV -medialaitteiden kanssa
Markkinoilla on runsaasti erilaisia Android TV -laitteita, jotka tarjoavat käyttäjille mahdollisuuden suoratoistaa sisältöä, käyttää sovelluksia ja selata internetiä television kautta. Kaikki laitteet eivät kuitenkaan ole laadultaan tai tietoturvaltaan samalla tasolla.

Kyberturvallisuuskeskuksen viikkokatsaus - 21/2025
Tällä viikolla kerromme Android TV -laitteisiin kohdistuvasta ja laajalle levinneestä haittaohjelmasta.

Kansalliset ja EU-rahoitusmahdollisuudet kyberturvallisuuden kehittämiseen -webinaari 18.6.2025
Kyberturvallisuuskeskus järjestää ke 18.6.2025 klo 9–10 kaikille avoimen webinaariin, jossa esitellään ajankohtaisia näkymiä kansallisesti haettavista rahoitustuista ja EU-rahoitusmahdollisuuksista kyberturvallisuuden kehittämiseen sekä rahoituksen hakemiseen liittyviä palveluita.

Kyberturvallisuuskeskuksen viikkokatsaus - 20/2025
Tällä viikolla kerromme Suomessakin erittäin suositun WordPress-julkaisujärjestelmän turvallisemmasta ylläpidosta. Kerromme lisäksi tietoja varastavista haittaohjelmista sekä EU:n haavoittuvuustietokannasta.

Ajankohtaista verkkojulkaisualustoista – huolehdi sivustosi tai verkkokauppasi turvallisuudesta
Yhä useammalla organisaatiolla on jonkinlainen maksu- ja henkilötietoja käsittelevä verkkokauppa, ja useimmilla vähintään verkkosivut. Uudessa ohjeessamme annamme vinkkejä verkkokauppojen turvallisuuden parantamiseen. Tässä kirjoituksessa käsittelemme myös ajankohtaisia asioita ohjeen taustalla.

Tunnistautuminen sähköisiin asiointipalveluihimme muuttuu – Suomi.fi-viestien käyttöönottoa ehdotetaan tunnistautumisen yhteydessä
Digi- ja väestötietovirasto (DVV) uudistaa Suomi.fi-tunnistautumista. 12.5.2025 alkaen sinulle voidaan ehdottaa Suomi.fi-viestien käyttöönottoa, kun tunnistaudut vahvasti viranomaisen sähköiseen asiointipalveluun. Muutos koskee myös Traficomin asiointipalveluita.

Kyberturvallisuuskeskuksen viikkokatsaus - 19/2025
Tällä viikolla kerromme mm. siitä miten Hyöky-palvelu uudistuu sekä tulevasta webinaarista, jossa keskustellaan kysymyksistä, jotka kannattaa esittää ohjelmistotoimittajalle.

Huhtikuun Kybersää 2025
Kyberturvallisuudessa oli kuun alkuvaiheessa tarjolla leutoa kevätsäätä, jota kuitenkin sumensivat huijausten ja kalastelun alueella havaitut ajoittaiset sadekuurot. Maaliskuussa tietomurtoja ja -vuotoja lähestyneet ukkospilvet väistyivät huhtikuun aikana, sään jäädessä edelleen sateiseksi.

Save the Date: Kansainvälinen EU-rahoituksen verkostoitumistapahtuma Helsingissä 27.8.2025
Haluatko löytää uusia kumppaneita EU-hankkeisiin ja kuulla ajankohtaisista rahoitusmahdollisuuksista kyberturvallisuuden alalla? Varaa kalenteristasi 27.8.2025 ja suuntaa EU-rahoituksiin keskittyvään verkostoitumistapahtumaan Helsinkiin!

Kyberturvallisuuskeskuksen viikkokatsaus -18/2025
Tällä viikolla kerromme mm. kansallisen kyberturvallisuuslain toimeenpanosta ja siitä miten voit tunnistaa uusia liikkeellä olevia kalasteluviestejä.

Kriittinen aktiivisesti hyväksikäytetty haavoittuvuus SAP NetWeaver-komponentissa
SAP NetWeaver-ohjelmistokomponentista löydetty haavoittuvuus on kriittinen ja mahdollistaa uhkatoimijalle järjestelmän haltuunoton. Haavoittuvuutta on hyväksikäytetty aktiivisesti ja havaintoja haavoittuvuuden avulla tehdyistä murroista on myös Suomesta. Haavoittuva järjestelmä on syytä päivittää välittömästi ja haavoittuvuudelle mahdollisesti alttiina olleet järjestelmät tutkia murron varalta.

Kyberturvallisuuskeskuksen viikkokatsaus - 17/2025
Tällä viikolla kerromme Ajovarman nimissä levitettävistä tietojenkalasteluviesteistä, Oraclen pilvipalveluiden mahdollisen tietovuodon riskeistä organisaatioille sekä Traficomin uudistuneesta ohjeesta tietojärjestelmien tietoturvallisuuden arviointi- ja hyväksyntäprosesseista.

Kyberturvallisuuskeskuksen viikkokatsaus – 16/2025
Viime viikon vaalit sujuivat kyberturvallisissa merkeissä. Tällä viikolla kerromme, mitä uusi kyberturvallisuuslaki tuo tullessaan. Voit ilmoittautua toukokuun webinaariin, jossa asiasta kerrotaan vielä lisää. Viikon kuumin puheenaihe on ollut haavoittuvuustietokannan tuleva kohtalo, kun CVE-projektin rahoitus on päättymässä ja kansainväliselle kyberturvallisuudelle tärkeitä palveluita ajetaan alas.

Uusittu ohje tietojärjestelmien tietoturvallisuuden arviointi- ja hyväksyntäprosesseista
Liikenne- ja viestintävirasto Traficom on antanut uusitun ohjeen tietojärjestelmien tietoturvallisuuden arviointi- ja hyväksyntäprosesseista. Se korvaa aiemmin julkaistun ohjeen. Ohje on tarkoitettu viranomaisille ja yrityksille, joilla on tarve käsitellä kansallista tai kansainvälistä turvallisuusluokiteltua tietoa sähköisessä muodossa.

Kyberturvallisuuskeskuksen viikkokatsaus - 15/2025
Tällä viikolla kerromme mm. ajankohtaisista huijauksista ja miltä kuluneen viikon palvelunestohyökkäykset näyttivät Kyberturvallisuuskeskuksen silmin.

Maaliskuun Kybersää 2025
Maaliskuun haavoittuvuuksien, huijausten ja tilimurtojen himmentämässä puolipilvisessä Kybersäässä oli kuitenkin havaittavissa myös verkkojen toimivuuden ja sääntelyn kehityksen aiheuttamia keväisiä auringonpilkahduksia.

Kyberturvallisuuslaki on hyväksytty eduskunnassa - NIS2-direktiivin mukaiset velvoitteet astuvat voimaan 8.4.2025
Kyberturvallisuuslaki tuo mukanaan uusia riskienhallinta- ja raportointivelvoitteita monille toimialoille. Yksi ensimmäisistä askeleista on toimijaluetteloon ilmoittautuminen.

Digitaalinen Eurooppa -rahoitusohjelman työsuunnitelma vuosille 2025-2027 on julkaistu
Digitaalinen Eurooppa -ohjelman vuosien 2025–2027 työohjelma julkaistiin maaliskuun lopussa. Kyberturvallisuuteen on varattu 390 miljoonaa euroa, ja tulevissa hauissa rahoitusta suunnataan muun muassa uusien teknologioiden, kuten tekoälyn ja kvanttiturvallisten algoritmien kehittämiseen. Ensimmäiset haut avautuvat vuoden 2025 aikana.

Kyberturvallisuuskeskuksen viikkokatsaus - 14/2025
Tällä viikolla kerromme tietoja varastavasta haittaohjelmasta, jota levitetään tekijänoikeusrikkomusten varjolla. Muina aiheina ovat verkon reunalaitteiden riskit sekä EU:n digipalveluasetuksen keinot vaalihäirinnän ehkäisemiseksi.

Ivanti Connect Secure -haavoittuvuuden hyväksikäyttöä havaittu vanhemmissa versioissa
Ivanti Connect Secure -tuotteen haavoittuvuutta (CVE-2025-22457) on käytetty hyväksi helmikuun päivityksiä vanhemmissa versioissa. Päivitykset tai vanhentuneen 9.x version käytöstä poistaminen on syytä tehdä nopealla aikataululla.

Kyberturvallisuuskeskuksen viikkokatsaus - 13/2025
Tällä viikolla kerromme muun muassa, miten viestiä kyberhyökkäyksestä sekä pian voimaantulevasta kyberturvallisuuslaista, joka voi vaatia toimenpiteitä NIS2-velvollisilta.

Kuberneteksen ingress-nginx controller -komponentissa useita haavoittuvuuksia
Kuberneteksen ingress-nginx controller -komponentista on löydetty neljä haavoittuvuutta joista yksi on erityisen kriittinen. Kriittistä haavoittuvuutta (CVE-2025-1974) hyväksikäyttämällä hyökkääjä voi suorittaa mielivaltaista koodia etänä ilman tunnistautumista haavoittuvissa Kubernetes klustereissa. Hyökkääjä voi päästä käsiksi myös kaikkiin Kubernetes klusterin salaisuuksiin. Haavoittuvat Kubernetes-instanssit tulisi päivittää mahdollisimman pian.

Kyberturvallisuuskeskuksen viikkokatsaus - 12/2025
Tällä viikolla kerromme mm. Tietoturvaseminaarista ja siitä miten voit tunnistaa huijaukset.

Kyberturvallisuuskeskuksen viikkokatsaus - 11/2025
Kyberturvallisuuskeskuksen vuosikatsaus on julkaistu! Tällä viikolla kerromme myös helmikuun kybersäästä ja uudesta ohjeesta Microsoft 365 Entra ID:n asetusten tarkistamiseen

Helmikuun Kybersää 2025
Helmikuun Kybersään vallitseva kybersäätila oli sateinen, jopa ehkä räntäsateinen, vaikka pieniä pilkahduksia auringosta oli havaittavissa. Toimitusjohtajahuijaukset, viranomaisten nimissä tehty kalastelu ja M365-tilimurrot jatkuivat helmikuussa.

Tietoturvan suunnannäyttäjä -tunnustus annettiin pitkäjänteisestä työstä digitaalisen yhteiskunnan turvaamiseksi
Liikenne- ja viestintävirasto Traficomin jakaman Tietoturvan suunnannäyttäjä -tunnustuksen sai tänä vuonna johtava erityisasiantuntija Kimmo Rousku Digi- ja väestötietovirastosta. Perusteluissa Kimmo Rouskua kiitettiin esimerkillisestä ja pitkäjänteisestä työstä suomalaisen yhteiskunnan kyber- ja digiturvallisuuden edistämiseksi.

Vuosi 2024 muistetaan isoista kybertapauksista
Helsingin kaupungin tietomurto sekä Suomenlahden ja Itämeren alla kulkeneiden kaapelien vaurioitumiset nostivat kyberturvallisuuden otsikoihin vuonna 2024. Liikenne- ja viestintävirasto Traficomin julkaisema Kyberturvallisuuden vuosi 2024 kertaa maamme vuoden tärkeimmät kyberturvallisuuden tapahtumat, kehitystrendit sekä luotaa tulevaisuuteen havaintojen perusteella.

Kyberturvallisuus Suomessa - kuvitettu käsikirja kyberturvallisuuteen
Kyberturvallisuus Suomessa on tiivis, kuvitettu käsikirja tämän päivän kyberturvallisuuteen. Visualisoinnit auttavat havainnollistamaan monimutkaisia ja teknisiä ilmiöitä sekä hahmottamaan asioiden mittakaavaa.

Kyberturvallisuuskeskuksen viikkokatsaus - 10/2025
Tällä viikolla kerromme mm. Facebook-tilimurtoihin johtavista huijausviesteistä, 12.3. pidettävästä Tietoturva 2025 -seminaarista ja siitä miten salasanoja hallitaan turvallisesti.

Into Certification Oy on kolmas tietoturvallisuuden arviointilaitos, jolla on Katakri 2020 -pätevyys
Liikenne- ja viestintävirasto Traficom on 25.2.2025 laajentanut tietoturvallisuuden arviointilaitos Huld Certification Oy:n arviointilaitoshyväksyntää niin, että se kattaa jatkossa myös Katakri 2020 -pätevyysalueen turvallisuusluokkien TL IV ja TL III osalta.

Kyberturvallisuuskeskuksen viikkokatsaus - 09/2025
Tällä viikolla kerromme muun muassa miten kierrätät vanhat laitteet tietoturvallisesti. Lisäksi kerromme kaapelivaurioiden varalta olemassa olevista varajärjestelyistä. Kerromme verkkoalustoilla tapahtuvista huijauksista sekä Kyberturvallisuuskeskuksen nimissä soitetuista huijauspuheluista.

Huijauspuheluita Kyberturvallisuuskeskuksen nimissä
Traficomin Kyberturvallisuuskeskus on saanut viime viikkoina muutamia ilmoituksia huijauspuheluista, joissa on esiinnytty Kyberturvallisuuskeskuksen edustajana.

Kyberturvallisuuskeskuksen viikkokatsaus - 08/2025
Tällä viikolla kerromme Steam-tunnusten kalastelusta, toimitusjohtajahuijauksista sekä ohjelmistoriippuvuuksien riskienhallinnasta. Loppuun kuulumiset Disobey-tapahtumasta.

Vakava haavoittuvuus Palo Alton PAN-OS järjestelmässä
Palo Alton PAN-OS järjestelmässä on havaittu vakava haavoittuvuus, jota hyväksikäyttämällä hyökkääjä voi ohittaa tunnistautumisen ja suorittaa tiettyjä PHP-skriptejä. Haavoittuvuuden hyväksikäytöstä on jo viitteitä, joten on suositeltavaa asentaa korjaava päivitys ja selvittää onko hyväksikäyttöä jo tapahtunut.

Kyberturvallisuuskeskuksen viikkokatsaus - 07/2025
Tällä viikolla kerromme mm. rakkauspetoksista ja siitä miten kybermaailmassakin on hyvä varautua häiriöihin

Radiolaitteiden tietoturvavaatimukset täsmentyvät – tarkista tuotteen vaatimustenmukaisuus ajoissa
EU:n radiolaitedirektiivin tietoturvavaatimusten soveltaminen alkaa 1.8. Nyt julkaistut standardit helpottavat valmistajia, maahantuojia ja myyjiä varmistamaan laitteidensa vaatimustenmukaisuuden.

Tammikuun Kybersää 2025
Ensimmäisessä vuotta 2025 käsittelevässä Kybersäässä julkaistaan pitkän aikavälin ilmiöt, joiden seurantaan Kyberturvallisuuskeskus tänä vuonna erityisesti keskittyy. Tammikuun säätiedotteessa perehdytään jälleen myös viiteen keskeisimpään lähitulevaisuuden uhkaan.

Kriittisiä haavoittuvuuksia Ivanti Connect Secure ja Ivanti Policy Secure
Ivanti on julkaisut tietoturvapäivitykset, joista Ivanti Connect Secure ja Ivanti Policy Secure haavoittuvuuksia hyväksikäyttämällä hyökkääjä voi suorittaa mielivaltaisia koodia komentoja haavoittuvalla laitteella.

Kansallisen koordinointikeskuksen rahoitustuki edisti yritysten kyberturvallisuutta
Traficomin Kyberturvallisuuskeskuksen kansallinen koordinointikeskus myönsi vuosina 2023–2024 mikro- ja pk-yrityksille rahoitustukea modernien tieto- ja kyberturvaratkaisujen käyttöönottoon ja innovointiin yhteensä noin 2 milj. euroa. 4Front Oy:n laatiman rahoitustuen vaikuttavuusarvioinnin mukaan tuen suorat vaikutukset tuen saajien kyberturvallisuuteen ovat merkittäviä. Lisäksi rahoitustuen voidaan arvioida vaikuttavan positiivisesti kansalliseen kyberturvallisuuskapasiteettiin esimerkiksi tuen saajien asiakassuhteiden ja toimitusketjujen kautta.

Kyberturvallisuuskeskuksen viikkokatsaus - 06/2025
Tällä viikolla kerromme tietojenkalastelusta, jossa hyödynnetään suosittua tiedostonjakopalvelu Dropboxia. Muina aiheina ovat konfiguroimattoman palvelun aiheuttama tietovuodon riski, riskienhallinta ohjelmistoturvallisuudessa ja ajankohtaiset huijaukset.

Kyberturvallisuuskeskuksen viikkokatsaus - 05/2025
Tällä viikolla kerromme mm. Internetin kauppapaikoilla leviävästä haittaohjelmasta ja siitä miten yhdistysten pitää panostaa myös tietoturvaan.

Verkon reunalaitteiden riskit ovat merkittävä uhka organisaatioille
Reunalaitteiden näkyminen ja avoimuus internetiin avaa paljon hyökkäyspintaa pahantahtoisille toimijoille. Haavoittuvuudet sekä virheet konfiguraatiossa ovat kirjautumistunnusten vuotamisen ohella merkittävimmät murrolle altistavat tekijät.

Määräyshankepäätös: Määräys viestintäverkon kriittisistä osista
Liikenne- ja viestintävirasto Traficom on antanut 23.1.2025 seuraavan määräyshankepäätöksen: Määräys viestintäverkon kriittisistä osista (TRAFICOM/36420/03.04.05.00/2025).

Internetin kauppapaikoilla leviää nyt haittaohjelma - toimi näin
Poliisi kertoi viime viikolla puhelimiin asennettavasta haittaohjelmasta, jota levitetään internetin kauppapaikoilla. Haittaohjelman avulla huijari voi saada koko puhelimesi hallintaansa ja päästä esimerkiksi verkkopankkiisi. Älä avaa viesteissä olevia linkkejä tai lataa sovelluksia ulkopuolisen pyynnöstä.

Kyberturvallisuuskeskuksen viikkokatsaus - 04/2025
Tällä viikolla kerromme uusien tekniikoiden ja tekoälypalveluiden turvallisesta käyttöönotosta. Mukana asiaa myös ohjelmistoturvallisuudesta.

Sonicwall SMA1000 laitteiden hallintakäyttöliittymässä kriittinen haavoittuvuus
Kriittinen haavoittuvuus SonicWall SMA1000 -laitteiden Appliance Management Console (AMC) ja Central Management Console (CMC) -hallintakäyttöliittymissä mahdollistaa hyökkääjälle mielivaltaisten komentojen suorittamisen etänä ilman autentikointia. Haavoittuvuuden hyväksikäyttöä on mahdollisesti havaittu. Käyttäjiä kehotetaan päivittämään laitteiden ohjelmisto välittömästi.

Kyberturvallisuuskeskuksen viikkokatsaus - 3/2025
Hakukoneiden hakutuloksiin ei kannata luottaa kritiikittömästi. Tälläkin viikolla on nähty väärennettyjen hakutulosten johtavan kalastelusivuille. Tällä viikolla kerromme myös, kuinka Suomessa järjestetty Nato-huippukokous sujui kyberturvallisuuden näkökulmasta. Muistutamme verkon reunalaitteiden turvallisesta hallinnoinnista ja ajankohtaisten turvallisuuspäivitysten tärkeydestä. Lisäksi kutsumme tutustumaan uusiin sääntelyvaatimuksiin CRA (Cyber Resilience Act) -teematilaisuuteen.

Kriittinen rsync-haavoittuvuus vaatii välitöntä korjausta
Rsync-palvelussa on julkaistu kriittinen haavoittuvuus. Pinonylivuotohaavoittuvuus (CVE-2024-12084) antaa hyökkääjille mahdollisuuden suorittaa mielivaltaista koodia kohdepalvelussa. Päivitä rsync välittömästi.

Joulukuun Kybersää 2024
Joulukuussa havaittiin verkon reunalaitteisiin kohdistuneita tietomurron yrityksiä ja kiristyshaittaohjelmia. Lisäksi viranomaisten nimissä tehtiin tietojenkalastelua ja erilaiset huijaukset jatkuivat. Viranomaisten tehokas yhteistyö ja yhteiskunnan varautumisen hyvä taso näkyivät jälleen, kun 25.12.2024 tapahtunutta merikaapeleiden vauriotapausta ryhdyttiin selvittämään.

Fortinetin FortiOS ja FortiProxy -tuotteissa kriittinen haavoittuvuus
Fortinet on julkaissut päivityksiä kriittiseen haavoittuvuuteen FortiOS ja FortiProxy -tuotteissaan. Haavoittuvuutta hyväksikäyttämällä hyökkääjän on mahdollista saavuttaa superadmin-tason oikeudet järjestelmässä. Fortinet on kertonut, että haavoittuvuutta hyväksikäytetään aktiivisesti. Fortinet on julkaissut 14.1 myös muita päivityksiä eri tuoteperheisiinsä.

Kyberturvallisuuskeskuksen viikkokatsaus - 2/2025
Kiristyshaittaohjelmatapauksia havaittiin viime vuonna aiempaa vähemmän, mutta ilmoitusten määrä kasvoi loppuvuonna. Tällä viikolla varoitamme myös kryptovaluutoista kiinnostuneista huijareista.

Ivanti Connect Secure -haavoittuvuuden hyväksikäyttöä havaittu
Ivanti julkaisi kaksi uutta haavoittuvuutta Ivanti Connect Secure, Ivanti Policy Secure ja ZTA Gateway-tuotteisiinsa. Päivitys tulee suorittaa välittömästi, sillä Ivanti Connect Secure -tuotteessa olevan haavoittuvuuden (CVE-2025-0282) hyväksikäyttöä on jo havaittu.

Vastaa Kyberturvallisuuskeskuksen tilannekuvatuotteiden palautekyselyyn

SonicWall julkaisi päivityksiä palomuureissa havaittuihin kriittisiin haavoittuvuuksiin
SonicWall julkaisi palomuurituotteisiinsa viisi uutta haavoittuvuutta, joiden avulla hyökkkääjä voi ohittaa tunnistatumisen sekä voi suorittaa haluamiaan komentoja kohteina olevilla laitteilla. Haavoittuvat ohjelmistot tulee päivittää viipymättä ja lisäksi on selvitettävä, onko mahdollista haavoittuvuuden hyväksikäyttöä jo tapahtunut sekä estettävä mahdollisesti jo vaarantuneiden tunnusten hyväksikäyttö.

Kyberturvallisuuskeskuksen viikkokatsaus - 01/2025
Vuoden ensimmäisen viikkokatsauksen aiheena on Viikkokatsausten vuosi 2024.

Kyberturvallisuuskeskuksen viikkokatsaus - 51/2024
Tällä viikolla kerromme esimerkiksi tekijänoikeusteemaisista huijausviesteistä, joilla pyritään saamaan käyttäjän tietokoneelle haitallisia tiedostoja. Kerromme myös yhteistyöstä sekä some-palveluista tehdyistä valituksista.

Puolustusvoimat ja Traficom käynnistivät kyberturvallisuuden yhteistyöryhmän
Yhteistyöryhmässä (MIL-ISAC) on mukana monipuolisesti puolustusjärjestelmään liittyviä yrityksiä. Työryhmän toiminta käynnistyy tilannekuvan muodostamisella ja keskinäisellä tiedonvaihdolla.

Kansallisen koordinointikeskuksen vuosi 2024
Vuosi 2024 ja sen myötä kansallisen koordinointikeskuksen (NCC-FI) ensimmäinen EU-rahoitteinen projekti on tulossa päätökseen. Kulunut vuosi on ollut tapahtumarikas. Vuoden aikana koordinointikeskus on muun muassa myöntänyt mikro- ja pk-yrityksille 1,5 miljoonan euron edestä rahoitustukea tietoturvaratkaisujen käyttöönottoon, tarjonnut koulutusta EU-rahoitushakemuksien laatimiseen sekä järjestänyt erilaisia tapahtumia.

Kyberturvallisuuskeskuksen viikkokatsaus - 50/2024
Tällä viikolla kerromme mm. uudesta Lumma Stealer -haittaohjelman levitystavasta ja siitä miten inhimillinen virhe voi johtaa tietovuotoon.

Marraskuun Kybersää 2024
Marraskuu osoitti varautumisen tärkeyden, kun Suomea kohtasi kaksi hyvin erilaista digitalisoituneen yhteiskunnan poikkeamaa. Vuoden harmaimmaksi luonnehdittua kuukautta ovat lisäksi sävyttäneet eri pankkien nimissä tehdyt huijaus- ja kalastelukampanjat. Kulunut kuukausi toi mukanaan myös merkittäviä askelia kyberturvallisuuden parantamiseksi EU:ssa.

Kriittisiä haavoittuvuuksia Ivanti Cloud Services (CSA) -tuotteissa
Ivantin Cloud Services Application (CSA) -tuotteissa on julkaistu kolme kriittisiä haavoittuvuutta. Haavoittuvuuksia hyväksikäyttämällä hyökkääjät voivat suorittaa haluamiaan komentoja kohdeorganisaatioiden laitteilla. Päivitykset on syytä tehdä välittömästi.

Kyberturvallisuuskeskuksen viikkokatsaus - 49/2024
Tällä viikolla kerromme mm. alkuviikolla puhuttaneesta kaapelirikosta ja QR-koodien turvallisesta käytöstä.

Traficomin Kyberturvallisuuskeskus osallistui Puolustusvoimien järjestämään Naton Cyber Coalition -harjoitukseen
"Traficomilla on keskeinen rooli kriittisen infrastruktuurin turvaamisessa sekä vastuu kansallisen kybertilannekuvan ylläpitämisestä. Yhteiset kyberharjoitukset tarjoavat viranomaisille turvallisen alustan arvioida ja kehittää toimintatapoja haastavissa kriisi- ja häiriötilanteissa sekä niistä toipumisessa", sanoo Kyberturvallisuuskeskuksen Poikkeamanhallintaosaston johtaja Samuli Bergström.

Kyberturvallisuuskeskuksen viikkokatsaus - 48/2024
Tällä viikolla kerromme mm. ajankohtaisista M365-kalasteluista ja siitä miten loppuvuoden alennusmyynnit ja pakettisumat saavat myös rikolliset liikkeelle.

Digitaalinen skimmaus - vinkkejä verkkokaupan suojaamiseen
Digital skimming, eli digitaalinen skimmaus, on menetelmä, jota rikolliset käyttävät varastaakseen maksukorttitietoja ja muuta arkaluonteista tietoa suoraan verkkokaupoista. Kyseessä on merkittävä uhka, joka voi jäädä huomaamatta pitkiksi ajoiksi, ja aiheuttaa huomattavia taloudellisia ja maineellisia vahinkoja verkkosivustoille sekä niiden asiakkaille. Poimi tästä artikkelista talteen vinkit digitaalisen skimmauksen havaitsemiseen, ennaltaehkäisyyn ja toimenpiteisiin skimmaus-havainnon jälkeen.

Uudistettu määräys hätäliikenteen teknisestä toteutuksesta ja varmistamisesta
Määräys tulee pääosin voimaan 1.3.2025, ja se korvaa 20.12.2016 annetun Viestintäviraston määräyksen hätäliikenteen teknisestä toteutuksesta ja varmistamisesta (Viestintävirasto 33 G/2016 M).

Kyberturvallisuuskeskuksen viikkokatsaus - 47/2024
Tällä viikolla kerromme mm. juuri julkaistusta EU:n kyberkestävyyssäädöksestä sekä varautumisesta erilaisiin häiriötilanteisiin.

Sisäministeriö on julkaissut Häiriö- ja kriisitilanteisiin varautumisen oppaan
Uusi koko väestölle suunnattu Häiriö- ja kriisitilanteisiin varautuminen -opas on julkaistu Suomi.fissä. Sisäministeriö on toteuttanut verkko-oppaan Digi- ja väestötietoviraston sekä laajan yhteistyöverkoston kanssa. Opas kokoaa varautumisohjeet yhteen paikkaan. Traficom on ollut mukana oppaan tuottamisessa.

Kyberturvallisuuskeskuksen viikkokatsaus - 46/2024
Tällä viikolla kerromme mm. kiristyshaittaohjelmista, ilmoittamisesta ja kybersäästä.

Lokakuun Kybersää 2024
Lokakuussa Kyberturvallisuuskeskukselle tehdyissä kyberpoikkeamatapauksissa havaittiin määrällistä kasvua rauhallisemman alkusyksyn jälkeen. Syyssäässä on esiintynyt ajoittaisia sadepilviä ja harmautta suomalaisiin organisaatioihin viime aikoina kohdistuneiden erilaisten sähköpostitse ja tekstiviestitse lähetettävien tietojenkalastelu- ja huijauskampanjoiden vuoksi.

Kyberturvallisuuskeskuksen viikkokatsaus - 45/2024
Tekstiviestihuijauksia on liikkeellä jatkuvasti, mutta niitä myös pysäytetään viranomaisten ja palveluntarjoajien yhteistyöllä. Kerromme myös hotelliasiakkaita jo pitkään kiusanneista huijauksista, joissa hyödynnetään varausjärjestelmien tietomurtoja.

Hotelli- ja matkanvarauspalveluiden tietomurtoja käytetään asiakkaiden huijaamiseen
Tässä analyysissä käydään läpi hotellien ja heidän asiakkaidensa raportoimia tietoturvapoikkeamia, joihin liittyy tietomurtoja hotellien omiin varausjärjestelmiin ja Booking.com-varauspalveluun. Booking.com on yleinen ja suosittu matka- ja majoitusvarauksia tarjoava palvelu. Erilaisia Booking.com-teemaisia petoksia ja tietojenkalasteluita on maailmalla raportoitu jo usean vuoden ajan. Kyberturvallisuuskeskus on raportoinut Booking.comin avulla tehdyistä petoksista mm. viikkokatsauksessa 2024/27. Yleisimpiä Booking.com-teemaisia verkkopetoksia ovat erilaiset tietojenkalasteluviestit.

Runsaasti tekstiviestikalastelua eri organisaatioiden nimissä
Traficomin Kyberturvallisuuskeskus on vastaanottanut viime aikoina runsaasti ilmoituksia tekstiviestikalasteluista esimerkiksi Fortumin, Terveystalon ja Traficomin nimissä. Olethan tarkkana jos saat tekstiviestin, jossa vaaditaan tekemään jotain kiireellisesti.

Kyberturvallisuuskeskuksen viikkokatsaus - 44/2024
Tällä viikolla kerromme, miten voit itse tarkistaa, näkyykö kotireitittimesi internettiin sekä voimakkaasti digitalisoituneen kiinteistö- ja rakennusalan kyberturvallisuushaasteista.

Kyberturvallisuuskeskuksen viikkokatsaus - 43/2024
Tällä viikolla kerromme palvelunestohyökkäyksistä sekä ilmiöstä, jossa yrityksiltä on udeltu eri tahojen avoimia laskuja ja todennäköisimmin valmisteltu laskutuspetoksia. Muina aiheina ovat Kaikki liikkeessä ja Cyber Security Nordic -tapahtumat sekä yli 300:lle yritykselle myönnetty tietoturvan kehittämisen tuki.

Fortinetin FortiManager-tuotteessa kriittinen haavoittuvuus
Fortinet on julkaissut korjauksia kriittiseen FortiManager-tuotteen haavoittuvuuteen. Haavoittuvuutta käytetään aktiivisesti hyväksi, joten on suositeltavaa asentaa korjaava päivitys viipymättä ja selvittää onko hyväksikäyttöä jo tapahtunut.

Kyberturvallisuuskeskuksen viikkokatsaus - 42/2024
Yhteistyön merkitys on ensisijaisen tärkeää yhteiskunnan palveluiden ja toimintojen suojaamiseksi kyberuhkia vastaan. Jokainen voi omilla toimillaan parantaa yhteistä kyberturvallisuuttamme huolehtimalla omien verkkolaitteidensa turvallisuudesta. Siihen saa parhaat neuvot tutustumalla juuri päivitettyihin Kyberturvallisuuskeskuksen ohjeisiin.

Määräyshankepäätös: Määräys teletoiminnan häiriötilanteista
Liikenne- ja viestintävirasto Traficom on antanut 2.10.2024 seuraavan määräyshankepäätöksen: Määräys teletoiminnan häiriötilanteista (TRAFICOM /499548/03.04.05.00/2024).

Tietoturvan kehittämisen tukea 313 yhteiskunnan kannalta elintärkeälle yritykselle
Liikenne- ja viestintävirasto Traficom on myöntänyt elokuun 2024 aikana loppuun tietoturvan kehittämisen tukena myönnettäväksi varatun 6 miljoonan euron määrärahan. Tietoturvan kehittämisen tuki tuli haettavaksi Liikenne- ja viestintävirasto Traficomilta 1.12.2022 alkaen. Yhteensä tukea myönnettiin 313 yhteiskunnan kannalta elintärkeälle yritykselle. Myönnetyt tuet vaihtelevat 371 eurosta 100 000 euroon.

Kyberturvallisuuskeskuksen viikkokatsaus - 41/2024
Tällä viikolla kerromme organisaatioita ja niiden asiakkaita kiusaavista palvelunestohyökkäyksistä. Tutustumme myös juuri julkaistun kansalliseen kyberturvallisuusstrategiaan.

Kriittisiä haavoittuvuuksia Palo Alto Networks Expeditionissa
Palo Alto Networks on julkaissut kriittisiä haavoittuvuuksia Palo Alto Networks Expedition -siirtotyökalussa. Haavoittuvuuden avulla hyökkääjä voi saada haltuun palomuurien järjestelmänvalvojan tilit ja paljastaa arkaluontoisia tietoja, kuten käyttäjänimiä, selväkielisiä salasanoja ja PAN-OS-palomuurien API-avaimia.

Syyskuun Kybersää 2024
Syyskuu toi tullessaan kyberturvallisuuden tapausrintamalla lievää kasvua rauhallisten kesäkuukausien jälkeen. Muutoin melko kirkkaassa syyssäässä esiintyi usvaa organisaatioihin kohdistuneiden palvelunestohyökkäysten sekä erilaisten tietojenkalastelu- ja huijauskampanjoiden vuoksi.

Palvelunestohyökkäystilanne Suomessa
Traficomin Kyberturvallisuuskeskus on vastaanottanut ilmoituksia palvelunestohyökkäyksistä aiempaa enemmän. Hyökkäykset ovat kuitenkin osa internetin arkea ja suurimmalla osalla niistä ei ole vaikutuksia organisaatioiden tai kansalaisten toimintaan.

Kvanttiturvallisia algoritmeja lisätty kansalliseen kriteeristöön
Klassiset julkisen avaimen salausmenetelmät ovat haavoittuvia riittävän tehokkaalle kvanttilaskennalle. Traficom suosittelee organisaatioita siirtymään mahdollisimman pian kvanttiturvallisten algoritmien käyttöön.

Kyberturvallisuuskeskuksen viikkokatsaus - 40/2024
Tällä viikolla kerromme mediassakin esillä olleesta verkkotunnusten päätymisestä vääriin käsiin. Kerromme mikä on verkkosivujen ja verkkotunnuksen ero sekä neuvomme miten verkkotunnuksista ja niiden hallinnasta voi huolehtia asianmukaisesti. Muina aiheina ovat Lumma Stealer haittaohjelman uudet levittämiskeinot, Digiturvaviikko ja alkanut kyberturvallisuuskuukausi, sekä tekstiviestien lähettäjätunnuksen suojaaminen.

Älä ota kesädomainia! – verkkotunnukset ovat arvokasta omaisuutta
Verkkotunnukset ovat nykyisin merkittävää aineetonta omaisuutta ja niistä kannattaa pitää huolta. Verkkotunnuksen päätyminen toisen käsiin voi olla kiusallista tai jopa vaarantaa tietoturvaa, eikä verkkotunnusta yleensä saa helposti takaisin.

Poikkeamien hallinnointi turvallisuuden parantajana
NIS 2 -direktiivin myötä organisaatioille tulee velvoite ilmoittaa merkittävistä tietoturvapoikkeamista valvovalle viranomaiselle. Miten poikkeama havaitaan? Tässä artikkelissa tarjoamme vinkkejä ja käytäntöjä, miten havaintokyvykkyyttä kehitetään.

CUPS-tulostusjärjestelmän haavoittuvuudet mahdollistavat mielivaltaisen koodin suorittamisen
CUPS-tulostusjärjestelmässä on useita haavoittuvuuksia, jotka voivat johtaa mielivaltaisen koodin suorittamiseen etänä ilman tunnistautumista. Organisaatioiden on suositeltavaa poistaa cups-browsed-palvelu käytöstä ja seurata tulevia päivityksiä.

Kyberturvallisuuskeskuksen viikkokatsaus - 39/2024
Tällä viikolla kerromme palvelunestohyökkäysten tilanteesta, kiristyshaittaohjelmista ja uusista huijauksista.

Akira- ja Lockbit-kiristyshaittaohjelmat valokeilassa
Kiristyshaittaohjelmat ovat yksi merkittävimmistä organisaatioihin kohdistuvista kyberuhista. Viime vuosina Suomessa havaituissa kiristyshaittaohjelmahyökkäyksissä ovat korostuneet Akira ja Lockbit 3.0. Hyvä varautuminen antaa parhaat mahdollisuudet hyökkäyksen torjumiseen ja siitä palautumiseen.

Traficomin ensimmäinen NATO-tuotehyväksyntä salausratkaisulle
Liikenne- ja viestintävirasto Traficomin Kyberturvallisuuskeskuksen kansainvälisiin tietoturvavelvoitteisiin liittyviin tehtäviin kuuluu salaustuotteiden hyväksyntä EU- ja NATO- turvallisuusluokitellun tiedon suojaamiseksi Suomessa. Julkisia hyväksyntiä myönnetään tuotteille, jotka täyttävät vaaditut turvallisuusominaisuudet. Turvaluokasta riippuen vaatimuksia on määritelty esimerkiksi salausalgoritmeille, tuotteen ohjelmisto- ja laiteturvallisuudelle sekä turvallisen kehityksen menettelyille.

Kyberturvallisuuskeskuksen viikkokatsaus - 38/2024
Tällä viikolla kerromme mm. carpet bombing -tekniikasta palvelunestohyökkäyksissä ja siitä miten Hyöky-palvelun ensimmäinen vuosi sujui.

Kansainvälinen kumppanuustapahtuma tarjosi tietoa ja verkostoitumismahdollisuuksia
Kansallinen koordinointikeskus järjesti syyskuun alussa kansainvälisen kumppanuustapahtuman yhdessä järjestelykumppanien kanssa. Tapahtumassa kuultiin monipuolisesti puheenvuoroja niin teknologisista kehityssuunnista kuin ajankohtaisista EU-rahoitusmahdollisuuksista kyberturvallisuuden alalla. Osallistujat pääsivät paitsi kysymään kysymyksiä asiantuntijoilta, myös verkostoitumaan keskenään.

EU-rahoitushakemuksiin tukea koulutuksella
EU-hankerahoituksien hakeminen voi näyttäytyä haastavana ja työläänä prosessina. Kansallinen koordinointikeskus (NCC-FI) tarjosi alkusyksystä koulutusta kyberalan EU-rahoitushakemuksien laatimiseen. Koulutuksen tavoitteena oli tukea suomalaisia organisaatioita korkeatasoisten EU-rahoitushakemusten laatimisessa.

Kriittisiä haavoittuvuuksia VMware vCenter Serverissä
VMware vCenter Server-ohjelmistosta on löydetty kaksi kriittistä haavoittuvuutta, joita hyväksikäyttämällä hyökkääjän on mahdollista saada itselleen ohjelmistoa pyörittävän palvelimen täysi hallinta. Valmistaja on julkaissut korjaavat päivitykset, jotka on syytä asentaa mahdollisimman pian.

Red Hat OpenShift Container Platform 4: kriittisiä haavoittuvuuksia
Red Hat OpenShiftistä on löydetty kaksi kriittistä haavoittuvuutta. Haavoittuvuudet mahdollistavat mielivaltaisen koodin suorittamisen ja OpenShiftiä suorittavien noodien kaappaamisen. Haavoittuvuuksia vastaan on olemassa rajoituskeinot, jotka on syytä suorittaa viipymättä.

Kyberturvallisuuskeskuksen viikkokatsaus - 37/2024
M365-tunnuksia kalastellaan nyt etenkin Dropbox-palvelun avulla. Olethan tarkkana Dropboxista saapuvien tiedostojen kanssa.

Elokuun Kybersää 2024
Elokuun Kybersää jatkui kesä-heinäkuun tapaan tavanomaista rauhallisempana. Sääntelykentällä aurinko porottaa lämpimästi, kun Traficomin uudistettu määräys teletoiminnan tietoturvasta astui voimaan.

SonicWall SSLVPN haavoittuvuutta hyväksikäytetään aktiivisesti
SonicWall SSLVPN -tuotteen haavoittuvuutta CVE-2024-40766 on havaittu hyväksikäytettävän aktiivisesti kiristyshaittaohjelmahyökkäyksissä. Haavoittuvat ohjelmistot tulee päivittää viipymättä ja selvittää onko mahdollista haavoittuvuuden hyväksikäyttöä jo tapahtunut sekä estää mahdollisesti jo vaarantuneiden tunnusten hyväksikäyttö.

Kyberturvallisuuskeskuksen viikkokatsaus - 36/2024
Tällä viikolla kerromme muun muassa vinkkejä lapsille ja vanhemmille turvalliseen pelaamiseen sekä bottiverkoista.

Uudistettu teletoiminnan tietoturvamääräys voimaan 1.9.2024
Liikenne- ja viestintävirasto Traficom on antanut uudistetun teletoiminnan tietoturvamääräyksen. Määräys tulee pääosin voimaan 1.9.2024, ja se korvaa 4.3.2015 annetun teletoiminnan tietoturvamääräyksen. Uudistus edellyttää kaikilta teleyrityksiltä toimenpiteitä tietoturvallisuuden ja riskien hallinnan vaatimusten toteuttamiseksi ja dokumentoimiseksi.

Kyberturvallisuuskeskuksen viikkokatsaus - 35/2024
Tällä viikolla toivotamme uudet koululaiset tervetulleiksi myös digitaaliselle opintielle. Kerromme myös Microsoftin uudistuksesta, jolla palveluihin kirjautumisen ja hallinnan turvallisuutta parannetaan kaksivaiheisella kirjautumisella.

Kyberturvallisuuskeskuksen viikkokatsaus - 34/2024
Tällä viikolla kerromme mm. Nyt valppaana! -kampanjasta ja kokoamme tunnelmia Assembly-tapahtumasta. Mukana myös ajankohtaiset huijaukset.

Kriittinen haavoittuvuus LiteSpeed Cache WordPress -lisäosassa
LiteSpeed Cache WordPress -lisäosasta on löydetty kriittinen haavoittuvuus. Haavoittuvuuden hyväksikäyttö mahdollistaa hyökkääjälle pääsyn järjestelmään luomalla uusia käyttäjätunnuksia ilman tunnistautumista.

Uhka-analyysi ja uhkamallinnus varautumisen työkaluina kyberturvallisuusriskien hallinnassa
NIS 2 -direktiivi velvoittaa monia toimijoita riskienhallintaan omissa organisaatioissaan. Uhka-analyysin teko ja uhkamallinnuksen käyttöönotto ja ajan tasalla pitäminen tarjoavat järjestelmällisen menetelmän kyberturvallisuusriskien tunnistamiseen ja varautumiseen.

Nyt valppaana! - Kyberturvallisuuden kansalaiskampanjassa annetaan ohjeita tietoverkkohuijausten tunnistamiseen
Traficomin Kyberturvallisuuskeskuksen, Digi- ja väestötietovirasto DVV:n ja poliisin yhteisessä Nyt valppaana! -kampanjassa opetellaan tunnistamaan internetin varjopuolia ja suojautumaan niiltä.

Kyberturvallisuuskeskuksen viikkokatsaus - 33/2024
Tällä viikolla kerromme mitä kiristyshaittaohjelmat ovat ja miten niiltä voi suojautua.

Mikä ihmeen kiristyshaittaohjelma?
Kiristyshaittaohjelma on ohjelma, joka estää laitteen normaalin käytön ja esittää vaatimuksen lunnaiden maksamisesta rikollisille. Haittaohjelmatyypistä käytetään myös nimitystä lunnastroijalainen.

Kyberturvallisuuskeskuksen viikkokatsaus - 32/2024
Tällä viikolla kerromme mitä voit tehdä, jos henkilötietojasi joutuu väärin käsiin. Huijarit eivät lepää kesälläkään, joten muistutamme myös Traficomin nimissä lähetetyistä huijausviesteistä.

Heinäkuun Kybersää 2024
Kybersää oli heinäkuussa aikaisempia kuukausia jonkin verran rauhallisempi. Toisaalta heinäkuuhun mahtui merkittäviäkin tapahtumia, kun CrowdStrike-tietoturvatuotteen päivitys aiheutti laajan häiriön ympäri maailmaa. Huijausviestien osalta loppukuussa veronpalautusteemaiset viestit alkoivat jälleen yleistymään elokuun alun veronpalautuksia ennakoiden.

Kyberturvallisuuskeskuksen viikkokatsaus - 31/2024
Tällä viikolla kerromme mm. lainahuijauksista ja siitä miten syksyllä maksettavat veronpalautukset kiinnostavat myös rikollisia.

Kyberturvallisuuskeskuksen viikkokatsaus - 30/2024
Tällä viikolla kerromme mm. CrowdStriken päivityksen aiheuttamasta häiriöstä sekä annamme vinkkejä turvalliseen somettamiseen.

Sometilit kuntoon – vinkit turvalliseen somettamiseen
Oletko miettinyt, mitä tietoja sinusta voi sosiaalisen median kautta saada tai mitä tapahtuisi, jos sosiaalisen median tilisi saisikin haltuun jokin ulkopuolinen taho? Sosiaalisesta mediasta on tullut iso osa jokapäiväistä elämäämme, ja sen avulla on helppoa pitää ihmisiin yhteyttä tai jakaa pätkiä elämästään kuvien tai julkaisujen muodossa. On tärkeää muistaa, että sosiaalisen median pelikentällä on myös pelaajia, joilla ei ole hyvät mielessä. Tässä artikkelissa pureudutaan sosiaalisen median turvalliseen käyttöön, sekä avataan riskejä, joita sosiaalinen media tuo mukanaan.

CrowdStriken päivitys aiheuttanut häiriöitä Windows-laitteissa
CrowdStrike-tietoturvaohjelmiston päivitys on aiheuttanut Windows-laitteissa toistuvan uudelleenkäynnistymistilan (boot loop). CrowdStrike on pääosin organisaatiokäytössä oleva tietoturvaohjelmisto. Tapauksesta on aiheutunut häiriöitä ja käyttökatkoja organisaatioille ja eri palveluille ympäri maailmaa.

Kyberturvallisuuskeskuksen viikkokatsaus - 29/2024
Tällä viikolla kerromme mm. haavoittuvuuksien entistäkin nopeammasta hyväksikäytöstä ja osallistumisestamme Assembly-tapahtumaan.

Kriittinen haavoittuvuus Cisco Secure Email Gatewayssa (ent. IronPort)
Cisco Secure Email Gatewaysta (entinen IronPort) on löytynyt kriittinen haavoittuvuus. Haavoittuvuuden hyväksikäyttö mahdollistaa hyökkääjälle haitallisen koodin suorittamisen laitteen käyttöjärjestelmässä.

Kyberturvallisuuskeskuksen viikkokatsaus – 28/2024
Valtioneuvosto on asettanut tutkintaryhmän selvittämään Helsingin kaupunkiin kohdistunutta tietomurtoa. Käymme läpi, mitä tapauksesta voi oppia.

Kesäkuun Kybersää 2024
Kesäkuu näyttäytyi monella kyberrintamalla aikaisempia kuukausia rauhallisempana. Toisaalta esimerkiksi kalasteluviestit sekä Microsoft 365 -käyttäjätilien kalastelut jatkuivat. Kesälläkin on hyvä muistaa pitää organisaatioiden tietoturvasta huolta.

Kyberturvallisuuskeskuksen viikkokatsaus - 27/2024
Tällä viikolla varoittelemme M365-tietomurroista ja tietojenkalastelusta hotellivarauspalvelun kautta. Annamme myös vinkkejä kyberturvalliseen lomamatkailuun.

Ajankohtaiset EU-rahoitusmahdollisuudet kyberturvallisuusalalle
Heinäkuun aikana kyberturvallisuuden alalle avautuu useita kiinnostavia EU-rahoitusmahdollisuuksia. Rahoitusmahdollisuuksia on tarjolla niin yksityisen, julkisen kuin tutkimussektorinkin toimijoille. Rahoitusta myönnetään uusien teknologioiden käyttöönottoon ja hyödyntämiseen, sekä tutkimus- innovaatio- ja kehittämistoimintaan. Myös Naton DIANA-kiihdyttämöohjelma avaa kiinnostavia mahdollisuuksia kunnianhimoisten innovatiivisten teknologioiden kehittämiseen yhteistyötyössä laajan kumppani- ja asiantuntijaverkoston kanssa.

Kriittinen haavoittuvuus OpenSSH-ohjelmistossa
OpenSSH-ohjelmistosta löytynyt kriittinen haavoittuvuus mahdollistaa allaolevan järjestelmän täyden haltuunoton etänä ilman tunnistautumista. Haltuunotto on tähän mennessä todennettu glibc-pohjaisilla Linux-järjestelmillä sekä FreeBSD-järjestelmillä. Kyberturvallisuuskeskuksella ei ole tiedossa haavan aktiivista hyväksikäyttöä.

Kyberturvallisuuskeskuksen viikkokatsaus - 26/2024
Tällä viikolla kerromme esimerkiksi kyberturvallisuusharjoittelun tärkeydestä ja loma-ajan tietoturvasta.

Traficom ohjeistaa tietovälineiden turvalliseen tyhjentämiseen
Traficomin on julkaissut ohjeen suojattavaa tietoa sisältävien tallennusvälineiden tyhjennyksestä ja mahdollisessa uusiokäytöstä organisaatioiden riskienhallinnalle. Ohjeessa kuvataan yleisimmät edellytykset tallennusmedioiden luotettavaan, todennettavissa olevaan tyhjennykseen ja uusiokäyttöön.

Huijausviestejä Traficomin nimissä
Liikenne- ja viestintävirasto Traficom varoittaa Traficomin nimissä lähetetyistä huijausviesteistä. Huijausviesteissä väitetään, että viestin saajalla on erääntynyt maksamatta oleva sakko. Kyse on kalasteluviestistä, jolla sinut yritetään saada klikkaamaan viestissä olevaa linkkiä ja luovuttamaan pankkitunnuksesi rikollisille.

Kyberturvallisuuskeskuksen viikkokatsaus - 25/2024
Tällä viikolla kerromme mm. siitä, miten fyysinen turvallisuus on yksi tietoturvan keskeisimmistä tekijöistä ja suosittelemme valmistautumaan kvanttiturvallisiin salausalgoritmeihin siirtymiseen.

Traficom kehottaa valmistautumaan kvanttiturvallisiin salausalgoritmeihin siirtymiseen
Klassiset julkisen avaimen salausmenetelmät ovat haavoittuvia riittävän tehokkaalle kvanttilaskennalle. Tämä tarkoittaa sitä, että näillä menetelmillä salattuja tietoja voidaan kerätä talteen nyt ja purkaa myöhemmin, kun riittävän tehokas kvanttikone on saatavilla. Haavoittuvien menetelmien korvaamiseksi on käynnissä useita kvanttiturvallisten algoritmien standardointiin tähtääviä hankkeita, ja ensimmäisten standardien odotetaan valmistuvan tänä vuonna. Kvanttiturvallisia toteutuksia (esim. Signal-viestisovellus) on jo tehty standardiluonnosten perusteella.

Kyberturvallisuuskeskuksen viikkokatsaus - 24/2024
Tällä viikolla kerromme muun muassa toimitusjohtajien nimissä lähetetyistä huijauksista ja siitä miten toimitusketjuhyökkäykset ovat viime vuosina yleistyneet. Palaamme myös toukokuun Kybersään merkeissä viime kuun tapahtumiin.

Kriittisiä haavoittuvuuksia Adobe FrameMaker Publishing, Adobe Commerce ja Magento alustoissa
Adobe on julkaissut kriittisiä tietoturvapäivityksiä Adobe FrameMaker Publishing, Adobe Commerce ja Magento -ohjelmistoihin. Onnistunut hyväksikäyttö voi johtaa mielivaltaisen koodin suorittamiseen, tietoturvasuojauksien ohitukseen ja käyttöoikeuksien laajenemiseen. Jos käytössänne on Adoben FrameMaker Publishing palvelin, Adobe Commerce ja Magento -verkkokauppa-alusta, kehoitamme päivittämään Adobe -ohjelmistojen tietoturvapäivitykset viipymättä.

Toukokuun Kybersää 2024
Kybersää jatkui synkeänä myös toukokuussa. Kybersäätä synkensivät erityisesti tietomurtojen ja -vuotojen alalla julki tulleet tapaukset. Myös huijausten ja kalastelujen saralla myrskysi.

Huomio hankintojen ja toimitusketjujen turvallisuuteen - NIS2-direktiivissä uusia velvoitteita
Toimitusketjuhyökkäykset ovat yleistyneet viime vuosina. Asia on huomioitu myös NIS2-direktiivissä ja sen kyberturvallisuuden riskienhallinnan toimenpiteissä. NIS2-direktiivissä toimitusketjun hallintavelvoite ulottuu toimijan välittömiin toimittajiin ja palveluntarjoajiin. Hankintojen osalta uusi NIS2-direktiivi korostaa tuotteen tai palvelun kyberturvallisuuden huomioimista koko elinkaaren ajalta.

Kyberturvallisuuskeskuksen viikkokatsaus - 23/2024
Traficomin nimeä käytettiin SMS-huijaukseen, jossa maksamattoman sakon verukkeella kalasteltiin pankkitunnuksia. Poliisioperaatiossa suljetussa bottiverkossa oli yli 19 miljoonaa päätelaitetta. Bottiverkkoa operoitiin haittaohjelmalla, joka oli asennettuna miljooniin päätelaitteisiin ympäri maailmaa. Näillä ohjeilla varmistat, ettet ole osa bottiverkkoa.

911 S5 -bottiverkossa tuhansia suomalaisia IP-osoitteita mukana
Toukokuussa 2024 suljettu 911 S5 -bottiverkko tarjosi rikollisille pääsyn vaarantuneisiin IP-osoitteisiin ja niihin liittyviin yksityishenkilöiden ja yritysten omistamiin laitteisiin. Joukossa on ollut myös tuhansia kaapattuja laitteita, joiden IP-osoite sijaitsee Suomessa. Kaappaukset ovat tapahtuneet haitallisten VPN-palveluiden avulla. Ohjeen avulla tunnistat ja poistat haitallisen palvelun laitteeltasi.

Kyberturvallisuuskeskuksen viikkokatsaus - 22/2024
Tällä viikolla kerromme mm. oman organisaation palveluiden tietoturvan kartoittamisesta, sekä NIS2-direktiivin riskienhallintavelvoitteesta.

Vakava haavoittuvuus Check Point Quantum Gateway -tuotteissa
Check Point Quantum Gateway palomuurituotteissa on löydetty haavoittuvuus, jota on havaittu hyväksikäytettävän rajattuun asiakaskuntaan kohdistuvissa hyökkäysyrityksissä. Valmistaja on julkaissut korjaavan ohjelmistopäivityksen sekä ohjeita päivityksen suorittamiseen. Päivitys tulee ottaa käyttöön viipymättä ja varmistaa ettei onnistuneesta hyväksikäytöstä ole havaintoja. Haavoittuvuudelle on julkinen hyväksikäyttömenetelmä, joten ohjelmistojen päivittäminen tulee priorisoida korkeimmalle mahdolliselle tasolle.

Millaiseen kyberpoikkeamaan organisaatiosi on varautunut? Tutustu NIS2-direktiivin riskienhallintavelvoitteeseen
NIS2-direktiivissä säädetään kyberturvallisuuden riskienhallinnasta ja hallintatoimenpiteiden perustason velvoitteista. Traficomin valmistelemasta suositusluonnoksesta voi hakea tukea riskienhallinnan suunnitteluun.

Kyberturvallisuuskeskuksen viikkokatsaus - 21/2024
Kuntiin kohdistuneet kyberhyökkäykset ovat yleistyneet, ja tällä viikolla muistutammekin kuntien tietoturvan merkityksestä. Huomioimme myös tulevat europarlamenttivaalit ja annamme vinkkejä tietoturvasta huolehtimiseen vaalikampanjoinnin aikana.

Huippuhakkerit kolkuttelivat luvan kanssa paikallisten 5G-verkkojen tietoturvaa
Viime viikonloppuna kansainvälisessä 5G-tapahtumassa Espoon Dipolissa oli koolla 70 valkohattuhakkeria. Heille annettiin lupa testata 5G-verkon puolustusta, murtautua sisälle verkkoon, kartoittaa verkon sisäisiä komponentteja ja palveluja, korottaa omia käyttöoikeuksia ja saada verkko paremmin haltuun. Tämän lisäksi he saivat luvan muuttaa, asentaa, poistaa ja rikkoa verkon komponentteja. Testaamalla ja korjaamalla uutta, vielä kehitysvaiheessa olevaa, teknologiaa edistämme kyberturvallisuutta ja yhteiskunnan varautumista.

Mitä NIS2-direktiivissä esitetyt kyberhygieniakäytännöt ovat?
Kyberhygieniakäytännöt eli perustason tietoturvakäytännöt luovat perustan organisaation kyberturvallisuudelle. Jos kyberturvallisuus ei ole organisaatiolle vielä kovin tuttua, kyberhygieniakäytännöillä organisaatio pääsee alkuun kyberturvallisuudesta huolehtimisessa.

Kyberturvallisuuskeskuksen viikkokatsaus - 20/2024
Tällä viikolla kerromme esimerkiksi Helsingin tietomurrosta, joka osoittaa monille organisaatioille kuinka tärkeää tietoturvaan panostaminen on.

Oikotietä hyvään tietoturvaan ei ole - tukea ja tietoa on tarjolla
Oletteko miettineet kunnassanne, miten hyvin kuntanne ja hallussanne olevien kuntalaisten tiedot on suojattu? Milloin järjestelmät ja sovellukset on päivitetty? Milloin olette viimeksi harjoitelleet kyberhyökkäyksen varalle?

Modernien tietoturvaratkaisujen ja -innovaatioiden käyttöönoton tukea myönnettiin 36 yritykselle
Liikenne- ja viestintäviraston Kyberturvallisuuskeskuksen Kansallinen koordinointikeskus (NCC-FI) avasi 2.1.2024 Suomeen rekisteröidyille mikro- ja pk-yrityksille haettavaksi rahoitustukea modernien tietoturvaratkaisujen ja -innovaatioiden käyttöönottoprojekteihin. Rahoitustukea oli jaossa yhteensä 1,5 milj. euroa. 1.3.2024 päättyneeseen hakuun saapui 160 hakemusta. Rahoitustukea haettiin yhteensä noin 6,5 milj. euron edestä.

Kyberuhkien lieventäminen rajallisilla resursseilla - ohje kansalaisyhteiskunnalle julkaistu
Yhdysvaltain kyberturvallisuusvirasto (Cybersecurity and Infrastructure Security Agency, CISA) on luonut yhteisen kyberturvallisuuden ohjeistuksen keskeisten valtiollisten, valtiosta riippumattomien, yritysmaailman ja kansalaisyhteiskunnan kumppaneiden kanssa erityisen riskialttiille yhteisötoimijoille, kuten kansalaisyhteiskunnan järjestöille ja yksilöille. Suomesta yhteistyössä oli mukana Traficomin Kyberturvallisuuskeskus.

Tietomurrot - mitä ne ovat?
Helsingin kaupunki kertoi joutuneensa tietomurron kohteeksi toukokuun alussa. Tietomurto tarkoittaa luvatonta tietojärjestelmään, palveluun tai laitteeseen tunkeutumista tai sovelluksen, kuten esimerkiksi sähköpostitilin luvatonta käyttöä haltuun saatujen tunnusten avulla. Tietomurto on rikoslaissa määritelty rangaistava teko ja myös tietomurron yritys on rangaistavaa. Tässä artikkelissa kerromme tietomurroista yleisesti.

Kyberturvallisuuskeskuksen viikkokatsaus - 19/2024
Tällä viikolla poistimme huhtikuussa julkaistun vakavan varoituksen Palo Alton tuotteiden kriittisestä haavoittuvuudesta. Kerromme myös tarkempaa pohdintaa Mirai-haittaohjelman varjopuolista ja keinoista, joilla jokainen kuluttaja voi omalta osaltaan huolehtia laitteidensa ja verkkoympäristönsä tietoturvasta.

Huhtikuun Kybersää 2024
Kevät lähti kyberturvallisuuden osalta myrskyisästi käyntiin. Myrskyn merkkejä Kybersäähän toivat erityisesti huhtikuussa julkaistu Varoitus 1/2024 Palo Alton GlobalProtect-tuotteisiin liittyen, mutta myös Android-puhelimissa huijausviesteillä levinnyt haittaohjelma.

Palo Alto GlobalProtect -tuotteita koskenut Varoitus on poistettu
Palo Alto GlobalProtect -tuotetta käyttäviin organisaatioihin kohdistui vakava uhka huhtikuussa. Kriittinen haavoittuvuus johti Suomessakin tietomurtotapauksiin, mutta vakavammilta vahingoilta vältyttiin.

Miraissa on tulevaisuus
Mirai-haittaohjelmatartuntojen torjunta ja siivoaminen on osoittautunut vaikeaksi, sillä se nähdään helposti “jonkun toisen ongelmana”, kirjoittaa erityisasiantuntijamme Perttu Halonen.

Kyberturvallisuuskeskuksen viikkokatsaus - 18/2024
Tällä viikolla kerromme muun muassa pankkitietoja varastavasta Android-haittaohjelmasta. Mukana on tuttuun tapaan myös ajankohtaiset huijaukset.

Kyberturvallisuuskeskuksen viikkokatsaus - 17/2024
Tällä viikolla kerromme mm. tietojenkalastelusta -.fi-verkkotunnuksissa ja siitä miten tietoturvalliseen lomakauteen kannattaa varautua työpaikalla.

Useita vakavia haavoittuvuuksia Cisco ASA ja FTD-tuotteissa
Cisco Adaptive Security Appliance ja Firepower Threat Defense tuotteissa on havaittu haavoittuvuuksia, joita on käytetty osana valtiollisen toimijan suorittamia kyberhyökkäyksiä. Valmistaja on julkaissut korjaavat ohjelmistopäivitykset sekä ohjeita mahdollisen tietomurron havaitsemiseksi.

Miksi tietoturvapoikkeaman selvittäminen on tärkeää ja miksi asiasta kannattaa ilmoittaa viranomaiselle?
Tietoturvapoikkeama voi osua suoraan tai välillisesti mihin tahansa organisaatioon. Vaikka tietoturvaan olisi panostettu, järjestelmät olisivat päivitysten osalta ajan tasalla ja prosessit kunnossa, voi poikkeama silti päästä yllättämään. Kerromme, miksi organisaation CISO:n on hyvä pitää huolta siitä, että poikkeaman syy selvitetään ja miksi asiasta on hyvä ilmoittaa myös viranomaiselle.

Kyberturvallisuuskeskuksen viikkokatsaus - 16/2024
Tällä viikolla kerromme Palo Alto -verkkolaitteiden kriittisestä haavoittuvuudesta ja siihen julkaistusta keltaisesta varoituksesta. Luottotietorekisteriin nimissä on liikkeellä tietojenkalasteluviestejä ja organisaatiot ovat vastaanottaneet erilaisia laskutushuijauksia.

Tietomurtoja Palo Alto GlobalProtect-tuotteisiin – vaatii välittömiä toimia
Organisaatioissa laajasti käytetyn Palo Alto GlobalProtect-tuotteen haavoittuvuutta (CVE-2024-3400) käytetään aktiivisesti hyväksi. Haavoittuvuudella on merkittäviä vaikutuksia ja se vaatii laitteiden päivitystä ja tutkintaa. Haavoittuvuudelle alttiita laitteita on syytä epäillä murretuiksi.

Vakava haavoittuvuus PuTTY-ohjelmiston ECDSA-algoritmin toteutuksessa
PuTTY-tietoliikenneasiakasohjelmiston ja sen koodia käyttävien sovellusten heikko NIST P-521 ECDSA-algoritmin toteutus voi paljastaa käyttäjän yksityisen avaimen, mikäli avain on edellä mainittua tyyppiä.

Kriittinen haavoittuvuus Palo Alton GlobalProtect -tuotteessa
Palo Alton PAN-OS-järjestelmän GlobalProtect-ominaisuuden haavoittuvuus mahdollistaa järjestelmän täyden haltuunoton etänä ilman tunnistautumista. Valmistaja on julkaissut ensimmäiset korjaavat päivitykset 14.4. Haavoittuvuutta hyväksikäytetään aktiivisesti ja haavoittuvuuden korjaavat päivitykset on syytä suorittaa välittömästi.

Kyberturvallisuuskeskuksen viikkokatsaus - 15/2024
Tällä viikolla kerromme kotien internetiin kytkettyjen laitteiden, erityisesti televisioiden, tietoturvasta ja haavoittuvuuksista, jotka voivat altistaa laitteet pahantahtoisille hyökkäyksille sekä kerromme, miten kotien laitteet tulee suojata. Muita viikkokatsauksen aiheita ovat maaliskuisen tietoturvaseminaarimme tallenne, NIS2-direktiivi sekä verkkosivujemme palautekysely.

Lausuntopyyntö suositusluonnoksesta NIS2-direktiivin kyberturvallisuuden riskienhallinnan toimenpiteistä
Liikenne- ja viestintävirasto Traficomin Kyberturvallisuuskeskus pyytää lausuntoja suositusluonnoksesta valvoville viranomaisille NIS2-direktiivin mukaisista kyberturvallisuuden riskienhallinnan toimenpiteistä.

TIEDOTE: Kyberturvallisuuskeskus on muuttanut haavoittuvuustiedotteen ulkoasua
Kirjoitamme edelleenkin artikkelin ingressiin kuvauksen haavoittuvuudesta ja sen kriittisyydestä. Halusimme muutoksella jouhevoittaa haavoittuvuustiedottamista.

Maaliskuun Kybersää 2024
Keväiset sateet sävyttivät maaliskuun kybersäätä, mutta aurinkokin pilkahteli. Huijauksissa esillä oli erityisesti ajoneuvoveroteemainen kalastelu. Myös palvelunestohyökkäyksiä ja sähköpostikalastelua nähtiin maaliskuussa. Tässä Kybersäässä mukana ovat myös neljä kertaa vuodessa päivitettävät kvartaalitilastot.

Tietoturva 2024 -seminaarissa puhutti tekoäly ja kvanttiteknologia
Traficomin Kyberturvallisuuskeskuksen sekä Huoltovarmuuskeskuksen järjestämä Tietoturva 2024 -seminaari kokosi maaliskuun puolivälissä tietoturvan tulevaisuuteen liittyvistä aiheista kiinnostuneet jälleen yhteen. Tänä vuonna seminaarin teemoina olivat tekoäly sekä kvanttiteknologia. Seminaarissa jaettiin myös Tietoturvan suunnannäyttäjä -tunnustus, joka myönnettiin tänä vuonna huijauspuhelujen ja -viestien estämiseen tähtäävälle yhteistyölle.

Auta meitä kehittämään verkkosivujamme
Kehitämme Traficomin Kyberturvallisuuskeskuksen verkkosivuja ja haluamme kuulla sinun mielipiteesi verkkosivuston sisällöistä ja arjen tietoturvan viestinnästä. Voit osallistua sekä kyselyyn että käytettävyystutkimukseen tai halutessasi vain toiseen. Palautteesi auttaa meitä kehittämään sisältöä entistä asiakaslähtöisemmäksi.

Kyberturvallisuuskeskuksen viikkokatsaus - 14/2024
Tällä viikolla kerromme mm. Linuxin käyttöjärjestelmän varaantaneesta kriittisestä haavoittuvuudesta ja julkaisimme DeepFake-tietopaketin.

Kun jokainen päivä voi olla aprillipäivä - Mistä deepfakeissa on kysymys?
Olet todennäköisesti törmännyt viime aikoina sanaan "deepfake". Mistä deepfakeissa ja niiden taustalla olevassa teknologioissa ja tekniikoissa on kysymys?

Kriittinen haavoittuvuus Linux-jakeluissa XZ Utils -tiedonpakkausohjelmistossa
Linux-jakeluiden XZ Utils -tiedostonpakkausohjelman 5.6.0 ja 5.6.1 versiot sisältävät haitallista koodia, joka sallii luvattoman pääsyn luoden takaportin järjestelmään. Haitallinen koodi on käytössä useissa Linux-jakeluissa. Valmistaja suosittelee ottamaan käyttöön vanhemman version (5.4.6) XZ Utils -tiedostonpakkausohjelmasta tai poistamaan sen käytöstä kokonaan, sillä korjaavaa ohjelmistopäivitystä ei ole vielä julkaistu.

Kyberturvallisuuskeskuksen viikkokatsaus - 13/2024
Tällä viikolla kerromme mm. verkkotunnusten huolellisesta hallinnasta sekä tulevasta Hack the Networks -hackathon tapahtumasta.

Kyberturvallisuuskeskuksen viikkokatsaus - 12/2024
Tällä viikolla kerromme Tietoturvan vuosi 2023 -katsauksesta sekä kyberturvallisuusaiheiden käsittelystä Futucast-podcastissa. Lisäksi kerromme uusista ohjeista pilvipalveluihin ja tietoturvan vähimmäisvaatimuksiin liittyen.

Tietoturvan vuosi 2023 -katsaus arvioi uhkatason pysyvän kohonneena myös vuonna 2024
Tietoturvan vuosi 2023 kokoaa tietoa, arvioita ja analyysejä menneen vuoden merkittävimmistä kyberilmiöstä, trendeistä ja tietoturvasääntelystä yksiin kansiin.

Harjoittelu ja varautuminen ovat osa yritysten vastuullisuutta
Miten toimitte, jos toimistolla syttyy kesken työpäivän tulipalo? Hätäuloskäynnit, kokoontumispaikat ja muut toimintatavat on luultavasi harjoiteltu yhdessä moneen kertaan. Hyvä! Mutta mitä jos kohdalle osuu tietomurto tai kiristyshaittaohjelma? Myös erilaisiin kyberhäiriöihin kannattaa varautua harjoittelemalla, muistuttaa Traficomin pääjohtaja Jarkko Saarimäki.

Kyberturvallisuuskeskuksen viikkokatsaus - 11/2024
Microsoft 365 -tilimurrot ovat taas kääntyneet nousuun. Tällä kertaa tunnuksia kalastellaan Dropboxin nimissä. Monivaiheinen tunnistautuminen on tehokas keino tietojenkalastelua vastaan.

Helmikuun Kybersää 2024
Helmikuussa vallitseva kybersäätila oli sateinen. Microsoft 365 -tilimurrot jatkuivat helmikuussakin. Myös haktivistit jatkoivat palvelunestohyökkäyksiään, kun kuun alussa suureen määrään suomalaisia organisaatioita kohdistui palvelunestohyökkäyksiä.

Tekoäly on yhä keskeisempi tekijä tulevaisuuden tietoturvaratkaisuissa
Tekoälystä ja sen hyödyntämisestä kyberturvallisuuden edistämisessä keskustellaan paljon. Jo tänä päivänä eri toimialoilla on käytössä erilaisia tekoälypohjaisia tietoturvaratkaisuja. Missä mennään tällä hetkellä ratkaisujen kehittämisessä ja käytössä? Millaisia kehityskulkuja voidaan nähdä tulevaisuudessa? Millaiset ovat ylipäätään tekoälyn mahdollisuudet tietoturvan parantamisessa?

Traficom palkitsee yhteistyön huijauspuheluiden ja huijausviestien estämiseksi Tietoturvan suunnannäyttäjä -tunnustuspalkinnolla
Traficom myönsi Tietoturvan suunnannäyttäjä tunnustuspalkinnon tahoille, jotka ovat olleet yhdessä laatimassa ja toteuttamassa toimenpiteitä kansainvälisten huijauspuheluiden ja huijausviestien estämiseksi. Yhteistyön ansiosta väärennetyillä suomalaisilla numeroilla soitetut huijauspuhelut ovat käytännössä loppuneet. Koska ongelma on maailmanlaajuinen, suomalainen osaaminen ja uranuurtava tekeminen herättää kiinnostusta myös kansainvälisesti.

Kyberhyökkäykset siirtyvät pilveen - Näin suojaudut ja raportoit Kyberturvallisuuskeskukselle
Pilvisiirtymän myötä myös kyberhyökkäykset siirtyvät pilveen. Niin kyberrikolliset kuin valtiolliset toimijat kohdistavat operaatioitaan entistä enemmän organisaatioiden pilviympäristöihin. Esittelemme tyypillisimmät murtautumiskeinot pilvipalveluihin ja neuvomme miten niiltä voi suojautua. Kyberturvallisuuskeskukselle voi ilmoittaa myös pilviympäristöihin kohdistuneista tietomurroista.

Kyberturvallisuuskeskuksen viikkokatsaus - 10/2024
Saitko sinäkin tekstiviestin, joka pelottelee liikennerikkomuksien seurauksilla? Niitä on nyt paljon liikkeellä. Huijauksia liikkuu myös muun muassa suomi.fi-palvelun nimissä.

Riskialttiit verkon reunalaitteet aktiivisten murtoyritysten kohteena
Verkon reunalla sijaitsevat laitteet voivat olla riskialttiita ja tarvitsevat erityistä huomiota organisaatioilta. Haavoittuvuudet, puutteet prosesseissa ja konfiguraatiovirheet altistavat organisaatiot hyökkääjille. Säännöllinen harjoittelu auttaa organisaatioita varautumaan erilaisiin kyberpoikkeamiin.

JetBrains TeamCity -ohjelmistossa kriittinen haavoittuvuus
JetBrains TeamCity -ohjelmistoon on julkaistu päivitys, joka korjaa kaksi tunnistautumisen ohittamisen mahdollistavaa haavoittuvuutta. Haavoittuvuudet koskevat TeamCity On-premises tuotteita. Korjaava päivitys on suositeltavaa asentaa mahdollisimman pian.

Kyberturvallisuuskeskuksen viikkokatsaus - 09/2024
Tällä viikolla kerromme erilaisista rekrytointihuijauksista sekä haitallisten liitetiedostojen vaarallisuudesta.

Anssi Kärkkäinen Liikenne- ja viestintävirasto Traficomin Kyberturvallisuuskeskuksen uusi ylijohtaja
Traficomin Kyberturvallisuuskeskuksen uudeksi ylijohtajaksi on nimitetty TkT, DI, ye.ups. Anssi Kärkkäinen 4.3.2024 alkaen kolmen vuoden määräajaksi. Kärkkäisellä on laaja-alainen tausta kyberturvallisuuden eri johtotehtävistä sekä valtionhallinnon että elinkeinoelämän puolelta.

Kyberturvallisuuskeskuksen viikkokatsaus - 08/2024
Tällä viikolla kerromme mm. sähköpostitilien murtoaallosta ja siitä, miten toimitusjohtajahuijauksia sekä petoksen yrityksiä yritetään tehdä verkossa Matkahuollon ja Postin nimiä käyttäen.

Rikollisten tehtailemat tekstiviestihuijaukset vaikeutuvat - jo 70 lähettäjätunnusta on suojattu
Liikenne- ja viestintävirasto Traficomin ja operaattoreiden työ tekstiviestihuijausten kampittamiseksi kantaa hedelmää. Tähän mennessä eri organisaatiot ovat suojanneet jo 70 tekstiviestin lähettäjätunnusta. Traficom kannustaakin myös muita tekstiviestejä lähettäviä organisaatioita tarkistamaan suojaustarpeensa ja rekisteröimään tarvittavat tunnukset Traficomin palvelussa.

Kyberturvallisuuskeskuksen viikkokatsaus - 07/2024
Tällä viikolla kerromme mm. haavoittuvuuksista, ajankohtaisista tietojenkalastelukampanjoista ja siitä miten presidentinvaalit sujuivat kyberturvallisuuden näkökulmasta.

Kriittisiä haavoittuvuuksia Fortinetin FortiOS -ohjelmistossa
Fortinet julkaisi useita korjauksia FortiOS-ohjelmiston komponenttien haavoittuvuuksiin. Yhtä haavoittuvuuksista on jo todennäköisesti hyväksikäytetty, joten korjaavat päivitykset on suositeltavaa asentaa viipymättä.

Kyberturvallisuuskeskuksen viikkokatsaus - 06/2024
Tällä viikolla kerromme mm. pankkitunnusten kalastelusta OmaKannan sekä Suomi.fi-teeman avulla, ja palvelunestohyökkäyshavainnoista alkuvuoden osalta.

Tammikuun Kybersää 2024
Vuosi 2024 alkoi kybersäässä sateisissa merkeissä. Vuoden ensimmäinen kuukausi piti sisällään niin piikin Microsoft 365 -tilimurtojen ilmoitusmäärissä, kuin useampia kriittisiä haavoittuvuuksia. Myös haktivistien tekemät palvelunestohyökkäykset jatkuivat alkuvuonna.

Vieraskynä: Läheistäni huijataan – mitä voin tehdä?
Läheisellä voi olla tärkeä rooli romanssihuijauksen pysäyttämisessä. Taloudellisten menetysten lisäksi huijaus aiheuttaa uhreille ja heidän läheisilleen häpeää ja ahdistusta, kirjoittaa Jimi Tikkanen Nettideittiturva-hankkeesta.

Kriittisiä haavoittuvuuksia GitLabin Community Edition ja Enterprise Edition -tuotteissa
GitLab on julkaissut päivityksen Community Edition (CE) ja Enterprise Edition (EE) -tuotteiden kriittiseen haavoittuvuuteen. Korjaava versiopäivitys kannattaa asentaa mahdollisimman pikaisesti.

Useita kriittisiä haavoittuvuuksia konttiteknologioiden runc ja Moby BuildKit -työkaluissa
runc ja Moby BuildKit ovat konttiteknologian alustaratkaisuissa käytettäviä työkaluja, joihin yläkerrosten sovellukset, kuten Docker ja Kubernetes nojaavat. Työkaluissa on havaittu kriittisiä haavoittuvuuksia, joiden avulla hyökkääjä voi saada pääsyn järjestelmään ja sen arkaluonteisiin tietoihin. Haavoittuvuudet mahdollistavat myös jatkohyökkäyksien tekemisen.

Palvelunestohyökkäykset jatkuvat myös vuonna 2024
Palvelunestohyökkäyksellä pyritään aiheuttamaan hetkellistä haittaa esimerkiksi verkkosivuihin. Erityisesti haktivistien palvelunestohyökkäykset näkyivät Suomessa vuonna 2023. Sama näyttää jatkuvan myös tänä vuonna.

Kyberturvallisuuskeskuksen viikkokatsaus - 05/2024
Tällä viikolla kerromme Poliisin nimissä tehtävistä huijauspuheluista. Muistetaan myös hyvät uutiset – ensi viikolla vietetään Mediataitoviikkoa ja Tietoturva 2024 -seminaarin ilmoittautuminen on avattu.

Merkittävä haavoittuvuus GNU glibc-kirjastossa
GNU glibc-kirjastossa on havaittu puskurin ylivuotohaavoittuvuus, joka vaikuttaa useisiin Linux-jakeluihin. Haavoittuvuus mahdollistaa paikallisille käyttäjille oikeuksien korottamisen pääkäyttäjän (root) tasolle. Linux-jakeluista haavoittuvaiseksi on todettu ainakin Debian (versiot 12 ja 13), Ubuntu (23.04 ja 23.10) ja Fedora (37 - 39). Mainittuihin jakeluihin on tarjolla korjaavat päivitykset.

Kyberturvallisuuskeskuksen viikkokatsaus - 04/2024
Tällä viikolla kerromme voimakkaasti lisääntyneestä veroaiheisista huijauksista ja käyttäjätilien tietomurroista. Huijarit ovat taitavia laatimaan petoksia kulloinkin ajankohtaisista aiheista. Nyt petkutusten aiheiksi ovat valikoituneet tietomurrot ja veronpalautukset. Kyberala murroksessa -seminaarissa yleisöä kiinnosti mm. yritysten EU-sääntely.

Apple julkaisi kriittisiä päivityksiä useisiin tuotteisiinsa, haavoittuvuuksien hyväksikäyttöä on havaittu
Useissa Applen tuotteissa ja Safari-verkkoselaimessa on korjattu kriittisiä haavoittuvuuksia. Haavoittuvuudet korjaavat päivitykset on suositeltavaa asentaa välittömästi, sillä haavoittuvuuksien hyväksikäyttöä on jo havaittu maailmalla.

Kyberturvallisuuskeskuksen viikkokatsaus - 03/2024
Tällä viikolla kerromme pankkitunnuksia havittelevista huijauskampanjoista, vaalien kyberturvallisuudesta sekä syväväärennöksistä, ja siitä miten ne voidaan tunnistaa.

Kriittisiä haavoittuvuuksia Atlassianin tuotteissa
Atlassianin Bitbucket-, Confluence-, Jira-, Bamboo- ja Crowd-tuotteissa on useita haavoittuvuuksia, joista vakavimmat mahdollistavat hyökkääjälle mielivaltaisen koodin suorittamisen (RCE). Valmistaja kehottaa ryhtymään välittömästi toimenpiteisiin haavoittuvuuksien johdosta. Haavoittuviin ohjelmistoihin on olemassa ongelman korjaavat versiot. Haavoittuvuudet eivät koske Atlassianin itse pilvipalveluna tuottamia palveluita.

Vaalit turvataan viranomaisten yhteistyöllä
Alkanut vuosi on todellinen vaalivuosi niin Suomessa kuin maailmallakin. Presidentinvaaleihin ja europarlamenttivaaleihin valmistautuminen on useiden eri toimijoiden pitkäjänteistä varautumistyötä ministeriöistä ja virastoista aina kuntatasolle ja yksittäisille äänestyspaikoille asti. Vaikka jännitteinen kansainvälinen tilanne saattaa herättää kansalaisissa huolta, suomalainen vaalijärjestelmä on vakaa ja turvallinen.

Kyberturvallisuuskeskuksen viikkokatsaus - 02/2024
Tällä viikolla kerromme Ivantin ohjelmistohaavoittuvuuksista, jotka koskevat useita satoja kotimaisia palvelimia. Myös Akira-kiristyshaittaohjelmatapaukset ja OmaVero-huijaukset ovat näkyneet Kyberturvallisuuskeskuksen ilmoituksissa.

Joulukuun kybersäätä synkistivät kiristyshaittaohjelmat
Vuosi 2023 päättyi kyberturvallisuuden osalta sateisissa merkeissä. Jopa salamointia oli ilmassa, kun Kyberturvallisuuskeskus sai kaikkiaan kuusi ilmoitusta Akira-kiristyshaittaohjelmasta. Myös seurauksiltaan vakavien tietomurtojen määrä kasvoi joulukuussa.

Ivantin tuotteissa kriittisiä hyväksikäytettyjä haavoittuvuuksia
PÄIVITYS 31.1.2024: Ivanti julkaisi kaksi uutta haavoittuvuutta Ivanti Connect Secure (tunnettiin aikaisemmin nimellä Pulse Secure) sekä Ivanti Policy Secure -tuotteissaan. Toista 31.1. julkaistua haavoittuvuutta on jo hyväksikäytetty. Lukuisten kotimaisten organisaatioiden on syytä reagoida haavoittuvuuksiin välittömästi.

Suomalaiset organisaatiot Akira-kiristyshaittaohjelmien kohteena
Kyberturvallisuuskeskus vastaanotti 12 ilmoitusta Akira-kiristyshaittaohjelmatapauksista kotimaisilta organisaatioilta vuonna 2023. Tapaukset liittyivät erityisesti heikosti suojattuihin Ciscon VPN-toteutuksiin tai niiden paikkaamatta jääneisiin haavoittuvuuksiin. Toipuminen on yleensä vaikeaa.

Kyberturvallisuuskeskuksen viikkokatsaus - 01/2024
Tällä viikolla kerromme alkuvuonna auki olevista rahoitushauista ja kertaamme vuoden 2023 tärkeimpiä kybertapahtumia.

Osallistu alkuvuodesta 2024 auki olevien kyberturvallisuusrahoitushakujen esittelyn webinaariin 18.1.2024
Kyberturvallisuuden tutkimuksen, kehityksen ja innovaatioiden kansallinen koordinointikeskus esittelee alkuvuodesta 2024 auki olevia, Traficomin ja EU:n kyberturvallisuuden rahoitushakuja torstaina 18.1.2024 klo 10:00–11:30 järjestettävässä webinaarissa. Rahoitusohjelmasta riippuen rahoitusta voivat hakea yritykset, yhdistykset ja säätiöt, yliopistot, tutkimuslaitokset sekä julkisen sektorin toimijat.

Haavoittuvuus SMTP-protokollan toteutuksessa useissa eri sähköpostiohjelmistoissa
Vuoden 2023 lopulla SMTP-protokollan useisiin toteutuksiin julkaistiin nollapäivähaavoittuvuus. Haavoittuvuutta hyödyntämällä uhkatoimijat voivat väärinkäyttää haavoittuvia SMTP-palvelimia maailmanlaajuisesti lähettääkseen haitallisia sähköposteja mielivaltaisista sähköpostiosoitteista, mikä mahdollistaa mm. kohdistettuja tietojenkalasteluhyökkäyksiä. Haavoittuvuus koskee SMTP-ohjelmistoista ainakin Postfixiä, Sendmailia ja Eximiä.

Rahoitustukihaku modernien tietoturvaratkaisujen ja -innovaatioiden käyttöönottoon pk-yrityksissä on avattu
Liikenne- ja viestintävirasto Traficomin Kyberturvallisuuskeskus on avannut mikroyrityksille ja pienille ja keskisuurille yrityksille haettavaksi rahoitustukea modernien tietoturvaratkaisujen ja -innovaatioiden käyttöönottoon. Haku on auki 2.1.–1.3.2024 klo 16:15 asti. Haettavana on yhteensä 1,5 miljoonaa euroa.

Kyberturvallisuuskeskuksen viikkokatsaus - 52/2023
Tällä viikolla kerromme suomalaisiinkin organisaatioihin hyökänneestä Akira-kiristyshaittaohjelmasta sekä Kyberala murroksessa -seminaarista. Vuoden viimeisessä viikkokatsauksessa toivotamme kaikille turvallista uutta vuotta 2024!

Kyberturvallisuuskeskuksen viikkokatsaus - 51/2023
Tällä viikolla kerromme mm. erilaisista petoksista ja elektronisten työkalujen tarjoamista mahdollisuuksista, Digitaalinen Eurooppa -ohjelmasta sekä yksityisten sähköpostitilien kalastelusta.

Traficom laatii suositusta NIS2-direktiivin kyberturvallisuuden riskienhallinnan toimenpiteistä
Liikenne- ja viestintävirasto Traficom valmistelee suositusta kyberturvallisuuden riskienhallinnan toimenpiteistä. Suosituksen taustalla on 16.1.2023 voimaan tullut NIS2-direktiivi, jonka tavoitteena on kyberturvallisuuden yhteisen tason varmistaminen kaikkialla Euroopan unionissa.

EU-rahoitusta kyberturvallisuussektorin eri osa-alueille Digitaalinen Eurooppa -ohjelmasta
Euroopan komission Digitaalinen Eurooppa -rahoitusohjelmassa on julkistettu uusia kyberturvallisuussektoria koskevia hakuja. Hakujen teemoja ovat muun muassa osaamisen kehittäminen sekä tekoälyn, kvanttikryptografian ja kyberkestävyyssäädöksen edistäminen.

Kyberturvallisuuskeskuksen viikkokatsaus - 50/2023
Tällä viikolla kerromme mm. WhatsAppissa liikkuvista rekrytointihuijauksista. Muistutamme myös, mitä tulee ottaa huomioon uuden älylaitteen hankinnassa ja käyttöönotossa.

Marraskuun kybersäässä kiristyshaittaohjelmat aiheuttivat salamointia
Lokakuun myrskyt jäivät varoituksen poistamisen myötä marraskuussa taa, mutta loppusyksyinen kybersää jatkui valtaosin sateisena. Erityisesti haittaohjelmien ja haavoittuvuuksien osalta salamointia aiheuttivat useat ilmoitukset kiristyshaittaohjelmahavainnoista. Kyberrikollisten kyky hyödyntää julki tulleita haavoittuvuuksia on nopeaa. Myös joulun aikaan onkin hyvä muistaa pitää päivityksistä huolta.

Apache Struts 2 -ohjelmistokehyksestä korjattu kriittinen haavoittuvuus
Apache-projektin tuottamassa web-sovellusten toteuttamiseen käytettävässä avoimen lähdekoodin Struts 2 -ohjelmistokehyksessä on havaittu kriittinen haavoittuvuus CVE-2023-50164. Haavoittuvuutta hyväksikäyttämällä hyökkääjä voi suorittaa verkon yli kohteessa mielivaltaista koodia ja ottaa mahdollisesti haltuunsa haavoittuvan järjestelmän. Haavoittuvuuden korjaamiseen on julkaistu ohjelmistopäivitys, joka tulee ottaa käyttöön välittömästi.

Lausuntopyyntö luonnoksesta määräykseksi teletoiminnan tietoturvasta
Liikenne- ja viestintävirasto Traficomin määräystä teletoiminnan tietoturvasta päivitetään. Traficom pyytää lausuntoa määräyksen ja perustelumuistion luonnoksista.

Apple julkaisi kriittisiä päivityksiä useisiin tuotteisiinsa
Apple julkaisi useisiin eri tuotteisiinsa monia kriittisiä haavoittuvuuksia korjaavat ohjelmistoversiot. Mukana myös vanhempia edelleen tuettuja ohjelmistoversioita, joihin ei vielä aiemmin ollut haavoittuvuuksia korjaavia versioita saatavilla. Haavoittuvuudet korjaavat ohjelmistoversiot tulee ottaa käyttöön viipymättä, koska osaa haavoittuvuuksista on havaittu jo hyväksikäytettävän.

EU:n Horisontti Eurooppa -rahoitushakuja julkistettu kyberturvallisuussektorille
Euroopan komission Horisontti Eurooppa -rahoitusohjelmassa on julkistettu uusia kyberturvallisuussektoria koskettavia tutkimus-, kehittämis- ja innovaatiohakuja.

Kansallisen koordinointikeskuksen järjestämän ensimmäisen rahoitustukihaun päätökset annettu
Kansallisen koordinointikeskuksen järjestämän ensimmäisen rahoitustukihaun päätökset annettiin 15.11.2023. Rahoitustukea oli haettavissa aikavälillä 16.6.–16.8.2023 yhteensä 500 000 euroa. Tukea myönnettiin yhteensä noin 485 000 euroa pk-yritysten kyberturvallisuutta parantaviin projekteihin.

Kyberturvallisuuskeskuksen viikkokatsaus - 49/2023
Tällä viikolla kerromme huijausviesteistä, joissa vastaanottaja koitetaan pelästyttää veronpalautusten peruutuksella. Muina aiheina ovat Akira-kiristyshaittaohjelma Suomessa sekä sijaisjärjestelyjen tärkeys myös joulupyhien aikana.

Vakavia haavoittuvuuksia Atlassianin tuotteissa
Atlassianin Bitbucket, Confluence ja Jira-tuotteissa on useita haavoittuvuuksia, jotka mahdollistavat hyökkääjälle mielivaltaisen koodin suorittamisen (RCE). Valmistaja kehottaa ryhtymään välittömästi toimenpiteisiin haavoittuvuuksien johdosta. Haavoittuviin ohjelmistoihin on olemassa ongelman korjaavat versiot. Haavoittuvuudet eivät koske Atlassianin itse pilvipalveluna tuottamia palveluita.

Kyberturvallisuuskeskuksen viikkokatsaus - 48/2023
Rikollisten tähtäimessä ovat nyt yritysten ja yhdistysten Facebook-tilit. Messengerin kautta lähetetyissä viesteissä väitetään, että käyttäjän tili aiotaan sulkea esimerkiksi tekijänoikeusrikkomuksen vuoksi.

Kriittinen haavoittuvuus Qlik Sense -tuotteessa
Kriittiseksi luokiteltu haavoittuvuus Qlik Sense -tuotteessa mahdollistaa hyökkääjälle oikeuksien korottamisen sekä mielivaltaisen koodin suorittamisen Qlik Sensen arkiston (repository) taustapalvelimella. Kyberturvallisuuskeskus varoittaa haavoittuvuudesta nyt, sillä kiristyshaittaohjelmatoimijan on havaittu hyväksikäyttävän sitä.

Kyberturvallisuuskeskuksen viikkokatsaus - 47/2023
Tällä viikolla kerromme mm. liikkeellä olevista Signal- ja Telegram-huijausviesteistä sekä siitä, miten Kelan nimissä lähetetään aktiivisesti huijaustekstiviestejä.

Kriittinen haavoittuvuus ownCloud -tuotteessa
ownCloud-tiedostonjako-ohjelmiston valmistaja on ilmoittanut tuotteessa havaitusta kriittisestä haavoittuvuudesta. Haavoittuvuus mahdollistaa hyökkääjälle pääsyn järjestelmässä olevaan osoitteeseen, josta saa luettua arkaluonteista tietoa.

Osallistu verkkotilaisuuteen EU:n uusista rahoitushauista kyberturvallisuussektorille
Kyberturvallisuussektorin osaamisen kehittämiseen on avautumassa uusia Euroopan komission rahoitushakuja. Hakujen yhteenlaskettu arvo on 46 miljoonaa euroa. Komissio esittelee hakuja 12.12.2023 verkkotilaisuudessa, johon hauista kiinnostuneet voivat osallistua. Kyberturvallisuuskeskuksen kansallinen koordinointikeskus (NCC-FI) tukee suomalaisia hakijoita hakemusvalmistelussa ja konsortion muodostamisessa.

Kyberturvallisuuskeskuksen viikkokatsaus - 46/2023
Tällä viikolla kerromme kiristyshaittaohjelmien uusista tuulista ja tilanteesta kotimaassa. Muistutamme myös virheellisestä oletuskonfiguraatiosta suositussa ServiceNow-alustassa.

Tietoturvan kehittämisen tukea 24 yritykselle - enintään 100 000 euron tuet jaettiin loppuun
Tietoturvan kehittämisen tuen enintään 100 000 euron tukina myönnettäväksi varattu 2 miljoonan euron määräraha on nyt myönnetty kokonaan. Tukea myönnettiin lopulta 24 yritykselle, kun kaiken kaikkiaan enintään 100 000 euron tukea haki 150 yritystä. Suuri määrä tukea hakeneista yrityksistä jäi siten ilman tukea. Liikenne- ja viestintävirasto Traficom tulee antamaan kyseisille yrityksille vielä erillisen päätöksen asiassa.

Kiristyshaittaohjelmissa uusia toimijoita ja toimintatapoja
Kuluneen vuoden aikana eri kiristyshaittaohjelmat ovat levinneet yhä nopeammin ympäri maailmaa. Myös kiristyshaittaohjelmien variaatiot sekä toimijoiden määrä ovat kasvaneet.

Kyberturvallisuuskeskuksen viikkokatsaus - 45/2023
Tällä viikolla kerromme muun muassa Microsoft 365 -tietomurtoaallon varoituksen päättymisestä, sekä OnniTV:llä esitettävästä Turvallisesti netissä -sarjastamme.

Lokakuun kybersäässä myrskysi monella rintamalla
Lokakuun kybersää oli myrskyvoittoinen. Erityisesti myrskyisyyttä selittää lokakuussa julkaistu vakava varoitus 1/2023, jossa varoitettiin Microsoft 365 -tietojenkalastelu- sekä tietomurtoaallosta. Aalto poiki Suomessa satoja ilmoituksia sähköpostitilimurroista. Lisäksi lokakuussa julkaistiin useita kriittisiä haavoittuvuuksia, joista monia oli myös käytetty jo hyväksi.

Microsoft 365 -tietomurtoaallosta kertova varoitus on poistettu
Suomalaisten organisaatioiden sähköpostitilejä kaapannut tietojenkalastelukampanja on hiipunut, ja ilmoitusmäärät Microsoft 365 -tilimurroista ovat kääntyneet laskuun. Vastaavia laajoja tietojenkalastelu- ja tietomurtokampanjoita nähtäneen tulevaisuudessakin, mutta tällä hetkellä syytä varoitukseen ei ole.

Kriittisiä haavoittuvuuksia Veeam ONE -ohjelmistossa
Veeam on ilmoittanut kahdesta kriittisestä haavoittuvuudesta Veeam ONE ohjelmistossa. Ensimmäinen haavoittuvuus (CVE-2023-38547) mahdollistaa koodin etäsuorittamiseen Veeam ONE -ohjelmiston asetustietokantanaan käyttämällä SQL-palvelimella. Toisessa haavoittuvuudessa (CVE-2023-38548) hyökkääjän on mahdollista saada käyttöönsä Veeam ONE -raportointipalvelussa käytetyn tilin NTLM-tiivisteen (hash). Haavoittuvat Veeam-versiot ovat Veeam ONE 11, 11a ja 12. Haavoittuvuuksiin on saatavilla korjaava päivitys.

Kriittisiä haavoittuvuuksia QNAP NAS -laitteissa
QNAP on julkaissut korjaavia ohjelmistopäivityksiä kahteen kriittiseen haavoittuvuuteen. Haavoittuvuudet mahdollistavat hyökkääjälle haavoittuvan järjestelmän etäkäytön. Ylläpitäjiä suositellaan asentamaan korjaava ohjelmistopäivitys mahdollisimman pian.

F5 BIG-IP tuotteissa kriittinen haavoittuvuus - Hyväksikäyttöä havaittu
F5 on julkaissut päivitykset kahteen haavoittuvuuteen CVE-2023-46747 ja CVE-2023-46748, joiden avulla hyökkääjä voi suorittaa etänä komentoja järjestelmässä. Toinen haavoittuvuuksista on luokiteltu kriittiseksi. F5 suosittelee haavoittuvien järjestelmien päivittämistä.

Kyberturvallisuuskeskuksen viikkokatsaus - 44/2023
Tällä viikolla kerromme vuokra- ja vastikerahojen perässä olevasta huijauskampanjasta sekä ServiceNow-alustassa havaitusta virhekonfiguraatiosta, joka on altistanut organisaatioita tietovuodoille. Muina aiheina ovat Kyberturvallisuuskeskuksen tulevaisuuten keskittyvä teemakuukausi sekä Digi- ja väestötietoviraston Taisto-harjoitus.

Virheellinen oletuskonfiguraatio ServiceNow -alustalla mahdollistaa tietovuodon
ServiceNow ilmoitti noin viikko sitten tukisivustollaan, että alustan virheelliset konfiguraatiot voivat mahdollistaa arkaluonteisen tiedon vuotamisen. Kyseinen tietoturva-aukko on palvelua käyttäville organisaatioille kriittinen huolenaihe, sillä se voi johtaa arkaluonteisten yritystietojen merkittävään tietovuotoon. Kyberturvallisuuskeskuksella on tiedossa tapauksia, joissa tätä tietoturva-aukkoa on hyödynnetty.

Kriittinen etäkäytön mahdollistava haavoittuvuus Apache ActiveMQ tuotteessa
Apache on julkaissut korjaavan ohjelmistopäivityksen ActiveMQ tuotteesta löytyneeseen etäkäytön mahdollistavaan haavoittuvuuteen. Ylläpitäjiä suositellaan asentamaan korjaava ohjelmistopäivitys mahdollisimman pian.

Kriittinen haavoittuvuus Atlassian Confluence -tuotteissa - Hyväksikäyttöä havaittu
Atlassian Confluence Data Center ja Server tuotteiden paikallisesti asennetuissa versioissa on havaittu kriittinen virheelliseen valtuuttamiseen liittyvä haavoittuvuus. Atlassian suosittelee asentamaan päivitykset välittömästi tai rajoittamaan haavoittuvuuden hyväksikäyttömahdollisuuksia estämällä palvelun näkyvyys julkiseen verkkoon. Haavoittuvuutta on hyväksikäytetty.

Euroopan kyberturvallisuuskuukauden teemana on sosiaalinen manipulointi
Internetissä kohtaamamme henkilöt voivat olla myös aivan muuta kuin mitä he väittävät. Henkilöt ja henkilöllisyydet voivat olla tekaistuja, digitaalisin keinoin muunneltuja tai siellä voidaan esiintyä sinulle tuttuna henkilönä, vaikkapa äitinäsi. Meitä yritetään huijata sosiaalisen manipuloinnin keinoin. Se on Euroopan tietoturvakuukauden teema tänä vuonna. Esittelemme vinkkejä ja neuvoja, miten sinä voi suojautua sosiaaliselta manipuloinnilta.

Kyberturvallisuuskeskuksen viikkokatsaus - 43/2023
Tällä viikolla kertaamme Microsoft 365 -tilien tietomurtoaallon tilannetta, sekä kerromme tietomurtojen aallosta haavoittuvissa Ciscon verkkolaitteissa. Lisäksi muistutamme, että Tietoturva 2023 -seminaarin sekä Ketjutonttu-kampanjan tuloskatsauswebinaarin tallenteet ja aineistot ovat saatavilla verkkosivuillamme.

Tietoturva 2023 -seminaarissa katsottiin tietoturvan tulevaisuuteen
Tietoturva 2023 -seminaari pidettiin torstaina 12.10.2023 Helsingissä sekä verkossa. Seminaarin teemana oli tänä vuonna kyberturvallisuuden ja -uhkien tulevaisuus. Erityisesti tekoäly ja toimitusketjut nousivat puheeksi monessa eri puheenvuorossa.

Keltainen varoitus: Tietojenkalastelun seurauksena Microsoft 365 -tilien tietomurtoaalto
Rikolliset kalastelevat väärennetyillä sähköpostiviesteillä Microsoft 365 -ympäristön salasanoja. Tietojenkalastelulla saatujen käyttäjätunnusten ja salasanojen avulla rikollisten on mahdollista murtautua M365-tilille. Kalasteluviestejä ja uusia tilimurtoja on kuluvalla viikolla raportoitu kymmenistä suomalaisista organisaatioista. Kalastelukampanja leviää organisaatiosta toiseen hyödyntämällä murrettujen käyttäjätilien yhteystietolistoja.

Kyberturvallisuuskeskuksen viikkokatsaus - 42/2023
Tällä viikolla kerromme Microsoft 365 -tilien tietomurtoaallosta ja annamme ohjeita kotiverkon ja reitittimien suojaamiseen.

Tietomurtoaalto leviää organisaatiosta toiseen – katkaise tietojenkalastelu
Suomalaisten organisaatioiden sähköpostitilejä kaapataan laajalle levinneen tietojenkalastelukampanjan avulla. Rikolliset ovat kalastelleet yritysten työntekijöiden käyttäjätunnuksia ja salasanoja sähköpostitse ja huijaussivujen avulla, sekä kirjautuneet saamillaan tunnuksilla Microsoft 365 -sähköpostijärjestelmiin. Kaapattuja tilejä käytetään uusien tietojenkalasteluviestien lähettämiseen sekä sisäisesti että muihin organisaatioihin.

Kriittistä Citrix Netscaler ja ADC -haavoittuvuutta käytetty hyväksi
Citrix julkaisi 10.10.2023 päivityksen haavoittuvuuteen CVE-2023-4966, jota on hyväksikäytetty jo elokuusta asti. Organisaatioiden tulee päivittää tuote viimeistään nyt ja tarkastaa, ettei hyväksikäyttöä ole tapahtunut.

Miten ohjelmistokehityksen turvallisuutta voidaan kehittää? Tuore selvitys kartoitti ohjelmistokehityksen nykytilaa ja kehittämistarpeita
Mikä on ohjelmistokehityksen turvallisuuden taso Suomessa tänään? Miten turvallista ohjelmistokehitystä ja ohjelmiston hankintaa voidaan kehittää kansallisella tasolla? Muun muassa näitä kysymyksiä tarkastellaan Traficomin ja Huoltovarmuuskeskuksen tuoreessa selvityksessä.

Osaamisyhteisö ja yhteistyö kansallisen koordinointikeskuksen ensimmäisen toimintavuoden toiminnan keskiössä
Liikenne- ja viestintävirastossa sijaitsevaan Kyberturvallisuuskeskukseen perustettiin tämän vuoden alussa uusi Kyberturvallisuuden tutkimuksen, kehityksen ja innovaatioiden Suomen kansallinen koordinointikeskus (National Coordination Centre Finland, NCC-FI ), jonka tehtävänä on luoda edellytyksiä suomalaiselle kyberturvallisuustoimialalle, kuten yrityksille, korkeakouluille ja tutkimuslaitoksille osallistua kansainväliseen tutkimus- ja kehitystoimintaan. Ensimmäinen toimintavuotemme alkaa olemaan muutamaa kuukautta vaille valmis, joten on hyvä aika pysähtyä ja tehdä yleiskatsaus kansallisen koordinointikeskuksen työntäyteiseen vuoteen.

Cisco IOS XE ohjelmiston web-käyttöliittymässä käyttöoikeuksien laajentamisen mahdollistava haavoittuvuus
Cisco julkaisi tiedotteen haavoittuvuudesta CVE-2023-20198, joka vaikuttaa Cisco IOS XE -ohjelmiston web-käyttöliittymään. Hyökkääjä voi käyttää haavoittuvuutta hyväkseen saadakseen haavoittuvan laitteen hallintaansa. Päivitys 23.10.2023: Tiedotteeseen lisätty myös järjestelmätason pääsyn mahdollistava haavoittuvuus CVE-2023-20273. Osaan IOS XE -järjestelmäversioista on saatavilla korjaukset.

Kansallisen koordinointikeskuksen rahoitustuki kannustaa pk-yrityksiä kyberturvallisuuden vahvistamisessa
Kansallisen koordinointikeskuksen ensimmäinen rahoitustukihaku pk-yritysten kyberturvallisuusprojekteille päättyi 16.8.2023. Vastaa palautekyselyyn ja vaikuta seuraaviin rahoitustukihakuihin! Seuraava rahoitustukihaku pk-yrityksille järjestetään alkuvuodesta 2024.

Kyberturvallisuuskeskuksen viikkokatsaus - 41/2023
Tällä viikolla kerromme mm. Suomeen kohdistuneista palvelunestohyökkäyksistä, sekä Veron nimissä tapahtuvasta pankkitunnuskalastelusta.

Tietoturvan suunnannäyttäjä -tunnustus Keski-Uudenmaan koulutuskuntayhtymä Keudalle
Liikenne- ja viestintävirasto Traficomin jakaman Tietoturvan suunnannäyttäjä -tunnustuksen sai tänä vuonna Keski-Uudenmaan koulutuskuntayhtymä Keuda. Tunnustuksen perusteluissa Keudaa kiitettiin muun muassa avoimesta viestinnästä, sen jouduttua marraskuussa 2022 kiristyshaittaohjelmalla tehdyn verkkohyökkäyksen kohteeksi.

Syyskuun Kybersäässä sateisuutta aiheuttivat huijauspuhelut sekä palvelunestohyökkäykset
Syyskuu oli huijauspuhelujen sekä palvelunestohyökkäysten värittämä. Väärennetyistä numeroista soitettuja huijauspuheluja ilmoitettiin jopa ennätysmäärä ennen lokakuun alussa voimaantullutta Traficomin määräystä. Kuukauden valonpilkahduksena olivat vähentyneet ilmoitusmäärät tietomurroista, tietomurron yrityksistä ja tietovuodoista.

Kyberturvallisuuskeskuksen viikkokatsaus - 40/2023
Tällä viikolla kerromme täysimääräisesti voimaantulleesta Traficomin määräyksestä, joka on antanut teleoperaattoreille uudet velvoitteet soittajan puhelinnumeron väärentämisen estämiseksi. Muina aiheina ovat QR-koodipohjaiset kalasteluviestit, NIS2-direktiivin kansallisen toimeenpanon eteneminen sekä onnistunut Ketjutonttu-kampanja.

Atlassian Confluence -tuotteissa kriittinen haavoittuvuus
Atlassian Confluence Data Center ja Server tuotteissa on havaittu kriittinen käyttöoikeuksien korottamisen mahdollistava haavoittuvuus. Haavoittuvuutta on Atlassianin tietojen mukaan havaittu jo hyväksikäytettävän rajatun asiakasjoukon piirissä. Atlassian suosittelee asentamaan päivitykset välittömästi tai rajoittamaan haavoittuvuuden hyväksikäyttömahdollisuuksia rajaamalla palvelun näkyvyyttä julkiseen verkkoon.

Lokakuussa esittelemme tietoturvan tekijöitämme kyberilmiöiden takana - sarjan ensimmäinen video julkaistu!
Ehkä sinäkin olet joutunut joko tietämättäsi tai tietoisesti kyberhyökkäyksen kohteeksi. Ne ovat voineet näkyä outoina viesteinä, puheluina tai häiriöinä palveluiden saatavuudessa ja toimivuudessa. Traficomin Kyberturvallisuuskeskus selvittää ja torjuu kyberhäiriöitä yhteistyössä muiden viranomaisten ja organisaatioiden kanssa. Päätimme avata muutamia viimeaikaisia kybertapahtumia tietoturva-asiantuntijoiden silmin ja videon keinoin. Näillä videoilla haluamme valottaa, mitä kyberhäiriöt ovat ja miten tietoturva-asiantuntijat ottavat niistä niskalenkin, usein yhteistyössä muiden toimijoiden kanssa.

Kampanja tunnisti ja korjasi toimitusketjuihin liittyviä kyberriskejä
Traficomin Kyberturvallisuuskeskuksen Ketjutonttu-kampanja paransi suomalaisen yrityskentän tietoturvaa tunnistamalla ja korjaamalla riskejä niiden toimitusketjuissa. Huoltovarmuuskeskuksen Digitaalinen turvallisuus 2030 -ohjelmasta rahoitettuun kampanjaan osallistui 150 organisaatiota ja yritystä.

Traficomin määräys lopettaa suomalaisiksi naamioidut valepuhelut lähes kokonaan
Huijaussoittojen estämistä on taklattu viranomaisten ja teleoperaattorien tiiviillä yhteistyöllä. Lokakuun alussa voimaan tulleella Traficomin määräyksellä teleoperaattorit velvoitetaan torjumaan yhä paremmin ulkomailta tulevia, mutta suomalaisiksi naamioituja puheluita, myös mobiilinumeroiden osalta. Soittojen suodatus on nyt käytössä kaikilla suomalaisilla, ulkomailta liikennettä vastaanottavilla teleoperaattoreilla. Työ puhelinnumeroita käyttävien huijausten estämiseksi jatkuu - Traficomissa on valmisteilla määräys, jonka avulla torjutaan tekstiviestihuijauksia.

Exim julkaisi korjauksia useisiin vakaviin haavoittuvuuksiin
Exim sähköpostin välitysohjelmistossa (Mail transfer agent - MTA) raportoitiin kuusi kappaletta nollapäivähaavoittuvuuksia Zero Day Initiative (ZDI) julkaisemana 27.9.2023. Tuolloin ohjelmiston kehittäjät eivät olleet vielä julkaisseet haavoittuvuuksiin liittyen mitään tiedotetta tai tarkempia tietoa haavoittuvuuksista eikä niiden hyväksikäytön estämisestä. 1.10.2023 Exim julkaisi tiedotteen haavoittuvuuksista sivuillaan, jossa kerrottiin aikataulu korjausten julkaisulle 2.10.2023 klo 15:00 sekä hyväksikäytön rajoituskeinoja.

Kyberturvallisuuskeskuksen viikkokatsaus - 39/2023
Tällä viikolla pankkiasiakkaita on yritetty huijata tuhansilla kalasteluviesteillä. Huijausviestien tarkoituksena on saada asiakkaita syöttämään pankkitunnuksensa huijarien tekemille valesivuille. Lisäksi annamme arvokkaita toimintaohjeita pilviympäristön poikkeamanhallintaan.

Vakava haavoittuvuus libwebp-kirjastossa
Google on julkaissut haavoittuvuuden (CVE-2023-4863) libwebp-ohjelmistokirjastossa. Haavoittuvuus mahdollistaa mielivaltaisen koodin suorittamisen käyttäjän tietokoneessa, jos haavoittuvaa kirjastoa käyttävällä selaimella lataa haitallisen verkkosivun. Google on arvioinut haavoittuvuuden vakavuudeksi (CVSS) täydet 10 pistettä.

Kyberturvallisuuskeskuksen viikkokatsaus - 38/2023
Tällä viikolla kerromme muun muassa haktivismista ja palvelunestohyökkäyksistä informaatiovaikuttamisen keinona. Lisäksi mukana on tietoa Ketjutonttu-kampanjan tulevasta tuloskatsauswebinaarista.

Useita haavoittuvuuksia Applen tuotteissa
Useissa Applen tuotteissa sekä Safari verkkoselaimessa on korjattu kriittisiä haavoittuvuuksia. Haavoittuvuudet korjaavat päivitykset on suositeltavaa asentaa välittömästi, sillä haavoittuvuuksien hyväksikäyttöä on jo havaittu maailmalla.

Kyberturvallisuuskeskuksen viikkokatsaus - 37/2023
Tällä viikolla kerromme aktiivisesta huijauspuhelukampanjasta, josta olemme saaneet lukuisia ilmoituksia kansalaisilta ja organisaatioista. Kerromme myös kiristyshaittaohjelmista ja kuntasektorille suunnatusta HYÖKY-palvelusta.

Tietomurrot ja tietojenkalastelu tekivät elokuun kybersäästä myrskyisän
Elokuussa kybersää oli jo syksyisen sateinen. Tietojenkalastelu oli hyvin vilkasta, ja Citrix Netscaler -haavoittuvuus johti useisiin tietomurtoihin Suomessa. Haavoittuvuuden hyödyntäminen vaikutti olleen nopeaa ja automatisoitua. Päivitykset olisikin hyvä asentaa mahdollisimman nopeasti aina kun niitä tarjotaan.

Traficomin Kyberturvallisuuskeskus tukee kuntien kyberturvallisuuden parantamista
Kunnilla on keskeinen rooli ja tehtävä erilaisten julkisten palveluiden tuottamisessa. Kuntien tietoverkoissa käsitellään ja hallinnoidaan suurta määrää erilaista tietoa. Mitä enemmän yhteiskunnan palvelut digitalisoituvat, sitä tärkeämpää on kiinnittää huomiota sähköisten palveluiden, tietoverkkojen ja -varantojen kyberturvallisuuteen. Tärkein tietoturvateko on tiedostaa, mikä on organisaation nykyinen tietoturvallisuuden taso. Mitä tulisi kehittää? Tämän jälkeen pitäisi myös viedä läpi tarvittavat kehitystoimet.

Kyberturvallisuuskeskuksen viikkokatsaus - 36/2023
Tällä viikolla Traficom sai osansa palvelunestohyökkäyksistä, mikä aiheutti palveluiden toimintaan lyhyen katkon. Kerromme myös Postin nimissä lähetetyistä huijausviesteistä.

Syyskuun teemakuukausi: Tietoturvailmiöt tutuksi
Loppuvuoden aikana Kyberturvallisuuskeskuksessa vietetään teemakuukausia. Teemakuukausien sarjan käynnistää syyskuussa Tietoturvailmiöt tutuksi -teemakuukausi, jonka aikana tarjoamme arvokasta tietoa yleisimmistä tietoturvauhkista ja siitä, miten voit suojata itsesi verkossa. Jatka lukemista ja ota ensimmäinen askel kohti turvallisempaa digitaalista elämää!

Miten pyydän tietojeni poistamista Yango-taksipalvelulta?
Oletko käyttänyt Yango-taksipalvelua ja toivot että Yango poistaisi palvelimiltaan itsestäsi kertyneet tiedot? Tiesitkö, että voit pyytää tietojen poistoa suoraan Yangolta EU:n tietosuoja-asetuksen (ns. GDPR) nojalla.

Kyberturvallisuuskeskuksen viikkokatsaus - 35/2023
Tällä viikolla muistutamme nopean reagoinnin tärkeydestä tietoturvapoikkeamatilanteessa. Esimerkiksi tietojenkalasteluun langetessa vakavat vahingot on vielä mahdollista estää nopeilla toimilla. Kerromme myös romanssipetoksista ja varoitamme veronpalautusaiheisista huijauksista.

Kriittisiä haavoittuvuuksia VMware Aria Operations for Networks -ohjelmistossa
VMware on julkaissut päivityksen, joka korjaa kaksi kriittistä haavoittuvuutta Aria Operations for Networks -ohjelmassa. Haavoittuvuuksien ansiosta hyökkääjät voivat ohittaa todennuksen ja saada koodin etäsuorittamisen korjaamattomissa laitteissa.

Kyberturvallisuuskeskuksen viikkokatsaus - 34/2023
Aggressiivinen tunnusten kalastelu piinaa sähköpostin käyttäjiä. Olkaa valppaina! Hälytyskellojen pitäisi soida, jos turvaposti-linkin takana kysellään erikseen käyttäjätunnusta ja salasanaa.

Kriittinen haavoittuvuus Juniperin Junos OS-järjestelmää käyttävissä SRX- ja EX-sarjan laitteissa
Juniper on julkaissut normaalista päivitystahdista poikkeavan turvallisuuspäivityksen SRX- ja EX-sarjan laitteilleen. Päivitys korjaa mainituilla laitteilla Junos OS-järjestelmässä havaitun ongelman, jossa neljää eri haavoittuvuutta ketjuttamalla hyökkääjä voi suorittaa laitteella verkon yli mielivaltaista koodia ilman kirjautumista. Päivitys on syytä suorittaa välittömästi.

Kyberturvallisuuskeskuksen viikkokatsaus - 33/2023
Kuluvan kesän aikana on tullut julki useita kriittisiä ohjelmistohaavoittuvuuksia. Onhan organisaatiossasi huolehdittu järjestelmien päivittämisestä myös lomien aikana?

Kyberturvallisuuskeskuksen viikkokatsaus - 32/2023
Viime aikoina huijaussivustoja on rekisteröity myös Suomen kansalliseen .fi-verkkotunnukseen. Sivustoilla pyritään .fi-verkkotunnuksen mainetta hyväksikäyttämällä kalastelemaan ihmisten verkkopankkitunnuksia.

Heinäkuun kybersäässä haavoittuvuudet aiheuttivat sateisuutta
Kyberrikolliset eivät lomaile, joten heinäkuussakin nähtiin monenlaisia tapahtumia tietoturvan maailmassa. Esimerkiksi viime kuun aikana julkaistiin useita kriittisiä haavoittuvuuksia. Myös pankkitunnuksia kalasteltiin ahkerasti suomi.fi-viranomaispalvelun sekä pankkien nimissä.

Kyberturvallisuuskeskuksen viikkokatsaus - 31/2023
Huijausviestejä on viime viikkoina ollut liikkeellä mm. Suomi.fi-palvelun ja Osuuspankin nimissä. Myös turvapostiksi naamioitujen sähköpostiviestien kanssa kannattaa olla tarkkana.

Uusi työkalu helpottaa kyberharjoituksen suunnittelua
Olitpa suunnittelemassa kyberharjoitusta ensimmäistä kertaa tai jo harjoittelun konkari, Kyberturvallisuuskeskuksen uusi harjoituksen suunnittelun työkalu auttaa muotoilemaan organisaatiollenne tarkoituksenmukaisen ja toimivan kyberharjoituksen.

Kyberturvallisuuskeskuksen viikkokatsaus - 30/2023
Tällä viikolla kerromme Kyberturvallisuuskeskuksen ajankohtaisten ohjelmistohaavoittuvuuksien kartoitustyöstä ja edelleen aktiivisista sosiaalisen median tilimurroista.

Useita kriittisiä haavoittuvuuksia Applen tuotteissa
Useissa Applen tuotteissa sekä Safari verkkoselaimessa on korjattu kriittisiä haavoittuvuuksia. Haavoittuvuudet korjaavat päivitykset on suositeltavaa asentaa välittömästi, sillä haavoittuvuuksien hyväksikäyttöä on jo havaittu maailmalla.

Kriittinen haavoittuvuus Ivanti Endpoint Manager Mobile (MobileIron Core) -tuotteessa
Ivanti on julkaissut Endpoint Manager Mobile -tuotteeseen päivityksiä, joilla korjataan kriittinen haavoittuvuus (CVE-2023-35078). Haavoittuvuutta hyväksikäyttämällä hyökkääjä voi päästä käsiksi järjestelmässä oleviin tietoihin ja tehdä joitakin muutoksia järjestelmään. Haavoittuvuuden hyväksikäyttöä on jo havaittu. Ivanti suosittelee järjestelmän päivittämistä välittömästi.

Kyberturvallisuuskeskuksen viikkokatsaus - 29/2023
Tällä viikolla kerromme USB-tikkujen avulla levitettävistä haittaohjelmista ja lisäksi kesäkuun Kybersäästä, annamme vinkkejä puhelimen tietoturvalliseen käyttöön sekä tietoturvalliseen kesään.

Kyberrikolliset eivät lomaile - Vinkit tietoturvalliseen kesään
Kesä on monelle meistä rentoutumisen ja henkisten akkujen lataamisen aikaa. Kun hyvät tietoturvataidot ovat osa arkisia rutiineja, ei kesäiltoja tarvitse käyttää salasanoista ja päivityksistä huolehtimiseen.

Kriittinen haavoittuvuus Citrix Netscaler Gateway ja ADC -ohjelmistoissa
Citrix on julkaissut tietoturvapäivityksiä korjatakseen yhden kriittisen (CVE-2023-3519) ja kaksi vakavaa haavoittuvuutta Citrix Netscaler ADC - ja Gateway -tuotteissaan. Citrix kehottaa kyseisten tuotteiden järjestelmänvalvojia päivittämään tuotteiden ohjelmistoversiot uusimpiin versioihin viipymättä. Haavoittuvuuksien hyväksikäyttöä on jo havaittu.

Kyberturvallisuuskeskuksen viikkokatsaus - 28/2023
Tällä viikolla kerromme kyberturvallisuustilanteesta Nato-huippukokousviikolla ja siitä, miten haittaohjelmatartunnat ovat yhä yleisempiä.

Kesäkuun kybersäässä nähtiin kesäsateita usealla rintamalla
Kesäkuun kybersää oli sateinen. Ilmoitukset sometilien murroista ovat jatkuneet korkealla tasolla. Tietojenkalastelussa käytetään yhä useammin hyväksi QR-koodien taakse laitettuja tietojenkalastelusivuja. Valonpilkahduksiakin kuitenkin mahtui joukkoon esimerkiksi pk-yrityksille suunnatun rahoitushaun auettua.

Haittaohjelmatartunnat ovat yhä yleisempiä
Haittaohjelmia ovat esimerkiksi erilaiset madot, virukset, sekä vakoilu- ja kiristysohjelmat. Rikolliset keksivät jatkuvasti uusia tapoja tartuttaa laitteita haittaohjelmilla ja kätkeä niiden haitallisuus. Haittaohjelmaa voi olla vaikea havaita, ennen kuin tartunta on jo tapahtunut.

Kyberturvallisuuskeskuksen viikkokatsaus - 27/2023
Tällä viikolla kerromme tietojenkalastelun tuoreesta ilmiöstä, jossa QR-koodia käytetään kalastelun toteutuksessa. Lue myös, miten rikolliset hyödyntävät elektronista SIM-korttia huijauksissaan.

QR-koodin käyttö tietojenkalastelussa yleistyy
QR-koodien käyttö lisääntyi koronapandemian aikana, kun esimerkiksi monet ravintolat ja yritykset pyrkivät vähentämään kontakteja. Samalla QR-koodien käyttö on yleistynyt myös huijauksissa.

Elektroninen SIM tarjoaa uuden hyökkäysvektorin rikollisille
SIM-kortin vaihtaminen puhelimesta toiseen on helppoa ja mutkatonta. Valitettavasti myös rikolliset osaavat hyödyntää tätä ominaisuutta.

Kyberturvallisuuskeskuksen viikkokatsaus - 26/2023
Toimitusjohtajahuijaukset aktivoituvat erityisesti kesällä. Microsoft 365 -tilejä on murrettu aktiivisesti viime kuukausina. Kirjoitimme uuden ohjeen, jotta tilin turvaaminen olisi entistäkin helpompaa.

Kriittinen haavoittuvuus FortiNAC -tuotteessa
Fortinetin on julkaissut FortiNAC -tuotteeseen päivityksen, jotka korjaavat kriittiseksi luokitellun haavoittuvuuden. Haavoittuvuutta hyväksikäyttämällä hyökkääjä voi suorittaa mielivaltaisia komentoja tai koodia tcp/1050 palveluun erityisesti muodostetun pyynnön kautta. Fortinet suosittelee päivittämään haavoittuvat tuotteet pikaisesti.

Kyberturvallisuuskeskuksen viikkokatsaus - 25/2023
Tietojenkalastelu- ja huijausviestit kehittyvät jatkuvasti. Arviomme mukaan noin sadan organisaation sähköpostitilejä on murrettu onnistuneesti lähikuukausien aikana. Tällä viikolla muistutamme myös verkkolaitteiden päivittämisen tärkeydestä.

Tietojenkalastelu- ja huijausviestien kanssa tulee olla yhä tarkempi
Tietojenkalastelu- ja huijausviestit kehittyvät jatkuvasti. Erilaiset teknologiat, kuten koneoppiminen ja tekoäly sekä psykologiset keinot auttavat rikollisia pyrkimyksissään voittaa uhrin luottamus. Kalastelukampanjat tuottavatkin jatkuvasti tulosta rikollisille ja Kyberturvallisuuskeskuksen arvion mukaan noin sadan organisaation sähköpostitilejä on murrettu onnistuneesti lähikuukausien aikana.

Zyxel korjasi kriittisen haavoittuvuuden verkkolevyasemissaan (NAS)
Verkkolaitevalmistaja Zyxel julkaisi korjaavat päivitykset kriittisiin haavoihin verkkolevyasemissa (NAS). Kyberturvallisuuskeskus suosittelee omistajia päivittämään kyseiset laitteet välittömästi.

Rahoitustukihaku pk-yrityksille modernien kyberturvallisuusratkaisujen käyttöönottoon on avattu
Kyberturvallisuuskeskuksen Kansallinen koordinointikeskus (NCC-FI) on avannut ensimmäisen rahoitustukihakunsa modernien kyberturvallisuusratkaisujen ja -innovaatioiden käyttöönottoon pk-yrityksissä. Rahoitustuella vahvistetaan ensisijaisesti pk-yritysten omia valmiuksia sekä Suomen kansallista kapasiteettia ja infrastruktuuria kyberhyökkäyksiltä suojautumiseen. Tukea voivat hakea Suomeen rekisteröidyt pienet ja keskisuuret yritykset. Haku on auki 16.6.–16.8.2023 klo 16:15.

Kyberturvallisuuskeskuksen viikkokatsaus - 24/2023
Tällä viikolla kerromme kiristyshaittaohjelmien kehittyvistä trendeistä ja muistutamme kyberturvallisuuden huomioimisesta myös alkaneella lomakaudella. Yhä useammin kiristyshaittaohjelmat kohdistuvat palautumisen mahdollistaviin varmuuskopioihin, ja tietojen salaamisen lisäksi hyökkääjät kiristävät varastetun tiedon julkaisulla.

Kyberturvallisuuskeskus CVE-tunnisteita jakavaksi CNA-toimijaksi
Kyberturvallisuuskeskus on hyväksytty haavoittuvuuksille CVE (Common Vulnerabilities and Exposures) -tunnisteita jakavaksi CNA-toimijaksi (CVE Numbering Authority).

Kriittinen haavoittuvuus Fortinetin FortiOS ja FortiProxy -ohjelmistoissa
Fortinetin FG-IR-23-097 päivitys korjaa kriittisen haavoittuvuuden FortiOS ja FortiProxy -ohjelmistojen SSL-VPN -komponentissa. Muistin käsittelyyn liittyvää kriittistä haavoittuvuutta hyväksikäyttämällä hyökkääjä voi suorittaa mielivaltaisia komentoja kohdelaitteella. Fortinet suosittelee päivittämään haavoittuvat ohjelmistot pikaisesti.

Kyberturvallisuuskeskuksen viikkokatsaus - 23/2023
Kesäkuun toisessa viikkokatsauksessa kerromme ikäviä uutisia väärennetyistä puhelinnumeroista, saastutetuista verkkopeleistä ja rikotuista palomuureista. Onneksi hyviäkin asioita tapahtuu: Keskusrikospoliisi ja Lounais-Suomen poliisilaitos ovat saaneet valmiiksi verkkopankkipetoksiin liittyvän esitutkinnan.

Toukokuun kybersäässä sosiaalisen median tilimurrot aiheuttivat salamointia
Toukokuun kybersää oli huijauspuhelujen ja erilaisten haavoittuvuuksien myötä sateinen. Myös myrskyä oli ilmassa, kun ilmoitusmäärät sosiaalisen median tilien murroista kasvoivat merkittävästi. Toukokuun kybersään pitkän aikavälin tarkastelussa on vuorossa puolijohdepula.

Post-Quantum Crypto -aikaan valmistautuminen on käynnissä myös Suomessa
Yhdysvaltalainen matemaatikko Peter Shor esitti vuonna 1994 kvanttitietokoneille algoritmin, jolla voidaan tehokkaasti jakaa isoja kokonaislukuja tekijöihinsä. Kvanttitietokoneiden kehitys on kovassa vauhdissa ja kun riittävän tehokas kvanttitietokone saadaan rakennettua, voidaan Shorin algoritmia käyttäen murtaa nykyiset julkisen avaimen salausalgoritmit, jotka ovat välttämättömiä mm. internetin turvalliselle toiminnalle.

Kyberturvallisuuskeskuksen viikkokatsaus - 22/2023
Tällä viikolla kerromme eri pankkien nimissä tapahtuvasta kalastelusta sekä sähköpostien mukana leviävistä haittaohjelmista. Muistutamme myös, mitä on hyvä ottaa huomioon, kun lapsi saa ensimmäisen älylaitteensa.

VISA OTP palvelinten päivitys ke 31.5. klo 9:30-16

Kybermittarista apua kyberturvallisuusriskien hahmottamiseen
Kybermittarin uutta versiota on kehitetty käyttäjiltä saadun palautteen perusteella. Kybermittarin uusi versio sekä uudet tukimateriaalit ovat saatavilla Kyberturvallisuuskeskuksen verkkosivuilla. Ilmoittaudu kesän ja syksyn esittely- ja koulutustapahtumiin!

Kyberturvallisuuskeskuksen viikkokatsaus - 21/2023
Tällä viikolla kerromme Facebookissa laajalle levinneestä huijauksesta, jossa tilejä kaapataan tekaistun rahapalkinnon verukkeella. Muina aiheina ovat uudet ylätason verkkopäätetunnukset ja Kyberturvallisuuskeskuksen asiantuntijat Disobey hakkeritapahtumassa.

Kriittinen haavoittuvuus GitLabin Community Edition ja Enterprise Edition tuotteissa
GitLab on julkaissut päivityksen Community Edition (CE) ja Enterprise Edition (EE) tuotteissa olevaan kriittiseen haavoittuvuuteen. Korjaava versiopäivitys kannattaa asentaa mahdollisimman pian.

Kriittisiä haavoittuvuuksia Zyxelin palomuurituotteissa - Hyväksikäytöstä viitteitä
Zyxel on julkaissut korjauspäivitykset kahteen kriittiseen haavoittuvuuteen. Haavoittuvuudet koskevat useita Zyxelin palomuurituoteperheitä. Korjaavat päivitykset kannattaa asentaa haavoittuviin tuotteisiin mahdollisimman pian.

Kyberturvallisuuskeskuksen viikkokatsaus - 20/2023
Tällä viikolla kerromme palvelunestohyökkäystilanteesta ja neuvomme teollisuusorganisaatioita suojautumaan kyberpoikkeamilta. Huoltovarmuuskeskus on julkaissut oppaan pilvipalveluihin liittyen.

Teollisuuden järjestelmätoimittajaan kohdistunut tietomurto edellyttää myös sen asiakkailta ripeitä toimenpiteitä
Organisaatioiden varautumisen tulee kattaa myös toimittajiin kohdistuvat poikkeamat. Pahimmillaan tärkeä toimittaja voi joutua kyberhyökkäyksen uhriksi, mikä vaatii pikaisia toimia myös asiakasorganisaatiossa.

Kyberturvallisuuskeskuksen viikkokatsaus - 19/2023
Tällä viikolla kerromme turvapostiteemaisista kalasteluviesteistä ja vahvan sähköisen tunnistuksen uusista vaatimuksista. Tutustu myös huhtikuun kybersäähän ja päivitystiistain mukanaan tuomiin korjauspäivityksiin.

Sähköpostikalastelut ja huijauspuhelut toivat huhtikuun kybersäähän epävakautta
Huhtikuussa kybersäässä havaittiin sekä keväisiä auringon pilkahduksia että perinteisiä sateitakin. Sähköpostikalastelut ja huijauspuhelut toivat kybersäähän epävakautta, kun taas esimerkiksi haittaohjelmien osalta mennyt kuukausi oli edellistä valoisampi ilmoitusmäärän ollessa hieman pienempi kuin maaliskuussa. Tässä kybersäässä ovat mukana myös neljä kertaa vuodessa päivitettävät TOP5-uhat.

Vahvan sähköisen tunnistuksen uudet vaatimukset tekevät asioinnista entistä turvallisempaa
Liikenne- ja viestintäviraston määräys koskien vahvaa sähköistä tunnistusta ja luottamuspalveluita astuu täysimääräisinä voimaan kesäkuussa 2023. Uudessa määräyksessä on kaksi tärkeää kohtaa, jotka tekevät sähköisestä asioinnista entistä turvallisempaa.

Vahva sähköinen tunnistus uudistuu - tietoa asiointipalveluille
Liikenne- ja viestintäviraston määräys M72B koskien vahvaa sähköistä tunnistusta ja luottamuspalveluita astuu voimaan täysimääräisenä kesällä 2023. Uudistetussa määräyksessä on vaatimuksia, jotka heijastuvat myös asiointipalvelutoteutuksiin.

Kyberturvallisuuskeskuksen viikkokatsaus - 18/2023
Tällä viikolla kerromme suomalaisesta huippukyberosaamisesta ja yhteistyöstä, joka pääsi lavalle eräässä maailman suurimmista tietoturvatapahtumista. Kokosimme yhteen myös ajankohtaiset huijaukset ja kalastelut.

Turvapostiteemaiset kalasteluviestit johtavat sähköpostitilimurtoihin
Kyberturvallisuuskeskus on vastaanottanut alkuvuonna merkittävän määrän ilmoituksia turvapostiteemaisista kalasteluviesteistä. Uusi kampanja käynnistyi aktiivisena huhtikuun puolivälissä ja murrettuja sähköpostitilejä on havaittu Kyberturvallisuuskeskuksen tilastojen mukaan 20:ssa eri organisaatiossa. Turvapostiteemaisia kalasteluviestejä on lähetetty Suomessa huhtikuussa Kyberturvallisuuskeskuksen arvion mukaan viisinumeroinen määrä. Monivaiheisen tunnistautumisen käyttöönotto on edelleen tehokas keino tilimurtojen estämiseen.

Kyberturvallisuuskeskuksen viikkokatsaus - 17/2023
Tällä viikolla kerromme teknisen tuen huijauspuheluista ja suomi.fi-palvelun nimissä lähetetyistä kalasteluviesteistä.

Haavoittuvuuksien ilmoittamista helpottavaa käytäntöä ei vielä täysin hyödynnetä Suomessa
Miten saan tiedon, kun joku löytää haavoittuvuuden organisaationi verkkopalvelusta? Entä kuinka tiedän, kenelle ja miten ilmoitan löytämästäni haavoittuvuudesta? Kuinka organisaationi voi sopia haavoittuvuuden löytäjän kanssa yhteisistä pelisäännöistä, kun emme edes tunne toisiamme? Avuksi on ehdotettu käytäntöä, jossa yhteystiedot ja pelisäännöt julkaistaisiin aina samassa paikassa. Kyberturvallisuuskeskukselle tehdyssä opinnäytetyössä tutkittiin kyseistä käytäntöä. Artikkelissa on myös tutkimuksen tulosten valossa laadittuja neuvoja käyttöönottoon.

Kyberturvallisuuden uhkataso pysynyt kohonneena - kohdistettujen hyökkäysten määrä noussut
Suomalaisiin organisaatioihin kohdistuu nyt jatkuvasti kasvavaa kiinnostusta. Kyberhyökkäysten luonne on muuttunut. Erityisesti kohdistettujen kyberhyökkäysten määrä, joissa kohdeorganisaatio on tarkkaan valittu, on kasvanut. Tapausmäärän kasvusta huolimatta Traficom ja Suojelupoliisi pitävät yhteiskuntaa lamauttavaa kyberhyökkäystä epätodennäköisenä.

Kyberturvallisuuskeskuksen viikkokatsaus - 16/2023
Tällä viikolla kerromme aktiivisesta turvapostiteemaisesta kalastelukampanjasta ja kyberuhkatason noususta Euroopassa.

Selvitämme ohjelmistoturvallisuuden tilaa - vastaa kyselyyn
Kyberturvallisuuskeskus kartoittaa ohjelmistoturvallisuuden tilaa Suomessa. Nykytilanteen kartoittamisen lisäksi toivomme tietoa kipukohteista ja hyvistä käytännöistä, joilla voisimme tukea yrityksiä ja muita organisaatioita.

Kyberturvallisuuskeskuksen viikkokatsaus - 15/2023
Tällä viikolla kerromme mm. sosiaalisen median tilien tietomurroista sekä Microsoftin M365-käyttäjätilien tunnusten kalasteluista. Päivitystiistai toi mukanaan paljon päivityksiä - muistathan päivittää laitteesi!

Tietomurtojen ja huijausten määrät tekivät maaliskuun kybersäästä sateisen
Maaliskuun kybersää oli helmikuuta sateisempi. Tietomurtoilmoitusten noussut määrä ja alkukuun runsaat vuokranmaksuhuijausviestit toivat ilmaan pieniä myrskyn merkkejä. Vuoden alussa uudistuneessa kybersäässä on tässä kuussa mukana vuoden ensimmäisen kvartaalin päivitetyt tilastot huijausten, palvelunestohyökkäysten sekä Autoreporterin osalta.

Kriittisiä haavoittuvuuksia Applen tuotteissa - päivitä heti
Uusia ja kriittisiä päivityksiä Applen iOS, macOS Ventura, macOS Monterey, macOS Big sur ja iPadOS-laitteissa, sekä Safari verkkoselaimessa. Päivitykset tulee asentaa välittömästi, sillä hyväksikäyttöä on havaittu maailmalla.

Kyberturvallisuuskeskuksen viikkokatsaus - 14/2023
Tällä viikolla kerromme suomalaisten puhelinnumeroiden väärentämisestä. Muistutamme myös, että palvelunestohyökkäyksistä ei kannata huolestua, sillä niiden vaikutukset jäävät usein vähäisiksi.

Kyberturvallisuuskeskuksen viikkokatsaus - 13/2023
Tällä viikolla kerromme Hack and Leak -ilmiöstä sekä 3CXDesktopApp-videoneuvotteluohjelmistoon kohdistuneesta toimitusketjuhyökkäyksestä.

Toimitusketjuhyökkäys 3CXDesktopApp-videoneuvotteluohjelmistoon
Tietoturvayhtiöiden havaintojen mukaan maailmalla laajasti käytetyn 3CXDesktopApp-videoneuvotteluohjelman asennuspakettiin on ujutettu haitallista koodia, joka asentuu laitteelle ohjelmiston päivityksen tai asennuksen yhteydessä. Haitalliset ohjelmaversiot ovat Windows 3CX Desktop App 18.12.407 ja 18.12.416 sekä Mac 3CX Desktop App 18.11.1213, 18.12.402, 18.12.407 ja 18.12.416. Haitallisia versiopäivityksiä on ollut saatavilla maaliskuun 2023 aikana.

Hack and Leak -ilmiö yhdistää kyber- ja informaatiovaikuttamisen
Hack and Leak -ilmiöissä on kyse tapauksista, joissa hyökkääjän pyrkimyksenä on toteuttaa kohteelleen tietomurto ja tämän jälkeen varastaa ja hyödyntää uhrille kriittistä tietoa. Voidaan puhua niin sanotusta hybridihyökkäyksestä.

Varo, varmista, varoita -kampanja: Digihuijausten määrä kasvoi selvästi vuoden 2022 jälkipuoliskolla
Vuonna 2022 suomalaiset menettivät digihuijauksissa rikollisille yhteensä 32,4 miljoonaa euroa. Varo, varmista, varoita -kampanja muistuttaa, että huijauksia on mahdollista välttää.

Kyberturvallisuuskeskuksen viikkokatsaus - 12/2023
Tällä viikolla kerromme Postin nimissä lähetetyistä tekstiviesteistä, joiden avulla kalastellaan pankkitietoja sekä siitä, miten yritykset voivat parantaa M365-järjestelmiensä tietoturvaa.

Useita kriittisiä haavoittuvuuksia Samsung Exynos -piirisarjassa
Samsung Exynos -piirisarjassa olevassa baseband -komponentissa on havaittu neljä kriittistä haavoittuvuutta. Haavoittuvuuksien hyväksikäyttö mahdollistaa pahimmillaan komentojen suorittamisen etänä kohdelaitteeseen. Samsung on julkaissut korjaavan päivityksen, mutta sen saatavuus vaihtelee laitekohtaisesti.

Kyberturvallisuuskeskuksen viikkokatsaus – 11/2023
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 10.3. - 16.3.2023). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Kriittinen haavoittuvuus Microsoft Outlookissa
Microsoft tiedotti Outlookin vakavasta haavoittuvuudesta, jonka avulla on mahdollista korottaa käyttöoikeuksia. Haavoittuvuus mahdollistaa NTLM Relay -hyökkäyksen. Haavoittuvuutta hyödynnetään lähettämällä tietynlainen sähköpostiviesti Outlook-ohjelmaan. Hyökkäys aktivoituu sähköpostiviestin saapuessa Outlook-ohjelmaan jo ennen sähköpostiviestin avaamista tai sen esikatselua.

Tietoturvan kehittämisen tuen hakijoiden joukossa eri kokoisia ja eri toimialoja edustavia yhteiskunnan kannalta kriittisiä yrityksiä
Tietoturvan kehittämisen tukea on myönnetty noin 1,8 miljoonaa euroa ja 77 yritykselle. Tukea saaneiden joukossa on monen kokoisia ja eri toimialoja edustavia yrityksiä. Kaiken kaikkiaan 86 yrityksen tukihakemuset on käsitelty. Hakemuksia on tullut tähän mennessä 656. Tukea myönnetään niin kauan kuin tuen myöntämiseksi varattu 6 miljoonan euron määräraha riittää.

Kyberturvallisuuskeskuksen viikkokatsaus - 10/2023
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 3.3. - 9.3.2023). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Helmikuun kybersäähän vakoilu toi myrskyn merkkejä
Helmikuun kybersäähän mahtui niin aurinkoa, sadetta kuin myrskyäkin. Myrskyn merkkejä havaittiin vakoilupuolella. Aurinko paistoi varsinkin automaation ja IoT:n maailmassa, johon sijoittuu myös helmikuussa julkaistu uusi ohje teollisuusautomaation kyberturvallisuuskontrolleihin liittyen.

Kriittinen haavoittuvuus Fortinetin FortiOS-käyttöjärjestelmässä
Fortinet julkaisi FortiOS-ohjelmistoon päivityspaketit, jotka korjaavat kriittiseksi luokitellun haavoittuvuuden.

Kyberturvallisuuskeskuksen viikkokatsaus - 9/2023
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 24.2. - 2.3.2023). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Kyberturvallisuuskeskuksen viikkokatsaus - 8/2023
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 17. - 23.2.2023). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Kyberturvallisuuskeskuksen viikkokatsaus - 7/2023
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 10. - 16.2.2023). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Sosiaali- ja terveydenhuoltoalalla kyberturvallisuutta parannetaan monessa verkostossa
Sote-alan toiminnan jatkuvuus riippuu entistä enemmän kyberturvallisuudesta. Suomessa ja maailmalla alan kyberturvallisuuden parantamiseksi tehdään yhteistyötä monella rintamalla. Kyberturvallisuuskeskus on mukana useissa verkostoissa, joista osaa se fasilitoi itse ja osaan osallistuu kutsuttuna. Suuri osa yhteistyöstä tapahtuu vapaaehtoisissa yhteenliittymissä.

Apple julkaisi korjaavan päivityksen kriittiseen haavoittuvuuteen tuotteissaan
Applen korjaamat haavoittuvuudet koskevat useita Applen laitteita sekä Safari-selainta. Applen julkaisemat päivitykset on syytä asentaa laitteille heti.

Käyttökatkot verkkopalveluissa ovat yleisiä ja usein vaarattomia
Palvelunestohyökkäykset organisaatioiden verkkosivuja ja -palveluja kohtaan ovat yleisiä. Käytännössä hyökkäyksiä tapahtuu koko ajan, kaikkialla. Niihin myös varaudutaan ja niitä torjutaan päivittäin. Sinulle palvelunestohyökkäys näkyy siten, että esimerkiksi pankin tai terveydenhuollon verkkosivu ei ole käytössä. Myös huoltokatkokset tai muut häiriöt voivat aiheuttaa katkoksia verkkosivulla.

Uudessa ohjeessa tietoa paikallisiin matkaviestinverkkoihin liittyvistä kyberuhkista ja riskienhallinasta
Millaisia kyberuhkia ja riskejä paikallisiin matkaviestinverkkoihin liittyy? Mitä verkkoja rakennettaessa pitää ottaa huomioon? Uudesta ohjeesta tietoa paikallisia matkaviestinverkkoja harkitseville organisaatioille.

Kyberturvallisuuskeskuksen viikkokatsaus - 6/2023
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 3. - 9.2.2023). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Tammikuun uudistettu Kybersää julkaistu
Kybersää uudistui vuodelle 2023. Mukana on päivitetyn ilmeen lisäksi niin uutta kuin vanhaa tuttua sisältöä. Tuote on suunnattu organisaatioille. Kybersään tavoitteena on kertoa kybermaailman tapahtumista mahdollisimman ymmärrettävästi ja entistä tiiviimmässä paketissa. Kybersää täydentää Viikkokatsausta ja koostaa kuukauden keskeiset tapaukset yhteen.

Eurooppalaisen Galileo-satelliittipaikannusjärjestelmän tarkkuuspalvelu on nyt käytössä
Galileon tarkkuuspalvelu on kaikille avoin ja sen käyttö on maksutonta. Uuden palvelun hyödyntämismahdollisuuksia löytyy esimerkiksi maa- ja metsätaloudesta.

Kyberturvallisuuskeskuksen viikkokatsaus - 5/2023
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 27.1. - 2.2.2023). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Kyberturvallisuuden tutkimus- ja kehitystoimintaan vahvistusta Suomessa ja Euroopassa - EU:n kyberturvallisuuden osaamiskeskuksen Suomen kansallinen koordinointikeskus aloitti toimintansa
Euroopan kyberturvallisuuden teollisuus-, teknologia- ja tutkimusosaamiskeskuksen Suomen kansallinen koordinointikeskus aloitti virallisesti toimintansa vuoden 2023 alusta Liikenne- ja viestintävirastossa. Virastoon perustettu toiminto on osa EU:n laajuista koordinointikeskusten verkostoa. EU-laajuisen verkoston tehtävänä on parantaa kyberomavaraisuutta, tukea kyberturvallisuusalan tutkimusta ja vauhdittaa teknologian kehittämistä koko EU:ssa.

Tietoturvan kehittämisen tukea myönnetty ensimmäisille yrityksille vauhdittamaan tietoturvaa parantavien toimenpiteiden toimeenpanoa
Liikenne- ja viestintävirasto Traficom on myöntänyt tietoturvan kehittämisen tukea ensimmäisille yrityksille. Muiden yritysten hakemusten käsittely on täydessä vauhdissa. Viimeisten joukossa hakemuksensa jättäneet yritykset joutuvat kuitenkin vielä odottamaan päätöksiä hakemistaan tuista.

Kyberturvallisuuskeskuksen viikkokatsaus - 4/2023
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 20.1. - 26.1.2023). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Älylaitteiden heikko tietoturva sääntelyllä kuriin
Kaupan hyllystä mukaan voi tarttua laite, jonka tietoturva on heikko. Tilanne muuttuu 1.8.2024, kun tietoturvavaatimusten vastaiset laitteet voidaan poistaa myynnistä. Tulevaa sääntelyä silmällä pitäen valmistajien, maahantuojien ja myyjien pitää varmistaa tuotteiden tietoturvataso heti.

Kyberturvallisuuskeskuksen viikkokatsaus - 3/2023
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 13.1. - 19.1.2023). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Kyberturvallisuuskeskuksen viikkokatsaus - 2/2023
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 6.1. - 12.1.2023). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Joulukuun kybersää oli pääosin sateinen, vaikka mukaan mahtui myös positiivisia uutisia
Vuosi 2022 päätettiin sateisessa kybersäässä. Viestintäverkkojen toimivuus oli joulukuussakin hyvällä tasolla, mutta palvelunestohyökkäykset lisääntyivät voimakkaasti. Sosiaalisen median tilimurtoja ilmoitetaan tasaista tahtia, ja tilien suojaamiseen kannattaakin kiinnittää huomiota. Lääkinnällisten laitteiden ylläpidon jatkuvuus puolestaan on tärkeää niin tietoturvan kuin eettisyyden vuoksi.

Kyberturvallisuuskeskuksen viikkokatsaus - 1/2023
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 30.12.2022 - 5.1.2023). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Kyberturvallisuuskeskuksen viikkokatsaus - 52/2022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 23.12. - 29.12.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Kyberturvallisuuskeskuksen viikkokatsaus - 51/2022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 16.12. - 22.12.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Kyberturvallisuuskeskuksen viikkokatsaus - 50/2022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 9.12. - 15.12.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Loppusyksyiset tuulet pitivät marraskuun kybersään koleana
Marraskuun tuomat kyberilmiöt pitivät loppusyksyn kybersään koleana. Kiristyshaittaohjelmien määrän on havaittu lisääntyneen syksyllä niin Suomessa kuin maailmalla. Kiristyshuijauksissa puolestaan on näkynyt uudenlaisia teemoja. Auringonpilkahduksena Euroopan neuvosto hyväksyi uuden NIS2-direktiivin, joka tulee parantamaan EU:n kyberturvallisuutta tulevina vuosina.

Muista tietoturva myös joululahjaostoksilla
Harkitsetko älylelun ostamista pukinkonttiin? Ennen ostopäätöksen tekemistä kannattaa tutustua laitteen tietoturvaominaisuuksiin.

Palvelunestohyökkäyksissä selvää kasvua joulukuussa
Kyberturvallisuuskeskus on saanut joulukuussa poikkeuksellisen paljon ilmoituksia palvelunestohyökkäyksistä. Suurin osa hyökkäyksistä ei ole aiheuttanut näkyvää haittaa.

Apple julkaisi kriittisen haavoittuvuuden korjaavan päivityksen tuotteisiinsa
Applen korjaamat haavoittuvuudet koskevat useita Applen laitteita sekä Safari-selainta. Applen julkaisemat päivitykset on syytä asentaa laitteille heti.

Useita kriittisiä haavoittuvuuksia VMwaren virtualisointiohjelmistoissa
Useita kriittisiä haavoittuvuuksia VMwaren vRealize Network Insight (vRNI), ESXi, Workstation Pro / Player (Workstation), Fusion Pro / Fusion (Fusion) ja Cloud Foundation virtualisointiohjelmistoissa

Tukes varoittaa vaarallisista joululeluista
Myös Liikenne- ja viestintävirasto Traficom tutustui Tukesin pyynnöstä muutaman älylelun tietoihin.

Kriittinen haavoittuvuus Citrix Gateway ja Citrix ADC -ohjelmistoissa
Haavoittuvuutta hyväksikäyttämällä on mahdollista suorittaa mielivaltaisia komentoja etänä. Haavoittuvuutta hyväksikäytetään aktiivisesti, joten päivittäminen on erityisen tärkeää.

Tekoäly tulee muuttamaan myös kyberhyökkäyksiä
Miten tekoäly muuttaa kyberhyökkäysten luonnetta? Millaisia uhkia tekoäly muodostaa kyberturvallisuudelle lähivuosien aikana? Mitä uhkiin varautumisessa on hyvä ottaa huomioon?

Kriittinen haavoittuvuus Fortinetin FortiOS-ohjelmistossa
Fortinet julkaisi päivityspaketit FortiOS-ohjelmistoon, joka korjaa kriittiseksi luokitellun haavoittuvuuden.

Tietoturvasetelin valtava suosio oli iloinen yllätys
Tietoturvan kehittämisen tukea eli tietoturvaseteliä on voinut hakea Liikenne- ja viestintävirasto Traficomista 1.12. alkaen, ja jo nyt haettu rahoitus on ylittänyt myönnettävänä olevan rahoituksen.

Useita kriittisiä haavoittuvuuksia Neutrinolabsin xrdp etätyöpöytäprotokollan toteutuksessa
Useita kriittisiä haavoittuvuuksia Neutrinolabsin xrdp etätyöpöytäprotokollan toteutuksessa.

Kaksi haavoittuvuutta Linux Debian Cacti Web-rajapinnan palvelussa
Linux Debian Cacti Web-rajapinnan palvelussa on kaksi haavoittuvuutta. Haavoittuvuudet mahdollistavat hyökkääjän ohittaa LDAP-tunnistautumisen tai tietyillä injektionneilla mielivaltaisen koodin suorittamisen. Cacti -palveluun on korjaus 1.2.x ja 1.3.x versioissa.

Kyberturvallisuuskeskuksen viikkokatsaus - 49/2022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 2.12. - 8.12.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Kyberturvallisuuskeskuksen viikkokatsaus - 48/2022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 25.11. - 1.12.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Kyberturvallisuuskeskuksen viikkokatsaus - 47/2022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 18.11. - 24.11.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Kyberturvallisuuskeskuksen viikkokatsaus - 46/2022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 11.11. - 17.11.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Tietoturvasetelin haku aukeaa pian - tutustu tietoturvan kehittämisen tuen ehtoihin ja hakemiseen
Valtioneuvosto teki lokakuussa päätöksen määräaikaisesta yrityksille myönnettävästä tietoturvan kehittämisen tuesta eli niin sanotusta tietoturvasetelistä. Tietoturvaseteliä voivat hakea yhteiskunnan kannalta elintärkeät yritykset eli niin sanotut huoltovarmuuskriittiset yritykset. Tietoturvasetelin tavoitteena on nostaa näiden yritysten tietoturvallisuuden tasoa ja sitä kautta parantaa koko yhteiskunnan kykyä suojautua kyberturvallisuusuhkia vastaan.

Kyberturvallisuuskeskuksen viikkokatsaus - 45/2022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 4.11. - 10.11.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Lokakuun kybersää synkisti syksyä
Lokakuun kybersää ei juuri tuonut auringonpilkahduksia. Olemme vastaanottaneet muutamia ilmoituksia kiristyshaittaohjelmista. Palvelunestohyökkäyksistä ilmoituksia on tullut selvästi tavallista enemmän. Myös lääkinnällisten laitteiden tietoturvallisuus on puhuttanut Yhdysvalloissa, ja asia onkin huomioitu myös Suomessa.

Kriittisiä haavoittuvuuksia VMware Workspace ONE Assist -ohjelmistossa
VMware on julkaissut päivityksen, joka korjaa kolme kriittistä haavoittuvuutta VMware Workspace ONE Assist -ohjelmassa. Haavoittuuvuuksien hyväksikäyttö saattaa mahdollistaa hyökkääjälle pääsyn verkkoon sekä järjestelmänvalvojan oikeuksien saamisen ilman tunnistautumista.

Kriittinen haavoittuvuus Citrix Gateway ja Citrix ADC -tuotteissa
Citrix on julkaissut tietoturvapäivityksiä korjatakseen kriittisen haavoittuvuuden (CVE-2022-27510) Citrix Application Delivery Controller (ADC) - ja Citrix Gateway -tuotteissaan. Citrix kehottaa kyseisten tuotteiden järjestelmänvalvojia päivittämään tuotteiden ohjelmistoversiot uusimpiin versioihin viipymättä.

Finanssialan kyberharjoituksessa vaihdettiin oppeja ja parhaita käytäntöjä
Toimialojen yhteiset työpöytäharjoitukset sopivat monenlaisille organisaatioille. Tällä kertaa finanssialan yhteisessä harjoituksessa treenattiin organisaatioiden välistä tiedonvaihtoa ja tutustuttiin viranomaisten rooleihin kyberhäiriössä.

Kyberturvallisuuskeskuksen viikkokatsaus - 44/2022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 28.10. - 3.11.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Tunnista turvallinen verkkosivu osoitteen perusteella!
Nettisivuja ja sähköpostia käyttäessä tärkeintä on säilyttää arkijärki ja pitää pää kylmänä. Hätiköityjä päätöksiä ei pidä tehdä, vaikka sinulle luvattaisiin satumaisia voittoja tai uhattaisiin "pankkitilin jäädyttämisellä" tai syytteellä laittomuudesta (joita et edes ole tehnyt).

Kaksi vakavaa haavoittuvuutta OpenSSL 3.0 -versiossa
Tietojen salaamiseen ja salattuun välittämiseen käytetyn OpenSSL-kirjaston versiosta 3.0 on löydetty kaksi vakavaa haavoittuvuutta. Uusin versio 3.0.7 on syytä päivittää mahdollisimman pian. Haavoittuvuudet eivät koske vanhempia 1.1.1 tai sitä edeltäneitä versioita.

Palvelunestohyökkäysten määrä on kasvussa - vaikutukset vähäisiä
Kyberturvallisuuskeskus on vastaanottanut syksyllä kasvavissa määrin ilmoituksia palvelunestohyökkäyksistä. Lokakuussa ilmoituksia on tehty enemmän kuin aiempina kuukausina. Nyt ilmoitetuilla palvelunestohyökkäyksillä on ollut vain vähäisiä vaikutuksia niiden kohteisiin.

Kiertävät sähkökatkot vaikuttavat myös teleyritysten verkkojen ja palvelujen toimivuuteen
Sähkön kantaverkkoyhtiö Fingrid Oyj on kertonut, että tämänhetkisessä maailmantilanteessa on järkevää varautua sähkön niukkuuteen ja siihen, että talvella sähköpula voi aiheuttaa sähkökatkoksia. Tässä artikkelissa kerromme, miten mahdolliset kiertävät sähkökatkot vaikuttavat mobiiliyhteyksien, kiinteiden laajakaistojen sekä televisio- ja radiopalvelujen toimintaan.

Kyberturvallisuuskeskuksen viikkokatsaus - 43/2022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 21.10. - 27.10.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Ohje välitystietojen käsittelyä koskevien tietojen tallentamisesta astuu voimaan 27.10.2022

Tietoturvan suunnannäyttäjä -tunnustus STT:lle - avoin tiedon jakaminen tukee kyberuhkiin varautumista
Liikenne- ja viestintävirasto Traficomin jakaman Tietoturvan suunnannäyttäjä -tunnustuksen sai tänä vuonna Suomen tietotoimisto STT. Tunnustuksen perusteluissa STT:tä kiitettiin avoimesta viestinnästä, sen jouduttua kyberhyökkäyksen kohteeksi kesällä 2022.

Kyberturvallisuuskeskuksen viikkokatsaus - 42/2022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 14.10. - 20.10.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Kriittinen haavoittuvuus Apache Commons Text -komponentissa
Apache Commons Text -komponentissa oleva haavoittuvuus mahdollistaa mielivaltaisen koodin suorittamisen etänä.

Kyberturvallisuuskeskuksen viikkokatsaus - 41/2022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 7.10. - 13.10.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.

Syyskuun kybersää jatkui vuodenaikaan nähden tavanomaisena
Nord Stream -kaasuputkien vuodot herättivät keskustelua mahdollisista vaikutuksista Suomen kansainvälisiin tietoliikenneyhteyksiin, jotka kulkevat merikaapeleissa. Exchange-palvelimien nollapäivähaavoittuvuus puolestaan tulee huomioida organisaatioiden turvallisuudessa, vaikka se ei olekaan yhtä vakava kuin viimevuotinen laajempi haavoittuvuus. Kuluttajien taas kannattaa huomioida jouluostoksia tehdessä myös älylelujen tietoturvallisuus. Lelujen ominaisuuksiin on hyvä tutustua ennen ostopäätöstä.

Kriittinen haavoittuvuus Adobe Acrobat ja Reader tuotteissa
Adobe Acrobat ja Reader tuotteissa on havaittu kriittinen haavoittuvuus Windows ja macOS käyttöjärjestelmissä. Onnistunut hyväksikäyttö voi johtaa mielivaltaisen koodin suoritukseen.

Kriittinen haavoittuvuus Adobe Commerce- ja Magento-verkkokauppa-alustoissa
Adobe on julkaissut korjauksen kriittiseksi luokiteltuun haavoittuvuuteen, joka antaa hyökkääjälle mahdollisuuden suorittaa komentoja etänä verkkokauppapalvelimella. Haavoittuvien ohjelmistojen päivittäminen on suositeltavaa.

Kysy kiristyshaittaohjelmista - me vastaamme!
Miten kiristyshaittaohjelmahyökkäys voi alkaa? Keille hyökkäyksestä on syytä kertoa? Lokakuussa ratkotaan yhdessä kiristyshaittaohjelmiin liittyviä kysymyksiä.

Kriittisiä haavoittuvuuksia Fortinetin FortiOS, FortiProxy, FortiSwitchManager ja FortiTester-ohjelmistoissa
Fortinet julkaisi päivityspaketit FortiOS, FortiProxy, FortiSwitchManager ja FortiTester -ohjelmistoihin, jotka korjaavat kriittiseksi luokiteltuja haavoittuvuuksia

Kriittinen haavoittuvuus Zimbra Collaboration (ZCS) -ohjelmistossa
Zimbra Collaboration Suite -tuottavuusohjelmistossa on havaittu haavoittuvuus, joka mahdollistaa mielivaltaisen koodin suorittamisen isäntäpalvelimella. Haavoittuvuutta käytetään aktiivisesti hyväksi, mutta sen väliaikaiseen korjaamiseen on jo keinoja. Kyseessä on nollapäivähaavoittuvuus, eikä varsinaista korjaavaa päivitystä ole vielä saatavilla. Ubuntu-järjestelmät eivät lähtökohtaisesti ole haavoittuvia.

Kybermittarin uusi versio saatavilla - syksyn koulutukset käynnistyvät viikolla 41
Traficomin Kyberturvallisuuskeskus julkaisi vuonna 2020 organisaatioiden kyberturvallisuuden arviointiin ja kehittämiseen Kybermittarin, jonka avulla organisaatiot voivat arvioida kyberturvallisuutensa nykytilaa ja tunnistaa kehityskohteita. Palvelua on kehitetty ja työkalun uusi versio on nyt saatavilla Kyberturvallisuuskeskuksen verkkosivuilta. Ilmoittautuminen kaikille avoimiin Kybermittarin esittely- ja koulutustapahtumiin on avoinna.

Kyberturvallisuuskeskuksen viikkokatsaus - 40/2022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 29.9. - 6.10.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin. TLP:CLEAR

Euroopan kyberturvallisuuskuukausi alkaa - ota käyttöön parhaat tietoturvavinkit
Lokakuussa laitetaan kyberturvallisuuden perustaidot kuntoon. Seuraa kampanjaa sosiaalisessa mediassa tunnisteilla #Choose2BeSafeOnline #ThinkB4UClick.

Tunnistautumista vaativa etäkäytön mahdollistava haavoittuvuus Microsoft Exchangessa
Microsoft Exchange-sähköpostipalvelimessa on havaittu haavoittuvuuksia, jotka mahdollistavat mielivaltaisen koodin suorittamisen. Haavoittuvuuksia käytetään aktiivisesti hyväksi. Microsoft on julkaissut korjaavat päivitykset.

Merikaapelit ovat internetin selkäranka
Nord Stream -kaasuputkien vuodot ovat ymmärrettävästi aiheuttaneet huolta myös kansainvälisten tietoliikenneyhteyksien toimivuudesta. Suomesta on useita yhteyksiä maailmalle ja vaikka häiriöt ovat mahdollisia, internet on varsin vikasietoinen. Teemme jatkuvaa yhteistyötä viestintäverkkoinfrastruktuurin suojaamiseksi sekä mahdollisten ongelmien ennaltaehkäisemiseksi, havaitsemiseksi ja korjaamiseksi.

Kyberturvallisuuskeskuksen viikkokatsaus - 39/2022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 23.9. - 29.9.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin. TLP:CLEAR

Tervetuloa Tietoturva 2022 -seminaariin 25.10.2022
Viime vuonna suuren suosion saavuttanut Tietoturva 2022 -seminaari tulee taas! Tapahtuma järjestetään Helsingin Tennispalatsissa tiistaina 25.10.2022 klo 9:00-16:30. Ohjelmaa voi seurata paikan päällä tai etäyhteyksin. Tilaisuuden aamupäivän ohjelma on suunnattu johdolle ja iltapäivän ohjelma kyberturvallisuuden asiantuntijatehtävissä toimiville. Olet luonnollisesti tervetullut seuraamaan koko tilaisuutta!

Kyberturvallisuuskeskuksen viikkokatsaus - 38/2022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 16.9. - 22.9.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin. TLP:CLEAR

Toimintaohjeita kyberhyökkäystilanteista toipumiseen
Miten kyberhyökkäyksistä selvitään? Miten kartoitetaan hyökkäyksen laajuus ja miten hyökkäys pysäytetään? Muun muassa näihin kysymyksiin löytyy vastaus Kyberturvallisuuskeskuksen julkaisemista käytännönläheisistä oppaista, jotka ovat maksutta saatavilla Kyberturvallisuuskeskuksen verkkosivuilta.

Kyberturvallisuuskeskuksen viikkokatsaus - 37/2022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 9.9. - 15.9.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin. TLP:CLEAR

Elokuun kybersää oli sateinen Suomessa ja maailmalla
Kyberturvallisuuskeskus arvioi pitkäaikaisten havaintojen analyysin perusteella Suomeen kohdistuneen kyberuhkatason nousseen, sillä Suomeen kohdennettu haitallinen liikenne on kasvanut ja muuttunut luonteeltaan vakavammaksi. Tietojenkalastelu- ja huijauskampanjat ovat voimissaan, mikä edellyttää valppautta niin organisaatioilta kuin kansalaisilta. Viranomaiset kuitenkin edistävät jatkuvasti kyberturvallisuutta. Erimerkiksi Suomesta lähtöisin olevia huijauspuheluita onkin saatu vähennettyä merkittävästi uudistetun määräyksen ja tiiviin operaattoriyhteistyön avulla.

Vahvan sähköisen tunnistuksen luotettavuudesta ja turvallisuudesta huolehditaan Suomessa monin tavoin
Sähköisen tunnistuksen luotettavuus ja turvallisuus ovat herättäneet paljon keskustelua S-Pankin kerrottua julkisuuteen häiriöstä, joka mahdollisti vahvan sähköisen tunnistuksen väärinkäytön huhtikuusta 2022 elokuun 2022 alkuun. Julkisuudessa on tämän johdosta esiintynyt huolta vahvan sähköisen tunnistuksen luottamuksen ja turvallisuuden tasosta. Yksikään tietojärjestelmä ei ole 100 % turvallinen, mutta vahva sähköinen tunnistaminen ja rekisteröidyt tunnistuspalvelut ovat kuitenkin tarkasti säänneltyjä ja valvottuja.

Kyberympäristön uhkataso on noussut - aktiviteetti Suomeakin kohtaan on lisääntynyt
Kyberhyökkäykset ovat lisääntyneet maailmanlaajuisesti kuluvan vuoden aikana. Samalla niitä kohdistuu hiljaisemman kevään jälkeen kasvavassa määrin myös Suomeen. Traficomin Kyberturvallisuuskeskuksen saamien ilmoitusten mukaan suomalaisiin organisaatioihin kohdistuvissa kyberhyökkäyksissä, erityisesti haittaohjelmien, tietojenkalastelun ja palvelunestohyökkäysten lukumäärät ovat kasvaneet.

Kyberturvallisuuskeskuksen viikkokatsaus - 36/2022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 2.9. - 8.9.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin. TLP:CLEAR

Kyberturvallisuuskeskuksen uusi viikkokatsaus - 35/2022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 26.8. - 1.9.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin. TLP:CLEAR

Tervetuloa tilaisuuteemme! - Kuluttajille suunnattujen älylaitteiden uudet tietoturvavaatimukset, yritysten vastuullisuus ja tietoturva?
Kuluttajille suunnattujen älylaitteiden tietoturvaan tulee uusia vaatimuksia 1.8.2024 alkaen. Jos valmistamamme ja markkinoimamme älylaite ei täytä uusia tietoturvavaatimuksia, mitä siitä voi seurata? Miten hyvästä tietoturvasta voi tehdä myyntivaltin? Miksi tietoturvasta huolehtiminen on osa yritysten vastuullisuutta?

Äly- ja digilaitteetkin kuuluvat kierrätykseen
Vanhat sähkö- ja elektroniikkalaitteet jäävät usein pöytälaatikkoon pölyttymään. Eurooppalaisessa keskivertokotitaloudessa on jopa 72 sähkö- ja elektroniikkalaitetta, joista 11 on rikki tai muuten pois käytöstä. Käytöstä pois jääneet laitteet sisältävät paljon käyttökelpoisia arvometalleja. Kun kierrätämme nämä materiaalit, vauhditamme kestävää digitalisaatiota ja esimerkiksi liikenteen sähköistymistä.

Kansainvälinen tiedonvaihtoprotokolla (TLP) päivittyi versioon 2.0
Kansainvälinen poikkeamanhallinnan ja turvallisuuden foorumi (FIRST) on julkaissut uuden version vuonna 2017 esitellystä liikennevaloprotokollasta (TLP - Traffic Light Protocol). Liikennevaloprotokollan tarkoituksena on ollut yhdenmukaistaa tiedonvaihtokäytäntöjä sekä parantaa kansainvälisten ja kansallisten julkisen sekä yksityisen sektorin toimijoiden välistä tiedonvaihtoa.

XD

What the hell is going on?!?!?

news.Ycombinator

Pluralistic

Krebs on Security

Proton Foundation Blog

Bellingcat

100r

Summary Of Changes

Summary Of Changes

Summary Of Changes

Summary Of Changes

Summary Of Changes

Summary Of Changes

Summary Of Changes

Summary Of Changes

Summary Of Changes

Summary Of Changes

Summary Of Changes

Pino book & movie club

Summary Of Changes

Pino book & movie club

Summary Of Changes

News

Pino book & movie club

Summary Of Changes

News

Pino book & movie club

Summary Of Changes

Pino book club

Summary Of Changes

News

Pino book & movie club

Summary Of Changes

News

Pino book & movie club

Summary Of Changes

News

Pino book club

Summary Of Changes

News

Pino book club

Summary Of Changes

News

Pino book club

Summary Of Changes

News

Pino book & movie club

Summary Of Changes

News

Pino book & movie club

Summary Of Changes

News

Pino book & movie club

Summary Of Changes

Pino book & movie club

Summary Of Changes

News

Pino book club

Summary Of Changes

News

Pino book club

Summary Of Changes

News

Pino book club

Summary Of Changes

News

Pino book club

Summary Of Changes

Pino book club

Summary Of Changes

News

Pino book club

Summary Of Changes

News

Pino book club

Summary Of Changes

News

Pino book club

Summary Of Changes