I have the baseless headcanon that Mary Poppins is Maleficent.
Maleficent reforms sometime in the fourteenth century, greatly reduced. She wanders the countryside in the shape of a harridan, another bogeyman to warn children of.
The peasantry - who remember Maleficent as the fey who inexplicably sent her minions to inspect every cradle in the kingdom - think that she is another of these goblins.
They call her La Mauvaise Paysanne.
***
She arrives in England in the eighteenth century on the back of a fairy tale.
Fairies take the shape of the stories told about them. The myth has changed, and so has she. She takes the shape of an enchantress, the punisher of naughty children, the rewarder of the good.
The English people call her the Merry Peasant.
***
By the nineteenth century, the edges of her myth have been sanded off entirely. She’s known as a fairy godmother who blesses good children.
She doesn’t mind this, but when she gets the chance to reshape her wand, she gives it a crow’s head in memory of her old familiar.
They’ve started calling her Mary Pauper.
***
By the twentieth century, Mary Poppins is more powerful than she’s been in centuries.
She’s also changed completely. She understands this to her core, and mostly she’s fine with it.
She misses it every now and then, of course. The palace, the minions, the mistress of all evil. She sniffs and says these are are ridiculous thoughts, but she thinks them nevertheless.
This is partly why she enjoys being a nanny. It’s a good compromise. She can be strict but fair with her charges, and every now and then she meets a particularly incorrigible parent who she can curse into oblivion.
the post means what it means. it doesn’t mean come to the largest city in the country with a police force that is extremely, extremely violent and as well equipped as most normal countries militaries or come to a state with a coastline. that is, in fact, probably the riskiest thing you could possibly do.
do not come to the united states. there is nothing here worth dying or being sent to a slave penal colony for.
We need one of those old fashioned tourism posters for the US with “There is nothing here worth dying or being sent to a slave penal colony for” as the tagline
History clearly shows that when hemp is targeted, so is THC producing cannabis. I remember republican congressjerks trying to take credit for cannabis being legal in so many states, but once again we see their true colors.
The Senate has criminalized an industry that it legalized seven years ago. Buried in last week's government funding bill was language that will shut down America's $2.8 billion hemp market and eliminate over 300,000 jobs.
A quirk in the 2018 Farm Bill allowed manufacturers to create psychoactive gummies and drinks while staying technically legal. — Read the rest
I enjoy coin collecting on a limited basis, and the US 1 Cent Piece (the penny is a British coin, the US mint has never made a "penny")was always a cost effective way to create a collection.
The last penny rolled off the press at 3:47 PM yesterday at the US Mint in Philadelphia, watched by US Treasurer Brandon Beach and a handful of mint workers. After 238 years, the one-cent coin officially died of economic inefficiency — it cost nearly four cents to make each penny. — Read the rest
The White House just released its list of 37 donors funding Trump's $300 million ballroom addition, and it reads like a who's who of corporate America trying to stay on the president's good side.
AP reports that tech giants dominate the roster — Amazon, Apple, Google, Meta, Microsoft — each ponying up undisclosed amounts after years of regulatory battles. — Read the rest
BRAND NEW KICKSTARTER! Pre-order Volume 1 and Volume 2 of The Complete Tom the Dancing Bug Library right here. Limited time. Plus a bonus comic book: Trump You!
Please join the team that makes it possible for your friendly neighborhood comic strip Tom the Dancing Bug to exist in this world: JOIN THE INNER HIVE! — Read the rest
The Dutch government has filed a protest with the US ambassador after plaques honoring black soldiers were removed from an American cemetery in that nation, calling it “indecent and unacceptable.”
‘Unacceptable’: Leaders demand permanent memorial for Black WWII soldiers after plaques removed
174 of the 8,200 U.S. soldiers who are buried at the Netherlands American Cemetery are Black.
Nearly one million African American soldiers fought in Europe during World War II. Now, plaques at a memorial site honoring the sacrifice of African American soldiers in the Netherlands have been removed at the only U.S. cemetery in the country.
According to NRC, the two panels celebrating the “Black Liberators” of the Netherlands from Nazi rule were removed from display “earlier this summer” without an exact reason given as to why.
More than 8,200 U.S. soldiers are buried at the Netherlands American Cemetery in Margraten. One hundred seventy-four of those troops were African Americans. Lawmakers in the Netherlands have called for either a temporary replacement of the plaques or a permanent monument to be erected in honor of the Black soldiers who helped build the cemetery, calling their removal “indecent” and “unacceptable.”
One of the panels at the memorial site celebrated the Black soldiers’ fight on two fronts: against Germany and racism in the U.S. military. The military was desegregated in 1948.
“Initially, that exhibition paid no attention to African-American soldiers whatsoever,” Kees Ribbens, a senior researcher at the NIOD Institute for War, Holocaust and Genocide Studies and endowed professor of popular historical culture of global conflicts and mass violence at Erasmus University Rotterdam, said. Ribbens says he was “shocked” to learn that the plaques commemorating the soldiers had been removed and offered an opinion as to why it happened.
“It aligns with the Trump administration’s policy,” he said.
I usually keep it tuned to whatever Alt/Classic Rock station is available, but Vladivostok FM was pretty great in GTA4 before a bunch of music licenses expired, and sometimes the talk radio station is entertaining.
Soundtrack Sunday
Welcome to Soundtrack Sunday, where a member of the PC Gamer team takes a look at a soundtrack from one of their favourite games—or a broader look at videogame music as a whole—offering their thoughts or asking for yours!
Ah, licensed music in videogames. An embarrassingly big contributor to my music taste over the years, highly favoured among the sports sims, episodic videogames, and open world free roam ditties à la Sleeping Dogs and Grand Theft Auto.
The latter is where I've ingested all kinds of music over the years, broadening my tastes to genres I never thought I would have bothered listening to. As a raging emo in the 2000s, the Grand Theft Auto games were my gateway to stuff I never would have listened to otherwise like hip-hop, country, and house.
That's thanks to the myriad of fictional radio stations that Rockstar has crafted over the years—it started introducing a large chunk of licensed music to its radio stations in Vice City—with carefully curated playlists that do so much for each game's worldbuilding and general vibes. Nothing beats cruising down roads in Vice City while '80s bangers like Out of Touch by Hall & Oates play, or diving into San Andreas' excellent East Coast hip-hop library with Biz Markie and Public Enemy.
(Image credit: Rockstar)
If you're anything like me, some radio stations will have stuck with you more than others. Country music is perhaps the very last genre I would voluntarily listen to in my day-to-day life, but I have so many fond memories of blasting K-Rose while playing San Andreas. It's my go-to radio station every time I boot that game up.
There's something about host Mary-Beth Maybell sharing far too many details about her life ("you ever stick your entire arm up a cow?") before going into the likes of All my Ex's Live in Texas, a song that regularly worms its way into my brain for days on end despite never listening to it outside the confines of the game.
Josh's favourite: K-DST
(Image credit: Future)
Mine is probably K-DST in San Andreas, which is the only reason I'm familiar with a whole bunch of classic rock.
Maybe it's recency bias though, but by far my favourite station has to be Grand Theft Auto 5's Non-Stop Pop FM. It's hosted by Cara Delevingne with the kind of weirdly pleasant wooden performance I'd expect from the British model—though she certainly calls me out with the line "This is the home for all the music you used to pretend not to like back when you were trying to be cool. You weren't cool."
The station is stuffed with pop bangers over three decades—Amerie's 1 Thing, Britney Spears' Gimme More, Lorde's Tennis Court—and one of my fondest memories of Grand Theft Auto Online comes from a late-night lockdown heist where I uttered the words to my partner-in-crime: "I hope to God they play Backstreet Boys," before flicking the radio on to I Want It That Way. It was the perfect post-diamond heist soundtrack as we drove back to base, most definitely annoying our real-life neighbours with our 3am warbling.
But with dozens of radio stations to choose from, am I right in crowning Non-Stop Pop FM as the reigning champion of the virtual airwaves, or have I blatantly missed far more iconic transmissions I should be tuning into instead?
Be sure to comment your favourite GTA radio station below, and let us know why it's the best of the best.
Republicans promised to run the country like a business, and they've run it into the ground. With the government shutdown stretching past a month, Transportation Secretary Sean Duffy says the skies may soon be closed for business. Air traffic controllers are still working without pay, SNAP benefits are expiring, and millions of Americans are about to spend Thanksgiving grounded and hungry. — Read the rest
Greetings from your friendly neighborhood National Park Service worker.
The government wants you to think a shutdown is no big deal. It’s is. They want things to keep running in the meantime. They will- but not safely and not paid. Because not everyone is necessarily aware what a shutdown means for Gov workers, this is how it works…
Employees fall into one of the following three categories:
Excepted: Unpaid, required to work (those needed to protect life and property).
Exempted: Paid, required to work (those funded by non-lapsed sources)
Furloughed: Unpaid, employees that are neither excepted nor exempted. These employees have been ordered to “expeditiously complete orderly shutdown activities” then head home. This may be a few minutes for some employees or a few days depending on their job duties and what it takes to perform an “orderly shutdown” of their activities.
Who is furloughed? Legit everyone but “safety” workers. So fees, maintenance, timekeepers, facilities, everybody. And no, those thousands of people will not be paid for whatever amount of time they aren’t working.
Who is Exempted? In my neck of the woods (pun intended) it’s law enforcement, fire, ems, search and rescue and dispatchers. Hey that sounds like a lot? Guess what - almost all of the law enforcement in the park are simultaneously EMS, search and rescue and the Fire department. One person, four jobs. That’s the way… It always is by the way, which is HIGHLY PROBLEMATIC (but that’s a different rant). We will keep doing those four jobs, unpaid and unsupported. When will we get paid for our work?- who knows. You may ask yourself - why do we have to keep working when everything is shutdown? Because they’re not closing the national parks. Yeah. So people are going to keep coming, keep using the bathrooms that won’t be cleaned, keep using the roads that won’t be maintained safely, keep getting hurt and in trouble.
Right now, there is a massive rollover DUI car accident on one side of the park and someone just got gored by an animal on the other side of the park. So all of us (the three people on shift at the moment) will be figuring out which one to heading out to. We have to choose. And it’s going to be extremely dangerous when we do get on scene because those “non-essential workers” that were furloughed? -Those are the people we count on daily to go above and beyond their own normal duties and help.
Those are the people who manage traffic around the accident for us so we don’t get hit. Those are the people that get extra resources for us (lights for night time, blankets, Gatorade if it’s a long extraction on scene). Those are the people that make sure we get paid for being called out in the middle of the night, the people that make sure all the protocols are being followed so everyone is safe, the victim advocates that talk to the families, they are the essential hands needed because- if you haven’t all forgotten- they already gutted our limping agency staff by like 30%.
What can you do?
The usual things you see - pester your local and government officials. Pester your money makers though even more - the businesses that give money to your local officials. But more immediately? Please do not come here. Please do not further burden the system. Tell other people not to come. Don’t let the government think we can make it work still- we can’t. Do not make us have to function as if things were okay, because they are really really not.
Greetings from Week Five of the shutdown.
What’s new?
Well, for a small group of us first responders, the government has now ordered that we be paid… from our park’s admission fee money fund. The admission fee money fund that is supposed to go directly towards improving the park – fixing roads, cleaning and fixing facilities, visitor experience stuff. The admission fee money fund that’s supposed to cover those improvements for the entire year… Is now being used to pay us. So guess what happens when that runs out? A.) no more pay, B.) no improving the park.
But the parks are still open? So wouldn’t the fees of people still coming in cover part of that? No. Because we’re not allowed to collect fees during the shutdown. The parks are open, not gaining any revenue, burning through their reserves, and becoming significantly more unsafe and generally trashed and destroyed, by the day.
What does that look like?
Last week it was very icy and a tour bus of 50 people slid partially off the road, blocking a whole lane of traffic. This was on the MAIN ROAD, on a blind curve, only 10 miles into the park.
We only have one remaining, non-furloughed plow/sander driver. For reference, we normally have 4-5. He was 50 minutes away (and then the sander broke so he had to go back to the garage for a bit to try and fix it.) The one remaining tow truck driver was almost 90 minutes away. There was only me and my coworker on shift to deal with traffic and we couldn’t direct people around the accident because the road all around it was still icy because the sander hadn’t gotten there and someone was bound to slide off again. So we had to just keep traffic stopped. For almost a two hours, every single visitor to the park was in stopped traffic. About 10 miles worth of cars just sat, parked in the road. Hundreds and hundreds of people.
Some of them turned around to go back to the entrance, but an RV slid off the road going the other way, so now traffic was blocked in both directions. Which meant when the sander WAS fixed, it couldn’t get through the traffic. And because it was just me and my coworker, we didn’t have anybody who could leave the scene of the accident to go down and clear that traffic for the sander.
As I stood there in the cold (thankful that I had pulled my yaktrax out of storage soon enough to use them for the occasion because the road was SOLID ICE) people kept getting out of their cars, coming up to me, and complaining. I’m not allowed to give political opinions at work, but I was able to provide them facts:
Fact: We only have one plow truck driver, because everyone else has been furloughed. If we had our normal amount, all the roads would be sanded and this probably wouldn’t have happened.
Fact: We only have two officers on right now. Usually, we can try to pull some people from other divisions to help with traffic- those people are also furloughed.
Fact: The reason you are in traffic right now is directly caused by the government shutdown.
The main thing I want to communicate to the general public, though, comes from the repeated question I got “Well, if the roads were so dangerous why didn’t you just close the park?”
Ma’am?
Fact: The administration has forbidden us from closing National Parks.
We were ordered to “Continue operations and services as normal”… with at least 65% of our staff furloughed.
Fun epilogue to the story is that 2 hours in, just as the sander and tow truck finally arrived, another car went careening off the road about 30 miles from there, blocking traffic for both lanes. I left one scene and came to that one we discovered the drive was HURT, and needed an ambulance. My coworker and I are also the EMTs/ambulance drivers (and fire department and search and rescue and…) so we had to have our dispatch center start calling people at home to come in and help. (Their overtime won’t be paid until the government restarts by the way).
Five people came in on their day off and we managed to transport to the hospital, do the crash report, clear the road… and deal with SEVEN MORE slide offs in the following two hours.
What are the takeaways from all this complaining I’m doing:
Fact: 65% or more of National Park Service staff that are furloughed and have no income right now. They still have bills though, and some people are in significant trouble financially (because it’s not like they paid us much in the first place).
Fact: Coming to your national park right now is not only extremely dangerous for you, but also causing significant and irreparable damage to the park- to the actual natural resource, to our infrastructure, and to our facilities.
Fact: Parks were ordered to use the finances that we usually would put towards keeping up said facilities and infrastructure, to pay the people we are forcing to work right now. BECAUSE THE GOVERNMENT HAS FORBIDDEN PARKS TO CLOSE THEIR DOORS AND SHUT THEIR GATES.
Please don’t come here. Please contact your local representative. Please spread the word
Because it looks like it’s going to be another busy day.
Internet Archive, a non-profit library dedicated to archived websites, music, books, apps, and all kinds of information on the internet, has been subjected to multiple lawsuits since its foundation in 1996. And one aimed at its library has reportedly had a major effect, according to what its founder told Ars Technica.
Internet Archive might be most well known for its website archiver, The Wayback Machine, but, in 2020, its Open Library was sued by four major book publishers. Effectively, the Open Library is a digital library, where the Internet Archive would 'loan' digital versions of physical books it owns, to emulate a library. These books would be lent at a 1-1 rate with what it owned. At the start of the Covid-19 pandemic, it created the National Emergency Library in response to libraries shutting down, which removed its prior lending restrictions.
In June last year, Hatchet, HarperCollins, Wiley, and Penguin Random House won their suit against Internet Archive's Open Library, taking out 500,000 books from the library. The Internet Archive lost its appeal just a few months later, in September 2024.
"We survived… but it wiped out the library," Internet Archive founder Brewster Kahle told Ars, also noting, "the world became stupider" in the wake of this decision and they have some choice words for "massive multibillion-dollar media conglomerates" that have succeeded at making "sure that Wikipedia readers don't get access to books."
Kahle tells the Examiner, "One hundred years ago in the United States, the legislatures and judiciary were very pro-libraries. Now we have licensing issues. We have the corporations, we’ve got book bans, we’ve got defundings, we’ve got criminalization of librarianship. It’s a challenging time in the United States and actually in many countries around the world, as we’re going through some political swings."
Kahle also reveals to the Examiner the ways he works with and around AI. Public domain works are crawled by AI, but everything else archived is not, "because there's not regulatory clarity".
When asked what they may try to archive next, Kahle explains, "3D environments, games, the human experience. And the digital-built experience—how do we go and learn from that? Boy, we really don’t know."
Mushrooms are the coolest. Not quite flora, not quite fauna, they are a secret third thing—isn't that neat? Many types of fungi have also been observed to form symbiotic relationships with the root systems of plants. Sometimes mutualistic, sometimes parasitic, this root-meets-fungus network is called 'Mycorrhiza'—and a similar web of mycelium may one day come to a rig near you.
No, this isn't my pitch for a funguspunk trilogy, this is actual science. Researchers at the Ohio State University recently found that mushrooms you can eat can also be trained to act as bioelectronic data processors (via phys.org). Specifically, the team grew shiitake and button mushrooms, dehydrated these cultures for long-term use, and trained the fungi to function like organic memristors through methodical electrocution.
I know that sounds wild, but that's not even the raddest part. The researchers observed the dehydrated fungus demonstrated an ability to remember past electrical states, with the mushrooms able to reproduce memory effects in a way not dissimilar to traditional semiconductor chips.
The research project was partly inspired by how human brains produce neural activity through electrical impulses. The paper's lead author, John LaRocco, explains: "Being able to develop microchips that mimic actual neural activity means you don't need a lot of power for standby or when the machine isn't being used. That's something that can be a huge potential computational and economic advantage."
After all, if our own lumps of meaty grey matter can be encouraged to produce a thought or two through electrical stimulation, then why not mushrooms? Joking aside, the research project was also motivated by more environmental concerns; the paper reflects on how "current semiconductor-based neuromorphic chips require rare-earth materials and costly fabrication processes," pitching "fungal computers" as a sustainable, even biodegradable alternative.
Obviously, you won't be able to play The Last of Us Part 2 Remastered on what amounts to a portobello mushroom suffused with electrodes any time soon, but this early research is no less compelling—especially with how screwed memory prices are thanks to AI. For one thing, when the researchers attempted to use their dehydrated mushroom cultures like RAM, they found the samples performed with a 90% accuracy rate. Performance waned when the fungus was exposed to more frequent electrical shocks but this was remedied by, you guessed it, adding more mushrooms to the circuit.
For another, the researchers are also keen to note that "shiitake has exhibited radiation resistance, suggesting its viability for aerospace applications." Rockets navigated by mushrooms—now that's a vision of the future I don't think I'd mind living in.
Now, before you get as excited as I am, it's probably worth taking note of the speed of these "fungal memristors". With a top speed of 5.85 kHz our Nick has noted that, "the RAM chips my first ZX Spectrum were 1000 times faster at switching... Admittedly, you couldn't eat them, though."
Biological computing is nothing new, and you may remember Cortical Labs' 'body in a box' wetware from earlier this year. But, costing $35,000, the CL1 presents a far greater cost to research institutes compared to, say, culturing some mushrooms, meaning those aforementioned fungal aircraft may not be such a far flung fancy after all.
A mummified dinosaur has given the most complete picture yet of dinosaur skin and, unexpectedly, hooves.
Two unfortunate duck-billed dinosaurs perished 66 million years ago in what is now Wyoming and were covered by a flash flood. Fast forward to 2025, and the two Edmontosaurus annectens have been transformed into mummies, enabling scientists to reconstruct the dinosaurs' skin, scales, crests, spikes, and hooves. — Read the rest
For years, Linux users who wanted to play PC games were out of luck. The operating system just didn't support most games. But that's rapidly changing. According to Slashdot, nearly 90% of games designed for Windows PCs now work on Linux machines too. — Read the rest
BRAND NEW KICKSTARTER! Pre-order Volume 1 and Volume 2 of The Complete Tom the Dancing Bug Library right here. Limited time. Plus a bonus comic book: Trump You!
Please join the team that makes it possible for your friendly neighborhood comic strip Tom the Dancing Bug to exist in this world: JOIN THE INNER HIVE! — Read the rest
Fans of LEGO and Nintendo rejoiced earlier this year when the LEGO Game Boy was released. The model is near perfect, with all the buttons of the original gaming handheld. It also includes two Game Paks and swappable lenticular displays to match the games. — Read the rest
Old School RuneScape (OSRS) is no stranger to madcap individuals doing harebrained tasks: 10,000 hour grinds, taking eight entire months to grind out a single baby mole, you name it. But trout guy, who has been attempting to make a dent in a stack of over 500,000 trout, might just be a secret genius.
As posted to the OSRS Reddit, "trout guy", or Lousifer in-game, has been trying to eat 500,000 trout for almost a week straight. "He keeps getting trout donations and the crowd keeps growing," writes user IronWurmple. "Last night it was about 40 people deep."
Just to make sure my leg wasn't being pulled, I made an OSRS account and booked it to Edgeville and, sure enough, at the time of writing, Lousifer is still eating trout with crowds of adoring fans.
"I lived through this," one player says. "Troutman, have my wife", says another. Whenever trout guy stops eating, everyone barks at him to eat more trout. Whenever he moves tiles, a manhunt starts until he is discovered again amongst the swarm. He cannot escape.
(Image credit: Jagex)
Edgeville is so flooded with pilgrims bearing fish for Lousifer that, at one point, the man himself even posted a screenshot to the subreddit, flaunting not only an inventory flooded with trout, but a Jagex mod coming along to pay him well-wishes. "Godspeed, trout man," says Mod Nin, before returning back to work: "Trout skill releasing Winter 2027."
However, this seems to be the tip of the iceberg. See, there are rumblings—some commenters in the aforementioned threads believe that trout guy might be manipulating the fish markets for their own personal gain.
"I spent 539k on 5000 trout at 107 gp each," writes one player. "That may be the highest trout prices have ever been in OSRS." Another adds: "What if trout man is merching everyone?"
It's definitely possible. If I hop onto osrs.exchange and search for trout, there's a massive spike in trout prices, which almost doubled on October 20 from 70 to 120 gold. If we take that five-day timeframe as gospel, that means trout guy, savvy fish scoffer that he potentially is, spent two days scarfing fish to gain notoriety, waited for the fish market to deplete, then offloaded his donated fish to an alt and sold it at a higher price.
(Image credit: OSRS exchange)
I've reached out to Lousifer, and I'll update this article if I receive a response from the guy. Until then, keep on scoffing, trout man. Even if you are playing us all for fools, what's the harm? That we might believe in something? That even a small fish can make it big on the grand exchange? We must believe in the smaller lies to believe the bigger ones. We must believe in trout guy.
As if DirecTV doesn't have enough trouble keeping customers, the satellite TV provider's streaming devices will show AI-generated screensaver ads next year, according to an announcement today from partnering ads company Glance.
People who use either of DirecTV’s two Gemini streaming devices will start seeing the ads “in early 2026,” per the announcement. DirecTV’s Gemini Air is an Android TV-powered USB device that people can plug into a TV for access to live TV channels, as well as streaming apps. Gemini Air doesn’t require a DirecTV satellite connection, and DirecTV gives all of its Internet customers the device. DirecTV first started selling Gemini devices in 2023, when it launched a separate Gemini set-top box that connects through DirecTV satellite setups.
DirecTV made an agreement with Glance to show AI-generated content and ads on Gemini devices' screensavers. Currently, Gemini devices show Google wallpapers as screensavers, which are on by default. When the new screensavers launch, Glance's AI content will show if the TV is idle for 10 minutes, The Verge reported.
It's certainly not an absence of demand that keeps "dead" games like Black & White or the original Civilization off the market. It's usually red tape and nebulous barriers involving copyright law and intellectual property ownership-flavored headaches that get in the way. And even though GOG has a team working on its preservation program full time, senior bizdev manager Marcin Paczynski said they found the process of digital necromancy "harder than we thought it would be," on a recent episode of The Game Business Show.
He added that the strange stories involved were enough to fill a book, and served up some examples that make me really want to read that book. One tidbit involved someone in the UK who had unwittingly inherited rights to several games, but was "nowhere to be found."
Paczynski told The Game Business: "He kind of fell off the grid, so we hired a guy in the UK that was supposed to find him. That was the type of person who was really, really living without any cell phone, without any online presence, just chilling. He didn't even know that he owned the rights because this was just a package with his inheritance … we have a lot of stories like that."
In the same interview, he mentioned a Vietnam veteran turned game developer turned business mogul behind a multimillion-dollar oil company, as well as more precarious stories like developers whose physical documentation of IP ownership was torched in a fire—the further back in time you go, the more game development relied on physical record-keeping. And notably, this is all before you get to the technical aspect of getting a game to function on modern machines and keeping it that way.
It's a wild set of stories and a good reminder of how hard it can be to do this sort of thing on the up and up. The length of GOG's Dreamlist, which catalogs users' top picks for additions to the preservation program, as well as the Video Game History Foundation's claim that around 87 percent of games are largely unplayable, can make the whole task of game preservation seem impossible. That said, players have made it clear the alternative—letting old games fade into memory—isn't something they'll accept.
Firmware security company Eclypsium has claimed that 200,000 Framework laptops and desktops that are running Linux have shipped with "what can only be described as signed backdoors." This is because they've shipped with UEFIs that allow memory read/write access that can apparently be used to compromise Secure Boot. And apparently "this situation is not unique to Framework."
That's according to the security company, which notes that UEFI shells that enable these vulnerabilities aren't backdoors placed by bad actors for malicious purposes (via Bleeping Computer). "Instead, they’re legitimate diagnostic tools signed with trusted certificates that contain functionality to effectively bypass security controls we’ve built into the boot process" the company says. "The implications? Systems that have a secure boot process, in reality, do not."
A UEFI shell is a command-line environment that loads before the operating system boots up. It allows you to perform diagnostics, update your firmware, and so on. Part of what goes on at this pre-OS stage of booting is your system checks whether UEFI applications are signed by Microsoft. If it's signed, your firmware will trust it and allow it to run things in the UEFI shell.
The problem, however, occurs with one UEFI shell command. Eclypsium explains: "At the heart of this issue is a seemingly innocent command: mm (memory modify). This command, present in many UEFI shells, provides direct read and write access to system memory. While this capability is essential for legitimate diagnostics, it’s also the perfect tool for bypassing every security control in the system."
(Image credit: Future)
Essentially, it seems like a malicious actor can use this command to directly write to memory, rather than interfacing with the UEFI code/variables themselves, to bypass security verification. The process is as follows:
Identify the target variable (gSecurity2)
Locate the Memory Address for that variable
Patch the security handler, using the mm command to overwrite it with NULL, or redirect it in such a way that makes it bypass verification.
Load and execute any UEFI module code now that the security handler is disabled
Establish persistence so the bypass happens automatically on each boot
This can allow the malicious actor to completely bypass Secure Boot. This is the part of the booting process I mentioned earlier, where your system verifies that nothing is compromised by checking digital signatures. The "mm" command seems to be able to bypass these checks entirely, which would mean you could then load and execute even non-verified, ie, potentially malicious, code.
This vulnerability has been discovered and tested in Framework Linux systems, and Eclypsium says "this information was disclosed to Framework, and they have been working on remediating the vulnerabilities affecting roughly 200k Framework laptops and desktops."
Given this isn't just a Framework problem, but presumably a problem with any UEFI shell that allows execution of the "mm" command, the security company thinks it might call for a complete change in approach to security:
"The concept of implicit trust based solely on digital signatures is fundamentally flawed when those signatures can be applied to components with dangerous functionality… those [organisations] that continue to operate under the assumption that 'signed equals safe' may find themselves on the wrong side of a fundamental shift in the threat landscape."
(Image credit: Framework)
Of course, there's also the fact that older systems don't run Secure Boot at all, and users can bypass Windows 11 Secure Boot requirements by modifying the install in Rufus, for instance. Although this will become increasingly difficult to get away with for gaming, given more and more games are requiring it and Steam now even lets you check if you have it enabled.
Given that we seem to be decidedly wading into the Secure Boot requirement era, it would be great if we could get it, y'know, actually doing its job and verifying system integrity. Without possible UEFI shell exploits like this, I mean. Perhaps stopping to assume that "signed equals safe" is the way after all. Until then, keep an eye out for BIOS updates from Framework and any other companies that recognise the vulnerability and patch it.
A team of researchers from UC San Diego and the University of Maryland have published a study [PDF warning] detailing their attempts to pick up unsecured information from the airwaves using a basic receiver system. Over the course of three years, the team pointed their off-the-shelf residential dish at various geostationary satellites and interpreted the data, and were shocked by what they found.
"There are some really critical pieces of our infrastructure relying on this satellite ecosystem, and our suspicion was that it would all be encrypted," said UCSD professor Aaron Schulman, speaking to Wired. "And just time and time again, every time we found something new, it wasn't."
Using a $180 satellite dish and roof mount, a $195 motor system, and a $230 tuner card, the team say they were able to pick up samples of the contents of US calls and text messages on the T-Mobile cellular network, along with data from in-flight Wi-Fi and utility infrastructure comms from oil rigs and electricity providers. Perhaps more troubling, however, was that military and law enforcement communications were also said to be easily accessible, revealing the locations of personnel, equipment, and facilities.
"They assumed that no one was ever going to check and scan all these satellites and see what was out there. That was their method of security," Schulman continues. "They just really didn't think anyone would look up."
What's also troubling is the relatively small scale of the researchers' efforts. Using their easily obtainable equipment from a San Diego location, they were only able to pick up signals from roughly 15% of satellites currently in operation, yet discovered numerous unencrypted communications—suggesting the problem may be more widespread than initially thought.
(Image credit: Starlink)
At one point, during a nine-hour recording session of T-Mobile's backhaul satellite communications, the researchers say they were able to view phone numbers, calls, and text messages from over 2,700 users. There is a small glimmer of hope, however, in that the team was only able to pick up data from one side, meaning that the data the users were receiving was open to access, not data being sent from their devices. Essentially, a one-sided conversation—but a leaked one, nonetheless.
The team seem keen to point out that they didn't actively intercept any of these communications, instead passively listening to what the receiver picked up.
"When we saw all this, my first question was, did we just commit a felony? Did we just wiretap?" says co-leader of the study Professor Dave Levin.
However, it appears that all that was needed to receive the unencrypted data was a small set of equipment, and the knowledge of how to use it. "These signals are just being broadcast to over 40 percent of the Earth at any point in time," said Levin.
The team say they were also able to receive unencrypted internet communications from US military sea vessels, and were able to discern the vessel's names as a result. However, data from Mexican military and law enforcement authorities seems far more detailed. The team say they were able to pick up the unprotected transmission of intelligence information on narcotics tracking, as well as military asset tracking and maintenance records for helicopters, sea vessels, and armoured vehicles, along with locations and mission details.
(Image credit: US Navy (Facebook))
The team has since notified the companies and agencies affected by the unencrypted information, with varying results. According to the researchers, T-Mobile, Walmart, and KPU have been re-scanned since being informed of the data breach and are now using some form of encryption, although other unnamed parties still appear to be broadcasting without a fix.
It's truly astonishing how much data the team was able to intercept with a relatively budget set of equipment, and it does make you wonder how easy it would be for less scrupulous entities to do the same. The researchers acknowledge that their work may enable others to begin tracking satellite communications, and that intelligence agencies with far superior equipment are likely to have been analysing the same unencrypted data.
However, they argue that the study may force more satellite communications providers to tighten up their security protocols. Schulman says: "As long as we're on the side of finding things that are insecure and securing them, we feel very good about it."
Please join the team that makes it possible for your friendly neighborhood comic strip Tom the Dancing Bug to exist in this world: JOIN THE INNER HIVE!
Coming soon! Volumes 1 and 2 of The Complete Tom the Dancing Bug! Sign up now to be informed when the Kickstarter launches VERY SOON! — Read the rest
