BSDForAll.Org | Forums - BSDforAll

Writes and Write-Nots

Sun, 03 Nov 2024 18:10:56 +0000

October 2024
I'm usually reluctant to make predictions about technology, but I feel fairly confident about this one: in a couple decades there won't be many people who can write.
One of the strangest things you learn if you're a writer is how many people have trouble writing. Doctors know how many people have a mole they're worried about; people who are good at setting up computers know how many people aren't; writers know how many people need help writing.
The reason so many people have trouble writing is that it's fundamentally difficult. To write well you have to think clearly, and thinking clearly is hard.
And yet writing pervades many jobs, and the more prestigious the job, the more writing it tends to require.
These two powerful opposing forces, the pervasive expectation of writing and the irreducible difficulty of doing it, create enormous pressure. This is why eminent professors often turn out to have resorted to plagiarism. The most striking thing to me about these cases is the pettiness of the thefts. The stuff they steal is usually the most mundane boilerplate — the sort of thing that anyone who was even halfway decent at writing could turn out with no effort at all. Which means they're not even halfway decent at writing.
Till recently there was no convenient escape valve for the pressure created by these opposing forces. You could pay someone to write for you, like JFK, or plagiarize, like MLK, but if you couldn't buy or steal words, you had to write them yourself. And as a result nearly everyone who was expected to write had to learn how.
Not anymore. AI has blown this world open. Almost all pressure to write has dissipated. You can have AI do it for you, both in school and at work.
The result will be a world divided into writes and write-nots. There will still be some people who can write. Some of us like it. But the middle ground between those who are good at writing and those who can't write at all will disappear. Instead of good writers, ok writers, and people who can't write, there will just be good writers and people who can't write.
Is that so bad? Isn't it common for skills to disappear when technology makes them obsolete? There aren't many blacksmiths left, and it doesn't seem to be a problem.
Yes, it's bad. The reason is something I mentioned earlier: writing is thinking. In fact there's a kind of thinking that can only be done by writing. You can't make this point better than Leslie Lamport did:
If you're thinking without writing, you only think you're thinking.
So a world divided into writes and write-nots is more dangerous than it sounds. It will be a world of thinks and think-nots. I know which half I want to be in, and I bet you do too.
This situation is not unprecedented. In preindustrial times most people's jobs made them strong. Now if you want to be strong, you work out. So there are still strong people, but only those who choose to be.
It will be the same with writing. There will still be smart people, but only those who choose to be.
Thanks to Jessica Livingston, Ben Miller, and Robert Morris for reading drafts of this.

Quote:Taken from: https://paulgraham.com/writes.html

Japan and EU announce security partnership amid growing regional tensions

Fri, 01 Nov 2024 18:07:14 +0000

Japan and the European Union have announced a security and defence partnership, as they seek to step up military ties amid growing tensions with China, North Korea and Russia.

“We live in a very dangerous world,” EU foreign policy chief Josep Borrell told reporters in Tokyo on Friday, alongside Japanese Foreign Minister Takeshi Iwaya.
“We live in a world of growing rivalries, climate accidents and threats of war. And there is only one antidote to this challenging world, which is partnerships among friends,” Borrell added, announcing the security partnership.

The agreement is the first that the EU has concluded with an Asia Pacific country, the two officials said.
“It is an historical and very timely step given the situation in both of our regions,” Borrell said.

The EU official is in Tokyo as part of an East Asia tour that includes South Korea, where he will also hold a strategic dialogue, underscoring the EU’s increasing engagement with the Asia Pacific region, as China and Russia step up joint military activities and North Korea sends troops to Russia.
Their talks came a day after North Korea test-fired what is believed to be a new type of ICBM-class ballistic missile.

Borrell and Iwaya also shared “grave concern” about Russia’s deepening military cooperation with North Korea, including the North’s troop deployment to Russia and arms transfers between the two countries, according to an EU statement. The two officials reiterated their commitment to supporting Ukraine and condemned Russian aggression.

Japan, under a new security strategy adopted in 2022, has been rapidly accelerating its military buildup through its alliance with the United States, its only treaty ally, and other partners, including Australia, the United Kingdom and a number of European and Asia Pacific countries, to deter an increasingly assertive China.

Tokyo has also significantly eased its voluntary arms export ban, seeking to expand its defence industry and play a greater role globally. Japan is jointly developing a next-generation fighter jet with the UK and Italy.

The text of the EU-Japan Security and Defence Partnership said they would promote “concrete naval cooperation” including through activities such as joint exercises and port calls, which could also include “mutually designated third countries”.

It also said the EU and Japan would discuss “the development of respective defence initiatives including exchange of information on defence industry-related matters”.
Earlier on Friday, Borrell met Japanese Defence Minister Gen Nakatani and shared the view that security in Europe and the Asia Pacific is interconnected as they agreed to deepen defence cooperation, Japan’s Ministry of Defence said in a statement.

The two officials expressed grave concern about North Korea’s missile development programme and its growing military cooperation with Russia, saying they are significant challenges for the international community.
“We reaffirmed the need for strengthened EU-Japan cooperation in security and defence, including on maritime security, cyber and hybrid threats amid growing regional and global security challenges,” Borrell said on the social media platform X.

Quote:Taken from: https://www.aljazeera.com/news/2024/11/1...source=rss

Lancet release yearly Countdown report raising alarm of increase in heat caused death

Wed, 30 Oct 2024 12:06:41 +0000

Tuesday Lancent released the 2024 Lancet Countdown report updating on environmental issues status, and their impact on health, this year. On Wednesday Lancent had an online launch event for the report.

122 people including advisors from World Health Organization, agencies of United Nations, and academic institutions contributed to the report. The report was on a global scale rather than a specific region such as Europe.

Among other conclusions, the authors noted heat caused deaths increasing rapidly and requiring urgent attention. The report noted an average person was exposed to 50 more days of dangerous temperatures this year compared with 2023. Other factors affecting health included extreme weather events, such as heat waves and floods, dust storms.

For instance, heat related sleep loss increased worldwide except three regions -- north-west of Australia, a region in Brazil, and a region near the Great Lakes in the United States.

The report included notes that less than 35% of countries were capable of assessing early symptoms of heat caused health issues, and less than 10% for mental issues pertaining to increased temperatures. The authors wrote this limited the resources available for prevention and for planning emergency response if needed.

Additionally, in the report, the authors noted the fossil fuel industry was continuing to setup new mining sites, a concerning trend in light of ready availability and necessity to adopt renewable energy sources.
The report included a summary of 15 parameters. The analysts wrote that in 2023, the planet was already 1.45 C warmer than pre-industrial levels, and was on track to reach 2.7 C heating by 2100.

The authors called for urgent action to reverse the effects of climate change and pollution to reduce their impact in the future, and for improvements to risk assessment and management of associated health and wellbeing issues.

Quote:Taken from: https://en.wikinews.org/wiki/Lancet_rele...sed_deaths

Trump claims ‘nobody loves Puerto Rican community more than I do’

Wed, 30 Oct 2024 06:45:14 +0000

Yeah, is that somekind of a joke? : - P

Why is Trump's face so orange? xD

Ex-president’s comments come after comedian at one of Trump’s recent rallies called Puerto Rico ‘island of garbage’

Donald Trump praised Puerto Ricans on Tuesday during a Pennsylvania rally, days after a comedian made a racist joke and referred to Puerto Rico as a “floating island of garbage” at one of his rallies.
“Nobody loves our Latino community and our Puerto Rican community more than I do,” the former president said a little over an hour into a rally in Allentown, in the Lehigh Valley, which has a sizable Latino population.
More than 68,000 people – over half of the total population – in Allentown are Hispanic or Latino, according to US census data. A few blocks from the rally, a home had a Puerto Rican flag posted on the door.
He also claimed that he had done a lot for Puerto Rico as president. Trump drew ridicule for tossing paper towels into a crowd on the island after it was ravaged by a hurricane; blocked hurricane aid; and mused about selling the island.

He also again praised the rally at Madison Square Garden, saying “the love was unbelievable” and told a rambling story about watching a SpaceX rocket that lasted longer than his discussion of Puerto Ricans.
Many of the speakers on Tuesday, including the Puerto Rican official Zoraida Buxó, emphasized their Puerto Rican heritage, signaling the campaign’s effort to win Puerto Rican voters in Pennsylvania, the key battleground state in this election, where polls show a tight race.

“We won’t get rattled, we won’t yield to ignorance, foolishness, or irrational thoughtlessness,” she said.
Senator Marco Rubio, another speaker at the rally, also joined Trump onstage during the former presidents remarks to share with the crowd comments from Joe Biden Tuesday in which the president condemned the remarks about Puerto Ricans and said: “The only garbage I see floating out there is his supporter’s – his – his demonization of Latinos is unconscionable, and it’s un-American”, according to a White House transcript. After

Republicans circulated a clip of the statement, calling it an attack on Trump supporters, Biden put out a statement saying he meant to refer to the comedian who made the joke.
A small protest arrived outside the arena just before the rally began on Tuesday. Some of the protesters were carrying signs that said Latinos for Harris-Walz, while others wore the Puerto Rican flag.

One of the people marching was Luis Gonzalez, a retired 65-year-old truck driver from Allentown. He wore a sweater with the Puerto Rican flag stitched on it.
“
The guy has no idea what he’s talking about,” he said. “I was born in Puerto Rico. That island as well as all the other islands around it are beautiful.
“For anybody to say that it’s a garbage island – they’ve never been to the Caribbean.”

But inside the rally, few people thought the fallout from the comment would have much effect on Trump. Some had not heard it.

“It was made in poor taste, I have to admit. But Donald Trump is Donald Trump, ” said Mark Melendez, 55, who is Puerto Rican and traveled to the rally from New Jersey. “I don’t think it will affect him; it might.”
At least one audience member was holding a sign that said “Boricuas for Trump”, using a term that describes people of Puerto Rican descent.

Jackie Beller, 60, who lives near Allentown, thought the joke was funny.
“If you take a comedian out of context and you look at it as a serious thing, yes, you would be offended,” Beller said.
“It’s all a joke – I’ve spoken to some Puerto Rican people and they weren’t offended, so I don’t know,” said Mary Mendez, 65, a retired paramedic from New York.

Trump’s speech kicking off the final week of the presidential race mixed personal attacks, grievance, anti-immigrant rhetoric and a smattering of policies. He accused Democrats of having already cheated, misrepresenting an ongoing investigation in Lancaster county in an example of how he is priming his supporters to challenge the election results if he loses.

His remarks were less an appeal to undecided voters than a full-throated appeal to his base, pledging that he would be able to fix all of the US’s ills.

“This is gonna be a very special time. It’s going to be America’s new golden age. Every problem facing us can be solved,” he said.

As Kamala Harris made her closing argument in Washington and called Trump “unstable” and “obsessed with revenge”, Trump called Harris a “low-IQ individual” and mused about getting retribution against Michelle Obama for criticizing him on the campaign trial.
“Michelle Obama was very nasty,” he said. “I’ve gone out of my way to be nice to Michelle. Haven’t said a damn thing about her. She hit me.”

Quote: Taken from: https://www.theguardian.com/us-news/2024...nnsylvania

Trump supporters are ‘garbage’ – Biden

Wed, 30 Oct 2024 06:25:23 +0000

The US president has argued that the rhetoric of the fans of the Republican candidate was “un-American”

The supporters of Republican presidential candidate Donald Trump are “garbage,” outgoing US President Joe Biden said on Tuesday. He later claimed that he misspoke and meant to condemn a specific speaker at Trump’s recent Madison Square Garden rally.

Biden made his comments during a Zoom call organized by the Hispanic advocacy group Voto Latino. He began by bringing up comedian Tony Hinchcliffe who made a joke on Sunday comparing Puerto Rico to “a floating island of garbage in the middle of the ocean.”

“Just the other day, a speaker at [the Trump] rally called Puerto Rico a floating island of garbage,” Biden said, adding that Puerto Ricans are “good, decent honorable people.”
“The only garbage I see floating out there is his supporters. His demonization of Latinos is unconscionable, and it’s un-American,” Biden stressed. “It’s totally contrary to everything we’ve done, everything we’ve been.”

The president went on to accuse Trump of trying to “divide the country based on race,” and insisted that the Democratic candidate, Vice President Kamala Harris, “will be a president for all of America.”
Biden later took to X to clarify that he had “referred to the hateful rhetoric about Puerto Rico spewed by Trump’s supporter at his Madison Square Garden rally as garbage.”
“That’s all I meant to say. The comments at that rally don’t reflect who we are as a nation,” Biden wrote.

The president’s remarks were quickly condemned by Trump’s allies. “He’s talking about everyday Americans who love their country,” Republican Senator Marco Rubio said, urging the Biden campaign to apologize. “We are not garbage, we are patriots who love America,” Rubio said during a Trump rally in Allentown, Pennsylvania.
Hinchcliffe himself had accused Democrats of overreacting to his set at the Madison Square Garden event.

“These people have no sense of humor,” he wrote on X on Sunday, claiming that the Harris team had taken the joke out of context “to make it seem racist.”

Both Democrats and Republicans have frequently accused each other of hateful rhetoric and demonization. Some conservatives have drawn a parallel between Biden’s ‘garbage’ comment and that of Hillary Clinton, who described Trump supporters in 2016 as a “basket of deplorables.” Trump himself has been recently criticized for labeling his opponents an “enemy from within.”

Quote:Taken from: https://www.rt.com/news/606713-biden-cal...mpaign=RSS

Council destroys missing tenant’s belongings after banning his family from flat

Fri, 25 Oct 2024 05:55:50 +0000

Damn... :P Stupid council! ^^

East Riding council promised to store Robert Bracewell’s possessions after his disappearance, but disposed of them

A council destroyed the belongings of a tenant who went missing, after banning his family from entering his flat.
Robert Bracegirdle, 75, disappeared from his home in Goole in 2020 after struggling with mental health issues. A police search failed to find him and a coroner later ruled that he had died by drowning in the nearby River Ouse.

His next of kin were forbidden access to his flat by East Riding council which promised to store his possessions until he was officially declared dead. However, when an inquest was held two years after his disappearance, the family discovered that the contents of his flat had been disposed of.

“The council told us that we were not allowed to enter the flat and remove any items because my uncle could not give permission,” said his niece, Charlotte Bracegirdle.

“It said that once it had repossessed the property through the courts, it would take a full inventory of the contents and put them into storage until an inquest. My mum contacted them when an inquest date was set and received a two-line email, which didn’t even address her by name, stating that the contents had been disposed of as is ‘standard procedure’ when a property has stood empty for a long period. We suspect some of the more high-value items may have been sold.”

The family, who live in London and did not have a key to the flat, say that the council has refused to tell them what happened to the items, which included family heirlooms and sensitive documents.
Bracegirdle’s niece Charlotte said personal items were destroyed that were important to the family, including a games table that Robert and his siblings had initialled and given to their father when he retired.

“This was one item I so wanted to cherish, along with a tapestry made by my grandmother and five paintings I’d given him. The police were not allowed to give us his phone and iPad until a death certificate had been issued following the inquest, so we don’t know how the council was able to throw all his belongings.”

The Guardian recently reported on daughters of a deceased council tenant who were barred from his flat and told the contents may be disposed of.

According to the probate expert Giles Peaker, partner of Anthony Gold Solicitors, relatives of council tenants who die without having made a will usually have to wait for a grant of probate before they can enter a property. However, in Bracegirdle’s case, probate could not be applied for until he was officially declared dead two years later, by which time his property had been disposed of.

“Under the Tort (Interference with Goods) Act 1977 the council would have to keep the deceased tenant’s belongings secure and serve a notice on the administrator, executor and/or on the public trustee requiring collection of the belongings before disposing of them. It appears that something has gone very wrong here,” Peaker said.

East Riding council declined to respond to questions about when and how Bracegirdle’s belongings were disposed of.
It said in a statement: “The council offers our deepest condolences, and regrets that the council’s actions caused distress at a difficult time for Mr Bracegirdle’s family. We acknowledge, now and at the time, that matters should have been dealt in a more sympathetic way. In response to the concerns that the family members have raised, we have changed our processes to ensure that similar cases are managed in a more sensitive way. This case is currently being dealt with by our insurers so we cannot comment in more detail at this time.”
Bracegirdle’s sister, Christina Bracegirlde, said she had not received an apology and had to contact the council repeatedly for answers that never came.

“Their curt responses have shown no understanding of our loss and have added to the grief of a family whose much-loved brother and uncle probably took his own life,” she said. “They have stolen memories from us as if my brother was of no value.”

Quote:Original article at: https://www.theguardian.com/uk-news/2024...-from-flat

Sabotage: Code added to popular NPM package wiped files in Russia and Belarus

Thu, 24 Oct 2024 08:24:28 +0000

Old news again, but... Mar 18, 2022 2:31 pm

When code with millions of downloads nukes user files, bad things can happen.

A developer has been caught adding malicious code to a popular open-source package that wiped files on computers located in Russia and Belarus as part of a protest that has enraged many users and raised concerns about the safety of free and open source software.

The application, node-ipc, adds remote interprocess communication and neural networking capabilities to other open source code libraries. As a dependency, node-ipc is automatically downloaded and incorporated into other libraries, including ones like Vue.js CLI, which has more than 1 million weekly downloads.
A deliberate and dangerous act

Two weeks ago, the node-ipc author pushed a new version of the library that sabotaged computers in Russia and Belarus, the countries invading Ukraine and providing support for the invasion, respectively. The new release added a function that checked the IP address of developers who used the node-ipc in their own projects. When an IP address geolocated to either Russia or Belarus, the new version wiped files from the machine and replaced them with a heart emoji.

To conceal the malice, node-ipc author Brandon Nozaki Miller base-64-encoded the changes to make things harder for users who wanted to visually inspect them to check for problems.
This is what those developers saw:

Code:
    +      const n2 = Buffer.from("Li8=", "base64");

    +      const o2 = Buffer.from("Li4v", "base64");

    +      const r = Buffer.from("Li4vLi4v", "base64");

    +      const f = Buffer.from("Lw==", "base64");

    +      const c = Buffer.from("Y291bnRyeV9uYW1l", "base64");

    +      const e = Buffer.from("cnVzc2lh", "base64");

    +      const i = Buffer.from("YmVsYXJ1cw==", "base64");

These lines were then passed to the timer function, such as:

Code:
+          h(n2.toString("utf8"));

The values for the Base64 strings were:

Code:
[list]

[*]n2 is set to: ./

[*]o2 is set to: ../

[*]r is set to: ../../

[*]f is set to: /

[*]

[/list]

When passed to the timer function, the lines were then used as inputs to wipe files and replace them with the heart emoji.

Code:
+      try {

+        import_fs3.default.writeFile(i, c.toString("utf8"), function() {

+        });

“At this point, a very clear abuse and a critical supply chain security incident will occur for any system on which this npm package will be called upon, if that matches a geolocation of either Russia or Belarus,” wrote Liran Tal, a researcher at Snyk, a security company that tracked the changes and published its findings on Wednesday.

Tal found that the node-ipc author maintains 40 other libraries, with some or all of them also being dependencies for other open source packages. Referring to the node-ipc author’s handle, Tal questioned the wisdom of the protest and its likely fallout for the open source ecosystem as a whole.
“Even if the deliberate and dangerous act of maintainer RIAEvangelist will be perceived by some as a legitimate act of protest, how does that reflect on the maintainer’s future reputation and stake in the developer community?" Tal wrote. "Would this maintainer ever be trusted again to not follow up on future acts in such or even more aggressive actions for any projects they participate in?”
RIAEvangelist also came under fire on Twitter and in open source forums.
"This is like Tesla intentionally putting in code to detect certain drivers and if they vaguely match the description then to auto drive them into the nearest phone pole and hoping it only punishes particular drivers," one person wrote. A different person added: "What if the deleted files are actually mission critical that can kxll others?

Protestware comes of age
The node-ipc update is just one example of what some researchers are calling protestware. Experts have begun tracking other open source projects that are also releasing updates calling out the brutality of Russia’s war. This spreadsheet lists 21 separate packages that are affected.
One such package is es5-ext, which provides code for the ECMAScript 6 scripting language specification. A new dependency named postinstall.js, which the developer added on March 7, checks to see if the user’s computer has a Russian IP address, in which case the code broadcasts a “call for peace.”

“The people of Ukraine are fully mobilized and ready to defend their country from the enemy invasion,” the message translated into English read in part. “91% of Ukrainians fully support their President Volodymyr Zelensky and his response to the Russian attack.” Here’s a snippet of the code:

The protestware event exposes some of the risks posed when armies of volunteer developers produce the code that’s crucial for hundreds or thousands of other applications to run. Some open source software automatically downloads and incorporates new dependency versions, and even for those that don't, the vast amount of code often makes manual reviews infeasible. That means an update from a single individual has the potential to throw a wrench in an untold number of downstream applications.

This risk was on full display in January, when the developer of two JavaScript libraries with more than 22 million downloads pushed an update that caused more than 21,000 dependent apps to spew gibberish, prefaced by the words “Liberty Liberty Liberty.” An infinite loop produced by the update sent developers scrambling as they attempted to fix their malfunctioning apps.

The disk-wiping function was added to node-ipc versions 10.1.1 and 10.1.2. Following the outcry over the wiper, the developer released updates that removed the malicious function. Snyk recommends that developers stop using the package altogether. If that’s not possible, the company advises the use of an npm package manager to override the sabotaged versions and pin a known good version.
“Snyk stands with Ukraine, and we’ve proactively acted to support the Ukrainian people during the ongoing crisis with donations and free service to developers worldwide, as well as taking action to cease business in Russia and Belarus,” Tal wrote. “That said, intentional abuse such as this undermines the global open source community and requires us to flag impacted versions of node-ipc as security vulnerabilities.”

What we know about the xz Utils backdoor that almost infected the world

Thu, 24 Oct 2024 07:58:32 +0000

Quote:Malicious updates made to a ubiquitous tool were a few weeks away from going mainstream

On Friday, a lone Microsoft developer rocked the world when he revealed a backdoor had been intentionally planted in xz Utils, an open source data compression utility available on almost all installations of Linux and other Unix-like operating systems.
The person or people behind this project likely spent years on it. They were likely very close to seeing the backdoor update merged into Debian and Red Hat, the two biggest distributions of Linux, when an eagle-eyed software developer spotted something fishy.

"This might be the best executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, competent, authorized upstream in a widely used library," software and cryptography engineer Filippo Valsorda said of the effort, which came frightfully close to succeeding.
Researchers have spent the weekend gathering clues. Here's what we know so far.

What is xz Utils?
xz Utils is nearly ubiquitous in Linux. It provides lossless data compression on virtually all Unix-like operating systems, including Linux. xz Utils provides critical functions for compressing and decompressing data during all kinds of operations. xz Utils also supports the legacy .lzma format, making this component even more crucial.

What happened?
Andres Freund, a developer and engineer working on Microsoft’s PostgreSQL offerings, was recently troubleshooting performance problems a Debian system was experiencing with SSH, the most widely used protocol for remotely logging in to devices over the Internet. Specifically, SSH logins were consuming too many CPU cycles and were generating errors with valgrind, a utility for monitoring computer memory.
Through sheer luck and Freund’s careful eye, he eventually discovered the problems were the result of updates that had been made to xz Utils. On Friday, Freund took to the Open Source Security List to disclose the updates were the result of someone intentionally planting a backdoor in the compression software.

It's hard to overstate the complexity of the social engineering and the inner workings of the backdoor. Thomas Roccia, a researcher at Microsoft, published a graphic on Mastodon that helps visualize the sprawling extent of the nearly successful endeavor to spread a backdoor with a reach that would have dwarfed the SolarWinds event from 2020.

What does the backdoor do?
Malicious code added to xz Utils versions 5.6.0 and 5.6.1 modified the way the software functions. The backdoor manipulated sshd, the executable file used to make remote SSH connections. Anyone in possession of a predetermined encryption key could stash any code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device. No one has actually seen code uploaded, so it's not known what code the attacker planned to run. In theory, the code could allow for just about anything, including stealing encryption keys or installing malware.

Wait, how can a compression utility manipulate a process as security sensitive as SSH?
Any library can tamper with the inner workings of any executable it is linked against. Often, the developer of the executable will establish a link to a library that's needed for it to work properly. OpenSSH, the most popular sshd implementation, doesn’t link the liblzma library, but Debian and many other Linux distributions add a patch to link sshd to systemd, a program that loads a variety of services during the system bootup. Systemd, in turn, links to liblzma, and this allows xz Utils to exert control over sshd.

How did this backdoor come to be?
It would appear that this backdoor was years in the making. In 2021, someone with the username JiaT75 made their first known commit to an open source project. In retrospect, the change to the libarchive project is suspicious, because it replaced the safe_fprint funcion with a variant that has long been recognized as less secure. No one noticed at the time.
The following year, JiaT75 submitted a patch over the xz Utils mailing list, and, almost immediately, a never-before-seen participant named Jigar Kumar joined the discussion and argued that Lasse Collin, the longtime maintainer of xz Utils, hadn’t been updating the software often or fast enough. Kumar, with the support of Dennis Ens and several other people who had never had a presence on the list, pressured Collin to bring on an additional developer to maintain the project.

In January 2023, JiaT75 made their first commit to xz Utils. In the months following, JiaT75, who used the name Jia Tan, became increasingly involved in xz Utils affairs. For instance, Tan replaced Collins' contact information with their own on oss-fuzz, a project that scans open source software for vulnerabilities that can be exploited. Tan also requested that oss-fuzz disable the ifunc function during testing, a change that prevented it from detecting the malicious changes Tan would soon make to xz Utils.
In February of this year, Tan issued commits for versions 5.6.0 and 5.6.1 of xz Utils. The updates implemented the backdoor. In the following weeks, Tan or others appealed to developers of Ubuntu, Red Hat, and Debian to merge the updates into their OSes. Eventually, one of the two updates made its way into the following releases, according to security firm Tenable:

Fedora Rawhide
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Fedora Rawhide is the development distribution of Fedora Linux
Fedora 41
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Debian testing, unstable and experimental distributions versions 5.5.1alpha-0.1 to 5.6.1-1.
https://lists.debian.org/debian-security-announce/2024/msg00057.html

openSUSE Tumbleweed and openSUSE MicroOS
https://news.opensuse.org/2024/03/29/xz-backdoor/
Backdoored version of xz was included in Tumbleweed and MicroOS between March 7 and March 28
Kali Linux
https://www.kali.org/blog/about-the-xz-backdoor/
Backdoored version of xz was included in Kali Linux (xz-utils 5.6.0-0.2) between March 26 and March 28

There’s more about Tan and the timeline here.

Can you say more about what this backdoor does?
In a nutshell, it allows someone with the right private key to hijack sshd, the executable file responsible for making SSH connections, and from there to execute malicious commands. The backdoor is implemented through a five-stage loader that uses a series of simple but clever techniques to hide itself. It also provides the means for new payloads to be delivered without major changes being required.
Multiple people who have reverse-engineered the updates have much more to say about the backdoor.
Developer Sam James provided this overview:
This backdoor has several components. At a high level:
The release tarballs upstream publishes don't have the same code that GitHub has. This is common in C projects so that downstream consumers don't need to remember how to run autotools and autoconf. The version of build-to-host.m4 in the release tarballs differs wildly from the upstream on GitHub.

There are crafted test files in the tests/ folder within the git repository too. These files are in the following commits:
tests/files/bad-3-corrupt_lzma2.xz (cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0, 74b138d2a6529f2c07729d7c77b1725a8e8b16f1)

tests/files/good-large_compressed.lzma (cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0, 74b138d2a6529f2c07729d7c77b1725a8e8b16f1)

A script called by build-to-host.m4 unpacks this malicious test data and uses it to modify the build process.

IFUNC, a mechanism in glibc that allows for indirect function calls, is used to perform runtime hooking/redirection of OpenSSH's authentication routines. IFUNC is a tool that is normally used for legitimate things, but in this case it is exploited for this attack path.

Normally, upstream publishes release tarballs that are different than the automatically generated ones in GitHub. In these modified tarballs, a malicious version of build-to-host.m4 is included to execute a script during the build process.
This script (at least in versions 5.6.0 and 5.6.1) checks for various conditions like the architecture of the machine. Here is a snippet of the malicious script that gets unpacked by build-to-host.m4 and an explanation of what it does:
if ! (echo "$build" | grep -Eq "^x86_64" > /dev/null 2>&1) && (echo "$build" | grep -Eq "linux-gnu$" > /dev/null 2>&1);then
If amd64/x86_64 is the target of the build

And if the target uses the name linux-gnu (mostly checks for the use of glibc)

It also checks for the toolchain being used:
if test "x$GCC" != 'xyes' > /dev/null 2>&1;then
exit 0
fi
if test "x$CC" != 'xgcc' > /dev/null 2>&1;then
exit 0
fi
LDv=$LD" -v"
if ! $LDv 2>&1 | grep -qs 'GNU ld' > /dev/null 2>&1;then
exit 0
And if you are trying to build a Debian or Red Hat package:
if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then
This attack thusly seems to be targeted at amd64 systems running glibc using either Debian or Red Hat derived distributions. Other systems may be vulnerable at this time, but we don't know.
In an online interview, developer and reverse-engineer HD Moore confirmed the Sam James suspicion that the backdoor targeted either Debian or Red Hat distributions.

“The attack was sneaky in that it only did the final steps of the backdoor if you were building the library on amd64 (intel x86 64-bit) and were building a Debian or a RPM package (instead of using it for a local installation),” he wrote.
Paraphrasing observations from researchers who collectively spent the weekend analyzing the malicious updates, he continued:
When verifying an SSH public key, if the public key matches a certain fingerprint function, the key contents are decrypted using a pre-shared key before the public key is actually verified. The decrypted contents are then passed directly to system.
If the fingerprint doesn't match or the decrypted contents don't match a certain format, it falls back to regular key verification and no-one's the wiser.
The backdoor is super sneaky. It uses a little-known feature of the glibc to hook a function. It only triggers when the backdoored xz library gets loaded by a /usr/bin/sshd process on one of the affected distributions. There may be many other backdoors, but the one everyone is talking about uses the function indirection stuff to add the hook. The payload was encoded into fake xz test files and runs as a shellcode effectively, changing the SSH RSA key verification code so that a magic public key (sent during normal authentication) let the attacker gain access
Their grand scheme was:
1) sneakily backdoor the release tarballs, but not the source code
2) use sockpuppet accounts to convince the various Linux distributions to pull the latest version and package it
3) once those distributions shipped it, they could take over any downstream user/company system/etc
Researchers from networking firm Akamai also explain well how the backdoor works:
The backdoor is quite complex. For starters, you won’t find it in the xz GitHub repository (which is currently disabled, but that’s besides the point). In what seems like an attempt to avoid detection, instead of pushing parts of the backdoor to the public git repository, the malicious maintainer only included it in source code tarball releases. This caused parts of the backdoor to remain relatively hidden, while still being used during the build process of dependent projects.
The backdoor is composed of many parts introduced over multiple commits:
Using IFUNCs in the build process, which will be used to hijack the symbol resolve functions by the malware

Including an obfuscated shared object hidden in test files

Running a script set during the build process of the library that extracts the shared object (not included in the repository, only in releases, but added to .gitignore)

Disabling landlocking, which is a security feature to restrict process privileges

The execution chain also consists of multiple stages:
The malicious script build-to-host.m4 is run during the library’s build process and decodes the “test” file bad-3-corrupt_lzma2.xz into a bash script

The bash script then performs a more complicated decode process on another “test” file, good-large_compressed.lzma, decoding it into another script

That script then extracts a shared object liblzma_la-crc64-fast.o, which is added to the compilation process of liblzma

This process is admittedly hard to follow. We recommend Thomas Roccia’s infographic for a great visual reference and in-depth analysis.
The shared object itself is compiled into liblzma, and replaces the regular function name resolution process. During (any) process loading, function names are resolved into actual pointers to the process memory, pointing at the binary code. The malicious library interferes with the function resolving process, so it could replace the function pointer for the OpenSSH function RSA_public_decrypt (Figure 1).
It then points that function to a malicious one of its own, which according to research published by Filippo Valsorda, extracts a command from the authenticating client’s certificate (after verifying that it is the threat actor) and passes it on to the system() function for execution, thereby achieving RCE prior to authentication.

What more do we know about Jia Tan?

At the moment, extremely little, especially for someone entrusted to steward a piece of software as ubiquitous and as sensitive as xz Utils. This developer persona has touched dozens of other pieces of open source software in the past few years. At the moment, it’s unknown if there was ever a real-world person behind this username or if Jia Tan is a completely fabricated individual.
Additional technical analysis is available from the above Bluesky thread from Valsorda, researcher Kevin Beaumont, and Freund’s Friday disclosure.

Is there a CVE tracking designation?
Yes, it's CVE-2024-3094.

How do I know if the backdoor is present on my device?
There are several ways. One is this page from security firm Binarly. The tool detects implementation of IFUNC and is based on behavioral analysis. It can automatically detect invariants in the event a similar backdoor is implanted elsewhere.
There's also a project called xzbot. It provides the following:
honeypot: fake vulnerable server to detect exploit attempts

ed448 patch: patch liblzma.so to use our own ED448 public key

backdoor format: format of the backdoor payload

backdoor demo: cli to trigger the RCE assuming knowledge of the ED448 private key

Source: https://arstechnica.com/security/2024/04...the-world/

Over 6,000 WordPress hacked to install plugins pushing infostealers

Wed, 23 Oct 2024 09:52:03 +0000

Quote:WordPress sites are being hacked to install malicious plugins that display fake software updates and errors to push information-stealing malware.
Over the past couple of years, information-stealing malware has become a scourge to security defenders worldwide as stolen credentials are used to breach networks and steal data.
Since 2023, a malicious campaign called ClearFake has been used to display fake web browser update banners on compromised websites that distribute information-stealing malware.
In 2024, a new campaign called ClickFix was introduced that shares many similarities with ClearFake but instead pretends to be software error messages with included fixes. However, these "fixes" are PowerShell scripts that, when executed, will download and install information-stealing malware.

ClickFix campaigns have become increasingly common this year, with threat actors compromising sites to display banners showing fake errors for Google Chrome, Google Meet conferences, Facebook, and even captcha pages.
Malicious WordPress plugins
Last week, GoDaddy reported that the ClearFake/ClickFix threat actors have breached over 6,000 WordPress sites to install malicious plugins that display the fake alerts associated with these campaigns.
"The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins," explains GoDaddy security researcher Denis Sinegubko.
"These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users."
The malicious plugins utilize names similar to legitimate plugins, such as Wordfense Security and LiteSpeed Cache, while others use generic, made-up names.
The list of malicious plugins seen in this campaign between June and September 2024 are:

LiteSpeed Cache Classic Custom CSS Injector MonsterInsights Classic Custom Footer Generator Wordfence Security Classic Custom Login Styler Search Rank Enhancer Dynamic Sidebar Manager SEO Booster Pro Easy Themes Manager Google SEO Enhancer Form Builder Pro Rank Booster Pro Quick Cache Cleaner Admin Bar Customizer Responsive Menu Builder Advanced User Manager SEO Optimizer Pro Advanced Widget Manage
Simple Post Enhancer Content Blocker Social Media Integrator

Website security firm Sucuri also noted that a fake plugin named "Universal Popup Plugin" is also part of this campaign.
When installed, the malicious plugin will hook various WordPress actions depending on the variant to inject a malicious JavaScript script into the HTML of the site.

Code:

When loaded, this script will attempt to load a further malicious JavaScript file stored in a Binance Smart Chain (BSC) smart contract, which then loads the ClearFake or ClickFix script to display the fake banners.

From web server access logs analyzed by Sinegubko, the threat actors appear to be utilizing stolen admin credentials to log into the WordPress site and install the plugin in an automated manner.
As you can see from the image below, the threat actors log in via a single POST HTTP request rather than first visiting the site's login page. This indicates that it is being done in an automated manner after the credentials have been already obtained.
Once the threat actor logs in, they upload and install the malicious plugin.

While it is unclear how the threat actors are obtaining the credentials, the researcher notes it could be through previous brute force attacks, phishing, and information-stealing malware.
If you are a WordPress operation and are receiving reports of fake alerts being displayed to visitors, you should immediately examine the list of installed plugins, and remove any that you did not install yourself.
If you find unknown plugins, you should also immediately reset the passwords for any admin users to a unique password only used at your site.

https://www.bleepingcomputer.com/news/se...ostealers/

Several Linux Kernel Driver Maintainers Removed Due To Their Association To Russia

Wed, 23 Oct 2024 07:37:16 +0000

Quote:Quietly merged into this week's Linux 6.12-rc4 kernel was a patch that removes a number of kernel maintainers from being noted in the official MAINTAINERS file that recognizes all of the driver and subsystem maintainers.

Sent out last week by Linux's second-in-command Greg Kroah-Hartman was the patch dropping a dozen maintainers from the kernel. Greg simply commented in there:
"Remove some entries due to various compliance requirements. They can come back in the future if sufficient documentation is provided."

This includes the maintainer of the Acer Aspire 1 EC driver, Cirrus Logic CLPS711X ARM architecture, Baikal-T1 PVT hardware monitor driver, Libata PATA drivers, libata SATA AHCI Synopsys DWC controller drivers, ASCOT2E media drivers, MIPS Baikal-T1 platform driver, NTB IDT driver, PPTP driver, Renesas R-Car SATA driver, Renesas Super-H Ethernet Driver, and the UFS file-system. Just the maintainer entries are being removed and not the actual drivers themselves.

The commonality of all these maintainers being dropped? They appear to all be Russian or associated with Russia. Most of them with .ru email addresses.

In response on the Linux kernel mailing list it was asked by others what are the "compliance requirements" and "sufficient documentation" needed... So far there isn't any public comment by Greg Kroah-Hartman. Presumably this is due to sanctions on Russia involving the war in Ukraine.

This is just dropping Russian maintainers from the kernel but isn't clear if patches from them will be accepted moving forward. Similarly, the driver code remains within the kernel -- including for Russian hardware such as around the Baikal CPUs from Russia's Baikal Electronics. So right now it appears to be little more than just not officially recognizing any formal kernel maintainers that are Russian.

A Christian town in Lebanon is now a scene

Tue, 22 Oct 2024 17:23:31 +0000

IsraHELL GENOCIDERS! :P

Quote:Once thought a haven from Israeli strikes, a Christian town in Lebanon is now a scene of carnage
Pervading everything was the overwhelming stench of rotting flesh mixed with concrete dust at the scene where 23 people including two children were killed, according to local officials.
A dead baby inside a destroyed pickup truck; a child’s severed arm buried in nearby rubble; toddler clothing and books shredded; flies swarming as officials collected body parts, some too small for body bags ending up in clear ziplock bags.

Pervading everything, the overwhelming stench of rotting flesh mixed with concrete dust at the scene where 23 people including two children were killed, according to local officials.
This was the aftermath of an airstrike Monday on the Lebanese Christian village of Aitou that Israel said had targeted a position held by Hezbollah, the Lebanese militant group.
Until then, this region of hilly olive groves and winding, sea-view roads had been a relative haven, one that felt far away from the war dominating Beirut and the country’s south.
Just last week, the area “was calm; everything was quiet,” Illy Edwan told NBC News as he surveyed the wreckage of his villa, which was reduced to rubble in the blast, its insulation and inner structure ripped to pieces, an adjacent vehicle twisted open like a burnt pretzel.
“My house used to be three-story, but look at it today,” he added.
Surrounding homes had glass and twisted metal strewn across their patios. Some nearby olive trees, laden with fruit ahead of the upcoming harvest, were also destroyed, their green leaves covered in gray soot from the explosion.
Hezbollah doesn’t usually have a presence here. But Edwan, who was not at home at the time of the bombing, said an official from the group had been visiting houses donating money to displaced people, some of whom had fled from southern Lebanon to escape the Israeli invasion, and asking about their concerns.
The Israel Defense Forces said in a statement that it had struck “a target belonging to the Hezbollah terrorist organization in northern Lebanon,” and that the reports of civilian casualties were “under review” and “being examined.”

https://www.nbcnews.com/news/world/thoug...rcna175876

More than 1m salmon die at the farms belonging to the largest UK supplier's

Tue, 22 Oct 2024 05:28:48 +0000

Wow poor salmon, poor animals

Quote:More than 1m farmed salmon die at supplier to leading UK retailers

Mowi Scotland, which supplies Tesco, Asda and Sainsbury’s, blames a rise in sea temperatures for the deaths, while campaigners say expanding farms will make things worse

More than a million dead fish, the biggest mass die-off of farmed salmon in Scotland in a decade, have been recorded at a farm belonging to the UK’s largest supplier.

The deaths at two adjacent Mowi Scotland sites in Loch Seaforth on the Outer Hebrides – licensed as one farm by the Scottish government – rose to just over a million during the year-and-a-half production cycle that it usually takes to raise a salmon in seawater, and which in this case began in spring 2023. Mowi supplies salmon to retailers including Sainsbury’s, Tesco, Asda and Ocado. Many of its farms, including those in the Hebrides, are certified under the RSPCA Assured label, which guarantees higher animal welfare standards.

The data, analysed from government statistics by Scotland’s Coastal Communities Network (CCN), which exists to protect Scotland’s coastal and marine environments, and NGO Free Salmon, is “deeply concerning”, said John Aitchison, speaking on behalf of CCN’s 30 member groups. Mass deaths of farmed salmon are a growing problem, he said, and can in some cases be an indicator of poor welfare.

At the end of last year, when mortality in Scotland’s farms hit record levels, Chris Packham called for a halt to the expansion of the Scottish salmon farming industry. Despite this, salmon remains the UK’s second most popular fish (after tuna), with sales in the year to June worth £1.3bn.

“This is the first time since 2014 [when regular reporting began] that more than a million farmed salmon deaths have been reported at a single farm site in one production cycle,” said Aitchison. “We expect to see more salmon deaths in Scotland because farms are becoming even larger.”

Meanwhile, activist group Animal Rising filmed salmon at Seaforth during the same production cycle in which the million deaths occurred, with the video appearing to show sick fish with patches of raw, descaled flesh, scraped mouths and swollen or burst eyeballs.

Mowi Scotland confirmed the death total of 1.05 million fish, which it said was a combined figure for two sites, Seaforth and Noster.

Ben Hadfield, Mowi Scotland’s chief operating officer, rejected any suggestions mass mortality is a sign of poor welfare and said the deaths were due to an unprecedented rise in sea temperatures which resulted in jellyfish blooms, a problem blighting Scottish production. Jellyfish stings to salmons’ eyes, skin and gills risk health problems and death. “[Any] suggestion that this is caused by bad farming, fixation with profits [or] overstocking is … very false and misleading,” Hadfield said.

Salmon mortality at Mowi Scotland has fallen by two-thirds this year due to normalisation of temperatures, the company said.

Of the Animal Rising footage, Hadfield said it was selective. “What the video shows is fish with eye damage after, you would think, jellyfish stings or wounds that are healing after jellyfish blooms. It does not show the majority of the population.”

Much of the salmon sold in UK supermarkets comes with the RSPCA Assured label. Last month, the RSPCA suspended three Scottish salmon farming sites from the scheme after the release of covert video footage by an animal rights group that showed alleged breaches of welfare regulations.

‘Unacceptable greenwashing’: Scottish farmed salmon should not be labelled organic, say charities
Read more
An RSPCA Assured spokesperson said it had removed Fiunary salmon farm, owned by Scottish Sea Farms, from the scheme, while Mowi’s Loch Alsh and Bakkafrost’s Ardcastle were sanctioned and are receiving extra, unannounced inspections. After this, Scottish Sea Farms and Bakkafrost told the news website West Coast Today they had taken immediate remedial action at the affected sites, while Mowi said it was carrying out its own internal investigation and that the Loch Alsh site was not currently supplying any of its customers.

In the case of the one million salmon deaths at Mowi’s Loch Seaforth sites, neither the video nor the record deaths have threatened Mowi’s higher welfare label, an RSPCA Assured spokesperson told the Guardian, because jellyfish-linked disease outbreaks and “other waterborne insults” were beyond the supplier’s control.

Why is Ukraine’s army facing a desertion crisis?

Mon, 21 Oct 2024 09:09:18 +0000

Quote:Why is Ukraine’s army facing a desertion crisis?
Thousands of men have abandoned their posts, blaming poor conditions on the front lines and open-ended service.

More Ukrainian soldiers have deserted the army this year than ever since the onset of a war that analysts say has seen both sides make gains and report losses.
Prosecutions for desertion from Ukraine’s army are thought to have hit at least 30,000 – quite possibly much more – already this year. This is several times the number in 2022, the year the war began when citizens and foreigners voluntarily poured into the military to push Russia back.

Those found guilty are given between five and 12 years in prison. However, some defectors say that is a better option than facing what might be an endless, undefined period on the battlefield.
Desertion has become so common that Ukraine’s parliament, the Verkhovna Rada, took the unprecedented step of decriminalising first-time attempts to flee the army on August 20, 2024, as long as those caught agree to return to duty.
Here’s why analysts say more men are leaving the army and why it is not just a problem for Ukraine:

According to the Kyiv Post, it is believed that about 60,000 people have been facing criminal charges for fleeing their posts since the war started. The Ukrainian daily cited documents from the prosecutor general, with almost half of those cases initiated this year.
However, British daily The Times also cited figures from the prosecutor general which, it said, showed some 51,000 criminal cases were initiated for desertion and abandonment of a military unit between January and September of this year. El Pais newspaper cited a closer figure of 45,543 desertions between January and August this year, which it said was data from the Prosecutor General’s Office which had been leaked to the Ukrainian press.
All these figures are much higher than the 22,000 criminal charges filed for the same offence in 2023 and just 9,000 cases in 2022.
It is unclear if those fleeing the army are mostly conscripts, or if some who earlier volunteered are also abandoning their posts. Volunteers who are not Ukrainian are allowed to withdraw from the army after six months of fighting.
However, for Ukrainian conscripts – that is, those mandated to join the fighting by a general mobilisation law that has been in force since March 2022 – conscription is for life. There is no time limit placed on it.
Why are so many soldiers deserting?
Low morale caused by exhaustion is the main reason.
Soldiers complain of having to grind through for days on end under heavy fire without a pause because there is no one to relieve them. Those on the front lines have told the media that they have gone from battle to battle with little rest since Russia’s invasion in 2022.
Troops are allowed to take 10 days off twice a year, but manpower shortages sometimes delay even those vacations. Soldiers and their families are pushing for breaks that range between a month’s vacation and a three-year rotation.
One soldier placed under investigation for desertion – Serhii Hnezdilov, who is also a journalist – told The Times newspaper in the UK: “At least in prison you know when you will be able to leave.” He was arrested after writing about his decision to leave the army on Facebook in protest against conditions in the army.

What condition is the army in?

It is not clear how many men Ukraine has lost in the war, but analysts say they might be in the tens of thousands. Western estimates put it at 80,000 soldiers.
Experts say the rising number of desertion cases comes as Ukraine faces a shortage of soldiers on the battlefield – a problem it is trying to solve by forcefully mobilising fighters.
As few as five to seven Ukrainian soldiers are having to face some 30 soldiers from the Russian side in some cases, Simon Schlegel, an analyst with the Crisis Group, told Radio Free Europe, a Prague-based publication.

Analysts estimate there are about one million military personnel in the Ukrainian army compared with some 2.4 million on the Russian side, but neither country publishes those figures. Ukrainian army commanders put the ratio of Russian versus Ukrainian combatants at 10 to 1.

Insufficient manpower is an old problem for Ukraine, even before the start of the war and despite early enthusiasm to join the military right after the invasion, analyst Keir Giles of the United Kingdom’s Chatham House think tank told Al Jazeera.
“Ukraine has been grappling with this for a long time,” he said, adding that the low numbers could also be fuelling further desertions. “There’s exhaustion, there’s shell shock … The initial flush of excitement about the war has worn off, and some people have started to realise that this is for the long haul.”
Alongside the mental and physical fatigue that many soldiers are suffering from prolonged periods at the front line, the Ukrainian army has to deal with inadequate weaponry and ammunition as well.

Despite some wins, including a major incursion into Russia’s Kursk region in August, Ukrainian troops have often found themselves on the back foot in the nearly 32-month-long war with Russia.
Crucially, soldiers say they are poorly armed and complain of having the enemy in sight, watching them advance, and being unable to fire because they have no ammunition, according to accounts from soldiers reported by CNN. Many said they felt guilt for not being able to provide infantry units with adequate cover. Commanders have also told journalists that they have been forced to watch men from entire units die in the war because of the weapons shortage.
Speaking in the United States Congress during a testimony on April 10, General Christopher Cavoli, head of US European Command, described Russia’s five-to-one advantage in artillery shells, predicting that would soon grow to 10 to one.
Why is the army in such a poor state?
Ukrainian officials blame Western allies – the European Union and the US – for being too slow to provide military aid. President Volodymyr Zelenskyy has repeatedly urged Washington, with Congress split on the issue of allocating more aid to Ukraine, to speedily deliver promised funds to allow the country to buy more artillery shells and air defence systems.

On April 24 this year, the US passed a bill after a delay of almost a year, granting a $61bn aid package largely meant for Ukraine. Military aid deliveries to the country as part of the package included vehicles, Stinger air defence munitions, ammunition for high-mobility artillery rocket systems and antitank munitions.
In a statement on April 29, Zelenskyy thanked the US government and said the support had “started arriving” but reiterated a need for speedier help.
“The speed of deliveries means stabilising the front,” Zelenskyy said.

European countries collectively delivered 118.2 billion euros ($128.2bn) to Ukraine between April 2022 and September 2024, while the US has delivered 84.7 billion euros ($91.9bn), according to data from the Germany-based Kiel Institute. Analysts say the upcoming US election that could see former President Donald

Trump return to the White House is causing more uncertainty for Ukraine. Trump has repeatedly threatened to cut US funding to the country and many of his Republican Party members back him on the topic.
Are conscription laws fuelling desertions?

Ukraine’s martial law, which entered into force at the start of the war, mandates young men to join the military.
Zelenskyy’s government says the army needs to enlist 500,000 out of about 3.7 million men of fighting age who are eligible for service.
Since the president signed a renewed mobilisation law in April 2024, men between the ages of 25 and 60 are now eligible. Previously, the range was 27 to 60.

The updated law obliges men of fighting age to update their information with the authorities and tightens punishments for draft dodging, with fines increased from about $13 to $215 and violators facing several days in detention.

Some criticise the conscription decree as a whole for its seeming rigidity: there are no legal ways to leave the military as a conscript, unless under special circumstances such as raising a minor or a child with a disability or caring for a spouse with a disability or severe sickness.

Debates around drafting ages are also raging: some factions want to keep more young men at home to run the economy. Others, especially those in the military, say more active men are needed on the battlefield.
Under Ukraine’s martial law, men are first drafted into military service in readiness for mobilisation or “call-up” when they actually go to fight.

President Zelenskyy faced some pressure before agreeing to sign the April law, reducing the drafting age to 25, according to Ukrainian media, amid calls to lower the drafting age to 20 or 18.
Videos on social media show men from the Ukrainian army raiding bars and restaurants and forcefully dragging young men away if they refuse to be drafted under the new law. The decree requires eligible men, at home or abroad, to register and carry their drafting papers on them at all times.
Elena Davlikanova, a professor at Ukraine’s Sumy State University (SSU), says the age debate fails to focus on the real reasons why people do not want to sign up.
“It is the lack of weapons and munitions that is the major stopper from mobilisation,” Davlikanova told Al Jazeera. “It would have been way cheaper to supply enough air defence systems on time than plan Ukraine’s reconstruction, the cost of which is close to half a trillion US dollars,” she added, referring to the estimated cost of rebuilding the devastated country.

Is there any way to avoid conscription?

Not officially. Martial law means those in the drafting age groups and categories are not allowed to leave the country. However, hundreds of young men have fled to neighbouring countries fearing conscription. Some have risked the freezing waters of the Tysa River, on the border with Romania, to get away, and many have drowned, according to Ukraine’s border patrol, which did not give specific numbers.
Those caught trying to leave the country are often fined and then released.

Is Russia facing the same problem?

Manpower and weaponry problems are also putting pressure on the Russian side, experts say. However, there are still more Russian soldiers than Ukrainian at the moment, and Russia has taken about 19 percent of Ukraine’s territory since the war started.
“We have to keep this context in mind when we talk about Ukraine because we don’t see what’s happening on the other end – Russia has years and years of practice keeping its information about losses secret,” Giles said.
Russian men aged between 18 and 30 are eligible to be drafted for a year. At present, conscripts are supposed to be legally exempt from combat if they do not have at least four months of training, although this is not happening in practice, analysts say.
Since the war started, Russian courts have tried some 8,000 cases of violations involving military personnel, more than 80 percent being desertions, according to Russian media outlet Mediazona.
Earlier this year, however, Ukrainian military intelligence reported that 18,000 soldiers in Russia’s southern military district had deserted.
The main reasons some give are a fear of getting wounded – or worse, dying – in a war that has no end in sight. By May, at least 500,000 Russian soldiers had either died or been wounded since the war began, according to the UK’s Ministry of Defence.
Alex Gatopoulos, Al Jazeera’s defence editor, noted that while Russia’s troop numbers might be bigger, “they’re not necessarily better”. The country is just catching up with Ukraine’s effective drone strategy, but Russian troops have lost an “exceptionally high number of tanks to Ukrainian attacks” as well as troops, he said.
“For Russia, the only path to a military victory is through attrition and the use of its larger armed forces to grind down the smaller Ukrainian army,” Gatopoulos said, referring to a “meat grinder” strategy that sees Russia push soldiers to the front lines despite high death tolls.
Russia has tried to entice men to join the army. Authorities in August quadrupled a one-time payment for enlistment since August. Soldiers who sign up now receive nearly 1 million roubles ($11,500) – almost 23 times the average monthly pay of about $500.
However, there is still little enthusiasm for joining up, analyst Kseniya Kirillova wrote in a paper for the US-based Center for European Policy Analysis.
“Russia’s regions only achieved 50-60 percent of their recruitment targets in 2023 … some recruitment offices are now focusing on coercing conscripts,” Kirillova noted.

The Fall of IsraHELL

Sun, 20 Oct 2024 15:20:33 +0000

Quote:I have previously written about Hamas’ Oct. 7, 2023, attack on Israel, calling it “the most successful military raid of this century.”

I have described the Hamas action as a military operation, while Israel and its allies have called it a terrorist action on the scale of what transpired against the United States on Sept. 11, 2001.

“The difference between the two terms,” I noted,
is night and day — by labeling the events of October 7 as acts of terrorism, Israel transfers blame for the huge losses away from its military, security, and intelligence services, and onto Hamas. If Israel were, however, to acknowledge that what Hamas did was in fact a raid — a military operation — then the competency of the Israeli military, security, and intelligence services would be called into question, as would the political leadership responsible for overseeing and directing their operations.

Terrorism employs strategies that seek victory through attrition and intimidation — to wear an enemy down and create a sense of helplessness on the part of the enemy. Terrorists by nature avoid decisive existential conflict, but rather pursue asymmetrical battle which pits their strengths against the weaknesses of their enemies.

The war that has gripped the Levant since Oct. 7, 2023, is not your traditional anti-terrorism operation. The Hamas-Israeli conflict has morphed into a conflict between Israel and the so-called axis of resistance involving Hamas, Hezbollah, Ansarullah (the Houthi of Yemen), the Popular Mobilization Forces, i.e. militias of Iraq, Syria and Iran. It is a regional war in every way, shape, or form that must be assessed as such.

The Prussian strategist Carl von Clausewitz noted in his classic work, On War, that “war is not merely a political act but a real political instrument, a continuation of political intercourse, a carrying out of the same by other means.”

From a purely military perspective, the Hamas raid on Israel on Oct. 7, 2023, was a relatively minor engagement, involving a few thousand combatants from each side.
As a global geopolitical event, however, it has no contemporary counterpart.

The Hamas raid triggered a number of varied responses, some of which were by design, such as luring the Israeli Defense Forces into Gaza, where they would become trapped in a forever war they could not win, triggering the dual Israeli doctrines governing military response to hostage taking of the “Hannibal Doctrine” and the Israeli practice of collective punishment, the “Dahiya Doctrine.”

Both of these doctrines put the IDF on display to the world as the antithesis of the “world’s most moral military” by exposing the murderous intent ingrained into the DNA of the IDF, a propensity for violence against innocents which defines the Israeli way of war and, by extension, the Israeli nation.
Prior to Oct. 7, 2023, Israel was able to disguise its true character to the outside world, convincing all but a handful of activists that its actions in targeting “terrorists” were proportional and humane.
Today the world knows Israel as the genocidal apartheid state it really is.
The consequences of this new global enlightenment are manifest.

Changing the ‘Face of the Middle East’
President Joe Biden, on Sept. 9, 2023, during the G20 summit in India, announced a major policy initiative, the India-Middle East-European Economic Corridor, or IMEC, a proposed rail, ship, pipeline and digital cable corridor connecting Europe, the Middle East and India.

Benjamin Netanyahu, the Israeli prime minister, commenting on Biden’s announcement, called the IMEC “a cooperation project that is the greatest in our history” that “takes us to a new era of regional and global integration and cooperation, unprecedented and unique in its scope” adding that it “will bring to fruition a years-long vision that will change the face of the Middle East and of Israel.”

But because the world now sees Israel as a criminal enterprise, the IMEC looks for all intents and purposes to be no more — the greatest cooperation project in Israeli history that would have changed the Middle East likely will never reach fruition.

For one thing, Saudi Arabia, a key player in the scheme, having invested $20 billion in it, says it will not normalize relations with Israel, necessary for the project, until the wars end and a Palestinian state is recognized by Israel, something the Knesset voted earlier this year would never happen.

The demise of the IMEC is just part of the $67 billion economic hit Israel has taken since the Gaza conflict began.

Tourism is down 80 percent. The southern port of Eilat no longer functions because of the anti-shipping campaign run by the Houthi in the Red Sea and the Gulf of Aden. Workforce stability has been disrupted by the displacement of tens of thousands of Israelis from their homes because of Hamas and Hezbollah attacks as well as the mobilization of more than 300,000 reservists. All this combine to create a perfect storm of economy-killing issues, which will plague Israel so long as the current conflict continues.

The bottom line is that, left unchecked, Israel is looking at economic collapse. Investments are down, the economy is shrinking, and confidence in an economic future has evaporated. In short, Israel is no longer an ideal place to retire, raise a family, work…or live. The biblical “land flowing with milk and honey,” if it ever existed, is no more.

This is an existential problem for Israel.

For there to be a viable “Jewish homeland,” demographics dictate there must be a discernable Jewish majority in Israel. There are just short of 10 million people living in Israel. About 7.3 million are Jews; another 2.1 million are Arabs (Druze and other non-Arab minorities comprise the reminder.)

There are some 5.1 million Palestinians under occupation, leaving a roughly 50-50 split when looking at the combined totals between Arab and Jew. An estimated 350,000 Israelis hold dual citizenship with an EU country, while more than 200,000 hold dual citizenship with the United States.

Likewise, many Israelis of European descent can easily apply for a passport simply by showing that either they, their parents, or even their grandparents resided in a European country. Another 1.5 million Israelis are of Russian descent, with many of those holding valid Russian passports.

While the main reasons for maintaining this dual-citizen status are convenience and economic, many view the second passport as “an insurance policy” — a place to run to if life in Israel becomes untenable.
Life in Israel is about to become untenable.

Escape From Israel

Israel had already suffered from a growing emigration problem derived from dissatisfaction with the policies of the Netanyahu government — some 34,000 Israelis permanently left Israel between July and October 2023, primarily in protest over the judicial reforms being enacted by Netanyahu.
While there was a spike in emigration immediately after the Oct. 7, 2023, attacks (some 12,300 Israelis permanently emigrated in the month following the Hamas attack), the number of permanent emigrants in 2024 was around 30,000, a drop from the previous year.

But now Israel is being bombarded on a near-daily basis by long-range drones, rockets, and missiles fired from Hezbollah, militias in Iraq, and the Houthi in Yemen. The Iranian ballistic missile attack of Oct. 1 vividly demonstrated to all Israelis the reality that there is no viable defense against these attacks.

Moreover, if the Israel-Iran conflict continues to escalate (and Israel has promised a retaliation of immense proportions), Iran has indicated it will destroy Israel’s critical infrastructure — power plants, water desalinization plants, energy production and distribution centers — in short, Israel will cease being able to function as a modern nation state.

At that point, insurance policies will be cashed in as hundreds of thousands of Israelis holding dual passports vote with their feet. Russia has already told its citizens to leave. And if millions of other Israelis who qualify for European passports opt to exercise that option, Israel will face its ultimate nightmare — a precipitous drop in the Jewish population that skews the demographic balance decisively toward non-Jews, making moot the notion of an exclusive homeland for the Jews.
Israel is rapidly becoming unsustainable, both as a concept (the world is rapidly tiring of the genocidal reality of Zionism) and in practice (i.e., economic and demographic collapse.)

The Changing View From the US

This is the current reality of Israel — in one year’s time, it went from “changing the face of the Middle East” to being an unsustainable pariah whose only salvation is the fact that it has the continued support of the United States to prop it up militarily, economically, and diplomatically.

And herein lies the rub.

That which made Israel attractive to the United States — the strategic advantage of a pro-American Jewish enclave in a sea of Arab uncertainty — no longer holds as firmly as it previously did. The Cold War is long gone, and the geopolitical benefits accrued in the U.S.-Israeli relationship are no longer evident.

The era of American unilateralism is fading, rapidly being replaced by a multi-polarity with a center of gravity in Moscow, Beijing and New Delhi. As the United States adapts to this new reality, it finds itself engaged in a struggle for the hearts and minds of the “global south” — the rest of the world outside the EU, NATO, and a handful of pro-Western Pacific nations.

The moral clarity that American leadership seeks to bring to the global stage is significantly clouded over by its ongoing unquestioned support for Israel.

Israel has, in its post-Oct. 7, 2023, actions, self-identified as a genocidal state totally incompatible with any notion of international law or the basic precepts of humanity.

Even some Holocaust survivors recognize that modern-day Israel has become the living manifestation of the very evil that served as the justification for its creation — the brutally racist ideology of Nazi Germany.
Israel is anathema for everything modern civilization stands for.
The world is gradually awakening to this reality.

So, to, is the United States.

For the moment the pro-Israeli lobby is mounting a rear-guard action, throwing its weight behind political candidates in a desperate attempt to buy the continued support of their American benefactors.

But geopolitical reality dictates that the United States, in the end, will not commit suicide on behalf of an Israeli state that has lost all moral legitimacy in the eyes of most of the world.

There are economic consequences attached to American support for Israel, especially in the increased gravitational pull of the BRICS forum, whose growing list of members and those who are seeking membership reads as a who’s who of nations fundamentally opposed to the Israeli state.
The deepening social and economic crisis in America today will create a new political reality where American leaders will be compelled by electoral realities to address problems which manifest on American soil.
The day when Congress can allocate billions of dollars without question to oversees wars, including those involving Israel, is coming to an end.

Political operative James Carville’s famous adage, “It’s the economy, stupid” resonates as strongly today as it did when he penned it back in 1992. To survive economically, America will have to adjust its domestic and international priorities, requiring conformity not only with the will of the American people, but a new, law-based international order which largely rejects the ongoing Israeli genocide.
Apart from die-hard Zionists who will hold out in the unelected “establishment” of government civil service, academia, and mass media, Americans will gravitate toward a new policy reality where unquestioned support for Israel is no longer accepted.
This will be the final straw for Israel.

The perfect storm of global rejection of genocide, sustained resistance on the part of the Iranian-led “axis of resistance,” economic collapse and realignment of American priorities will result in the nullification of Israel as a viable political entity. The timeline for this nullification is dictated by the pace of collapse of Israeli society — it could happen in a year, or it could unfold over the course of the next decade.
But it will happen.
The end of Israel.

And it all began on Oct. 7, 2023 — the day that changed the world.

https://ronpaulinstitute.org/the-fall-of-israel/

Over 100 Ukrainian drones downed in Russia overnight

Sun, 20 Oct 2024 10:13:11 +0000

Quote:Over 100 Ukrainian drones downed in Russia overnight – MOD
Four firefighters have been injured in an attack on Nizhny Novgorod Region, the local governor has said
null

Russian forces destroyed more than 100 Ukrainian drones attempting to target facilities in several regions overnight, the Defense Ministry in Moscow said on Sunday.

The military thwarted “an attempt by the Kiev regime to carry out a terrorist attack using an aircraft-type UAV against targets on the territory of the Russian Federation,” the ministry said.
Air defenses intercepted or destroyed 110 UAVs, 43 of which were taken down over the Kursk Region near the border, where fighting has been raging since early August.

Another 27 were destroyed over Lipetsk Region, 18 over Oryol Region, and eight over Nizhny Novgorod Region. Seven and six UAVs, respectively, were destroyed over the Belgorod and Bryansk Regions, and one was downed over Moscow Region.
Nizhny Novgorod Region Governor Gleb Nikitin said the local attack targeted an industrial zone outside region’s main city, located 800 km from the frontline. Citing preliminary data, he said four firefighters suffered minor shrapnel wounds.

Moscow Mayor Sergey Sobyanin said a Ukrainian drone, which was flying towards the Russian capital, was downed to the southeast of the city, but that no casualties or destruction have been reported.
Ukraine routinely launches drone attacks deep into Russia, with raids targeting energy facilities and other civilian structures.