Most security teams think of NTFS junctions and symbolic links as niche file system features. They let one directory point to another, like a shortcut that the OS treats as real. They exist for backward compatibility, storage management, things that rarely come up in a SOC. But they have a property that makes them interesting from an offensive perspective: any user can create them.

No admin privileges are required, and no special permissions beyond write access to the target folder.

We discovered that by pointing a junction back at its own parent directory, an attacker can create recursive loops that generate effectively infinite file paths. Tools that try to scan the directory recursively, including EDR products, could follow the loop and never finish.

The malicious files sitting in the same folder go unexamined, creating a technique we’ve dubbed GhostTree.

How NTFS junctions work

Windows file paths are a fundamental part of the operating system, but they come with complexities. While most users interact with simple folder structures, the NTFS file system introduces advanced capabilities like junctions and symbolic links.

These features serve legitimate purposes, such as redirecting directories, maintaining backward compatibility with legacy applications that expect files to be in specific locations, or reorganizing files without physically moving them.

A junction is a type of NTFS reparse point that redirects one directory to another. Creating one requires only write permissions and a single command in CMD:

mklink /J C:\LinkToFolder C:\TargetFolder

This creates a junction named “LinkToFolder” that transparently points to “TargetFolder.” Any application accessing files through the junction sees the contents of the target directory as if they were local.

One constraint matters here though. Classic Windows systems impose a maximum path length of 260 characters, which is rooted in legacy software and file system design.

It is technically possible to extend this limit up to 32,767 characters via a registry key, but many applications and utilities are not equipped to handle paths beyond 260. 

Even though NTFS supports longer paths, practical usage remains restricted by existing software. That limit determines how deep the recursive loops can go, and how many unique paths GhostTree can produce.

GhostBranch

GhostBranch is the simpler of the two techniques. Any user can create a folder junction, setting both the junction’s name and destination. Consider this folder structure:

C:\Parent\program.exe

Run the command:

mklink /J C:\Parent\Child C:\Parent

This creates a logical loop by pointing a child folder back to its parent folder. The child directory now contains everything the parent does, including itself. The result is an unlimited number of valid paths to the same file:

C:\Parent\Child\Program.exe
C:\Parent\Child\Child\Program.exe
C:\Parent\Child\Child\Child\Child\Program.exe

Due to the loop, you can add multiple “Child” folders to the path, and it remains valid. Every one of these paths resolves to the same executable.

GhostTree

GhostTree builds on the GhostBranch concept by creating multiple child folders instead of one. For example, you can create two child folders:

mklink /J C:\Parent\Child1 C:\Parent
mklink /J C:\Parent\Child2 C:\Parent

Now every level in the path can branch through either Child1 or Child2, and both loop back to the parent. This allows various paths:

C:\Parent\Child1\Program.exe
C:\Parent\Child2\Program.exe
C:\Parent\Child1\Child1\Program.exe
C:\Parent\Child1\Child2\Program.exe

Path calculations

Both GhostBranch and GhostTree produce paths that can extend to the maximum length Windows allows. The difference is in path diversity, which is where GhostTree’s additional child folder changes things considerably.

GhostBranch

Within Windows, the maximum traditional path length is 260 characters. To maximize the number of directories, one can create single-letter folders (e.g., “P”) directly under the C: drive and employ an executable named 1.exe. 

Example paths include:

C:\P\1.exe
C:\P\P\1.exe
C:\P\P\P\...\1.exe

This configuration allows for approximately 126 unique directory structures due to path length limitations.

GhostTree

The GhostTree method introduces two parent folders, “P” and “B”, in contrast to the single-folder structure used previously. Examples include:

C:\B\1.exe
C:\P\B\1.exe
C:\P\B\P\B\...\1.exe

While the maximum depth remains around 126 folders, each level may be named either “P” or “B,” effectively creating a binary tree-like structure. With this configuration, each node represents a distinct path, and the total number of possible nodes is calculated as:

2^126 ≈ 8.5 × 10^37

How big is that? It’s vastly larger than the number of grains of sand on Earth (8.5 × 10^18) or even the atoms in your body (10^27).

Why this matters for defenders

With just two lines of code, a user can generate endless valid paths, making it impossible to finish scanning parent directories with the dir command recursively. The same applies to EDR products that scan folders for malicious files. An attacker places malware in the parent directory, sets up the GhostTree structure, and the containing folder becomes effectively unscannable. The scan hangs. The malicious files go unexamined.

We tested this technique against Windows Defender and confirmed it could be used to evade folder scans.

We reported the issue to Microsoft. The ticket was closed with the explanation that “bypassing Defender is not crossing a security boundary.” The issue was subsequently patched regardless.

Techniques like GhostTree are a reminder that endpoint scanning is only one layer of defense. Monitoring file system activity at the data layer catches what scanners miss, including anomalous junction creation and recursive directory structures that should not exist in normal operations.

Varonis monitors file access patterns and detects this kind of anomalous activity across file systems and cloud infrastructure.

Schedule your demo today.

Sponsored and written by Varonis.

The U.S. Federal Trade Commission (FTC) warned that Americans lost $3.5 billion to imposter scams in 2025, with reported losses nearly tripling since 2020.

Imposter scams were also the most reported fraud category last year, accounting for nearly one in three fraud reports filed with the FTC. In these scams, the fraudsters reach victims through text messages, phone calls, emails, social media, and search engine results. The costliest schemes typically involve a fake bank security alert that prompts targets to transfer funds to “protect” their accounts.

According to the FTC, victims lost nearly $1 billion to business impersonators (with bank impersonators being behind the most lucrative scams) and approximately $920 million to government impersonators. Social media was the most cost-effective attack vector for impersonators, with more than $2.1 billion in 2025 losses traced to social platforms (an eightfold increase since 2020).

Nearly one in three Americans who lost money in such scams were first contacted through social media, with Facebook losses alone exceeding those from text and email combined, while WhatsApp and Instagram ranked second and third.

“The FTC will use every tool available to combat one of the most pernicious forms of fraud—government and business impersonation—and to protect the integrity of the digital economy,” said Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection.

Overall reported fraud losses across all categories have surged to about $16 billion in 2025, the highest on record and roughly 25% above the prior year.

In March 2024, the FTC also warned that scammers were impersonating its employees to steal money after receiving many reports of scams in which fraudsters impersonated agency personnel to pressure Americans via phone calls, email, or text messages into wiring or transferring money.

Since its Impersonation Rule took effect in April 2024, the FTC has brought a dozen enforcement actions, securing more than $70 million in consumer redress and halting some imposter schemes.

Last year, the FTC announced law enforcement actions under this rule against MediaAlpha (government imposter scheme), American Tax Service (IRS imposter scheme), Blackstone Legal (phantom debt business imposter scheme), Click Profit (business imposter money-making scam), and Accelerated Debt Settlement (government and business imposter scheme).

It also filed a complaint against Innovative Partners in April 2026, alleging the company impersonated the government and insurance carriers to sell fraudulent health plans.

The same month, the FBI warned in its 2025 Internet Crime Report that U.S. victims lost almost $21 billion to cyber-enabled crimes throughout last year.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

If you’ve ever used a pillow spray or lotion designed for sleep, you understand the power that scent can have on rest. So does Kimba, a new sleep technology company whose clinically validated, AI-powered Kimba device is now available for preorder in the US. The Kimba tracks your health metrics to release scents while you snooze, aiming to guide you into a deeper, more restorative sleep without the need for pills, the company said in a press release.

Unlike wearable devices that passively track your sleep, the Kimba seeks to actively improve it. It does so with built-in ambient sensors that monitor breathing patterns, movement, room disturbances, light levels and snoring, along with the ability to connect to wearables such as the Whoop, Oura Ring, Apple Watch, Fitbit and wearables by Garmin. Then it delivers personalized scents using three capsules contained in the device.

Kimba was founded by Ben Fuxbruner, a former special forces commander who dealt with post-traumatic stress disorder and chronic insomnia after a near-death injury. Sleep and brain science researchers, including olfactory and neuroscience expert Anat Arzi, who holds a doctoral degree in neurobiology, helped develop the Kimba device. 

“The influence of sensory input during sleep is significant,” Arzi in a statement. “Olfactory stimulation is uniquely beneficial for this because it can influence brain activity without waking the individual.”

Once the Kimba is released, I plan to test the product to see if it lives up to its promises and the price of about $600 a year.

It begins with a sleep assessment

It all starts with a sleep assessment on the Kimba app. This assessment helps the sleeper “to understand their sleep challenges, goals, preferences and lifestyle factors,” Fuxbruner told CNET. Those who preorder a Kimba will take the sleep assessment to create a personalized sleep profile and determine which three scent capsules they receive first.

There are currently 12 water-based, plant-derived scent formulations packaged in proprietary scent capsules that are replaced every three months. Scents include Soft Blue, created with Roman chamomile to support sleep initiation; Golden Grove, made with Austrian sandalwood to ground the body; and Lemon Calm, built with Bulgarian melissa (also known as lemon balm) to downshift anxiety. 

New capsules are scheduled to ship before replacements are needed, and these shipments are part of the Kimba membership.

According to Fuxbruner, the $299 preorder price includes the Kimba device, app access, a six-month membership with personalized scent deliveries and free shipping. After that, preorder you can continue receiving scents through your membership at the same discounted rate of $299 every six months (about $49.90 a month). That comes out to about $600 a year.

AI uses your data to pick your sleep scents

Following the sleep assessment, once you go to sleep, the Kimba will monitor nightly health metrics, including heart rate variability, movement, breathing patterns and data from wearable devices. Fuxbruner explained that it uses its proprietary adaptive AI to analyze this data and determine when, what and how much scent to deliver, and to make adjustments throughout the night to optimize recovery, sleep continuity and depth. 

Advertisement

Kimba’s machine learning models “learn how sleep patterns evolve over time and differ across individuals using physiological signals from wearables and Kimba’s own sensing systems,” said Fuxbruner. “Because Kimba’s objective is measurable: better sleep quality, continuity, recovery and cognitive performance, Kimba can continuously evaluate and optimize its models based on real-world outcomes.”

In other words, the more you use the Kimba system, the more personalized your scent experience should become. 

New scents are delivered quarterly

During the first few months of use, Kimba establishes a baseline using information from the onboarding questionnaire, sleep data collected from a wearable and using the Kimba’s built-in sensors. The device doesn’t use cameras but can detect sleep-related sounds, such as snoring.

“The system is designed to filter for specific sleep-relevant signals only, collecting only the information necessary to generate personalized sleep insights and scent recommendations,” said Fuxbruner. Conversations and other audio are not recorded, stored or retained, he said.

As data is gathered, the system identifies patterns between specific scent combinations and positive sleep outcomes, such as longer periods of deep sleep or fewer nighttime awakenings.

Then, each quarter, Kimba users will receive updated scent recommendations and before shipment, they can review these scents and why they’ve been endorsed in the Kimba app.

Kimba’s privacy policy 

All data is encrypted both in transit and at rest within the Kimba ecosystem, including the device and cloud infrastructure, Fuxbruner said.

Kimba’s privacy and security practices align with HIPAA requirements and the international ISO 27701 privacy management principles. Data is used solely to personalize and optimize your sleep experience and is not sold or shared with third parties for advertising purposes.

Current and future research

Arzi conducted a study with 50 participants over 48 nights and found that Kimba improved their sleep quality and cognitive performance. These findings are to be presented at conferences later this year. 

Under the guidance of sleep expert Peretz Lavie, Kimba is advancing two additional clinical studies: one using polysomnography (PSG, also known as a sleep study) to evaluate physiological sleep outcomes, and another focused on mental health and PTSD to explore Kimba’s impact on sleep and recovery.

You can register for preorder at kimba.ai. Shipping will begin this fall. 

Many websites will show you different prices, contents, ads, and search results depending on where you are. When marketers and academics see only one version of the internet, they might miss important information and draw the wrong conclusions.

Now is the time when residential proxies are useful. You can see websites from various places and get a better idea of what people all over the world see by routing internet data through real residential IP addresses.

What ProxyWing Offers Beyond Standard Residential Plans

One thing many residential proxy providers do is provide access to IP addresses. In a broader sense, ProxyWing is building a platform to address real-world business and study needs. The big residential IP pool is one of the best things about it. When a network is bigger, people can connect to more unique IP addresses from different places. This makes it easier to access location-sensitive information and reduces the number of restrictions that come with it.

One more benefit is that sessions can be changed. For some projects, IP addresses need to change all the time. Others need a connection that remains stable for longer. ProxyWing lets users choose between rotating sessions and sticky sessions, so they can use the feature that best fits their workflow. 

Real Use Cases We Tested for Marketers

Often, marketing professionals need accurate information about the region to make decisions. We looked at several real-world examples to assess how well ProxyWing works in an everyday marketing environment. 

1. Local Search Engine Result Tracking

In different towns and countries, we looked at how search results looked. With the residential IPs, it was easier to show correct localized search results. 

2. Watching the prices of competitors

Marketing teams often keep an eye on their competitors. Location-specific pricing research was possible thanks to the network, which didn’t cause many problems. 

3. Verification of Ad

We looked at different places or locations to see if online ads were showing up properly. Proxy servers let us see ads as people in our area would. 

4. SEO Campaign Analysis

We looked at search results from several different areas. Results were more accurate at reflecting local search conditions than standard connections. 

5. Tracking Affiliate Campaigns

Affiliate marketers must verify landing pages and tracking cnnections. Residential IPs offered dependable insights across various regions. 

Real Use Cases We Tested for Researchers

Researchers often need knowledge that is both unbiased and relevant to the area. We put ProxyWing to the test in a number of research-related situations. 

1. Getting information from schools

Researchers who are gathering public information from different places could more easily use statistics that are specific to those places. 

2. News Monitoring

Headlines in different places are often different. The network lets people see news from an area’s perspective. 

3. Studies of consumer behavior

Online behavior researchers could get a better picture of how people in different places interact with localized content. 

4. Search Engine Research

Differences in search results across areas could be clearly seen and recorded. 

5. Travel Data Collection

Travel prices vary widely depending on where you are, so residential IPs were useful for comparing how prices work across different areas. 

6. Monitoring of digital policies

Researchers examining differences in internet rules and content could access web experiences specific to their location. 

These examples showed how useful residential IP addresses are for gathering information important to a specific area. 

Configuration and Integration Experience

Setting up is one of the things that worries beginners the most. Thanks to ProxyWing, the process is pretty easy to understand.

Users can easily manage their credentials, select locations, and set up sessions on the dashboard thanks to its well-organized layout.

We tested how well the integration worked in several common ways.

Configurations performed in a browser took only minutes to complete. Most users can simply enter proxy credentials and begin routing traffic through the residential network.

Standard proxy integration steps were used to set up automatic tools. The documentation was clear enough to help connect browser automation platforms, scraping tools, and data collection systems.

Common proxy standards will be useful for developers building custom software. Integration didn’t require many changes to the way things were done before.

The choices for managing sessions were especially helpful. Users could choose between rotating and sticky sessions based on the project’s needs.

Performance remained stable throughout extended testing periods, and connection reliability was suitable for ongoing data collection and monitoring.

Overall, the setting process felt easy enough for beginners to handle while still giving advanced users enough options. 

Pricing and Plan Selection Guidance

The project’s goals, traffic needs, and projected usage levels will help you choose the best residential proxy plan. Long-term studies may require higher-volume plans so researchers can continue collecting data across multiple sites.

It’s more important to choose a plan based on how much you will actually use it than to pick the biggest package that’s offered. Estimating how much traffic you will use each month can help you make the most cost-effective choice.

A well-functioning network can save hours of work, ensure data accuracy, and reduce gaps that slow down important projects. ProxyWing’s residential proxy network is a good option if you want a solution with flexible plans, reliable performance, and extensive coverage. ProxyWing has plans for people with a range of needs and budgets, such as marketers who want to keep an eye on their competitors, researchers who want to collect location-specific data, or marketers who want to monitor their own local search rankings. Look more closely at your options and see how the right residential proxy plan can help you learn more, get more done, and feel more confident about your choices. 

Wrap Up

These days, the internet is becoming increasingly tailored to each person’s location. In different parts of the world, search results, ads, prices, information, and user experiences can vary widely. It is very important for marketers and academics to understand these differences.

The ProxyWing Residential Proxy provides access to a large residential IP network configured to deliver location-based visibility. It’s useful in many situations because it can target people by location, adapt to different session types, integrate with many systems, and consistently deliver results.

Whether you are monitoring SEO performance, advertising campaigns, customer behavior, academic research, or gathering data on a specific area, residential proxies can provide the information you need to make better decisions.

Based on our review, ProxyWing offers the key features researchers and marketers need, and its setup process is easy enough for both new and experienced users. It is a useful and effective residential proxy option for professionals who need location-specific information. 

Since launching in 2014, PopSockets have always been a quirky (and slightly bulky) grip for phones. They’re adored by those who love to accessorize their phones with their swappable designs and people who love to fidget with their accordion-style pop-out piece. But the company is now hoping to attract a new clientele with the Low-Pro, a new grip design that’s so thin that when collapsed, it sits lower than the camera bump on my iPhone 17 Pro Max. 

The Low-Pro goes on sale Tuesday for $40, launching first at Apple Stores and at PopSockets.com, with additional retailers at the end of July. You can see more of how it works in the latest episode of One More Thing, embedded below:

Advertisement

Watch this: Flat PopSockets Might Lure More Men: Hands-On With Low-Pro Grips

05:28

I’ve been using the MagSafe Low-Pro for the past week, and I can see the appeal this will have for those folks who just want something that slips effortlessly into their pants pockets. Like other PopSockets, it still attaches with the MagSafe magnetic backing. The front has a soft matte finish, and although it doesn’t make a “pop,” a finger nudge in any direction will raise the disk to reveal a slitted, flexible single piece of polymer. A metal ring around the edge becomes an adjustable swing-out stand to prop up your phone in portrait and landscape mode. 

When the Low-Pro is expanded, it reminds me of a kid’s paper lantern craft project. Thinner materials give the impression that it will be weaker, but no matter how I twist, tug or try to poke at the holes, the material holds up. Good news for fidget-lovers: This seems to be able to handle all my stretching — and the PopSockets team tells me it was designed to withstand more than 30 pounds of pulling pressure in testing.

Apple Stores will carry the Low-Pro in four exclusive colors to start: Blue Aura, Electric Fuchsia, Black and Navy. 

PopSocket is not the first to come up with a flush magnetic phone grip. The company OhSnap gained popularity for its Snap Grip, priced at $30, which uses a metal hinge to fold flat. But since using both, I prefer the PopSocket design because it’s easier to open with one finger from any angle, and it has the extra kickstand. 

I sat down with PopSocket inventor and founder David Barnett to learn more about the pivot to the Low-Pro. Although the PopSockets company will continue making the existing design (the one that actually pops), Barnett said the big motivator here for a new model was to lure in men who told him over the years they never gave PopSockets a chance because of their size. 

Advertisement

“They’d say, ‘Oh, it would get caught on my pocket,’ and I’d think to myself, It’s never gotten caught on my pocket ever,” Barnett said. “Ultimately, I wanted a solution that would meet this challenge of not being perceived as thick and bulky.” 

There is an extra benefit to this thinner design — you don’t have to take off your Low-Pro if you want to connect it to a MagSafe stand to charge. Just don’t count on it getting a fast charge: the more stuff between your phone and the charger (like a case and a grip), the slower the trickle of energy will be to your device. 

But often I use MagSafe stands to prop up my phone at work. And for once, it meant I didn’t have to pop off my PopSocket to have it snap magnetically. 

from the golden-age-of-corruption dept

Last week Elon Musk successfully conned America and U.S. regulators into signing off on his preposterous SpaceX IPO, which immediately generated Musk $75 billion by comically over-stating the value of SpaceX, xAI, and Starlink. Then bone-grafting the entire pile of bullshit to the U.S. economy and your retirement account under the pretense that space data centers and Mars colonization are just around the corner.

A handful of remaining useful journalists have repeatedly explained how xAI and Musk’s racist 5th place chatbot — which comprises the lion’s share of the ridiculous IPO valuation — is a gargantuan loser. Both SpaceX and xAI aren’t profitable and may never be, and the claims of Mars colonization and space data centers are unworkable bullshit designed to distract people with toddler-level critical thinking skills.

Anyway I’m sure it will go fine.

As a multi-decade telecom beat reporter I’d say I’m better positioned to talk about Starlink — the only actually profitable company in the SpaceX IPO prospectus (and that’s assuming Starlink is being honest about their financial numbers in a country too corrupt to have working financial regulators).

I’ve long noted how Starlink is great for people with no other options, but data has shown how it’s too congested to meaningfully scale. It’s also often too expensive for the sorts of Americans struggling with access. There’s also the problem with it ruining astronomical research and degrading the ozone layer. So Starlink is great for RVs or a guy with an extra cabin in the woods, but it’s not a miracle.

In terms of broadband policy, it’s supposed to be a niche solution. The kind of technology you use to fill in the gaps after you’ve pushed fiber, 5G, and fixed wireless out as far as you can into unserved areas.

But as I’ve mentioned previously, folks in the Trump administration and extended Rogan infotainment universe see Starlink as akin to magic. They think it’s just a sort of pixie dust you sprinkle over the entire of U.S. connectivity woes. There was a soggy Bulwark interview last week with Jason Calacanis that kind of reveals how deep the delusion goes in terms of what Starlink actually is:

The SpaceX IPO insists — and Calacanis dutifully believes — that it’s trivial for Starlink to jump from a niche satellite broadband solution with a little over 10 million subscribers — to a massive economic powerhouse with 300-500 million subscribers. Calacanis waxes poetic about Starlink providing bandwidth to every phone in the world and surpassing even Netflix in terms of total subscribers.

But in a way that’s highly representative of modern Silicon Valley, Calacanis doesn’t actually care about how the tech works, or even if it works. Calacanis is interested in unchecked wealth accumulation, and propping up the unbridled profit-seeking of a personal friend.

The thing is: to meaningfully grow, Starlink will need to start seriously competing on price to counter competitors (like Amazon) coming into the space. But the cost of endlessly replacing LEO (low Earth orbit satellites) is immense (SpaceX says each satellite has a five year lifespan, but it’s arguably much lower). And ARPU is already dropping for Starlink as the company tries to drum up new subscribers.

Calacanis insists Starlink’s just a hop, skip, and a jump from being even bigger than Netflix. But for Starlink to even sniff those kinds of numbers, it would have to intensely compete with deeply-entrenched and politically-powerful telecom monopolies, and fiber optic broadband and 5G/6G networks less constrained by the rules of physics. They’ve also got to compete with a rising tide of community-owned fiber.

As Starlink grows its subscriber base, it’s not only going to see its ARPU drop faster, but data shows it’s going to run into new capacity constraints. That means more annoying network management practices that throttle video, limit services, and generally degrade performance. We’re already starting to see the impact of this with network slowdowns and “congestion fees” ranging upwards of $750 in some areas.

And this is, so we’re clear, a company that’s never seen fit to meaningfully invest in customer service, so as these problems grow, it’s unlikely they’ll be able to handle customer annoyance well.

Anybody claiming that Starlink is the ticket to vast riches is either lying to you or doesn’t understand how the technology actually works. Even if it can maintain its success as a viable niche connectivity option useful in rural markets and global battlezones, the high cost of maintenance means this is never going to be a major money maker. Though they clearly hope it will prove to be a semi-useful backbone for a major pump and dump scheme.

The ace Elon Musk is holding is corruption and cronyism leading to regulatory favors and massive new subsidies, but it’s not clear even that’s going to be enough.

Cecilia Kang at the New York Times has an interesting article about how the Trump FCC has been doing cartwheels trying to prop up the Musk IPO — especially as it pertains to Starlink. That has included not just abandoning any meaningful regulatory oversight of “space junk” and orbital safety, but launching dodgy investigations into companies that hold spectrum Musk wants for himself.

Elon Musk bought himself a Presidency, and it continues to pay off handsomely:

“Carr has taken multiple actions for which Musk was the prime beneficiary,” said Blair Levin, an adviser to New Street Research, an investment research firm, and a former chief of staff at the F.C.C. He added that Starlink “has gotten a huge amount from the Trump administration and Carr.”

Carr has tried to justify his favoritism of Musk by saying he’s also rubber stamped the LEO satellite policy interests of Jeff Bezos and Amazon. But as we’ve consistently established around here, nothing Carr does is driven by any sort of good faith concern about the public interest.

The funny part is that the New York Times doesn’t even mention that the Trump administration has also hijacked the 2021 infrastructure bill to redirect potentially billions of dollars to Elon Musk and Jeff Bezos (I should have an upcoming feature on this over at The Verge). This is money being directed away from affordable fiber and toward two billionaires — for networks they already planned to build.

More specifically, the Trump NTIA under former Ted Cruz staffer Arielle Roth changed the language of the $42.5 billion Broadband, Equity, Access, and Deployment (BEAD) program so that Musk and Bezos would be the prime beneficiaries. They also stripped out any language requiring that internet access built with taxpayer money had to be affordable or equitably deployed with an eye on fairness.

Musk and Calacanis types try to brush functional oversight for taxpayer spending as unnecessary “wokeness.” But the ongoing BEAD saga involves an historic hijacking of Congressionally-mandated funds by bad faith actors; so it’s curious the New York Times didn’t think it was worth mentioning in a story about how unethically cozy the Trump administration and Musk are.

Like most of the SpaceX IPO this will all be proven out over time. Long after people have had their retirements account raided, or small towns have had their infrastructure hopes hijacked. Consumers, taxpayers, and labor will, as is usually the case, be left holding the bag. And the folks that made it possible will already be off to the next big thing leaving people of conscience to clean up the mess.

Filed Under: competition, corruption, cronyism, elon musk, fcc, leo satellites, spacex ipo, taxpayers, telecom

Companies: spacex, starlink, twitter, x, xai

To bring about the Parameter-to-Prompt Injection an attacker sends the target an email that contains the URL with the syntax https://m365.cloud.microsoft/search/?auth=2&origindomain=microsoft365&q=. The field contains an instruction. Copilot readily complied.

“The search functionality is exactly what attackers need, because even with limited capabilities, a user with access to critical information is enough,” the researchers wrote Monday. “To exfiltrate the data, an attacker crafts a URL that tells Copilot to ‘Search the user’s emails,’ extract the title, and embed it in an image URL.” The victim doesn’t type anything. They click a link, and Copilot does the rest.

Normally, the guardrail wrapping output in blocks would kick in. But the researchers discovered that the protection fires only after the “thinking” phase. Prior to that, Copilot generated its response using raw HTML, which is temporarily rendered in the browser DOM.

The researchers wrote:

So, the sequence looks like this:

1. Copilot starts streaming its response, which includes an tag
2. The browser sees the , renders it, and fires off an HTTP request to the src URL
3. Copilot finishes generating. The guardrail wraps everything in
4. Too late! The request already left.