The careful reader may note that my title is not quite accurate. It’s not every dependency you add that’s a problem; it’s every dependency you update.

Why not put that in the title, Mr. Hoyt?

Sometimes it’s lowkenuinely

Tl;dr: It’s “give us $300 million (which we know you won’t do), or we’ll order everyone involved in hosting your site to give up your name and address.”

For now, the monetary judgment is mostly a victory on paper, as recouping money from an unknown entity is impossible. For this reason, the music companies also requested a permanent injunction.

Permanent Injunction Targets Domains In addition to the damages award, Rakoff entered a permanent worldwide injunction covering ten Anna’s Archive domains: annas-archive.org, .li, .se, .in, .pm, .gl, .ch, .pk, .gd, and .vg.

Domain registries and registrars of record, along with hosting and internet service providers, are ordered to permanently disable access to those domains, disable authoritative nameservers, cease hosting services, and preserve evidence that could identify the site’s operators.

The judgment names specific third parties bound by those obligations, including Public Interest Registry, Cloudflare, Switch Foundation, The Swedish Internet Foundation, Njalla SRL, IQWeb FZ-LLC, Immaterialism Ltd., Hosting Concepts B.V., Tucows Domains Inc., and OwnRegistrar, Inc.

Anna’s Archive is also ordered to destroy all copies of works scraped from Spotify and to file a compliance report within ten business days, under penalty of perjury, including valid contact information for the site and its managing agents. That last requirement could prove significant, given that the identity of the site’s operators remains unknown.

A Way Out, at a Price In theory, Anna’s Archive has the option to prevent the domain suspension. The permanent injunction allows the site to seek relief from this measure, after showing that it has paid the full $322 million damages award and complied with all injunctive obligations.

That’s an unlikely option, to say the least. At the same time, however, it is not guaranteed that the site’s domain names will be suspended.

As reported previously, several domain names, including the Greenland-based .gl version, are linked to registries and registrars outside the jurisdiction of the U.S. court. As such, they previously did not comply to the preliminary injunction, and it is unknown whether the latest order changes that.

In September 2024, Amandla Thomas-Johnson was a Ph.D. candidate studying in the U.S. on a student visa when he briefly attended a pro-Palestinian protest. In April 2025, Immigration and Customs Enforcement (ICE) sent Google an administrative subpoena requesting his data. The next month, Google gave Thomas-Johnson’s information to ICE without giving him the chance to challenge the subpoena, breaking a nearly decade-long promise to notify users before handing their data to law enforcement.

Microsoft seems to have stripped away mentions of the “Copilot” brand in the Windows Insider version of the Notepad app. The Copilot button in the toolbar is gone, and instead, you’ll find a writing icon which will present you AI-powered writing assistance, such as rewrite, summarize, tone modification, format configuration, and more. Additionally, “AI features” in Notepad settings has been renamed to “Advanced features” and it allows users to toggle off AI capabilities within the app.

*and also burning everyone else’s money at the same time.

“One-time license… includes all future updates”

Where have I heard that before?

Bending Spoons identifies a popular product it thinks it can improve inside and out

*for most people on the internet.

For the rest of us, it’s important to be able to look inside of a thing we’re using and see that it’s not going to fry our machine, or use it to mine crypto, or spy on us.

A highly sophisticated, unpatched zero-day exploit is actively targeting users of Adobe Reader. Detected by the EXPMON threat-hunting system, this malicious PDF file is designed to steal sensitive local data and perform advanced system fingerprinting.

The exploit functions flawlessly on the latest version of Adobe Reader. It requires no user interaction beyond simply opening the malicious document.

The attack begins when a victim opens a specially crafted PDF, initially submitted to malware analysis platforms under the file name “yummy_adobe_exploit_uwu.pdf”.

It should.

Signal has internal settings for exposing or not exposing the sender/content of messages to iOS notifications.

In a public update, developer Mounir Idrassi reported the account was shut down without warning, explanation, or an apparent appeal process.

“I have encountered some challenges but the most serious one is that Microsoft terminated the account I have used for years to sign Windows drivers and the bootloader. This termination impacts my work beyond VeraCrypt and has consequences for my daily job. Currently I’m out of options.”

This is significant because VeraCrypt is a cross-platform encryption application for Windows, macOS, and Linux. On Windows, it supports system encryption features that require signed components, including drivers and the bootloader.

According to Idrassi, the account termination prevents the project from continuing its standard Windows signing process. Independent reporting indicated that losing signing access could stop VeraCrypt from releasing updated Windows builds before a certificate-related deadline, potentially causing boot issues for some users with system encryption enabled.

In other words, if you’re a Windows user who uses VeraCrypt, you have reason to be concerned. In the newly surfaced GitHub issue, the reporter says VeraCrypt’s DcsBoot.efi appears to be signed through the Microsoft Corporation UEFI CA 2011 chain and warns that this will stop working on June 27, 2026. The issue also says that on some Windows 11 systems, this could trigger Secure Boot warnings or even cause the boot option to be ignored.

So, if VeraCrypt cannot restore its Windows signing path or ship updated signed components in time, the project could face a real Secure Boot-related deadline on affected systems.

Emphasis mine

Basically, they didn’t do this:

(I’m on Android, so I don’t know what the options look like in iOS, but they should be identical.)

More like What silly spell did she cast?

Reminded me of this:

https://www.youtube.com/watch?v=y2xkFSvSv7o

Is there anyone in the open source office suite space that has their shit together?

I was looking for alternatives now that I’m committed to migrating away from Microsoft, and it feels like moving from one room where everything’s on fire to… another room where everything’s also on fire.