
Quid Pro Cybertruck

1 Comment

Jack Ewing, reporting for The New York Times:

The department’s procurement forecast for 2025, which details purchases the agency expects to make, includes $400 million for armored Tesla vehicles. The document does not specify which Tesla model, but the electric Cybertruck, which has a body of high-strength stainless steel, would be the most suitable vehicle.

Mr. Musk spent more than $250 million to help elect Mr. Trump, who then appointed him as the leader of a cost-cutting initiative that’s been called the Department of Government Efficiency.

The purchase of Cybertrucks, an atypical choice for government armored transport, is likely to raise conflict of interest issues, especially as Mr. Musk trumpets his own efforts to root out what he regards as unnecessary spending.

“Likely to raise” is doing a lot of work there. There’s just no way this is good clean procurement and everyone knows it. Either Musk should run his businesses and have nothing to do with the government or he should defer from accepting any and all government contracts for his businesses. Even someone trying to do this ethically couldn’t manage it; it’s inherently unethical. And Musk isn’t trying to do it ethically. By all accounts here, the Cybertruck isn’t even vaguely a good vehicle for the purpose of the State Department’s needs here. They need normal “big SUVs”, like Ford Expeditions and Chevy Suburbans. But Tesla doesn’t make any of those, so $400 million worth of Cybertrucks it is.

One side is powerless, at the moment, to stop it, and the other side is in the midst of a full-on embrace of partisan corruption as policy.

One thing that makes Trump so hard to reckon with is that his graft is right out in the open. He ran a luxury hotel with his fucking name on it two blocks from the White House during his first term, and everyone with business before his administration — like when T-Mobile was trying to get approval for its acquisition of Sprint — knew they were expected to stay there.

Pre-Trump, it was the “catching” of concealed dealmaking and bribery that signaled corruption being rooted out. But you can’t get “caught” doing something that’s right out in the open. We just have to call it what it is: abject corruption.

See also: Jimmy Carter’s 2017 op-ed: “You People Made Me Give Up My Peanut Farm Before I Got To Be President”.

martinbaum
8 days ago
This was a Biden administration contract and was paused before the end of business today by the current State Dept. So, um, maybe harp on something else? There's plenty of other stuff to choose from.

★ ICE Raids Are an Escalation of Our Long-Simmering De Facto Cold Civil War

1 Comment

Sareen Habeshian and Russell Contreras, reporting for Axios, “Mayor Accuses ICE of Detaining Vet, U.S. Citizens in N.J. Immigration Raid”:

Immigration and Customs Enforcement (ICE) agents raided a Newark, New Jersey, business venue on Thursday and detained undocumented immigrants as well as U.S. citizens without warrants, the city’s mayor said. [...]

ICE agents entered the Ocean Food Depot restaurant where owner Luis Janota said around a dozen immigration authorities detained three people after receiving a complaint, PIX11 News in New York reports.

“I asked [the agents] what documentation they were looking for, and they said it was a license or a passport. I thought, who walks around with a passport?” Janota told the station. Janota said among the workers questioned was the manager of the restaurant’s warehouse, a Puerto Rican man and military veteran. Puerto Ricans are U.S. citizens.

“It looked to me like they were specifically going after certain kinds of people — not every kind, because they did not ask me for documentation or my American workers, Portuguese workers or white workers.”

That these raids are beginning and will surely escalate is no surprise. Trump campaigned heavily on the promise of mass deportations of undocumented immigrants. This is an issue where he’s doing what he said he’d do.

But there’s an obvious aspect of where these raids are taking place that isn’t being talked about enough. During the campaign Trump broadly promised to deport all of “them”. Even as recently as December he told NBC News’s Kristen Welker, in an interview on Meet the Press, that his aim was to deport all undocumented immigrants in the US.

The raids are taking place in deep blue cities in blue states. These are places that voted heavily against Trump. People in Newark didn’t vote for this. People in Chicago, Philadelphia, New York, and Boston didn’t vote for this. If this was really about following through on the popular demand of the voters who elected Trump, who see undocumented immigrants as a scourge on their communities, wouldn’t these raids focus on the states that voted for Trump — like, say, Texas and Arizona, which actually border on Mexico?

Liberals, who are more empathetic by nature, tend to focus on the direct human toll of immigration enforcement. Adam Serwer’s 2018 essay for The Atlantic is, if anything, more relevant today than when he wrote it: “The Cruelty Is the Point”. (Sub-head: “President Trump and his supporters find community by rejoicing in the suffering of those they hate and fear.” Also, Serwer expounded upon the argument into a best-selling book of the same title.) Those with bleeding hearts have trouble looking past the heartbreak of these raids.

But the second-order effect of widespread deportations will be economic. Undocumented workers make up a remarkably large sector of the US economy. The economic effects of mass deportations will be local, directly affecting the communities and cities where the deportations occur. Focusing these ICE raids on blue cities in blue states is, first and foremost, an attack on these immigrants themselves and their families and friends. But if, as I expect they will, the raids mostly or exclusively take place in Democratic cities and communities in Democratic states, it’s a de facto economic attack on blue states.

Trump voters in red states will get to enjoy watching footage of the raids on TV and social media, but it won’t be their neighbors getting deported, not their contractors and custodians and dishwashers, and it won’t be their communities whose economies suffer as a result. It’s seemingly impractical operationally and would be ruinous economically for the Trump administration to actually try to deport all undocumented immigrants in America. What is practical operationally are targeted raids in big cities. And the deleterious economic effects will be largely contained to those cities. It’s a big “fuck you” to blue states.

I’ve altered my media diet significantly after the election, deliberately choosing to skim, rather than consume, news regarding political affairs outside my interests in the tech industry in general and, of course, Apple in particular. I wrote a few weeks ago, in my column on Zuckerberg’s content-moderation-policy zig-zag at Meta:

My take on Trump post-election has been to stop paying attention, as best I can, to anything he says. I’m only paying attention to what he does. With any other national leader, there’s a correlation between their words and their eventual actions that makes paying attention to what they say worthwhile. With Trump, there’s almost no correlation, and his endless stream of outrageous proclamations amounts to nothing but a distraction.

This entire post is in contravention of my own guideline quoted above. But I’m making a hopefully rare exception on this undocumented immigration enforcement issue because so much attention, from both sides, is focused on the cruelty and heartbreak. And it does come down to paying attention to what Trump and his administration do, not say. He says they’re targeting all undocumented immigrants, but so far they’re only targeting those who live in places that are popularly opposed to it. And that’s where the costs — both emotional and economic — will be felt.

martinbaum
28 days ago
I'm sure this week's ICE detainees in Texas, Utah and Florida don't read Gruber, but if they did, they may question his central thesis.

★ I Wonder

2 Comments and 3 Shares

Jeff Bezos, yesterday at 10:29am on X:

Big congratulations to our 45th and now 47th President on an extraordinary political comeback and decisive victory. No nation has bigger opportunities. Wishing @realDonaldTrump all success in leading and uniting the America we all love.

Mark Zuckerberg, yesterday on Threads (natch) at 11:50am:

Congratulations to President Trump on a decisive victory. We have great opportunities ahead of us as a country. Looking forward to working with you and your administration.

Sundar Pichai, yesterday on X at 12:02pm:

Congratulations to President @realDonaldTrump on his decisive victory. We are in a golden age of American innovation and are committed to working with his administration to help bring the benefits to everyone.

Satya Nadella, yesterday on X at 12:36pm:

Congratulations President Trump, we’re looking forward to engaging with you and your administration to drive innovation forward that creates new growth and opportunity for the United States and the world.

Tim Cook, yesterday on X at 1:14pm:

Congratulations President Trump on your victory! We look forward to engaging with you and your administration to help make sure the United States continues to lead with and be fueled by ingenuity, innovation, and creativity.

I wonder how much Cook dithered over that cheerful-looking exclamation mark. I hope he regrets it. I wonder whether the latter four knowingly made the error of addressing former president and president-elect Trump as “President Trump”. Our nation only has one president at a time, and that president remains Joe Biden. I wonder too, what taste Cheetos-dusted 78-year-old testicles leave in one’s mouth. Whatever the flavor, I hope it lingers.

martinbaum
107 days ago
Someone should tell Gruber that you still use the honorific "President" for any past president. It's still President Carter, and that was 44 years ago.
1 public comment
rtreborb
104 days ago
Tell me you're bitter without telling me you're bitter...
San Antonio, TX

Google Maps Tests New Pop-up Ads That Give Users an Unnecessary Detour

2 Comments

An anonymous reader writes: Google Maps is testing a new ad format that could cause distractions while driving. It brings up a pop-up notification during navigation that covers the bottom half of the screen with an unnecessary detour suggestion.

Anthony Higman on X (formerly Twitter) recently spotted the new ad format during their commute. According to Higman, the ad popped up while passing a Royal Farms gas station, even though they did not search for a gas station or convenience store while setting their destination. The ad has a Sponsored tag at the top of the card, followed by the name of the location, its review rating, and the estimated arrival time. It also includes two buttons to add it as a stop or cancel the suggestion.

martinbaum
227 days ago
Somehow I think they won't attempt this in CarPlay.
1 public comment
jepler
228 days ago
Looks like I need to figure out how to use organicmaps while in the car :( :(
Earth, Sol system, Western spiral arm

What Your Favorite ’90s Band Says About the Kind of Bored Suburban Mom You Are Today

4 Comments and 9 Shares

Veruca Salt: Like Captain Ahab, you are defined by an all-absorbing monomaniacal obsession: to find comfortable shoes that aren’t hideous.

Pavement: You spent your twenties watching movies off the Criterion Collection to impress boys, and it actually worked, so now you’re stuck with plotless black-and-white subtitled movies forever.

Smashing Pumpkins: You’ve disowned family members because they weren’t supportive enough of your career (i.e., they stopped buying the rash-inducing makeup and/or piss-scented essential oils from your MLM company).

Nirvana: You could never be one of those stereotypical soccer moms. (Your kids play lacrosse.)

Nine Inch Nails: You’re learning to pretend that gardening is an adequate replacement for the sexual adventures of your youth.

Eve 6: You go to PTA meetings just so you can whisper “critical race theory” into the microphone and then slip out the back door amid the pandemonium.

Jane’s Addiction: You suddenly realize you’ve saved a little money. You can’t decide if you should use it to fix your roof, your vision, your garage door, your feet, your skin, your wet basement, your dry vagina, your broken sidewalk, or your broken mental health. Before you choose, the dentist informs you that your kids need braces.

The Cardigans: In your quest to find comfortable shoes that aren’t hideous, you’ve convinced yourself that, with the right attitude, flats can be sexy. Unfortunately, your attitude is “desperately trying to make flats sexy.”

Neutral Milk Hotel: You vowed you’d never get a minivan. You got an SUV with a third row.

Mazzy Star: You have not yet admitted to yourself that succulents and macrame wall hangings are your generation’s Live Laugh Love decor.

Rage Against the Machine: You use the term “journey” to describe your training for a charity 5K, changes to your skincare routine, your evolving relationship with gluten, the fact that you occasionally take a yoga class, and your secretly failing marriage.

The Cranberries: Because you procrastinated so long on covering your grays, and now people think you’ve chosen to age gracefully, you’ve become a minor feminist icon.

Bikini Kill: You talk about your produce choices way too much, and now your friends’ secret nickname for you is “manic organic dream girl.”

Everclear: After hearing about the resurgence of lower back tattoos, you started an organization to educate young women on the dangers of the Tramp Stamp.

4 Non Blondes: You knit, and you’ve already given everyone you know a scarf. Time to retreat into decades of obscurity until people start having grandkids so you can make them baby blankets and regain some semblance of a purpose in life.

Pearl Jam: You’ve spent an inordinate amount of time on your town’s Facebook page complaining about how your favorite restaurant raised its credit card fees.

Blur: Just try to talk to you about TV without you explaining that the British Office was better than the American Office.

Garbage: You tell yourself you’re microdosing shrooms for creativity and productivity benefits, but in reality it’s the only way you can deal with the other moms at the playground.

Cake: Your entire identity is built around being Karen who is not a Karen.

Ben Folds Five: You know that no amount of glitter, hot glue, and parchment paper will fill the gaping pit of loneliness that is your middle-aged existence, but you’ll be damned if you aren’t going to at least try to craft your way out of this crippling depression.

No Doubt: You’ve finally given up on the quest to find comfortable, non-hideous shoes, but you still pretend your Birkenstocks are part of the “ironically ugly shoes” fashion trend.

Hanson: You’ve lost multiple friends because you say “don’t yuck my yum” too often.

Porno for Pyros: In a misguided attempt to bond, you showed your daughter a YouTube video of yourself flashing Perry Farrell at the original Lollapalooza. (“Look, honey, we have the same boobs!”)

Sixpence None the Richer: You love the Royal Family more than your own.

Hole: You don’t understand what the Bad Art Friend did wrong.

Harvey Danger: You can’t get through a single conversation without mentioning your junior year abroad in Paris.

Stone Temple Pilots: You put a HATE HAS NO HOME HERE sign in your front yard, and it’s not a lie, because technically hate is not the same thing as smoldering resentment, all-consuming envy, quiet hostility, and vindictive plotting to use subterfuge, fraud, or witchcraft to destroy the life of that stuck-up bitch in the charming Cape Cod across the street.

Letters to Cleo: You’re living a life less ordinary. (You have one kid or three kids instead of two kids.)

Dave Matthews Band: Your regular family is about to leave you because you won’t shut the fuck up about your CrossFit family.

Radiohead: Every minor challenge of your life has been a warmup for this ongoing crisis: going through perimenopause while your kid is going through puberty.

- - -

SEE ALSO:

What Your Favorite ’90s Rock Band Says About the Type of Bored Suburban Dad You Are Today

martinbaum
287 days ago
These are painfully funny.
2 public comments
fxer
287 days ago
> Mazzy Star: You have not yet admitted to yourself that succulents and macrame wall hangings are your generation’s Live Laugh Love decor.
Bend, Oregon
hannahdraper
288 days ago
Oh, no… my favorite band on the list is absolutely me.

Eve 6: You go to PTA meetings just so you can whisper “critical race theory” into the microphone and then slip out the back door amid the pandemonium.
Washington, DC

Why Your VPN May Not Be As Secure As It Claims

2 Comments

Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target’s traffic off of the protection provided by their VPN without triggering any alerts to the user.

Image: Shutterstock.

When a device initially tries to connect to a network, it broadcasts a message to the entire local network stating that it is requesting an Internet address. Normally, the only system on the network that notices this request and replies is the router responsible for managing the network to which the user is trying to connect.

The machine on a network responsible for fielding these requests is called a Dynamic Host Configuration Protocol (DHCP) server, which will issue time-based leases for IP addresses. The DHCP server also takes care of setting a specific local address — known as an Internet gateway — that all connecting systems will use as a primary route to the Web.

VPNs work by creating a virtual network interface that serves as an encrypted tunnel for communications. But researchers at Leviathan Security say they’ve discovered it’s possible to abuse an obscure feature built into the DHCP standard so that other users on the local network are forced to connect to a rogue DHCP server.

“Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway,” Leviathan researchers Lizzie Moratti and Dani Cronce wrote. “When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.”

The feature being abused here is known as DHCP option 121, and it allows a DHCP server to set a route on the VPN user’s system that is more specific than those used by most VPNs. Abusing this option, Leviathan found, effectively gives an attacker on the local network the ability to set up routing rules that have a higher priority than the routes for the virtual network interface that the target’s VPN creates.

“Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface,” the Leviathan researchers said. “This is intended functionality that isn’t clearly stated in the RFC [standard]. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.”

Leviathan found they could also force hosts on the local network that already had a VPN connection to request a new DHCP lease. In this well-documented tactic, known as a DHCP starvation attack, an attacker floods the DHCP server with requests that consume all available IP addresses that can be allocated. Once the network’s legitimate DHCP server is completely tied up, the attacker can then have their rogue DHCP server respond to all pending requests.

“This technique can also be used against an already established VPN connection once the VPN user’s host needs to renew a lease from our DHCP server,” the researchers wrote. “We can artificially create that scenario by setting a short lease time in the DHCP lease, so the user updates their routing table more frequently. In addition, the VPN control channel is still intact because it already uses the physical interface for its communication. In our testing, the VPN always continued to report as connected, and the kill switch was never engaged to drop our VPN connection.”

The researchers say their methods could be used by an attacker who compromises a DHCP server or wireless access point, or by a rogue network administrator who owns the infrastructure themselves and maliciously configures it. Alternatively, an attacker could set up an “evil twin” wireless hotspot that mimics the signal broadcast by a legitimate provider.
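As an added illustration of the routing point above (this is not code from the Leviathan write-up or from KrebsOnSecurity), the following Python decodes an option 121 value in the RFC 3442 classless-static-route encoding and then applies longest-prefix matching to show which destinations a pushed route pulls off the tunnel. It assumes the common VPN layout of two /1 routes over a tunnel interface plus a host route to the VPN server over the physical interface; the interface names, the addresses and the option bytes are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed option 121 value (not a real capture): a default route via the
# LAN router, then two more-specific routes pointing at an assumed rogue
# gateway 192.168.1.50.  RFC 3442 encoding per route: prefix length (1 byte),
# only the significant destination octets (ceil(prefix/8)), router (4 bytes).
SAMPLE_OPTION_121 = (
    b"\x00" + b"\xc0\xa8\x01\x01"                          # 0.0.0.0/0 via 192.168.1.1
    + b"\x18" + b"\xc6\x33\x64" + b"\xc0\xa8\x01\x32"      # 198.51.100.0/24 via 192.168.1.50
    + b"\x19" + b"\xcb\x00\x71\x80" + b"\xc0\xa8\x01\x32"  # 203.0.113.128/25 via 192.168.1.50
)


def parse_option_121(payload: bytes) -> List[Route]:
    """Decode a DHCP option 121 value into (destination network, router) pairs."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        prefix_len = payload[i]
        i += 1
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        n_sig = (prefix_len + 7) // 8  # significant destination octets present
        if i + n_sig + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = payload[i:i + n_sig] + b"\x00" * (4 - n_sig)
        i += n_sig
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        # strict=False tolerates senders that leave host bits set in the prefix
        routes.append((ipaddress.IPv4Network((dest, prefix_len), strict=False), router))
    return routes


def leaked_destinations(dhcp_routes: List[Route], vpn_server: str,
                        destinations: List[str]) -> List[str]:
    """Return the destinations that longest-prefix matching sends off the tunnel.

    Assumed host routing table: the VPN covers all of IPv4 with 0.0.0.0/1 and
    128.0.0.0/1 via tun0 and keeps a /32 host route to its own server via the
    physical interface eth0; every option 121 route also lands on eth0.
    """
    vpn_addr = ipaddress.IPv4Address(vpn_server)
    table = [
        (ipaddress.IPv4Network("0.0.0.0/1"), "tun0"),
        (ipaddress.IPv4Network("128.0.0.0/1"), "tun0"),
        (ipaddress.IPv4Network(f"{vpn_addr}/32"), "eth0"),
    ] + [(net, "eth0") for net, _router in dhcp_routes]
    leaks = []
    for dst in destinations:
        addr = ipaddress.IPv4Address(dst)
        candidates = [(net.prefixlen, iface) for net, iface in table if addr in net]
        _, iface = max(candidates, key=lambda c: c[0])  # most specific route wins
        if iface != "tun0" and addr != vpn_addr:
            leaks.append(dst)
    return leaks


if __name__ == "__main__":
    routes = parse_option_121(SAMPLE_OPTION_121)
    for net, router in routes:
        print(f"option 121 route: {net} via {router}")
    probes = ["198.51.100.7", "203.0.113.200", "203.0.113.5", "8.8.8.8"]
    print("off-tunnel:", leaked_destinations(routes, "192.0.2.10", probes))
```

The /0 default route loses to the VPN's /1 routes, which is why only the two more-specific pushed prefixes end up on the physical interface; a client that logs or refuses option 121 routes more specific than its tunnel routes would catch exactly those.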

ANALYSIS

Bill Woodcock is executive director at Packet Clearing House, a nonprofit based in San Francisco. Woodcock said Option 121 has been included in the DHCP standard since 2002, which means the attack described by Leviathan has technically been possible for the last 22 years.

“They’re realizing now that this can be used to circumvent a VPN in a way that’s really problematic, and they’re right,” Woodcock said.

Woodcock said anyone who might be a target of spear phishing attacks should be very concerned about using VPNs on an untrusted network.

“Anyone who is in a position of authority or maybe even someone who is just a high net worth individual, those are all very reasonable targets of this attack,” he said. “If I were trying to do an attack against someone at a relatively high security company and I knew where they typically get their coffee or sandwich at twice a week, this is a very effective tool in that toolbox. I’d be a little surprised if it wasn’t already being exploited in that way, because again this isn’t rocket science. It’s just thinking a little outside the box.”

Successfully executing this attack on a network likely would not allow an attacker to see all of a target’s traffic or browsing activity. That’s because for the vast majority of the websites visited by the target, the content is encrypted (the site’s address begins with https://). However, an attacker would still be able to see the metadata — such as the source and destination addresses — of any traffic flowing by.

KrebsOnSecurity shared Leviathan’s research with John Kristoff, founder of dataplane.org and a PhD candidate in computer science at the University of Illinois Chicago. Kristoff said practically all user-edge network gear, including WiFi deployments, support some form of rogue DHCP server detection and mitigation, but that it’s unclear how widely deployed those protections are in real-world environments.

“However, and I think this is a key point to emphasize, an untrusted network is an untrusted network, which is why you’re usually employing the VPN in the first place,” Kristoff said. “If [the] local network is inherently hostile and has no qualms about operating a rogue DHCP server, then this is a sneaky technique that could be used to de-cloak some traffic – and if done carefully, I’m sure a user might never notice.”

MITIGATIONS

According to Leviathan, there are several ways to minimize the threat from rogue DHCP servers on an unsecured network. One is using a device powered by the Android operating system, which apparently ignores DHCP option 121.

Relying on a temporary wireless hotspot controlled by a cellular device you own also effectively blocks this attack.

“They create a password-locked LAN with automatic network address translation,” the researchers wrote of cellular hot-spots. “Because this network is completely controlled by the cellular device and requires a password, an attacker should not have local network access.”

Leviathan’s Moratti said another mitigation is to run your VPN from inside of a virtual machine (VM) — like Parallels, VMware or VirtualBox. VPNs run inside of a VM are not vulnerable to this attack, Moratti said, provided they are not run in “bridged mode,” which causes the VM to replicate another node on the network.

In addition, a technology called “deep packet inspection” can be used to deny all in- and outbound traffic from the physical interface except for the DHCP and the VPN server. However, Leviathan says this approach opens up a potential “side channel” attack that could be used to determine the destination of traffic.

“This could be theoretically done by performing traffic analysis on the volume a target user sends when the attacker’s routes are installed compared to the baseline,” they wrote. “In addition, this selective denial-of-service is unique as it could be used to censor specific resources that an attacker doesn’t want a target user to connect to even while they are using the VPN.”

Moratti said Leviathan’s research shows that many VPN providers are currently making promises to their customers that their technology can’t keep.

“VPNs weren’t designed to keep you more secure on your local network, but to keep your traffic more secure on the Internet,” Moratti said. “When you start making assurances that your product protects people from seeing your traffic, there’s an assurance or promise that can’t be met.”

A copy of Leviathan’s research, along with code intended to allow others to duplicate their findings in a lab environment, is available here.

martinbaum
291 days ago
Huh. Android as the go-to remedy. Had to happen eventually.
1 public comment
JayM
291 days ago
Heh.
Atlanta, GA