Linux’s 15-Year Secret Is Out

23

Nebula Security didn’t just find a bug. They found GhostLock (CVE-2025-4349), a use-after-free flaw that lived in the Linux kernel for fifteen years. Hidden. Unnoticed. It lets any logged-in user become root.

No special permissions needed. No network access required.

Since 2011, this flaw shipped in almost every mainstream distro. Nebula’s AI tool, VEGA, caught it. The exploit escapes containers. In tests it worked 97% of the time. They earned $92,337 from Google’s kernelCTF program.

It was patched in April.

But wait.

Is your system safe? Ubuntu listed versions 24.04 through 20.04 as vulnerable as of early July. Defenders should check their packages. Don’t assume a fix is waiting.

VEGA found this as part of a trend. Automated tools are combing through old code few humans have reread.

Flock Cameras & The Typhoon of Errors

“Hands on their guns.”

Joel Feder from The Drive was boxed in by four police cars. It happened in a Kohl’s parking lot. Late June. Plymouth, Minnesota.

Flock’s license plate cameras flagged his $155k Range Rover as stolen. The car was a test mule loaned from a dealer. The cops had tracked him for days.

Why? A typo.

2,000 miles west in Los Angeles, a Jaguar Land Rover plate was reported lost. The entry was 34 03 DDT but typed as 34 DDT. The middle digits dropped.

Flock read the large chars. Ignored the weird format. Started alerting cops on every match.

Four other Land Rovers were being watched that same week. Feder got stopped first. The plate wasn’t stolen. Misplaced during a photoshoot.

This happened two weeks after The Drive reported on Flock overreach. The irony burns.

Other Noise

Amid warnings about Volt Typhoon hackers pre-positioning in US critical infrastructure, insurers ran a war game. They found a menacing threat.

Meanwhile ICE’s oversight group opened over 100 files. Target: online critics. They cite doxing. Threats against employees.

The EU voted on the “Chat Control” bill. Tech firms can now scan private messages again. Aims to stop child abuse material. The Parliament extended the law. A majority voted no. It passed anyway.

MSG kept a database of fans. Taylor Swift wedding guests? Categorized. Labels like “DO NOT HOST.” Or “high risk.”

On a lighter note.

Scammers hijacked gov’t sites to peddle OnlyFans leaks. Copyright complaints from the creators themselves brought them down. People stayed safe.

The Accenture Breach

Accenture got hit. An actor called “888” claims they lifted 35 GB. Source code. Keys. Tokens.

It’s listed on a dark web forum. Accenture calls it an isolated incident. Remediated. No operational impact. They won’t say what was taken. Or how.

BleepingComputer saw a screenshot of a cloned Azure DevOps repo.

This isn’t 888’s first swing at them. Or the company’s first hit. LockBit hit Accenture in 2021.

Bad timing. Accenture runs ICE’s cyber defense. $56.5m contract. Ends this August. Recompeting now.

$22k Hackers?

The Pentagon wants hackers. Not graduates. Just people with aptitude.

Cyber RAP offers 12-month gigs. Learn to guard DoD networks.

Pay? $22,584 a year.

You wash out? You owe them back the training cost. CIO Kirsten Davies calls it ditching gatekeeping for patriotic drive.

Raw aptitude. No living wage.