An anonymous reader quotes a report from Ars Technica: Authorities in the Netherlands said they dismantled a botnet that comprised more than 17 million devices and were managed by 200 servers in a joint operation by the police and the National Cyber Security Center. The action, announced Thursday, came about after a security researcher reported the sprawling network to authorities. The host infrastructure was located in the Netherlands. "The police then seized several botnet servers from a hosting provider for investigation," the NCSC said. "The botnet was taken offline by the provider because it was used for criminal purposes."

According to a report Thursday by the NL Times, the botnet was linked to ASOCKS, a Russia-based company that provides residential proxy services. These services cater to people and organizations who want to obscure their locations or identities by proxying their Internet traffic through third-party devices. Proxy services are often used for illicit or unethical purposes such as performing DDoS attacks, running botnet command-and-control servers, operating phishing operations, and scraping website content. [...] It's unclear how the 17 million devices controlled by the botnet taken down by the Dutch police came to be that way.

Rockstar Games has a 2,000-employee studio in Scotland called Rockstar North. And Thursday its workers announced they'd formed a union, reports the gaming news site Aftermath: The union [part of the wider Independent Workers of Great Britain (IWGB) union] includes workers from Rockstar Games offices in Leeds, London, Edinburgh, Dundee, and Lincoln, the Rockstar Games Workers Union said in a YouTube video published on Thursday... Last year, Rockstar Games employees told Aftermath that the company's insistence on return-to-office policies was a problem for many workers.

Rockstar Games, for its part, claimed the policies were related to productivity and security concerns... The video posted Thursday outlines what happened over the past several months, starting with the firing of more than 30 Rockstar Games employees in October 2025 for what the company said was "discussing confidential information in a public forum," a Rockstar Games spokesperson said in a statement to Bloomberg in November. The union disagreed: It said at the time that the workers were gathered in a private Discord server with employees and union organizers — the beginnings of the union announced Thursday. The IWGB is working to fight the firings in court.

Workers and outside union supporters gathered globally after the employees were fired, in front of Rockstar Games' offices, to protest what the union called union busting by Rockstar Games... "We believe the [firings] were unlawful and retaliatory — connected to the workers' collective activity of organizing at Rockstar," IWGB Game Workers Union co-founder Austin Kelmore told Aftermath at the time. "This action by Rockstar came shortly after reaching 10 percent of eligible workers at Rockstar in the union...." [10% is the threshhold for legal recognition by the U.K. government.] The workers have received support from government officials; in December, UK Prime Minister Keir Starmer called the firings of the unionizing workers "a deeply concerning case."

"A security researcher published a series of unpatched bugs in Microsoft products," reports TechCrunch, "along with code to exploit them."

Microsoft's response to the researcher? "Threatening to take legal action and call the cops on them." On Wednesday, Microsoft published a blog post criticizing the researcher, who goes by the handle "Nightmare Eclipse," for publicly disclosing a series of bugs, including BlueHammer, RedSun, UnDefend, and YellowKey. The flaws affected products such as the Windows built-in antivirus engine Defender and the disk-encryption tool BitLocker.

The core of Microsoft's complaints is that the researcher did not attempt to report the bugs so that the company could fix them. That would have been "responsible," as Microsoft's blog put it. The other side of the company's argument is that by publishing the details of the bugs and how to exploit them before they were patched, Nightmare Eclipse may have aided malicious hackers. Some of the vulnerabilities Nightmare Eclipse disclosed have since been used by hackers in real-world attacks, according to Microsoft, as well as the U.S. cybersecurity agency CISA. "Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity — coordinating as needed with law enforcement around the world," Microsoft wrote...

In a series of blog posts published in the last couple of weeks — without providing many specific details — Nightmare Eclipse claimed to have been in contact with Microsoft, but the company allegedly mistreated them, including revoking access to their Microsoft Security Response Center account, the portal where researchers can report vulnerabilities to the tech giant. Nightmare Eclipse's implication was that they had no choice but to release the vulnerabilities publicly... The researchers published the bugs on open source repositories GitHub (owned by Microsoft) and GitLab. The researchers' accounts on those platforms have been banned...

In response to this latest controversy with Nightmare Eclipse, countless researchers have shared their bad experiences reporting bugs to Microsoft.
Thanks to long-time Slashdot reader Elektroschock for sharing the news.

IBM and Red Hat are committing $5 billion to a new initiative called "Project Lightwell," which aims to secure open-source software supply chains with AI-assisted vulnerability discovery, triage, patch validation, and upstream maintenance. Longtime Slashdot reader wiggles shares a press release from IBM: IBM and Red Hat today announced Project Lightwell, a $5 billion commitment backed by new frontier AI capabilities and a global force of more than 20,000 engineers to help enterprises secure open source software. Together, these investments establish a new model for enterprise use of open source software, from upstream development through production environments.

Project Lightwell will establish a trusted enterprise clearinghouse combined with a global force of engineers to identify and fix vulnerabilities at scale. The clearinghouse will serve as a security coordination layer, using advanced AI capabilities to validate and test fixes across an unprecedented volume of open source code. These capabilities will be offered through commercial subscriptions, allowing enterprises to integrate secure patches directly into their existing software supply chains with enterprise-grade validation and lifecycle management.

IBM and Red Hat have already begun collaborating with a select group of early adopters on Project Lightwell, including Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa and Wells Fargo. The real-world insights from these initial deployments will actively shape how vulnerabilities are identified, validated, and remediated at scale across complex software supply chains.

An anonymous reader quotes a report from Ars Technica: Now sites have a new way to spy on their visitors: measuring subtle interactions with their solid-state drives. The technique, named FROST (fingerprinting remotely using OPFS-based SSD timing), allows sites to monitor other sites a visitor is viewing and what apps are open on their devices. The technique, laid out in a research paper (PDF), exploits a side channel, a form of leak resulting from physical manifestations such as electromagnetic emanations, data caches, or the time required to complete a task. By measuring the manifestations, attackers can decrypt encrypted traffic and infer other confidential data.

The attack that FROST uses is known as a contention side channel, which measures the interaction of various processes all using (or competing for) a given resource. By measuring the timing of certain I/O (input-output) operations of the SSD a visitor is using, the researchers were able to determine the websites open in other tabs -- even on other browsers -- and the apps that were open on the visitor's device. FROST requires no interaction from the visitor other than opening the site hosting the attack. [...] Unlike previous contention side-channel attacks on SSDs, FROST runs exclusively in the browser. It uses JavaScript that interacts with the OPFS (origin private file system), an allocated storage space that's reserved for a specific site to run code needed to complete a given task. Websites can create one with no interaction required by the visitor.

While each file system is sandboxed, meaning it's isolated from other websites and from the device system itself, the JavaScript can measure the I/O interactions. Then, by running those interactions through a pretrained convolutional neural network -- a system that uses deep learning to analyze text, audio, and images -- the attacker can deduce various apps and websites open on the device. "The attacker continuously measures SSD contention by performing random reads from a large OPFS file," the researchers explained. "SSD contention caused by user activity causes measurable latency differences for these read operations. By training a convolutional neural network (CNN) on these traces, the attacker can fingerprint user activity on the host system by classifying new traces using the trained model."

Linux stable kernel maintainer Greg Kroah-Hartman says Rust can help Linux deal with a flood of AI-discovered security bugs (namely Dirty Frag, Copy Fail, and Fragnesia) by preventing common C mistakes around memory, locking, error handling, and untrusted data at build time rather than during human review. It's "not a silver bullet" and does not mean rewriting the whole kernel, but he said new drivers and subsystems will increasingly use Rust as Linux evolves forward. ZDNet reports: Kroah-Hartman illustrated those pitfalls with real C bugs in the kernel, including a 15-year-old Bluetooth bug that dereferenced a pointer without checking it and a Xen bug where "we forgot to unlock" in an error path. "The majority of the bugs in the kernel are this tiny, minor stuff," he explained. "Error conditions aren't checked, locks aren't forgotten, unreleased memories leak, and vulnerabilities add up over time. They crash the kernel. This is what we live with in C. This is why we don't like it." Kroah-Hartman argued that the "best beauty of Rust" is catching those mistakes at build time rather than in review. For example, when it comes to locking, he highlighted Rust's locking abstractions in the kernel: "The only way you can get access to inner pointers of structures is by grabbing that lock, and releasing the lock automatically. The compiler does it, it's guarded, the lock happens, everything's happy. You just can't write code to access these values...without grabbing the lock. The compiler will not let you."

Those properties, he argued, directly remove a huge fraction of the bugs he sees: "This is going to save us those two things. First, 60% of the bugs in the kernel right there, they're gone. Thank you." The payoff is earlier, more automated enforcement: "If this happens at build time, not review time, don't make me a maintainer who has to read your code [and] say, 'Oh, then you properly check that error value. Oh, did you properly grab the locks in the right spot?' Rust gives us that for free. This is the best thing ever." Even if Rust vanished tomorrow, Kroah-Hartman argued, it has already forced the kernel to clean up C code and interfaces. He credited Rust's influence outright: "We stole this from Rust. Thank you. It's a good idea, so if Rust disappeared tomorrow, we have cleaned up the C code in the kernel so much and taken in the ideas. We thank you, you've made Linux better with it just by existing."

[...] What ultimately sold a number of core maintainers, including him, on Rust was how it "makes reviewing code easier." With CI [Continuous Integration] bots enforcing builds and Rust's type system enforcing key invariants, maintainers can "focus on the logic" rather than resource bookkeeping: "I can care about that one function. I don't have to worry about the rest of this stuff, because I assume that it works properly, because it was built properly." Internally, he said, the top maintainers have already made their call on Rust's status: "The Linux kernel maintainers, we get together every year and talk about what the processes are doing. Last year, we said the Rust experiment is over. It's not an experiment. This is for real." The rationale: "The people behind it are real. We trust them. We know what they're doing. They've shown and put in the work to make Rust a viable language in the kernel, and we're going to make this stick. Let's go full speed ahead. And, as always," he said wryly, "world domination proceeds." "If you never remember anything else in my talk, just remember these four words. It came from Microsoft Security many, many years ago," Kroah-Hartman told attendees. "They realized all input is evil. You have to validate all input."

wiredmikey shares a report from SecurityWeek: Anthropic says its Claude Mythos model discovered thousands of severe vulnerabilities across more than 1,000 open source software (OSS) projects. According to the AI giant, Mythos Preview has identified more than 23,000 potential vulnerabilities. Of these, 1,900 have been reviewed by external security firms, and 1,726 have been confirmed, including over 1,000 rated "high" or "critical" severity.

The findings are still being reviewed, and Anthropic estimates that nearly 3,900 critical and high-severity vulnerabilities will be confirmed based only on current findings. As the scans are ongoing, the company believes the number of severe vulnerabilities may reach 6,200. Anthropic says more than 1,100 unverified findings have been reported to vendors, and 75 issues with a critical or high severity rating have been patched. Vendors have published 65 security advisories. "The number of patches is still relatively low for three reasons. First, we're still early in the 90-day window that's set out in our Coordinated Vulnerability Disclosure policy: we expect many more patches to land soon," the AI company explained.

"Second, we are likely to be undercounting patches because some vulnerabilities are patched without a public advisory: in those cases, we're reliant on scanning for the patches ourselves using Claude. Third, the low volume of patches reflects a genuine problem: even at our relatively slow pace of disclosures, Mythos Preview is adding to an already-overloaded security ecosystem," it added.

Tech industry layoffs may be worse at large tech companies than the rest of the IT industry. The New York Times argues those layoffs have now shifted the culture at Big Tech companies, after interviewing more than two dozen of their workers. "Cooperation and collegiality are on the wane; chumminess between employees and managers has cooled as mutual suspicion pervades their relationships; and a throbbing economic anxiety infects almost every conversation.

"Perhaps no site on the internet reflects this transformation more vividly than Blind, where users can post in private channels restricted to employees of a single company, or public channels visible to anyone..." Since 2022, large tech companies have collectively laid off more than 150,000 workers, unraveling what many tech workers once perceived as a guarantee of affluence and employability. The threat of being replaced by artificial intelligence has loomed over those who remain. This year alone, Amazon has indicated that it is laying off more than 15,000 workers, Block 4,000, Meta 8,000 and Oracle an estimated 30,000... By most measures, the sentiments that Blind tracks have taken a turn for the worse. During the nearly four years before tech companies began major layoffs in the fall of 2022, Meta and Microsoft employees posted about career success — topics like how to maximize their salary or win promotions — more than four times as often as they posted about job insecurity, according to Blind. Since then, the ratios have lurched in the opposite direction: Meta and Microsoft employees have posted about job insecurity roughly 1.5 times as often as they post about success...

The shift has had practical effects. A Meta employee said in an interview that some workers on her team now used less vacation time and that, in a break with custom, people frequently checked on their projects while on vacation. They increasingly worry about getting a poor performance review or losing their job if they aren't constantly available. The employee, who declined to be identified for fear of retribution, said she and many of her colleagues frequently checked Blind because it could be comforting to see how many other Meta workers shared their anxieties. Employees at several companies said in interviews that their morale was further undermined by the feeling that the layoffs were abrupt and arbitrary, and executed with little empathy.

Several tech workers said it was the scarcity of information about possible layoffs that raised their cortisol levels and made it difficult to focus on their jobs. They often fill the vacuum by turning to Blind, which, in addition to posts by workers, features a "tech layoff tracker" that lists both layoff rumors and those it has confirmed. "I was on Blind five days a week," said Faith Wilkins El, a software engineer who was laid off from Oracle in late March, after more than four years at the company. Wilkins El, who is part of the Oracle Workers Collective, a group seeking better severance agreements with the company, said navigating Blind was sometimes stressful because it was hard to know what was true or false. (Blind says it has a security team to weed out bad actors, like those who may try to register under fake email addresses.) Still, she found it more helpful than not because the layoffs came as less of a shock after she spent time on the site. "I was trying to get prepared mentally," she said.

Blind is capitalizing on the increased interest with new products. It plans to unveil a service called Blind AI, which will allow employers to simulate their workers' reactions to certain changes, like a stricter in-office mandate. And it is close to releasing a feature to alert users that layoffs are imminent.

Developers for several top videogames have joined unions under the Communication Workers of America — including Call of Duty, Fallout, Overwatch, Diablo and World of Warcraft. Last month workers on the online game Magic: The Gathering Arena team announced their own CWA union.

The gaming news site Aftermath shares some interesting details: Owner Hasbro and Wizards of the Coast could have voluntarily agreed to the union, but instead the issue is going to an official vote with the National Labor Relations Board in June... [O]ne Arena developer shared on Bluesky that one of the reasons they were inspired to organize was because Wizards changed its remote work policy, requiring them to move across the country or to a more expensive state to remain employed. (Changes to remote work have been one of the big drivers of unionization and union action among video game developers.) If the union is successful, the company wouldn't be able to unilaterally change working conditions like remote work; it would have to negotiate with the union over the decision. There's no guarantee unionized employees would get what they want, but they'd have more of a say, and the opportunity to directly influence their work situation, than they would without a union.

Slashdot reader wiredmikey writes: Threat actors are exploiting a vulnerability in shared content delivery network (CDN) infrastructure to hide connections to malicious domains. Researchers say the vulnerability could impact roughly 88 million domains and can bypass DNS filtering and protective DNS controls, potentially enabling stealthy command-and-control communications and other evasive attacks.
Dubbed "Underminr," the exploit "presents the SNI and HTTP Host of a domain," writes SecurityWeek, "while forcing a request to the IP address of another tenant on the same shared edge." The mismatch, ADAMnetworks reports, has been exploited in attacks targeting large-scale hosting providers, including those that have implemented mitigations against domain fronting...

Threat actors' increased reliance on AI is expected to lead to a surge in attacks. "Once Underminr becomes parametric information for AI-generated malware, we could expect to see it in every attack that needs to evade protective DNS as part of the attack chain," ADAMnetworks CEO David Redekop says.

Linus Torvalds spoke this week at the Linux Foundation's Open Source Summit North America, reports ZDNet — and described how AI is impacting Linux kernel development: "In the last six months, we've seen a lot more commits," Torvalds noted, estimating that "the last two releases, it's been about 20% more commits than we had in the previous releases over many years.... The real change that happened in the last six months was that the AI tools actually got good enough for a lot of people... we're seeing a definite uptick in just development on pretty much all fronts...."

On the positive side, he framed AI-discovered bugs as "short-term pain" with long-term benefits: "When AI finds a bug in any source code... long term is you found a bug, we fixed it, that the end result is better for it." After all, he continued, "I think finding bugs is great, because the real problem is all the bugs you didn't find..." For small teams or solo maintainers, he said, flood-style AI bug reports can cause real burnout, especially when "it's a bug report, and when you ask for more information, the person has done a drive-by and doesn't even answer your questions anymore."
The AI news site Techstrong notes this quote from Torvalds. "I have a love-hate relationship with AI. I actually really like it from a technical angle, I love the tools, I find it very useful and interesting, but it is definitely causing pain points." The chief challenge with AI is that it forces people to change how they work, he found. People get into a rut, and AI challenges their norm. The Linux security mailing list got the brunt of this new wave of AI-generated commits. Not all bugs are security issues, but when "people think that when they find a bug with AI, the first reaction seems to sometimes be let's send it to the security list, because this may have security implications," Torvalds said. As a result, the security list — watched over by a small group of maintainers — was overrun by duplicate entries...

The Linux project learned to manage the bug influx with a set number of tools to sort out and deprioritize the obvious drive-by reports (ones where the person submitting the report won't even answer any questions). One tool, Sashiko, reviews all the patches submitted on the mailing list. "Sometimes the review is not great, but quite often it finds issues and it asks questions and says, 'Hey, what about this issue?'" he said.
Linux also updated their documentation, partly just to address "an uptick in bug and security reports from discoveries made in full or in part with AI."

"The numbers show that layoffs in the U.S. are roughly at or below levels from before the pandemic," reports the Washington Post, "although they are higher than in 2022 when businesses snapped up workers as the economy roared back to life...

"A different measure that accounts for the growing U.S. workforce shows that layoffs affected about 1.2% of employed people in March, a number that has been steady for years outside of the pandemic..." In the technology industry, where Meta and other companies are regularly announcing job cuts, the layoff picture is complex. There has been a marked increase in layoffs in recent months in what the Labor Department calls the information industry, which includes employment of software developers and other tech workers. But Matthew Martin, senior U.S. economist at the research and consulting firm Oxford Economics, noted that hiring has also increased in that category, which includes media and entertainment. The combination of hiring minus layoffs in the information industry is effectively a wash, Martin said. Layoffs at Big Tech companies like Meta and other high-profile employers don't necessarily reflect what is happening in the country, Martin said, and draw far more attention than what may be slow and steady workforce growth. "There's a lot more headlines about job cuts than there are [about] expansion plans by businesses," he said.

In his view, technology companies may be pushing out some workers and replacing them with people who have different skills as they respond to the demands of AI. It's true that businesses in some industries are devoting enormous sums of money and attention to AI. It's changing how some people work and a minority of American businesses are rolling out AI tools. But it's also become a trend for bosses to blame layoffs on the productive capabilities of AI and its ability to replace workers, even when job cuts may have little to do with the technology. Sam Altman, CEO of ChatGPT-maker OpenAI, has taken note of the pattern that he and others call "AI washing," essentially a high-tech form of whitewashing... "You know something is happening all the time when they have a word for it," said Gautam Mukunda, who teaches leadership at the Yale School of Management...

AI-related employment changes are tiny so far, said Nathan Goldschlag, director of research at the Economic Innovation Group, a Washington think tank. He pointed to a recently published analysis of Census Bureau surveys, which found more than 95 percent of businesses that use AI said it hasn't changed their staff sizes — and AI-related employment increases were more common than decreases.

Aikido Security found that deleted Google API keys can continue authenticating for a median of about 16 minutes and as long as 23 minutes, despite Google Cloud's UI claiming that once a key is deleted it can no longer make API requests. Dark Reading reports: Joe Leon, researcher at Belgian startup Aikido Security, recently analyzed the revocation window -- the time between a key's deletion and its last successful authentication -- for the cloud giant's API keys. In a blog post published today, Leon said Google Cloud Platform (GCP) customers expect API access to end immediately after the key is deleted, but this is not the case. In a series of tests, Leon found that the median revocation window was around 16 minutes, while the longest window was up to 23 minutes, "an incredibly long time" for API keys to continue authenticating successfully, he said.

And these windows have serious repercussions for organizations. "An attacker holding your deleted key can keep sending requests until one reaches a server that has not caught up. If Gemini is enabled on the project, they can dump files you have uploaded and exfiltrate cached conversations," Leon said. "The GCP console will not show the key, and it will not tell you the key is still working. You are trusting Google's infrastructure to eventually catch up."

[...] Leon tells Dark Reading the revocation windows for Google's API keys, as well as the unpredictable authentication success rates, complicate matters for incident response teams that are dealing with a potential breach. "This breaks the mental model IR teams have when responding to leaked credentials," he says. "It's assumed that when you click 'Delete' or 'Revoke' that the credential no longer works. Now IR teams need to remember that for GCP credentials, a window exists when that 'Deleted' credential still works for attackers."

To that end, Aikido recommended that security teams and IR personnel use a 30-minute window for Google API key deletions. Additionally, organizations should monitor their API requests by credential through the "Enabled APIs and services" portion of the GCP console, and review API requests by credential. "If you see unexpected usage from that credential after deletion, someone could be actively exploiting it," Leon wrote. Aikido reported the findings to Google, but the company closed the report as "won't fix," according to the blog post.

Trump Mobile confirmed that a third-party platform exposed customers' personal data to the open internet. The data included names, email addresses, mailing addresses, phone numbers, and order IDs. TechCrunch reports: Chris Walker, a spokesperson for the Trump-branded phone maker, told TechCrunch that the company is investigating the exposure and has not found evidence that content or financial information spilled online. The company said there was no breach of Trump Mobile's network, systems, or infrastructure. Walker said that the exposure was linked to a third-party platform provider that supports "certain Trump Mobile operations." He did not name the provider.

[...] On Wednesday, two YouTubers who ordered Trump Mobile's phone said a researcher alerted them that their personal information was exposed online. The YouTubers Coffeezilla and penguinz0 said they tried to alert Trump Mobile of the exposure after the researcher also tried but to no avail. Walker said Trump Mobile is evaluating whether it needs to notify customers of the exposure of their personal data. Further reading: Trump Phones Start Shipping - But Were There Really 600,000 Preorders?

An anonymous reader quotes a report from Ars Technica: Google on Wednesday published exploit code for an unfixed vulnerability in its Chromium browser codebase that threatens millions of people using Chrome, Microsoft Edge, and virtually all other Chromium-based browsers. The proof-of-concept code exploits the Browser Fetch programming interface, a standard that allows long videos and other large files to be downloaded in the background. An attacker can use the exploit to create a connection for monitoring some aspects of a user's browser usage and as a proxy for viewing sites and launching denial-of-service attacks. Depending on the browser, the connections either reopen or remain open even after it or the device running it has rebooted.

The unfixed vulnerability can be exploited by any website a user visits. In effect, a compromise amounts to a limited backdoor that makes a device part of a limited botnet. The capabilities are limited to the same things a browser can do, such as visit malicious sites, provide anonymous proxy browsing by others, enable proxied DDoS attacks, and monitor user activity. Nonetheless, the exploit could allow an attacker to wrangle thousands, possibly millions, of devices into a network. Once a separate vulnerability becomes available, the attacker could use it to then compromise all those devices.

"The dangerous part here is that you can just have a lot of different browsers together that you can in the future run something on that you figure out," said Lyra Rebane, the independent researcher who discovered the vulnerability and privately reported it to Google in late 2022 in an interview. He said using the exploit code Google prematurely published would be "pretty easy," although scaling it to wrangle large numbers of devices into a single network would require more work. In the thread of Rebane's disclosure to Google, two developers said in separate responses that it was a "serious vulnerability." Its severity was rated S1, the second-highest classification.

Since its reporting 29 months ago, the vulnerability remained unknown except to Chromium developers. Then on Wednesday morning, it was published to the Chromium bug tracker. Rebane initially assumed the vulnerability was finally fixed. Shortly thereafter, he learned that, in fact, it remained unpatched. While Google removed the post, it remains available on archival sites, along with the exploit code. Google representatives didn't immediately respond to an email asking how and why it published the vulnerability and if or when a fix would become available. The exploit works by abusing Chromium's Browser Fetch API to open a service worker that remains persistently active. A malicious website can trigger it through JavaScript, creating a connection that can be used "for monitoring some aspects of a user's browser usage and as a proxy for viewing sites and launching denial-of-service attacks," reports Ars.

Depending on the browser, those connections "either reopen or remain open even after it or the device running it has rebooted," effectively turning the device into part of a "limited botnet."