Malicious hackers are exploiting a critical vulnerability in a widely used security camera to spread Mirai, a family of malware that wrangles infected Internet of Things devices into large networks for use in attacks that take down websites and other Internet-connected devices.
The attacks target the AVM1203, a surveillance device from Taiwan-based manufacturer AVTECH, network security provider Akamai said Wednesday. Unknown attackers have been exploiting a 5-year-old vulnerability since March. The zero-day vulnerability, tracked as CVE-2024-7029, is easy to exploit and allows attackers to execute malicious code. The AVM1203 is no longer sold or supported, so no update is available to fix the critical zero-day.
That time a ragtag army shook the Internet
Akamai said that the attackers are exploiting the vulnerability so they can install a variant of Mirai, which arrived in September 2016 when a botnet of infected devices took down cybersecurity news site Krebs on Security. Mirai contained functionality that allowed a ragtag army of compromised webcams, routers, and other types of IoT devices to wage distributed denial-of-service attacks of record-setting sizes. In the weeks that followed, the Mirai botnet delivered similar attacks on Internet service providers and other targets. One such attack, against dynamic domain name provider Dyn, paralyzed vast swaths of the Internet.
Complicating attempts to contain Mirai, its creators released the malware to the public, a move that allowed virtually anyone to create their own botnets that delivered DDoSes of once-unimaginable size.
Kyle Lefton, a security researcher with Akamai’s Security Intelligence and Response Team, said in an email that the team has observed the threat actor behind the attacks perform DDoS attacks against “various organizations,” which he didn’t name or describe further. So far, the team hasn’t seen any indication the threat actors are monitoring video feeds or using the infected cameras for other purposes.
Akamai detected the activity using a “honeypot” of devices that mimic the cameras on the open Internet to observe any attacks that target them. The technique doesn’t allow the researchers to measure the botnet’s size. The US Cybersecurity and Infrastructure Security Agency warned of the vulnerability earlier this month.
The technique, however, has allowed Akamai to capture the code used to compromise the devices. It targets a vulnerability that has been known since at least 2019 when exploit code became public. The zero-day resides in the “brightness argument in the ‘action=’ parameter” and allows for command injection, researchers wrote. The zero-day, discovered by Akamai researcher Aline Eliovich, wasn’t formally recognized until this month, with the publishing of CVE-2024-7029.
Wednesday’s post went on to say:
How does it work?
This vulnerability was originally discovered by examining our honeypot logs. Figure 1 shows the decoded URL for clarity.
Fig. 1: Decoded payload body of the exploit attempts (Akamai)
The vulnerability lies in the brightness function within the file /cgi-bin/supervisor/Factory.cgi (Figure 2).
In the exploit examples we observed, essentially what happened is this: The exploit of this vulnerability allows an attacker to execute remote code on a target system.
Figure 3 is an example of a threat actor exploiting this flaw to download and run a JavaScript file to fetch and load their main malware payload. Similar to many other botnets, this one is also spreading a variant of Mirai malware to its targets.
Fig. 3: Strings from the JavaScript downloader
In this instance, the botnet is likely using the Corona Mirai variant, which has been referenced by other vendors as early as 2020 in relation to the COVID-19 virus.
Upon execution, the malware connects to a large number of hosts through Telnet on ports 23, 2323, and 37215. It also prints the string “Corona” to the console on an infected host (Figure 4).
Fig. 4: Execution of malware showing output to console
Static analysis of the strings in the malware samples shows targeting of the path /ctrlt/DeviceUpgrade_1 in an attempt to exploit Huawei devices affected by CVE-2017-17215. The samples have two hard-coded command and control IP addresses, one of which is part of the CVE-2017-17215 exploit code:
The botnet also targeted several other vulnerabilities including a Hadoop YARN RCE, CVE-2014-8361, and CVE-2017-17215. We have observed these vulnerabilities exploited in the wild several times, and they continue to be successful.
Given that this camera model is no longer supported, the best course of action for anyone using one is to replace it. As with all Internet-connected devices, IoT devices should never be accessible using the default credentials that shipped with them.
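For defenders who still have one of these cameras on a network, the indicators described above can be turned into a simple triage script. The following is an added example, not code from Akamai or from the original article: it flags requests to /cgi-bin/supervisor/Factory.cgi whose brightness value carries shell metacharacters, probes of /ctrlt/DeviceUpgrade_1, and hosts fanning out to many peers on ports 23, 2323, and 37215. The log format, the query layout (`action=EXAMPLE&brightness=...`), the placeholder payloads, the addresses, and the fan-out threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote_plus

FACTORY_CGI = "/cgi-bin/supervisor/Factory.cgi"  # vulnerable file named in the article
HUAWEI_PATH = "/ctrlt/DeviceUpgrade_1"           # CVE-2017-17215 path named in the article
MIRAI_PORTS = {23, 2323, 37215}                  # ports the malware connects to

# Characters that a numeric brightness setting never needs but a shell interprets.
SHELL_META = re.compile(r"[;|&`\n\r<>]|\$\(|\$\{")
# Assumed input: common/combined access-log lines ("METHOD target HTTP/x.y" in quotes).
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(line):
    """Return (source, label) for a log line of interest, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = fully_decode(parts.path)
    if path == HUAWEI_PATH:
        return (m["src"], "huawei-cve-2017-17215-probe")
    if path != FACTORY_CGI:
        return None
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)
        # Covers a parameter named brightness and an action value embedding it.
        if "brightness" in (name + value).lower() and SHELL_META.search(value):
            return (m["src"], "factory-cgi-brightness-injection")
    # Any outside access to the factory CGI of an unsupported camera is worth recording.
    return (m["src"], "factory-cgi-access")


def triage(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify_request, lines) if hit]


def telnet_fanout(flows, min_hosts=20):
    """Return sources that contacted at least min_hosts distinct hosts on MIRAI_PORTS.

    flows is an iterable of (src_ip, dst_ip, dst_port); min_hosts is an assumed threshold.
    """
    seen = defaultdict(set)
    for src, dst, dport in flows:
        if dport in MIRAI_PORTS:
            seen[src].add(dst)
    return sorted(src for src, dsts in seen.items() if len(dsts) >= min_hosts)


# Constructed sample data (documentation address ranges, placeholder payloads).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Apr/2024:10:00:01 +0000] '
    '"GET /cgi-bin/supervisor/Factory.cgi?action=EXAMPLE&brightness=50 HTTP/1.1" 200 12',
    '198.51.100.9 - - [01/Apr/2024:10:00:02 +0000] '
    '"GET /cgi-bin/supervisor/Factory.cgi?action=EXAMPLE&brightness=%24%28PLACEHOLDER_CMD%29 HTTP/1.1" 200 12',
    '198.51.100.10 - - [01/Apr/2024:10:00:03 +0000] '
    '"GET /cgi-bin/supervisor/Factory.cgi?action=EXAMPLE&brightness=5%253BPLACEHOLDER_CMD HTTP/1.1" 200 12',
    '203.0.113.5 - - [01/Apr/2024:10:00:04 +0000] "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1" 404 0',
    '203.0.113.6 - - [01/Apr/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 100',
]
# A camera at 10.0.0.50 reaching 25 distinct hosts on the three ports; 10.0.0.60 is ordinary.
SAMPLE_FLOWS = [("10.0.0.50", f"192.0.2.{i}", (23, 2323, 37215)[i % 3]) for i in range(1, 26)]
SAMPLE_FLOWS += [("10.0.0.60", "192.0.2.1", 23), ("10.0.0.60", "192.0.2.2", 443)]

if __name__ == "__main__":
    for src, label in triage(SAMPLE_LOG):
        print(f"{src}\t{label}")
    for src in telnet_fanout(SAMPLE_FLOWS):
        print(f"{src}\ttelnet-fanout")
```

Because the camera is unsupported, a hit from either function is a reason to isolate and replace the device rather than to attempt cleanup in place.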
Ukrainian FPV drone hunting Russian army assets along a road.
Imagine receiving a traffic ticket in the mail because you were speeding down a Russian road in Kursk with a Ukrainian attack drone on your tail. That’s the reality facing some Russians living near the front lines after Ukraine’s surprise seizure of Russian territory in Kursk Oblast. And they’re complaining about it on Telegram.
Rob Lee, a well-known analyst of the Ukraine/Russia war, comments on X that “traffic cameras are still operating in Kursk, and people are receiving speeding fines when trying to outrun FPVs [first-person-view attack drones]. Some have resorted to covering their license plates but the traffic police force them to remove them.”
Volunteers and military volunteers who arrived in the Kursk region are asking the traffic police not to fine them for speeding when they are escaping from the drones of the Ukrainian Armed Forces.
Several people who are near the combat zone told Mash about this. Cameras are still recording violations in the border area, and when people try to escape from the drones, they receive letters of happiness [tickets]. One of the well-known military activists was charged 9k [rubles, apparently—about US$100] in just one day. He accelerated on a highway that is attacked almost every hour by enemy FPV drones. Some cover their license plates, but the traffic police stop them and demand that they remove the stickers.
Mash claims that the traffic police are sympathetic and that given the drone situation, “speeding can be considered as committed in a state of extreme necessity.” But those who receive a speeding ticket will have to challenge it in court on these grounds.
The attack drones at issue here are widely used even some distance beyond the current front lines. Russian milbloggers, for instance, have claimed for more than a week that Ukrainian drones are attacking supply vehicles on the important E38 highway through Kursk, and they have published photos of burning vehicles along the route. (The E38 is significantly to the north of known Ukrainian positions.)
So Russians are understandably in something of a hurry when on roads like this. But the traffic cameras don’t care—and neither, apparently, do the traffic police, who keep the cameras running.
Estonian X account “WarTranslated” provides English translations of Russian Telegram posts related to the Ukraine war, and the traffic cam issue has come up multiple times. According to one local Russian commentator, “In frontline areas, they continue to collect fines for violating traffic rules… For example, drivers exceed the speed limit in order to get away from the drone, or drive quickly through a dangerous place; the state regularly collects fines for this.”
Another Russian complains, “The fact is that in the Kursk region, surveillance cameras that monitor speeding continue to operate. There are frequent cases when fighters are fined when they run away from enemy FPV drones. Papering over license plates on cars does not help, either. For example, a guy from the People’s Militia of the city of Kurchatov was sent to 15 days of arrest because of a taped-over license plate.”
Indian IT firm Infosys has been accused of being “exploitative” after allegedly sending job offers to thousands of engineering graduates but still not onboarding any of them after as long as two years. The recent graduates have reportedly been told they must do repeated, unpaid training in order to remain eligible to work at Infosys.
Last week, the Nascent Information Technology Employees Senate (NITES), an Indian advocacy group for IT workers, sent a letter [PDF], shared by The Register, to Mansukh Mandaviya, India’s Minister of Labor and Employment. It requested that the Indian government intervene “to prevent exploitation of young IT graduates by Infosys.” The letter signed by NITES president Harpreet Singh Saluja claimed that NITES received “multiple” complaints from recent engineering graduates “who have been subjected to unprofessional and exploitative practices” from Infosys after being hired for system engineer and digital specialist engineer roles.
According to NITES, Infosys sent these people offer letters as early as April 22, 2022, after engaging in a college recruitment effort from 2022–2023 but never onboarded the graduates. NITES has previously said that “over 2,000 recruits” are affected.
Unpaid “pre-training”
NITES claims the people sent job offers were asked to participate in an unpaid, virtual “pre-training” that took place from July 1, 2024, until July 24, 2024. Infosys’ HR team reportedly told the recent graduates at that time that onboarding plans would be finalized by August 19 or September 2. But things didn’t go as anticipated, NITES’ letter claimed, leaving the would-be hires with “immense frustration, anxiety, and uncertainty.”
The letter reads:
Despite successfully completing the pre-training, the promised results were never communicated, leaving the graduates in limbo for over 20 days. To their shock, instead of receiving their joining dates, these graduates were informed that they needed to retake the pre-training exam offline, once again without any remuneration.
The Register reported today that Infosys recruits were subjected to “multiple unpaid virtual and in-person training sessions and assessments,” citing emails sent to recruits. It also said that recruits were told they would no longer be considered for onboarding if they didn’t attend these sessions, at least one of which is six weeks long, per The Register.
CEO claims recruits will work at Infosys eventually
Following NITES’ letter, Infosys CEO Salil Parekh claimed this week that the graduates would start their jobs but didn’t provide more details about when they would start or why there have been such lengthy delays and repeated training sessions. Speaking to Indian news site Press Trust of India, Parekh said:
Every offer that we have given, that offer will be someone who will join the company. We changed some dates, but beyond that everyone will join Infosys and there is no change in that approach.
Notably, in an earnings call last month [PDF], Infosys CFO Jayesh Sanghrajka said that Infosys is “looking at hiring 15,000 to 20,000” recent graduates this year, “depending on how we see the growth.” It’s unclear if that figure includes the 2,000 people who NITES is concerned about.
In March, Infosys reported having 317,240 employees, which represented its first decrease in employee count since 2001. Parekh also recently claimed Infosys isn’t expecting layoffs relating to emerging technologies like AI. In its most recent earnings report, Infosys reported a 5.1 percent year-over-year (YoY) increase in profit and a 2.1 percent YoY increase in revenues.
NITES has previously argued that because of the delays, Infosys should offer “full salary payments for the period during which onboarding has been delayed” or, if onboarding isn’t feasible, that Infosys help the recruited people find alternative jobs elsewhere within Infosys.
Infosys accused of hurting Indian economy
NITES’ letter argues that Infosys has already negatively impacted India’s economic growth, stating:
These young engineering graduates are integral to the future of our nation’s IT industry, which plays a pivotal role in our economy. By delaying their careers and subjecting them to unpaid work and repeated assessments, Infosys is not only wasting their valuable time but also undermining the contributions they could be making to India’s growth.
Infosys hasn’t explained why the onboarding of thousands of recruits has taken longer to begin than expected. One potential challenge is logistics. Infosys has also previously delayed onboarding in relation to the COVID-19 pandemic, which hit India particularly hard.
Additionally, India is dealing with a job shortage. Two years is a long time to wait to start a job, but many may have minimal options. A June 2024 study of Indian hiring trends [PDF] reported that IT job hiring in hardware and network declined 9 percent YoY, and hiring in software and software services declined 5 percent YoY. The Indian IT sector saw attrition rates drop from 27 percent in 2022 to 16 to 19 percent last year, per Indian magazine Frontline. This has contributed to there being fewer IT jobs available in the country, including entry-level positions. With people holding onto their jobs, there have also been reduced hiring efforts. Infosys, for example, didn’t do any campus hiring in 2023 or 2024, and neither did India-headquartered Tata Consultancy Services, Frontline noted.
Over the past two years, Infosys has maintained a pool of people to pull from at a time when an IT skills gap in India is expected in the coming years that coincides with a lack of opportunities for recent IT graduates. However, the company risks losing the people it recruited as they might decide to look elsewhere. At the same time, they deal with financial and mental health concerns and make requests for government intervention.
Martin Shkreli—he’s back, and he’s still got copies of that Wu-Tang Clan album.
The members of PleasrDAO are, well, pretty displeased with Martin Shkreli.
The “digital autonomous organization” spent $4.75 million to buy the fabled Wu-Tang Clan album Once Upon a Time in Shaolin, which had only been produced as a single copy. The album had once belonged to Shkreli, who purchased it directly from Wu-Tang Clan for $2 million in 2015. But after Shkreli became the “pharma bro” poster boy for price gouging in the drug sector, he ended up in severe legal trouble and served a seven-year prison sentence for securities fraud.
He also had to pay a $7.4 million penalty in that case, and the government seized and then sold Once Upon a Time in Shaolin to help pay the bill.
The album was truly “one of a kind,” a protest against the devaluation of music in the digital age and the kind of fascinating curio that instantly made its owners into “interesting people.” The album came as a two-CD set inside a nickel and silver box inscribed with the Wu-Tang logo, and the full package included a pair of customized audio speakers and a 174-page leather book featuring lyrics and “anecdotes on the production.”
In a complicated transaction, PleasrDAO purchased the album from an unnamed intermediary, who had first purchased it from the government. As part of that deal, PleasrDAO created a non-fungible token (NFT—remember those?) to show ownership of the album. The New York Times has a good description of what this entailed:
To tie “Once Upon a Time” to the digital realm, an NFT was created to stand as the ownership deed for the physical album, said Peter Scoolidge, a lawyer who specializes in cryptocurrency and NFT deals and was involved in the transaction. The 74 members of PleasrDAO… share collective ownership of the NFT deed, and thus own the album.
Makin’ copies…
But after purchasing the album and sharing the collective ownership of its NFT, PleasrDAO discovered that its “one of a kind” object wasn’t quite as exclusive as it had thought.
Shkreli had, in fact, made copies of the music. Lots of copies. On June 30, 2022, PleasrDAO said that Shkreli played music from the album on his YouTube channel and stated, “Of course I made MP3 copies, they’re like hidden in safes all around the world… I’m not stupid. I don’t buy something for two million dollars just so I can keep one copy.”
Shkreli began taunting PleasrDAO members about the album, telling one of them, “I literally play it on my discord all the time, you’re an idiot” and claiming that PleasrDAO was concerned about an album that “>5000 people have.” Shkreli claimed on a 2024 podcast that he had “burned the album and sent it to like, 50 different chicks”—and that this had been extremely good for his sex life.
Shkreli even offered to send copies of the album to random Internet commenters if they would just send him their “email addy.” He also told people to “look out for a torrent” and hosted listening parties for the album on his X account, which reached “potentially over 4,900 listeners.”
We know all of these details because PleasrDAO has sued Shkreli, claiming that he is acting in violation of the asset forfeiture order and that he is misappropriating “trade secrets” under New York law.
Shkreli “knew that by distributing copies of the Album’s data and files or by playing it publicly, his actions would decrease the Album’s marketability and value,” said PleasrDAO. They have asked a federal judge to stop Shkreli—and also to get them a list of everyone he has distributed the album to.
The Wu-Tang Clan album sits inside this box.
Not a secret
Shkreli’s response to all this is, in essence, “so what’s the problem?”
When he purchased the album for $2 million in 2015, he also acquired 50 percent of the copyrights to the package. Before the album was seized by the government, Shkreli says he took advantage of his copyright ownership to make copies as he was “permitted to do under his original purchase agreement.” The government, he says, seized only the individual, physical copy of the album, and Shkreli was within his rights to retain the copies he had already made.
As for trade secrets, well—a trade secret actually has to be “secret.” Thanks to his own actions, Shkreli has made sure that the album is not a secret. “Because Defendant legally purchased and shared the work before the Forfeiture Order and the Asset Purchase Agreement, the work is no longer a trade secret,” his lawyers wrote in his defense.
The Empire State strikes back
On August 26, 2024, a federal judge in Brooklyn issued a preliminary injunction (PDF) in the case as the two parties prepare to battle things out in court. The injunction prevents Shkreli from “possessing, using, disseminating, or selling any interest in the Wu-Tang Clan album ‘Once Upon a Time in Shaolin’ (the ‘Album’), including its data and files or the contents of the Album.”
Furthermore, Shkreli has to turn over “all of his copies, in any form, of the Album or its contents to defense counsel.” He also must file an affidavit swearing that he “no longer possesses any copies, in any form, of the Album or its contents.”
By the end of September 2024, Shkreli further must submit a list of “the names and contact information of the individuals to whom he distributed the data and files” and say if he made any money for doing so.
It’s hard work, survival crafting, but there are moments for song, dance, and tankards. (North Beach Games)
The dwarves of J.R.R. Tolkien’s writing are, according to the author himself, “a tough, thrawn race for the most part, secretive, retentive of the memory of injuries (and of benefits),” and “lovers… of things that take shape under the hands of the craftsmen rather than things that live by their own life.”
Is it secrecy and avarice that explains why The Lord of the Rings: Return to Moria spent its first year of existence as an exclusive to the Epic Games Store? None can say for certain. But the survival crafting game has today arrived on Steam and Xbox, adding to its PlayStation and EGS platforms and bringing a 1.3 “Golden Update” to them all. Steam Deck compatibility is on its way to Verified, with a bunch of handheld niceties already in place.
The Golden Update grants new and existing players a procedurally generated sandbox mode to complement the game’s (also generated) campaign, new weapons and armor, crossplay between all platforms with up to eight players, specific sliders for difficulty settings, and… a pause function in offline single-player, which seemingly was not there before.
Launch trailer for Return to Moria on Steam and consoles (and its Golden Update).
What are you actually doing in Return to Moria? You, a dwarf in the Fourth Age of Middle-Earth, are tasked by Gimli Lockbearer with heading into Moria (i.e. Khazad-dûm) to recover its treasures. Except every Moria is different, generated from random generation seeds. You mine for materials, use materials to make gear and goods, set up base camps with stations and fixtures, and, of course, fight the things you awaken in the depths.
The campaign is procedurally generated, but it tells a narrative with a beginning, middle, and end. And runes—lots of runes.
Dwarves? Underground? Making stuff? Yes, of course.
There will be goblins.
Not only does a release on new cross-compatible platforms give you a chance to check out a potentially overlooked gem, but this is also version 1.3 of the game. Reviews of the game at release in October 2023 were closely aligned around one point: it needed more time to cook.
PC Gamer found the game authentic to Tolkien’s lore, intriguing in its depictions of underground spaces, and alternately goofy and harrowing in building and fighting. But bugs, stuttering, clipping errors, and disbelief-shattering oddities brought the experience down a good deal. Polygon was more critical of the game’s tile-based layouts and laborious backtracking. “A few patches could see this become a survival game that can hold its own against the more popular entries in the genre,” wrote Ford James.
In a “Quality of Life Showcase,” Game Director Jon-Paul Dumont details how the game has advanced over the past 10 months. The map is color-coded and easier to read, the ambient music and transitions are improved, combat improvements make it feel better and more grounded (another point of review contention), and player gripes about inventory management, cooking, building, and crafting have been tackled.
I haven’t played enough of the game to render any kind of verdict on it, but I’m always eager to see the work of a team actively fixing after launch—digging in, if you will.
$321 million from today’s announcement will be spent on 41 different projects across the country—these projects are a mix of level 2 AC chargers as well as DC fast chargers. The remaining $200 million will continue funding DC fast chargers along designated highway corridors.
The Joint Office of Energy and Transportation, which administers the federal funding, called out a $15 million project to install chargers at 53 sites in Milwaukee and a $3.9 million project to install publicly accessible chargers on the Sioux Reservation in North Dakota as examples of the latest awards.
“Today’s investments in public community charging fill crucial gaps and provide the foundation for a zero-emission future where everyone can choose to ride or drive electric for greater individual convenience and reduced fueling costs, as well as cleaner air and lower healthcare costs for all Americans,” said Gabe Klein, executive director of the Joint Office of Energy and Transportation.
The Biden administration set a goal of 500,000 EV chargers nationwide by 2030. The Joint Office’s latest data shows more than 189,000 chargers across the country, although fewer than 44,000 of these were DC fast chargers.
But it cites real improvements over the past few years—56 percent of the most heavily trafficked highways have a fast charger every 50 miles, up from 38 percent in January 2021. And in June, it says an additional 3,000 charging ports were added to the national network. Other funding has gone to repairing or upgrading existing infrastructure, starting with a currently inoperable site in Washington, DC.
At the same time, progress has not been especially rapid for the highway charger NEVI (National Electric Vehicle Infrastructure) program. NEVI funds are administered by the states, similar to the way they manage federal highway funding, and the extra layers of bureaucracy have meant that the first NEVI-funded charging station—located in Ohio—only became operational in mid-December 2023.
Tetris Forever includes several versions of the game that had been released over the years. (Nintendo)
There’s also a new game called Tetris Time Warp that combines gameplay styles from several prior entries.
A combination documentary and classic game compilation called Tetris Forever is headed to PC, Nintendo Switch, and other platforms later this year, according to an announcement.
The game will include 15 Tetris games, from an “accurate” version of the first Tetris for the Electronika 60 to an NES version of the game and more, including Tetris 2 + Bombliss, Super Tetris 3, and Tetris Battle Gaiden, among others.
In addition to that, it will feature a new take called Tetris Time Warp, which will see players jumping “between gameplay styles from across the series” in real time as they complete each board. The game will support up to four players.
The game is developed by Digital Eclipse, which previously made waves with a docu-game called The Making of Karateka that combined the classic game with documentary footage. It also made a remaster of the original Wizardry.
Tetris Forever is the latest in the same docu-game series that included The Making of Karateka. As such, the classic games will be presented in an interactive digital museum-like format and will be accompanied by over an hour of documentary clips “about the history of Tetris and its key players.”
Tetris Forever was announced as part of a Nintendo Direct stream this morning. The reveal focused on the experience of playing the game on the Nintendo Switch and also noted that the original NES version of Tetris is coming to Nintendo Switch Online’s classic game library this winter.
However, the game also appeared on Steam, so there will be a PC release. Releases on other consoles are likely as well. The Steam page says the game is coming sometime before the end of this year but doesn’t get more specific than that. There’s no pricing information yet, either.
The Tetris Forever announcement video from Nintendo Direct.
Mercedes-Benz got into the passenger infotainment game with the EQS. (Mercedes-Benz)
Jumping into a new car from the driver’s seat of something built before 2010 can cause quite the case of future shock. Over that time, automakers have been on a technology frenzy, loading up new vehicles with all manner of gizmos, gadgets, and features, some meant to make your life easier, others to make your journey safer. But do car buyers actually want all this stuff? A new survey by JD Power suggests they may not.
With enough time, a new convenience feature just becomes something buyers expect to be there. Starter motors replaced hand cranks for a reason, and I imagine most modern motorists would prefer not to deal with manual chokes. Manual window winders became more expensive and heavier than electric ones, leading to their extinction.
Some of the technology creep has come about by regulation or the threat of it. While many bemoan the “iPad on the dash,” the legal requirement for a backup camera means there needs to be a screen in the car to display that feed. Steering wheels and dashboards grew to conceal airbags. And now vehicle fascias conceal sensors that can alert the driver or stop the car in the event of an imminent head-on crash.
But according to JD Power’s Tech Experience Survey, which “measures problems encountered and the user experience with advanced technologies as they first enter the market,” advanced technology in cars needs to solve real problems, and too much tech simply doesn’t do that.
For example, drivers generally appreciate advanced driver assistance systems, known as ADAS in the industry; blind spot monitoring solves a real problem. But does anyone ever actually use their automatic parking system? JD Power found that systems that partially automate a driving task—even the most advanced hands-free systems—had a low perceived usefulness, a finding that dovetails nicely with data published last month by the Insurance Institute for Highway Safety that revealed partial automation did not make cars any safer.
Enough with the screens
My current bête noire is the trend for automakers to include an additional infotainment screen directly in front of the front passenger, separate from the main infotainment screen in the center stack. Blame Ferrari, which started adding a passenger screen to its supercars in the perhaps misguided impression that Ferrari drivers wanted their passengers to know how fast they were actually going.
The early Ferrari passenger displays were somewhat limited, but they have morphed into a second fully fledged infotainment display for the not-driver. Porsche did this with the Taycan, then Mercedes brought us the “hyperscreen,” which was really three separate displays and plenty of blank dashboard, all bonded to a single sheet of glass. The latest trick, as seen in some new Audis, is to have an active privacy mode so that the passenger can watch video but the driver can’t see anything at all on that display.
If the idea of giving passengers their own display when there’s already one immediately next to it sounds excessive, welcome to my club. We’re not alone—JD Power says passenger screens are negatively reviewed by many owners and notes that “it is difficult for dealers to teach new owners how to use the primary infotainment screen, let alone a second one.”
Other examples of new technology solving a nonexistent problem include facial recognition, fingerprint scanners, and gesture control. Having experienced all three in various new cars over the past few years, I am not surprised by their inclusion. I never felt safe enough, though, with Genesis’ facial recognition to leave the key at home, and BMW’s gesture controls mean that you might accidentally turn the sound system to full volume if you talk with your hands too much.
But not every new innovation was met with opprobrium. JD Power calls out AI-based features like smart climate control as having quickly won popularity.
“A strong advanced tech strategy is crucial for all vehicle manufacturers, and many innovative technologies are answering customer needs,” said Kathleen Rizk, senior director of user experience benchmarking and technology at JD Power. “At the same time, this year’s study makes it clear that owners find some technologies of little use and/or are continually annoying.”
The market research company says its tech survey is designed to help automakers decide where to invest their R&D resources. If we start seeing any objectionable in-car tech become less common, we’ll know which OEMs were paying attention.
India’s Small Satellite Launch Vehicle launched for the third time this week. (ISRO)
Welcome to Edition 7.08 of the Rocket Report! Lots of news as always, but what I’m most interested in is the launch of the Polaris Dawn mission. If all goes as planned, the flight will break all sorts of ground for commercial spaceflight, including the first-ever private spacewalk. Best of luck to Jared Isaacman and his crew on their adventurous mission.
As always, we welcome reader submissions. Each report will include information on small-, medium-, and heavy-lift rockets as well as a quick look ahead at the next three launches on the calendar.
RFA One blows up a booster. The first stage of Rocket Factory Augsburg’s first orbital launcher was destroyed in a fireball during a test-firing Monday evening at a spaceport in Scotland, Ars reports. It’s a notable event for the European commercial space industry as the German launch startup aimed to send its first rocket into space later this year and appeared to be running ahead of several competitors in Europe’s commercial launch industry that are also developing rockets to deploy small satellites in orbit. BBC obtained video of the fiery explosion.
Now comes the hard work of an anomaly investigation … In a statement, RFA said there was “an anomaly that led to the loss of the stage” Monday evening. The company said no one was injured and reported that the launch pad had been “saved and secured.” This was the same rocket RFA planned to launch on its inaugural test flight. The hot fire test Monday was the first with all nine engines on RFA One’s first stage. “We are now working closely with SaxaVord Spaceport and the authorities to gather data and info to eventually resolve what happened,” RFA said. “We will take our time to analyze and assess the situation.” On Thursday, the cause was attributed to a turbopump fire. (submitted by SPHK_Tech, gizmo23, brianrhurley, Jay500001, and Ken the Bin)
Orbex says it’s targeting a 2025 launch, but get real. UK-based Orbex is now projecting a 2025 first launch of its small launch vehicle, the company’s chief executive told Space News recently. Phil Chambers, chief executive of the United Kingdom-based company, said the company was making progress on both its Prime small rocket and launch site at Sutherland Spaceport in northern Scotland. “We are shooting for a 2025 launch,” Chambers said but declined to be more specific about a launch date other than to say that the company wanted to avoid a launch in winter because of poor weather conditions. “But I do want it to be 2025.”
Shooting to be the first orbital launch success from the UK … There is an interesting detail in the story that caught my eye: “Vehicle subsystems are going through critical design reviews, with some flight hardware under construction.” Let’s be honest, if they’re still working through the critical design review process for subsystems, the chance of a launch in 2025 is zero, and honestly for a company founded in 2015 it should not provide much confidence that the company will ever successfully launch an orbital rocket. (submitted by EllPeaTea)
SSLV makes its third launch. India successfully launched its third Small Satellite Launch Vehicle on Thursday, placing an Earth observation satellite into orbit and completing the solid rocket’s development process, Space News reports. The rocket carried the experimental Earth observation EOS-08 spacecraft into its intended 475-kilometer circular orbit for the Indian Space Research Organization.
Two for three … According to ISRO chairman S. Somanath, the successful completion of the SSLV’s development phase paves the way for technology transfer to Indian industry, enabling serial production and operational deployment of the SSLV. The first SSLV flight failed in August 2022 when an upper stage malfunction left its payloads stranded in a very low orbit. The second launch, in February 2023, was successful. (submitted by Ken the Bin)
Indian firm plans suborbital launch. A Chennai-based startup, Space Zone India, plans to launch its Rhumi-01 suborbital rocket on Saturday from a mobile launcher. The hybrid vehicle, combining both solid and liquid rocket propellants, will carry three cubesats and 50 smaller picosats on its debut launch, the New Indian Express reports.
Seeking to recycle rockets … According to the company’s website, the Rhumi launch vehicle can reach an altitude of about 30 km. The three cubesats are designed to monitor and collect data on atmospheric conditions, including cosmic radiation intensity, UV radiation intensity, air quality, and more. The company said most of the rocket is designed to be recoverable and reused. (submitted by brianrhurley)
Sierra Space kicking the tires on ULA. Boeing and Lockheed Martin are in talks to sell their rocket-launching joint venture United Launch Alliance to Sierra Space, Reuters reports. A deal could value ULA at around $2 billion to $3 billion, sources told the publication. A potential deal would be an ambitious move for Sierra Space, spun off from Sierra Nevada in 2021 to focus on bringing to market its long-delayed Dream Chaser spaceplane. A deal with ULA could give the company a rocket, Vulcan, for uncrewed and potentially crewed launches of Dream Chaser.
A source believes the deal is unlikely … ULA has been up for sale, actively, for more than a year. Blue Origin and Cerberus Capital Management had placed bids in early 2023 for the company, but none of those offers resulted in a deal. I heard about Sierra’s interest last Friday, but the Reuters story came out before I could write something up. I will say, from the reporting I have been able to do, that the discussions between Sierra and ULA’s owners were serious and substantial. However, at this time, my best information indicates that a sale is unlikely to happen. The parents believe ULA is worth more than Sierra is willing to pay. Sierra would also need to borrow substantially to make any transaction happen. (submitted by Hacker Uno and Ken the Bin)
A high-resolution commercial Earth-imaging satellite owned by Maxar captured this view of the International Space Station on June 7 with Boeing’s Starliner capsule docked at the lab’s forward port (lower right).
Senior NASA leaders, including the agency’s administrator, Bill Nelson, will meet Saturday in Houston to decide whether Boeing’s Starliner spacecraft is safe enough to ferry astronauts Butch Wilmore and Suni Williams back to Earth from the International Space Station.
The Flight Readiness Review (FRR) is expected to conclude with NASA’s most consequential safety decision in nearly a generation. The options are to clear the Starliner spacecraft to undock from the space station in early September with Wilmore and Williams onboard, as their flight plan initially laid out, or to bring the capsule home without its crew.
As of Thursday, the two veteran astronauts have been on the space station for 77 days, nearly 10 times longer than their planned stay of eight days. Wilmore and Williams were the first people to launch and dock at the space station aboard a Starliner spacecraft, but multiple thrusters failed and the capsule leaked helium from its propulsion system as it approached the orbiting complex on June 6.
That led to months of testing—in space and on the ground—data reviews, and modeling for engineers to try to understand the root cause of the thruster problems. Engineers believe the thrusters overheated, causing Teflon seals to bulge and block the flow of propellant to the small control jets, resulting in a loss of thrust. The condition of the thrusters improved once Starliner docked at the station when they weren’t repeatedly firing, as they need to do when the spacecraft is flying alone.
However, engineers and managers have not yet reached a consensus about whether the same problem could recur, or get worse, during the capsule’s journey back to Earth. In a worst-case scenario, if too many thrusters fail, the spacecraft would be unable to point in the proper direction for a critical braking burn to guide the capsule back into the atmosphere toward landing.
The suspect thrusters are located on Starliner’s service module, which will perform the deorbit burn and then separate from the astronaut-carrying crew module before reentry. A separate set of small engines will fine-tune Starliner’s trajectory during descent.
If NASA managers decide it’s not worth the risk, Wilmore and Williams would extend their stay on the space station until at least February of next year, when they would return to Earth inside a Dragon spacecraft provided by SpaceX, Boeing’s rival in NASA’s commercial crew program. This would eliminate the threat that thruster problems on the Starliner spacecraft might pose to the crew’s safety during the trip to Earth, but it comes with myriad side effects.
These effects include disrupting crew activities on the space station by bumping two astronauts off the next SpaceX flight, exposing Wilmore and Williams to additional radiation during their time in space, and dealing a debilitating blow to Boeing’s Starliner program.
If Boeing’s capsule cannot return to Earth with its two astronauts, NASA may not certify Starliner for operational crew missions without an additional test flight. In that case, Boeing probably wouldn’t be able to complete all six of its planned operational crew missions under a $4.2 billion NASA contract before the International Space Station is due for retirement in 2030.
FRR-eedom to speak
The Flight Readiness Review at NASA’s Johnson Space Center in Houston will begin Saturday morning. Ken Bowersox, a former astronaut and head of NASA’s Space Operations Mission Directorate, will chair the meeting. NASA Administrator Bill Nelson will participate, too. If there’s no unanimous agreement around the table at the FRR, a final decision on what to do could be elevated above Bowersox to NASA’s associate administrator, Jim Free, or to Nelson.
“The agency flight readiness review is where any formal dissents are presented and reconciled,” NASA said in a statement Thursday. “Other agency leaders who routinely participate in launch and return readiness reviews for crewed missions include NASA’s administrator, deputy administrator, associate administrator, various agency center directors, the Flight Operations Directorate, and agency technical authorities.”
NASA has scheduled a press conference for no earlier than 1 pm ET (17:00 UTC) Saturday to announce the agency’s decision and next steps, the agency said.
Lower-level managers will meet Friday in a so-called Program Control Board to discuss their findings and views before the FRR. At a previous Program Control Board meeting, managers disagreed on whether the agency was ready to sign off that the Starliner spacecraft was safe enough to return its astronauts to Earth.
There’s one new piece of information that engineers will brief to the Program Control Board on Friday:
“Engineering teams have been working to evaluate a new model that represents the thruster mechanics and is designed to more accurately predict performance during the return phase of flight,” NASA said. “This data could help teams better understand system redundancy from undock to service module separation. Ongoing efforts to complete the new modeling, characterize spacecraft performance data, refine integrated risk assessments, and determine community recommendations will fold into the agency-level review.”
A 13-year-old celebrates getting the Pfizer-BioNTech COVID-19 vaccine in Hartford, Connecticut, on May 13, 2021.
With the impending arrival of the 2024–2025 COVID-19 vaccines approved yesterday, some Americans are now gaming out when to get their dose—right away while the summer wave is peaking, a bit later in the fall to maximize protection for the coming winter wave, or maybe a few weeks before a big family event at the end of the year? Of course, the group pondering such a question is just a small portion of the US.
In a press briefing Friday, federal health officials were quick to redirect focus when reporters raised questions about the timing of COVID-19 vaccination in the coming months and the possibility of updating the vaccines twice a year, instead of just once, to keep up with an evolving virus that has been producing both summer and winter waves.
“The current problem is not that the virus is evolving so much, at least in terms of my estimation,” Peter Marks, the top vaccine regulator at the Food and Drug Administration, told journalists. “It’s that we don’t have the benefits of the vaccine, which is [to say] that it’s not vaccines that prevent disease, it’s vaccination. It’s getting vaccines in arms.” When exactly to get the vaccine is a matter of personal choice, Marks went on, but the most important choice is to get vaccinated.
Estimates for this winter
The press briefing, which featured several federal health officials, was intended to highlight the government’s preparations and hopes for the upcoming respiratory virus season. The FDA, the Centers for Disease Control and Prevention, and the Department of Health and Human Services (HHS) are urging all Americans to get their respiratory virus vaccines—flu, COVID-19, and RSV.
CDC Director Mandy Cohen introduced an updated data site that provides snapshots of local respiratory virus activity, national trends, data visualizations, and the latest guidance in one place. HHS, meanwhile, highlighted a new outreach campaign titled “Risk Less. Do More.” to raise awareness of COVID-19 and encourage vaccination, particularly among high-risk populations. For those not at high risk, health officials still emphasize the importance of vaccination to lower transmission and prevent serious outcomes, including long COVID. “There is no group without risk,” Cohen said, noting that the group with the highest rates of emergency department visits for COVID-19 were children under the age of 5, who are not typically considered high risk.
So far, CDC models are estimating that this year’s winter wave of COVID-19 will be similar to, if not slightly weaker on some metrics than, last year’s winter wave, Cohen said. But she emphasized that many assumptions go into the modeling, including how the virus will evolve in the near future and the amount of vaccine uptake. The modeling assumes the current omicron variants stay on their evolutionary path and that US vaccination coverage is about the same as last year. Of course, beating last year’s vaccine coverage could blunt transmission.
Amazon may be forced to meet some unionized delivery drivers at the bargaining table after a regional National Labor Relations Board (NLRB) director determined Thursday that Amazon is a joint employer of contractors hired to ensure the e-commerce giant delivers its packages when promised.
This seems like a potentially big loss for Amazon, which had long argued that delivery service partners (DSPs) exclusively employed the delivery drivers, not Amazon. By rejecting its employer status, Amazon had previously argued that it had no duty to bargain with driver unions and no responsibility for alleged union busting, The Washington Post reported.
But now, after a yearlong investigation, the NLRB has issued what the Amazon delivery drivers’ union has claimed was “a groundbreaking decision that sets the stage for Amazon delivery drivers across the country to organize with the Teamsters.”
In a press release reviewed by Ars, the NLRB regional director confirmed that as a joint employer, Amazon had “unlawfully failed and refused to bargain with the union” after terminating their DSP’s contract and terminating “all unionized employees.” The NLRB found that rather than bargaining with the union, Amazon “delayed start times by grounding vans and not preparing packages for loading,” withheld information from the union, and “made unlawful threats.” Teamsters said those threats included “job loss” and “intimidating employees with security guards.”
Sean M. O’Brien, the Teamsters general president, claimed the win not just for drivers unionizing in California but for nearly 280,000 drivers nationwide.
“Amazon drivers have taken their future into their own hands and won a monumental determination that makes clear Amazon has a legal obligation to bargain with its drivers over their working conditions,” O’Brien said. “This strike has paved the way for every other Amazon worker in the country to demand what they deserve and to get Amazon to the bargaining table.”
Unless a settlement is reached, the NLRB will soon “issue a complaint against Amazon and prosecute the corporate giant at a trial” after finding that “Amazon engaged in a long list of egregious unfair labor practices at its Palmdale facility,” Teamsters said.
Apparently downplaying the NLRB determination, Amazon is claiming that the Teamsters are trying to “misrepresent what is happening here.” Seemingly Amazon is taking issue with the union claiming that an NLRB determination on the merits of their case is a major win when the NLRB has yet to issue a final ruling.
According to the NLRB’s press release, “a merit determination is not a ‘Board decision/ruling’—it is the first step in the NLRB’s General Counsel litigating the allegations after investigating an unfair labor practice charge.”
Amazon’s spokesperson, Eileen Hards, told Ars that the NLRB office confirmed to Amazon that it will be “dismissing most of the Teamsters’ more significant claims it filed last year in Palmdale.” That apparently includes dismissing the Teamsters’ claims that Amazon unlawfully terminated its contract with one of their DSPs and that Amazon had a legal obligation to honor the Teamsters’ contract with that DSP.
Next, the NLRB will determine if the “remaining allegations should be decided by an administrative law judge,” Hards said. After that, Amazon will have opportunities to appeal any unfavorable rulings, first to the Board and then to a federal appeals court, the NLRB confirmed to Ars.
Hards confirmed that Amazon still expects all the Teamsters’ remaining claims will be dismissed.
“As we have said all along, there is no merit to the Teamsters’ claims,” Hards told Ars. “If and when the agency decides it wants to litigate the remaining allegations, we expect they will be dismissed as well.”
But Hards declined to comment on the impacts of the NLRB’s determination that Amazon is a joint employer of the unionized delivery drivers.
One Amazon driver in Palmdale, Jessie Moreno, said that worker conditions for Amazon drivers could improve because of the determination.
“Amazon can no longer dodge responsibility for our low wages and dangerous working conditions, and it cannot continue to get away with committing unfair labor practices,” Moreno said. “We are Amazon workers, and we are holding Amazon accountable.”
Amazon drivers uniting “like never before”
The NLRB determination came following a complaint from 84 Amazon workers from Palmdale, California, who became the first Amazon delivery drivers to unionize in April 2023, represented by Teamsters Local 396.
While their DSP recognized the union, workers launched an unfair labor strike in June 2023 after Amazon allegedly “engaged in dozens of unfair labor practices in violation of federal labor law in an effort to quash workers’ organizing efforts,” the Teamsters said.
The picket line quickly expanded “to over 50 Amazon warehouses across 10 states,” the Teamsters said. Most recently, drivers in Skokie, Illinois, “launched their own unfair labor practice strike in June 2024,” right around the same time that “more than 5,500 members of the Amazon Labor Union in New York voted by an overwhelming 98.3 percent to affiliate with the Teamsters.”
In their blog, the Teamsters said that Amazon “has avoided responsibility for its drivers through its DSP subcontractor business model” since 2018, but drivers hope that yesterday’s NLRB determination could put an end to the dodgy tactic.
“The NLRB’s joint employer determination shatters that myth” that “DSP drivers are not official employees of Amazon” and “makes clear that through its DSP business model, Amazon exercises widespread control over drivers’ labor and working conditions, making Amazon the drivers’ employer,” the Teamsters said.
The Teamsters said that they are “confident” that “the NLRB’s regional determination for the Palmdale workers will extend to Amazon DSP drivers who unionize nationwide.” One union member and Amazon driver, Brandi Diaz, celebrated what she considered to be the US government recognizing that the DSP program is a “sham.”
“We wear Amazon uniforms, we drive Amazon vans, and Amazon controls every minute of our day,” Diaz said. “Amazon can no longer have all the benefits of their own fleet of drivers without the responsibilities that come with it. The time has come for Amazon drivers across the country to organize with the Teamsters and demand what we deserve.”
Drivers are currently fighting to increase wages and improve driver safety amid what they claim are unchecked dangerous conditions they must navigate as Amazon drivers. Moreno said that the NLRB determination was a significant step toward unionizing more drivers and ending Amazon’s allegedly unfair labor practices nationwide.
“We have been on strike to stop Amazon’s lawbreaking and we are winning at the NLRB, while we are uniting Amazon workers across the country like never before,” Moreno said.