EP 251. This week's update with a side of Fries....
McDonald’s AI-driven hiring platform faces scrutiny after a critical security flaw exposed millions of applicants’ personal data to potential hackers.  
Swedish security personnel inadvertently disclosed Prime Minister Ulf Kristersson’s private whereabouts through fitness app Strava, raising national security concerns. 
Qantas confirms a massive data breach affecting 5.7 million customers, exposing personal details via a third-party platform breach by the Scattered Spider group. 
Jack Dorsey’s Bitchat app, touted for secure decentralized messaging, faces skepticism as untested security vulnerabilities spark concerns among researchers. 
As quantum computing nears, industries are urged to adopt post-quantum cryptography to safeguard sensitive data against future decryption threats. 
North Korean hackers deploy the sophisticated “Contagious Interview” scam, using AI-driven personas to trick job-seekers into installing malicious software.  
OpenAI challenges Microsoft with a forthcoming AI-powered productivity suite, aiming to disrupt the dominance of Microsoft 365 and Google Workspace.  
A DOGE employee’s accidental leak of xAI’s API key on GitHub provides access to advanced AI models, all r  adding up to some pretty silly security lapses.
Please pass the ketchup!

For this week's full transcript and additional links, click here.

Emerging Trends in Privacy, Security, and AI

Decentralized, Offline Messaging with Bitchat

Jack Dorsey’s Bitchat is a privacy-first messaging app that bypasses internet and servers, using Bluetooth Low Energy (BLE) mesh networking to transmit encrypted, ephemeral messages between nearby devices. It doesn’t require phone numbers, accounts, or cloud storage, and messages disappear by default. Bridge devices help extend communication range, making Bitchat ideal for secure, off-grid use.

Google Gemini AI and Privacy Risks

Gemini AI now accesses third-party app data on Android to offer personalized help, such as reading messages or travel plans. This is enabled by default, raising privacy concerns due to the opt-out model. Users can disable this by adjusting settings in the Gemini app and Android assistant preferences, protecting themselves from unwanted data sharing.

Stalkerware and the Catwatchful Data Breach

Stalkerware secretly monitors victims' phones. The Catwatchful breach exposed the inner workings of such an app, leaking over 620,000 files from thousands of Android devices. Sensitive data—including messages, calls, locations, and recordings—was compromised. The incident emphasized the dangers of covert surveillance and the importance of frequent device audits.

AT&T’s Account Lock Against SIM Swapping

To counter SIM swapping—a fraud tactic for hijacking phone numbers—AT&T introduced Account Lock. Enabled via the myAT&T app, it blocks unauthorized changes to accounts, like SIM swaps or billing info updates. Only primary and secondary account holders can manage the feature, and alerts are sent when changes are attempted.

Free IP Address SSL from Let’s Encrypt

Let’s Encrypt now offers free TLS/SSL certificates for IP addresses, a feature that previously required paid services. This allows users with static IPs to secure websites via HTTPS without needing a domain name, broadening access to internet security for individuals and small organizations.

Debate Over Artificial General Intelligence (AGI)

AGI, defined as machine intelligence equal to or exceeding human capability across tasks, remains an ill-defined concept. The lack of consensus complicates investment, regulation, and measurement in the AI field, making it difficult to assess progress or set meaningful policy benchmarks.

Microsoft’s AI-Based Layoff Support Draws Criticism

After laying off nearly 1,000 employees, Microsoft suggested affected staff use AI tools like Copilot for emotional support. This move was widely criticized as insensitive and profit-driven, spotlighting the growing unease with replacing human empathy with AI in sensitive situations.

This week takes us from blueteeth to AI emotional support
Jack Dorsey’s innovative Bitchat app pioneers secure, internet-free messaging via Bluetooth, redefining decentralized communication.
Google’s Gemini AI introduces context-aware assistance on Android, sparking privacy debates with its opt-out data access model.
A major breach exposes Catwatchful’s invasive stalkerware, compromising thousands of Android devices with covert surveillance.
Finally, AT&T’s Account Lock feature empowers customers to safeguard their accounts against rising SIM swapping threats.
Let’s Encrypt revolutionizes online security by offering free TLS/SSL certificates for IP addresses, enhancing accessibility.
The elusive definition of AGI fuels debate, challenging tech giants like Microsoft and OpenAI in their race for innovation.
Microsoft’s AI-driven layoff support sparks discussion, as displaced employees are encouraged to use Copilot for emotional resilience.
Obviously lots of news and emotion packed into this week's update.  Let's go cry an AI.

For a full transcript click here.

North Korean IT Worker Fraud Scheme:

The U.S. Department of Justice uncovered a covert North Korean operation involving IT workers fraudulently securing remote jobs at over 100 American tech companies using stolen or fake identities. These workers operated within U.S.-based "laptop farms" and created shell companies to obscure over $5 million in illicit earnings. Funds were funneled to the North Korean government, supporting weapons development. The scheme also involved data theft, including sensitive source code from a U.S. defense contractor.

Android 16 Anti-Surveillance Feature:

Android 16 introduces a “network notification” security upgrade that alerts users when their device connects to suspicious or unencrypted cell networks. It specifically guards against fake cell towers, such as stingray devices, by warning users about network requests for identifiers or lack of encryption, enhancing protection from mobile surveillance and forced downgrades to insecure protocols.

Critical Printer Vulnerabilities:

Rapid7 researchers identified eight major vulnerabilities affecting printers from Brother, Ricoh, Toshiba, Konica Minolta, and Fujifilm. The most critical flaw (CVE-2024-51978) lets remote attackers bypass admin authentication by exploiting a companion vulnerability (CVE-2024-51977) that reveals the printer's serial number—used to generate default admin credentials. This enables unauthorized reconfiguration and access to stored sensitive documents.

Microsoft Authenticator Password Phase-Out:

Microsoft will remove password autofill and access features from its Authenticator app starting July 2025. The move supports a transition to passwordless sign-ins using biometrics (e.g., facial recognition, fingerprints) and passkeys, aligning with industry shifts toward stronger, phishing-resistant authentication methods.

NIH Open-Access Research Mandate:

A new U.S. NIH policy mandates that all taxpayer-funded research be freely accessible upon publication. This accelerates an open-access directive initiated under Biden and implemented during the Trump administration. The policy enhances public access to scientific discoveries and may enable AI tools to help interpret complex studies for broader audiences.

Pro-Scottish Independence Account Shutdowns:

On June 12, multiple X (formerly Twitter) accounts advocating for Scottish independence vanished in sync with an Israeli cyber strike on Iran. The timing and scope of internet outages in Iran imply that the accounts were likely Iranian-run disinformation tools designed to destabilize the UK under the guise of grassroots political advocacy.

Facebook Camera Roll Upload Concerns:

Facebook is asking users to opt in to uploading unshared photos from their camera roll to Meta’s servers to enable AI-generated content (e.g., collages). While Meta states that content remains private and isn't used for advertising, users must accept AI Terms that permit facial recognition, retention of loosely defined personal data, and potential human review—raising serious privacy concerns over intimate, unshared images.

Meta’s AI Superlab Push:

Meta has launched “Meta Superintelligence Labs” and is heavily investing in top AI talent, reportedly offering compensation packages in the $10 million range. This underscores Meta's ambition to lead in high-end AI development, marking its entry into the elite tier of the global “AI arms race” beyond consumer-facing chatbots.

This week we've got loads of news and loadsa money!
North Korean IT workers secretly landed remote jobs at over 100 U.S. tech companies, funneling millions to fund Kim Jong Un’s weapons program.  The operation ran for years undetected—until the FBI knocked on the wrong contractor’s door.
Android 16 is getting a stealthy new feature that alerts users when their phone connects to suspicious cell towers.
Think your phone isn’t being watched?  Your operating system might soon say otherwise.
A massive printer vulnerability affects nearly 700 Brother models and devices from other major brands.
Hackers can bypass admin passwords with nothing but a serial number—guess what’s sitting unsecured in your office?
Microsoft is phasing out passwords in its Authenticator app, starting a full pivot to biometrics and passkeys.  You’ve got until August 2025 before your autofill feature goes dark.
The NIH now requires that all taxpayer-funded research be freely available the moment it's published.  In a surprise move, the Trump administration just fast-tracked open science—seriously.  What?
Dozens of pro-Scottish independence X accounts suddenly went dark after Israeli strikes crippled Iranian cyber infrastructure.  Turns out, your favorite “local activist” might have been powered by Tehran.
Facebook wants permission to scan your unposted camera roll photos using Meta AI for creative suggestions.  Say "yes", and you’re handing over your private moments—whether you shared them or not.
Meta just launched a new AI superlab and is throwing around $10M pay packages to build it.  Zuckerberg’s not just building chatbots—he’s recruiting an AI dream team.
Loadsa everything.  Let's go get rich!

Find the full transcript to this podcast here.

What are the latest trends in large-scale cyberattacks, and how can individuals help prevent them?

Large-scale cyberattacks, especially Distributed Denial of Service (DDoS), are growing in both scale and sophistication. One recent attack hit 7.3 Tbps, unleashing 37.4 TB of junk traffic in 45 seconds. These attacks often harness botnets made up of compromised Internet of Things (IoT) devices—like home routers or cameras—that have default credentials or unpatched software.

How to help prevent this:

Change default passwords on IoT devices

Regularly update firmware

Disable unused services (e.g., Telnet)

Use firewalls and segment your network

How do smart TVs and other smart devices compromise privacy, and what's being done?

Smart devices like TVs and speakers often use Automatic Content Recognition (ACR) to monitor what you're watching and send this data to manufacturers or advertisers—often without clear consent. This data fuels detailed user profiling and cross-device tracking.

In response, the UK’s Information Commissioner’s Office (ICO) now requires manufacturers to ensure transparency, secure data handling, and routine data deletion—or face enforcement. Consumers can protect themselves by disabling ACR (e.g., SyncPlus on Samsung, Live Plus on LG) and reviewing privacy settings.

What are the current limitations of LLM-based AI in enterprise settings?

A Salesforce-led study found that large language model (LLM) AI agents succeed at only 58% of basic CRM tasks and just 35% of multi-step ones. More concerning, they exhibit poor confidentiality awareness. Prompting helps slightly but often hurts task accuracy. Current benchmarks fail to assess sensitivity to confidential data, raising red flags for enterprise use without rigorous testing.

What are the geopolitical implications of AI and cyber operations?

AI and cyber tools are shaping geopolitical strategies. The U.S. accuses Chinese AI firm DeepSeek of aiding military intelligence and bypassing export controls. Chinese law further mandates data sharing with its government, raising global privacy concerns. Meanwhile, cyberattacks are weaponized to disrupt infrastructure and spread disinformation—as seen in Iran’s state TV hijacking and a $90M crypto exchange hack.

How do data brokers threaten personal safety, and what can you do?

Data brokers compile and sell personal data—including home addresses—without vetting buyers. This can lead to stalking or worse, as shown in the murder of Rep. Melissa Hortman, allegedly found via a “people search” site.

The U.S. lacks federal regulation, but California’s "Delete Act" is a step forward. Until broader laws are in place, individuals must manually opt out of data broker sites or hire services to assist in removing their information.

How are ransomware groups evolving?

Groups like Qilin are getting more professional. Their “Call a Lawyer” service gives affiliates legal guidance to classify stolen data, assess damages, and negotiate ransoms more effectively—maximizing economic pressure on victims. It’s a troubling move toward organized, businesslike cybercrime.

Why is ACR in smart TVs a privacy issue?

ACR continuously scans all video content viewed on your TV—even from HDMI devices—and sends data to third parties. It enables:

Tracking without consent

Data monetization for targeted ads

Cross-device profiling

Potential security risks from unmaintained TV firmware

Why should you secure IoT devices?

Unpatched IoT devices can be infected and used in global botnet attacks. By securing your devices, you're not only protecting yourself but also helping reduce the scale of global cyber threats.

In this week's update: A massive 7.3Tbps DDoS attack overwhelmed a Cloudflare customer’s site with 37.4 terabytes of junk traffic in just 45 seconds, highlighting the growing scale of cyber threats.
Smart TVs equipped with Automatic Content Recognition (ACR) technology track viewing habits across devices, raising significant privacy concerns due to extensive data collection.
Then the UK’s Information Commissioner’s Office has issued new guidance to curb excessive data collection by smart devices like TVs, speakers, and air fryers, prioritizing user privacy.
A Salesforce study revealed that LLM-based AI agents achieve only 58% success on simple CRM tasks and struggle with confidentiality, exposing gaps in real-world enterprise applications.
U.S. officials claim Chinese AI firm DeepSeek is aiding China’s military and evading export controls, raising concerns about its global AI model usage.
The suspected killer of Minnesota State Rep. Melissa Hortman allegedly used online “people search” sites to find her address, underscoring the dangers of unregulated data brokers.
Iran’s state TV was hijacked and its largest crypto exchange lost $90 million in cyberattacks, signaling the rising role of cyber operations in geopolitical conflicts.
The Qilin ransomware group now offers a “Call a Lawyer” service to its affiliates, providing legal advice to enhance extortion efforts and project professionalism.
Drop the telly, we've got a lot to cover this week!

For the full transcript to this podcast click here.

Windows Hello's Facial Authentication Update

Microsoft updated Windows Hello to require both infrared and color cameras for facial authentication, addressing a spoofing vulnerability. This enhances security but disables functionality in low-light settings, potentially inconveniencing users and pushing some toward alternatives like Linux for flexible authentication.

EchoLeak and AI Security

'EchoLeak' is a zero-click vulnerability in Microsoft 365 Copilot, discovered by Aim Labs, allowing data exfiltration via malicious emails exploiting an "LLM Scope Violation." It reveals risks in AI systems combining external inputs with internal data, emphasizing the need for robust guardrails.

Denmark’s Shift to LibreOffice and Linux

Denmark is adopting LibreOffice and Linux to boost digital sovereignty, reduce reliance on foreign tech like Microsoft, and mitigate geopolitical and cost-related risks. This follows a 72% rise in Microsoft software costs over five years.

Chinese AI Firms Bypassing U.S. Chip Controls

Chinese AI companies evade U.S. chip export restrictions by processing data in third countries like Malaysia, using tactics like physically transporting data and setting up shell entities to access high-end chips and return trained AI models.

Mattel and OpenAI Partnership

Mattel’s collaboration with OpenAI to create AI-enhanced toys introduces engaging, safe experiences for kids but raises privacy and security concerns, highlighting the need for "Zero trust" models in handling children’s data.

Apple’s Passkey Import/Export Feature

Apple’s new FIDO-based passkey import/export feature allows secure credential transfers across platforms, enhancing security and convenience. It uses biometric or PIN authentication, replacing less secure methods and improving interoperability.

Airlines Selling Passenger Data to DHS

The Airlines Reporting Corporation, owned by U.S. airlines, sold domestic flight data to DHS’s CBP, including names and itineraries, with a clause hiding the source. This raises privacy concerns about government tracking without transparency.

WhatsApp’s New Ad Policy

WhatsApp’s introduction of ads in its "Updates" section deviates from its original "no ads" philosophy. While limited and preserving chat encryption, this shift alters the ad-free experience that attracted its two billion users.

https://rprescottstearns.blogspot.com/2025/06/broken-windows-it-privacy-and-security.html

EP 247.

... and in this update, Microsoft has updated Windows Hello to require both infrared and color cameras for facial authentication, improving security by addressing a spoofing vulnerability, though it now requires visible lighting. This increases biometric reliability and inconvenience to users in low-light settings. Consider exploring alternative operating systems like Linux for flexible authentication options.

Aim Labs identified and helped patch 'EchoLeak,' a zero-click vulnerability in Microsoft 365 Copilot that risked data exfiltration via malicious emails, highlighting the need for stonking great AI guardrails.

Denmark is shifting from Microsoft Office and Windows to LibreOffice and Linux to enhance digital sovereignty and reduce reliance on foreign technology, driven by security, economic, and geopolitical priorities.

Chinese AI companies are bypassing U.S. chip export controls by processing data in third countries like Malaysia, using suitcases of hard drives to transport AI-training data.

Mattel has teamed up with OpenAI to develop AI-enhanced toys, promising safe, engaging, and age-appropriate experiences, with the first product set to launch later this year.

Apple’s new passkey import/export feature, built on FIDO Alliance standards, enables secure credential transfers across platforms, boosting interoperability while maintaining biometric security.

This advances user convenience and cross-ecosystem flexibility. Now you can adopt passkeys to streamline secure authentication across your devices and platforms.

A data broker owned by major U.S. airlines sold passenger flight data to DHS, prompting privacy concerns as agencies track travel without disclosing data sources.

WhatsApp will begin displaying ads in its Updates section, using limited user data like location for targeting, while preserving end-to-end encryption for chats and messages.

INTERPOL’s Operation Secure dismantled over 20,000 malicious IPs linked to 69 malware variants, arresting 32 suspects and seizing significant data to curb phishing and fraud.

Find the full transcript for this podcast here.

Meta and Yandex covertly tracked Android users through their apps, which listened silently on local ports to intercept browsing data and link online activities to user identities, evading common privacy measures like cookie deletion or Incognito Mode. Users can protect themselves by uninstalling these apps, switching to privacy-focused browsers (e.g., Firefox, Brave, DuckDuckGo), and closely managing device permissions.

Sonoma County faces criticism and a lawsuit from the ACLU for expanding drone surveillance beyond cannabis cultivation monitoring into widespread warrantless surveillance of private properties. This has raised concerns over constitutional privacy rights, government overreach, and accountability.

New York's "Keep Police Radio Public Act" seeks to maintain transparency by preventing the NYPD from encrypting radio communications completely, ensuring continued access for emergency responders and the press. This transparency balances public oversight and law enforcement needs, essential for democratic accountability.

AI-generated influence operations, some linked to China, have surfaced, spreading misinformation on social media platforms on geopolitical topics. Users are advised to adopt digital skepticism, critically evaluate online content, and verify information to avoid falling victim to AI-driven propaganda.

BADBOX 2.0 malware has infected over a million IoT devices like uncertified Android TVs and tablets, turning them into proxies for cybercriminal activities. The FBI advises users to purchase certified devices from reputable brands, regularly update firmware, monitor suspicious network activity, and isolate infected devices quickly.

Recent findings indicate Chinese state-backed hackers infiltrated a U.S. telecom company in 2023, earlier than previously known, using sophisticated malware. This underscores persistent threats to critical communication infrastructures and highlights the vulnerability of essential national systems.

Apple’s research reveals significant limitations in current advanced AI models’ actual reasoning abilities. Despite impressive superficial outputs, these models collapse when facing complex or novel tasks, raising doubts about their cognitive capabilities. Apple's findings prompt caution about relying too heavily on AI-driven systems.

The overarching theme connecting these issues is the rapid erosion of individual privacy and national security due to covert data tracking, unauthorized surveillance, sophisticated cyberattacks, and misuse of advanced AI technologies. This underscores the need for greater transparency, robust security practices, and enhanced critical awareness from individuals to protect fundamental rights and national security interests.