• Santa and The IT Privacy and Security Weekly update for the week ending December 23rd., 2025
    Dec 24 2025

    EP 271. For this week’s holiday update:


    Santa’s naughty list exposed in data breach. A lighthearted reminder from a past holiday hoax: even Santa's list isn't immune to data breaches.


    How China Built Its 'Manhattan Project' To Rival the West in AI Chips. China's clandestine push to master extreme ultraviolet lithography signals a major leap toward semiconductor self-sufficiency, challenging Western dominance in AI-enabling technology.


    Apple Fined $116 Million Over App Privacy Prompts. Italy's antitrust authority has penalized Apple €100 million for imposing stricter privacy consent requirements on third-party apps than on its own, tilting the playing field in the App Store ecosystem.


    Cyberattack Disrupts France's Postal & Banking Services During Christmas Rush. A major DDoS attack crippled La Poste’s online services and banking arm at the peak of the holiday season, highlighting the vulnerability of critical infrastructure during high-traffic periods.


    Browser Extensions With 8 Million Users Collect Extended AI Conversations. Popular Chrome and Edge extensions trusted by millions have been caught secretly harvesting full AI chat histories, raising serious concerns about privacy in everyday browsing tools.


    How a PNG Icon Infected 50,000 Firefox Users. A clever malware campaign hid malicious JavaScript inside innocent-looking PNG extension icons, infecting tens of thousands of Firefox users through trusted add-ons.


    Most Parked Domains Now Serving Malicious Content. Expired and typosquatted domains, once benign placeholders, now predominantly redirect users to scams, malware, and fraudulent sites, making casual web navigation riskier than ever.


    What's up with the TV? Massive Android Botnet infects 1.8 Million Devices. The Kimwolf botnet has compromised over 1.8 million Android TV boxes, turning everyday smart devices into powerful tools for proxy traffic and massive DDoS attacks.


    Mass Hacking of IP Cameras Leave Koreans Feeling Vulnerable in Homes, Businesses. Widespread breaches of 120,000 internet-connected cameras in South Korea exposed private footage sold online, eroding public trust in consumer surveillance technology.

    The FCC has barred new imports of foreign-made drones, citing unacceptable risks of espionage and disruption, with DJI, the market leader, facing the most significant impact.


    FSF Says Nintendo's New DRM Allows Them to Remotely Render User Devices 'Permanently Unusable'. Nintendo's updated terms grant the company sweeping authority to remotely disable Switch consoles and accounts for perceived violations, sparking debate over true ownership in the digital age.

    This week we’ve got the sleigh piled high, so call out the reindeer and we’ll get this update out to children all over the world!


    29 mins
  • EP-270.5 Deep Dive. Honey Don't. The IT Privacy and Security Weekly update for the week ending December 16th., 2025
    Dec 18 2025

    Global: Over 10,000 Docker Hub Images Found Leaking Credentials, Auth Keys

    The widespread exposure of sensitive keys in Docker images underscores the dangers of embedding secrets in container builds. Developers should prioritize centralized secrets management and routine scanning to prevent lasting breaches even after quick fixes.

    CN: Chinese Whistleblower Living In US Is Being Hunted By Beijing With US Tech

    This case highlights how advanced surveillance tools can erase borders, enabling persistent transnational repression. It serves as a stark reminder that personal data, once captured, can fuel harassment far beyond its intended use.

    EU: 193 Cybercrims Arrested, Accused of Plotting 'Violence-As-a-Service'

    The successful disruption of "violence-as-a-service" networks shows that coordinated law enforcement can counter the dangerous blend of online recruitment and offline crime. Continued vigilance is essential to protect communities from these evolving hybrid threats.

    Global: Google will shut down “unhelpful” dark web monitoring tool

    Google's decision to retire its dark web monitoring feature reflects the challenge of turning breach notifications into truly actionable advice. Users should seek security tools that not only alert but also guide clear, practical steps for protection.

    Global: Second JavaScript Exploit in Four Months Exposes Crypto Sites to Wallet Drainers

    Repeated supply-chain vulnerabilities in core JavaScript libraries reveal how quickly dependencies can become attack vectors. Maintaining rigorous patch management and dependency monitoring is now as critical as safeguarding cryptocurrency itself.

    RU: All of Russia’s Porsches Were Bricked By a Mysterious Satellite Outage

    The mass immobilization of connected vehicles illustrates the hidden risks of over-reliance on remote satellite systems for essential functions. As cars grow smarter, resilience against connectivity failures must become a design priority.

    RU: Russian Hackers Debut Simple Ransomware Service, But Store Keys In Plain Text

    Even motivated threat actors can sabotage their own operations through basic security oversights like hardcoding keys. This flaw reminds defenders that attacker mistakes can offer unexpected opportunities for recovery without payment.

    US: More Than 200 Environmental Groups Demand Halt To New US Datacenters

    The growing backlash against unchecked data center expansion ties AI progress directly to real-world strains on energy, water, and household bills. Balancing technological advancement with sustainable infrastructure is no longer optional but urgent for communities nationwide.


    17 mins
  • Honey Don't. The IT Privacy and Security Weekly update for the week ending December 16th., 2025
    Dec 17 2025

    EP 270.

    In this week’s update:
    Security researchers uncover over 10,000 publicly available Docker Hub images exposing sensitive credentials and API keys, posing severe risks to production systems and AI services.
    A former Chinese official now seeking asylum in the United States reveals ongoing transnational harassment by Beijing, leveraging advanced surveillance tools, including those developed by American companies.
    European law enforcement dismantles sophisticated "violence-as-a-service" networks in a major operation, arresting 193 suspects accused of recruiting teenagers for real-world attacks and intimidation.
    Google announces the upcoming shutdown of its dark web monitoring service, citing user feedback that breach alerts lacked actionable guidance for meaningful protection.
    A critical vulnerability in the popular React JavaScript library enables attackers to inject wallet-draining malware into legitimate cryptocurrency platforms, marking the second major supply-chain exploit in recent months.
    Hundreds of Porsche vehicles across Russia suddenly become inoperable due to a widespread failure in satellite-dependent anti-theft systems, leaving owners stranded amid ongoing connectivity issues.
    Pro-Russian threat actors launch a Telegram-based ransomware-as-a-service platform, only to undermine their own operation by carelessly hardcoding master decryption keys in plaintext.
    Over 230 environmental organizations urge Congress to impose a nationwide pause on new data center construction, highlighting the facilities' escalating strain on electricity, water resources, and climate goals driven by AI expansion.
    Let’s go have a look, but honey don’t forget the keys!


    Find the full transcript to the podcast here.

    20 mins
  • EP 269.5 Deep Dive. Truckin' With the IT Privacy and Security Weekly update for the week ending December 2nd., 2025
    Dec 4 2025

    Modern security is defined less by a single network perimeter and more by a web of interconnected partners, vendors, and shared infrastructure, where one weak link can trigger widespread impact. Criminals are exploiting this by abusing trusted relationships and platforms: in logistics, attackers impersonate freight middlemen to take over identities, push fake loads, and use malicious links to compromise carrier systems and hijack real-world cargo, while a breach at a fintech provider and an IT failure shared across London councils show how third-party or shared services can ripple across many institutions. At the same time, phishing campaigns that spoof familiar tools like Calendly and major brands turn everyday business workflows into delivery channels for account takeover and abuse of ad and business platforms.

    Alongside this erosion of perimeter and trust, artificial intelligence introduces a new, unstable risk frontier. Research into “syntax hacking” shows that AI safety controls can be bypassed simply by changing sentence structure, revealing how current models often key on grammar rather than true meaning and leaving dangerous gaps in protections. Real-world deployments amplify these concerns: surveillance firm Flock reportedly relied on overseas gig workers to review sensitive footage to train its systems, illustrating how technically brittle AI is already entangled with serious privacy and labor issues. This moment echoes early social media, with warnings that—without strong governance—AI could evolve into a tool of control rather than shared benefit.

    Even as these advanced threats grow, many major incidents still stem from basic failures. A breach at Illuminate Education exposed unencrypted data for millions of students due to missing fundamentals like access controls and patching, while the Australian Bureau of Meteorology spent heavily on a website overhaul that degraded services and public trust, underscoring how poor project governance can be as damaging as outright insecurity.

    In response, governments and regulators are escalating both direct enforcement and strategic policy: Europol has physically dismantled a major crypto-mixing service used for money laundering, while EU lawmakers push for “digital sovereignty” by demanding EU institutions replace Microsoft tools with European alternatives. Together, these themes show a security landscape where fragile trust, immature AI governance, and unresolved basics collide with increasingly assertive institutional responses.

    14 mins
  • Truckin' With the IT Privacy and Security Weekly update for the week ending December 2nd., 2025
    Dec 3 2025

    EP 269. In this week’s update:
    Organized crime syndicates are now recruiting skilled hackers to orchestrate sophisticated digital hijackings of entire truckloads of high-value cargo.
    A bizarre Windows preview update has turned the password field invisible, leaving Microsoft advising users to blindly click where the button once appeared.
    Australia’s $62 million weather-service overhaul launched on one of the hottest days of the year—only to deliver a slower, less functional site that enraged farmers and the public alike.
    The FTC has slammed edtech provider Illuminate Education for egregious security failures that allowed a single hacker to steal sensitive records of over 10 million students.
    A startling new study reveals that simply rearranging sentence syntax—not content—can trick major language models into ignoring their own safety guardrails.
    The company behind America’s sprawling network of AI-powered license-plate cameras quietly relies on low-wage overseas freelancers to label footage of U.S. drivers and pedestrians.
    In a major blow to cybercrime, Europol and partners have seized servers, €25 million in Bitcoin, and shut down one of the world’s largest cryptocurrency money-laundering services.
    European Parliament members are demanding the institution ditch Microsoft Office 365 and U.S. hardware in favor of homegrown alternatives to reclaim digital sovereignty.
    Let’s jump in the cab and take this week’s rig for an adventure!

    Find the full transcript to this week's podcast here.

    18 mins
  • EP 268.5 Deep Dive. Chew Thoroughly. The IT Privacy and Security Weekly Update for the week ending November 25th., 2025
    Nov 27 2025

    The EPA approved two new PFAS-containing pesticides for food crops and plans four more. Scientists warn this deliberately increases dietary exposure to persistent chemicals linked to cancer and birth defects.

    A magician who implanted an RFID chip in his hand for stage tricks forgot the password and is now permanently locked out of the device inside his own body. Perhaps he should have had the password tattooed backwards on his forehead.

    A fired Ohio contractor pleaded guilty to resetting 2,500 coworker passwords via PowerShell, paralyzing the company and causing $862,000 in damages. We’re thinking this will keep him fired for quite a while.

    MI5 warns MPs that Chinese state agents are aggressively targeting lawmakers and staff through fake recruiter profiles on LinkedIn to cultivate intelligence sources. LinkedIn is not the friend it once was.

    NordPass data confirms Gen Z now chooses weaker passwords than 80-year-olds, proving every generation remains terrible at basic security hygiene. Wait… Your password is worse than your grandmother’s? Please subscribe to this podcast.


    Prominent cryptographer accuses NSA of rigging IETF process to force adoption of deliberately weakened post-quantum encryption standards despite community objections. That could explain some of the very trivial ways some of these encryption algos have been broken lately.


    Microsoft’s new Copilot Actions can autonomously edit user files but openly warns it’s vulnerable to hijacking that enables data theft or malware installation. Sweet, right?


    U.S. Cyber Command quietly awarded millions to a stealth startup building fully autonomous AI agents designed for large-scale offensive cyberattacks. The twist is that they are not writing code to help AI help people; in this case it’s code to help AI. Why bother with the slow middleman?


    Researchers unveiled EchoGram, a subtle token trick that silently disables safety guardrails on GPT-4, Claude, Gemini, and nearly every major LLM. Guardrails. Great concept, but not so much in practice.

    13 mins
  • Chew Thoroughly. The IT Privacy and Security Weekly Update for the week ending November 25th., 2025
    Nov 26 2025

    EP 268

    The US Environmental Protection Agency (EPA) approves PFAS-containing pesticides for everyday food crops, opening a new pathway for “forever chemicals” to reach dinner plates.

    A magician who implanted an RFID chip in his hand for performances discovers the ultimate trick: he’s permanently locked out by his own forgotten password. He must not be Gen X.
    Fired Ohio contractor pleads guilty to crippling his former employer’s network with a single script, causing $862,000 in damage and chaos for thousands of workers, but he might get free room and board out of it for the next 10 years.
    MI5 warns parliamentarians that Chinese state agents are systematically targeting them through fake recruiter profiles on LinkedIn. Now Parliamentarians can be just like the rest of us!
    NordPass data reveals Gen Z now picks even weaker passwords than 80-year-olds, proving humanity will never get the secure password thing right.
    A leading cryptographer accuses the NSA of orchestrating a quiet IETF takeover to force through deliberately weakened post-quantum encryption standards.
    Microsoft’s new Copilot Actions can autonomously manage your files, yet the company admits it can be tricked into stealing data or installing malware. Oh, yes. We all want that.
    U.S. Cyber Command quietly funds a stealth AI startup to build autonomous systems capable of executing large-scale offensive cyberattacks.
    HiddenLayer researchers expose a subtle token-sequence attack that silently bypasses safety guardrails on GPT-4, Claude, Gemini, and nearly every major LLM.
    C'mon, put your dentures in and let’s see if we can come up with a password better than your Gran.


    Find the full transcript of this podcast here.

    20 mins
  • EP 267.5 Deep Dive. A Wrench in the IT Privacy and Security Weekly Update for November 18th., 2025
    Nov 20 2025

    This week's security landscape is defined by three converging vectors: the expansion of threats into physical and environmental domains, persistent vulnerabilities in core digital infrastructure, and the escalating strategic battle over data, privacy, and artificial intelligence.

    The lines between digital and physical threats are dissolving, forcing a new risk calculus where leaders must model non-traditional, high-impact consequences. This is evident in the rise of physical coercion against cryptocurrency holders, known as 'wrench attacks,' and in corporate extortion campaigns. Checkout.com’s response—publicly refusing a ransom and instead donating the demanded sum to cybersecurity research at Carnegie Mellon and Oxford—demonstrates that integrity under real-world pressure is now a critical security posture. This new risk paradigm also encompasses environmental stability, with Iceland formally classifying the potential collapse of the AMOC ocean current as a national security risk. While these real-world threats demand new security paradigms, they are compounded by persistent weaknesses in the foundational digital infrastructure they often target.

    Foundational technologies continue to exhibit critical weaknesses that are being exploited with increasing subtlety. A simple enumeration flaw exposed 3.5 billion WhatsApp phone numbers—a vulnerability Meta was warned about using the exact same technique in 2017 but dismissed. In the software supply chain, a massive npm incident saw over 150,000 packages poisoned not with overt malware, but through nuanced incentive abuse. This trend culminates in the browser itself, which has become the primary theater for stealth attacks like session hijacking that render traditional perimeter defenses obsolete. This effectively redefines the enterprise perimeter, demanding a strategic pivot from network-centric to identity-centric security models. The pervasiveness of these foundational weaknesses is directly fueling a large-scale strategic response, escalating the battle over data control, user privacy, and AI.

    This strategic tug-of-war over data and dominance is now intensifying. On one side, legal challenges from the ACLU and EFF target pervasive surveillance networks like Flock's license plate readers. On the other, a push for user empowerment is gaining momentum through privacy-centric technologies. Windows 11's expanded native support for passkeys and Google's new Private AI Compute platform signal a market shift toward giving users greater control over their data and authentication. This conflict extends to the geopolitical stage, where the US and China are now engaged in an AI 'cold war,' racing for supremacy in a technology that will redefine global power.

    Security is now a multi-front concern where digital infrastructure, physical safety, and geopolitical strategy are inextricably linked.

    15 mins