
I’ve spent the week watching people try to solve human problems with technical solutions and technical problems with human rage. Neither works as well as you’d think.

Also, while I was speaking at infosec about the latest AI threats people need to be wary of, my motorbike, which was in the “secure” ExCeL car park, got stolen. There’s an analogy in there somewhere. I just can’t put my finger on it.

The Booby Trap Defence

A developer embedded code that deletes itself if touched by AI tooling. Now he’s getting threats from people who apparently believe sabotage is a legitimate development philosophy.

The position on AI is irrelevant. I won’t lie that I kind of admire the audacity of someone thinking you can fight a culture war by rigging explosives in someone else’s repository.

https://gizmodo.com/dev-says-hes-getting-threats-after-leaving-a-booby-trap-for-vibe-coders-2000765231

The FBI Knocks Twice

A journalist got a visit from the FBI about his reporting. They wouldn’t say why. So he’s suing to find out, which is the correct response when transparency suddenly becomes a one-way mirror.

Accountability shouldn’t stop just because you’re holding the badge.

https://www.rcfp.org/litigation/whittaker-v-doj/

The Pi Heist

Someone physically installed a Raspberry Pi inside a bank’s network switch. Not to exfiltrate data. To replay legitimate PIN verifications and drain ATMs remotely.

The perimeter was never the problem. The assumption that anything inside the perimeter is trustworthy remains the gift that keeps on giving.

https://cybersec.picussecurity.com/s/unc2891-bank-heist-explained-caketap-rootkit-and-raspberry-pi-attack-27676

One Click, Full Access

GitHub’s browser-based VSCode has a webview bug that hands over a token with full read-write access to all your repos, including private ones. One click on a malicious link and the keys are copied.

https://blog.ammaraskar.com/github-token-stealing/#why-full-disclosure

The Harness Problem

Your AI agent gets all the scrutiny. The harness that actually executes its instructions gets none. It’s got more privilege than the model and you’ve probably never even looked at it.

We’re so busy worrying about what the brain might do that we forgot to check what the hands are holding.

https://cybersec.pillar.security/s/your-agent-harness-has-more-privilege-than-your-agent-27726

Google Goes Home

The European Parliament swapped Google for Qwant (I’m not even going to try to pronounce that), a French privacy-first search engine. It’s a lovely gesture. Whether a genuinely privacy-respecting tool can survive prolonged contact with institutional governance is a question we’ll have answered soon enough.

https://www.politico.eu/article/european-parliament-ditches-google-for-french-search-engine

Even Criminals Have HR

The Nova ransomware gang had to publicly fire someone for breaking rule one: don’t infect Russia or CIS countries. The apology was immediate and free. The alternative would not have been.

Turns out even transnational cybercrime syndicates have an employee handbook and consequences for violating it. Just not the kind with a tribunal.

https://www.theregister.com/cyber-crime/2026/06/02/dumbass-criminal-breaks-the-first-rule-of-ransomware-club/5250380

Vulnmaxxing and Vendor Lock-In

Funny how the tool that suddenly finds ten thousand bugs also sells you the only tool capable of fixing them at speed.

The poor get poorer, just with better metrics this time.

https://www.defendersinitiative.com/p/the-unintended-consequences-of-vulnmaxxing
That’s your lot. If you’re still reading these on LinkedIn instead of your inbox, you can fix that. If you’ve got a story I missed or just want to tell me I’m wrong, reply to this. I read them all, even the angry ones.

Especially the angry ones.