Robert Grupe's AppSecNewsBits 2025-02-22
Highlights This Week: New crypto attack record, enterprise network compromised in 48 minutes, Health Care cyber security fails, data protection fails, new OWASP Top 10 for Non-Human Identities, AI, Lawsuits
EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Hacker steals record $1.46 billion from Bybit ETH cold wallet
With $1.46 billion worth of cryptocurrency stolen in a single attack, this is now the largest cryptocurrency hack ever, almost doubling the previous record.
The crypto exchange says its security team is now investigating the incident with the help of external blockchain forensic experts. According to Bybit, anyone with the expertise to help track the stolen funds is also welcome to assist. Bybit says all other cold wallets are fully secure, client funds are safe, and exchange operations were undisrupted by the incident.
"Please rest assured that all other cold wallets are secure. I will keep you guys posted as more develops, If any team can help us to track the stolen fund will be appreciated," Bybit's CEO said. "Bybit is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss."
Major Data Breach Exposes 2.7 Billion Records, Including Smartphone And Wi-Fi Details
Mars Hydro, a Chinese company specializing in indoor growing and hydroponics equipment, was exposed to a massive breach compromising 2.7 billion records due to an unprotected database.
Since the database at Mars Hydro was not protected by a password, it led to major records being leaked that included Wi-Fi SSID network names and passwords, IP addresses, email addresses, and details regarding the smartphones used and whether they supported iOS or Android.
Not only does this lead to the potential threat of unauthorized access to the devices and the networks, but it also can give cybercriminals room to monitor communication and target users through compromised contact information. It could even lead to man-in-the-middle attacks where traffic between users and devices can be manipulated.
Hundreds of Dutch medical records bought for pocket change at flea market
"A few weeks ago, I came back from Turnhout in Belgium. I was on my way home but stopped at Weelde [airfield] because I really had to go to the toilet. There was a flea market next to the airbase. I went to have a look and bought five hard drives of 500GB each for €5 each..." After hooking them up when he returned home, Polet found medical data on the HDDs, including the Dutch equivalent of Social Security Numbers, dates of birth, home addresses, medication details, and other GP and pharmacy data. The records were from 2011-2019. The data originated from Nortade ICT Solutions, which used to be based in Breda before going out of business. It was an IT company developing software for, you guessed it, the healthcare sector.
Dutch law mandates that storage devices like HDDs that contain medical data must be erased by a professional, and the erasure must be certified. First of all, the software provider had no right to store this information. Secondly, even with a legitimate reason to store them, the data should have been encrypted, and of course, the hard drives should have been decommissioned responsibly.
Medusa ransomware gang demands $2M from UK private health services provider
Previously known as Virgin Care and now owned by Twenty20 Capital, HCRG runs child and family health and social services across the UK for the NHS and local authorities.
On its dark-web site, the Medusa crew claimed it had stolen 2.275 TB of data from HCRG, and will either sell that information to a buyer for $2 million (£1.6 million), delete its copy of that info for the same amount, or leak it all online if no one pays up by February 27. Additionally, the gang claims it will delay the release for $10,000 (£8,000) per day, presumably to keep negotiations open. It has already leaked samples, totaling 35 pages, of what's said to be pilfered information, including passport and driving license scans, staff rotas, a birth certificate, and data from background checks.
Even if the healthcare group did pay, there's no guarantee Medusa wouldn't double-dip by selling the data anyway. 78 percent of organizations that paid a ransom were attacked again, with 63 percent facing demands for an even larger payout the second time around.
Critical flaws in Mongoose library expose MongoDB to data thieves, code execution
Mongoose is an Object Data Modeling (ODM) library for MongoDB to enable database integrations in Node.js applications. It allows JavaScript objects to be mapped to MongoDB documents, providing an abstraction layer to help with the management and validation of structured data. Mongoose has 19,593 dependents, according to its Node Package Manager page, and over 27,000 stars on GitHub.
CVE-2024-53900 (9.1) is a classic SQL injection bug that adds to the pile already causing US security agencies to fume. The vulnerability hinged on the mechanics of Mongoose's populate() method and the library allowing the $where operator to be used in match queries. A specially crafted query could bypass MongoDB's server-side JavaScript restrictions and potentially lead to remote code execution (RCE). It meant attackers could access, manipulate, or exfiltrate data in MongoDB they ordinarily shouldn't be able to.
Dat Phung, a researcher, reported the vulnerability in early November, and Mongoose patched it in version 8.8.3, disallowing the use of $where in match queries. On December 17, Phung discovered a bypass in the patched version that still allowed for RCE and could lead to data theft. Mongoose addressed this second discovery in version 8.9.5 and the National Vulnerability Database (NVD) assigned it a separate identifier: CVE-2025-23061 (9.0). It turns out the initial patch (8.8.3) only blocked the use of $where in a single nested level, but Phung realized that if $where was embedded inside an $or operator, then the patch could be bypassed and MongoDB data could then be compromised.
In just the last seven days version 8.8.3 was downloaded more than 38,500 times, suggesting the attack surface remains sizable. The downloads for 8.9.5 stand at just over 250,000 for the same period, however, and the most up-to-date version (8.10.0) has more than 452,000 downloads.
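The gap between the two Mongoose patches comes down to how deep the check walks the match filter. The following is an added example, not Mongoose's own code: a simplified single-level check next to a recursive one that reports $where at any depth, including inside $or arrays. All function names and sample filters are hypothetical and constructed for illustration.

```javascript
// Added illustration, not Mongoose source code. All names are hypothetical.
const FORBIDDEN = new Set(["$where"]); // operators that trigger JavaScript evaluation
const MAX_DEPTH = 32; // refuse pathologically deep or cyclic filters

// Simplified model of a single-level check: only the filter's own keys are inspected.
function shallowCheckPasses(filter) {
  return !Object.keys(filter).some((key) => FORBIDDEN.has(key));
}

// Walk every object and array in the filter and return the path of each forbidden key.
function findForbidden(value, path = "match", depth = 0) {
  if (depth > MAX_DEPTH) {
    throw new RangeError("filter nested deeper than " + MAX_DEPTH + " levels");
  }
  if (Array.isArray(value)) {
    return value.flatMap((item, i) =>
      findForbidden(item, path + "[" + i + "]", depth + 1)
    );
  }
  if (value === null || typeof value !== "object") {
    return []; // scalars cannot hide operators
  }
  const hits = [];
  for (const [key, child] of Object.entries(value)) {
    const here = path + "." + key;
    if (FORBIDDEN.has(key)) hits.push(here);
    hits.push(...findForbidden(child, here, depth + 1));
  }
  return hits;
}

// Gate to call on user-influenced filters before they reach populate({ match }).
function assertSafeMatch(filter) {
  const hits = findForbidden(filter);
  if (hits.length > 0) {
    throw new Error("forbidden operator in match filter: " + hits.join(", "));
  }
  return filter;
}

// Constructed sample filters; the $where values are inert placeholders.
const SAMPLES = {
  direct: { $where: "<js expression>" },
  nested: { $or: [{ $where: "<js expression>" }, { name: "x" }] },
  deep: {
    $and: [{ $or: [{ age: { $gte: 18 } }, { $nor: [{ $where: "<js expression>" }] }] }],
  },
  benign: { age: { $gte: 18 }, $or: [{ role: "admin" }, { role: "editor" }] },
};

for (const [name, filter] of Object.entries(SAMPLES)) {
  console.log(name, {
    shallowCheckPasses: shallowCheckPasses(filter),
    forbiddenAt: findForbidden(filter),
  });
}
```

The recursive check is a stopgap for input validation at the application boundary; upgrading to a Mongoose release that contains both fixes (8.9.5 or later, per the text above) is still required.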
Palo Alto firewalls under attack as miscreants chain flaws for root access
Palo Alto Networks has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces.
Exposing management consoles to the internet is a known risk. Security vendors strongly advise against it unless absolutely necessary, though it remains a "challenge" for some, as one vendor politely told us. Some admins expose the consoles to the public internet as it eases remote management chores, and hope security through obscurity protects them.
PAN declined to specify how many customers are affected, but historically, most users keep their management interfaces private. Still, even those with restricted access must patch to stay secure.
HP ditches 15-minute wait time policy due to 'feedback'
HP started to play a recorded message to punters ringing up its call centers that warned of a longer wait time of 15 minutes and apologized for the inconvenience. HP had decided to inconvenience customers deliberately to make them give up and use online support. On the fifth, tenth and thirteenth minute, the recorded message again mentioned the longer wait times and, ta-da, suggested trying other forms of digital support.
It went down like a lead balloon internally at HP, with some staff on the front line unhappy that they were having to deal with a decision taken by management, who didn't have to directly interact with customers left hanging on the telephone.
HP Inc abruptly ditched the mandatory 15-minute wait time that it imposed on customers dialling up its telephone-based support team due to "initial feedback."
Newspaper publishing giant Lee Enterprises has confirmed that a ransomware attack is behind ongoing disruptions impacting the group's operations for over two weeks.
As a local news provider and one of the largest newspaper groups in the United States, Lee publishes 77 daily newspapers and 350 weekly and specialty publications across 26 states. Its newspapers have a daily circulation of over 1.2 million, and digital editions reach more than 44 million unique visitors.
US newspaper publisher uses linguistic gymnastics to avoid saying its outage was due to ransomware
US newspaper publisher Lee Enterprises is blaming its recent service disruptions on a "cybersecurity attack," per a regulatory filing, and is the latest company to avoid using the dreaded R word.
Many of its newspapers delayed their print editions for days at a time when the attack first took hold, apologizing to their readers, and promising that editions would be delivered albeit a little late and in some cases in a smaller format. Listed companies have become adept at describing ransomware without actually saying the word in recent times, Lee being one of them. It told the Securities and Exchange Commission (SEC) that "threat actors unlawfully accessed the company's network, encrypted critical applications, and exfiltrated certain files." That sounds an awful lot like double extortion ransomware to us.
CVE-2025-24989 Microsoft Power Pages Improper Access Control Vulnerability: Microsoft Power Pages contains an improper access control vulnerability that allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control.
CVE-2025-23209 Craft CMS Code Injection Vulnerability: Craft CMS contains a code injection vulnerability caused by improper validation of the database backup path, ultimately enabling remote code execution.
CVE-2025-0111 Palo Alto Networks PAN-OS File Read Vulnerability: Palo Alto Networks PAN-OS contains an external control of file name or path vulnerability. Successful exploitation enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user.
CVE-2024-53704 SonicWall SonicOS SSLVPN Improper Authentication Vulnerability: SonicWall SonicOS contains an improper authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication.
CVE-2025-0108 Palo Alto Networks PAN-OS Authentication Bypass Vulnerability: Palo Alto Networks PAN-OS contains an authentication bypass vulnerability in its management web interface. This vulnerability allows an unauthenticated attacker with network access to the management web interface to bypass the authentication normally required and invoke certain PHP scripts.
HACKING
Attackers broke into a company network in 48 minutes by flooding phishing messages
Roughly a dozen employees inside a manufacturing company received a tsunami of phishing messages that was so big they were unable to perform their day-to-day functions. The spam barrage, it turned out, was simply a decoy. It created the opportunity for the threat actors to contact the affected employees through the Microsoft Teams collaboration platform, pose as IT help desk workers, and offer assistance in warding off the ongoing onslaught.
Within minutes, at least two of the employees took the bait and followed instructions to open the Quick Assist remote access app built into Windows and hand off control of their desktops to the person on the other end.
In the first seven minutes, they connected the employee desktop to their remote command-and-control server by opening IP ports 443 and 10443, which are typically reserved for TLS traffic. They then attempted to use the SMB networking tool, also built into Windows, to upload a malicious Dynamic Link Library file to a sensitive OneDrive directory responsible for performing updates. The technique—known as DLL sideloading—works by placing a malicious DLL file in the same directory as a vulnerable application.
When SMB failed, the attacker tried uploading the file using RDP, short for the remote desktop protocol, combined with the Windows PowerShell command window. This time, the upload worked as planned. The attacker went on to use PowerShell to trigger the malicious payload to run on compromised administrator accounts. With that, the attacker was able to connect to the control server through the targeted network.
The attacker then used the connection to gain privileged system rights by accessing a service account, likely compromised earlier, for managing an SQL database. Using credentials stored inside the database, the attacker created a new account and assigned it the highest administrative permissions available.
The attacker used the privileged system rights to scan the network for vulnerable targets using the SoftPerfect Network Scanner. The attacker had now gained persistent, privileged access to the network and was in a position to exfiltrate sensitive data from it.
Phishing attack hides JavaScript using invisible Unicode trick
The new obfuscation technique exploits invisible Unicode characters, specifically Hangul half-width (U+FFA0) and Hangul full-width (U+3164). Each ASCII character in the JavaScript payload is converted into an 8-bit binary representation, and the binary values (ones and zeros) in it are replaced with invisible Hangul characters. The obfuscated code is stored as a property in a JavaScript object, and since Hangul filler characters are rendered as blank space, the payload in the script looks empty.
The attackers use extra concealment steps, like encoding the script with base64 and using anti-debugging checks to evade analysis. The attacks were highly personalized, including non-public information, and the initial JavaScript would try to invoke a debugger breakpoint if it were being analyzed, detect a delay, and then abort the attack by redirecting to a benign website. The attacks are tough to detect as empty whitespace reduces the likelihood that even security scanners will flag it as malicious. Since the payload is just a property in an object, it could be injected into legitimate scripts without raising suspicion; plus, the whole encoding process is easy to implement and doesn't require advanced knowledge.
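Because the payload consists only of the two Hangul filler characters, a scanner can flag long runs of them and recover the hidden bytes for triage. The following is an added example, not code from the campaign or the original report. The report excerpt does not say which filler stands for 1, so the decoder tries both mappings and keeps the more printable result; the sample is constructed and encodes the harmless string "hi".

```javascript
// Added illustration for analysts; function names and the sample are constructed.
const HALF = "\uFFA0"; // Hangul half-width filler
const FULL = "\u3164"; // Hangul full-width filler
const FILLER_RUN = /[\uFFA0\u3164]{8,}/g; // eight fillers = at least one encoded byte

// Locate runs of filler characters long enough to carry data.
function findFillerRuns(source) {
  return [...source.matchAll(FILLER_RUN)].map((m) => ({
    index: m.index,
    length: m[0].length,
    text: m[0],
  }));
}

// Decode a run as 8-bit groups, treating `oneChar` as bit 1 and the other filler as bit 0.
function decodeRun(text, oneChar) {
  const usable = text.length - (text.length % 8); // ignore a trailing partial byte
  let out = "";
  for (let i = 0; i < usable; i += 8) {
    let byte = 0;
    for (const ch of text.slice(i, i + 8)) {
      byte = (byte << 1) | (ch === oneChar ? 1 : 0);
    }
    out += String.fromCharCode(byte);
  }
  return out;
}

// Fraction of characters that are printable ASCII or common whitespace.
function printableRatio(s) {
  if (s.length === 0) return 0;
  let ok = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c === 9 || c === 10 || c === 13 || (c >= 32 && c < 127)) ok++;
  }
  return ok / s.length;
}

// Report every filler run with the decoding (of the two possible) that looks most like text.
function analyze(source) {
  return findFillerRuns(source).map(({ index, length, text }) => {
    const candidates = [
      { bitOne: "U+FFA0", decoded: decodeRun(text, HALF) },
      { bitOne: "U+3164", decoded: decodeRun(text, FULL) },
    ].map((c) => ({ ...c, score: printableRatio(c.decoded) }));
    candidates.sort((a, b) => b.score - a.score);
    return { index, length, ...candidates[0] };
  });
}

// Constructed sample: an object property name made of fillers (assumes U+3164 = 1).
const SAMPLE_HIDDEN =
  "\uFFA0\u3164\u3164\uFFA0\u3164\uFFA0\uFFA0\uFFA0" + // 01101000 = "h"
  "\uFFA0\u3164\u3164\uFFA0\u3164\uFFA0\uFFA0\u3164"; // 01101001 = "i"
const SAMPLE_SOURCE = 'const cfg = { "' + SAMPLE_HIDDEN + '": 1 };';

console.log(analyze(SAMPLE_SOURCE));
```

Run it over the script after any base64 layer has been removed, since the text above notes the attackers also base64-encode the script.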
This open text-to-speech model needs just seconds of audio to clone your voice
AI startup Zyphra unveiled a pair of open text-to-speech (TTS) models this week said to be capable of cloning your voice with as little as five seconds of sample audio. In our testing, we generated realistic results with less than half a minute of recorded speech.
Companies like Audible are exploring text-to-speech AI to expand audiobook production, allowing narrators to create AI-generated voice clones of themselves. Meanwhile, legal challenges surrounding AI voice cloning are already hitting similar businesses.
We can also see this technology used to scam unsuspecting victims into believing that a loved one is in trouble, and that they just need a few hundred dollars worth of gift cards to get them out of a bind. Or to ruin someone's career by using it to make an abusive call with their voice to their boss. Or generate fake political messages, or... the examples are endless.
Fake CS2 tournament streams used to steal crypto, Steam accounts
Threat actors are exploiting major Counter-Strike 2 (CS2) competitions, like IEM Katowice 2025 and PGL Cluj-Napoca 2025, to defraud gamers and steal their Steam accounts and cryptocurrency. Earlier this month, CS2 achieved a new peak player count of over 1.7 million concurrent players on Steam.
The channels that promote these scams are hijacked legitimate YouTube accounts, which the scammers rebrand as needed to impersonate professional players. What they show in these livestreams is loops of old gameplay footage, making it appear live to anyone who hasn't watched them before. QR codes or links on these videos direct viewers to malicious websites where they are requested to log in with their Steam account, supposedly to claim their gifts or send cryptocurrency to receive double in return.
Russia-aligned hackers are targeting Signal users with device-linking QR codes
The primary attack channel is Signal's "linked devices" feature, which allows one Signal account to be used on multiple devices, like a mobile device, desktop computer, and tablet. Linking typically occurs through a QR code prepared by Signal.
Another ease-of-use feature, Signal "Group Link" invite pages, is similarly being exploited, with its QR codes linking a user's device instead of adding them into a group chat. These are often hosted on a lookalike URL, such as "signal-confirm[.]site," or "signal-protect[.]host."
While Signal is a known and popular target, this threat is not only limited to Signal, but also extends to other widely used messaging platforms, including WhatsApp and Telegram.
How Phished Data Turns into Apple & Google Wallets
If you own a mobile phone, the chances are excellent that at some point in the past two years it has received at least one phishing message that spoofs the U.S. Postal Service to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee.
And they are not traditional SMS phishing or “smishing” messages, as they bypass the mobile networks entirely. Rather, the missives are sent through the Apple iMessage service and through RCS, the functionally equivalent technology on Google phones.
People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer’s mobile device. In reality, that code will be sent by the victim’s financial institution to verify that the user indeed wishes to link their card information to a mobile wallet.
If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control.
Hackers planted a Steam game with malware to steal gamers’ passwords
Valve removed a game called PirateFi from its online store Steam because the product was laced with malware. Whoever planted it modified an existing video game in an attempt to trick gamers into installing an info-stealer called Vidar.
PirateFi was built by modifying an existing game template called Easy Survival RPG, which bills itself as a game-making app that “gives you everything you need to develop your own singleplayer or multiplayer” game. The game maker costs between $399 and $1,099 to license. This explains how the hackers were able to ship a functioning video game with their malware with little effort.
Leaked chat logs expose inner workings of secretive ransomware group
Researchers are poring over the data and feeding it into ChatGPT. The FBI and Cybersecurity and Infrastructure Security Agency said Black Basta had targeted 12 of the 16 US critical infrastructure sectors in attacks mounted on 500 organizations around the world.
One notable attack targeted Ascension, a St. Louis-based health care system with 140 hospitals in 19 states. Other victims include Hyundai Europe, UK-based outsourcing firm Capita, the Chilean Government Customs Agency, and UK utility company Southern Water.
The communications come in the form of logs of more than 200,000 messages members of Black Basta sent to each other over the Matrix chat platform from September 2023 to September 2024. Heightened tensions have contributed to growing rifts between the current leader, believed to be Oleg Nefedov, and his subordinates. The person who published the messages said the move was in retaliation for Black Basta targeting Russian banks. It turns out that the personal financial interests of Oleg, the group's boss, dictate the operations, disregarding the team's interests.
Thousands Rescued From Notorious Scam Compounds
For years, crime syndicates have been luring people—often those with good English or Chinese language skills—to Thailand with fake job offers, then trafficking them to the centers in Myanmar, where they are forced to try to scam people around the world. Around 7,000 people who were rescued from the illegal operations are waiting to be transferred to Thailand.
APPSEC, DEVSECOPS, DEV
New OWASP Non-Human Identities Top 10
Non-human identities represent a vast chunk of credentials used by a typical organization, up to 50 times higher than the number of human identities. Non-human identities (NHIs) are used to identify, authenticate, and authorize different software entities to access secured resources.
These entities include applications, workloads, APIs, bots, and automated systems. Unlike human identities, NHIs are not controlled and often not intrinsically tied to a human. Their identity object and authentication often work differently to that of a human, and common human user security measures do not apply to them.
Examples of NHIs include:
Service accounts used in backend systems to connect multiple subsystems.
Roles associated with automated services to access cloud resources.
API or Access Keys used by microservices to access database applications.
Applications used by third parties to perform tasks and enhancements.
Mismanagement of NHIs introduces significant security risks. Key issues include:
Excessive Permissions: NHIs are commonly granted very broad access to resources, which leads to widespread damage if compromised.
Credential Mismanagement: NHI credentials are easily mismanaged: hardcoded keys left in code, poor or no rotation policies, and use of deprecated authentication methods make NHIs vulnerable to compromise.
Lack of Monitoring: NHIs are notoriously under-monitored, allowing malicious activity to go unnoticed.
Together, these issues mean that a compromised NHI can lead to unauthorized access, data breaches, or attacks on infrastructure.
With NHIs playing critical roles in development pipelines, cloud environments, and SaaS ecosystems, securing them is essential.
Shadow AI emerges as growing new security concern
A recent audit of a financial firm found 65 unauthorized AI tools in use, far exceeding the security team’s estimates. Research suggests that most shadow AI adoption stems from employees seeking efficiency rather than malicious intent.
However, the unchecked use of these tools poses regulatory and cybersecurity risks, especially as governments impose stricter AI-related compliance requirements.
To mitigate these risks, experts advocate for centralized AI governance, enhanced security controls, and employee education. Establishing a vetted AI tool inventory, conducting audits, and integrating AI oversight with governance, risk, and compliance frameworks can help organizations balance security with innovation.
Netflix Show: Zero Day Ending, Explained: Who Was Responsible for the Cyberattack — and Is Proteus Real?
Netflix's new Robert De Niro-led political drama ends with a shocking revelation about the Zero Day attack
VENDORS & PLATFORMS
Check out this free automated tool that hunts for exposed AWS secrets in public repos
GitHub dorking refers to the practice of using GitHub's advanced search operators to construct queries that can locate environment files, JSON configurations, and source code files potentially containing credentials. However, because it relies on static keyword searches, this method may not effectively reveal secrets that have been obfuscated or encoded.
TruffleHog is an open-source tool that scans Git repositories for high-entropy strings and credential patterns to help identify potential hardcoded AWS keys. High-entropy strings are character sequences designed to be extremely unpredictable, a critical feature for ensuring strong security. However, TruffleHog isn't designed for real-time monitoring and may sometimes generate false positives due to its reliance on entropy-based detection.
AWS-Key-Hunter periodically retrieves commits from target repositories and scans for AWS keys in both plaintext and base64-encoded formats. When it identifies an exposed key, it sends an immediate alert to a dedicated Discord channel. The program has some limitations, such as it looks only at .env, .ini, .yml, .yaml, and .json files, and has some incomplete matching of access keys, so it may not be perfect for you – but the code's there to improve and adapt if you so wish.
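For checking your own repositories, the plaintext-plus-base64 approach described above can be sketched as follows. This is an added example, not AWS-Key-Hunter's code: the function names, regular expressions and sample files are assumptions constructed here, and the key shown is the placeholder ID used in AWS documentation.

```javascript
// Added illustration, not AWS-Key-Hunter's code. All names are hypothetical.
const SCANNED_EXTENSIONS = [".env", ".ini", ".yml", ".yaml", ".json"]; // list from the text
// AKIA prefixes long-term access key IDs, ASIA prefixes temporary (STS) ones.
const ACCESS_KEY_ID = /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g;
const BASE64_TOKEN = /[A-Za-z0-9+\/]{24,}={0,2}/g; // long enough to hold a 20-char key ID

function isScannable(path) {
  const lower = path.toLowerCase();
  return SCANNED_EXTENSIONS.some((ext) => lower.endsWith(ext));
}

// Never put a full key into an alert; show just enough to identify it.
function mask(keyId) {
  return keyId.slice(0, 4) + "..." + keyId.slice(-4);
}

function keysIn(text) {
  return [...text.matchAll(ACCESS_KEY_ID)].map((m) => m[0]);
}

// Decode each base64-looking token and search the result. Offsets 0..3 are tried
// because a token glued to leading base64-alphabet characters decodes misaligned.
function keysInBase64(line) {
  const found = [];
  for (const m of line.matchAll(BASE64_TOKEN)) {
    for (let offset = 0; offset < 4; offset++) {
      const decoded = Buffer.from(m[0].slice(offset), "base64").toString("latin1");
      const keys = keysIn(decoded);
      if (keys.length > 0) {
        found.push(...keys);
        break;
      }
    }
  }
  return found;
}

function scanFile(path, content) {
  if (!isScannable(path)) return [];
  const findings = [];
  content.split(/\r?\n/).forEach((line, i) => {
    for (const k of keysIn(line)) {
      findings.push({ path, line: i + 1, encoding: "plaintext", key: mask(k) });
    }
    for (const k of keysInBase64(line)) {
      findings.push({ path, line: i + 1, encoding: "base64", key: mask(k) });
    }
  });
  return findings;
}

// `files` maps a repository path to that file's text content.
function scanRepo(files) {
  return Object.entries(files).flatMap(([path, content]) => scanFile(path, content));
}

// Constructed sample repository contents.
const EXAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE"; // AWS documentation placeholder, not a live key
const SAMPLE_FILES = {
  ".env": "AWS_ACCESS_KEY_ID=" + EXAMPLE_KEY + "\nREGION=us-east-1",
  "deploy/config.yaml":
    "region: us-east-1\ncreds_b64: " +
    Buffer.from("aws_access_key_id = " + EXAMPLE_KEY).toString("base64"),
  "README.md": "key " + EXAMPLE_KEY + " is here, but .md files are outside the extension list",
  "settings.json": '{"debug": false}',
};

console.log(scanRepo(SAMPLE_FILES));
```

The README.md miss in the sample output shows the extension-list limitation the text mentions: a key committed to any other file type goes unreported.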
When a Lifetime Subscription Can Save You Money—and When It’s Risky
A one-time payment is too good to be true for services with high recurring costs. These companies might compromise your security and privacy to make money in other ways.
Chase will soon block Zelle payments to sellers on social media
According to scam reports from Chase customers who filed Zelle or wire transfer claims between June and December 2024, almost 50% of all reported scams originated on social media. Chase explained that the payments service should not be used to buy goods from retailers or merchants, "including on or through social media or social media marketplaces or messaging apps."
Using Privacy.com's virtual credit cards
Why I never use my personal credit card for free trials, and what I do instead
LEGAL & REGULATORY
Centene: Healthcare outfit that served military personnel settles allegations it faked infosec compliance for $11M
The orgs will pay $11,253,400 to settle claims that HNFS falsely certified compliance with certain infosec requirements in a contract with the Department of Defense a decade ago. In agreeing to the settlement, neither Centene Corporation nor HNFS admit any guilt and, per usual with these types of court resolutions, there is "no determination of liability." Also per usual: the $11 million financial penalty isn't even a slap on the wrist for Centene Corporation, which raked in $163.1 billion of revenue in its most recent full financial year.
Under the government contract, HNFS was required to adhere to certain privacy standards and cybersecurity requirements. Those standards included scanning for known vulnerabilities and patching security flaws in a timely manner, plus submitting an annual report to the DHA that certified compliance with certain infosec standards and privacy controls.
However, according to the DOJ, between 2015 and 2018 HNFS falsely certified compliance with those controls and ignored reports from third-party security auditors. Plus the healthcare provider allegedly ignored its own internal audit of cybersecurity risks related to asset management, access controls, configuration settings, firewalls, end-of-life hardware and software in use, patch management, vulnerability scanning, and password policies. This potentially put millions of data describing military personnel and their families' personal and health-related info at risk.
Class action lawsuit against UnitedHealth's AI claim denials advances
A federal judge has dismissed five out of seven counts in a class action lawsuit against UnitedHealth Group but will allow it to continue, with the suit claiming that UHG, UnitedHealthcare and naviHealth denied claims by using an artificial intelligence program instead of medical professionals in Medicare Advantage plans.
They claim in the lawsuit that the use of AI to evaluate claims for post-acute care resulted in denials, which in turn led to worsening health for the patients and in some cases resulted in death.
They said the AI program developed by UnitedHealth subsidiary naviHealth, nH Predict, would sometimes supersede physician judgement, and has a 90% error rate, meaning nine of 10 appealed denials were ultimately reversed. UnitedHealth Group was sued over its alleged use of AI algorithms back in 2023.
An investigation suggests UnitedHealth pressured employees to use the algorithm to issue payment denials to those on Medicare Advantage plans, setting a goal for employees to keep patient rehabilitation stays within 1% of the length of stay predicted by nH Predict.
The lawsuit alleges that elderly patients are being prematurely kicked out of facilities, or forced to dip into their family savings, to continue to receive care. "The fraudulent scheme affords defendants a clear financial windfall in the form of policy premiums without having to pay for promised care."
Cigna was sued the same year for allegedly using AI algorithms to deny claims, and Humana faced a similar accusation in court.
Cigna was accused of developing an algorithm known as PXDX to enable its doctors to automatically deny payments in batches of hundreds or thousands at a time for treatments that did not match certain preset criteria.
A Cigna Healthcare spokesperson said at the time that the vast majority of claims reviewed through PXDX were automatically paid and that the process does not involve algorithms, AI or machine learning, but a simple sorting technology that has been used for more than a decade to match up codes.
GitLab and its execs sued again and again over 'misleading' AI hype, price hikes
For the third time in five months, GitLab or its execs have been sued over allegedly misleading investors about AI capabilities and demand. Unlike the securities complaint aiming to compensate investors, the derivative complaints seek relief from individual executives to be paid to the company, along with management reforms.
"Defendants assured investors of customer acceptance of its new pricing model and AI integration at every phase of the software development lifecycle, providing positive customer testimonials and promoting the company’s renewals and churn rates, when, in fact, market demand for GitLab’s AI product was materially different than represented due, in part, to: significant concerns amongst potential customers regarding security and data privacy; GitLab’s AI features did not possess the capabilities expressed; deployment was delayed; and when GitLab’s AI features were made available to customers, feedback was largely negative."
Apple pulls iCloud end-to-end encryption feature in the UK
This decision follows a secret order from the United Kingdom government demanding that Apple create a backdoor that would provide access to the unencrypted data of any Apple user worldwide.
"ADP protects iCloud data with end-to-end encryption, which means the data can only be decrypted by the user who owns it, and only on their trusted devices. We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy."
UK drops ‘safety’ from its AI body, now called AI Security Institute, inks MOU with Anthropic
The UK Department of Science, Industry and Technology announced that it would be renaming the AI Safety Institute to the "AI Security Institute." (Same first letters: same URL.) With that, the body will shift from primarily exploring areas like existential risk and bias in large language models, to a focus on cybersecurity, specifically "strengthening protections against the risks AI poses to national security and crime."
Alongside this, the government also announced a new partnership with Anthropic to "explore" using Anthropic's AI assistant Claude in public services; and Anthropic will aim to contribute to work in scientific research and economic modeling. And at the AI Security Institute, it will provide tools to evaluate AI capabilities in the context of identifying security risks.
Anthropic is not the only one that is working with the government. A series of new tools that were unveiled in January were all powered by OpenAI.
"The changes I'm announcing today represent the logical next step in how we approach responsible AI development -- helping us to unleash AI and grow the economy as part of our Plan for Change. The work of the AI Security Institute won't change, but this renewed focus will ensure our citizens -- and those of our allies -- are protected from those who would look to use AI against our institutions, democratic values, and way of life."
Nearly 10 years after Data and Goliath, Bruce Schneier says: Privacy’s still screwed
It has been nearly a decade since famed cryptographer and privacy expert Bruce Schneier released the book Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World - an examination of how government agencies and tech giants exploit personal data. Today, his predictions feel eerily accurate.
At stake, he argued then, was a possibly irreversible loss of privacy, and the archiving of everything. As he wrote, science fiction author Charlie Stross described the situation as the "end of prehistory," in that every facet of our lives would be on a computer somewhere and available to anyone who knew how to find them.
Surveillance capitalism is just too entrenched as a business model, and the large tech monopolies have too much power, to change that anytime soon.
And Now For Something Completely Different …
‘Uber for Armed Guards’ Rushes to Market Following the Assassination of UnitedHealthcare CEO
Protector lets the user book armed guards on demand. Right now it’s only available in NYC and LA. According to its marketing, every guard is either “active duty or retired law enforcement and military.”
Every booking comes with a motorcade and users get to select the number of Escalades that’ll be joining them as well as the uniforms their hired goons will wear.