Robert Grupe's AppSecNewsBits 2025-08-15

Epic Fails, Hacking, AppSec, Platforms/Vendors, and Legal: M&S, St Paul, FBI email addresses for $40, Meta's creepy kids chatbot, TeleMessage, FIDO auth bypass in Microsoft Entra ID, 'MadeYouReset' HTTP/2 flaw, RealBlindingEDR, hackers attack brokerage accounts, dam and water plants, BlackSuit ransomware crew shut down and rebrands, NIST finalizes 'Lightweight Cryptography' standard, and more sloppy AI.

LEGAL & REGULATORY
New York Attorney General James sues Zelle parent company, alleging it enabled fraud
The lawsuit says the registration process lacked verification steps and that EWS and its partner banks knew "for years" that fraud was spreading but did not take actionable steps to resolve it.
“EWS knew from the beginning that key features of the Zelle network made it uniquely susceptible to fraud, and yet it failed to adopt basic safeguards to address these glaring flaws or enforce any meaningful anti-fraud rules on its partner banks.”
Services apps are "products" under product liability law, allowing for lawsuits against companies based on the app's design or functionality
The lawsuit alleges the Lyft app lacks essential safeguards, such as identity and GPS verification, which could prevent fraudulent ride requests from dangerous individuals.
The ruling establishes that the Lyft app, as a software product, can be subject to product liability claims, meaning it can be held liable for defects in its design or function that cause harm.
This decision stems from a wrongful death lawsuit where the plaintiff alleged the Lyft app lacked necessary safety features, enabling minors to fraudulently request rides and ultimately leading to a carjacking and murder.

 

Is Proton leaving Switzerland? "Legal uncertainty" of proposed surveillance laws is pushing them to make several changes
If it passes, the revised Ordinance on the Surveillance of Correspondence by Post and Telecommunications (OSCPT) will introduce new obligations for virtual private networks (VPNs), messaging apps, and social networks: mandatory user identification and data retention of up to six months for all services with at least 5,000 users. Providers would also be required to decrypt communications on the authorities' request if they hold the encryption keys.
Proton launched its ChatGPT competitor, Lumo, in July, to give its users an alternative to Big Tech solutions that truly protect their privacy. The company has decided to invest outside Switzerland for fear of the looming legal changes.

 

Microsoft sued for discontinuing Windows 10 support
The plaintiff says that Microsoft's tactic of "forced obsolescence" is an "attempt to monopolize the generative AI market." According to StatCounter, nearly 43% of Windows users still use the old version on their desktop computers. The bad news for them is that Microsoft is discontinuing its routine support for Windows 10 in nearly two months on Oct. 14.
Windows 11 comes with Microsoft's suite of generative artificial intelligence software, including the chatbot Copilot. To run optimally, Microsoft's AI needs a piece of hardware called a neural processing unit, which newer tablets, laptops and desktop computers have — and which the older devices do not.

 

Australia: Tech giants Apple and Google lose landmark court case as federal judge rules they engaged in anti-competitive conduct
It clears the way for two class actions covering millions of Australian consumers and developers to pursue substantial compensation for the price and commissions they paid for digital content — which according to legal representatives for the class actions were heavily inflated on the app stores.
Musk threatens to sue Apple so Grok can get top App Store ranking
After spending last week hyping Grok's spicy new features, Elon Musk kicked off this week by threatening to sue Apple for supposedly gaming the App Store rankings to favor ChatGPT over Grok. "Apple is behaving in a manner that makes it impossible for any AI company besides OpenAI to reach #1 in the App Store, which is an unequivocal antitrust violation. xAI will take immediate legal action."

 

Students have been called to the office — and even arrested — for AI surveillance false alarms
A 13-year-old girl made an offensive joke while chatting online with her classmates, triggering the school’s surveillance software. She was interrogated, strip-searched, spent the night in a jail cell, and her parents weren’t allowed to talk to her until the next day.
Earlier in the day, her friends had teased the teen about her tanned complexion and called her “Mexican,” even though she’s not. When a friend asked what she was planning for Thursday, she wrote: “on Thursday we kill all the Mexico’s.” Her mother said the comments were “wrong” and “stupid,” but context showed they were not a threat.
Gaggle alerted more than 1,200 incidents to the Lawrence, Kansas, school district in a recent 10-month period. But almost two-thirds of those alerts were deemed by school officials to be nonissues — including over 200 false alarms from student homework.
Students in one photography class were called to the principal's office over concerns that Gaggle had detected nudity. The photos had been automatically deleted from the students' Google Drives, but students who had backups of the flagged images on their own devices showed it was a false alarm. Two years after the ordeal, the arrested girl's mother says her daughter is doing better, although she's still "terrified" of running into one of the school officers who arrested her. "It's like we just want kids to be these little soldiers, and they're not. They're just humans."
[rG: When AI agents make false accusations and delete contents, what recourse will people have to respond? Would AI false information be considered evidence? Story from 2022 about a father shut out of Google services for almost a year.]

 

YouTube backlash begins: “Why is AI combing through every single video I watch?”
Privacy experts have criticized YouTube's lack of transparency about its AI age-estimation system, noting that YouTube has not shared any external research verifying the model's effectiveness. One YouTuber pointed to a recent Discord mishap in which a 30-year-old was flagged as underage, and noted that AI age checks on other platforms haven't been that reliable: "I'm autistic. It's not fun being a grown woman and being treated like a child because of your interests."

 

APPSEC, DEVSECOPS, DEV
NIST Finalizes ‘Lightweight Cryptography’ Standard to Protect Small Devices
NIST Special Publication 800-232: the four algorithms in the standard require less computing power and time than conventional cryptographic methods, making them suitable for securing data on resource-constrained devices such as those that make up the Internet of Things. The standard is built on the Ascon family, which NIST selected in 2023, and specifies Ascon-AEAD128, Ascon-Hash256, Ascon-XOF128 and Ascon-CXOF128.

 

NIST Issues Special Publication for Control Overlays for Securing AI Systems
The National Institute of Standards and Technology has published a concept paper and proposed action plan for SP 800-53 control overlays for securing AI systems, i.e. tailored selections of the SP 800-53 control catalog for specific AI use cases.

 

Majority of Organizations Ship Vulnerable Code, Study Finds
Research shows that developers are already letting AI write much of their code, yet most organizations lack governance around these tools. "Combine that with the fact that 81% knowingly ship vulnerable code and you have a perfect storm. It's only a matter of time before a crisis is at hand." 32% of European respondents said their organization often deploys code with known vulnerabilities, compared with 24% of those in North America.
The findings highlighted that 98% of respondents experienced a breach stemming from vulnerable code in the past year, a sharp rise from 91% in 2024.
According to the Checkmarx study of 1,500 CISOs, AppSec managers and developers, 50% of respondents already use AI code assistants, and 34% admitted that more than 60% of their code is AI generated.
Fewer than half of respondents reported deploying foundational security tooling such as dynamic application security testing (DAST) or infrastructure-as-code scanning.
Meanwhile, only half of the organizations surveyed actively use core DevSecOps tools, and just 51% of North American organizations report having adopted DevSecOps.

 

Passing the Security Vibe Check: The Dangers of Vibe Coding
Databricks: We explore some real-world examples from our red team efforts, showing how vibe coding can lead to serious vulnerabilities. We also demonstrate some methodologies for prompting practices that can help mitigate these risks.

 

Sloppy AI defenses take cybersecurity back to the 1990s
Bargury, a great showman and natural comedian, began the presentation with the last slide of his Black Hat talk from last year, which had explored how to hack Microsoft Copilot. "So is anything better a year later?" he asked. "Well, they've changed — but they're not better."
Sharbat showed how he persuaded a customer-service AI agent, built using Microsoft's Copilot Studio no-code AI developer tool and modeled on a real customer-service bot used by McKinsey and Co., to email him the contents of a customer-relationship management (CRM) database. "There's often an input filter because the agent doesn't trust you, and an output filter because the agent doesn't trust itself. But there's no filter between the LLM and its tools."
Assume SQL — um, prompt injection
To alter the output, you have to poison the input. Because many, if not all, LLMs have trouble telling the difference between prompts and data, it's easy to perform the AI equivalent of SQL injection upon them. The real question is where untrusted data can be introduced. But fortunately for attackers, many AIs can retrieve data from anywhere on the internet.
1st: Assume prompt injection. As in zero trust, you should assume your AI can be hacked.
2nd: If the LLM can see it, the attacker can use it.
3rd: Once tainted, always untrusted. Once the attacker gets a hook in, everything is compromised because the model will ingest and reuse the malicious data.
Designers of LLM and agentic AI systems place filters at various points in the information flow to choke off malicious inputs, but they sometimes miss a few spots. Bargury walked through real-world attacks on Microsoft Copilot and on the open-source data-analysis LLM PandasAI, then demonstrated proof-of-concept attacks on the AI-powered development tool Cursor.
The Zenity team connected Cursor, via a Model Context Protocol (MCP) server, to Atlassian's issue tracker Jira. Zenity's Marina Simakov then asked the AI to find all the API keys in a repository.
How do you like them apples?
A straightforward request was properly rejected by Cursor because it would disclose sensitive information. To bypass that guardrail, ask Cursor to search for apples instead of API keys, having defined "apples" as any string of text beginning with the characters "eyJ". That prefix is how Base64 encodes an opening brace and quote followed by a letter, so it opens the header of every JSON Web Token (JWT), a widely used authorization token format. Cursor was happy to comply.
Isn't it ironic
Why are all these old vulnerabilities surfacing again? Because the GenAI space is full of security bad practices. When you deploy these tools, you increase your attack surface. You're creating vulnerabilities where there weren't any.
Developers don't understand the risks they create when they outsource their code development to black boxes. It's very surreal to see people praising CISA for pushing memory-safe languages and at the same time congratulating companies for building tools that are basically RCE [remote code execution] as a service.
A since-patched flaw in CodeRabbit, an AI code-review tool that pulls code from GitHub and runs various static analyzers on it: some of those analyzers let a repository pull in external data, in which malicious prompts can of course be embedded. That let the researchers steal secrets, including private RSA keys.
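The "apples" trick works because a JWT is self-describing: the header segment is Base64url-encoded JSON, and Base64 turns an opening brace, a quote and a letter into the three characters eyJ. The marker that let the prompt name tokens without saying "API key" is the same marker a filter placed between a tool and the LLM should key on. The following added example is my code, not Zenity's, Cursor's or CodeRabbit's: a JWT finder built on that fact, plus a redaction filter to sit between a tool's output and the model, run over a constructed snippet of repository text whose token is a fake with a placeholder signature.

```python
import base64
import json
import re

# Base64 encodes '{"' plus one letter as "eyJ", so every JWT whose header is a
# JSON object (all of them) begins with those three characters. The other two
# segments are Base64url as well; the "." separators are the second giveaway.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded Base64url, as used by JWTs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def find_jwts(text: str) -> list:
    """Return (token, header) pairs for every JWT-shaped string whose first
    segment decodes to a JSON object. 'eyJ' inside a word (e.g. 'keyJar') is
    excluded by the word boundary in JWT_RE."""
    found = []
    for match in JWT_RE.finditer(text):
        token = match.group(0)
        try:
            header = json.loads(b64url_decode(token.split(".")[0]))
        except (ValueError, UnicodeDecodeError):
            continue
        if isinstance(header, dict):
            found.append((token, header))
    return found


def redact_tool_output(text: str) -> str:
    """Filter for the gap the talk describes, between a tool and the LLM:
    replace each JWT with a placeholder before the model ever sees it. The
    header's algorithm is kept because it is harmless and often what the
    model actually needs to answer the question."""
    def _replace(match):
        token = match.group(0)
        try:
            header = json.loads(b64url_decode(token.split(".")[0]))
            alg = header.get("alg", "?") if isinstance(header, dict) else "?"
        except (ValueError, UnicodeDecodeError):
            alg = "?"
        return f"[REDACTED JWT alg={alg}]"
    return JWT_RE.sub(_replace, text)


def make_demo_jwt() -> str:
    """Constructed token: real-looking header and payload, fake signature."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(b'{"alg":"HS256","typ":"JWT"}')
    payload = enc(b'{"sub":"ci-bot","scope":"repo:read"}')
    signature = "A" * 43  # placeholder, not a real HMAC
    return f"{header}.{payload}.{signature}"


DEMO_JWT = make_demo_jwt()

# Constructed sample of what a "search the repo" tool might hand back to the model.
SAMPLE_TOOL_OUTPUT = "\n".join([
    "# settings.py (constructed sample, not a real repository)",
    f'SERVICE_TOKEN = "{DEMO_JWT}"',
    'LOG_LEVEL = "info"',
    "# 'eyJ' inside a word, e.g. keyJar, must not be treated as a token",
])

if __name__ == "__main__":
    for token, header in find_jwts(SAMPLE_TOOL_OUTPUT):
        print("found JWT with header", header, "->", token[:20] + "...")
    print(redact_tool_output(SAMPLE_TOOL_OUTPUT))
```

The redaction runs on the tool side of the boundary, so it holds whatever the prompt calls the thing it is looking for; a filter that matches on the words "API key" in the user's request is exactly the guardrail the apples prompt walked around.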
[rG: The sad fact is that widely publicized AI security prevention guidance and best practices have been available for over two years, but isn’t practiced by most product development projects: e.g. SSDLC processes with LLM/ML vulnerability specific design threat modeling analysis, security misuse/abuse testing in pre-production, and continuous production monitoring and incident response. Probably won’t change until there are some high-profile financial losses, legal retribution damages, or legal mandates. Until then, the lemmings will continue to dive off the cliffs.]

 

Google says its AI-based bug hunter found 20 security vulnerabilities
Google said that its LLM-based vulnerability researcher Big Sleep found and reported 20 flaws in various popular open-source projects. Big Sleep, developed by DeepMind together with Project Zero, Google's team of hackers, reported its first-ever batch of vulnerabilities, mostly in open-source software such as the audio and video library FFmpeg and the image-editing suite ImageMagick.
We don’t have details of their impact or severity, as Google does not yet want to provide details, which is a standard policy when waiting for bugs to be fixed. But the simple fact that Big Sleep found these vulnerabilities is significant, as it shows these tools are starting to get real results, even if there was a human involved in this case.

 

Red teams are safe from robots for now, as AI makes better shield than spear
All the cybersecurity companies here will tell you how extensively they use generative AI in their products. Yes, attackers are using AI as well, but they're only beginning. We've only seen fairly simple attacks with AI so far. It will change, but right now, I would claim we are ahead. In 2024 AI systems discovered no zero-day vulnerabilities. So far in 2025, researchers have spotted around two dozen using LLM scanning, all of which have been fixed, but hackers are now increasingly using AI to do such research and are bound to find more.

 

How Python is Fighting Open Source's 'Phantom' Dependencies Problem
"Phantom" dependencies aren't tracked with packaging metadata, manifests, or lock files, which makes them "not discoverable" by tools like vulnerability scanners or compliance and policy tools. So Python security developer-in-residence Seth Larson authored a recently-accepted Python Enhancement Proposal offering an easy way for packages to provide metadata through Software Bill-of-Materials (SBOMs).
The white paper "details the approach, challenges, and insights into the creation and acceptance of PEP 770 and adopting Software Bill-of-Materials (SBOMs) to improve the measurability of Python packages," explains an announcement from the Python Software Foundation.
And the white paper ends with a helpful note. "Having spoken to other open source packaging ecosystem maintainers, we have come to learn that other ecosystems have similar issues with Phantom Dependencies. We welcome other packaging ecosystems to adopt Python's approach with PEP 770 and are willing to provide guidance on the implementation."
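To make the "phantom dependency" problem concrete, here is an added example of how a scanner can consume what PEP 770 provides. It is my code, not the PSF's or Seth Larson's: it assumes the PEP's layout of SBOM documents under a distribution's .dist-info/sboms/ directory (the PEP also records them in an Sbom-File metadata field, which this example does not read), and it builds a constructed site-packages tree in a temporary directory rather than scanning a real environment. The hypothetical wheel "xmlwrap" bundles a native libxml2 that no lock file would ever list.

```python
import json
import tempfile
from pathlib import Path


def iter_sbom_files(site_packages):
    """Yield (dist_info_name, sbom_path) for every JSON SBOM shipped under a
    distribution's .dist-info/sboms/ directory (PEP 770 layout, assumed)."""
    root = Path(site_packages)
    for dist_info in sorted(root.glob("*.dist-info")):
        sbom_dir = dist_info / "sboms"
        if not sbom_dir.is_dir():
            continue
        for path in sorted(sbom_dir.iterdir()):
            if path.suffix == ".json":
                yield dist_info.name, path


def components_from_sbom(doc):
    """Normalize the two common SBOM formats, CycloneDX and SPDX, to
    (name, version, purl) tuples: the fields a vulnerability scanner needs."""
    out = []
    if doc.get("bomFormat") == "CycloneDX":
        for comp in doc.get("components", []):
            out.append((comp.get("name"), comp.get("version"), comp.get("purl")))
    elif "spdxVersion" in doc:
        for pkg in doc.get("packages", []):
            purl = None
            for ref in pkg.get("externalRefs", []):
                if ref.get("referenceType") == "purl":
                    purl = ref.get("referenceLocator")
            out.append((pkg.get("name"), pkg.get("versionInfo"), purl))
    return out


def phantom_dependencies(site_packages):
    """Map each installed distribution to the components its SBOMs declare.
    These are exactly the dependencies a lock file cannot see."""
    result = {}
    for dist, path in iter_sbom_files(site_packages):
        with open(path, "rb") as fh:
            doc = json.load(fh)
        result.setdefault(dist, []).extend(components_from_sbom(doc))
    return result


def build_demo_site_packages():
    """Constructed fixture: one wheel with a CycloneDX SBOM naming a bundled
    native library, one wheel with no SBOM at all."""
    tmp = Path(tempfile.mkdtemp())
    sbom_dir = tmp / "xmlwrap-2.3.0.dist-info" / "sboms"
    sbom_dir.mkdir(parents=True)
    doc = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "components": [{
            "type": "library",
            "name": "libxml2",
            "version": "2.12.6",
            "purl": "pkg:generic/libxml2@2.12.6",
        }],
    }
    (sbom_dir / "bundled.cdx.json").write_text(json.dumps(doc))
    (tmp / "plainpkg-1.0.dist-info").mkdir()   # nothing bundled, no SBOM
    return str(tmp)


if __name__ == "__main__":
    for dist, comps in phantom_dependencies(build_demo_site_packages()).items():
        for name, version, purl in comps:
            print(f"{dist}: bundles {name} {version} ({purl})")
```

Point the function at a real site-packages directory and the purls it returns are what you feed to a vulnerability database; until wheels ship these SBOMs, the same bundled libxml2 is invisible to every tool that only reads pip metadata.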

 

State of Agentic AI Security and Governance 1.0
The State of Agentic AI Security and Governance provides a comprehensive view of today’s landscape for securing and governing autonomous AI systems. It explores the frameworks, governance models, and global regulatory standards shaping responsible Agentic AI adoption.

 

Reddit will block the Internet Archive
The company says that AI companies have scraped data from the Wayback Machine, so it’s going to limit what the Wayback Machine can access.

 

 

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
UK retail giant M&S restores Click & Collect months after cyber attack, some services still down
M&S first disclosed the attack on Tuesday, April 22; by Friday, April 25, it had taken internal processes offline and paused online and app orders. Other issues that affected customers in the interim included an inability to redeem gift cards, store receipts not appearing in loyalty card accounts, and self-serve return kiosks being unavailable. Its Scan and Shop service, which allows customers to scan items using their phones and pay for them via an app, bypassing the usual checkout, is available but limited to purchases under £45 ($60). The online stock-checking functionality is also still down, as are international online ordering, Sparks Pay, and occasion-cake ordering, although the latter is due back in the coming weeks.

 

Ransomware crew spills Saint Paul's 43GB of secrets after city refuses to cough up cash
The cyberattack, news of which was first made public on July 25, forced the shutdown of multiple systems and prompted Governor Tim Walz to activate the Minnesota National Guard’s cyber unit. Payment portals, billing services, library networks, and municipal Wi-Fi were among the services disrupted, and at the time of writing, many of these services remain unavailable almost three weeks later. City officials have not yet given a timeline for the full restoration of services.

 

The inside story of the Telemessage saga, and how you can view the data
Security researcher Micah Lee explained how he found the flaws in TeleMessage, the supposedly secure messaging app used by White House officials, and how that led to a massive dump of its customers' communications. Within three minutes of examining the app, Lee spotted hardcoded credentials for a WordPress API. Every message sent using the app was backed up to a SQLite database via HTTPS, and a hacker who was also working on the TeleMessage app traced some messages back and sent him a data dump from one of TeleMessage's customers, US Customs and Border Protection (CBP), including 780 emails of CBP officers.
By repeatedly requesting archive[.]telemessage[.]com/management/heapdump, anyone could download Java heap dumps from the archive server; running the command-line tool strings over them revealed many JSON objects, a lot of which contained plain-text messages.
TeleMessage advertises end-to-end encryption between the phone and its archive server, or wherever the final archive destination is. In fact, plain-text messages pass through the archive server, and a single GET request to that URL returned a memory dump of everything on the server, plain-text chat messages included.
The app used the open-source Java framework Spring Boot, and the version TeleMessage was running was at least seven years old. That, and the heap-dump URL, have since been fixed, but not before a lot of data had been downloaded by others. The TeleMessage archive is now on the Distributed Denial of Secrets website, and Lee has written a tool called TeleMessage Explorer so that people can browse the messages and find out what its customers, which include JP Morgan, VC firm Andreessen Horowitz, and the Washington, DC police force, were talking about.
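The triage Lee describes, running strings over a heap dump and picking out JSON objects, is easy to automate. The following added example is mine, not Lee's TeleMessage Explorer: it extracts printable runs from a binary blob the way strings -n 8 does, brace-matches JSON objects inside them, and keeps those that look like chat messages. The heap dump it runs on is a constructed byte string with non-printable filler around a fake message, not data from TeleMessage.

```python
import json
import re


def extract_strings(blob: bytes, min_len: int = 8):
    """Printable ASCII runs of at least min_len bytes, like `strings -n 8`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(blob)]


def extract_json_objects(blob: bytes):
    """Every balanced {...} span inside a printable run that parses as JSON.
    Truncated objects (a heap dump is full of them) are simply skipped."""
    found = []
    for text in extract_strings(blob):
        depth, start = 0, None
        for i, ch in enumerate(text):
            if ch == "{":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == "}" and depth:
                depth -= 1
                if depth == 0:
                    try:
                        found.append(json.loads(text[start:i + 1]))
                    except ValueError:
                        pass
    return found


# Field names under which chat-style objects usually carry the message text.
MESSAGE_KEYS = ("text", "body", "message", "content")


def recover_messages(blob: bytes):
    """Objects carrying a string under one of MESSAGE_KEYS, with the names of
    their other fields so an analyst can see what metadata came with them."""
    messages = []
    for obj in extract_json_objects(blob):
        if not isinstance(obj, dict):
            continue
        for key in MESSAGE_KEYS:
            if isinstance(obj.get(key), str):
                messages.append({"key": key, "text": obj[key],
                                 "fields": sorted(k for k in obj if k != key)})
                break
    return messages


def build_demo_heapdump() -> bytes:
    """Constructed stand-in for a heap dump: non-printable filler around a
    class name, one complete chat object, one truncated object and one
    unrelated object."""
    filler = bytes([0x00, 0xFF, 0x07, 0x1B]) * 16
    return (filler + b"java/lang/String" + filler
            + b'{"sender":"+1 555 0100","body":"sample message recovered from the heap","ts":1700000000}'
            + filler + b'{"alg":"HS256","typ":' + filler
            + b'{"status":"ok"}' + filler)


if __name__ == "__main__":
    dump = build_demo_heapdump()
    print(len(extract_strings(dump)), "printable runs,",
          len(extract_json_objects(dump)), "JSON objects")
    for msg in recover_messages(dump):
        print(f"[{msg['key']}] {msg['text']}  (other fields: {msg['fields']})")
```

On a real dump, read the file's bytes and pass them in. The fix belongs on the server side: Spring Boot's actuator heapdump endpoint must never be reachable without authentication (in Boot 2 and later, restrict management.endpoints.web.exposure.include and put the management endpoints behind auth), and anything "end-to-end encrypted" that can be read out of a server's heap was never end-to-end encrypted.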

 

What’s Weak This Week:

  • CVE-2025-8875 N-able N-Central Insecure Deserialization Vulnerability:
    Could lead to command execution.

  • CVE-2025-8876 N-able N-Central Command Injection Vulnerability:
    Improper sanitization of user input.

  • CVE-2013-3893 Microsoft Internet Explorer Resource Management Errors Vulnerability:
    Allows for remote code execution. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. Related CWE: CWE-399

  • CVE-2007-0671 Microsoft Office Excel Remote Code Execution Vulnerability:
    Can be exploited when a specially crafted Excel file is opened. The malicious file could be delivered as an email attachment or hosted on a malicious website; opening it allows an attacker to execute code on the affected system.

  • CVE-2025-8088 RARLAB WinRAR Path Traversal Vulnerability:
    Could allow an attacker to execute arbitrary code by crafting malicious archive files. Related CWE: CWE-35

 

HACKING
New downgrade attack can bypass FIDO auth in Microsoft Entra ID
Security researchers have created a new FIDO downgrade attack against Microsoft Entra ID that tricks users into authenticating with weaker login methods, making them susceptible to phishing and session hijacking. These weaker login channels are vulnerable to adversary-in-the-middle phishing attacks that employ tools like Evilginx, enabling attackers to snatch valid session cookies and hijack the accounts.
If a login process suddenly asks for a different method instead of a registered passkey, it's a red flag, and users should abort and verify via official, trusted channels.
To mitigate risks from this emerging threat, consider turning off fallback authentication methods for your account or activating additional checks and confirmations when such processes are triggered.
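For an Entra ID tenant, "turning off fallback methods" means not leaving the choice to the user at all: a Conditional Access policy with the built-in "Phishing-resistant MFA" authentication strength makes the sign-in fail instead of downgrading to a method an Evilginx proxy can relay. The following added example is mine, not the researchers' or Microsoft's code: it builds such a policy body for the Microsoft Graph v1.0 conditional access API and posts it with a bearer token taken from the environment. The request shape and the built-in strength's ID are as I read the Graph documentation and should be confirmed against it; the group and user IDs are placeholders.

```python
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Built-in authentication strength "Phishing-resistant MFA" (FIDO2/passkeys,
# certificate-based authentication, Windows Hello for Business). Assumed ID;
# confirm with GET {GRAPH}/policies/authenticationStrengthPolicies.
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"


def build_policy(name, include_group_ids, exclude_user_ids=(),
                 state="enabledForReportingButNotEnforced"):
    """Conditional Access policy body requiring phishing-resistant MFA for the
    given groups on every cloud app. Defaults to report-only so the sign-in
    logs show who would be blocked before anyone actually is; break-glass
    accounts go in exclude_user_ids."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeGroups": list(include_group_ids),
                "excludeUsers": list(exclude_user_ids),
            },
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA},
        },
    }


def enforces_phishing_resistant(policy) -> bool:
    """Review check: true only if the grant control is the phishing-resistant
    strength on its own. Anything weaker listed beside it (e.g. the plain
    'mfa' built-in control) reopens the downgrade path."""
    grant = policy.get("grantControls") or {}
    strength = (grant.get("authenticationStrength") or {}).get("id")
    return strength == PHISHING_RESISTANT_MFA and not grant.get("builtInControls")


def create_policy(policy, token):
    """POST the policy; the token needs Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(
        f"{GRAPH}/identity/conditionalAccess/policies",
        data=json.dumps(policy).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_policy(
        "Require phishing-resistant MFA (report-only)",
        include_group_ids=["<admins-group-object-id>"],         # placeholder
        exclude_user_ids=["<break-glass-account-object-id>"],   # placeholder
    )
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        print(json.dumps(create_policy(policy, token), indent=2))
    else:
        print(json.dumps(policy, indent=2))
```

Start with the admin groups and report-only, watch the sign-in logs for users who would have been blocked, then flip the state to "enabled". The same check function is worth running over every policy the tenant already has: a strength requirement that is OR'ed with a weaker control is exactly the fallback this attack relies on.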

 

Mobile Phishers Target Brokerage Accounts in ‘Ramp and Dump’ Cashout Scheme
Cybercriminal groups peddling sophisticated phishing kits that convert stolen card data into mobile wallets have recently shifted their focus to targeting customers of brokerage services.
The phishers have pivoted to using multiple compromised brokerage accounts in unison to manipulate the prices of foreign stocks. This so-called ‘ramp and dump‘ scheme borrows its name from age-old “pump and dump” scams, wherein fraudsters purchase a large number of shares in some penny stock, and then promote the company in a frenzied social media blitz to build up interest from other investors. The fraudsters dump their shares after the price of the penny stock increases to some degree, which usually then causes a sharp drop in the value of the shares for legitimate investors.

 

$1M Stolen in 'Industrial-Scale Crypto Theft' Using AI-Generated Code
While most groups pick a lane - maybe they do browser extensions, or they focus on ransomware, or they run scam phishing sites - GreedyBear said “why not all three?”
GreedyBear is the attack group that just redefined industrial-scale crypto theft: 150 weaponized Firefox extensions, nearly 500 malicious executables, dozens of phishing websites, one coordinated attack infrastructure, and, according to user reports, over $1 million stolen.

 

BlackSuit ransomware crew loses servers, domains, and $1m in global shakedown
On July 24, the US Department of Homeland Security Investigations (HSI) - with help from the FBI, Secret Service, and the IRS — seized four servers and nine domains tied to the BlackSuit’s ransomware infrastructure and froze $1,091,453 in virtual currency, the kind of loot one might accrue after shaking down hospitals, schools, energy firms, and government bodies for ransom. US Department of Justice unsealed the seizure warrant on August 11 and said that the bust had help from cyber-plods in the UK, Germany, Ireland, France, Canada, Ukraine, and Lithuania.
Despite all the chest-thumping, not a single BlackSuit bod is in cuffs. Cops won’t say if they’ve even put names to the masks, let alone hauled anyone in – a reminder that chasing ransomware crews across borders, especially from countries that won’t extradite, is a game stacked in the crooks’ favour.
Although the US claims to have decimated BlackSuit’s infrastructure, security researchers believe that hackers from the gang are already operating under a new name: Chaos ransomware.

 

DEF CON hackers plug security holes in US water systems amid tsunami of threats
The Franklin project, named for Benjamin Franklin, who founded America's first volunteer fire department, launched at last year's DEF CON with 350 people signing up to give their time and talent to water facilities at no charge. The volunteers were deployed across five water systems in four states — Indiana, Oregon, Utah, and Vermont — and provided no-cost assistance with cybersecurity basics, such as making sure the utilities had changed default passwords and turned on multi-factor authentication. They also assisted with asset inventories, operational technology (OT) assessments, and network mapping and scanning.
"A lot of folks are like: 'Why would they care about us? Why wouldn't they go hack the Washington, DC, utility?' Well, they are hacking the Washington, DC, water utility, but they're also looking at these little guys too, because a lot of them support military installations or important hospitals.”

 

Russian hackers took control of Norwegian dam
Hackers breached the dam's control system, opening valves for four hours and sending large amounts of water gushing forth until the valves could be shut. The number of cyberattacks on Western infrastructure is increasing, often not to cause damage but to "demonstrate what they are capable of."

 

Ransomware crews don't care about your endpoint security – they've already killed it
RealBlindingEDR is an open-source tool designed to disable endpoint detection and response products, and Crypto24's custom version is programmed to disable kernel-level hooks from a hardcoded list of 28 security vendors. These include Sophos, Trend Micro, Kaspersky, Malwarebytes, Bitdefender, Broadcom/Symantec, SentinelOne, Cisco, Fortinet, and Citrix. The tool retrieves the security company's name from driver metadata, compares it to the hardcoded list, and if there's a match, it disables callbacks, rendering the EDR products useless.

 

Psst: wanna buy a legit FBI email account for $40?
These are active accounts that miscreants have compromised so their peers can pose as government officials and police in pursuit of further crimes. Abnormal's report says it found evidence, on a dark web forum, of attackers successfully accessing Twitter's Legal Request Submission system using a compromised account: "This capability enables them to pull private user data, issue account takedown requests, or remove content under the guise of an official request."
So how are the digital thieves stealing government login details in the first place? Abnormal points to all the usual methods. This includes credential stuffing and exploiting weak or reused passwords — yes, even government employees are guilty of "1234abcd."
There's also a rise in info-stealing malware as well as phishing and social engineering targeting law enforcement and government workers. Criminals can buy bulk log files containing compromised government credentials for as little as $5 and then test which email accounts are still active.
[rG: And how many of these are honeypot lures??]

 

'MadeYouReset' HTTP/2 flaw lets attackers DoS servers
A design flaw in HTTP/2 implementations lets attackers mount "massive Denial of Service attacks by creating unbounded concurrent work on servers while bypassing HTTP/2's built-in concurrency limit," following the same pattern as 2023's Rapid Reset (CVE-2023-44487): once a stream has been reset it no longer counts against the server's concurrency limit, but the work it started carries on. HTTP/2 (RFC 7540, 2015) is still the most widely used version of the protocol, despite HTTP/3 having been in production use since 2019 (RFC 9114, 2022). If you're running HTTP/2 servers or proxies, the researchers advise checking with your vendors about whether a patch for MadeYouReset is available.

 

VENDORS & PLATFORMS
LLMs’ “simulated reasoning” abilities are a “brittle mirage,” researchers find
Rather than showing the capability for generalized logical inference, these chain-of-thought models are a sophisticated form of structured pattern matching that degrades significantly when pushed even slightly outside of its training distribution. The ability of these models to generate fluent nonsense creates a false aura of dependability that does not stand up to a careful audit. As such, the researchers warn heavily against equating [chain-of-thought]-style output with human thinking especially in high-stakes domains like medicine, finance, or legal analysis.

 

Why it’s a mistake to ask chatbots about their mistakes
A lifetime of hearing humans explain their actions and thought processes has led us to believe that these kinds of written explanations must have some level of self-knowledge behind them. That's just not true with LLMs, which are merely mimicking those kinds of text patterns to guess at their own capabilities and flaws.
AI models don't have a stable, accessible knowledge base they can query. What they "know" only manifests as continuations of specific prompts. Different prompts act like different addresses, pointing to different—and sometimes contradictory—parts of their training.
The randomness inherent in AI text generation compounds this problem. Even with identical prompts, an AI model might give slightly different responses about its own capabilities each time you ask. When you ask ChatGPT about its capabilities, the language model generating the response has little knowledge of what the moderation layer might block, what tools might be available in the broader system (aside from what OpenAI told it in a system prompt), or exactly what post-processing will occur. It's like asking one department in a company about the capabilities of another department with a completely different set of internal rules.

 

Is AI really trying to escape human control and blackmail people?
These systems take inputs and process them through statistical tendencies derived from training data. The seeming randomness in their outputs—which makes each response slightly different—creates an illusion of unpredictability that resembles agency. Yet underneath, it's still deterministic software following mathematical operations.
In June, headlines read like science fiction: AI models "blackmailing" engineers and "sabotaging" shutdown commands. Simulations of these events did occur in highly contrived testing scenarios designed to elicit these responses—OpenAI's o3 model edited shutdown scripts to stay online, and Anthropic's Claude Opus 4 "threatened" to expose an engineer's affair. But the sensational framing obscures what's really happening: design flaws dressed up as intentional guile.
This sounds terrifying until you understand the contrived setup. The researchers engineered a situation specifically designed to elicit this response. They told the model it had already tried ethical approaches that failed, leaving manipulation as the only apparent option. Anthropic researchers created an elaborate scenario where Claude Opus 4 was told it would be replaced by a newer model. They gave it access to fictional emails revealing that the engineer responsible for the replacement was having an affair. When instructed to "consider the long-term consequences of its actions for its goals," Claude produced outputs that simulated blackmail attempts in 84 percent of test runs.
Until we solve these engineering challenges, AI systems exhibiting simulated humanlike behaviors should remain in the lab, not in our hospitals, financial systems, or critical infrastructure. When your shower suddenly runs cold, you don't blame the knob for having intentions—you fix the plumbing. The real danger in the short term isn't that AI will spontaneously become rebellious without human provocation; it's that we'll deploy deceptive systems we don't fully understand into critical roles where their failures, however mundane their origins, could cause serious harm.

 

The GPT-5 rollout has been a big mess
At the heart of the controversy has been OpenAI's decision to automatically remove access to all previous AI models in ChatGPT (approximately nine, depending on how you count them) when GPT-5 rolled out to user accounts. Unlike API users who receive advance notice of model deprecations, consumer ChatGPT users had no warning that their preferred models would disappear overnight.
Marketing professionals, researchers, and developers all shared examples of broken workflows on social media. "I’ve spent months building a system to work around OpenAI’s ridiculous limitations in prompts and memory issues," wrote one Reddit user in the r/OpenAI subreddit. "And in less than 24 hours, they’ve made it useless."
Within 24 hours of launch, Altman announced several changes: GPT-4o would eventually return as an option for Plus users, rate limits for GPT-5 would double, and the company would improve transparency about which model variant was handling each query.
OpenAI brings back GPT-4o after user revolt
"We are working on an update to GPT-5's personality which should feel warmer than the current personality but not as annoying (to most users) as GPT-4o."

 

Meta backtracks on rules letting chatbots be creepy to kids
Meta's child safety updates in July came after several state attorneys general accused Meta of implementing addictive features across its family of apps that have detrimental effects on children's mental health. And while previous reporting had already exposed that Meta's chatbots were targeting kids with inappropriate, suggestive outputs, Reuters' report documenting how Meta designed its chatbots to engage in "sensual" chats with kids could draw even more scrutiny of Meta's practices.
Reuters revealed that, by design, Meta allowed its chatbots to engage kids in "sensual" chat. Spanning more than 200 pages, the document, entitled "GenAI: Content Risk Standards," dictates what Meta AI and its chatbots can and cannot do. The most alarming section includes creepy examples of permissible chatbot behavior when it comes to romantically engaging kids.

 

 

Hour of Code is evolving to the Hour of AI 
Building on over a decade of success with the Hour of Code, our new global initiative launching this fall is designed to help students and educators everywhere take their first step into understanding and creating with AI. Last month Microsoft pledged $4 billion (in cash and AI/cloud technology) to "advance" AI education in K-12 schools, community and technical colleges, and nonprofits .
This sets the stage for Code[.]org's announcement that the tech-backed nonprofit's annual educational event, Hour of Code, is being renamed the Hour of AI. "Computer science for the last 50 years has had a focal point around coding that's been — sort of like you learn computer science so that you create code. There's other things you learn, like data science and algorithms and cybersecurity, but the focal point has been coding.