Feedback & Followups
- Microsoft is continuing to tighten GitHub’s defenses against supply-chain attacks propagating via the platform: GitHub Updates actions/checkout to Block Common Pwn Request Attack Patterns — thehackernews.com/…
❗ Action Alerts
- Apple Patches 30+ iOS, macOS, Safari Flaws, Including AI-Discovered WebKit Bugs — thehackernews.com/…
- Unusually, only three products patched this time
- “Apple said it’s making the security updates much earlier than before in response to concerns that AI tools could accelerate the development of exploits and act as an enabler of cyber warfare, shrinking the window between discovery and weaponization to hours.” — The Hacker News
- Many of the bugs were also found by AI!
- FFmpeg ‘PixelSmash’ bug triggers code execution on media file open — cyberinsider.com/…
- Servers that process video are the most important to patch ASAP
- Home users with video processing automations may need to patch a copy installed via something like Homebrew
- Embedded in many open source — keep an eye out for patches to any open source players/editors you use
- ⚠️ Linux Desktop Users & Android Users: more local privilege escalation bugs in the Linux kernel, including one that’s a little different to most:
- 🧯 New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries — thehackernews.com/…
- Generally, these kinds of bugs are not that important for NosillaCastaways: “Prioritize systems where “local user” does not mean trusted user: multi-tenant hosts, CI/CD runners, Kubernetes nodes, build workers, and shared research or lab machines.” — The Hacker News
- ⚠️ New “Bad Epoll” Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android — thehackernews.com/…
- Unusually, this one can be triggered from within the browser
- Also, unusually, this Linux kernel bug also affects Android
- ⚠️ Chrome Browser Users: Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability — thehackernews.com/…
- The plugin “carries a Featured badge on the Chrome Web Store” … how‽‽‽ 🤯
- ⚠️ Ubiquity Users: If you were slow to patch your router, you really need to get on it now: CISA warns of max severity Ubiquiti flaws exploited in attacks — www.bleepingcomputer.com/…
- Related: Microsoft quietly extends free Windows 10 ESU support to October 2027 — www.bleepingcomputer.com/…
Worthy Warnings
- Order-tracking app Shop abused to push callback phishing attacks — www.bleepingcomputer.com/…
- This is a really commonly used platform; you’ll likely recognise the logo!
- “Threat actors are increasingly abusing Shop, the order-tracking app from Shopify, by adding fake purchase receipts in users’ order histories to trick them into providing sensitive data or installing remote access software … “
- “… Despite the observed wave of fraudulent invoices, it is unclear how they are inserted into the Shop app …”
- “… Shop is a legitimate shopping app, and users inherently trust it, so orders that appear there are far more likely to prompt responses from unsuspecting users.” — Bleeping Computer
- Apple Hide My Email Users: there is an undisclosed vulnerability in Hide My Email that makes it possible for attackers to discover the underlying true email address — 9to5mac.com/…
- The bug is undisclosed, so few, if any, attackers are actually capable of reversing the addresses at the moment (could change in the future)
- This is a nice-to-have feature. If you choose not to use it, you expose your address anyway, so even if the protection is currently imperfect, it’s still better than you would get if you just stopped using the feature!
- Apple have been working to fix this for over a year, and it’s not clear if this is because they don’t care, or, if the problem is extremely difficult to fix.
- Speculation (by Bart): the recent announcement that these private addresses will be moving to their own separate domain may be related to fixing this issue
- LastPass says customer data exposed in Klue supply chain breach — cyberinsider.com/…
- “The company stressed that the compromise was limited to systems connected to Klue and did not affect LastPass products, infrastructure, or customer password vaults.” — Cyberinsider
- No passwords or payment info, ‘just’ contact details (including physical addresses) and support case numbers, ideal phishing fodder 🙁
- Why you should avoid using built-in TV apps, and favour dedicated boxes that get software updates: 50% of LG and Samsung smart TV apps embed residential proxies — cyberinsider.com/…
- Troy Hunt humorously explains why the ‘data deletion’ services ubiquitously advertised on podcasts are a lot less effective than their ad copy suggests: Swimming Pools, Pee, and Trying to Delete Your Data From the Internet — www.troyhunt.com/…
- ⚠️ Claude Customers: Anthropic to introduce age and ID checks for Claude users on July 8 — cyberinsider.com/…
- “Anthropic has updated its privacy policy to disclose that Claude users may be asked to verify their age or identity beginning July 8, a change that could require submitting government-issued identification documents and biometric data.” — Cyber Insider
- The policy: “… in certain circumstances, users may be asked to complete age or identity verification …” (clear as mud 🙁)
- ⚠️ AirPort Users: AirPort Utility is leaving the App Store — here’s what it means for your old router — www.cultofmac.com/…
- These routers have been out of support for years, so they have been unsafe to run for a long time
- Will become unmanageable, too!
- “If your network still relies on AirPort, it’s time to start looking at a mesh system or a NAS system before Apple decides for you” — Cult of Mac
- Time for a new router!!!
Notable News
- 🧯 Apple AirDrop and Android Quick Share flaws expose users to wireless attacks — cyberinsider.com/…
- New AirDrop security flaws are significant, but aren’t a giant threat — appleinsider.com/…
- “The researchers didn’t identify a way to steal files, bypass Apple’s security protections, or execute arbitrary code on affected devices. Instead, the vulnerabilities repeatedly crash the background service that powers AirDrop and several other Continuity features until the service restarts.” — Apple Insider
- Attackers also have to be physically close!
- 🇺🇸 US Supreme Court limits police access to people’s location history — cyberinsider.com/…
- “… ruled that law enforcement’s acquisition of historical location data through geofence warrants constitutes a Fourth Amendment search … police must satisfy the Constitution’s warrant requirements …” — Cyber Insider
- Cloudflare Users: Your site, your rules: new AI traffic options for all customers — blog.cloudflare.com/…
- Finer-grained category-based controls for allowing/denying bots: Search, Agent, Training
- Sensible defaults — real-time search agents allowed, and agentic agents allowed on sites that don’t advertise (ads require humans to monetise, so default to requiring humans for those sites), and training blocked.
- Continuing progress to prepare for a quantum-computing world:
- Cybersecurity Improvements:
- Google releases new privacy controls for activity history, personalization — www.bleepingcomputer.com/…
- WhatsApp is now warning users attempting to message unknown numbers — cyberinsider.com/…
- “WhatsApp has introduced a new security feature designed to make users think twice before starting conversations with unfamiliar phone numbers.” — Cyber Insider
- WhatsApp rolls out usernames to help users hide their phone number — www.bleepingcomputer.com/… 🎉
- This is a very important privacy improvement
- Usernames can even be locked down with a code, so even if someone knows your username but doesn’t have your code, they still can’t message you!
- Not live yet, but username reservation is open now, so grab the handle you want before it’s gone!
- Opera rolls out Paste Protect feature to fight ClickFix attacks — www.bleepingcomputer.com/…
- Brave browser introduces Containers for secure account isolation — cyberinsider.com/…
Excellent Explainers
- A pair of great explanations of two often misunderstood macOS security protections:
Palate Cleansers
- From Bart:
- Some nice terminal ice-water-in-hell for Windows users:
- Hands on with Intelligent Terminal, an AI-powered Windows Terminal — www.bleepingcomputer.com/… (Open-source clone of Windows terminal released by Microsoft)
- Microsoft’s Coreutils project brings Linux commands to Windows — www.bleepingcomputer.com/…
- An educational game for adults: Daily gerrymandering puzzle — gerrymandle.cc
- Recommended by Kantor on the Podfeet Slack
- A fun way to really understand why redistricting matters!
- Some of the challenges are darn difficult!
- A sanity-saving tip: Stop previews from autoplaying on Apple TV — sixcolors.com/… (it works 🎉)
- 🎧 The Vergecast: # The **epic** story of Markdown — overcast.fm/… (note the title 😀)
- An amazing long read: Where to Find the Colors Your Screen Can’t Show You — moultano.wordpress.com/…
- I finally understand why I can never capture the amazing greens I see in spring forests here in Ireland — it’s not that I’m somehow inept, it’s that even the P3 wide colour space on Apple’s devices can’t represent some colours, including those greens, and more mundanely, the unique aquamarine colour of ‘green’ traffic lights!
- You learn where to find these un-capturable colours in the real world so you can enjoy them with your actual eyes!
- XKCD 3262: Sports Commentary

- Purely for the hover text: “The plural of anecdote may not be data, but the singular of data is anecdote.” 😀
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to, when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
| 🎦 | A link to video content. |
