Feedback & Followups
- Age Verification Developments:
  - 🇺🇸 Apple have expanded their Digital ID technology to provide anonymous age verification in the US — www.macobserver.com/…
    - “A Digital ID in Apple Wallet created using a U.S. passport can be used to confirm that you’re an adult.” — Apple
  - 🇺🇸 Utah becomes first US state to require age verification for VPN use — cyberinsider.com/…
    - Not quite as nuts as it sounds: VPN providers don’t need to provide age verification; websites with adult content need to block VPNs (not possible to do reliably, of course!).
- iOS RCS support: Apple have officially announced that RCS will start rolling out with iOS 26.5, but it will be gradual, as carriers move to enable the feature on their networks — cyberinsider.com/…
- 🇺🇸 More welcome enforcement actions in the US: FTC orders Kochava to stop selling people’s location data — cyberinsider.com/…
- The SANS Institute did a good writeup of the malicious Homebrew ads we discussed last time, including screenshots — isc.sans.edu/…
  - Notice the initial link is clearly marked as an ad, though it could of course be an ad by the actual developers …
  - Bart’s advice remains — “never click ads in search results, assume they’re all dishonest or malicious” (because too many are!)
❗ Action Alerts
- Google pushes massive Chrome security update to patch 127 flaws — cyberinsider.com/…
- There have been two notable Linux Kernel Zero-days in the last week:
  - Patches are slowly starting to roll out from the various distributions for the first, and similar fixes for the second should follow soon.
  - There are workarounds for both vulnerabilities, but since they involve disabling kernel features, they should only be applied with an understanding of the impact this would have on the specific device. For typical home users, both workarounds should be safe, though.
  - Server-focused advanced security products like Microsoft Defender for Linux’s optional EDR feature (endpoint detection & response) have been updated to detect and block attempts to exploit these vulnerabilities.
  - Both vulnerabilities are local privilege escalation bugs, allowing non-root users logged into the machine to gain root privileges.
  - This makes the bugs catastrophic for shared computing environments like shared hosting and school labs.
  - For home users, the danger is much less — as we say on the show, “if you already have malware on your device, it can now become root”, but of course, you have a bigger problem: you already have malware!
  - 🧯 For most NosillaCastaways, in your personal capacity at least, these bugs can get a cautious fire-extinguisher emoji. Do still patch when official patches are released though!
  - “Copy Fail” gives root access to all Linux systems via 732-byte exploit — cyberinsider.com/…
  - New Linux ‘Dirty Frag’ zero-day gives root on all major distros — www.bleepingcomputer.com/…
- ⚠️ WhatsApp users — patch all your clients on all OSes ASAP: WhatsApp warns of Instagram Reels bug that could load risky content — cyberinsider.com/…
- ⚠️ Ollama Users — patch ASAP: Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak — thehackernews.com/…
Worthy Warnings
- ⚠️ Claude AI + Google Chrome users: “ClaudeBleed” allows any Chrome extension to control Anthropic’s AI assistant — cyberinsider.com/…
  - The issue has been partially fixed in the latest plugin update, but depending on your configuration, you might still be at risk!
    - “According to the report, attackers could still bypass the new protections by abusing Claude’s ‘Act without asking’ mode or by triggering alternative side-panel execution flows that restored autonomous behavior.” — Cyber Insider
- ⚠️ WordPress Site Owners — check you don’t have the Quick Page/Post Redirect plugin installed: Popular WordPress redirect plugin hid dormant backdoor for years — www.bleepingcomputer.com/…
- ⚠️ CPanel/WHM Users — check your hosting company has been keeping your server patched, and if you can, check the sign-in logs for unexpected sign-ins:
- A reminder of why we need to stay vigilant: 🇺🇸 FTC: Americans lost over $2.1 billion to social media scams in 2025 — www.bleepingcomputer.com/…
Notable News
- A rare retrograde step: Instagram Ends Message Encryption Making Your DMs Less Private — www.macobserver.com/…
  - A good reminder to treat all postings on any social media site as if everything you post in any format could easily become public at any stage.
  - When you need secure messaging, use a messaging service with good security, not a social media platform!
- 🇨🇦 ⚠️ Canadian NosillaCastaways — now might be a good time to reach out to your elected representatives to share your views: Apple and Meta warn Canada’s Bill C-22 forces encryption backdoors — cyberinsider.com/…
- Some small but nice cybersecurity enhancements:
  - Signal to roll out anti-phishing safeguards following account takeovers — cyberinsider.com/… (neither Signal’s systems nor their encryption were broken; the attacks were purely social engineering)
  - Microsoft to deprecate legacy TLS in Exchange Online starting July — www.bleepingcomputer.com/… (needed, but could break legacy clients!)
  - Meta enhances security of WhatsApp and Messenger encrypted backups — cyberinsider.com/…
  - Proton Mail rolls out quantum-resistant encryption for all users — cyberinsider.com/…
Excellent Explainers
- What Is Hacking? Types, Techniques, and How to Protect Yourself — www.intego.com/…
- Physicist Hannah Fry explains how agentic AI works using OpenClaw experimentation to illustrate: Why AI Agents are either the best or worst thing we’ve ever built
Interesting Insights
- An approachable yet deep interview with a leading Quantum Computing researcher: Breaking encryption with quantum computing — Interview with Chris Peikert — cyberinsider.com/… (definitely a long read!)
Palate Cleansers
- From Bart: an excellent three-part long-read from Ars on the history of the Internet:
  - An Ars Technica history of the Internet, part 1 — arstechnica.com/…
  - A history of the Internet, part 2: The high-tech gold rush begins — arstechnica.com/…
  - A history of the Internet, part 3: The rise of the user — arstechnica.com/…
  - I join the story about ¼ way through Part 2 in the age of Netscape Navigator & Internet Explorer 3
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
| 🎦 | A link to video content. |
