Feedback & Followups
- Some notable anecdotes to illustrate why Bart and Allison are so cautious about agentic AI:
    - Over 20,000 Instagram accounts stolen in Meta AI support hack — www.bleepingcomputer.com/… (An agentic support agent could be easily talked into resetting passwords without proof of account ownership!)
    - OpenClaw AI agent found falling for phishing attacks, spills user data — www.bleepingcomputer.com/… (Agents can be phished too 😕)
    - New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets — thehackernews.com/… (Patched, but there are many more where those came from!)
- An interesting new variant of the supply chain attacks that are compromising so many sites at the moment: OptinMonster WordPress plugin hacked in CDN supply-chain attack — www.bleepingcomputer.com/…
    - No malicious code was secretly added into a software update this time!
    - Instead, malicious code was secretly added to the web-hosted JavaScript that the company’s plugins load from its CDN
    - A single attack compromising multiple plugins!
    - The vendor needed to fix their hosted code, but site owners didn’t need to patch anything
    - Site owners are advised to check their sites for unauthorised admin accounts.
- A useful response to the embarrassing VSCode store supply-chain hack of GitHub discussed last time: VS Code Adds 2-Hour Extension Auto-Update Delay to Limit Supply Chain Attacks — thehackernews.com/… (A good first step, but much more needed!)
- WhatsApp says it caught NSO attempting to spy on users again — cyberinsider.com/…
- 🇬🇧 More strong criticism of misguided UK plans:
    - Signal and Mullvad warn about the UK’s plans to scan people’s phones — cyberinsider.com/… (to detect nudes on kids’ phones)
    - UK to require ID or face scan before you can make social media accounts — www.bleepingcomputer.com/… (to facilitate a social media ban for kids)
    - Related: Apple announced a big overhaul of parental controls for their OS 27 variants that are very much aimed at empowering parents rather than replacing them — www.macobserver.com/…
- Apple have explained exactly how their Terminal ClickFix protections work: If your Mac blocks a Terminal command paste or script — 📣 Apple PR
    - Interesting that they’re not targeting all the warnings at regular Terminal users, but focusing on users who rarely use the Terminal app — a clever way to avoid alert fatigue
- 🇨🇦 Some good news from Canada for a change: Canada introduces privacy law with GDPR-like penalties for data breaches — cyberinsider.com/… (The start of the legislative process, not the end)
Listener Questions
A tip from Joop
This is not actually a listener question, but I’m gonna bend the rules a little 🙂
Nosillacastaway Joop asked if I’d seen the new open source iOS app Loupe, which shows all the data your iPhone makes available to apps (I had, but hadn’t taken the time to actually install it yet).
Inspired by Joop’s reminder, I installed it immediately and started exploring!
The app is free and open source, and extremely transparent about what it does and how it does it, and with good reason! The information it reveals is more than a little thought-provoking!
What the app does is show you every piece of information every iOS API makes available to apps installed on your device, both the information apps can access without permission prompts, and the information they can access only after a permission prompt.
The information is grouped by category, and by permission prompt, making it clear what extra information each prompt is protecting.
After spending quite some time exploring what the apps I choose to install onto my phone can access (if their developers choose to call the relevant APIs), I have some thoughts!
- Those annoying prompts are really important, they are protecting some very sensitive data!
- Apple have done their best to limit the data available to apps without additional permission to just what’s needed to facilitate the kinds of rich apps we expect on our iPhones. There was nothing that made me think “why on earth would you expose that!”
- The information available without additional permissions is not directly concerning from a privacy point of view — there’s no way for developers to directly link your phone to you, the person.
- However, when you collect all the individually innocuous data points together, you can build a robust fingerprint, enough to be used as a so-called super cookie by unscrupulous developers, who could sell it to data brokers who could then start connecting the dots across every unscrupulous app you have installed!
- The risk from these fingerprints generally doesn’t come from an individual developer using it to join the dots between your activities on two of their apps (there are simpler, more direct ways of doing that, like having you log in with the same account!)
- The risk comes from data brokers and ad networks paying developers to share your data with them. This is how free apps generate income!
- Taken individually, the data points exposed without granting extra permissions are anonymous, so when you read an App Store nutrition label and it says the app sends data “not associated with you”, it’s almost certainly sending a fingerprint to one or more data brokers as a revenue source!
- All ad-powered apps and many ad-free free apps declare that they share anonymous information — that’s how they monetise their otherwise free apps!
Thinking about it for just a few seconds, I could see immediately that I have a very unique fingerprint from these utterly sensible and innocuous data points! Apps on my phone can see that I have three keyboard languages installed — en-IE, nl-IE, and ga-IE (English, Dutch, and Irish with an Irish keyboard layout), and that my preferred locale for number and currency formatting is IE (Ireland). Other API calls reveal to apps that I’m currently using an orange iPhone 17 Pro Max with a specific disk capacity, and my current IP address, sampled over time, reveals that I spend most of my time on educational and residential ISPs in the greater Dublin area. How many Irish orange iPhone 17 Pro Maxes with my storage capacity are there with those language preferences? I’d be prepared to wager there’s exactly one, mine!
There are hundreds of data points. I stand out because of my language preferences, but somewhere, in all those individually mundane data points, we’re all a little bit unusual in our own ways! For example — accessibility features only work well when apps obey them, so the APIs have to reveal your current settings in terms of contrast, animation level, font size, and so on. Of the people who enable at least one accessibility feature, you can rest (un)assured that few other people who share your ISP pattern have exactly those settings!
Do you have even one custom font installed?
I could go on, but you get the idea!
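To make the “exactly one” arithmetic concrete, here is a small Python example added to these notes for illustration. It is not Loupe’s code and not from the show notes; the attribute names (model, colour, storage_gb, region, keyboards, reduce_motion) are stand-ins for the kinds of values the app reveals, not real iOS API names, and the ten-phone population is made up. It counts how many phones remain indistinguishable from “mine” as each attribute is added, converts that into bits of identifying information, and shows how the same attributes hash into a stable identifier that two unrelated apps would compute identically, which is all a data broker needs to join their records.

```python
"""Added example, not code from Loupe or from the show notes: how a set of
individually innocuous device attributes shrinks the crowd you hide in, and
how a developer could turn them into a stable "super cookie".

The attribute names below are assumptions standing in for the kinds of
values the notes describe; they are not real iOS API names.
"""
import hashlib
import json
import math

# Constructed sample population of ten devices (made up for this example).
# The first entry plays the part of "my phone".
POPULATION = [
    {"model": "iPhone 17 Pro Max", "colour": "orange", "storage_gb": 1024,
     "region": "IE", "keyboards": ["en-IE", "nl-IE", "ga-IE"], "reduce_motion": False},
    {"model": "iPhone 17 Pro Max", "colour": "orange", "storage_gb": 1024,
     "region": "IE", "keyboards": ["en-IE"], "reduce_motion": False},
    {"model": "iPhone 17 Pro Max", "colour": "orange", "storage_gb": 256,
     "region": "IE", "keyboards": ["en-IE"], "reduce_motion": True},
    {"model": "iPhone 17 Pro Max", "colour": "blue", "storage_gb": 1024,
     "region": "GB", "keyboards": ["en-GB"], "reduce_motion": False},
    {"model": "iPhone 17 Pro", "colour": "orange", "storage_gb": 256,
     "region": "IE", "keyboards": ["en-IE", "ga-IE"], "reduce_motion": False},
    {"model": "iPhone 17", "colour": "black", "storage_gb": 128,
     "region": "US", "keyboards": ["en-US"], "reduce_motion": False},
    {"model": "iPhone 16", "colour": "white", "storage_gb": 256,
     "region": "NL", "keyboards": ["nl-NL", "en-GB"], "reduce_motion": False},
    {"model": "iPhone 17 Pro Max", "colour": "orange", "storage_gb": 1024,
     "region": "IE", "keyboards": ["en-IE", "ga-IE"], "reduce_motion": False},
    {"model": "iPhone 17 Pro Max", "colour": "silver", "storage_gb": 512,
     "region": "DE", "keyboards": ["de-DE"], "reduce_motion": True},
    {"model": "iPhone 15", "colour": "black", "storage_gb": 128,
     "region": "IE", "keyboards": ["en-IE"], "reduce_motion": False},
]

# Attributes an app can read without any permission prompt (assumed names).
FINGERPRINT_ATTRS = ["model", "colour", "storage_gb", "region", "keyboards"]


def anonymity_set(population, target, attrs):
    """Devices in the population indistinguishable from target on these attributes."""
    return [d for d in population if all(d[a] == target[a] for a in attrs)]


def identifying_bits(population, target, attrs):
    """Bits of identifying information: log2(population size / anonymity set size)."""
    k = len(anonymity_set(population, target, attrs))
    return math.log2(len(population) / k)


def shrink_report(population, target, attr_order):
    """Anonymity-set size after each attribute is added, in the given order."""
    report = []
    for i in range(1, len(attr_order) + 1):
        k = len(anonymity_set(population, target, attr_order[:i]))
        report.append((attr_order[i - 1], k))
    return report


def fingerprint_id(profile, attrs):
    """Stable identifier derived from the attributes alone: the "super cookie".

    Any app that reads the same attributes derives the same hash, so a broker
    receiving it from two unrelated apps can join the records without ever
    being sent a name or email address. Canonical JSON makes the hash
    independent of dict ordering; keyboard order is kept because it is itself
    a signal.
    """
    canonical = json.dumps({a: profile[a] for a in attrs},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    me = POPULATION[0]
    for attr, k in shrink_report(POPULATION, me, FINGERPRINT_ATTRS):
        print(f"+{attr:<11} anonymity set = {k:2d} of {len(POPULATION)}")
    print("identifying bits:", round(identifying_bits(POPULATION, me, FINGERPRINT_ATTRS), 2))
    print("super cookie:", fingerprint_id(me, FINGERPRINT_ATTRS)[:16], "...")
```

Run it and the anonymity set goes 6, 4, 3, 3, 1: the region adds nothing once model, colour and storage are known (every orange 1 TB 17 Pro Max in the sample is already Irish), but the exact keyboard list singles out one phone. Scale the population up to every iPhone in existence and the same logic holds; it just takes a few more attributes, which is exactly what the hundreds of data points Loupe lists provide.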
Great apps need these APIs, so Apple have done as much as it is possible to do, but nothing Apple do can change the reality that installing an app is an act of trust!
All in all, this little peek under the covers confirms my strong belief that the only way to avoid being tracked is to follow the money, read those nutrition labels, and pay for apps and services with your money rather than your privacy!
❗ Action Alerts
- Google Chrome emergency update fixes actively exploited flaw in V8 — cyberinsider.com/… (all platforms, and technical details withheld to give users time to patch)
- A Record-Breaking Patch Tuesday for June 2026 — krebsonsecurity.com/… & Microsoft June 2026 Patch Tuesday fixes 6 zero-days, 200 flaws — www.bleepingcomputer.com/…
    - Microsoft’s nemesis strikes again with another two zero-days irresponsibly published right after Patch Tuesday
        - RoguePlanet, a local privilege escalation flaw in Defender — www.bleepingcomputer.com/… (not catastrophic since malicious code needs to get into your device to abuse this kind of bug, but bad)
        - GreatXML, another BitLocker full disk encryption bypass — thehackernews.com/… (Like his previous BitLocker flaws, this does not break the encryption, and it requires physical access to the unlocked drive, so not relevant to regular NosillaCastaways)
- ⚠️ Beats Studio Buds Users: Apple fixes Beats Studio Buds flaw that let hackers spy on conversations — www.bleepingcomputer.com/…
- ⚠️ NGINX users: F5 issues out-of-band patches for critical NGINX vulnerabilities — www.bleepingcomputer.com/… (Patchy-patchy-patch-patch!)
Worthy Warnings
- ⚠️ Facebook Users: Meta to Use Off-Site Business Data for Feed and AI Personalization — thehackernews.com/… (The torrent of data web stores, websites, and apps get paid to send Meta about everything Facebook users do across those participating sites, including purchases, will be fed into their LLM training data — maybe a worthy final straw?)
- ⚠️ Apple App Store Users: Researchers Say Apple Records Every Tap You Make in the App Store — www.macobserver.com/… (apparently part of Apple’s personal suggestions feature, and not for targeted ads, but nonetheless, very off-brand for Apple 🙁)
- ⚽ Soccer Fans: A good topic-specific warning about the kinds of scams fans need to be aware of: How to Avoid World Cup Scams, Fake Streams & Phishing — www.intego.com/…
- Firefox AI Plugin Users: Firefox AI Chatbot feature exposed users to email theft risk — cyberinsider.com/… (Problem with the API the browser provides for all AI plugins to use, and current fix is not really a fix, just a crude workaround)
- 🇺🇸 ⚠️ US-based Heart Patients: iRhythm discloses data breach, says hackers stole patient info — www.bleepingcomputer.com/… (Very sensitive data, and the company are not being communicative 🙁)
- 🇬🇧 🇪🇺 Google Users: Google to use UK and EU user IP addresses for ad personalization — www.bleepingcomputer.com/… (Reminder: if you value your privacy, you can buy high-quality privacy-protecting search from Kagi!)
Notable News
- There’s a lot of misunderstanding about just how Siri AI will integrate with Gemini, and I’m hearing poorly informed people wrongly say Apple are giving up on their privacy focus; that couldn’t be more wrong — cyberinsider.com/…
- Apple will unify the email domains used by Sign in with Apple and iCloud+ Hide My Email under the private.icloud.com domain — developer.apple.com/…
    - This will make it possible for unscrupulous websites to deny the use of Apple’s anonymous email addresses.
    - I agree with John Gruber that this is not a bad thing. Any site that does that is clearly the kind of site you want to avoid — daringfireball.net/…
- A12 & A13 Apple devices face an unpatchable SecureROM vulnerability — appleinsider.com/…
    - This bug requires physical access and booting the phone into recovery mode, but it bypasses secure boot, allowing unsigned and modified OSes to boot on these devices.
    - For typical NosillaCastaways, this is not a security concern, but high-risk users should no longer rely on these older devices.
    - The most notable thing about these bugs is that they provide a permanent jailbreaking opportunity.
- Proton VPN passes no-logs audit that found no user activity retention — cyberinsider.com/…
Interesting Insights
- A good first-hand report on what Anthropic Mythos can and can’t do: XBOW tests Anthropic’s Mythos Preview for offensive security — www.bleepingcomputer.com/…
Just Because it’s Cool 😎
- 🎧 Hear a security researcher tell the fascinating tale of how Stuxnet and Fast16 sabotaged Iran’s centrifuges and nuclear calculations: Planet Money: Can computer hackers get inside your mind? — www.npr.org/…
Palate Cleansers
- From Bart:
    - 🖼️ NASA Astronomy Picture of the Day for 15 June 2026: Triple Shockwave from Sun Crossing Rocket — apod.nasa.gov/…
    - 🎧 Some of my favourite podcasts and podcasters are producing amazing content to celebrate the 250th anniversary of the US Declaration of Independence:
        - The Legacy podcast from the UK did an excellent series on the so-called founding fathers, and expanded the concept to the founding mothers. There are amazing episodes making up the mini-series both before and after this recommended one: Legacy: 1776 – The Founding Mothers — overcast.fm/…
        - 99% Invisible is partnering with the BBC to tell the story of America through 100 objects — 99percentinvisible.org/…
        - Malcolm Gladwell is partnering with President Obama to re-examine the story of the Reconstruction era: Reconstruction: The Unfinished Promise: Prologue - Malcolm Gladwell and President Obama — overcast.fm/…
    - 🎦 The Fascinating Story of the Victorian Mechanical Computers that still keep many British railways running safely: Why do some British trains still rely on old levers? — youtube.com/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to, when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
| 🎦 | A link to video content. |
