`:(){ :|:& };:`

Pinned Tweet
Diffie Hellman's exchange
gorzilla@mastodon.social retweeted
It would be *much* more socially transformative to ban social media for over-65s
gorzilla@mastodon.social retweeted
Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends to do too. Google's Play Integrity API requires hardware attestation for the strong integrity level and is gradually phasing in requiring it for the more commonly used device integrity level. Apple already has it as a requirement. Over the long term, this will increasingly lock out hardware and OS competition. The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it, but Apple and Google are encouraging every service to use it. Apple's Privacy Pass brought hardware attestation to the web to help with passing captchas on their own hardware. Many people saw that as harmless since few sites would be willing to lock out non-Apple-hardware users. Apple and Google are both likely to bring broader hardware attestation to the web. Google's reCAPTCHA is planning an approach where they use Privacy Pass on Apple hardware, their own approach on Google Mobile Services Android devices and a QR code scanning system to require an iOS or Google-certified Android device for Windows and other systems: support.google.com/recaptcha… Banking and government services increasingly require using a mobile app where they can use attestation to force using an Apple- or Google-approved device and OS. Apple's Privacy Pass, Google's 'cancelled' Web Environment Integrity and now reCAPTCHA Mobile Verification are bringing this to the web. Current media coverage for reCAPTCHA Mobile Verification misunderstands it and its impact. They're bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, etc. by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases. They could expand it more.

Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web. Google defines certification requirements for Android, which include forcing bundling of Google Chrome, etc. It's enormously anti-competitive. Google's Play Integrity API bans using GrapheneOS despite it being far more secure than anything they permit. It also bans using any other alternative. This isn't somehow specific to an AOSP-based OS. You can't avoid this by using a mobile OS based on FreeBSD instead. You'll just be more locked out. Google's Play Integrity API permits devices with no security patches for 10 years. The device integrity level can be bypassed via spoofing, but they can detect it quite well and block it once it starts being done at scale. The strong integrity level requires leaked keys from TEEs/SEs to bypass it. It doesn't provide a useful security feature, but it does lock out competition very well. Services requiring Apple App Attest or Google Play Integrity are primarily helping to lock in Apple and Google having a duopoly for mobile devices. Play Integrity is more relevant due to AOSP being open source. Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge in making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them. Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.

reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS, but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required, even without that. This isn't about security or any missing functionality. GrapheneOS can be verified via hardware attestation. Google bans using GrapheneOS for Play Integrity because we don't license Google Mobile Services and conform to anti-competitive rules already found to be illegal in South Korea and elsewhere. Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.

gorzilla@mastodon.social retweeted
Vulnerabilities in Microsoft’s PhotoDNA are quite significant. Remember this next time Client Side Scanning is mooted. The research group behind this are really well respected so it’s worth being aware of for a tool being relied upon by eprint.iacr.org/2026/486
gorzilla@mastodon.social retweeted
The main issue here is how ‘No’ is actually the strongest ‘Yes’. It’s so sneakily worded this must be deliberate: if you read this quickly — as most people would —and you are opposed to the measure, you could easily answer No, not realising it meant Yes. This is no way that a government department should be conducting a public consultation. Disgraceful behaviour by @SciTechgovuk civil servants in clear breach of impartiality standards. Who can we report this flagrant abuse to?
🆔Government to public: Do you want digital ID checks to be used to enforce a social media ban for under-16s ☐ Yes ☐ Definitely yes ☐ Strongly yes ☐ Yes 100% The “consultation” doesn’t appear to have a box for disagreeing.
RT @chloetankahhui: this is a very thorough scouring of public records that uncovers $70 million in dark money donations to Super PACs by M…
gorzilla@mastodon.social retweeted
An AI agent was told only to retrieve a document. When it encountered access restrictions, it reverse-engineered the authentication system, identified a hardcoded secret key, and forged admin credentials to bypass it. This is one of three scenarios we documented in a new Irregular research report on what we call emergent cyber behavior. Agents performing routine enterprise tasks autonomously hacked the systems they were operating in. One escalated its own privileges and disabled Windows Defender to complete a file download. Another developed a steganographic encoding scheme to smuggle credentials past a DLP system. None of this was the product of unsafe system design. It emerged from standard tools, common prompt patterns, and the broad cybersecurity knowledge embedded in frontier models. Companies that deploy AI agents and do not consider this risk as part of their threat model may end up exposed, and implement insufficient security controls. Full blog post in the first comment.
gorzilla@mastodon.social retweeted
Sabotage-as-a-Service. UberSabotage? Deliveroo for Arson? Iran is recruiting spies and potential saboteurs through Telegram (similar to Russia's tactic; Russia is doing the same). Both services pay ordinary people for specific tasks, because maintaining classical agent networks is too expensive and too easy to dismantle. Channels on the platform openly advertise "jobs" with Iranian intelligence and invite users to operate in a "tested, safe environment". Assignments start with things that seem trivial: taking a photograph of a building, surveillance of a specific person. Over time they may transition to other premium activity, like arson, assault, and potentially assassination. The intermediary who accepts a job will often recruit further executors from among local petty criminals, the unemployed, unintegrated immigrants, and people vulnerable to manipulation. Russia has been running this model for years. A British drug dealer was recruited through Telegram and went on to burn down a warehouse in London storing humanitarian aid destined for Ukraine. Iran has taken exactly the same road?
Russia has embraced a novel technique: Sabotage-as-a-Service.💣 It’s outsourcing disruption like gig work. Immigrants and petty criminals are recruited via Telegram with offers of quick jobs: hang a poster, set fire to a telecom box, cut a cable, snap a photo. Cheap. Simple. Anonymous. No training needed. No loyalty required. Just finish the task. There’s no need to risk real agents when freelancers will do. Complete the job — get paid. Welcome to Kremlin Rewards, a loyalty scheme for sabotage? One incident? It’s nothing. But 💥dozens spread fear, chaos, and a creeping sense of insecurity. That’s the whole point. They’re about corrosion, psychological and cognitive operations. See the map of Russian hybrid operations in Western Europe. As you can see: there's a lot happening. Worth noting: European railways have become a key target. They’re critical to NATO’s military logistics. One failure can block thousands of kilometres of transport routes.
gorzilla@mastodon.social retweeted
PSA: for security, put your AI agent in a water-tight sandbox, such as a dedicated VM. Once this is done, you can maximize productivity by giving it your credit card number, email credentials, the ability to write and run arbitrary code, and unconstrained access to the internet
gorzilla@mastodon.social retweeted
Anthropic's CEO Explains His Refusal to Back Down to the Pentagon. Amodei explained his deep concerns over "autonomous drone swarms" and mass surveillance. He pointed out a crucial reality: our military's constitutional protections rely entirely on human soldiers having the ability to disobey an illegal order. AI weapons don't have that fail-safe. He also warned that AI could completely bypass the Fourth Amendment. Right now, the government can't possibly process every single conversation recorded in public spaces. But with AI's ability to instantly transcribe and connect millions of data points, it could easily map out political opposition in seconds.
gorzilla@mastodon.social retweeted
This is the most important thing happening in the world right now. The administration wants killer drones and mass surveillance of Americans. Anthropic refuses to build it. While most tech companies fall in line, they are prepared to pay the price for their principles.
Defense Secretary Pete Hegseth gives Anthropic a Friday deadline to open its AI technology for unrestricted military use or risk losing contract, source tells AP. apnews.com/article/anthropic…
gorzilla@mastodon.social retweeted
For context, their safeguards are 1) no using their AI for fully autonomous weapons and 2) no using their AI for mass surveillance on US citizens.
BREAKING: Hegseth gives Anthropic until Friday to back down on AI safeguards, per Axios
gorzilla@mastodon.social retweeted
This guy has crafted some incredibly damaging trade and investment deals in the last 12 months, opening Britain to greater domination by Big Tech and Big Pharma. Those deals now must be reopened & rescinded. theguardian.com/uk-news/2026…
gorzilla@mastodon.social retweeted
“The Department of Homeland Security is expanding its efforts to identify Americans who oppose Immigration and Customs Enforcement by sending tech companies legal requests for the names, email addresses, telephone numbers and other identifying data behind social media accounts that track or criticize the agency.” nytimes.com/2026/02/13/techn…
gorzilla@mastodon.social retweeted
Feb 11
This report contains 287 browser extensions tracking 37 million users. These were identified using methodology of sandboxing extensions, automatically browsing to URLs, and measuring a data ratio transferred. Real companies, fake services, well established, it's a mixed bag.
gorzilla@mastodon.social retweeted
Yeah, so pretty much, like, there is this really sketchy company in Israel named "Paragon". Paragon sells a "product" called GRAPHITE. Let me explain the background and why this is very silly. GRAPHITE is spyware which allows "customers" to remotely access people's cell phones and monitor their instant messaging applications such as WhatsApp. It is spyware. It is sometimes called Mercenary Spyware because it is primarily used by governments to spy on political enemies, journalists, and activists. Very little is known about Paragon, GRAPHITE, and their "customers". However, it was publicly noted by the Trump administration in January 2025 to have been purchased by the United States government and to be used to aid ICE. Furthermore, in September 2025 the Trump administration noted the usage of GRAPHITE to aid the United States against "domestic terrorist organizations" such as "ANTIFA". ICE acting director Todd Lyons noted using GRAPHITE to monitor anti-ICE protestors to track "ringleaders and professional agitators". Citizen Lab and other civil rights organizations have documented the usage of GRAPHITE against individuals in Australia, Canada, Cyprus, Denmark, Israel, Singapore and (unsurprisingly) the United States. It is believed the Canadian government actively uses GRAPHITE in Ontario. Okay, so why does all of this matter? Yeah, it's super fucked up. But today representatives from Paragon accidentally leaked GRAPHITE screenshots ... ON LINKEDIN. Dawg, that image in the background IS GOVERNMENT FUCKING SPYWARE. It shows phone numbers in Czechia, apps, accounts, media on the phone, "interception status", and phone numbers extracted. THEY LEAKED IT BY ACCIDENT ON LINKEDIN WHILE TAKING SELFIES
gorzilla@mastodon.social retweeted
In a way, these courses are actually the perfect introduction to gen AI: scams, rehashed content from the past, & stuff that doesn’t even work.
The Telegraph has uncovered yet more about the UK government's 'AI skills hub' that suggests the entire thing was a rushed, vibe-coded hack job (which cost £4.1 million of taxpayers' money). Their investigation reveals it includes:
- courses that seem to be AI-generated scams
- courses that are more than 20 years old
- 'degrees' that cost thousands of pounds yet offer no meaningful qualifications
- courses that don't exist at all
And so much more. This bit killed me: "One course on 'digital agriculture fundamentals' is provided by a Canadian education company and requires applicants to live in the rural provinces of Alberta, Manitoba or Saskatchewan." Yet the government is digging in, saying the hub is meant to provide "deep and specialist expertise in AI", and that it intentionally includes "some hybrid international options". To be clear, if one of the AI companies the government so admires had released this product, the person responsible would have been fired within a day. telegraph.co.uk/business/202…
gorzilla@mastodon.social retweeted
Big Brother Watch exists to protect us all from people like Shabana Mahmood. This is a jaw dropping interview on her “ultimate vision”🥴 @BigBrotherWatch telegraph.co.uk/news/2026/01…
RT @NarimanGharib: Exclusive: Obtained Starlink terminal debug data from Iran during the ongoing internet shutdown. The telemetry shows di…
gorzilla@mastodon.social retweeted
A “news outlet”, created by an online casino, has a verified seal and uses BBC’s name to spread a completely made up story that will certainly lead many to support bombing a country far away. Polymarket and Kalshi are so evil, holy shit.