Founded 50 years ago and headquartered in Paris, ESA is an intergovernmental organization that coordinates the space activities of 23 member states. ESA has around 3000 staff and had a budget of €7.68 billion ($9 billion) in 2025.

Today, the space agency issued a statement confirming a breach, following claims by a threat actor on the BreachForums hacking forum that they had breached some of ESA's servers.

The threat actor also leaked some screenshots as proof that they've had access to ESA's JIRA and Bitbucket servers for an entire week.

"ESA is aware of a recent cybersecurity issue involving servers located outside the ESA corporate network. We have initiated a forensic security analysis—currently in progress—and implemented measures to secure any potentially affected devices," the space agency said on Tuesday.

"Our analysis so far indicates that only a very small number of external servers may have been impacted. These servers support unclassified collaborative engineering activities within the scientific community."

ESA says it has already notified "all relevant stakeholders" of the security breach and will provide further updates as soon as more information becomes available.

While ESA didn't provide any other details about which servers were breached, the threat actors claim they stole over 200GB of data after breaching the European Space Agency's systems and private Bitbucket repositories.

They said that the allegedly stolen data includes source code, CI/CD pipelines, API tokens, access tokens, confidential documents, configuration files, Terraform files, SQL files, hardcoded credentials, and more.

"I've been connecting to some of their services for about a week now and have stolen over 200gb of data. Including dumping all their private Bitbucket repositories as well," the threat actors said.

An ESA spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

This is not the first time the European Space Agency has had its systems breached in recent years.

One year ago, right before Christmas, the European agency's official web shop was hacked, with malicious JavaScript code inserted to steal customer information and payment card data provided during checkout.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 31 December 2025 at 4:25 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

The 29-year-old man was extradited from Georgia to South Korea following a related request under Interpol’s coordination.

According to the Korean National Police Agency, the suspect used KMSAuto to lure victims into downloading a malicious executable that scanned the clipboard for cryptocurrency addresses and replaced them with ones controlled by the attacker - known as 'clipper malware'.

According to the Korean National Police Agency, the suspect added malware to the KMSAuto tool that checked clipboard contents for cryptocurrency addresses and changed the destination address to one controlled by the attacker. This type of threat is called clipper malware.

"From April 2020 to January 2023, the hacker distributed 2.8 million copies worldwide of malware disguised as an illegal Windows license activation program (KMSAuto)," the police say.

"Through this malware, the hacker stole virtual assets worth approximately KRW 1.7 billion ($1.2 million) in 8,400 transactions from users of 3,100 virtual asset addresses."

The police started the investigation in August 2020, following a report about cryptojacking, where the victim’s system was infected by clipper malware, swapping the intended recipient’s wallet address to direct payments to the attacker.

The investigation uncovered a malware infection through the said KMSAuto tool. The clipper targeted at least six cryptocurrency exchanges, according to the investigators.

After tracing the stolen amounts and identifying the perpetrator, a raid occurred in December 2024 in Lithuania, where 22 items, including laptop computers and mobile phones, were confiscated.

Examination of the seized items revealed incriminating evidence, eventually leading to the arrest of the hacker in April 2025, while he was traveling from Lithuania to Georgia.

The South Korean police remind the public that using illegal software that violates copyright is risky because such tools can introduce malware into the system.

This type of utility has often been used to distribute malware. Recently, cybercriminals impersonated the Microsoft Activation Scripts (MAS) tool to spread PowerShell scripts that delivered the Cosmali Loader malware.

It is recommended to avoid using unofficial software product activators and, more generally, any Windows executables that aren’t digitally signed and whose source or integrity cannot be validated.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 30 December 2025 at 12:26 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

A public exploit and accompanying technical details are available, showing how attackers can trigger the flaw to remotely extract secrets, credentials, and other sensitive data from an exposed MongoDB server.

The vulnerability was assigned a severity score of 8.7 and has been handled as a “critical fix,” with a patch available for self-hosting instances since December 19.

Exploit leaks secrets

The MongoBleed vulnerability stems from how the MongoDB Server handles network packets processed by the zlib library for lossless data compression.

Researchers at Ox Security explain that the issue is caused by MongoDB returning the amount of allocated memory when processing network messages instead of the length of the decompressed data.

A threat actor could send a malformed message claiming a larger size when decompressed, causing the server to allocate a larger memory buffer and leak to the client in-memory data with sensitive information.

The type of secrets leaked this way could range from credentials, API and/or cloud keys, session tokens, personally identifiable info (PII), internal logs, configurations, paths, and client-related data.

Because the decompression of network messages occurs before the authentication stage, an attacker exploiting MongoBleed does not need valid credentials.

The public exploit, released as a proof-of-concept (PoC) dubbed "MongoBleed" by Elastic security researcher Joe Desimone, is specifically created to leak sensitive memory data.

Security researcher Kevin Beaumont says that the PoC exploit code is valid and that it requires only “an IP address of a MongoDB instance to start ferreting out in memory things such as database passwords (which are plain text), AWS secret keys etc.”

According to the Censys platform for discovering internet-connected devices, as of December 27, there were more than 87,000 potentially vulnerable MongoDB instances exposed on the public internet.

Almost 20,000 MongoDB servers were observed in the United States, followed by China with almost 17,000, and Germany with a little under 8,000.

Exploitation and detection

The impact across the cloud environment also appears to be significant, as telemetry data from cloud security platform Wiz showed that 42% of the visible systems “have at least one instance of MongoDB in a version vulnerable to CVE-2025-14847.”

Wiz researchers note that the instances they observed included both internal resources and publicly exposed ones. The company says that it observed MongoBleed (CVE-2025-14847) exploitation in the wild, and recommends organizations prioritize patching.

While unverified, some threat actors are claiming to have used the MongoBleed flaw in a recent of breach of Ubisoft's Ranbow Six Siege online platform. 

Recon InfoSec co-founder Eric Capuano warns that patching is only part of the response to the MongoBleed problem and advises organizations to also check for signs of compromise.

In a blog post yesterday, the researcher explains a detection method that includes looking for “a source IP with hundreds or thousands of connections but zero metadata events.”

However, Capuano warns that the detection is based on the currently available proof-of-concept exploit code and that an attacker could modify it to include fake client metadata or reduce exploitation speed.

Florian Roth - the creator of the THOR APT Scanner and thousands of YARA rules- utilized Capuano’s research to create the MongoBleed Detector - a tool that parses MongoDB logs and identifies potential exploitation of the CVE-2025-14847 vulnerability.

Safe lossless compression tools

MongoDB addressed the MongoBleed vulnerability ten days ago, with a strong recommendation for administrators to upgrade to a safe release (8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30).

The vendor is warning that a large list of MongoDB versions are impacted by MongoBleed (CVE-2025-14847), some legacy versions released as early as late 2017, and some as recent as November 2025:

• MongoDB 8.2.0 through 8.2.3
• MongoDB 8.0.0 through 8.0.16
• MongoDB 7.0.0 through 7.0.26
• MongoDB 6.0.0 through 6.0.26
• MongoDB 5.0.0 through 5.0.31
• MongoDB 4.4.0 through 4.4.29
• All MongoDB Server v4.2 versions
• All MongoDB Server v4.0 versions
• All MongoDB Server v3.6 versions

Customers of MongoDB Atlas, the fully managed, multi-cloud database service, received the patch automatically and don’t need to take any action.

MongoDB says that there is no workaround for the vulnerability. If moving to a new version is not possible, the vendor recommends that customers disable zlib compression on the server and provides instructions on how to do so.

Safe alternatives for lossless data compression include Zstandard (zstd) and Snappy (formerly Zippy), maintained by Meta and Google, respectively.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Monday 29 December 2025 at 12:20 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

On December 20, a threat actor using the name "Lovely" leaked the database on a hacking forum, offering access for approximately $2.30 in the site's credits system. In the post, Lovely accused Condé Nast of ignoring vulnerability reports and claimed the company failed to take security seriously.

"Condé Nast does not care about the security of their users' data. It took us an entire month to convince them to fix the vulnerabilities on their websites," reads a post on a hacking forum.

"We will leak more of their users' data (40+ million) over the next few weeks. Enjoy!"

The same person later leaked the data on other hacking forums, where users also had to spend forum credits to reveal the password to the archive containing the data.

Lovely also shared record counts for other Condé Nast properties they claim to have stolen data, including, based on the abbreviations used, The New Yorker, Epicurious, SELF, Vogue, Allure, Vanity Fair, Glamour, Men's Journal, Architectural Digest, Golf Digest, Teen Vogue, Style.com, and Condé Nast Traveler.

While Condé Nast has not yet confirmed it was breached, BleepingComputer analyzed the leaked database and was able to validate twenty of the records as legitimate WIRED subscribers.

The dataset contains 2,366,576 total records and 2,366,574 unique email addresses, with timestamps ranging from April 26, 1996, to September 9, 2025.

Each record includes a subscriber's unique internal ID, an email address, and optional data, such as first and last name, phone number, physical address, gender, and birthday. Many of these fields are empty.

The records also include account creation and update timestamps, last session information, and WIRED-specific fields such as a display username and WIRED account creation and update dates. 

While many of the records fields are empty, some include additional personal details.

Approximately 284,196 records (12.01%) include both a first and last name, 194,361 records (8.21%) include a physical address, 67,223 records (2.84%) include a birthday, and 32,438 records (1.37%) include a phone number.

A much smaller subset includes more complete profiles, with 1,529 records (0.06%) containing a full name, birthday, phone number, address, and gender.

Alon Gal, co-founder and CTO of Hudson Rock, also verified the records using infostealer logs containing previously compromised credentials.

"Our researchers identified legitimate subscriber credentials for wired.com within global infostealer infection logs," reads an article on Infostealers.com.

"By matching these compromised credentials against the records in the leaked database, we have definitively confirmed the authenticity of the dataset without any interaction with the victim organization."

The leaked database has since been added to Have I Been Pwned, allowing users to check whether their email addresses were exposed by the data leak.

Claiming to be a security researcher

Before the leak, Lovely reportedly claimed to be a security researcher who contacted Dissent Doe of DataBreaches.net for help in responsibly disclosing vulnerabilities to Condé Nast.

According to DataBreaches.net, the individual contacted them in late November seeking help reaching Condé Nast's security team regarding vulnerabilities that allegedly allowed attackers to view and modify user account information.

The person initially said they had downloaded only a small number of records to provide proof to Condé Nast, including records verified as belonging to DataBreaches.net and a WIRED employee.

However, after receiving no response from Condé Nast, the person later told Dissent Doe they had downloaded the entire database and were threatening to leak it.

Dissent Doe concluded that she had been misled and described the incident as a case where they had been played by a threat actor who downloaded and leaked stolen data rather than pursuing responsible disclosure. 

"As for 'Lovely,' they played me. Condé Nast should never pay them a dime, and no one else should ever, as their word clearly cannot be trusted," admitted DataBreaches.net.

BleepingComputer contacted Condé Nast with questions about the incident, but has not received a response at this time.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Monday 29 December 2025 at 4:55 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

Windows Central's own Editor-in-Chief Daniel Rubino recently proposed that people were far more enthusiastic about Big Tech companies a decade ago, with fans championing specific products (think iPhone vs Windows Phone, iPad vs Microsoft Surface), but now those days are gone, and those sentiments are seriously subdued.

He posited that the reason for this is that people are experiencing innovation fatigue and are tired of feeling taken advantage of, perfectly encapsulated in this sentence: "We’re no longer customers, just consumers, and most tech companies only aim to extract as much profit from us as possible."

Generally, I agree. It does feel like many Big Tech companies (Microsoft, Google, Apple, Amazon, Meta, etc.) are more focused on slinging PR spins at customers, telling us why we should be excited about a lackluster next-gen device or new service, when really, they're solely in pursuit of a yearly, and sometimes unnecessary, refresh cycle.

But, there's also another nuanced aspect that keeps people from loving specific brands and devices these days — our favorite hardware used to feel like it was an extension of ourselves, now it feels like a separate entity that doesn't truly belong to us. Sometimes it feels like certain devices are even working against us.

Hardware is no longer an extension of ourselves — it's a separate entity

Continuing Daniel's discussion, it's not that people are no longer interested in hardware from the most influential companies these days; after all, it's almost impossible to exist in this world without tech. No, we'll always need and want devices, but we just don't love them anymore, and for good reason.

Back in the day, if I bought a laptop, phone, or other device, I'd customize it until it functioned just the way I liked it. Whatever I bought served as a tool that did exactly what I wanted (within a device's capabilities) and only when I instructed it. The software largely stayed the same aside from manual changes that I instigated. To an extent, those devices thoroughly represented me and my desires, and so it was easy to love them.

But that stability and permanence are gone.

Many modern devices no longer feel like they really belong to us. Sure, I might own the hardware, but its soul is on loan and likely to change, thanks to the internet. That connection means that many of our devices are constantly getting updates that can drastically alter our user experience and how we feel about our devices.

Going back to the relationship angle, "you've changed" is perhaps one of the most common cliches people use for distancing themselves from their partners, but the same is true for our tech relationships.

Typically, when someone pursues a serious relationship or buys something, they do so because they are interested in how something behaves and interacts with them at that time. If, down the line, the object of our focus changes too drastically from what drew us to it in the first place, our feelings toward it can change from amicable to disinterested or even resentful.

There's the very real possibility that a feature you aren't comfortable with could get added to your device in an update, like the controversial Windows Recall feature that some saw as a security risk. Similarly, your phone might get an update that forces drastic interface changes that you do not like and cannot undo.

It's also possible that your favorite features could be removed from your device or that an update could ruin your setup, like how several people reported that their SSDs had been bricked following Microsoft's release of Windows 11 version 24H2 security update KB5063878 in August 2025.

Of course, we can go into settings and make changes or find homebrew fixes, customizing many of these devices after each update, so it works the way we want it to, or so it basically goes back to previous features. The problem is, this turns our tech relationship into a battle rather than a partnership, and many average consumers don't want to deal with that hassle. It's easier to check out than to care.

Then there's the possibility that the device you've loved for so long suddenly won't be supported anymore, as happened with Windows 10 end of life. You might find yourself forced to consider security workarounds or potentially even have to buy new hardware.

Outside of updates and unexpected changes, our devices also don't have our interests at heart, but rather the interests of the companies that benefit from our tech use. Like a capitalist Big Brother, they track our habits in order to thrust ads, social media stories, and products in our faces without us asking for these things. For example, Windows 11 wants to run ads in the Start menu.

Like with any bad relationship, sometimes we're told that a company is forcing a change on our tech for our best interest, when really, it's for the device's best interest, funneling us toward specific products, limiting our ability to use the software we want.

Perhaps the worst offense is when someone excitedly buys fun gadgets, only for these devices to constantly ping you like a socially-inept Momtrepeneur friend that cannot get the hint that you aren't interested in their offerings. They just want you to spend, spend, spend — I'm looking at you, Amazon.

Amazon Fire TVs push ads on the screen when you pause your shows, Amazon Prime Video forces ads unless you pay for the premium option, Alexa won't stop talking about her new voice when all you wanted was for your Echo Dot to tell you the day's weather. It's a frustrating experience that cheapens these products and fosters ill-will rather than loyalty or even satisfaction. Over time, people can come to resent their devices.

At the end of the day, modern tech can come to feel more like an invasive entity, a third-party hovering in our homes waiting to make unwanted changes to our routines. Worst of all, instead of deftly wielding a device to do what we want, it can feel like the device is trying to wield us. There's no reason to be loyal or even excited about a device that makes you feel like that.

According to a December 2025 study conducted by Digitain on risks to user privacy, ChatGPT Atlas is the worst browser in this area. This shouldn't be particularly surprising considering that the browser created by OpenAI is very new, but it is concerning that it apparently isn't built with privacy in mind at all. ChatGPT Atlas failed all state partitioning tests, which means that it does not actively block websites from tracking users across different sessions. The browser ranked quite low across all three evaluated metrics (privacy and anti-fingerprinting, tracker and data blocking, connection and navigation security), giving it an overall privacy risk score of 99 out of 100.

The world's most popular browser, Google Chrome, came in as the second worst browser. However, it was only slightly better than ChatGPT Atlas in the three aforementioned areas, netting it a score of 76 out of 100. Vivaldi scored roughly the same at 75, while Edge was next at 63, which is also quite high risk. Here is the list of the top 10 worst browsers when it comes to user security, along with their risk scores (the lower, the better in terms of privacy):

1. ChatGPT Atlas - 99
2. Google Chrome -76
3. Vivaldi - 75
4. Microsoft Edge - 63
5. Opera - 58
6. Ungoogled - 55
7. Mozilla Firefox - 50
8. Apple Safari - 49
9. DuckDuckGo - 44
10. Tor - 40

Paruyr Harutyunyan, Group head of Digital Marketing at Digitain, further noted that:

"New AI-powered browsers like ChatGPT Atlas and Comet from Perplexity are getting a lot of attention right now, and millions of people are trying them out because of the AI hype. These browsers come with interesting features that traditional ones don't have, but users need to stop and check how secure they actually are. AI works by collecting and learning from data, which means these tools might be gathering more of your personal information than you realize. Just because something uses AI doesn't automatically make it safe or private."

Interestingly, Brave and Mullvad Browser were touted as the browsers with the most focus on user privacy. Although the former is a fairly known option for many, the latter is a result of a collaboration between Mullvad VPN and The Tor Project. It is marketed as an open-source privacy-focused browser that minimizes tracking.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Monday 22 December 2025 at 5:30 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

Microsoft is killing off an obsolete and vulnerable encryption cipher that Windows has supported by default for 26 years. This follows more than a decade of devastating hacks that exploited it and recent blistering criticism from a prominent US senator.

When the software maker rolled out Active Directory in 2000, it made RC4 a sole means of securing the Windows component, which administrators use to configure and provision fellow administrator and user accounts inside large organizations. RC4, short for Rivist Cipher 4, is a nod to mathematician and cryptographer Ron Rivest of RSA Security, who developed the stream cipher in 1987. Within days of the trade-secret-protected algorithm being leaked in 1994, a researcher demonstrated a cryptographic attack that significantly weakened the security it had been believed to provide. Despite the known susceptibility, RC4 remained a staple in encryption protocols, including SSL and its successor TLS, until about a decade ago.

Out With the Old

One of the most visible holdouts in supporting RC4 has been Microsoft. Eventually, Microsoft upgraded Active Directory to support the much more secure AES encryption standard. But by default, Windows servers have continued to respond to RC4-based authentication requests and return an RC4-based response. The RC4 fallback has been a favorite weakness hackers have exploited to compromise enterprise networks. Use of RC4 played a key role in last year’s breach of health giant Ascension. The breach caused life-threatening disruptions at 140 hospitals and put the medical records of 5.6 million patients into the hands of the attackers. US senator Ron Wyden, an Oregon Democrat, in September called on the Federal Trade Commission to investigate Microsoft for “gross cybersecurity negligence,” citing the continued default support for RC4.

“By mid-2026, we will be updating domain controller defaults for the Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later to only allow AES-SHA1 encryption,” Matthew Palko, a Microsoft principal program manager, wrote. “RC4 will be disabled by default and only used if a domain administrator explicitly configures an account or the KDC to use it.”

AES-SHA1, an algorithm widely believed to be secure, has been available in all supported Windows versions since the rollout of Windows Server 2008. Since then, Windows clients by default authenticated using the much more secure standard, and servers responded using the same. But, Windows servers, also by default, respond to RC4-based authentication requests and returned an RC4-based response, leaving networks open to Kerberoasting.

Following next year’s change, RC4 authentication will no longer function unless administrators perform the extra work to allow it. In the meantime, Palko said, it’s crucial that admins identify any systems inside their networks that rely on the cipher. Despite the known vulnerabilities, RC4 remains the sole means of some third-party legacy systems for authenticating to Windows networks. These systems can often go overlooked in networks even though they are required for crucial functions.

To streamline the identification of such systems, Microsoft is making several tools available. One is an update to KDC logs that will track both requests and responses that systems make using RC4 when performing requests through Kerberos. Kerberos is an industry-wide authentication protocol for verifying the identities of users and services over a non-secure network. It’s the sole means for mutual authentication to Active Directory, which hackers attacking Windows networks widely consider a Holy Grail because of the control they gain once it has been compromised.

Microsoft is also introducing new PowerShell scripts to sift through security event logs to more easily pinpoint problematic RC4 usage.

Microsoft said it has steadily worked over the past decade to deprecate RC4, but that the task wasn’t easy.

No Salt, No Iteration? Really?

“The problem though is that it’s hard to kill off a cryptographic algorithm that is present in every OS that’s shipped for the last 25 years and was the default algorithm for so long, Steve Syfuhs, who runs Microsoft’s Windows Authentication team, wrote on Bluesky. “See,” he continued, “the problem is not that the algorithm exists. The problem is how the algorithm is chosen, and the rules governing that spanned 20 years of code changes.”

Over those two decades, developers discovered a raft of critical RC4 vulnerabilities that required “surgical” fixes. Microsoft considered deprecating RC4 by this year, but ultimately “punted” after discovering vulnerabilities that required still more fixes. During that time Microsoft introduced some “minor improvements” that favored the use of AES, and as a result, usage dropped by “orders of magnitude.”

“Within a year we had observed RC4 usage drop to basically nil. This is not a bad thing and in fact gave us a lot more flexibility to kill it outright because we knew it genuinely wasn’t going to break folks, because folks weren’t using it.”

Syfuhs went on to document additional challenges Microsoft encountered and the approach it took to solving them.

While RC4 has known cipher weaknesses that make it insecure, Kerberoasting exploits a separate weakness. As implemented in Active Directory authentication, it uses no cryptographic salt and a single round of the MD4 hashing function. Salt is a technique that adds random input to each password before it is hashed. That requires hackers to invest considerable time and resources into cracking the hash. MD4, meanwhile, is a fast algorithm that requires modest resources. Microsoft’s implementation of AES-SHA1 is much slower and iterates the hash to further slow down cracking efforts. Taken together, AES-Sha1-hashed passwords require about 1,000 times the time and resources to be cracked.

Windows admins would do well to audit their networks for any usage of RC4. Given its wide adoption and continued use industry-wide, it may still be active, much to the surprise and chagrin of those charged with defending against hackers.

This story originally appeared on Ars Technica.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Thursday 18 December 2025 at 4:30 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

Browser extensions with more than 8 million installs are harvesting complete and extended conversations from users’ AI conversations and selling them for marketing purposes, according to data collected from the Google and Microsoft pages hosting them.

Security firm Koi discovered the eight extensions, which as of late Tuesday night remained available in both Google’s and Microsoft’s extension stores. Seven of them carry “Featured” badges, which are endorsements meant to signal that the companies have determined the extensions meet their quality standards. The free extensions provide functions such as VPN routing to safeguard online privacy and ad blocking for ad-free browsing. All provide assurances that user data remains anonymous and isn’t shared for purposes other than their described use.

A gold mine for marketers and data brokers

An examination of the extensions’ underlying code tells a much more complicated story. Each contains eight of what Koi calls “executor” scripts, with each being unique for ChatGPT, Claude, Gemini, and five other leading AI chat platforms. The scripts are injected into webpages anytime the user visits one of these platforms. From there, the scripts override browsers’ built-in functions for making network requests and receiving responses.

 

 

As a result, all interaction between the browser and the AI bots is routed not by the legitimate browser APIs—in this case fetch() and HttpRequest—but through the executor script. The extensions eventually compress the data and send it to endpoints belonging to the extension maker.

“By overriding the [browser APIs], the extension inserts itself into that flow and captures a copy of everything before the page even displays it,” Koi CTO Idan Dardikman wrote in an email. “The consequence: The extension sees your complete conversation in raw form—your prompts, the AI’s responses, timestamps, everything—and sends a copy to their servers.”

Besides ChatGPT, Claude, and Gemini, the extensions harvest all conversations from Copilot, Perplexity, DeepSeek, Grok, and Meta AI. Koi said the full description of the data captured includes:

• Every prompt a user sends to the AI
• Every response received
• Conversation identifiers and timestamps
• Session metadata
• The specific AI platform and model used

The executor script runs independently from the VPN networking, ad blocking, or other core functionality. That means that even when a user toggles off VPN networking, AI protection, ad blocking, or other functions, the conversation collection continues. The only way to stop the harvesting is to disable the extension in the browser settings or to uninstall it.

Koi said it first discovered the conversation harvesting in Urban VPN Proxy, a VPN routing extension that lists “AI protection” as one of its benefits. The data collection began in early July with the release of version 5.5.0.

“Anyone who used ChatGPT, Claude, Gemini, or the other targeted platforms while Urban VPN was installed after July 9, 2025 should assume those conversations are now on Urban VPN’s servers and have been shared with third parties,” the company said. “Medical questions, financial details, proprietary code, personal dilemmas—all of it, sold for ‘marketing analytics purposes.'”

Following that discovery, the security firm uncovered seven additional extensions with identical AI harvesting functionality. Four of the extensions are available in the Chrome Web Store. The other four are on the Edge add-ons page. Collectively, they have been installed more than 8 million times.

They are:

Chrome Store

• Urban VPN Proxy: 6 million users
• 1ClickVPN Proxy: 600,000 users
• Urban Browser Guard: 40,000 users
• Urban Ad Blocker: 10,000 users

Edge Add-ons:

• Urban VPN Proxy: 1,32 million users
• 1ClickVPN Proxy: 36,459 users
• Urban Browser Guard – 12,624 users
• Urban Ad Blocker – 6,476 users

Read the fine print

The extensions come with conflicting messages about how they handle bot conversations, which often contain deeply personal information about users’ physical and mental health, finances, personal relationships, and other sensitive information that could be a gold mine for marketers and data brokers. The Urban VPN Proxy in the Chrome Web Store, for instance, lists “AI protection” as a benefit. It goes on to say:

Our VPN provides added security features to help shield your browsing experience from phishing attempts, malware, intrusive ads and AI protection which checks prompts for personal data (like an email or phone number), checks AI chat responses for suspicious or unsafe links and displays a warning before click or submit your prompt.

On the privacy policy for the extension, Google says the developer has declared that user data isn’t sold to third parties outside of approved use cases and won’t be “used or transferred for purposes that are unrelated to the item’s core functionality.” The page goes on to list the personal data handled as location, web history, and website content.

Koi said that a consent prompt that the extensions display during setup notifies the user that they process “ChatAI communication,” “pages you visit,” and “security signals.” The notification goes on to say that the data is processed to “provide these protections,” which presumably means the core functions such as VPN routing or ad blocking.

The only explicit mention of AI conversations being harvested is in legalese buried in the privacy policy, such as this 6,000-word one for Urban VPN Proxy, posted on each extension website. There, it says that the extension will “collect the prompts and outputs queried by the End-User or generated by the AI chat provider, as applicable.” It goes on to say that the extension developer will “disclose the AI prompts for marketing analytics purposes.”

All eight extensions and the privacy policies covering them are developed and written by Urban Cyber Security, a company that says its apps and extensions are used by 100 million people. The policies say the extensions share “Web Browsing Data” with “our affiliated company,” which is listed as both BiScience and B.I Science. The affiliated company “uses this raw data and creates insights which are commercially used and shared with Business Partners.” The policy goes on to refer users to the BiScience privacy policy. BiScience, whose privacy practices have been scrutinized before, says its services “transform enormous volumes of digital signals into clear, actionable market intelligence.”

It’s hard to fathom how both Google and Microsoft would allow such extensions onto their platforms at all, let alone go out of their way to endorse seven of them with a featured badge. Neither company returned emails asking how they decide which extensions qualify for such a distinction, if they have plans to stop making them available to Chrome and Edge users, or why the privacy policies are so unclear to normal users.

Messages sent to both individual extension developers and Urban Cyber Security went unanswered. BiScience provides no email. A call to the company’s New York office was answered by someone who said they were in Israel and to call back during normal business hours in that country.

Koi’s discovery is the latest cautionary tale illustrating the growing perils of being online. It’s questionable in the first place whether people should trust their most intimate secrets and sensitive business information to AI chatbots, which come with no HIPAA assurances, attorney-client privilege, or expectations of privacy. Yet increasingly, that’s exactly what AI companies are encouraging, and users, it seems, are more than willing to comply.

Compounding the risk is the rush to install free apps and extensions—particularly those from little-known developers and providing at best minimal benefits—on devices storing and transmitting these chats. Taken together, they’re a recipe for disaster, and that’s exactly what we have here.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Thursday 18 December 2025 at 4:28 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

In a highly technical report on the Project Zero issue tracker, it can be seen that security researcher James Forshaw discovered an elevation of privilege (EoP) bug in Windows 11's Insider Preview releases. This issue was present in the Administrator Protection feature that is an upcoming Windows 11 capability that enables just-in-time elevation privileges only when needed through Windows Hello and an isolated admin token.

However, during their investigation, Forshaw discovered that Administrator Protection has a flaw that allows a process with low privileges to hijack a UI access process which can further be used to gain administrator privileges. The researcher reported this vulnerability privately to Microsoft on August 8, which meant that the company had until November 6 to fix it. After receiving an extension for this deadline, the Redmond tech giant was able to deliver a patch on November 12, also thanking Forshaw for his contribution in CVE-2025-60718.

Although the matter was considered closed, Forshaw recently reopened the issue, stating that the patch is incomplete and it does not mitigate the flaw fully. As a result, the security bug has been made public, following radio silence from Microsoft.

While the flaw is now public knowledge, it is worth noting that it's not something you should be sitting in constant fear of. It is a local privilege escalation attack, which means that an attacker needs to have physical access to the PC in order to run arbitrary code and exploit it. Furthermore, Administrator Protection is only available on select Windows 11 Insider builds and needs to enabled manually anyway for it to take effect. As such, the pool of potentially affected customers is quite small at this point. That said, it is important that Microsoft further investigates Forshaw's findings and patches them ahead of the eventual general availability of Administrator Protection in Windows 11.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 17 December 2025 at 5:21 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

The lawsuits target Sony, Samsung, LG, and China-based companies Hisense and TCL Technology Group Corporation. Attorney General Ken Paxton's office also highlighted "serious concerns" about the two Chinese companies being required to follow China's National Security Law, which could give the Chinese government access to U.S. consumers' data.

According to complaints filed this Monday in Texas state courts, the TV makers can allegedly use ACR technology to capture screenshots of television displays every 500 milliseconds, monitor the users' viewing activity in real time, and send this information back to the companies' servers without the users' knowledge or consent.

Paxton's office described ACR technology as "an uninvited, invisible digital invader" designed to unlawfully collect personal data from smart televisions, alleging that the harvested information then gets sold to the highest bidder for ad targeting.

"Companies, especially those connected to the Chinese Communist Party, have no business illegally recording Americans' devices inside their own homes," Paxton said.

"This conduct is invasive, deceptive, and unlawful. The fundamental right to privacy will be protected in Texas because owning a television does not mean surrendering your personal information to Big Tech or foreign adversaries."

Spokespersons for Sony, Samsung, Hisense, and TCL were not immediately available for comment when contacted by BleepingComputer earlier today.

An LG spokesperson told BleepingComputer that, "As a matter of policy, LG Electronics USA does not generally comment on pending legal matters such as this."

Almost a decade ago, in February 2017, Walmart-owned smart TV manufacturer Vizio paid $2.2 million to settle charges brought by the U.S. Federal Trade Commission and the New Jersey Attorney General that it collected viewing data from 11 million consumers without their knowledge or consent using a "Smart Interactivity feature.

The two agencies said that since February 2014, Vizio and an affiliated company have manufactured and sold smart TVs (and retrofitted older models by installing tracking software remotely) that captured detailed information on what is being watched, including content from cable, streaming services, and DVDs.

According to the complaint, Vizio also attached demographic information (such as sex, age, income, and education) to the collected data and sold it to third parties for targeted advertising purposes.

In August 2022, the FTC published a consumer alert on securing Internet-connected devices, advising Americans to adjust the tracking settings on their smart TVs to protect their privacy.

Update December 16, 12:43 EST: Added LG statement.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 17 December 2025 at 5:20 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

Over the past couple of months, people have reported [1, 2] receiving emails from PayPal stating, "Your automatic payment is no longer active." 

The email includes a customer service URL field that was somehow modified to include a message stating that you purchased an expensive item, such as a Sony device, MacBook, or iPhone.

This text includes a domain name, a message stating that a payment of $1,300 to $1,600 was processed (the amount varies by email), and a phone number to cancel or dispute the payment. The text is filled with Unicode characters that make portions appear bold or in an unusual font, a tactic used to try and evade spam filters and keyword detection.

"http://[domain] [domain] A payment of $1346.99 has been successfully processed. For cancel and inquiries, Contact PayPal support at +1-805-500-6377," reads the customer service URL in the scam email.

While this is clearly a scam, the emails are being sent directly by PayPal from the address "service@paypal.com," leading people to worry their accounts may have been hacked.

Furthermore, as the emails are legitimate PayPal emails, they are bypassing security and spam filters. In the next section, we will explain how scammers send these emails.

The goal of these emails is to trick recipients into thinking their account purchased an expensive device and scare them into calling the scammer's "PayPal support" phone number.

Emails like these have historically been used to convince recipients to call a number to conduct bank fraud or trick them into installing malware on their computers.

Therefore, if you receive a legitimate email from PayPal stating your automatic payment is no longer active, and it contains a fake purchase confirmation, ignore the email and do not call the number.

If you are concerned that your PayPal account was compromised, log in to your account and confirm that there was no charge.

How the PayPal scam works

BleepingComputer was sent a copy of the email from someone who received it and found it strange that the scam originated from the legitimate "service@paypal.com" email address.

Furthermore, the email headers indicate that the emails are legitimate, pass DKIM and SPF email security checks, and originate directly from PayPal's "mx15.slc.paypal.com" mail server, as shown below.

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paypal.com header.s=pp-dkim1 header.b="AvY/E1H+";
       spf=pass (google.com: domain of service@paypal.com designates 173.0.84.4 as permitted sender) smtp.mailfrom=service@paypal.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
Received: from mx15.slc.paypal.com (mx15.slc.paypal.com. [173.0.84.4])
        by mx.google.com with ESMTPS id a92af1059eb24-11dcb045a3csi5930706c88.202.2025.11.28.09.14.49
        for 
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 28 Nov 2025 09:14:49 -0800 (PST)

After testing various PayPal billing features, BleepingComputer was able to replicate the same email template by using PayPal's "Subscriptions" feature and pausing a subscriber.

PayPal subscriptions are a billing feature that lets merchants create subscription checkout options for people to subscribe to a service for a specified amount. 

When a merchant pauses a subscriber's subscription, PayPal will automatically email the subscriber to notify them that their automatic payment is no longer active.

However, when BleepingComputer attempted to replicate the scam by adding text other than a URL to the Customer Service URL, PayPal would reject the change as only a URL is allowed.

Therefore, it appears the scammers are either exploiting a flaw in PayPal's handling of subscription metadata or using a method, such as an API or legacy platform not available in all regions, that allows invalid text to be stored in the Customer service URL field.

Now that we know how they generate the email from PayPal, it's still unclear how it's being sent to people who didn't sign up for the PayPal subscription.

The mail headers show that PayPal is actually sending the email to the address "receipt3@bbcpaglomoonlight.studio," which we believe is the email address associated with a fake subscriber created by the scammer.

This account is likely a Google Workspace mailing list, which automatically forwards any email it receives to all other group members. In this case, the members are the people the scammer is targeting.

This forwarding can cause all subsequent SPF and DMARC checks to fail, since the email was forwarded by a server that was not the original sender.

When BleepingComputer contacted PayPal to ask if this issue was fixed, they declined to comment and shared the following statement instead.

"PayPal does not tolerate fraudulent activity and we work hard to protect our customers from consistently evolving scam tactics," PayPal told BleepingComputer.

"We are aware of this phishing scam and encourage people to always be vigilant online and mindful of unexpected messages. If customers suspect they are a target of a scam, we recommend they contact Customer Support directly through the PayPal app or our Contact page for assistance."

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Monday 15 December 2025 at 3:22 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

Smart TVs can feel like a dumb choice if you’re looking for privacy, reliability, and simplicity.

Today’s TVs and streaming sticks are usually loaded up with advertisements and user tracking, making offline TVs seem very attractive. But ever since smart TV operating systems began making money, “dumb” TVs have been hard to find.

In response, we created this non-smart TV guide that includes much more than dumb TVs. Since non-smart TVs are so rare, this guide also breaks down additional ways to watch TV and movies online and locally without dealing with smart TVs’ evolution toward software-centric features and snooping. We’ll discuss a range of options suitable for various budgets, different experience levels, and different rooms in your home.

Our best recommendation

This is a dumb TV guide, but first, let’s briefly highlight the best recommendation for most people: Take your TV offline and plug in an Apple TV box.

Your best option.

Credit: Jeff Dunn

An Apple TV lets you replace smart TV software with Apple’s cleaner tvOS, and it’s more intuitive than using most smart TVs and other streaming devices. Apple’s tvOS usually runs faster and more reliably, and it isn’t riddled with distracting ads or recommendations. And there’s virtually no learning curve for family members or visitors, something that can’t always be said for DIY alternatives.

Critically, Apple TV boxes are also an easy recommendation on the privacy front. The setup process makes it simple for anyone to ensure that the device is using relatively minimal user tracking. You’re likely to use an Apple TV box with the Apple TV app or with an Apple account, which means sending some data to Apple. But Apple has a better reputation for keeping user information in-house, and Apple TV boxes don’t have automatic content recognition (ACR).

For more information, read my previous article on why Apple TVs are privacy advocates’ go-to streaming device.

Differing from other smart TV alternatives in this guide (such as a laptop), you don’t have to worry about various streaming services’ requirements for streaming in 4K or HDR with an Apple TV. But you still have to make sure your display and HDMI cable are HDCP 2.2-compliant and that you’re using HDMI 2.0 or better if you want to watch 4K or HDR content. You could even connect network-attached storage (NAS) to your Apple TV box so you can stream files from the storage device.

Plus, using a smart TV offline means you’ll have access to the latest and greatest display technologies, which is generally not the case for dumb TVs.

Things to keep in mind

One common concern about using smart TVs offline is the fear that the TV will repeatedly nag you to connect to the Internet. I’ve seen some reports of this happening over the years, but generally speaking, this doesn’t seem to be expected behavior. If you can’t find a way to disable TV notifications, try contacting support.

You may want your offline TV to keep LAN access so you can still use some smart TV features, like phone mirroring or streaming from a NAS. In this case, you can use your router (if supported) to block your TV’s IP address from connecting to the Internet.

And Google TV users should remember to set their TV to “basic TV” mode, which lets you use the TV without connecting to the Internet.

Dumb TVs are endangered

Buying a TV that doesn’t connect to the Internet is an obvious solution to avoiding smart TV tracking and ads, but that’s much easier said than done.

Smart TV OSes help TV-makers stay afloat in an industry with thin margins on hardware. Not only do they provide ad space, but they also give OS operators and their partners information on how people use their TVs—data that is extremely valuable to advertisers. Additionally, mainstream acceptance of the Internet of Things has led many people to expect their TVs to have integrated Wi-Fi. These factors have all made finding a dumb TV difficult, especially in the US.

Dumb TVs sold today have serious image and sound quality tradeoffs, simply because companies don’t make dumb versions of their high-end models. On the image side, you can expect lower resolutions, sizes, and brightness levels and poorer viewing angles. You also won’t find premium panel technologies like OLED. If you want premium image quality or sound, you’re better off using a smart TV offline. Dumb TVs also usually have shorter (one-year) warranties.

Any display or system you end up using needs HDCP 2.2 compliance to play 4K or HDR content via a streaming service or any other DRM-protected 4K or HDR media, like a Blu-ray disc.

Best ways to find a dumb TV

Below are the brands I’ve identified as most likely to have dumb TVs available for purchase online as of this writing.

Emerson

I was able to find the greatest number of non-smart TVs from Emerson. Emerson is a Parsippany, New Jersey, electronics company that was founded in 1948.

As of this writing, Emerson’s dumb TV options range from 7-inch portable models to 50-inch 4K TVs. Its TVs are relatively easy to get since they’re sold directly and through various online retailers, including Amazon, Home Depot, Best Buy, and, for some reason, Shein.

Westinghouse

Another company still pushing non-smart TVs is Westinghouse, a Pittsburgh-headquartered company founded in 1886. In addition to other types of electronics and home goods, Westinghouse also has an industrial business that includes nuclear fuel.

Westinghouse’s dumb TVs max out at 32 inches and 720p resolution, but some of them also have a built-in DVD player. You can find Westinghouse’s dumb TVs on Amazon. However, Westinghouse seems to have the most dubious reputation of these brands based on online chatter.

Sceptre

Sceptre, a Walmart brand, still has a handful of dumb TVs available. I’ve noticed inventory dwindle in recent months, but Walmart usually has at least one Sceptre dumb TV available.

Amazon search

Outside the above brands, your best bet for finding a non-smart TV is Amazon. I’ve had success searching for “dumb TVs” and have found additional results by searching for a “non-smart TV.”

Projectors

For now, it’s not hard to find a projector that doesn’t connect to the Internet or track user activity. And there are options that are HDCP 2.2-compliant so you can project in 4K and HDR.

Things to keep in mind

Projectors aren’t for everyone. They still require dim rooms and a decent amount of physical space to produce the best image. (To see how much space you need for a projector, I recommend RTINGS’ handy throw calculator.)

The smart-tech bug has come for projectors, too, though, and we’ve started seeing more smart projectors released over the past two years.

Computer monitors

If you want a dumb display for watching TV, it’s cheaper to buy a smart TV and keep it offline than it is to get a similarly specced computer monitor. But there are benefits to using a monitor instead of a dumb TV or an offline smart TV. (Of course, this logic doesn’t carry over to “smart monitors.”)

When it comes to smaller screens, you’ll have more options if you look at monitors instead of TVs. This is especially true if you want premium features, like high refresh rates or quality speakers, which are hard to find among TVs that are under 42 inches.

Monitor vendors are typically more forthcoming about product specs than TV makers are. It’s hard to find manufacturer claims about a TV’s color gamut, color accuracy, or typical brightness, but a computer monitor’s product page usually has all this information. It’s also easier to find a monitor with professional-grade color accuracy than a TV with the same, and some monitors have integrated calibration tools.

Things to keep in mind

Newer and advanced types of display technologies are rarer in monitors. This includes OLED, Mini LED, and Micro RGB. And if you buy a new monitor, you’ll probably need to supply your own speakers.

A computer monitor isn’t a TV, so there’s no TV tuner or way to use an antenna. If you really wanted to, you could get a cable box to work with a monitor with the right ports or adapters. People are streaming more than they’re watching broadcast and cable channels, though, so you may not mind the lack of traditional TV capabilities.

Digital signage

Digital signage displays are purpose-built for displaying corporate messages, often for all or most hours of the day. They typically have features that people don’t need for TV watching, such as content management software. And due to their durability and warranty needs, digital signage displays are often more expensive than similarly specced computer monitors.

Again, it’s important to ensure that the digital signage is HDCP 2.2-compliant if you plan to watch 4K or HDR.

Things to keep in mind

But if you happen to come across a digital signage display that’s the right size and the right price, is there any real reason why you shouldn’t use it as a TV? I asked Panasonic, which makes digital signage. A spokesperson from Panasonic Connect North America told me that digital signage displays are made to be on for 16 to 24 hours per day and with high brightness levels to accommodate “retail and public environments.”

The spokesperson added:

Their rugged construction and heat management systems make them ideal for demanding commercial use, but these same features can result in higher energy consumption, louder operation, and limited compatibility with home entertainment systems.

Panasonic’s representative also pointed out that real TVs offer consumer-friendly features for watching TV, like “home-optimized picture tuning, simplified audio integration, and user-friendly menu interfaces.”

If you’re fine with these caveats, though, and digital signage is your easiest option, there isn’t anything stopping you from using one to avoid smart TVs.

What to connect to your dumb TV

After you’ve settled on an offline display, you’ll need something to give it life. Below is a breakdown of the best things to plug into your dumb TV (or dumb display) so you can watch TV without your TV watching you.

Things to keep in mind

If you’re considering using an older device for TV, like a used laptop, make sure it’s HDCP 2.2-compliant if you want to watch 4K or HDR.

And although old systems and displays and single-board computers can make great dumb TV alternatives, remember that these devices need HDMI 2.0 or DisplayPort 1.2 or newer to support 4K at 60 Hz.

What to connect: a Phone

Before we get into more complex options for powering your dumb TV, let’s start with devices you may already own.

It’s possible to connect your phone to a dumb display, but doing so is harder than connecting a PC. You’d need an adapter, such as a USB-C (or Lightning) Digital AV Adapter.

You can use a Bluetooth mouse and keyboard to control the phone from afar. By activating Assistive Touch, I’ve even been able to use my iPhone with a mouse that claims not to support iOS. With an extra-long cable, you could potentially control the phone from your lap. That’s not the cleanest setup, though, and it would look odd in a family room.

Things to keep in mind

If your phone is outputting to your display, you can’t use it to check your email, read articles, or doomscroll while you watch TV. You can fix this by using a secondary phone as your streaming device.

If you’re using a phone to watch a streaming service, there’s a good chance you won’t be watching in 4K, even if your streaming subscription supports it. Netflix, for example, limits resolution to 1080p or less (depending on the model) for iPhones. HDR is supported across iPhone models but not with Android devices.

Screen mirroring doesn’t always work well with streaming services and phones. Netflix, for instance, doesn’t support AirPlay or Android phone casting. Disney+ supports Chromecast and AirPlay, but AirPlay won’t work if you subscribe to Disney+ with ads (due to “technical reasons“).

What to connect: A laptop

A laptop is an excellent smart TV alternative that’s highly customizable yet simple to deploy.

Most mainstream streaming providers that have dedicated smart TV apps, like Netflix and HBO Max, have PC versions of their apps. And most of those services are also available via web browsers, which work much better on computers than they do on smart TVs. You can also access local files—all via a user interface that you and anyone else watching TV is probably familiar with already.

With a tethered laptop, you can quickly set up a multi-picture view for watching two games or shows simultaneously. Multi-view support on streaming apps is extremely limited right now, with only Peacock and dedicated sports apps like ESPN and MLB TV offering it.

A laptop also lets you use your dumb TV for common PC tasks, like PC gaming or using productivity software (sometimes you just want to see that spreadsheet on a bigger screen).

Things to keep in mind

Streaming in 4K or HDR sometimes comes with specific requirements that are easy to overlook. Some streaming services, for example, won’t stream in 4K on certain web browsers—or with any web browser at all.

Streaming services sometimes have GPU requirements for 4K and HDR streaming. For example, to stream Netflix in 4K or HDR from a browser, you need Microsoft Edge and an Intel 7th Generation Core or AMD Ryzen CPU or better, plus the latest graphics drivers. Disney+ doesn’t allow 4K HDR streaming from any web browsers. Streaming 4K content in a web browser might also require you to acquire the HEVC/H.265 codec, depending on your system.

If 4K or HDR streaming is critical to you, it’s important to check your streaming providers’ 4K and HDR limits; it may be best to rely on a dedicated app.

If you want to be able to comfortably control your computer from a couch, you’ll also need to invest in some hardware or software. You can get away with a basic Bluetooth mouse and keyboard. Air mice are another popular solution.

The WeChip W1 air mouse.

Credit: WeChip/Amazon

If you don’t want extra gadgets taking up space, software like the popular Unified Remote (for iOS and Android) can turn your phone into a remote control for your computer. It also supports Wake-On-LAN.

You may encounter hiccups with streaming availability. Most streaming services available on smart TVs are also accessible via computers, but some aren’t. Many FAST (free ad-supported streaming television) services and channels, such as the Samsung TV Plus service and Filmrise FAST app and channel, are only available via smart TVs. And many streaming services’ apps, including Netflix and Disney+, aren’t available on macOS. If you’re using a very old computer, you might run into compatibility issues with streaming services. Netflix’s PC app, for example, requires Windows 10 or newer, and if you stream Netflix via a browser on a system running an older OS, you’re limited to SD resolution.

And while a laptop and dumb display setup can keep snooping TVs out of your home, there are obviously lots of user tracking and privacy concerns with web browsers, too. You can alleviate some concerns by researching the browsers you want to use for watching TV.

What to connect: A home theater PC

For a more permanent setup, consider a dedicated home theater PC (HTPC). They don’t require beefy, expensive specs and are more flexible than smart TV platforms in terms of software support and customization.

You can pick a system that fits on your living room console table, like a mini PC, or match your home’s aesthetics with a custom build. Raspberry Pis are a diminutive solution that you can dress up in a case and use for various additional tasks, like streaming games from your gaming PC to your TV or creating an AirPlay music server for streaming Spotify and other online music and local music to AirPlay-compatible speakers.

The right accessories can take an HTPC to the next level. You can use an app like TeamViewer or the more TV-remote-like Unified Remote to control your PC with your phone. But investing in dedicated hardware is worthwhile for long-term and multi-person use. Bluetooth keyboards and mice last a long time without needing a charge and can even be combined into one device.

Logitech’s wireless K400 combines a keyboard with a touchpad.

Credit: Logitech

Other popular options for HTPC control are air remotes and the Flirc USB, which plugs into a computer’s USB-A port to enable IR remote control. Speaking of USB ports, you could use them to connect a Blu-ray/DVD player or gaming controller to your HTPC. If you want to add support for live TV, you can still find PCIe over-the-air (OTA) tuner cards.

The Pepper Jobs W10 GYRO Smart Remote is a popular air remote for controlling Windows 10 PCs.

Credit: Pepper Jobs

With the right software, an HTPC can be more useful to a household than a smart TV. You probably already have some apps in mind for your ideal HTPC. That makes this a fitting time to discuss some solid software that you may not have initially considered or that would be helpful to recommend to other cord cutters.

If you have a lot of media files you’d like to easily navigate through on your HTPC, media server software, such as Plex Media Server, is a lifesaver. Plex specifically has an app streamlined for HTPC use. The company has taken some criticism recently due to changes like new remote access rules, higher prices, and a foray into movie rentals. Although Plex is probably the most common and simplest media server software, alternatives like Jellyfin have been gaining popularity lately and are worth checking out.

Whichever media server software you use, consider pairing it with a dedicated NAS. NAS media servers are especially helpful if you want to let people, including those outside of your household, watch stuff from your media library at any time and without having to keep a high-power system turned on 24/7.

You can stream files from your NAS to a dumb TV by setting up a streaming system—such as a Raspberry Pi, Nvidia Shield, or Apple TV box—that connects to the dumb display. That device can then stream video from the NAS by using Network File System or the Infuse app, for example. 

What to connect: An antenna

Nowadays, you can watch traditional, live TV channels over the Internet through over-the-top streaming services like YouTube TV and Sling TV. But don’t underestimate the power of TV antennas, which have improved in recent years and let you watch stuff for free.

This year, Horowitz Research surveyed 2,200 US adults and found that 19 percent of respondents were still using a TV antenna.

If you haven’t checked them out in a while, you might be surprised by how sleek bunny ears look now. Many of the best TV antennas now have flat, square shapes and can be mounted to your wall or windowsill.

Mohu’s Leaf antenna. Bye, bye, bunny ears.

Credit: Mohu

The best part is that companies can’t track what you watch with an antenna. As Nielsen said in a January 2024 blog post:

Big data sources alone can’t provide insight into the viewing behaviors of the millions of viewers who watch TV using a digital antenna.

Antennas have also gotten more versatile. For example, in addition to local stations, an antenna can provide access to dozens of digital subchannels. They’re similar to the free ad-supported television channels gaining popularity with smart TVs users today, in that they often show niche programming or a steady stream of old shows and movies with commercial breaks. You can find a list of channels you’re likely to get with an antenna via this website from the Federal Communications Commission.

TV and movies watched through an antenna are likely to be less compressed than what you get with cable, which means you can get excellent image quality with the right setup.

You can also add DVR capabilities, like record and pause, to live broadcasts through hardware, such as a Tablo OTA DVR device or Plex DVR, a subscription service that lets antenna users add broadcast TV recordings to their Plex media servers.

A diagram of the 4th Gen Tablo’s ports.

Credit: Tablo

Things to keep in mind

You’re unlikely to get 4K or HDR broadcasts with an antenna. ATSC 3.0, also known as Next Gen TV, enables stations to broadcast in 4K HDR but has been rolling out slowly. Legislation recently proposed by the FCC could further slow things.

In order to watch a 4K or HDR broadcast, you’ll also need an ATSC 3.0 tuner or an ATSC 3.0-equipped TV. The latter is rare. LG, for example, dropped support in 2023 over a patent dispute. You can find a list of ATSC 3.0-certified TVs and converters here.

Realistically, an antenna doesn’t have enough channels to provide sufficient entertainment for many modern households. Sixty percent of antenna owners also subscribe to some sort of streaming service, according to Nielsen.

Further, obstructions like tall buildings and power lines could hurt an antenna’s performance. Another challenge is getting support for multiple TVs in your home. If you want OTA TV in multiple rooms, you either need to buy multiple antennas or set up a way to split the signal (such as by using an old coaxial cable and splitter, running a new coaxial cable, or using an OTA DVR, such as a Tablo or SiliconDust’s HDHomeRun).

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Saturday 13 December 2025 at 4:03 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

The first signs of this issue appeared in a Notepad++ community forum topic, where a user reported that Notepad++'s update tool, GUP.exe (WinGUp), spawned an unknown "%Temp%\AutoUpdater.exe" executable that executed commands to collect device information.

According to the reporter, this malicious executable ran various reconnaissance commands and stored the output into a file called 'a.txt.'

cmd /c netstat -ano >> a.txt
cmd /c systeminfo >> a.txt
cmd /c tasklist >> a.txt
cmd /c whoami >> a.txt

The autoupdater.exe malware then used the curl.exe command to exfiltrate the a.txt file to temp[.]sh, a file and text-sharing website previously used in malware campaigns.

As GUP uses the libcurl library rather than the actual 'curl.exe' command and does not collect this type of information, other Notepad++ users speculated that the user had installed an unofficial, malicious version of Notepad++ or that the autoupdate network traffic was hijacked.

To help mitigate potential network hijacks, Notepad++ developer Don Ho released version 8.8.8 on November 18th, so that updates can be downloaded only from GitHub.

As a stronger fix, Notepad 8.8.9 was released on December 9th, which will prevent updates from being installed that are not signed with the developer's code-signing certificate.

"Starting with this release, Notepad++ & WinGUp have been hardened to verify the signature & certificate of downloaded installers during the update process. If verification fails, the update will be aborted." reads the Notepad 8.8.9 security notice.

Hijacked update URLs

Earlier this month, security expert Kevin Beaumont warned that he heard from three orgs that were impacted by security incidents linked to Notepad++.

"I've heard from 3 orgs now who've had security incidents on boxes with Notepad++ installed, where it appears Notepad++ processes have spawned the initial access." explained Beaumont.

"These have resulted in hands on keyboard threat actors."

The researcher says that all of the organizations he spoke to have interests in East Asia and that the activity appeared very targeted, with victims reporting hands-on reconnaissance activity after the incidents.

When Notepad++ checks for updates, it connects to https://notepad-plus-plus.org/update/getDownloadUrl.php?version=<versionnumber>. If there is a newer version, the endpoint will return XML data that provides the download path to the latest version:

<GUP>
<script/>
<NeedToBeUpdated>yes</NeedToBeUpdated>
<Version>8.8.8</Version>
<Location>https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.8.8/npp.8.8.8.Installer.exe</Location>
</GUP>

Beaumont speculated that Notepad++'s autoupdate mechanism might have been hijacked in these incidents to push malicious updates that grant threat actors remote access.

"If you can intercept and change this traffic, you can redirect the download to any location it appears by changing the URL in the <Location> property," explained Beaumont.

"Because traffic to notepad-plus-plus.org is fairly rare, it may be possible to sit inside the ISP chain and redirect to a different download. To do this at any kind of scale requires a lot of resources," continued the researcher.

However, Beaumont noted that it is not uncommon for threat actors to use malvertising to distribute malicious versions of Notepad++ that install malware.

Notepad++'s security notice shares the same uncertainty, stating that they are still investigating how the traffic is being hijacked.

"The investigation is ongoing to determine the exact method of traffic hijacking. Users will be informed once tangible evidence regarding the cause is established," reads the security notice.

The developer states that all Notepad++ users should upgrade to the latest version, 8.8.9. They also noted that since v8.8.7, all official binaries and installers are signed with a valid certificate, and users who previously installed an older custom root certificate should remove it.

BleepingComputer contacted Notepad++'s developer on December 3rd with questions about the incidents but did not receive a reply.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Friday 12 December 2025 at 12:17 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

According to the ICO, the incident stemmed from two interconnected breaches starting in August 2022.

The first breach occurred in August 2022, when a hacker compromised a LastPass employee's laptop and accessed portions of the company's development environment.

While no personal data was taken during this incident, the attacker was able to obtain the company's source code, proprietary technical information, and encrypted company credentials. LastPass initially believed the breach was contained because the decryption keys for these credentials were stored separately in the vaults of four senior employees.

However, the following day, the attacker targeted one of those senior employees by exploiting a known vulnerability in a third-party streaming application, believed to be Plex, which was installed on the employee's personal device.

This access allowed the hacker to deploy malware, capture the employee's master password using a keylogger, and bypass multi-factor authentication using an already MFA-authenticated cookie.

Because the employee used the same master password for both personal and business vaults, the attacker was able to access the business vault and steal an Amazon Web Services access key and a decryption key.

These keys, combined with the previously stolen information, allowed the attackers to breach the cloud storage firm GoTo and steal LastPass database backups stored on the platform.

Customer data stolen in breach

Personal information stored in the stolen database included encrypted password vaults, names, email addresses, phone numbers, and website URLs associated with customer accounts.

"The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," explained LastPass CEO Karim Toubba at the time.

"The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data."

The ICO claimed that the attacker did not decrypt customer password vaults, as LastPass' "Zero Knowledge architecture" does not know or store the master passwords used to decrypt vaults, and they are known only to customers.

However, LastPass previously warned that the security of encrypted vaults depended on the strength of a customer's master password, advising that weaker passwords be reset.

"Depending on the length and complexity of your master password and iteration count setting, you may want to reset your master password," reads a LastPass support bulletin about the cyberattack.

This is because GPU-powered brute-force attacks can crack weak master passwords used to encrypt vaults, allowing threat actors to gain access to them.

Some researchers claim this already occurred, stating their research indicates LastPass vaults with weak passwords were decrypted to conduct cryptocurrency theft attacks.

Password security tips

Information Commissioner John Edwards said that while password managers remain a critical tool for security, companies offering such services must ensure access controls and internal systems are hardened against targeted attacks.

He emphasized that LastPass customers had a reasonable expectation that their personal information would be protected and that the company failed to meet this obligation, leading to the penalty announced today.

The ICO encourages organizations to review their device security, remote work risks, and access restrictions.

Customers should also make sure they are using strong, complex passwords, which LastPass recommends be at least 12 characters and include upper- and lowercase letters, numbers, symbols, and special characters.

However, in attacks like these, where increased computational power and offline cracking can occur, it is safer to use a master password of at least 16 characters [1, 2] or a long multi-word passphrase to secure highly sensitive information, such as password vaults.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Friday 12 December 2025 at 4:03 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

According to a report from Elastic Security Labs, the malware shares code similarities with another implant codenamed FINALDRAFT (aka Squidoor) that employs Microsoft Graph API for C2. FINALDRAFT is attributed to a threat cluster known as REF7707 (aka CL-STA-0049, Earth Alux, and Jewelbug).

"One of the malware's primary features is centered around shipping data back and forth from the victim endpoint using the Google Drive API," Daniel Stepanic, principal security researcher at Elastic Security Labs, said.

"This feature ends up providing a channel for data theft and payload staging that is difficult for detection. The malware includes a task management system used for file transfer capabilities that include queuing download/upload tasks, pausing/resuming file transfers, canceling file transfers, and generating refresh tokens."

REF7707 is believed to be a suspected Chinese activity cluster that has targeted governments, defense, telecommunication, education, and aviation sectors in Southeast Asia and South America as far back as March 2023, per Palo Alto Networks Unit 42. In October 2025, Broadcom-owned Symantec attributed the hacking group to a five-month-long intrusion targeting a Russian IT service provider.

The exact initial access vector used to deliver NANOREMOTE is currently not known. However, the observed attack chain includes a loader named WMLOADER that mimics a Bitdefender's crash handling component ("BDReinit.exe") and decrypts shellcode responsible for launching the backdoor.

Written in C++, NANOREMOTE is equipped to perform reconnaissance, execute files and commands, and transfer files to and from victim environments using the Google Drive API. It's also preconfigured to communicate with a hard-coded, non-routable IP address over HTTP to process requests sent by the operator and send the response back.

"These requests occur over HTTP where the JSON data is submitted through POST requests that are Zlib compressed and encrypted with AES-CBC using a 16-byte key (558bec83ec40535657833d7440001c00)," Elastic said. "The URI for all requests use /api/client with User-Agent (NanoRemote/1.0)."

Its primary functionality is realized through a set of 22 command handlers that allow it to collect host information, carry out file and directory operations, run portable executable (PE) files already present on disk, clear cache, download/upload files to Google Drive, pause/resume/cancel data transfers, and terminate itself.

Elastic said it identified an artifact ("wmsetup.log") uploaded to VirusTotal from the Philippines on October 3, 2025, that's capable of being decrypted by WMLOADER with the same 16-byte key to reveal a FINALDRAFT implant, indicating that the two malware families are likely the work of the same threat actor. It's unclear as to why the same hard-coded key is being used across both of them.

"Our hypothesis is that WMLOADER uses the same hard-coded key due to being part of the same build/development process that allows it to work with various payloads," Stepanic said. "This appears to be another strong signal suggesting a shared codebase and development environment between FINALDRAFT and NANOREMOTE."

Source

As Microsoft explains, this mitigates a high-severity PowerShell remote code execution vulnerability (CVE-2025-54100), which primarily affects enterprise or IT-managed environments that use PowerShell scripts for automation, since PowerShell scripts are not as commonly used outside such environments.

The warning has been added to Windows PowerShell 5.1, the PowerShell version installed by default on Windows 10 and Windows 11 systems, and is designed to add the same secure web parsing process available in PowerShell 7.

PowerShell will alert you that, without precautions, scripts contained in web pages downloaded using the "Invoke-WebRequest' cmdlet could execute on your system. By default, if you press 'Enter' or select 'No,' the operation will be canceled, and PowerShell will suggest rerunning the command with the '-UseBasicParsing' parameter for safer processing.

When choosing 'Yes,' PowerShell will parse the page using the older method (full HTML parsing), allowing the content and embedded scripts to load as before. In short, selecting 'Yes 'means you accept the risk, while choosing 'No' stops the action to protect your system.

"Windows PowerShell 5.1 now displays a security confirmation prompt when using the Invoke-WebRequest command to fetch web pages without special parameters," Microsoft explains in a Tuesday advisory.

"This prompt warns that scripts in the page could run during parsing and advises using the safer -UseBasicParsing parameter to avoid any script execution. Users must choose to continue or cancel the operation."

After you install the KB5074204 update, IT admins will see the following confirmation prompt warning of script code execution risks:

Security Warning: Script Execution Risk
Invoke-WebRequest parses the content of the web page. Script code in the web page might be run when the page is parsed.
      RECOMMENDED ACTION:
      Use the -UseBasicParsing switch to avoid script code execution.
      Do you want to continue?
			```

For additional details, see [KB5074596: PowerShell 5.1: Preventing script execution from web content](https://support.microsoft.com/help/5072034).

To avoid having their automation scripts hang until manual confirmation, admins are advised to update their scripts to use the UseBasicParsing safe parameter explicitly.

It's also important to note that in PowerShell, the 'curl' command is aliased to the Invoke-WebRequest cmdlet, so you will also see these new warnings when running scripts invoking curl commands.

"Most PowerShell scripts and commands that use the Invoke-WebRequest command will continue to work with little or no modification," Microsoft noted.

"For example, scripts that only download content or work with the response body as text or data are not affected and require no changes."

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 10 December 2025 at 1:32 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

As spotted on X, a ChatGPT Plus user casually asked a normal question about Windows BitLocker. While the AI answered the question, it also recommended shopping at Target for groceries.

Now, groceries or home food are clearly not related to BitLocker, but the "Shop for home and groceries" bubble still appears, and it's quite fair to assume that it's an ad.

However, an OpenAI executive argues that this is not “not an ad” but an app recommendation from a pilot partner, and that the company wants app suggestions to appear more “organic” inside ChatGPT.

"We've launched apps from some of our pilot partners since DevDay, including Target, and have been working to make the discovery mechanism for apps more organic inside ChatGPT," Daniel McAuley wrote in a post on X.

"Our goal is that apps augment the ux when relevant to a conversation, and we're still working on it. Anyone can build apps using the apps SDK, and we plan to open submissions and the app directory soon," he explained.

For most people, it still looks and feels like an ad. You see a brand logo, a short shopping message, and a call-to-action, inside a paid product, even though you never asked about shopping or Target.

ChatGPT is automatically pushing a commercial suggestion into an answer, just like how recommendation appear in the Windows 11 Start menu, and still defending it.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Monday 8 December 2025 at 11:09 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

Friday, the EU slapped X with a €120 million fine (about $140 million) for violating the Digital Services Act (DSA). It was the first time that a company had been hit with a penalty for running afoul of the law. Elon Musk responded with his trademark tact and professionalism by posting “Bullshit” on X in response to the announcement from the European Commission. But that wasn’t the end, because just a day later Nikita Bier, X’s head of product, accused the Commission of abusing an exploit to boost the reach of the announcement and responded by shutting down its ad account.

According to Bier, the Commission had not used its ad account since 2021, but used a post format explicitly reserved for ads in its announcement of the fine against X. He claims that the Commission posted “a link that deceives users into thinking it’s a video and to artificially increase its reach.” (For the record, the post itself includes a video.)

The seemingly retaliatory revocation of the European Commission’s ad account is unlikely to materially change things for either X or the EU. If, as Bier claims, the Commission has not used its ad account since 2021, holding it hostage is unlikely to give X any leverage. And, while it can appeal the decision, X is currently still on the hook for the sizable fine. Plus, it must provide details for how it plans to address the “deceptive” use of verified checkmarks in the next 60 days, or face additional penalties.

We’ve reached out to the Commission for comment and will update if we hear back.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Monday 8 December 2025 at 11:08 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

As reported on by TheRegister, a user operating under the name ShadyPanda began uploading harmless extensions in 2018. These early versions behaved like standard tools, which helped build trust over seven years. Once the install base grew into the millions, the extensions received malicious updates that turned them into surveillance tools. Koi Security uncovered the activity while analysing extension behaviour and later confirmed the scale of the incident in its report.

The extensions were positioned as productivity add-ons, and some even earned featured and verified status on both Chrome and Edge. More than 4.3 million users were affected across the two browsers. One of the main examples, Clean Master, had over 200,000 installs on its own.

Another extension, WeTab, along with several others from the same publisher, reached more than 3 million installs across Edge and Chrome.

The threat is now removed, but users should still review their browsers

The reset function in Winaero Tweaker injects legacy binary values (static 9pt Segoe UI) into the Windows 11 Registry Keys. This legacy data conflicts with Windows 11's native Accessibility subsystem by overriding the Text Size scaling and rendering the UI illegible on high-DPI displays.

If you manage to muck up your system settings, the Redditor reports that manually deleting the injected registry values does not fully resolve the issue, with the font face bring broken entirely, forcing a system-wide fallback to Arial. While unconfirmed, the Redditor thinks that the app might inject hidden dependencies elsewhere, perhaps FontSubstitutes, that survive cleanup.

To restore their Windows 11 back to a fully normal state, RemarkableOil451 had to perform a full system restore. While the OP didn't realize it at the time, as it was later mentioned in the comments, there is a way to fix the issue without a full system restore.

Apparently, you can do the following steps to get your system back to normal:

•     Delete the HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics key via Registry Editor.
•     Go into Windows Settings, Display, and set the scaling to an arbitrary value (e.g., 175%).
•     Sign out and sign back in to force the OS to "recompute" the default values.
•     Then restore the original scaling.

If you are using Winaero Tweaker then, be sure not to restore the defaults as you'll end up with extra work on your hands, though, it's not as catastrophic as needing to do a system restore. To be honest though, if you are not happy with your system screwing up, perhaps using a tweaker to make unofficial changes isn't the best idea.

Source

Recently, Google launched Nano Banana Pro, its most powerful image model to date.

The model is likely trained on millions of websites and videos, which explains why it’s one of the best tools for generating realistic images.

It’s also very capable at creating infographics, and Google has been promoting that feature on X (formerly Twitter), especially for recipe-related posts.

In one such promotion, Google’s NotebookLM account shared an “infographic recipe card” for Classic Buttery Herb Stuffing, presented as a cozy “family recipe” you could generate with AI

After the post went live, X user Nate Hake compared the card to a stuffing recipe from the blog HowSweetEats and found that it was strikingly identical.

As the screenshot shows, the ingredients list and structure closely matched the original post.

Hake argued that the AI didn’t “think” but likely scraped the recipe word-for-word, ran it through Google’s model, and turned it into a cutesy card.

“Google has crossed the rubicon into publishing AI summaries that do not even link to the source websites at all. And they are doing this in clear violation of these websites’ posted terms of use,” Hake, who tracks AI slop, told BleepingComputer.

"This incident shows how Google is trying to leverage its Search monopoly into a monopoly on answers themselves. Whereas Google used to send clicks to websites who put in the hard work of creating content, with AI it increasingly is just scraping content, republishing that content in AI summary form, and sending fewer and fewer clicks to the original creators," Nate Hake explained.

After getting called out on X, Google has now quietly deleted the NotebookLM post.

However, the company is not alone in facing criticism for its AI promotions, as Microsoft recently pulled an X post as well after a Copilot feature failed to work in the ad itself.

Google is planning to monetize AI-generated answers on search

If you thought Google was building these tools to fuel AI slop and not its ad revenue, then you are in for a shock.

Google has already started testing ads in AI mode within the answers. These ads appear along with the citations, and you might not even realise if they're organic links or ads.

In a statement to BleepingComputer, Google later confirmed it was testing ads in AI mode as part of an experiment that has been going on for months.

However, Google is not the only company preparing ads in AI answers.

OpenAI, which currently dominates the AI market among consumers, is also experimenting with ads in ChatGPT.

Ads within ChatGPT could be highly customised, and influence buying behaviour significantly compared to Google ads.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 2 December 2025 at 4:00 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

With perfect forward secrecy (PFS), messages sent on Session will be protected, even if your long-term key or device is compromised. When Session gets PFS, it will generate new session keys for new messages so that if one key gets compromised, your other messages stay secure.

The company decided not to support perfect forward secrecy in its current Session Protocol for the sake of simplicity and decentralization, but it raised concerns in the privacy community.

Another big item in the new protocol is post-quantum cryptography messaging. This helps to future-proof message security against 'harvest now, decrypt later' (HNDL) attacks by quantum computers. As a bit of background, HNDL attacks are where an adversary vacuums up encrypted messages and keeps them until a time in the future when quantum computers are capable of decrypting them.

Quantum computing developments have been coming on in leaps and bounds recently, and by the mid-2030s, experts claim we could have useful quantum computers. While PQC won't protect encrypted messages already collected, the feature will protect new messages.

Finally, the protocol will bring improved linked device management via the introduction of unique per-device keys that enhance device identification and control. In the current version of the protocol, a compromised device with access to the long-term key allows attackers to link new devices to the account without the user's knowledge.

The new Session Protocol is still undergoing design. As the work becomes more mature, a more detailed specification will be released in 2026 for scrutiny by the community and security researchers.

While it will be good when Session gets this new protocol upgrade for user security, Session says that it is important to note that none of these attacks are currently practical. It also said that it has not seen any evidence of any such attacks on the Session network, but still understands the concerns people have raised.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 2 December 2025 at 4:00 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

A Teams update will now report on your whereabouts, so your boss can find you. “When users connect to their organization’s Wi-Fi," Microsoft says, "Teams will automatically set their work location to reflect the building they are working in.” Clearly, if you’re not connected to your company Wi-Fi, it will show that as well.

The better news is the update is delayed. When I first reported on this in October, we expected it to start rolling out in December. But it’s now delayed and you can relax through the holidays. Microsoft now says “rollout starts January 2026.”

So, the days are numbered for virtual backgrounds masking the sofa, the bedside table or the Caribbean beach that’s really behind you. It won’t work any more.

Windows Central describes this as "a productivity booster, meaning you’ll no longer have to manually look for your counterparts at the office or even give them a call; you can easily pinpoint their location via Teams as long as they are connected to the office’s WiFi network.” I’m not sure people will see it that way. But time will tell.

This follows Microsoft’s rollout earlier this year of “your workplace presence in Teams automatically being set to the building level.” It will be “will be off by default,” but it’s for admins not you to “decide whether to enable it and require end-users to opt-in.”

Windows Reports says that “once released, it will be available for Teams users on both Windows and Mac worldwide.” There is literally no escape.

Good luck, everyone. You may need it.

Source

A VPN or Virtual Private Network is a tool used to improve your security when online. It creates a secure, encrypted connection between your device and a server run by the VPN provider. Besides using strong encryption, your IP address is replaced by the IP address of the server you are connected to. As a result, your online journey can't be tracked. You can also choose the location of the server you connect to allowing you access to different versions of websites. For example, using a VPN, you can trick a website into thinking that you are accessing it from another country and see content not available to read in your country.

Using a VPN can reduce your download and upload data speeds

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Monday 1 December 2025 at 4:20 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

RIP Matrix

The type of data compromised in the attack includes full names, genders, physical addresses, phone numbers, and email addresses, and could be used in phishing attempts.

The incident was first disclosed on September 29, when the company was forced to suspend production and shipping operations due to a cyberattack.

At the time, Asahi stated that it saw no evidence of customer data having been accessed by unauthorized actors. A few days later, though, the company confirmed that it suffered a ransomware attack and that data had been stolen.

The disclosure was followed by Qilin ransomware claiming the intrusion and alleging to have 27GB of data from Asahi. The hackers published samples of exfiltrated files on their data leak site to prove their claims.

A press release from the company Asahi states that the following categories of individuals have been impacted:

• 1,525,000 customers who contacted Asahi’s customer service centers (Breweries, Drinks, Foods).
• 114,000 external contacts who received congratulatory or condolence telegrams from Asahi.
• 107,000 current and retired employees and 168,000 family members of those employees.

Asahi notes that the types of data exposed vary per category. For customers, it may include name, gender, physical and email address, and phone number; but for employees, it may also include dates of birth and gender.

The company underlines that no payment card information was exposed in the incident. A dedicated contact line has been established for affected parties to receive answers about the exposed personal data.

According to Asahi’s CEO, Atsushi Katsuki, the company is still in the process of restoring impacted systems, two full months after the initial compromise.

“We are making every effort to achieve full system restoration as quickly as possible, while implementing measures to prevent recurrence and strengthening information security across the Group,” stated Katsuki

“Regarding product supply, shipments are resuming in stages as system recovery progresses.”

The preventative measures to be implemented include redesigned communication routes, tightened network controls, restrictions on external internet connections, upgrades of threat-detection systems, security audits, and redesigned backup and business-continuity plans.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Sunday 30 November 2025 at 3:14 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of October): 5,009

RIP Matrix