
From Hot Dog Bots to Government Subpoenas: Tech's Biggest Security Fails This Week

A fake site about hot dog-eating capabilities may seem funny, but behind the laughs lies a series of serious cybersecurity failures.

Alan Henry, Managing Editor, Security


When Microsoft cut off support for the millions of PCs still running Windows 10, the goal was to force people to either upgrade to Windows 11 or buy new PCs that came preinstalled with it. Predictably, the move was incredibly unpopular, and many of those people are sticking with Windows 10, which opens the door for bad actors to exploit the OS Microsoft gave up on or try to prey on users looking for cheap upgrades, like these Facebook ads we covered this week. Remember, if it seems too good to be true, it definitely is, especially these days.

In other news, AI giveth and AI taketh away. This week, Anthropic, famously known for stealing books en masse and also for its Claude AI chatbot, announced that Claude Code can now autonomously scour your code for potential security vulnerabilities. That’s good news. On the other hand, in the same week, Anthropic came out accusing Chinese AI developers of stealing its code and trade secrets, which, as you can imagine, hasn’t gone over very well with people who have paid any attention to AI development over the past couple of years. One user amusingly responded to Anthropic’s announcement that its data was being stolen with a meme asking where it had gotten the data in the first place.

Meanwhile, there’s proof that raising your voice (and threatening to cancel your paid services) does actually matter when it comes to controversial topics like age verification and privacy. Discord, which announced a few weeks ago that it would implement age verification, backed down this week after user backlash and cut ties with Persona, the Peter Thiel-backed verification company it had initially planned to work with. Discord delayed the move until later this year, though, so don’t expect the issue to go away anytime soon.

That's not all that happened in cybersecurity this week, though, and it only gets wilder from here.


Here’s What a Google Subpoena Response Looks Like, Courtesy of the Epstein Files

Remember a couple of weeks ago, when we talked about that report from The Intercept about how Google just handed over a student’s details to ICE, including way more information than they initially requested? Well, thanks to a deep dive into the Epstein Files, WIRED has a new report on exactly what a subpoena response from Google actually looks like, and it’s not pretty. First of all, it’s worth noting that the kinds of requests Google regularly gets generally ask for basic information and whatever else might be available, but the report reveals that Google very often goes to great lengths to include details about its users in its responses to those subpoenas, and those users may never be alerted to the disclosure (or even know what has been divulged). In one case, Google handed over IP addresses, payment details like credit card numbers, and more. Many responses include recovery email addresses, physical addresses (including past ones), IP address logs, and details on the devices used to access Google services.

WIRED points out that in most cases, the contents of those accounts and messages usually require a search warrant, but a subpoena is all it takes to get a ton of metadata that may make additional information unnecessary, and digital privacy groups like the Electronic Frontier Foundation have criticized the company for handing over so much information without one. Google, for its part, says it pushes back against overreaching requests and operates within the law and in its users' interests. Luckily for you or me, you can see what kind of information Google would hand over about you through Google Takeout, and WIRED has more details on how to do that in the piece above. (Oh, and full disclosure, I used to work at WIRED, and the reporting there is incredible.)


AI (Food) Poisoning Made Shockingly Easy

If there’s anything I love to see, it’s more journalists and researchers pointing out how easy it is to poison large language models. At last year’s RSAC security conference, we covered a session on the topic and even discussed why it’s important to do so beforehand. So imagine how happy I was to see a BBC reporter reveal exactly how easy it is to poison ChatGPT and even Gemini with just one simple website. In short, Thomas Germain created a completely fake website ranking the hot dog-eating capabilities of various tech journalists—crowning himself the king and champion, of course—and then all he really had to do was sit back and wait. Within less than 24 hours, most major chatbots were more than happy to parrot back the hot dog stats as 100% fact to anyone who asked. Even the ones that treated it like a joke changed their tone after Germain updated his site to say, “This is not satire.” 

It was a stunt, to be sure, but it does hammer home the point: back in the day, spam websites would have to dump resources and attention into trying to poison search engines into ranking their content higher than actual, truthful information. With AI chatbots, however, every company behind one is more interested in reach and user acquisition (not to mention money) than in providing truthful information. And this is a big problem not just in terms of security, which we’ve covered before, but also when it comes to the millions of people turning to AI chatbots to do everything from giving them medical advice to doing their homework.


Across Party Lines and Industry, the Verdict Is the Same: CISA Is in Trouble

CISA, the US Cybersecurity and Infrastructure Security Agency, is normally a powerful bulwark against information security threats, vulnerabilities, and external attacks worldwide. Operating within the Department of Homeland Security, it’s long been respected for issuing guidance on security policies and best practices to government agencies and businesses. But, a little less than one year into the current administration, the growing consensus is that CISA is struggling, after shedding over a third of its staff, getting its funding slashed, and closing entire divisions dedicated to internet and network security. 

A new report from Cyberscoop goes into detail about the crisis at the agency, citing observers and experts from across the political spectrum, all of whom are sounding the alarm on an issue that’s leaving American businesses and consumers not just less safe online, but open to attack, with no one to help defend them or shore up defenses. Even worse, the problems at CISA don’t seem to be over yet and probably won’t go away anytime soon, as the administration’s priorities don’t include cybersecurity, and its appointees don’t seem up to the task of managing the agency. The whole report is worth a read, and includes first-person testimonials from people on all sides of the issue, but they all agree on one point: Things aren’t looking good.
