
From Pentagon Concerns to Street-Level Phone Theft: Digital Tracking Is Everyone's Problem Now

From ad-tech surveillance targeting US troops to stolen iPhones and AI-assisted cyberattacks, this week's security news showed how deeply digital tracking now affects everyone.

 & Alan Henry Managing Editor, Security


Age verification laws remain the policy approach of choice for politicians seeking an easy win against the perils of big tech, while also avoiding actually doing anything about those perils (aside from funneling money into more digital surveillance, annoying users, and potentially censoring legitimate content online). Now, age verification is coming for your computer, bringing the same privacy concerns with it. A lot of tech policy has this problem: The proposed solution to tech problems ends up creating new, different tech problems.

In better news, Apple may be working on an iOS update that detects when a phone is snatched and automatically locks it. It’s worth mentioning that Apple already has a number of security features to help you lock and protect a lost phone, but if it’s snatched while it’s unlocked, you’re kind of out of luck. This comes on the heels of reports of thousands of iPhone thefts in London, with their owners being blackmailed or threatened into giving the thieves their Apple ID credentials, so the thieves can unlock, wipe, and resell the phones. 

Meanwhile, here on the PCMag security team, we’ve been testing out some interesting hardware. We got our hands on the Flipper Zero not too long ago and showed you some fun things you can do with one. Now that the Flipper One has been announced, we put the two devices head-to-head on specs to see how they stack up. The Flipper One is still a ways off, but it looks to be a much more powerful device, aimed at a different kind of tinkerer, so don’t feel like you’re missing out if you want to try the Flipper Zero now, while you wait.

Finally, we also put two secure Android alternatives to the test: GrapheneOS, a secure Android replacement, and PlugOS, a version of Android that runs on the PlugMate, a device that attaches to your phone via USB-C. They’re different approaches to a similar problem: cleaning up Android and making it the secure, privacy-focused mobile OS many of us have always wanted it to be. 

Now then, let’s see what else is going on in the infosec world this week.


Pentagon Says US Military Personnel Are Reportedly Being Targeted Using Location Data

One problem with advertisers and marketers building a massive surveillance and ad-targeting network over the past few decades is, well, there’s a massive surveillance and ad-targeting network that anyone with enough money to buy access to it can use to target anyone they want. And according to this Reuters story, the Pentagon is starting to get concerned, noting that adversaries are targeting US military personnel using location data and other information that’s easily obtained through, you guessed it, the kind of tracking that’s become ever-present on the web today. The report notes that things like advertising IDs, location sharing (which is often enabled by default), and even browser fingerprinting (specifically in Google Chrome) have been used to track US forces deployed to active conflict zones.

The warning places the blame on the Pentagon for not acting quickly enough to protect military personnel and warn them of the dangers of ad tracking and browser fingerprinting, but also notes that the massive location tracking and ad data markets don’t help things much, especially since there are few, if any, checks on who’s buying the data and what it’s being used for. Plus, in the absence of strong privacy regulations here in the US, there’s little authorities can do about the tracking except press lawmakers to take action, since tech companies are unlikely to do anything that will impact their bottom line.


Scammers Pretending to Be Microsoft Had Help From US Executives

Remember those tech support scams, where someone would call claiming to be from Microsoft and say they were calling to fix a nonexistent problem with your computer, which usually ended with them trying to get money, personal data, or both from you? They were a big problem a few years back, and while I’m sure they still exist, they’re less of an issue now that authorities have cracked down on them. But this story on the Malwarebytes blog reveals that the scammers had some surprising help: US-based executives of a call-tracking and analytics company. 

The news was revealed in a court case that concluded last week, in which the former CEO and former CSO of an offshore call-tracking firm both pleaded guilty to selling phone numbers and call infrastructure to the very same scammers. And before you think that maybe it’s just a matter of them not knowing what their customers were doing with the data, sorry: The two actually helped the scammers avoid detection, gave them tips on how to stay under the radar of authorities, told their sales teams to pursue other groups with similar fraudulent activities, and, worst of all, set up their own scam call center to get in on the game.

The whole story is wild to read, and proof that scams, both online and on your phone, are big business and can make big money. And in any situation where serious money is in play, there’s always someone willing to throw their ethics aside to make big bucks.


AI-Assisted Exploit Development Outpaces Scanner Detection

One thing that’s become apparent as we’ve been covering AI and infosec is that while models like Anthropic’s Mythos make it very easy to find vulnerabilities, it’s still largely up to human beings to fix those flaws and deploy patches and updates to lock down their systems. That puts defenders and developers on the back foot, because it’s easy to poke holes and find ways in to exfiltrate data, but much harder to protect it, and AI isn’t helping on that front. 

This excellent piece at Dark Reading dives into the issue, and gets to the heart of what I think a lot of security professionals (and journalists, like myself) are thinking about the current moment: That while there’s no shortage of buzzy headlines about how many dozens or hundreds of vulnerabilities these new AI models find, the quiet, laborious work of actually fixing them can’t exactly be vibe coded away. And the accelerated timetables involved here, where an adversary’s AI may identify issues and exploit them faster than you can fix them, are a very real problem that security professionals will have to deal with in the coming months and years.
