Coming shortly. Researchers say they've uncovered an in-the-wild phishing operation that "effectively bypasses any protections that a FIDO key grants." As I will explain, this isn't the case. The research misunderstands what's occurring in the attacks. More to follow.
Interesting article reporting that Android will soon give Gemini broadened access to phones and the apps they run, even when Gemini has not been turned on. Article goes on to say people who don't want this should "open the Gemini app from your Android device" and turn off each app extension. Sounds simple enough, but I'm not finding any Gemini app installed on my Pixel. Can anyone help me figure out what precisely people must do to keep Gemini off of their Android devices?
Ubuntu is now allowing users to disable security mitigations Intel has baked into its GPU components. People are claiming the setting provides up to a 20% boost in performance. I'm still trying to understand more about the mitigations, but they appear to involve defending against Spectre-based attacks. Is this wise? On the one hand, I'm not aware of a single Spectre-based attack in the wild. On the other hand, you're leaving yourself potentially exposed. Thoughts?
Found in the wild: 2 Secure Boot exploits. Microsoft is patching only 1 of them.
Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it's investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.
Signal Messenger is warning that Recall, the AI tool rolling out in Windows 11 that will screenshot, index, and store everything a user does every three seconds, poses a risk to its users. Effective immediately, the Windows Desktop version will by default block the ability of Windows to screenshot the app. Of course, Microsoft provides no API to disable Recall from screenshotting specific apps, so Signal is getting creative. They are invoking a digital rights management API that blocks the screenshotting of copyrighted material.
Folks, there is 0 evidence that Steam passwords have been breached. Unless and until credible evidence occurs, please do NOT urge people to change their login credentials and please do NOT boost other people's toots doing the same. Creating unjustified anxiety about a non-event does a disservice to us all. Please boost for visibility.