Matteo / @[email protected]

Wow!!! 🙏🏿

Hundreds of millions of actively-used iPhones and iPads are now at risk of being hacked through exploit tools that have been made available on Github. For anyone not using the latest iOS 26 software, it's time to update ASAP. “This is bad. They are way too easy to repurpose. I don’t think that can be contained anymore. So we need to expect criminals and others to start deploying this," one security expert at @IsMyPhoneHacked told us. spr.ly/6019B6wNcx

Good reporting by @lorenzofb to confirm what we reported as a theory last week: That the highly sophisticated iPhone hacking toolkit known as Coruna, found in the hands of Russian spies and now criminal hackers, is an out-of-control US-government-funded creation. techcrunch.com/2026/03/09/an-…

Google has identified an iOS exploit kit named Coruna. 5 full exploit chains, 23 vulnerabilities, documentation in native English, modular architecture. Full professionalism. It must have cost millions of dollars. Who built it? Google doesn’t say, but the evidence points to US government tools. The kit also contains components previously used in a cyber operation that Russia attributed to the NSA. Coruna traveled. First, an anonymous “company client”, then used by a Russian cyber espionage group, which hid the code on Ukrainian websites inside a visitor-counter script, delivering it only to selected users from a specific geolocation. Later a financially motivated actor “operating from China” deployed it (infecting over 42,000 devices). The malware added to the ready-made kit was lower quality than the original suggesting the tools were acquired and modified by someone else. One US government subcontractor, Peter Williams, just received a 7-year prison sentence for selling tools to Russian broker Operation Zero. The US government spent millions on a tool that now steals cryptocurrency. A good return on investment, just not for themselves. One more detail: Coruna did not attack devices with Lockdown Mode enabled.​​​​​​​​​​​​​​​​ cloud.google.com/blog/topics/th…

Verification: "Any other platform to confirm you’re still you?"

I am quoted in this article that I recommend anyone read. Always useful advice . Prepare & prxatice before you need it. Get ready, stay ready.

Another gem, here is all you ever wanted to know about Itanium C++ ABI exception handling and how its implemented in Linux C++ binaries maskray.me/blog/2020-12-1…

Two years ago, a Norwegian researcher skeptical that pulsed-energy weapons could do damage to human brains — aka “Havana syndrome” — built a device and tested it on himself. It didn’t go well. Someone from FFI, perhaps? washingtonpost.com/national-secur…

Apple’s new iPhone security feature limits cell networks from collecting precise location data, but appears to have very limited support in the U.S. at the moment. Here’s to hoping all the big carriers get on board too. techcrunch.com/2026/01/29/app…

New court record from the FBI details the state of the devices seized from Washington Post reporter Hannah Natanson: phone was on w/Lockdown Mode; personal laptop was off; work laptop was on w/Touch ID; several Signal chats used disappearing messages. storage.courtlistener.com/recap/gov.usco…

I helped design and implement the secure tip line at the New York Times in 2016. Who can access what, when, where, and how is just as important as the specific apps, tools, and settings that are used. nytimes.com/2017/03/02/ins…

I read dozens of articles about Claude and Anthropic every day. It’s rare to find a piece as thoughtful as this one by @ARozenshtein on Claude’s Constitution. lawfaremedia.org/article/the-mo…

I show how malicious Claude Code skills can spread across infrastructure. Approve one skill → it gets shell access → copies itself to every host in your SSH config. Skills are code. Treat them that way. blog.lukaszolejnik.com/supply-chain-r…

This is why @emilymbender and @alexhanna say to name the specific thing being discussed rather than calling it "AI". Right now, ChatGPT is bucketed under the same term as a model trained to translate a specific language into another and is carefully trained on curated data.

Again, wildly different things, tasks, techniques, subspecialties being lumped into "AI" and being conflated with each other, doesn't help. Different types of models vs techniques to train them vs tasks they're supposed to accomplish, all bucketed under "AI", is misleading. 🧵

I can NOT WAIT for this! Today, 6PM ET Wednesday November 19th, 2025 at @wework #Harlem hosted by Harlemverse x @cryptoharlem . Let's go!

@timnitGebru DOH! 🤦🏿‍♂️:( so many missed opportunities to talk about how these things really work, the real harms they create today/yesterday, as well as potential mitigations. So happy you exist @timnitGebru !

CBS 60 minutes: how to go from journalism to AI Hype marketing—as—a—service. Deepmind will cure cancer & Anthropic is teaching “models to be good” ❤️ Not the massive theft, environmental costs & toxic outputs discussed. Mainstream media is killing itself no one else to blame.

@RachelTobac I will tell everyone to get "politely paranoid". Keep up the great work Rachel, keeping the masses safe with factual education and demonstration!

In the past quarter, I've had 6 orgs I work with mention to me that they're dealing with a live Zoom/Teams call deepfake impersonating an Executive to staff asking for a wire transfer or a password. This attack method is growing right now. Make sure your team knows to catch it.