Cybersecurity & Privacy
Unwary Chinese Hackers Hardcoded Credentials into Backdoors
Researchers discovered a Chinese nation-state threat actor, dubbed GopherWhisper, that carelessly hardcoded command and control credentials into backdoors written in the Go programming language. The group used platforms like Slack and Discord for C2 communications, with researchers recovering over 9,000 messages that revealed details about the attackers’ environment and activities.
TunnelCrack is not new — but it is still worth understanding
I am sharing this because, even though TunnelCrack is not new, I think many people will still find it interesting. It is one of those security stories that says something bigger than the headline itself. In this case, the real lesson is not about a brand-new exploit. It is about an old assumption many people still make about VPNs.
The Art of the Gray Man: How to Travel Smart, Stay Safe, and Experience More of the World
“Travel is fatal to prejudice, bigotry, and narrow-mindedness.”
— Mark Twain
Travel changes how we see the world.
It exposes us to new cultures, unfamiliar environments, and perspectives that challenge our assumptions. But the moment you leave home, one fundamental reality shifts:
You are playing an away game.
Different social norms. Different systems. Different risks.
You do not need to be paranoid when you travel.
You need to be deliberate.
Security professionals often use a concept known as the gray man. The philosophy is simple: blend into your environment so completely that you never attract attention in the first place.
The goal is not to hide.
The goal is to be so unremarkable that no one remembers you.
Most criminals are not looking for confrontation. They are looking for opportunity — someone distracted, uncertain, or visibly out of place.
The gray man approach simply removes that opportunity.
EmDash challenges the way WordPress has been secured
Cloudflare has introduced EmDash as a spiritual successor to WordPress. That is the headline. The more important issue is the architecture behind it.
For years, WordPress has balanced flexibility and scale against a plugin model built on a high degree of trust. That trade-off helped make it the dominant publishing platform on the web. It also contributed to one of its most persistent security weaknesses.
CodeWall says it hacked McKinsey’s AI platform. Here’s what holds up — and what doesn’t.
This reflects my personal assessment of publicly available reporting and CodeWall’s published blog post. I was not involved in the testing, I do not have access to McKinsey’s internal facts or forensic findings, and my views should be read as commentary and opinion rather than statements of verified fact.
A security startup called CodeWall claims its autonomous agent compromised McKinsey’s internal AI platform, Lilli, within two hours and gained unauthenticated read-write access to a production database containing tens of millions of consultant conversations. The vulnerability appears credible. The claimed scope of impact is not fully evidenced. The primary CodeWall post is here: codewall.ai/blog/how-… Independent reporting by Jessica Lyons in The Register is here: www.theregister.com/2026/03/0…
Your encrypted email is a neon sign: applying the grey man principle to digital privacy
Every security blog, podcast and YouTube channel gives you the same advice. Use ProtonMail. Switch to Signal. Route everything through Tor. Encrypt your hard drive. The message is always the same: encrypt everything and you will be safe.
I have spent more than 25 years in cybersecurity. I have built intelligence platforms for government agencies and I run security operations for a global enterprise. And I am going to tell you something most privacy guides will not: by following that advice to the letter, you may be making yourself a target instead of protecting yourself.
The "Stein Standard": What the OpenAI ruling means for privacy and discovery
On Jan. 5, 2026, U.S. District Judge Sidney Stein affirmed a significant discovery order requiring OpenAI to produce 20 million de-identified ChatGPT conversation logs to plaintiffs in the consolidated copyright litigation involving The New York Times and other publishers.
As security and privacy professionals, we often warn about “Shadow AI” and data leakage. This ruling makes those risks concrete. Here is a balanced analysis of what happened and what it means for Canadian organizations.
NYC mayoral inauguration bans Flipper Zero, Raspberry Pi devices
The NYC mayoral inauguration has specifically banned Flipper Zero and Raspberry Pi devices from the event. While many common items like weapons and large bags are prohibited, these two specific tech devices were singled out, causing confusion as laptops and phones remain allowed.
French authorities investigate AI ‘undressing’ deepfakes on X
French authorities are investigating AI-generated deepfakes on X after hundreds of women and teens reported non-consensual sexually explicit images created using the Grok chatbot. This investigation is part of an existing probe into X, with potential penalties including prison time and fines.
New GlassWorm malware wave targets Macs with trojanized crypto wallets
The GlassWorm malware has launched a new wave targeting macOS developers by distributing trojanized crypto wallets through malicious VSCode extensions on the OpenVSX registry. This campaign, which now also targets Keychain passwords, attempts to replace legitimate hardware wallet applications with malicious versions, though this specific functionality is currently failing.
Hackers claim to hack Resecurity, firm says it was a honeypot
Hackers claiming to be the “Scattered Lapsus$ Hunters” allege they breached Resecurity and stole sensitive data, but Resecurity states the accessed systems were a honeypot containing fake information designed to monitor the attackers. The cybersecurity firm claims it collected extensive intelligence on the threat actor’s tactics and infrastructure, which has been shared with law enforcement.
US Action in Venezuela Provokes Cyberattack Speculation
The United States launched an armed attack on Venezuela, involving explosions in Caracas and the removal of its president, with Cyber Command involvement. While a grid outage occurred, it remains unclear if a cyberattack was the cause, though the US has previously used cyber warfare and may have crippled Venezuela’s oil infrastructure with a cyberattack weeks prior.
GitHub - fabriziosalmi/nis2-public: Automated NIS2 Directive compliance scanning and reporting tool
The nis2-public GitHub repository provides an automated NIS2 Directive compliance scanning and reporting tool. It features comprehensive security checks, multiple report formats (HTML, JSON, Markdown), and easy Docker deployment, with options for Prometheus and Grafana integration.
Thousands of ColdFusion exploit attempts spotted during Christmas holiday
During the Christmas 2025 holiday, thousands of exploit attempts were detected targeting Adobe ColdFusion vulnerabilities. A single threat actor, operating from Japan-based infrastructure, was responsible for approximately 98% of the observed attack traffic, exploiting over 10 ColdFusion CVEs from 2023-2024.
The State of Blocking: A Guide to Ad Blockers on iOS & iPadOS
For years, “system-wide” ad blocking on iPhone typically meant a trade-off: the most aggressive options relied on a local, device-level tunnel (often presented as a VPN). It worked, but it could add operational friction — especially for anyone who also needs a corporate VPN.
In 2026, the platform story is materially better, but it is not magical.
Two Apple capabilities matter most:
- Encrypted DNS (DoH/DoT) configured at the OS level: mature, stable, and broadly useful for cutting tracking across the device — with important precedence rules when a full VPN is active.
- iOS 26 URL filtering (NEURLFilter): a meaningful architectural shift, but best viewed as an emerging foundation that is not yet universally available to consumer-grade ad blockers.
If you want the simplest answer: use a Safari content blocker for Safari, and use DNS filtering for cross-app tracking reduction. Treat “VPN-style” blockers as a power option when you explicitly need their added capabilities.
The ‘Delete’ Button Is a Lie: A Canadian’s Guide to AI Data Retention
When you hit “delete” on a conversation with ChatGPT or Gemini, you likely expect it to vanish. In reality, that data often enters a digital limbo—accessible to the provider for 30 days, three years, or even seven years for certain safety-classifier metadata, depending on the fine print you didn’t read.
For paid subscribers, the assumption of privacy is dangerous. While corporate “Team” and “Enterprise” plans typically offer stronger contractual controls (including training restrictions and admin-managed retention), “Pro” and “Plus” users are frequently treated as consumers with slightly better perks, not better privacy.
South Korea to require facial recognition for new mobile numbers | The Record from Recorded Future News
South Korea will mandate facial recognition for new mobile numbers starting March 23 to combat scams and identity theft, requiring a real-time comparison between ID photos and users’ faces. This policy aims to prevent the activation of phones registered under false or stolen identities.
Cyber spies use fake New Year concert invites to target Russian military | The Record from Recorded Future News
A cyberespionage group known as Goffee is targeting Russian military personnel and defense organizations with phishing lures, including fake concert invitations and official letters, to deploy a backdoor called EchoGather. While the group is believed to be pro-Ukrainian and has been active since at least 2022, the success and specific objectives of this latest campaign remain unclear.
Managing agentic AI risk: Lessons from the OWASP Top 10 | CSO Online
The OWASP Top 10 for Agentic AI provides a framework to address the growing security risks associated with agentic AI adoption, offering practical guidance, threat taxonomies, and mitigation strategies for CISOs. While the list is immediately useful, some areas like detailed mitigation steps and attack likelihood require further development.
The “Double-Blind” Signal: A Security Analysis of Phreeli Wireless
In the final weeks of 2025, a new entrant in the American telecommunications market, Phreeli, made an audacious design claim: it aims to know as little about its customers as possible. Launched on Dec. 4, 2025, by Nicholas Merrill — the internet service provider owner who spent a decade fighting a PATRIOT Act-era gag order — Phreeli is a mobile virtual network operator (MVNO) designed to decouple legal identity from cellular activity.
As a security professional, I approach “privacy-first” claims with inherent scepticism. After a technical deep dive into Phreeli’s architecture and launch documentation, here is an objective analysis of where this service succeeds — and where the physics of cellular technology still create unavoidable risks.