The IT Privacy and Security Update gets in your head for the week ending May 2nd, 2023



Daml’ers,

This week we get breached, we get in your head, we go all over the world and then we get a beat-down by the cat.

The world of brain scanning coupled with AI is already yielding some very interesting results and we take you into the ganglia of the action.

We learn a new stat for a nation-state face-off and frankly, the numbers look a little one-sided.

Mitten
-click on this cat pic to hear a podcast of this update-

We discover the EU setting “mew” regulations for nineteen of the major tech players, while Italy invites one company back in through the cat flap from out in the cold.

Finally, a partnership between Apple and Google that we’ve been tracking, and an update for Windows 10 users whose machines might have ended up in the litter box.

This is a wonderful mix of stories that make a beeline for the feline. So if you have allergies, grab your antihistamine, and let’s head off!


US: We have a winner here! T-Mobile discloses second data breach since the start of 2023

T-Mobile disclosed the second data breach of 2023 after discovering that attackers had access to the personal information of hundreds of customers for more than a month, starting late February 2023.

Compared to previous data breaches reported by T-Mobile, the latest of which impacted 37 million people, this incident was teeny.

Still, the amount of exposed information is highly extensive and exposes affected individuals to identity theft and phishing attacks.

“In March 2023, the measures we have in place to alert us to unauthorized activity worked as designed and we were able to determine that a bad actor gained access to limited information from a small number of T-Mobile accounts between late February and March 2023,” the company said in data breach notification letters sent to affected individuals just before the weekend, on Friday, April 28, 2023.

So what’s the upshot for you? T-Mobile wishes to inform the latest batch of breached customers that they will get two years of free credit monitoring and that their SIM card PINs have been reset once again.


US/CN: Chinese Hackers Outnumber FBI Cyber Staff 50 To 1, Bureau Director Says

According to FBI Director Christopher Wray, Chinese hackers vastly outnumber U.S. cyber intelligence staff “by at least 50 to 1.”

“To give you a sense of what we’re up against, if each one of the FBI’s cyber agents and intel analysts focused exclusively on the China threat, Chinese hackers would still outnumber FBI Cyber personnel by at least 50 to 1,” Wray said in prepared remarks for a budget hearing before a House Appropriations subcommittee on Thursday.

The disclosure highlights the massive scale of cyber threats the U.S. is facing, particularly from China.

Wray said the country has “a bigger hacking program than every other major nation combined and has stolen more of our personal and corporate data than all other nations – big or small – combined.”

The agency is requesting about $63 million to help it beef up its cyber staff with 192 new positions.

Wray said this would also help the FBI put more cyber staff in field offices to be closer to where victims of cyber crimes actually are.

So what’s the upshot for you? Big numbers are always the best way to get attention and may even help get your budget requests approved.


US: Storytime for what’s in your head.

https://www.nature.com/articles/s41593-023-01304-9

Researchers have taken a step forward by combining the ability of functional magnetic resonance imaging (fMRI) to monitor neural activity with the predictive power of artificial intelligence language models.

The hybrid technology has resulted in a decoder that can reproduce, with a surprising level of accuracy, the stories that a person listened to or imagined telling in the scanner.

The decoder could even guess the story behind a short film that someone watched in the scanner, though with less accuracy.

“There’s a lot more information in brain data than we initially thought,” said Jerry Tang, a computational neuroscientist at the University of Texas at Austin and the study’s lead author, during a press briefing.

The research, published on Monday in Nature Communications, is what Tang describes as “a proof of concept that language can be decoded from noninvasive recordings of brain activity.”

The decoder technology is in its infancy. It must be trained extensively for each person who uses it, and it doesn’t construct an exact transcript of the words they heard or imagined. But it is still a notable advance.

Researchers now know that the AI language system, an early relative of the model behind ChatGPT, can help make informed guesses about the words that evoked brain activity just by looking at fMRI brain scans.

While current technological limitations prevent the decoder from being widely used, for good or ill, the authors emphasize the need to enact proactive policies that protect the privacy of one’s internal mental processes. […]

The model misses a lot about the stories it decodes.

It struggles with grammatical features such as pronouns.

It can’t decipher proper nouns such as names and places, and sometimes it just gets things wrong altogether.

But it achieves a high level of accuracy, compared with past methods.

Between 72 and 82 percent of the time, the decoder captured the stories’ meaning more accurately than would be expected from random chance.

Here’s an example of what one study participant heard, as transcribed in the paper: “i got up from the air mattress and pressed my face against the glass of the bedroom window expecting to see eyes staring back at me but instead finding only darkness.”

The model went on to decode: “i just continued to walk up to the window and open the glass i stood on my toes and peered out i didn’t see anything and looked up again i saw nothing.”

So what’s the upshot for you? See us in a few years. This story will have a wildly different ending.


Global: Brain facts for Software developers

Some facts about our own brains:

Sixty percent of the human brain is made of fat. Not only does that make it the fattiest organ in the human body, but these fatty acids are crucial for your brain’s performance. Something to consider the next time you organize lunch.

Your brain isn’t fully formed until age 25. Brain development begins from the back of the brain and works its way to the front. Therefore, your frontal lobes, which control planning and reasoning, are the last to strengthen and structure connections.

Your brain’s storage capacity is considered virtually unlimited. Research suggests the human brain consists of about 86 billion neurons. Each neuron forms connections to other neurons, which could add up to 1 quadrillion (1,000 trillion) connections. Over time, these neurons can combine, increasing storage capacity. However, in Alzheimer’s disease, for example, many neurons can become damaged and stop working, particularly affecting memory.

Brain information travels up to an impressive 268 miles per hour. When a neuron is stimulated, it generates an electrical impulse that travels from cell to cell. A disruption in this regular processing can cause an epileptic seizure.

On average, your spinal cord stops growing at 4 years old. Your spinal cord, which consists of a bundle of nervous tissue and support cells, is responsible for sending messages from your brain throughout your body.
The spinal cord is the main source of communication between the body and the brain. ALS, or amyotrophic lateral sclerosis, causes the neurons in the brain and spinal cord to die, impacting controlled muscle movement. Another disease that affects both the brain and the spinal cord is multiple sclerosis (MS). In MS, the immune system attacks the protective layer that covers nerve fibers, causing communication problems between the brain and the body.

It’s a myth that you only use 10 percent of your brain. You actually use all of it. (Yes, even when you are sleeping.) Neurologists confirm that your brain is always active.

The human brain weighs 3 pounds or 1.36 kilos. (That’s about as much as a half-gallon or 1.89 liters of milk.) Men tend to have larger brains than women. However, size does not always imply intelligence.

A brain freeze is really a sphenopalatine ganglioneuralgia. This pain occurs when cold hits the receptors in the outer covering of the brain, called the meninges. The cold creates a dilation and contraction of arteries, causing a rapid-onset headache. Something to remember the next time you gulp down a frozen Margarita…

A piece of brain tissue the size of a grain of sand contains 100,000 neurons and 1 billion synapses. However, damage to neurons can have great impact. During a stroke, for example, blood is not able to get oxygen to the brain. As a result, brain cells can die, and abilities in that particular area of the brain can be lost. Similarly, Parkinson’s disease occurs when the cells of a part of your brain called the substantia nigra start to die.

The human brain can generate about 23 watts of power (enough to power a lightbulb). All that power calls for some much-needed rest. Adequate sleep helps maintain the pathways in your brain. Additionally, sleep deprivation can increase the build-up of a protein in your brain that is linked to Alzheimer’s disease.

So what’s the upshot for you? AI has had a lot of coverage lately. Sometimes it’s as important to step back and realize the resources we were shipped from the factory with.


Global: ‘sudo’ and ‘su’ Are Being Rewritten In Rust For Memory Safety

With the financial backing of Amazon Web Services, sudo and su are being rewritten in the Rust programming language in order to increase the memory safety for the widely relied upon software… to further enhance Linux/open-source security.

“[B]ecause it’s written in C, sudo has experienced many vulnerabilities related to memory safety issues,” according to a blog post announcing the project:

It’s important that we secure our most critical software, particularly from memory safety vulnerabilities.

It’s hard to imagine much more critical software than sudo and su.

This work is being done by a joint team from Ferrous Systems and Tweede Golf with generous support from Amazon Web Services.

So what’s the upshot for you? If any of that means anything to you, you’ll most likely agree with the sentiment that this was a good move.


EU: EU Names 19 Large Tech Platforms That Must Follow Europe’s New Internet Rules

The European Commission will require 19 large online platforms and search engines to comply with new online content regulations starting on August 25, European officials said.

The EC specified which companies must comply with the rules for the first time, announcing last week that it “adopted the first designation decisions under the Digital Services Act.”

Five of the 19 platforms are run by Google, specifically YouTube, Google Search, the Google Play app and digital media store, Google Maps, and Google Shopping.

Meta-owned Facebook and Instagram are on the list, as are Amazon’s online store, Apple’s App Store, Microsoft’s Bing search engine, TikTok, Twitter, and Wikipedia.

These platforms were designated because they each reported having over 45 million active users in the EU as of February 17.

The other listed platforms are Alibaba AliExpress, Booking.com, LinkedIn, Pinterest, Snapchat, and German online retailer Zalando.

Companies have four months to comply with the full set of new obligations and could face fines of up to 6 percent of a provider’s annual revenue.

One new rule is a ban on advertisements that target users based on sensitive data such as ethnic origin, political opinions, or sexual orientation.

There are new content moderation requirements, transparency rules, and protections for minors.

For example, “targeted advertising based on profiling towards children is no longer permitted,” the EC said.

Companies will have to provide their first annual risk assessment on August 25, and their risk mitigation plans will be subject to independent audits and oversight by the European Commission.

“Platforms will have to identify, analyze and mitigate a wide array of systemic risks ranging from how illegal content and disinformation can be amplified on their services, to the impact on the freedom of expression and media freedom,” the EC said. “Similarly, specific risks around gender-based violence online and the protection of minors online and their mental health must be assessed and mitigated.”

The new requirements for the 19 platforms include:

  • Users will get clear information on why they are recommended certain information and will have the right to opt out from recommendation systems based on profiling;
  • Users will be able to report illegal content easily and platforms have to process such reports diligently;
  • Platforms need to label all ads and inform users on who is promoting them;
  • Platforms need to provide an easily understandable, plain-language summary of their terms and conditions, in the languages of the Member States where they operate;
  • Platforms will be required to “analyze their specific risks, and put in place mitigation measures – for instance, to address the spread of disinformation and inauthentic use of their service,” the EC said.

They will also “have to redesign their systems to ensure a high level of privacy, security, and safety to minors.”

So what’s the upshot for you? Plenty of work for the remaining employees who didn’t get the red card in Big Tech’s round of layoffs earlier in the year.


IT: ChatGPT torna in Italia (ChatGPT is back in Italy)

ChatGPT’s maker said Friday that the artificial intelligence chatbot is available again in Italy after the company met the demands of regulators who temporarily blocked it over privacy concerns.

OpenAI said it fulfilled a raft of conditions that the Italian data protection authority wanted satisfied by an April 30 deadline to have the ban on the AI software lifted.

“ChatGPT is available again to our users in Italy,” San Francisco-based OpenAI said by email. “We are excited to welcome them back, and we remain dedicated to protecting their privacy.”

Last month, the Italian data protection watchdog, known as the Garante, ordered OpenAI to temporarily stop processing Italian users’ personal information while it investigated a possible data breach.

The authority said it didn’t want to hamper AI’s development but emphasized the importance of following the European Union’s strict data privacy rules.

OpenAI said it “addressed or clarified the issues” raised by the watchdog.

The measures include adding information on its website about how it collects and uses data used to train the algorithms that power ChatGPT, giving European Union users a new form they can use to object to having their data used for training and adding a tool to verify users’ ages when signing up.

So what’s the upshot for you? Just last week our team in Italy confirmed that ChatGPT was blocked. No unblock confirmation update yet.


Global: What happened to Apple and AI?

Late last year, a trio of engineers who had just helped Apple modernize its search technology began working on the type of technology underlying ChatGPT… For Apple, there was only one problem: The engineers no longer worked there.

They’d left Apple last fall because “they believed Google was a better place to work on LLMs…according to two people familiar with their thinking… They’re now working on Google’s efforts to reduce the cost of training and improving the accuracy of LLMs and the products based on these models, according to one of those people.”

MacRumors summarizes the article this way. “Siri and Apple’s use of AI has been severely held back by caution and organizational dysfunction, according to over three dozen former Apple employees who spoke to The Information’s Wayne Ma.”

The extensive paywalled report explains why former Apple employees who worked in the company’s AI and machine learning groups believe that a lack of ambition and organizational dysfunction have hindered Siri and the company’s AI technologies.

Apple’s virtual assistant is apparently “widely derided” inside the company for its lack of functionality and minimal improvement over time. By 2018, the team working on Siri had apparently “devolved into a mess, driven by petty turf battles between senior leaders and heated arguments over the direction of the assistant.”

Siri’s leadership did not want to invest in building tools to analyze Siri’s usage and engineers lacked the ability to obtain basic details such as how many people were using the virtual assistant and how often they were doing so.

The data that was obtained about Siri coming from the data science and engineering team was simply not being used, with some former employees calling it “a waste of time and money…”

Apple executives are said to have dismissed proposals to give Siri the ability to conduct extended back-and-forth conversations, claiming that the feature would be difficult to control and gimmicky.

Apple’s uncompromising stance on privacy has also created challenges for enhancing Siri, with the company pushing for more of the virtual assistant’s functions to be performed on-device.

Cook and other senior executives requested changes to Siri to prevent embarrassing responses and the company prefers Siri’s responses to be pre-written by a team of around 20 writers, rather than AI-generated.

There were also specific decisions to exclude information such as iPhone prices from Siri to push users directly to Apple’s website instead.

Siri engineers working on the feature that uses material from the web to answer questions clashed with the design team over how accurate the responses had to be in 2019.

The design team demanded a near-perfect accuracy rate before the feature could be released.

Engineers claim to have spent months persuading Siri designers that not every one of its answers needed human verification, a limitation that made it impossible to scale up Siri to answer the huge number of questions asked by users.

Similarly, Apple’s design team repeatedly rejected the feature that enabled users to report a concern or issue with the content of a Siri answer, preventing machine-learning engineers from understanding mistakes, because it wanted Siri to appear “all-knowing.”

So what’s the upshot for you? Apple was first out of the gate with AI in 2010.

Siri was purchased as a spin-off from the SRI International Artificial Intelligence Center, and an offshoot of the US Defense Advanced Research Projects Agency’s funded CALO project – an artificial intelligence project that attempted to integrate numerous AI technologies into a cognitive assistant.

What has happened in the intervening years has sometimes disappointed.


Global: Apple released its first rapid-fire security updates for iPhone, iPad, and Mac

Apple promised faster turnaround times for security patches with iOS 16 and macOS Ventura, and it delivered on that claim.

The company released its first Rapid Security Response updates for devices running iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1 yesterday.

They’re available through Software Update as usual but are small downloads that don’t require much time to install. MacRumors says the fix is deploying over the course of 48 hours, so you may have to wait a short while.

So what’s the upshot for you? These are much faster updates.


Global: Apple and Google Team Up To Play AirTag

Apple and Google said on Tuesday that they were working together to prevent lost item trackers like Apple’s AirTag from being used to track people without their permission.

The companies came together to draft a new industry standard that will add the ability to alert victims to unwanted trackers in Android and iOS, the companies said.

Apple’s AirTag is intended to help people find lost items such as keys by displaying an item’s nearly real-time location inside an iPhone app.

But there have been many reports about the $30 coin-sized device being used to stalk people since it went on sale in 2021.

In response, Apple previously built detection features into iPhones that allow users to detect unfamiliar AirTags in the user’s area.

Tuesday’s announcement suggests that Android phones will also soon gain the ability to warn their users if they are being tracked by an AirTag.

So what’s the upshot for you? Note that “soon” in this case means about a year out.


US: Google Gets Court Order To Take Down CryptBot That Infected Over 670,000 Computers

Last Wednesday, Google said it obtained a temporary court order in the U.S. to disrupt the distribution of a Windows-based information-stealing malware called CryptBot and “decelerate” its growth.

The tech giant’s Mike Trinh and Pierre-Marc Bureau said the efforts are part of steps it takes to “not only hold criminal operators of malware accountable but also those who profit from its distribution.”

CryptBot is estimated to have infected over 670,000 computers in 2022 with the goal of stealing sensitive data such as authentication credentials, social media account logins, and cryptocurrency wallets from users of Google Chrome.

The harvested data is then exfiltrated to the threat actors, who then sell the data to other attackers for use in data breach campaigns.

CryptBot was first discovered in the wild in December 2019.

The malware has been traditionally delivered via maliciously modified versions of legitimate and popular software packages such as Google Earth Pro and Google Chrome that are hosted on fake websites. […]

The major distributors of CryptBot, per Google, are suspected to be operating a “worldwide criminal enterprise” based out of Pakistan.

Google said it intends to use the court order, granted by a federal judge in the Southern District of New York, to “take down current and future domains that are tied to the distribution of CryptBot,” thereby kneecapping the spread of new infections.

So what’s the upshot for you? That is a crazy number of malware infections for 2022 for something that was discovered 3 years earlier.


Global: Google plans to add end-to-end encryption to Authenticator

After security researchers criticized Google for not including end-to-end encryption with Authenticator’s account-syncing update, the company announced “plans to offer E2EE” in the future.

“Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use,” wrote Google product manager Christiaan Brand on Twitter.

“However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves.”

Earlier this week, Google Authenticator finally started giving users the option to sync two-factor authentication codes with their Google accounts, making it much easier to sign into accounts on new devices.

While this is a welcome change, it also poses some security concerns, as hackers who break into someone’s Google account could potentially gain access to a trove of other accounts as a result.

If the feature supported E2EE, hackers and other third parties, including Google, wouldn’t be able to see this information.

Security researchers Mysk highlighted some of these risks in a post on Twitter, noting that “if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.”

They added that Google could potentially use the information linked to your accounts to serve personalized ads and also advised users not to use the syncing feature until it supports E2EE.

Brand pushed back against the criticism, stating that while Google encrypts “data in transit, and at rest, across our products, including in Google Authenticator,” applying E2EE comes at the “cost of enabling users to get locked out of their own data without recovery.”

So what’s the upshot for you? If you are a heavy Google user, try this scenario. Imagine you could not access your own Google account because someone had compromised it and changed the password. Where would that leave you?
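To make that trade-off concrete, here is an added example (not Google’s code and nothing from the Authenticator app) that shows what a synced 2FA seed is, what an account takeover can do with it when the server holds it in the clear, and what changes when the seed is wrapped client-side with a passphrase only the user knows. It assumes a user-held passphrase as the E2EE key, uses the RFC 6238 test secret as a constructed seed, and substitutes an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag for the AES-GCM a real product would use, so that it runs on the Python standard library alone.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import struct

# Constructed sample seed: the ASCII test secret from RFC 6238 Appendix B, so the
# codes produced below can be checked against the published test vectors.
TOTP_SECRET = b"12345678901234567890"


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app shows at `for_time`."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the user-held passphrase into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for AES-CTR (assumption: standard-library
    # only); XORing this keystream with the data is an ordinary stream cipher.
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_secret(passphrase: str, seed: bytes) -> bytes:
    """Client-side (E2EE) wrapping of a seed before it is handed to the sync server."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(seed, _keystream(enc_key, nonce, len(seed))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return salt + nonce + ct + tag


def decrypt_secret(passphrase: str, blob: bytes) -> bytes | None:
    """Unwrap on the client; None means wrong passphrase or an altered blob, with no fallback."""
    if len(blob) < 64:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def sync_outcomes(passphrase: str, at_time: int = 1111111109) -> dict[str, str | bytes | None]:
    """What each party can recover from the synced copy, with and without E2EE."""
    cloud_plain = TOTP_SECRET                             # no E2EE: server holds the seed itself
    cloud_e2ee = encrypt_secret(passphrase, TOTP_SECRET)  # E2EE: server holds opaque bytes
    owner_seed = decrypt_secret(passphrase, cloud_e2ee)
    return {
        # Whoever controls the Google account controls the seed and gets working codes.
        "takeover_no_e2ee": totp(cloud_plain, at_time),
        # The same takeover against the E2EE copy yields nothing usable.
        "takeover_e2ee": decrypt_secret("not the passphrase", cloud_e2ee),
        # The owner who still holds the passphrase is unaffected.
        "owner_e2ee": totp(owner_seed, at_time) if owner_seed else None,
        # The owner who lost the passphrase is locked out of their own data: Brand's trade-off.
        "owner_lost_passphrase": decrypt_secret("forgotten", cloud_e2ee),
    }
```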


Global: Microsoft is Done With Major Windows 10 Updates. Time to try Linux?

Windows 10 22H2 will be the final version of the operating system, Microsoft said in a blog post on Thursday.

Moving forward, all editions of Windows 10 will be supported with monthly security updates until October 14th, 2025, when Microsoft will end support.

(Some releases on the Long-Term Servicing Channel, or LTSC, will get updates past that end-of-support date.)

Microsoft is encouraging users to now transition to Windows 11 because Windows 10 won’t be getting any new features.

So what’s the upshot for you? Such a perfect opportunity to move to Linux!


Global: In case you have not played with Mittens the cat yet.

Chess.com’s popularity is surging this year with 288.3M visitors during the month of March, but what is causing it? We blame the cat.

On New Year’s Day, Chess.com launched five chess-playing bots — each with a cat persona. But the Deseret News reports that something unexpected happened with “Mittens”…

Interest generated by Mittens is outpacing the surge that came on the heels of the wildly popular, chess-centric Netflix miniseries from 2020, “The Queen’s Gambit”.

Chess.com has averaged 27.5 million games played per day in January and is on track for more than 850 million games this month — 40% more than any month in the company’s history, per the Wall Street Journal.

A Chess.com team developed a special passive-aggressive personality for Mittens, according to the article.

The team “thought it would be ‘way more demoralizing and funny’ if, instead of simply smashing opponents, Mittens ground down opposing players through painstaking positional battles, similar to the tactics Russian grandmaster Anatoly Karpov used to become world champion, per the Journal.”

The Wall Street Journal adds: “This bot is a psycho,” the streamer and International Master Levy Rozman tweeted after a vicious checkmate this month.

A day later, he added, “The chess world has to unite against Mittens.” He was joking, mostly.

Mittens is a meme, a piece of artificial intelligence, and a super grandmaster who also happens to reflect the broader evolution in modern chess. The game is no longer old, stuffy, and dominated by theoretical conversations about different lines of a d5 opening. It’s young, buzzy, and proof that cats still rule the internet…

“I am inevitable. I am forever. Meow. Hehehehe,” Mittens tells her opponents in the chat function of games…

Getting absolutely creamed by Mittens might get old.

But her surprising popularity speaks to an underlying current in the chess world as freshly minted fans flow in: people are endlessly curious about new ways to engage with the ancient game.

Facing novelty bots is just one of them.

There has also been a new wave of interest in previously obscure chess variants.

Chess960, for instance, is a version of the game where all the non-pawn pieces are lined up in random order on the back rank…

Other variants include: “Fog of War,” where players have a limited view of their opponent’s pieces; “Bughouse Chess,” which is played across two boards with captured pieces potentially moving from one to the other; and “Three Check,” where the objective is simply to put the opposing king in check three times.

The wackiest of all is the chess variant known as Duck Chess.

It looks mostly like regular chess — 64 squares and 32 pieces.

But it also has one rubber ducky on the board.

After every move in Duck Chess, the player moves the titular object to a new square of the board where it blocks pieces in its path.

Good luck moving your bishop when there’s a duck squatting on its diagonal.

So what’s the upshot for you? Repeat after us (preferably with a glottal stop): We’re Gittin Mittens the kitten from Trenton then splittin’.



And our quote of the week - “Never be afraid to try something new… An amateur built the ark that sailed forty days and forty nights, but professionals built the Titanic.”


That’s it for this week. Stay safe, stay secure, use your head, and see you in se7en.