Piero Bosio Social Web Site Personale (Fediverso)

Federated social forum with the rest of the world. Instances don't matter, people do.

BrianKrebs
@briankrebs@infosec.exchange

Posts: 42 | Topics: 27 | Shares: 0 | Groups: 0 | Followers: 0 | Following: 0

Posts

  • Agentic AI-based services are the new Shadow IT.
    briankrebs@infosec.exchange

    @gnomon @hacks4pancakes With respect, all the devs using agentic tools have the best intentions at heart. How is this different?

    Uncategorized

  • Agentic AI-based services are the new Shadow IT.
    briankrebs@infosec.exchange

    I'd argue that very few companies have any real appreciation for how many of their employees are already feeding API keys and other stuff into fairly new and questionable agentic AI tools or platforms. So many companies are like, oh we're taking a wait-and-see approach to adopting AI. Meanwhile, half their dev team is doing critical development work on shared servers that have no authentication or limited (no 2fa) auth.

    Uncategorized

  • Agentic AI-based services are the new Shadow IT.
    briankrebs@infosec.exchange

    Agentic AI-based services are the new Shadow IT. Change my mind.

    Uncategorized
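    The thread above is about developers handing API keys to agent tools nobody in the company has vetted. An added example, not code from Krebs or from any product: a small Python scanner that inventories the credentials sitting in a developer's dotfiles and shell history, which is exactly the material an agent tool run from that working directory would read or be handed. The sample inputs are constructed; the AWS values are Amazon's documented placeholder keys, the GitHub and bearer tokens are made-up strings of the right shape, and the length and entropy thresholds (20 characters, 3.5 bits per character) are assumptions you would tune against your own false-positive rate.

```python
"""Inventory credentials in dotfiles and shell history before an agent tool sees them.

Added example, not from the original post. Sample inputs are constructed.
"""
import math
import re
from collections import Counter

# Constructed sample: a .env file in a developer's working tree.
# AWS values are Amazon's documented placeholders; the rest are made up.
SAMPLE_ENV = """\
DATABASE_URL=postgres://app:app@db.internal:5432/app
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITHUB_TOKEN=ghp_4qJ7bK2mN9pR5sT8vW1xY3zA6cD0eF2gH4jK
LOG_LEVEL=debug
"""

# Constructed sample: a shell history with a key exported for an agent CLI
# (the "sk-proj-" prefix is just how the fake value was built; the scanner
# does not depend on it) and a bearer token pasted into a curl call.
SAMPLE_HISTORY = """\
cd ~/src/billing
export OPENAI_API_KEY=sk-proj-Qm9sdGVkT25TaGFkb3dJVDAwMTEyMjMz
agent-cli run --task "refactor payments module"
curl -s -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZXYifQ.x7Kq2PbM" https://api.example/agents
export API_KEY=changeme
git push
"""

# Fixed-format credentials with well-known prefixes.
NAMED_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]
# Credentials embedded in URLs: scheme://user:password@host
URL_CREDS = re.compile(r"[a-z][a-z0-9+.\-]*://[^\s:@/]+:([^\s@/]+)@")
# Bearer tokens in Authorization headers.
BEARER = re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._\-]{20,})")
# Generic VAR=value where the variable name suggests a secret.
GENERIC = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:key|token|secret|password)[A-Z0-9_]*)\s*=\s*['\"]?([^\s'\"]+)"
)
MIN_LEN = 20          # assumption: shorter values are treated as placeholders
MIN_ENTROPY = 3.5     # assumption: bits/char below which a value is not random


def shannon_entropy(s: str) -> float:
    """Bits per character of the byte-value distribution of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _finding(source, lineno, rule, name, value):
    # Keep only a short prefix so the report itself does not leak the secret.
    return {"source": source, "line": lineno, "rule": rule, "name": name,
            "preview": f"{value[:4]}... ({len(value)} chars)"}


def scan_text(text: str, source: str) -> list:
    """Return one finding per credential-looking value in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()  # values already reported by a more specific rule
        for rule, pattern in NAMED_RULES:
            for m in pattern.finditer(line):
                findings.append(_finding(source, lineno, rule, rule, m.group(0)))
                seen.add(m.group(0))
        for m in URL_CREDS.finditer(line):
            findings.append(_finding(source, lineno, "url_credentials", "url", m.group(1)))
            seen.add(m.group(1))
        for m in BEARER.finditer(line):
            findings.append(_finding(source, lineno, "bearer_token", "Authorization", m.group(1)))
            seen.add(m.group(1))
        for m in GENERIC.finditer(line):
            name, value = m.group(1), m.group(2)
            if value in seen or len(value) < MIN_LEN or shannon_entropy(value) < MIN_ENTROPY:
                continue
            findings.append(_finding(source, lineno, "generic_high_entropy", name, value))
    return findings


def scan_all() -> list:
    return scan_text(SAMPLE_ENV, ".env") + scan_text(SAMPLE_HISTORY, ".bash_history")


def summarize(findings: list) -> dict:
    """Count findings per rule, the number you would put in front of management."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    results = scan_all()
    for f in results:
        print(f"{f['source']}:{f['line']} {f['rule']:22} {f['name']:22} {f['preview']}")
    print(summarize(results))
```

    Run it over a real `~/.bash_history`, `.env` files and any agent configuration directory instead of the samples, and treat every hit as a credential that has to be rotated, not merely deleted: once a value has been pasted into a third-party tool you have no way to know where it was logged. The specific rules run first so a known key type is reported under its real name rather than as a generic high-entropy string; the placeholder `changeme` is dropped by the length check, which is the usual way to keep such a scanner from drowning in noise.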

  • ugh.
    briankrebs@infosec.exchange

    @renchap @jerry You might be on to something here. There are a vast number of smaller orgs whose websites are getting positively swamped by all kinds of content scraping activity, much of it to build out LLMs. There are real and direct costs, and this is an important and seldom highlighted one.

    Uncategorized

  • Goddamn "private mention" is hard to use safely.
    briankrebs@infosec.exchange

    @adamshostack hard agree. to the point where that's why i don't use it. also, sometimes hard to tell when someone has sent you a private message, especially when there are multiple people on the private message.

    Uncategorized

  • ICYMI, from Reuters:
    briankrebs@infosec.exchange

    ICYMI, from Reuters:

    "Democratic Senator Maria Cantwell on Tuesday said Verizon and AT&T are blocking release of key documents about an alleged massive Chinese spying operation that infiltrated U.S. telecommunications networks known as Salt Typhoon and wants their CEOs to appear before Congress to answer questions."

    "Cantwell asked both companies to turn over security assessments conducted by Alphabet cybersecurity unit Mandiant. She said Mandiant refused to provide the requested network security assessments, apparently at the direction of AT&T and Verizon."

    "In some cases, hackers are alleged to have intercepted conversations, including between prominent U.S. politicians and government officials. Several lawmakers have described them as the worst telecom hacks in U.S. history."

    "Cantwell said Salt Typhoon allowed the Chinese government to "geolocate millions of individuals" and "record phone calls at will," and that the incident targeted almost every American."

    https://www.reuters.com/business/media-telecom/senator-says-att-verizon-blocking-release-salt-typhoon-security-assessment-2026-02-03/

    Uncategorized

  • This makes me sad (been there).
    briankrebs@infosec.exchange

    Oof. Like an ad for an airline right next to a story about a plane crash. From The New Yorker article:

    "It did not help the staff’s morale that Lewis and his team were hobnobbing in Davos, or that Bezos and his wife, Lauren Sánchez, were in Paris for Haute Couture Week. More troubling were reminders that Bezos, who once emblazoned “Democracy Dies in Darkness” on the paper’s masthead, appears to be pursuing a policy of appeasement toward the Trump Administration."

    "As the staff awaited the axe, the President and the First Lady celebrated the première of “Melania,” a documentary that Amazon had licensed for forty million dollars and was reported to be spending another thirty-five million to promote. The deal was inked after Bezos had dinner with the Trumps shortly before the Inauguration."

    Uncategorized

  • This makes me sad (been there).
    briankrebs@infosec.exchange

    Good coverage from The New Yorker

    "The announcement was left to the executive editor, Matt Murray, and human-relations chief Wayne Connell; the newspaper’s publisher, Will Lewis, was nowhere to be seen as the grim news was unveiled. In what Murray termed a “broad strategic reset,” the Post’s storied sports department was shuttered “in its current form”; several reporters will now cover sports as a “cultural and societal phenomenon.” The metro staff, already cut to about forty staffers during the past five years, has been shrunk to about twelve; the foreign desks will be reduced to approximately twelve locations from more than twenty; Peter Finn, the international editor, told me that he asked to be laid off. The books section and the flagship podcast, “Post Reports,” will end. Shortly after the meeting, staffers received individualized e-mails letting them know whether they would stay or go. Murray said the retrenched Post would “concentrate on areas that demonstrate authority, distinctiveness, and impact,” focusing on areas such as politics and national security. This strategy, a kind of Politico-lite, would be more convincing if so many of the most talented players were not already gone."

    https://archive.is/YRuaF

    Uncategorized

  • This makes me sad (been there).
    briankrebs@infosec.exchange

    The NYT says WaPo is laying off about 30 percent of all employees, including more than 300 of the roughly 800 journalists in the newsroom.

    https://www.nytimes.com/2026/02/04/business/media/washington-post-layoffs.html

    Uncategorized

  • This makes me sad (been there).
    briankrebs@infosec.exchange

    This makes me sad (been there). From Joe Menn at WaPo: "Most of the Washington Post’s tech reporters were laid off today, including me. I have loved my time at the paper, which is where I wanted to work from age 15. I take some consolation in not being among the survivors who will have to work harder with less for fewer readers. On to better things."

    Uncategorized

  • According to the Epstein files, he had a "personal hacker" working for him.
    briankrebs@infosec.exchange

    According to the Epstein files, he had a "personal hacker" working for him. The FBI document says Epstein's personal hacker was an "Italian citizen born in Calabria who developed zero-day exploits and offensive cyber tools and sold the tools to governments."

    https://www.justice.gov/epstein/files/DataSet%2010/EFTA01683874.pdf

    "[Redacted] sold a zero-day to Hezbollah. [Redacted] was known as the first person to hack and find vulnerabilities in Blackberries and iOS. He was known for finding Firefox vulnerabilities. [Redacted] former company was acquired by CrowdStrike in fall of 2017 and was currently a vice president there."

    "S//NF= was very good at finding vulnerabilities was friends with "old school" European hackers. "Received a trunk of cash from Hezbollah when was in Italy; drove the money to Switzerland and deposited it in another ba [redacted]. [redacted] owned a theater company in California and he used the theater company to launder his zeroday money"

    "Made six figures from the sale of his zero-days. He sold his tools to United Kingdom GCHQ and provided training to the organization. He also sold his zero-days to a Central African government, as well as Hezbollah for political reasons. The Italian Government asked for help, but [redacted] declined because he felt the Government was incompetent. Calabria was mob-controlled and did not have much loyalty for his birth country."

    "[Redacted] sold his exploits to the United States and United Kingdom, but he would not sell to Asian countries because he is a racist. He was also anti-Semitic. [Redacted] was terrified of Russia, however, and would never travel there. He lived in Dubai at one time, and was acquainted with the [redacted] lived in Oman as well. He may have an Iranian and Israeli passport, in addition to his Vatican City passport"

    Looks likely the top commenter here is correct about "Epstein's hacker":

    https://www.reddit.com/r/cybersecurity/comments/1qsi6ds/informant_told_fbi_that_jeffrey_epstein_had_a/

    Uncategorized

  • We knew this was coming, but now the clock is running.
    briankrebs@infosec.exchange

    @fl0und3r So...pass on #fashpass? I like yours better.

    Uncategorized

  • We knew this was coming, but now the clock is running.
    briankrebs@infosec.exchange

    Just say no to #fashpass

    Uncategorized

  • We knew this was coming, but now the clock is running.
    briankrebs@infosec.exchange

    @farbel Did you try to send to cbp_pra@cbp.dhs.gov? Did you get a bounce?

    Uncategorized

  • We knew this was coming, but now the clock is running.
    briankrebs@infosec.exchange

    I feel for anyone in the travel, tourism and hospitality industries, which make up ~ 10M jobs and ~ 3 percent of the nation's GDP. From the U.S. International Trade Administration (trade.gov)

    "Inbound international travel to the United States plays a vital role in the Nation’s economy and promotes cultural exchange and understanding. Travel and tourism is the largest single services export for the United States, accounting for 22 percent of the country’s services exports and 7 percent of all exports in 2023. The travel and tourism industry contributed $2.3 trillion to the U.S. economy in 2022 (2.97 percent of the country’s GDP), supporting 9.5 million jobs."

    Uncategorized

  • We knew this was coming, but now the clock is running.
    briankrebs@infosec.exchange

    We knew this was coming, but now the clock is running. From Privacy International:

    "Yesterday the Trump Administration announced a proposed change in policy for travellers to the U.S. It applies to the powers of data collection by the Customs and Border Police (CBP)."

    "If the proposed changes are adopted after the 60-day consultation, then millions of travellers to the U.S. will be forced to use a U.S. government mobile phone app, submit their social media from the last five years and email addresses used in the last ten years, including of family members. They’re also proposing the collection of DNA."

    PI linked to and summarized a Federal Register entry describing the proposed requirements:

    -All visitors must submit ‘their social media from the last 5 years’
    -ESTA (Electronic System for Travel Authorization) applications will include ‘high value data fields’, ‘when feasible’:
    -‘telephone numbers used in the last five years’
    -‘email addresses used in the last ten years’
    -‘family number telephone numbers (sic) used in the last five years’
    -biometrics – face, fingerprint, DNA, and iris
    -business telephone numbers used in the last five years
    -business email addresses used in the last ten years.

    https://www.privacyinternational.org/news-analysis/5713/trump-administration-wants-your-dna-and-social-media

    The Federal Register entry says comments are encouraged and must be submitted (no later than February 9, 2026) to be assured of consideration.

    Federal Register entry: https://www.govinfo.gov/content/pkg/FR-2025-12-10/pdf/2025-22461.pdf

    Uncategorized

  • New, from me: Who Operates the Badbox 2.0 Botnet?
    briankrebs@infosec.exchange

    New, from me: Who Operates the Badbox 2.0 Botnet?

    The cybercriminals in control of Kimwolf -- a disruptive botnet that has infected more than 2 million devices -- recently shared a screenshot indicating they'd compromised the control panel for Badbox 2.0, a vast China-based botnet powered by malicious software that comes pre-installed on many Android TV streaming boxes. Both the FBI and Google say they are hunting for the people behind Badbox 2.0, and thanks to bragging by the Kimwolf botmasters we may now have a much clearer idea about that.

    https://krebsonsecurity.com/2026/01/who-operates-the-badbox-2-0-botnet/

    Uncategorized

  • WaPo reports:
    briankrebs@infosec.exchange

    WaPo reports:

    "The FBI executed a search warrant Wednesday morning at a Washington Post reporter’s home as part of an investigation into a government contractor accused of illegally retaining classified government materials."

    "The reporter, Hannah Natanson, was at her home in Virginia at the time of the search. Federal agents searched her home and her devices, seizing her phone, two laptops and a Garmin watch. One of the laptops was her personal computer, the other a Washington Post-issued laptop."

    "It is exceptionally rare for law enforcement officials to conduct searches at reporters’ homes. Federal regulations intended to protect a free press are designed to make it difficult to use aggressive law enforcement tactics against reporters to obtain the identities of their sources or information."

    https://www.washingtonpost.com/national-security/2026/01/14/washington-post-reporter-search/

    https://archive.ph/kYFYo

    Guardian piece: https://www.theguardian.com/us-news/2026/jan/14/fbi-raid-washington-post-hannah-natanson

    Uncategorized

  • Can you believe it's been a month already, Windows (ab)users?
    briankrebs@infosec.exchange

    @noplasticshower don't call it Microslop!

    Uncategorized patchtuesday

  • Can you believe it's been a month already, Windows (ab)users?
    briankrebs@infosec.exchange

    Can you believe it's been a month already, Windows (ab)users? Yes, that's right, it's Patch Tuesday, or depending on when you're reading this Reboot Wednesday!

    Microsoft today issued patches to plug at least 113 security holes in its various Windows operating systems and supported software. Eight of the vulnerabilities earned Microsoft’s most-dire “critical” rating, and the company warns that attackers are already exploiting one of the bugs fixed today.

    https://krebsonsecurity.com/2026/01/patch-tuesday-january-2026-edition/

    #patchtuesday

    Uncategorized patchtuesday
  • 1 / 1
  • Login

  • Login or register to search.
  • First post
    Last post