
Piero Bosio Social: Personal Web Site

A social forum federated with the rest of the world. Instances don't matter; people do.

BrianKrebs

@briankrebs@infosec.exchange

Posts


  • WaPo reports:
    briankrebs@infosec.exchange

    WaPo reports:

    "The FBI executed a search warrant Wednesday morning at a Washington Post reporter’s home as part of an investigation into a government contractor accused of illegally retaining classified government materials."

    "The reporter, Hannah Natanson, was at her home in Virginia at the time of the search. Federal agents searched her home and her devices, seizing her phone, two laptops and a Garmin watch. One of the laptops was her personal computer, the other a Washington Post-issued laptop."

    "It is exceptionally rare for law enforcement officials to conduct searches at reporters’ homes. Federal regulations intended to protect a free press are designed to make it difficult to use aggressive law enforcement tactics against reporters to obtain the identities of their sources or information."

    https://www.washingtonpost.com/national-security/2026/01/14/washington-post-reporter-search/

    https://archive.ph/kYFYo

    Guardian piece: https://www.theguardian.com/us-news/2026/jan/14/fbi-raid-washington-post-hannah-natanson

    Uncategorized

  • Can you believe it's been a month already, Windows (ab)users?
    briankrebs@infosec.exchange

    @noplasticshower don't call it Microslop!

    Uncategorized patchtuesday

  • Can you believe it's been a month already, Windows (ab)users?
    briankrebs@infosec.exchange

    Can you believe it's been a month already, Windows (ab)users? Yes, that's right, it's Patch Tuesday, or depending on when you're reading this Reboot Wednesday!

    Microsoft today issued patches to plug at least 113 security holes in its various Windows operating systems and supported software. Eight of the vulnerabilities earned Microsoft’s most-dire “critical” rating, and the company warns that attackers are already exploiting one of the bugs fixed today.

    https://krebsonsecurity.com/2026/01/patch-tuesday-january-2026-edition/

    #patchtuesday

    Uncategorized patchtuesday

  • KrebsOnSecurity.com celebrates its 16th anniversary today!
    briankrebs@infosec.exchange

    KrebsOnSecurity.com celebrates its 16th anniversary today! A huge “thank you” to all of our readers — newcomers, long-timers and drive-by critics alike. Your engagement this past year here has been tremendous and truly a salve on a handful of dark days. Happily, comeuppance was a strong theme running through our coverage in 2025, with a primary focus on entities that enabled complex and globally-dispersed cybercrime services.

    I'll add this spoiler, from the end:

    "I am happy to report that the first KrebsOnSecurity stories of 2026 will go deep into the origins of Kimwolf, and examine the botnet’s unique and highly invasive means of spreading digital disease far and wide. The first in that series will include a somewhat sobering and global security notification concerning the devices and residential proxy services that are inadvertently helping to power Kimwolf’s rapid growth."

    https://krebsonsecurity.com/2025/12/happy-16th-birthday-krebsonsecurity-com/

    Uncategorized

  • I'm going to keep calling out companies that offer to pay me to repost stuff on my site.
    briankrebs@infosec.exchange

    I'm going to keep calling out companies that offer to pay me to repost stuff on my site. Especially the AI-backed ones, which seem unusually aggressive in this PR tactic. Who knows, maybe they'll stop sending them to me at least (not holding my breath).

    Uncategorized

  • via Hackernews.
    briankrebs@infosec.exchange

    via Hackernews. It really is comical the lengths to which companies will go to avoid being contacted by their customers.

    What the fuck is a ‘fuck off contact page?’

    "A “fuck off contact page” is what a company throws together when they actually don’t want anyone to contact them at all. They are usually found on the websites of million or billion dollar companies, likely Software-as-a-service (SaaS) companies that are trying to reduce the amount of money they spend on support by carefully hiding the real support channels behind login walls. These companies tend to offer multiple tiers of support, with enterprise customers having a customer success manager who they can call on this ancient device we call phones, whereas the lower-paying customers may have to wrangle various in-app ticket mechanisms. If you solve your own problem by reading the knowledge base, then this is a win for the company. They don’t want to hear from you, they want you to fuck off."

    https://www.nicchan.me/blog/the-f-off-contact-page/

    Uncategorized

  • This story has it all: enshittification, magic and subcutaneous passwords.
    briankrebs@infosec.exchange

    This story has it all: enshittification, magic and subcutaneous passwords.

    "A magician in Missouri had a kooky idea: implant a computer chip into his hand and then do some fun magic tricks with it. Too bad he forgot the password."

    "Moving away from using the gadget as a magic prop, he later tinkered around with the chip by rewriting it with a Bitcoin address and then had it link to an image meme on Imgur, the online image-sharing platform.

    “But a few years ago that imgur link went down, and when I went to re-write the chip, I was horrified to realize I forgot the password that I had locked it with,” he said."

    https://futurism.com/future-society/lost-password-chip-magician

    Uncategorized

  • New, by me: Is your Android TV streaming box part of a botnet?
    briankrebs@infosec.exchange

    New, by me: Is your Android TV streaming box part of a botnet?

    "On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for a one-time fee of around $400. But security experts warn these TV boxes require intrusive software that forces the user’s network to relay Internet traffic for others, traffic that is often tied to cybercrime activity such as advertising fraud and account takeovers."

    The story looks closely at what Superbox is, how it operates, and what it appears to do on the sly. Spoiler: A Censys researcher found that installing the apps that allow these channels to stream enrolls the user's IP in a residential proxy service, and that these devices include powerful network discovery and remote access tools like Tcpdump and Netcat.

    Overall, the Superbox is just one brand in an ocean of no-name Android-based TV boxes that are widely available and that either come pre-infected with malware or require malicious apps to use.

    https://krebsonsecurity.com/2025/11/is-your-android-tv-streaming-box-part-of-a-botnet/

    Uncategorized

  • I have quite a few projects I'm super excited to publish in the coming weeks.
    briankrebs@infosec.exchange

    One aspect of this I can't stop thinking about is the example and precedent set by this administration when Musk took over and started joining all these federal databases that had previously been kept separate for about 100+ reasons over time.

    Kind of secondary to those alarming developments was the fact that all of the safeguards we put in place to ensure Security 101 things like "need to know access" and audibility were just tossed out the window, and really haven't been observed by this administration since. It's as if the entirety of what they teach you in Security 101, 201, 301, etc, is just a suggestion.

    Also, where THE FUCK did this data go? Who has it? How can anyone be sure who does? Is it still being used? How will it be used going forward?

    Uncategorized

  • I have quite a few projects I'm super excited to publish in the coming weeks.
    briankrebs@infosec.exchange

    I have quite a few projects I'm super excited to publish in the coming weeks. But honestly, the main thing that's consuming my brain cycles story-wise is a year-end piece about just how badly this administration has fscked our cybers in so many ways.

    This won't be a polemical soliloquy. I intend to document all of the specific actions this administration has taken that appear to weaken, redirect, or fully castrate our cyber capabilities. Your assistance would be appreciated (and possibly noted).

    Uncategorized

  • New, by me: Mozilla Says It's Finally Done with Two-Faced Onerep
    briankrebs@infosec.exchange

    New, by me: Mozilla Says It's Finally Done with Two-Faced Onerep

    In March 2024, Mozilla said it was winding down its collaboration with Onerep — an identity protection service offered with the Firefox web browser that promises to remove users from hundreds of people-search sites — after KrebsOnSecurity revealed Onerep’s founder had created dozens of people-search services and was continuing to operate at least one of them. Sixteen months later, however, Mozilla is still promoting Onerep. This week, Mozilla announced its partnership with Onerep will officially end next month.

    https://krebsonsecurity.com/2025/11/mozilla-says-its-finally-done-with-two-faced-onerep/

    Uncategorized

  • Breathtaking incompetency.
    briankrebs@infosec.exchange

    Breathtaking incompetency. It's a feature, not a bug. From WaPo: Justice Dept. acknowledges full grand jury never saw final Comey indictment

    "The remarkable admission could threaten the viability of the case against the former FBI director."

    https://www.washingtonpost.com/national-security/2025/11/19/comey-trump-abuse-power-hearing/

    Uncategorized

  • 8 billion followers, huh?
    briankrebs@infosec.exchange

    8 billion followers, huh? Seems legit, lol. Who TF is Todd?

    Uncategorized

  • This is pretty wild.
    briankrebs@infosec.exchange

    This is pretty wild. Checkout.com got hacked by a group that claims to be Shiny Hunters again. Checkout said in a blog post that it would not be extorted by criminals.

    "We will not pay this ransom.

    Instead, we are turning this attack into an investment in security for our entire industry. We will be donating the ransom amount to Carnegie Mellon University and the University of Oxford Cyber Security Center to support their research in the fight against cybercrime."

    Far too many victim firms just pay up, to get back to business as usual asap. Imagine if a fraction of those victims instead paid into a fund for research that actively disrupts these groups.

    https://www.checkout.com/blog/protecting-our-merchants-standing-up-to-extortion

    Uncategorized

  • They had me at the headline: AI isn’t replacing jobs.
    briankrebs@infosec.exchange

    They had me at the headline: AI isn’t replacing jobs. AI spending is

    "From Amazon to General Motors to Booz Allen Hamilton, layoffs are being announced and blamed on AI. Amazon said it would cut 14,000 corporate jobs. United Parcel Service (UPS) said it had reduced its management workforce by about 14,000 positions over the past 22 months. And Target said it would cut 1,800 corporate roles. Some academic economists have also chimed in: The St. Louis Federal Reserve found a (weak) correlation between theoretical AI exposure and actual AI adoption in 12 occupational categories."

    "Yet we remain skeptical of the claim that AI is responsible for these layoffs. A recent MIT Media Lab study found that 95% of generative AI pilot business projects were failing. Another survey by Atlassian concluded that 96% of businesses “have not seen dramatic improvements in organizational efficiency, innovation, or work quality.” Still another study found that 40% of the business people surveyed have received “AI slop” at work in the last month and that it takes nearly two hours, on average, to fix each instance of slop. In addition, they “no longer trust their AI-enabled peers, find them less creative, and find them less intelligent or capable.”

    https://www.fastcompany.com/91435192/chatgpt-llm-openai-jobs-amazon

    Uncategorized

  • Wrote up some thoughts about the proposed ban on the sale of TP-Link devices in the US.
    briankrebs@infosec.exchange

    Wrote up some thoughts about the proposed ban on the sale of TP-Link devices in the US.

    The U.S. government is reportedly preparing to ban the sale of wireless routers and other networking gear from TP-Link Systems, a tech company that currently enjoys an estimated 50% market share among home users and small businesses. Experts say while the proposed ban may have more to do with TP-Link’s ties to China than any specific technical threats, much of the rest of the industry serving this market also sources hardware from China and ships products that are insecure fresh out of the box.

    https://krebsonsecurity.com/2025/11/drilling-down-on-uncle-sams-proposed-tp-link-ban/

    Uncategorized

  • Enjoyed this Techcrunch piece about the new show Pluribus from the creator of Breaking Bad.
    briankrebs@infosec.exchange

    Enjoyed this Techcrunch piece about the new show Pluribus from the creator of Breaking Bad. Fun fact, the star of the new show Rhea Seehorn and I used to study for a statistics class together at GMU. I had such a secret crush back then (okay maybe still a little).

    "If you watched all the way to the end of the new Apple TV show “Pluribus,” you may have noticed an unusual disclaimer in the credits: “This show was made by humans.”

    "That terse message — placed right below a note that “animal wranglers were on set to ensure animal safety” — could potentially provide a model for other filmmakers seeking to highlight that their work was made without the use of generative AI."

    "And just in case the disclaimer wasn’t clear enough, creator Vince Gilligan (best known for “Breaking Bad”) was even more emphatic in a Variety feature story about the show, declaring flatly, “I hate AI.”

    "He went on to describe the technology as “the world’s most expensive and energy-intensive plagiarism machine” and compared AI-generated content to “a cow chewing its cud — an endlessly regurgitated loop of nonsense.”

    https://techcrunch.com/2025/11/08/breaking-bad-creators-new-show-pluribus-was-emphatically-made-by-humans-not-ai/

    Uncategorized

  • Meta, Meta, Meta. So Meta. This Reuters report is 🔥
    briankrebs@infosec.exchange

    Meta, Meta, Meta. So Meta. This Reuters report is 🔥

    "Meta is earning a fortune on a deluge of fraudulent ads, documents show"

    "Meta projected 10% of its 2024 revenue would come from ads for scams and banned goods, documents seen by Reuters show. And the social media giant internally estimates that its platforms show users 15 billion scam ads a day. Among its responses to suspected rogue marketers: charging them a premium for ads – and issuing reports on ’Scammiest Scammers.’

    https://www.reuters.com/investigations/meta-is-earning-fortune-deluge-fraudulent-ads-documents-show-2025-11-06/?utm_source=substack&utm_medium=email

    Uncategorized

  • It's my fediversary!
    briankrebs@infosec.exchange

    It's my fediversary! Three years ago today I said goodbye to several hundred thousand followers at the nazi bar and joined this community. No regrets! Thanks for making me want to stick around :)

    Uncategorized

  • From the Dutch news org de Volkskrant:
    briankrebs@infosec.exchange

    From the Dutch news org de Volkskrant:

    "The Dutch intelligence services AIVD and MIVD have started sharing less information with their American partners, according to the heads of the Dutch services. Peter Reesink (MIVD): "It's true that we sometimes stop sharing things." Erik Akerboom (AIVD): "Sometimes you have to consider each case individually : can I still share this information or not?"

    "This is the first time that the AIVD and MIVD have acknowledged that developments in the United States, where human rights and the rule of law are under pressure, have consequences for the intelligence relationship. This marks a striking rupture in the decades-long relationship between the Dutch services and American intelligence agencies such as the CIA and NSA."

    https://archive.ph/9L0iW#selection-1557.0-1579.365

    Uncategorized