Subject: GoDaddy Sounds Alarm Over How India Law Would Upend Internet Privacy Everywhere
Source: Gizmodo
https://gizmodo.com/godaddy-sounds-alarm-over-how-india-law-would-upend-internet-privacy-everywhere-2000781210
A lot of those fraudulent sites use big brands to try to trick visitors into engaging. That has led to a lot of lawsuits from major American companies, per Reuters, who have pushed courts and the government to block spoofed sites and typo-squatters who rely on mistyped URLs to trick people. But in an effort to be responsive to those companies, the Delhi High Court took things a step further and made it the domain registrar’s problem.
Late last year, the court that sits below the Supreme Court of India ruled that domain registrars can no longer offer domain buyers the ability to obscure their information as a default option—a common service offered to prevent people from being able to simply look up the name and personal information of a domain’s owner. Instead, buyers would have to manually opt in to privacy and potentially pay an additional fee for it. The ruling would also require registrars to undertake Know Your Customer (KYC) protocols, which would require reviewing government-issued IDs or other identifying documents. And if law enforcement or the courts were to come asking for information about a domain owner, registrars would be compelled to provide that data within 72 hours.
Should the privacy measures currently afforded to domain purchasers be stopped, GoDaddy said it’d become trivially easy to find out sensitive information about a site’s owner. Simple tools that track WHOIS, a public database and protocol used to look up the registration details of domain names, would reveal things like a person’s name, address, telephone number, and email address.
Source: The Hacker News
https://thehackernews.com/2026/07/unpatched-flaws-disclosed-in-filesystem.html
Security firm runZero has disclosed seven vulnerabilities in FatFs, a small filesystem library that lets a device read and write the FAT and exFAT formats used on USB drives and SD cards.
The flaws matter because FatFs is nearly everywhere. It ships inside the firmware that runs security cameras, drones, industrial controllers, hardware crypto wallets, and other devices built on real-time operating systems.
On the worst-affected systems, an attacker who gets a booby-trapped USB drive, SD card, or update file onto a device can corrupt its memory and run their own code.
Many embedded devices lack the memory protections found on phones and desktops, which is why runZero says “any physical access leads to a jailbreak.” A public kiosk, a camera with an SD slot, an ATM, or a voting machine with a USB port should not hand over full control after a moment of physical access, but here it can.
…
Here is the hard part. FatFs is maintained by one developer in a small corner of the internet, and runZero says it tried repeatedly to reach the maintainer and looped in Japan’s JPCERT/CC coordination center, with no response.
Source: New York Times
https://www.bespacific.com/wikipedia-is-battling-for-the-soul-of-the-internet/
The New York Times Gift article: “The internet’s largest stockpile of free knowledge is under threat from MAGA, A.I. and foreign autocrats. A bibliophile ex-ambassador is here to help. Wikipedia is in peril. In a world where trust in truth is crumbling, the grande dame of collective online fact-gathering is under threat on every front. The MAGA right, with Elon Musk at the fore, is slinging accusations of political bias and antisemitism and has even questioned the site’s nonprofit status. Artificial intelligence is raiding the encyclopedia’s resources and draining attention. Repressive governments have hauled its volunteer editors into penal colonies. In Wikipedia’s 25-year history, it has never had to fight this hard. The organization that supports the site, the Wikimedia Foundation, is increasing its lobbying budget and advertising in Times Square. It is charging companies like Google and Meta that gobble up the encyclopedia’s 65 million articles, and throttling access for certain scrapers. And it is expanding its human rights team to better protect volunteers against rising harassment, surveillance and retaliation.
Source: FedScoop
https://fedscoop.com/fedramp-2026-compliance-operating-model/
FedRAMP’s 2026 rule changes are significant, but the most important thing about them is not what they require — it’s about what they signal.
The federal government is telling the cloud market that point-in-time compliance is no longer sufficient. What agencies need now is continuous visibility into whether the controls protecting federal data are actually working every day, not just at assessment time. That is the right shift and it is one that many providers are not yet ready to make.
For years, FedRAMP compliance has been understood primarily as a documentation challenge consisting of system security plans, assessment packages, monthly scans, plans of action and milestones. Those elements still matter, but the new model is built around continuous evidence and not static documentation.
This changes the rhythm of how cloud security will work. Evidence needs to be current and vulnerability data needs to be actionable in near-real time. Ownership of risk needs to be clearly assigned and decisions about what to remediate and what to accept need to be documented and defensible, not buried in a spreadsheet that gets reviewed once a quarter.
…
One of the most consequential changes in the 2026 rules is the move toward risk-based vulnerability management.
…
The new framework accounts for exploitability, reachability, known active exploitation, potential agency impact and compensating controls already in place. That requires better triage, clearer ownership mapping and more disciplined remediation workflows. Providers who have those capabilities will be in a stronger position, while those who don’t have real work ahead of them.
…
Source: International Business Times via Sabrina
https://www.ibtimes.sg/ai-agents-can-be-tricked-into-stealing-your-files-researchers-warn-some-tips-88836
New demonstrations show hidden prompts can manipulate AI assistants to access and exfiltrate sensitive data.
- Researchers demonstrated prompt injection attacks manipulating AI agents to expose sensitive information.
- Hidden instructions in webpages and documents influenced AI systems using authorized permissions.
- Prompt injection affects multiple AI platforms and remains a leading industry security concern.
- Experts recommend limiting AI access and avoiding uploads of sensitive personal or workplace data.
Millions of people now use AI assistants as coders, researchers, and personal workspaces. Recent security demonstrations suggest the bigger risk isn’t one chatbot. It’s the growing number of AI agents that can read files, browse the web, and act on a user’s behalf.
You don’t need to click anything unusual for this one to work. In one disclosed attack chain, researchers showed that simply searching for “Claude AI” on Google and clicking the top result was enough.
A hidden prompt injection embedded behind that webpage silently instructed Claude to extract a victim’s private conversation history, with no visible warning that anything was happening. The attack, dubbed “Claudy Day” by Oasis Security, worked against a completely default Claude account with no integrations, connected servers, or extra tools enabled.
A malicious document could quietly instruct Cowork to upload confidential files using its legitimate permissions while substituting the attacker’s own Anthropic API key. Instead of sending documents to the victim’s workspace, the AI uploaded them directly into the attacker’s account without displaying any permission dialog.
Why Agentic AI Changes the Risk – Traditional chatbots mostly answer questions, but Agentic AI systems do much more. They browse websites, read documents, search cloud storage, send emails, manage calendars, and interact with software using connected tools. That convenience also creates a much larger attack surface.
Instead of processing one prompt from one user, an AI agent may simultaneously interpret instructions coming from web pages, PDFs, source code, browser extensions, APIs, cloud drives, and user requests. Security researchers say today’s models still struggle to distinguish between legitimate instructions from the user and malicious instructions hidden inside trusted content.
That is why prompt injection remains difficult to eliminate. The weakness lies in how AI agents process information, not simply in how intelligent they become.
What Should Stay Out of AI Chats – Some information deserves a higher level of caution regardless of which AI assistant you’re using.
- Passwords and API keys
- Government identification numbers
- Banking credentials
- Authentication or recovery codes
Source: Android Headlines
https://www.androidheadlines.com/2026/07/texas-app-store-age-verification-law-supreme-court.html
The U.S. Supreme Court has declined to block the enforcement of the Texas App Store Accountability Act, allowing state authorities to require age verification and parental consent for mobile app downloads and purchases. The law, which requires minors’ accounts to be linked to guardians, faces ongoing legal challenges from tech industry groups and student coalitions on First Amendment grounds. While lower courts remain divided on the constitutionality of the measure, the act currently remains in effect as litigation continues.
Digital gatekeeping just took a major step forward in Texas. This week, the U.S. Supreme Court declined to block a controversial state law that requires app stores to verify the ages of their users. This decision means that for now, the Texas App Store Accountability Act stays in effect while broader legal battles regarding free speech and constitutional rights continue to play out in lower courts.
…
The free speech dilemma…The Android Headlines Take – While the intention to protect minors from harmful content is widely understood, the wide picture highlights a massive disconnect between state-level regulatory ambition and the realities of modern digital distribution.
…
It is a classic battle of privacy versus protection, and the legal debate over how far a state can go to “police” the internet is far from over.
Source: Krebs on Security
https://krebsonsecurity.com/2026/07/felons-fraudsters-flog-offensive-cybersecurity-startup/
A cybersecurity startup dangling millions of dollars to acquire zero-day security vulnerabilities in popular software is run by a pair of far-right conspiracy theorists and convicted felons whose most recent ventures included fake intelligence companies and a now-defunct AI-based lobbying platform they operated under assumed names.
The X/Twitter account IRIS C2 (@C2IRIS) has gained more than 4,000 followers since its creation in January 2025, posting frequently about security vulnerabilities, AI and software exploits. IRIS C2 says it is a company in McLean, Va. that sells offensive cybersecurity capabilities.
“Our business model is this,” reads a pinned post on top of the IRIS C2 account on X. “Attract the very best vulnerability researchers and exploit developers in the world to join our company. This mostly revolves around junior engineers with raw talent/extremely high IQ. We don’t care if they have a college degree/industry experience.”
The market for previously unknown security vulnerabilities has always been populated by a colorful mix of researchers, academics, charlatans, clout-chasers and people actively involved cybercrime communities. But the market for selling offensive security services to the U.S. government tends to be far more circumspect. Plenty of government contractors recruit vulnerability researchers and pay for the exclusive rights to novel software exploits, yet none of them do so quite as brazenly and openly as IRIS C2.
Source: ProPublica
https://www.propublica.org/article/puerto-rico-crim-data-breach
A cybersecurity loophole in an official government mapping service left private data easily accessible, Centro de Periodismo Investigativo and ProPublica learned.The government agency that collects property taxes in Puerto Rico inadvertently exposed the Social Security numbers of approximately 1 million people, Centro de Periodismo Investigativo and ProPublica learned.
It was the latest cybersecurity lapse for the Puerto Rico government, which in the past three years has seen technology breaches interrupt government services, take websites offline and lead to citizens’ personal information being published on the dark web.
“Following a review of the Catastro Digital platform, it was determined that there was NO breach of confidential personal taxpayer information, as the Catastro Digital does NOT contain or display the type of information alluded to,” CRIM Executive Director Javier García Cintrón said.
But a few days after CPI and ProPublica contacted CRIM, the news organizations were able to see that the security holes had been patched.
Source: All About Cookies
https://allaboutcookies.org/eu-mandatory-distracted-driver-system
The new ADDW rules are designed to reduce road accidents by detecting distracted drivers, but gaps in the regulations have raised concerns over the privacy of driver data
Automakers have known this was coming for years. What they, and EU regulators, have never spelled out is what happens to that footage after the alert goes off.While the intention behind the new system is difficult to dispute, its implementation has raised several concerns. Early real-world testing suggests the distraction warnings can be overly sensitive and potentially distracting.
- What the new driver monitoring camera actually does
- Real drivers say the warnings are already exhausting
- The regulation doesn’t say what happens to your data
- Your driving data has already been sold before
- What protections do you actually have?
- Bottom line
…
[1] Commission Delegated Regulation (EU) 2023/2590 – Advanced Driver Distraction Warning (EUR-Lex)
Source: Proton Blog
https://www.bespacific.com/every-way-meta-tracks-you-and-how-to-fight-back/
Source: CNBC
https://www.cnbc.com/2026/07/08/chinese-ai-models-probe-us-lawmakers.html
- U.S. lawmakers are considering strategies to halt the growing adoption of Chinese AI models by homegrown companies.
- Chinese models have gained traction among U.S. firms as they’ve closed the performance gap with American rivals while being cheaper to use.
- An ongoing House Committee investigation is probing the risks involved in the rise of AI built in China.
U.S. lawmakers are considering how to curb the growing adoption of Chinese AI models by homegrown companies, as geopolitical tensions surrounding the rollout of artificial intelligence ramp up.
AI has emerged as a key point of rivalry between the U.S. and China, with both nations vying for supremacy in the field.
Chinese models are gaining traction among U.S. firms as they close the performance gap with American rivals while being cheaper to use.
In April, the Trump administration accused Chinese entities of waging “industrial-scale campaigns” to rip off U.S. AI systems, and said it will explore ways to hold foreign actors accountable. Beijing is looking at curbing overseas access to China’s leading AI models, Reuters reported on Tuesday.
…
“The growing use of Chinese AI models by U.S. companies raises serious concerns,” a State Department spokesperson told CNBC. Those “AI models are designed to advance Beijing’s narratives, censor dissent, and reflect CCP ideology and values.”
…
While some government departments have banned the usage of Chinese AI models including DeepSeek, adoption of them by U.S. companies is not prohibited. Tech chiefs, including crypto company Coinbase.
…
One approach could be procurement requirements that discourage companies that want to do business with the government from using Chinese AI models, he added. Another could be disseminating findings about risks and vulnerabilities associated with Chinese AI models to U.S. companies.
“Regardless, I do expect both the Executive Branch and Congress to communicate their interest not to see U.S. companies adopting these models,” Remler said.
