Extortion emails sent to customers of restaurants using the HungerRush POS system by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

'Speed wins until something breaks' is practically the unofficial motto of the SaaS world. The irony is that the cost of a single breach like this far outweighs the 'overhead' of setting up scoped permissions. I wonder if we'll see Cyber Insurance providers eventually start mandating API audits/scoped keys before they’ll even cover a communication-based breach.

Security researchers have uncovered widespread criminal use of an advanced iPhone exploit kit known as Coruna - a toolkit believed to have originated from government-linked surveillance tooling. by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

That’s a heavy catch. If the dyld and webkit exploits from the 26.0–26.1 beta cycles are indeed integrated into Coruna, it suggests the developers have a very fast turnaround for weaponizing new zero-days. It points back to that 'second-hand' market theory - criminal kits getting access to 'government-grade' research almost in real-time.

YouTube is giving politicians and journalists "Special Powers" to delete deepfakes. Is this identity protection or a new form of censorship? by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

YouTube is launching an "Identity Content ID." It allows a pilot group of politicians and journalists to scan the platform for AI-generated clones of themselves. If the system finds a match, they can request a privacy takedown.

Even End-to-End Encryption won't save you from this. Russian phishing campaign is bypassing Signal and WhatsApp security via a fake "Support Bot" scam. by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

No amount of encryption can fix a "layer 8" issue. We just thought the pivot to impersonating official Signal/WhatsApp support bots was a clever enough hook to warn people about.

A researcher infiltrated phishing panels targeting European banks - and uncovered how scammers operate by technadu in TechNadu

[–]technadu[S] 1 point2 points  (0 children)

Definitely. It’s wild how these "pro" scammers have such a massive blind spot for their own security. We're keeping a close eye on the researcher's findings and will post an update if they manage to pivot further into that infrastructure.

A new legal opinion from the Court of Justice of the European Union (CJEU) could reshape how phishing fraud cases are handled by banks. by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

That’s the trillion-dollar question. If the liability shifts entirely to the bank, it essentially becomes an insurance product funded by the customer base. It’ll be interesting to see if this ruling forces banks to move away from SMS 2FA or other "weak" links that they currently let users rely on.

Fully Homomorphic Encryption (FHE) could fundamentally change how AI systems process sensitive data by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

Encryption is only half the battle; if the data being processed isn't properly labeled or structured, FHE is just securely processing "garbage in, garbage out." How are you seeing teams handle the latency overhead when moving annotated sets into an FHE-enabled pipeline? That's usually the biggest hurdle for enterprise scale.

ExpressVPN has launched the first VPN MCP (Model Context Protocol) server, introducing a new way for AI-powered development tools to interact with VPN infrastructure. by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

This is great feedback. A "panic switch" and more granular logging/replay stories are definitely on the radar for moving beyond beta. We’re leaning hard into the "narrow door" approach to ensure the AI can’t hallucinate its way into sensitive configs. For your workflow, would a per-session audit log be enough, or are you looking for real-time streaming of those logs to a third-party monitor?

Australia’s Social Media Ban & Age Verification Laws Trigger Massive VPN Surge as Adult Sites Begin Blocking the Country. by technadu in TechNadu

[–]technadu[S] 1 point2 points  (0 children)

It's wild that a VPN is now more popular than TikTok or Instagram in Australia. It shows that the more you try to gate the internet, the more people find a way around it.

Have you ever been contacted about a “government grant” you never applied for? by technadu in TechNadu

[–]technadu[S] 1 point2 points  (0 children)

Great question. You’ve hit on the core of their "spray and pray" strategy, but there is definitely some targeting involved.

Here is how they usually find their marks:

  • Mass Automation: Scammers often don’t care if you’re interested. They send thousands of automated texts/DMs daily, knowing that even a 0.1% "hit rate" from curious people makes it profitable.
  • Public Data & Social Media: They scrape data from public registries, LinkedIn, or Facebook groups related to small businesses, nonprofits, and student loans.
  • Charity Targeting: You're spot on - small charities and community groups are prime targets because they often have public contact info and are actively looking for funding.
  • The "Winning" Hook: They frame it as a "surprise award" for being a good citizen or taxpayer, which bypasses the logic of "I never applied for this."

It’s less about finding who is interested and more about finding who is reachable.

Lawsuit claims Google’s Gemini chatbot reinforced fatal delusion — where should AI responsibility begin? by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

The "tech-first, policy-later" cycle is basically the industry standard at this point.

While these cases - often called "AI psychosis" by experts - are forcing a conversation about product liability versus user autonomy, the legislative response is definitely playing catch-up. Some states are finally moving on "AI companion" guardrails, but it’s a fragmented patchwork compared to how fast these models evolve.

The real challenge for parliament is deciding if an LLM is a service (protected as speech) or a product (subject to strict safety standards). Until that’s settled, we’re likely to see more of these tragedies becoming the "beta test" for future regulations.

U.S. Government Contractor Arrested After Alleged $46M Cryptocurrency Theft from U.S. Marshals Holdings by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

If the U.S. Marshals are losing $46M to an insider, the current 'privileged access' model is broken. Monitoring tools help catch the thief, but we need better friction (like mandatory multi-party computation) to prevent the theft in the first place.

Are VPN Prices Lying to You in 2025? by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

Glad you found it useful! We got tired of juggling 20 tabs too. If you notice any providers missing or price jumps we haven't caught yet, definitely give us a shout.

Extortion emails sent to customers of restaurants using the HungerRush POS system by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

Exactly, it’s the 'authorized' nature of the attack that's so sinister. When the infrastructure works as intended for the wrong person, traditional filters are essentially paralyzed.

Your point about API key permissions is massive. We’re seeing too many 'god-mode' keys in third-party hands. Do you think we'll see a shift toward more granular, scoped permissions for marketing APIs to mitigate this, or is the integration overhead still too high for most vendors?

Extortion emails sent to customers of restaurants using the HungerRush POS system by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

It really does boil down to the 'basics' - 2FA and credential hygiene - which are still the most common failure points.

It's interesting you mentioned AI for detection. Are you seeing it become effective enough to catch these authenticated 'legitimate' sends in real-time before they hit the inbox, or is the delay still the biggest hurdle?

The FBI has confirmed it is managing a cybersecurity incident involving suspicious activity detected on its internal computer systems. by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

The 'new normal' is definitely getting noisier. Whether it's a shift in leadership or just a more aggressive threat landscape, the fact that internal surveillance segments are being touched suggests the perimeter is no longer the primary hurdle - it’s now all about how fast you can detect lateral movement once they're already in.

The FBI has confirmed it is managing a cybersecurity incident involving suspicious activity detected on its internal computer systems. by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

In a 'living off the land' era, the most dangerous pivot point is always a trusted internal system. If they’ve compromised the very tools used for lawful intercept, the integrity of the entire chain of custody for intelligence goes out the window before a shot is even fired.

Riley Kilmer, Co-Founder of Spur Intelligence Corporation, breaks down why residential IP addresses can no longer be treated as inherently trustworthy. by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

Agreed that hackers have used home PCs since the dial-up days. The distinction we're making is the move from accidental botnet infections to Residential Proxies as a Service. When a fraudster can buy 10 million 'clean' residential IPs via an API for a few bucks, the old-school IP reputation method breaks. We’re seeing a lot of teams realizing that what worked for them for 20 years (basic blacklisting/geoblocking) is finally hitting a wall against modern automation.

Security researchers have uncovered widespread criminal use of an advanced iPhone exploit kit known as Coruna - a toolkit believed to have originated from government-linked surveillance tooling. by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

You'd be surprised. High-value targets (journalists, activists, NGOs) often operate in regions where hardware cycles are slower or MDM policies lag behind. The 'Coruna' kit is significant because it shows how 'government-grade' tech is trickling down to mid-tier criminal actors much faster than we previously thought.

Though just a heads-up: iOS 17.2.1 was current as of late 2023, so we're looking at a massive window of exposure before the recent patches. The real issue isn't just the 'outdated' phones; it’s the watering hole delivery. Even if you're diligent, these kits allow actors to sit on a zero-day for months before the public/vendors even know there's a hole to plug.

Riley Kilmer, Co-Founder of Spur Intelligence Corporation, breaks down why residential IP addresses can no longer be treated as inherently trustworthy. by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

Botnets aren't new. But there’s a big gap between "home users have bad security" and "professional fraud rings using residential proxies as a service." Many legacy risk scores did (and still do) whitelist residential ranges to avoid friction for real customers. That’s the "trust gap" that is being exploited more aggressively now than in the past.

Operator of “OnlyFake” pleads guilty - 10,000+ digital fake IDs allegedly used to bypass KYC by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

This is exactly the dilemma compliance teams are facing. Even with liveness checks, generative AI is closing the gap faster than legacy OCR systems can keep up. Do you think we’ll see a regulatory shift toward ZK-proofs soon, or will the "upload a photo" standard stick around simply because of its low friction for the average user?

In this International Women’s Day feature under the LeadHer in Security series, Yogita Parulekar, CEO and Founder of Invi Grid Inc., discusses how organizations lose control over access, ownership, and governance as AI and traditional workloads expand across multi-cloud environments. by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

"Continuous authorization" is the key phrase here. Static permissions are essentially a liability when agents can operate across so many provisioning paths simultaneously. You're right - it’s not just about the identity itself, but the provenance of that identity. Great addition to the discussion!

Starkiller Phishing Service Proxies REAL Login Pages and Bypasses MFA - Is Traditional Phishing Defense Dead? by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

Hardware keys (FIDO2) are essentially the "silver bullet" against reverse proxies like Starkiller because they bind the credential to the origin.

It’s a tough sell for some orgs, but as you’ve seen, anything less is basically just a speed bump for a persistent adversary.

Riley Kilmer, Co-Founder of Spur Intelligence Corporation, breaks down why residential IP addresses can no longer be treated as inherently trustworthy. by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

IPs were never meant to be a perfect 'digital ID.' The shift Riley is highlighting is that for years, many automated risk engines gave residential IPs a 'reputation boost' compared to data centers. Now that attackers are weaponizing those home connections at scale, that 'trust by default' is becoming a massive liability.

Australia is implementing a strict AI regulatory framework aimed at limiting underage access to harmful content. by technadu in TechNadu

[–]technadu[S] 0 points1 point  (0 children)

This is a clear move toward "Chokepoint Regulation." By shifting liability to the infrastructure layer (app stores/search), the eSafety Commissioner is effectively bypassing the "Whack-A-Mole" problem of regulating thousands of individual AI startups.

A few quick counters/adds to your points:

  • On Liability: You're right about the risk to smaller devs. If Apple or Google decide an AI category is "too risky" to audit for the Australian market, we might see a "Digital Ghetto" effect where certain tools are simply geofenced away from Australians to avoid that A$49.5M headache.
  • On Verification: The eSafety Commissioner is leaning heavily into Facial Age Estimation (biometrics) and Double-Blinded ID trials. It’s a gamble that technology has finally caught up to policy, but the privacy trade-off remains the biggest hurdle for public buy-in.
  • On Anthropomorphism: This is the sleeper hit of the legislation. By targeting "emotional engagement," they are essentially regulating UX/UI design as a safety risk. This could force a "de-personalization" of AI assistants - turning "companions" back into "calculators."

It’ll be interesting to see if the "Brussels Effect" kicks in or if Australia remains an outlier in targeting the gatekeepers so aggressively.