Crypto-Funded Chinese Peptide Labs Are Booming

Meta has been quietly stashing dormant face recognition code on more than 50 million phones, WIRED reported this week, tucked inside the companion app that pairs with its Ray-Ban and Oakley smart glasses. If activated, the feature—known internally as NameTag—would let wearers identify people in front of them by matching captured faces against a biometric gallery sitting on the user’s device. It’s the same kind of technology Meta said it walked away from in 2021, after paying out billions of dollars to settle biometric privacy lawsuits in Texas and Illinois.

Meanwhile, xAI is asking a federal judge to force four people suing the company over Grok-generated deepfake nudes to drop their pseudonyms and litigate under their real names—including one plaintiff who alleges the chatbot was used to fabricate sexual images of her as a child. The plaintiffs say they’d sooner drop the suit than submit to harassment and doxing from Musk’s online supporters. xAI’s lawyers, however, claim that since the deepfakes will remain under seal, there’s “nothing inherently stigmatizing” about naming the people in them.

Google rolled out a new Android feature this week aimed at the wave of AI-powered impersonation scams that help fraudsters spoof a familiar number and clone a person’s voice. Packaged with Google Dialer and shipping to phones running Android 12 or later, it pings the caller’s device for a silent cryptographic handshake. If the call is fake, Android will flag it and strip the contact photo from the screen, but only if both ends are on Google Dialer, which leaves iPhones out of the picture.

WIRED also reported this week that the Manhattan Institute—the same right-wing think tank that engineered the 1990s broken-windows policing and the Trump administration’s anti-DEI push—is now shopping model legislation to turn minor protest-related offenses into felonies under a novel theory it calls “civil terrorism.”

Researchers have detailed a clever new browser side-channel attack called FROST that fingerprints other tabs—and sometimes the apps on your device—by measuring how long it takes to read from a sandboxed file on your SSD. The attack runs entirely in JavaScript and feeds the timing traces through a neural network trained on the I/O signatures of common software. No evidence so far anyone is using it in the wild.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The supplements known as peptides—chains of amino acids that promise to help those who smear, ingest, or inject them achieve everything from weight loss to skin rejuvenation—have become their own largely unregulated pharmaceutical subindustry. So it figures that their growth is being fueled by cryptocurrency, often sent directly to the Chinese labs that sell these mysterious panaceas.

Crypto-tracing firm Chainalysis this week published an analysis of crypto flows to peptide sellers, a gray market that the company now measures at more than $100 million a year and growing. Chainalysis specifically found that some of the same Chinese labs that were previously selling fentanyl precursors have now switched to manufacturing and selling peptides. The transition, Chainalysis believes, is designed to cash in on the wave of “looksmaxing” hype across social media that has pushed peptide sales—and to avoid the risk of a law enforcement crackdown on opioid manufacturers.

AI can do all kinds of things if you just ask it: Code an app, touch up your photos, or even hack President Barack Obama’s Instagram account. Since Meta announced in March that its account support will be increasingly automated with AI, including for functions like updating your password, hackers found that they could exploit the tool to reset the password and take over accounts of even high-profile users and celebrities. Among the victims, as reported by 404 Media, are Obama, the chief master sergeant of the US Space Force, and makeup chain Sephora. Meta says the issue is now fixed and affected accounts have been secured. But the wave of takeovers illustrates the risks of off-loading security functions to AI—particularly at companies like Meta, which has very publicly touted its all-in approach to adopting AI across the company.

When AI firm Anthropic rolled out its powerful Mythos tool to a select group of organizations for testing, it raised eyebrows by including the US National Security Agency on that initial access list. Mythos, after all, is reportedly capable of finding previously hidden, hackable vulnerabilities in software with alarming speed, raising fears that it could be used for automated mass surveillance and cyberattacks. But the NSA also has a defensive mission, and initial reporting suggested the agency might just be using Anthropic’s tool to find bugs in popular software used by Americans—such as Microsoft’s—with the goal of better securing it. Yet the Financial Times now reports that Anthropic is helping the NSA take its use of Mythos a step further, deploying Anthropic’s own engineers to the agency to help it learn to use the AI tool—including for offensive hacking. The FT couldn’t confirm that Mythos is being used in active hacking operations. But given the growing use of AI for state-sponsored hacking, it would be a surprise if the US is not joining the field of modern-day automated cyberintrusions.

US president Donald Trump has picked Bill Pulte to temporarily act as director of national intelligence. Pulte replaces Tulsi Gabbard, who recently stepped down from the role citing her husband’s health issues. Trump has said he is considering other people for the permanent job, but that confirmation process can take months.

As acting director, Pulte would be responsible for the entire US intelligence community, coordinating 18 different agencies including the Central Intelligence Agency and NSA.
