Physical Failures: The Tile Tracker Leak and the Security Irony

A hacker breached the Tile/Life360 law enforcement portal using a former employee's stolen credentials. The tool built to help police find your kids became a stalker's dashboard.

The 2-Minute Defeat: Why the EU's Child Safety App is a Case Study in Security Theater

The EU's high-profile age verification app was cracked in under two minutes by a security consultant. It turns out storing sensitive tokens in an unencrypted local text file is not 'Safe by Design.' Here is what happens when PR outpaces engineering.

Your Banking Session Just Phoned Temu. Your CSP Allowed It.

A Taboola pixel on authenticated banking pages was redirecting session data to Temu via a single 302. The CSP didn't catch it. It wasn't supposed to.

The FBI Read Deleted Signal Messages Without Breaking Signal's Encryption

Signal's encryption held. Disappearing messages ran. The FBI still walked into court with Signal message content from a seized iPhone. Here's exactly how, and the one setting that closes the gap.

Your Ad Data Is a Federal Surveillance Tool. Meet Webloc.

Webloc ingests mobile ad data from 500 million devices and makes it searchable for ICE, the military, and local police. No warrant needed. You probably said yes to it when you tapped Allow on some app.

LinkedIn's Been Scanning Your Chrome Extensions. All 6,000 of Them.

Research confirmed LinkedIn scans for 6,236 Chrome extensions and fingerprints your browser without telling you. Microsoft says it's for your protection. The extension list says otherwise.

The Week Toolchain Trust Collapsed, Again

TeamPCP kept hitting developer tooling. AI attack surfaces went from theoretical to exploited. Attackers logged in instead of breaking in. And Iran went after the FBI director's personal inbox.

The FTC Took on a Data Broker Tracking Abortion Clinic Visits. And Won.

The FTC's settlement with Kochava bans the company from selling sensitive location data and requires deletion of existing records, including data showing visits to abortion clinics, shelters, and rehab centers.

Europe's Week: Fining Musk's AI, Rejecting Surveillance Powers, and Getting Hacked

In 48 hours, Europe fined xAI's Grok, voted to let CSAM scanning expire, had its Commission cloud breached, and watched its police force get phished.

Your VPN Might Be Getting You Watched by the NSA Instead of Protected

Six US lawmakers want to know if VPN use can strip Americans of Fourth Amendment protections by making their traffic look foreign to intelligence agencies. Nobody has officially said it isn't happening.

The Hack That Broke the Promise of Anonymity: 8 Million Crime Tips Stolen from P3 Intel

P3 Global Intel, which powers Crime Stoppers tip lines worldwide, was hacked. 8 million anonymous tips are now in criminal hands. The parent company still hasn't confirmed a thing.

Regulators on Both Sides of the Atlantic Are Forcing Platforms to Verify Who's Online

Apple rolled out mandatory age verification for all UK iPhone users. The EU opened a formal DSA investigation into Snapchat. The era of anonymous sign-ups is ending, and it's moving faster than most platforms planned.

New Mexico Handed Meta a $375 Million Jury Verdict on Child Safety. Every State AG Is Watching.

A New Mexico jury just handed Meta its first courtroom defeat over child safety: a $375 million verdict after six weeks of trial. It's not a settlement. It's a proof of concept for state AGs everywhere.

The FBI Is Buying Your Location Data. No Warrant Required.

FBI Director Kash Patel confirmed the FBI purchases bulk location data from commercial brokers with no warrant. The agency had previously said it stopped. It didn't.

Proton Mail Helped the FBI Identify an Anonymous Protestor. Here's What That Actually Means.

Proton Mail's encryption worked fine -- it was metadata that gave the anonymous Stop Cop City protestor away, and most users still don't understand the difference.

Privacy Is Now a $475 Million Business, and That's Kind of a Scandal

Cape raised $100M to protect phones from Stingrays and SS7 attacks; Cloaked raised $375M to hide your identity from data brokers -- together they're a $475 million indictment of the infrastructure that was supposed to protect you.

Meta Killed Instagram's Encryption and Hired Signal's Founder to Encrypt Its AI in the Same Week

Meta un-defaulted end-to-end encryption on Instagram DMs while partnering with Moxie Marlinspike to encrypt its AI chatbot, revealing exactly where Big Tech's privacy priorities actually land.

Sears' AI Chatbot Stored 3.7 Million of Your Conversations. Could Be Read Online.

Security researcher Jeremy Fowler found 3.7 million Sears chatbot conversations and 1.4 million audio files sitting wide open online -- including home addresses and appointment times. This one crosses into physical security territory.

Meta's AI Glasses Are a Privacy Disaster — And Now There's an App to Detect Them

Bruce Schneier called Meta's AI glasses 'a privacy disaster.' A developer built an Android app to detect them nearby. Together, they're the first signs of a consumer counter-response to ambient AI surveillance.

Europe's Biggest Tech Fines Are Getting Overturned in Court

Amazon just got an $858 million GDPR fine thrown out. Cloudflare is fighting Italy's Piracy Shield. Big Tech's legal teams are now the real counterparty to European regulation.

The Week Trust Kept Breaking

Iranian wipers, poisoned dev tools, AI agents as attack surfaces, patches that never stopped coming, and a ransomware negotiator working for the bad guys. Trust fell apart in every direction this week.

DOGE's Data Problem: Why America's Federal Privacy Crisis Is a Cybersecurity Story

DOGE personnel reportedly accessed federal systems holding tax returns, Social Security records, and benefits data without proper audit trails or legal authority. This isn't politics. It's a data governance failure affecting tens of millions of Americans.

Meta's Killing Instagram Encryption While Bragging About Nuking 11 Million Scam Accounts

Meta's shutting down Instagram's end-to-end encrypted chats in May while touting the removal of 10.9 million scam accounts. Both are real moves. The tension between them says a lot about what kind of security Meta actually cares about.

CBP Was Tracking Your Phone With Ad Data -- And When Their Own Privacy Officers Said Stop, They Were Fired

CBP bought commercial ad data to track Americans' phones without warrants. When internal privacy officers pushed back on related illegal conduct, they got canned.

The FBI's Warrant-Free Surveillance Just Hit a New High -- Right as Congress Finally Moves to Stop It

The FBI searched Americans' private communications without a warrant 7,413 times last year, up 34%. A bipartisan bill just landed to require warrants going forward.

When 'No' Means Nothing: Privacy Erosion from DHS Surveillance to Duolingo Tracking

DHS fired the privacy officers who questioned surveillance orders. Duolingo keeps sending your data to ByteDance after you opt out. Your 'no' doesn't work when nobody's enforcing it.

AI Agents Have an Infrastructure Problem — and Researchers Just Proved It

MCP protocol flaws, a 38-researcher red team exercise, and LLM-powered deanonymization all landed the same week. AI agent security isn't a future problem. It's a right now problem.
