I'd argue that very few companies have any real appreciation for how many of their employees are already feeding API keys and other stuff into fairly new and questionable agentic AI tools or platforms. So many companies are like, oh we're taking a wait-and-see approach to adopting AI. Meanwhile, half their dev team is doing critical development work on shared servers that have no authentication or limited (no 2fa) auth.
briankrebs@infosec.exchange
-
Agentic AI-based services are the new Shadow IT. Change my mind.
-
Lol, most of these impressions were on a post I made about why you maybe shouldn't verify your LinkedIn account.
@aburka I don't think so. It's like always there now.
-
Lol, most of these impressions were on a post I made about why you maybe shouldn't verify your LinkedIn account.
Meanwhile, for the past week, LinkedIn has been showing me some other company's dashboard in my profile.
-
Lol, most of these impressions were on a post I made about why you maybe shouldn't verify your LinkedIn account.
-
Bloomberg did some terrific and deep reporting last week on how private equity debt likely contributed to a series of major compromises at Ivanti at the hands of China-backed hacker groups. They touch on several other examples, but it seems like the list could be quite long at this point.
The guys at the Risky Business podcast have been talking forever about major breaches and code compromises that occurred after various security companies were acquired by private equity firms and loaded with debt. They've argued (correctly, in my book) that when you see this happening with a vendor you use, it's a good signal to find a suitable alternative to whatever that platform does for you.
-
If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first.
@celeste Unless I'm missing something, the post I linked to and cited from was published 4 days before yours. It's not about the reported frontend exposure.
-
If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first.
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
-
If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first. It walks through LinkedIn's privacy disclosure to identify 17 companies that may receive and process the data you submit, including name, passport photo, selfie, facial geometry, NFC data chip, national ID #, DoB, email, phone number, address, IP address, device type, MAC address, language, geolocation etc. Unsurprisingly, it seems the biggest recipients are US-based AI companies.
https://thelocalstack.eu/posts/linkedin-identity-verification-privacy/
-
Thank god Microsoft is shoving Copilot AI crap into everything. One gets the sense this isn't going to be an isolated occurrence. From Bleeping Computer:
"Microsoft says a Microsoft 365 Copilot bug has been causing the AI assistant to summarize confidential emails since late January, bypassing data loss prevention (DLP) policies that organizations rely on to protect sensitive information."
-
Security nerds have launched a Gofundme to buy back securityfocus.com, a domain that hosted the Bugtraq site and more than 120,000 links from the National Vulnerability Database that are now dead. Whoops.
"Symantec killed Bugtraq in 2020 and let the domain lapse. Now it's squatted for $175k," writes Jonathan Brossard. "The NVD has 120,000+ broken links pointing there. The security community's memory is being held hostage."
Not sure if this matters, but DomainTools says the domain was transferred to Accenture.com, Accenture Global Services Limited in Ireland.
-
For years we've been told that grand juries in the US are just a rubber stamp for prosecutors (i.e. that they will indict even pork-based comestibles). But increasingly what we're seeing is that grand juries are the last line of defense against an administration that is hellbent on perverting the justice system. From the NYT:
"Federal prosecutors in Washington sought and failed on Tuesday to secure an indictment against six Democratic lawmakers who posted a video this fall that enraged President Trump by reminding active-duty members of the military and intelligence community that they were obligated to refuse illegal orders, four people familiar with the matter said."
"It was remarkable that the U.S. attorney’s office in Washington — led by Jeanine Pirro, a longtime ally of Mr. Trump’s — authorized prosecutors to go into a grand jury and ask for an indictment of the six members of Congress, all of whom had served in the military or the nation’s spy agencies."
"But it was even more remarkable that a group of ordinary citizens sitting on the grand jury in Federal District Court in Washington forcefully rejected Mr. Trump’s bid to label their expression of dissent as a criminal act warranting prosecution."
https://www.nytimes.com/2026/02/10/us/politics/trump-democrats-illegal-orders-pirro.html
-
One of the more terrifying realities about the prospect of starting your own business in the US is that you quickly learn you are on your own when it comes to finding affordable healthcare.
@lkanies Yes. Some state schools will provide healthcare coverage for students, including those just taking classes and not pursuing a degree. You basically get insurance under a group health plan run by the school.
-
One of the more terrifying realities about the prospect of starting your own business in the US is that you quickly learn you are on your own when it comes to finding affordable healthcare. You might even make enough that you don't qualify for any plan that doesn't cost <$30k a year, w/ high deductibles.
I know I've mentioned this before here, but it bears repeating because it came up in a conversation the other day where the small biz owner had no idea. Namely, that depending on where you live, you may qualify for a fairly inexpensive and decent healthcare plan for you and your family just by taking a class at a local university or community college. NB: It may only require a non-degree (non-credit) course. Anyway, something to investigate if you're looking for a way to reduce your healthcare costs.
Edit: Meant to mention that a lot of universities will allow you to take the classes remotely online.
-
ICYMI, from Reuters:
"Democratic Senator Maria Cantwell on Tuesday said Verizon and AT&T are blocking release of key documents about an alleged massive Chinese spying operation that infiltrated U.S. telecommunications networks known as Salt Typhoon and wants their CEOs to appear before Congress to answer questions."
"Cantwell asked both companies to turn over security assessments conducted by Alphabet cybersecurity unit Mandiant. She said Mandiant refused to provide the requested network security assessments, apparently at the direction of AT&T and Verizon."
"In some cases, hackers are alleged to have intercepted conversations, including between prominent U.S. politicians and government officials. Several lawmakers have described them as the worst telecom hacks in U.S. history."
"Cantwell said Salt Typhoon allowed the Chinese government to "geolocate millions of individuals" and "record phone calls at will," and that the incident targeted almost every American."
-
Last day to submit public comments, officially:
@matt CBP_PRA@cbp.dhs.gov
-
Last day to submit public comments, officially:
RE: https://infosec.exchange/@briankrebs/115962508398912420
Last day to submit public comments, officially:
-
Must-read: How ‘Pink Slime’ Publishers Are Weaponizing FOIA
From Mirada Green and the Tow Center for Digital Journalism:
"Metric Media filed more than nine thousand public records requests last year. It used the data to target Democratic politicians and private citizens."
If you're unfamiliar with Metric Media, they own thousands of local "news" sites that mostly republish drivel until election time rolls around, when they're all partisan conservative publications masquerading as local news.
"Founded in 2019, Metric has been criticized for jury tampering and tied to pay-for-play political schemes and fake newspapers that land in mailboxes ahead of key elections. Recently, it has focused on obtaining troves of public records. In the past year, an investigation by the Tow Center for Digital Journalism has found Metric filed more than nine thousand Freedom of Information Act requests across all fifty states."
"Many of the requests are for data at the forefront of America’s culture-wars, from allegedly rigged elections to banned books to transgender inmates. With public records in hand, Metric has targeted liberal politicians with negative reporting, criticized the funding of nonprofit organizations, and published personally identifying details about small-town residents who spoke up at school board hearings. Unlike traditional journalism, Metric’s stories do not air dueling perspectives or offer targets a chance to comment."
https://www.cjr.org/tow_center/pink-slime-networks-are-weaponizing-foia.php
-
This makes me sad (been there). From Joe Menn at WaPo: "Most of the Washington Post’s tech reporters were laid off today, including me. I have loved my time at the paper, which is where I wanted to work from age 15. I take some consolation in not being among the survivors who will have to work harder with less for fewer readers. On to better things."
-
So, rather than watch the rest of the performers bow out of gigs, he's just going to close it down for construction? Can't wait to see what he does with the place. From WaPo:
"Trump plans to close Kennedy Center for about two years, starting in July. Under the proposal, the Kennedy Center could close on July 4, coinciding with America’s 250th anniversary."
“I have determined that The Trump Kennedy Center, if temporarily closed for Construction, Revitalization, and Complete Rebuilding, can be, without question, the finest Performing Arts Facility of its kind, anywhere in the World,” Trump wrote in a post on Truth Social. “In other words, if we don’t close, the quality of Construction will not be nearly as good, and the time to completion, because of interruptions with Audiences from the many Events using the Facility, will be much longer. The temporary closure will produce a much faster and higher quality result!”
https://www.washingtonpost.com/style/2026/02/01/kennedy-center-trump-closure-construction/