1,6 **million** pull requests with what seem to be injected ads?

https://github.com/search?q=%2FSTART+COPILOT+CODING+AGENT+TIPS%2F&type=pullrequests

https://www.neowin.net/news/microsoft-copilot-is-now-injecting-ads-into-pull-requests-on-github-gitlab/

When we fight, we win

https://www.theregister.com/2026/03/30/github_copilot_ads_pull_requests

Anthropic lost a class action suit for scraping books. Writers can register with Anthropic to be compensated for their pillaging of our copyrights.

The compensation system was AI-coded.

Anthropic can't keep track of our submissions. They don't know who wrote what.

Their customer support is AI-driven. Send a mail! Log in to a nonexistent page! Resubmit and it'll be fine!

This will be fine.   

I teach cybersecurity. And I genuinely don't know what to tell my students after this one. Federal reviewers spent years trying to get basic encryption documentation from Microsoft for its GCC High government cloud. They couldn't get it. One reviewer called the system a "pile of spaghetti pies," with data traveling from point A to point B the way you'd get from Chicago to New York: a bus to St. Louis, a ferry to Pittsburgh, and a flight to Newark. Each leg is a potential hijacking. They knew this. They said this out loud in writing. Then they approved it anyway in December 2024, because too many agencies were already using it. 🔐 That's not a security review. That's a hostage negotiation. Two things in this story should make every CISO and CIO uncomfortable:

🧩 Microsoft built its federal cloud on top of decades of legacy code that it apparently can't fully document itself
👮 "Digital escorts" often ex-military with minimal software engineering backgrounds are the firewall between Chinese engineers working on the system and classified U.S. networks 🤦🏻‍♂️

The scariest line in the whole ProPublica investigation isn't the "pile of shit" quote. It's this: FedRAMP determined that refusing authorization wasn't feasible because agencies were already using the product. Read that again. The security review process reached a conclusion based on sunk cost, not risk. Ex Post Facto Fallacy

If that logic holds, the compliance framework is just documentation theater. And right now, CISA is being hollowed out, so there are fewer people left to even run the theater.

https://arstechnica.com/information-technology/2026/03/federal-cyber-experts-called-microsofts-cloud-a-pile-of-shit-approved-it-anyway/
#Cybersecurity #Microsoft #FedRAMP #Leadership #RiskManagement #security #privacy #cloud #infosec

SCOOP: Someone has found new samples of the iPhone spyware DarkSword and published them on GitHub, putting millions of iOS users at risk.

A cybersecurity researcher told us that the leaked spyware is "way too easy to repurpose" and "we need to expect criminals and others to start deploying this."

"The exploits will work out of the box," iVerify's Matthias Frielingsdorf said. "There is no iOS expertise required."

http://techcrunch.com/2026/03/23/someone-has-publicly-leaked-an-exploit-kit-that-can-hack-millions-of-iphones/

I just learned that a new release of the decentralized, open source Android (and iOS, but that requires a centralized Apple service) key attestation library warden-supreme has landed. It explicitly supports alternative/custom roots of trust for the attestation chain now and comes with a test for @GrapheneOS keys: https://github.com/a-sit-plus/warden-supreme/blob/development/serverside/roboto/src/test/kotlin/GrapheneOsTests.kt

Nice! That's a good match to our academic research direction on digital identity (https://digidow.eu) - avoiding points of centralization for better resilience (against many types of threats). We'll most probably use this for our prototype Android apps that require or benefit from key attestation guarantees and can't/shouldn't use Play Integrity (e.g., because they only communicate over Tor hidden services with each other, and having a Warden backend included on one side is much easier than coming up with a form of mixnet proxy service for querying central instances while retaining an unlinkability guarantee).

What could possibly go wrong?

The US Federal Reserve (that regulates US banks) is about to reduce the capital adequacy requirement for banks (raised in the wake of the 2008 financial crisis).

Of course, nearly 20 years after the global financial crisis, regulators & bankers may say they've learned the lessons of 2008, but what they really mean is they've (wilfully) forgotten them.

Just one more act bringing a crisis nearer (as if attacking Iran wasn't;t enough)!

#politics #banking
h/t FT