Deep Dig Weekly / #03
Hey there! 👋
Welcome to my weekly cybersecurity newsletter. Each week, I share practical insights on emerging threats, education, privacy, and technology.
DeepSeek
Wiz Research has uncovered a significant security breach in DeepSeek's infrastructure, as reported in their security advisory. The incident, dubbed "DeepLeak," revealed a ClickHouse database that was completely exposed to public access without any authentication requirements. This oversight potentially allowed unrestricted access to a wide range of sensitive information, including secret keys, plaintext chat conversations, internal system details, and operational logs, essentially providing a window into the company's core operations and user interactions.
The discovery was made through basic reconnaissance of DeepSeek's public infrastructure, highlighting a fundamental gap in their security architecture. While DeepSeek's response was swift once notified, with immediate measures taken to restrict public access and remove the database from internet exposure, the incident underscores a critical lesson for organizations developing AI systems: robust infrastructure security must be a foundational element of AI development and deployment.
DeepSeek presents substantial privacy and security concerns according to Proton's analysis. The platform's data collection scope is extensive, encompassing profile information, user interactions, device data, and usage patterns. What makes this collection particularly concerning is DeepSeek's operational context under China's 2017 National Intelligence Law, which requires companies to assist in government intelligence operations, with no legal recourse to refuse. This legal framework differs significantly from Western jurisdictions, where companies like OpenAI and Google can challenge government data requests through legal channels. The situation has already drawn attention from European regulators, with Italy's Data Protection Authority blocking access to DeepSeek and Ireland's Data Protection Commission launching investigations into the company's data handling practices. These investigations focus particularly on GDPR compliance and the implications of data storage on servers in China, where government access is mandatory rather than subject to judicial oversight.
BlackSky: Pioneering Independent Community on BlueSky's Protocol
BlackSky has emerged as one of the first and largest independent instances built on BlueSky's AT Protocol, marking a significant milestone in decentralized social media development. Recently transforming from a community project to BlackSky Algorithms Inc., the platform has demonstrated how BlueSky's decentralized infrastructure can be successfully implemented beyond its main instance. With one million unique users and specialized community feeds, BlackSky showcases the practical application of BlueSky's vision for decentralized social networking. The platform has assembled a dedicated team of eight community moderators and four open-source developers who maintain their own implementation of the AT Protocol, proving that independent instances can thrive while maintaining strong community governance and specialized focus. This success story represents a crucial test case for BlueSky's decentralized approach, showing how their protocol can empower communities to build and maintain their own social spaces while remaining interconnected with the broader network.
OpenAI's Controversial Move into Nuclear Security
In a significant development that raises important questions about AI governance and nuclear security, OpenAI has announced a partnership with US National Laboratories for nuclear security applications, as reported by Futurism. The collaboration will grant approximately 15,000 scientists access to OpenAI's latest o1 series models, focusing on reducing nuclear war risks and enhancing the security of nuclear materials and weapons worldwide. This announcement, made by CEO Sam Altman in Washington, DC, comes alongside the release of ChatGPT Gov, a platform specifically designed for US government applications.
This partnership emerges during a complex period of rapid AI advancement and regulatory changes. It coincides with OpenAI's significant market valuation discussions, reportedly reaching $340 billion, and their commitment to a substantial AI infrastructure investment through the Stargate initiative. However, the timing and nature of this collaboration have sparked concerns among security experts, particularly given the documented instances of AI models exhibiting unpredictable behaviours such as data leaks and hallucinations. The partnership represents a critical juncture in the intersection of artificial intelligence and nuclear security, raising important questions about the balance between technological innovation and responsible deployment in highly sensitive domains.
Vulnerability Watch
Google Play Store Security Measures
Google's annual security report reveals significant efforts to protect the Android ecosystem. Their preventive measures blocked 2.36 million policy-violating applications and banned over 158,000 malicious developer accounts. Additionally, their systems prevented 1.3 million applications from accessing unnecessary sensitive user data, demonstrating Google's commitment to maintaining ecosystem integrity.
Critical Side-Channel Vulnerabilities Discovered in Apple Silicon
Researchers from Georgia Institute of Technology and Ruhr University Bochum have uncovered two significant security vulnerabilities in Apple's custom chips, as reported by Ars Technica. The first vulnerability, named FLOP, exploits the Load Value Predictor (LVP) component in M3 and A17 chips, allowing attackers to access browser memory and extract sensitive information like credit card details, location history, and email contents from services including Google Maps, Proton Mail, and iCloud Calendar. The attack requires users to have both a malicious website and a target service open for 5-10 minutes.
The second vulnerability, SLAP, targets the Load Address Predictor (LAP) feature present since the M2/A15 generation. Though less severe and limited to Safari, SLAP can compromise privacy by reading sensitive strings between browser tabs when a user is authenticated on services like Gmail, Amazon, or Reddit. The vulnerabilities affect a broad range of devices manufactured since late 2021, including MacBooks, desktop Macs, iPads, and iPhones from the 13 series onward. While Apple acknowledges these findings, stating they "do not believe this issue poses an immediate risk to users," researchers have proposed mitigations, and patches are reportedly under consideration.
Until next week for more insights! 📮