
I spent most of this week explaining to people that ‘human in the loop’ doesn’t mean what they think it means. It’s not governance. It’s liability assignment with extra steps.
Anyway, here’s what happened whilst we were all pretending AI would solve our problems.
—
MCP 2.0: stateless and chaotic
They’ve fixed the old problems and created six shiny new ones. MCP 2.0 is stateless, which sounds great until your developers start leaking API keys into headers and attackers spawn infinite expensive tasks then vanish. The protocol’s fine. Everything built on it will be a mess.
https://www.securityweek.com/new-enterprise-ready-mcp-specification-brings-new-security-challenges
—
Age verification is surveillance cosplay
Age verification isn’t about protecting children. It’s a surveillance infrastructure dressed in child safety rhetoric, designed to automatically match your words to your real identity so authorities can find you faster. Don’t volunteer that.
https://nonogra.ph/age-verification-is-just-a-precursor-to-attribution-of-speech-06-29-2026
—
Quantum cryptography gets a deadline
We have five years to swap out the cryptography keeping our secrets safe. Or some qubit like that. I don’t fully understand quantum, but I do understand deadlines imposed by executive order, and they’ve never made things calmer.
—
Stop blaming AI for your broken helpdesk
If your service desk is still proving identity by asking things an attacker can find, steal, or convincingly fake, then the process is the vulnerability. Stop blaming AI.
—
The Gentlemen were actually quite sophisticated
The Gentlemen ransomware group found a zero-day in an obscure driver, chained it with kernel exploits, and killed EDR dead before deploying their payload. Sophisticated toolkit work. Slightly admired the engineering, even if the outcome was grim.
—
81 million reasons your Conditional Access doesn’t work
81 million login attempts. 78 compromised accounts. Conditional Access policies that didn’t actually condition anything. The spray attack from LSHIY LLC worked because organisations built security theatre instead of security.
https://www.huntress.com/blog/lshiy-password-spray-attack
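The reason a spray gets past per-account lockouts and loosely written Conditional Access is that it is low-and-slow per account and wide across accounts, so the signal lives in the source, not the victim. The script below is an added example (mine, not the newsletter's and not from the Huntress write-up) that runs over a constructed set of sign-in records and flags a source that fails against many distinct accounts with only a couple of tries each, then reports any account that subsequently succeeded from that same source. The thresholds and the IP addresses are assumptions for the demonstration.

```python
"""Password-spray detection over constructed sign-in records.

Added example: the events below are made up. A spray looks like one source
trying a few passwords against many accounts, so we key on distinct usernames
per source rather than failures per account (which lockout thresholds never
trip). Field order: (timestamp, source_ip, username, outcome).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one spraying source (203.0.113.7) cycles six accounts
# twice and eventually lands on "frank"; one ordinary user on 198.51.100.5
# fat-fingers a password a few times and then signs in.
SAMPLE_EVENTS = [
    ("2026-06-29T01:00:00", "203.0.113.7", "alice", "fail"),
    ("2026-06-29T01:00:10", "203.0.113.7", "bob", "fail"),
    ("2026-06-29T01:00:20", "203.0.113.7", "carol", "fail"),
    ("2026-06-29T01:00:30", "203.0.113.7", "dave", "fail"),
    ("2026-06-29T01:00:40", "203.0.113.7", "erin", "fail"),
    ("2026-06-29T01:00:50", "203.0.113.7", "frank", "fail"),
    ("2026-06-29T01:01:00", "203.0.113.7", "alice", "fail"),
    ("2026-06-29T01:01:10", "203.0.113.7", "bob", "fail"),
    ("2026-06-29T01:01:20", "203.0.113.7", "carol", "fail"),
    ("2026-06-29T01:01:30", "203.0.113.7", "dave", "fail"),
    ("2026-06-29T01:01:40", "203.0.113.7", "erin", "fail"),
    ("2026-06-29T01:01:50", "203.0.113.7", "frank", "fail"),
    ("2026-06-29T01:02:00", "203.0.113.7", "frank", "success"),
    ("2026-06-29T01:05:00", "198.51.100.5", "carol", "fail"),
    ("2026-06-29T01:05:10", "198.51.100.5", "carol", "fail"),
    ("2026-06-29T01:05:20", "198.51.100.5", "carol", "fail"),
    ("2026-06-29T01:05:30", "198.51.100.5", "carol", "fail"),
    ("2026-06-29T01:05:40", "198.51.100.5", "carol", "success"),
]


def parse_events(rows):
    """Turn ISO timestamps into datetimes; everything else is kept as-is."""
    return [(datetime.fromisoformat(ts), ip, user, outcome)
            for ts, ip, user, outcome in rows]


def detect_spray(events, window=timedelta(minutes=30),
                 min_users=5, max_per_user=3):
    """Flag sources whose failed sign-ins inside any `window` touch at least
    `min_users` distinct accounts with no more than `max_per_user` failures
    each. Thresholds are assumed values for the example, not a standard.

    Returns {source_ip: {"distinct_users", "failed_attempts", "compromised"}}
    where "compromised" lists accounts that succeeded from that source at or
    after the start of the flagged window.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        by_ip[ip].append((ts, user, outcome))

    alerts = {}
    for ip, rows in by_ip.items():
        fails = [(ts, u) for ts, u, o in rows if o == "fail"]
        # Slide a window forward from each failure; the first window that
        # matches the spray shape is enough to raise the alert for this source.
        for i, (start, _) in enumerate(fails):
            in_window = [u for ts, u in fails[i:] if ts - start <= window]
            per_user = Counter(in_window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                successes = sorted({u for ts, u, o in rows
                                    if o == "success" and ts >= start})
                alerts[ip] = {
                    "distinct_users": len(per_user),
                    "failed_attempts": len(in_window),
                    "compromised": successes,
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {info['distinct_users']} accounts, "
              f"{info['failed_attempts']} failures, "
              f"successes afterwards: {info['compromised']}")
```

Two things to notice when adapting this to real sign-in logs: the benign user who mistypes four times is never flagged, because the rule counts accounts, not attempts; and a source that hammers one account with many passwords is deliberately not flagged here either, since that is a different pattern (brute force or credential stuffing) and deserves its own rule rather than a loosened threshold on this one. The "success after spray from the same source" field is the part worth alerting on loudly, because it is the 78-accounts-out-of-81-million figure in miniature.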
—
Everyone’s upset about the wrong bit of the Klue breach
Everyone’s upset about Klue’s breach. They should be upset about Klue’s architecture instead.
—
That’s your lot. If you fancy arguing about what constitutes a vulnerability anymore (does anyone actually know?), hit reply. Otherwise I’ll see you next week when we’ll all be pretending last week’s problems were someone else’s fault.
