Motorola and GrapheneOS announce long-term partnership

For several months, the maintainers of GrapheneOS, an alternative, security- and privacy-focused version of Android, had been hinting at a partnership with a major manufacturer. On Monday (2nd), at Mobile World Congress (MWC), we found out who the partner is: Motorola Mobility.


A critical flaw has been found in Notepad (CVE-2026-20841). That once-simple Windows editor that only displayed plain text, you know? The one Microsoft tainted with Markdown (the vector for this flaw), Copilot, and who knows what else? An attacker could place a malicious link in a Markdown file that, when clicked by the victim, would lead to code execution. Microsoft shipped a fix in the routine updates released on Tuesday (10th).

The security paradox  densediscovery.com

Living in 2026 means fighting other people on multiple fronts, something that has been normalized as “competition.” It applies to everything and always produces a paradoxical effect: the intensification of our private daily wars makes everyone's lives worse.

In the latest edition of the Australian newsletter Dense Discovery, Kai drew attention to the book Trapped: Life under security capitalism and how to escape it, by Setha Low and Mark Maguire.

The authors argue that “security has morphed from an inalienable right into a commodity hoarded by those who can afford it,” encouraged by an industry that keeps inventing ever more invasive gadgets and software under a promise that is never fulfilled. This macabre market no longer generates security; it generates fear:

The more you securitise your life, the more those walls and gates and guards make your life all about fear rather than less about fear. And so, as the fear grows, then you want more security, you buy more gadgets, you support all kinds of policing initiatives.

The paradox appears when you pull your head out of the sand. The apparatus, delusional in essence, ultimately makes the world worse for everyone:

“[This creates] a self-fulfilling prophecy of fearful people wanting more security, the state and private sector producing it, only to make the world more fearful for some and poorly protected for others.”

I think about this every time I pass walls topped with electric fences and barbed wire, affluent gated condos, CCTV cameras, and ostentatious policing. Which means I have been thinking about the subject a lot, and increasingly so.

Firefox joins Chrome and Edge in the problem of dormant extensions that spy on users  malwarebytes.com

The Malwarebytes blog warns of a new wave of malicious browser extensions. The technique they use to hide their code, steganography, is ingenious:

The use of malicious code in images is a technique called steganography. Earlier GhostPoster extensions hid JavaScript loader code inside PNG icons such as logo.png for Firefox extensions like “Free VPN Forever,” using a marker (for example, three equals signs) in the raw bytes to separate image data from payload.

Newer variants moved to embedding payloads in arbitrary images inside the extension bundle, then decoding and decrypting them at runtime. This makes the malicious code much harder for researchers to detect.

A group of researchers found 17 more malicious Firefox extensions. They have attractive names, such as “Ads Block Ultimate” and “Youtube Download.”

It is easy to see why malicious actors focus on browser extensions. They have privileged access to the most intimate app we use every day, they update automatically, and, with few exceptions, they aren’t household names — I suspect people search for extensions by purpose rather than by name. Another problem is the market for buying and selling popular extensions, which change owners with no transparency.

A good way to limit the damage is to stick to extensions endorsed by the browser stores. In Firefox, they carry a “Recommended” badge. In Chrome, extensions reviewed by Google get a green “Featured” badge, according to the store’s help section, and search results can be filtered to show only featured extensions.

About the password leak of 183 million Gmail accounts

In the same vein as the “phones that will stop running WhatsApp” beat, Brazilian news sites seem to have found a new evergreen source of clicks for their tech desks, imported from Forbes: millions of leaked Gmail passwords.

There is, in fact, a database of that kind circulating online, assembled by an undergraduate student in the United States. Troy Hunt, who runs the breach repository Have I Been Pwned, analyzed the data and found that “only” 8% of the passwords — about 14 million — are new. That makes sense, given that the database was glued together from multiple sources and prior breaches.

The main takeaway from a story like this isn’t “your Gmail password may have leaked,” but rather that “any of your passwords could leak at any time.” Not to spread alarm, but to encourage awareness of good digital security practices.

Which ones? For this situation, mostly these two:

  1. Use a password manager. It makes creating and retrieving strong, unique passwords for each service easy.
  2. Enable two‑factor authentication (or two‑step verification). It can be integrated with the very same password manager for easier adoption. In a breach, the second factor blocks unauthorized access even if someone has your password.

You can check whether your passwords have leaked by entering your email at Have I Been Pwned. If it shows up, there’s no need to panic: change the password and enable a second authentication factor. Google explains how to do this for Gmail.

Sideloading is fundamental to Android and it is not going away. Our new developer identity requirements are designed to protect users and developers from bad actors, not to limit choice. We want to make sure that if you download an app, it’s truly from the developer it claims to be published from, regardless of where you get the app. Verified developers will have the same freedom to distribute their apps directly to users through sideloading or through any app store they prefer.

Revisiting my digital security model

Digital security is what results from balancing defenses against convenience. There’s no point in shielding yourself completely if getting into your own private spaces becomes a chore; on the other hand, an easy-to-remember password (123456, for example) is almost the same as having no password at all.

This Manual has always leaned toward the shielding side, sometimes making things unnecessarily difficult when a bad outcome (breach, data loss or theft) is unlikely. In 2024, I made a course correction that I promised to share¹. Here’s that update.

The “eureka moment” came when I realized there was a third element in that security × convenience equation: the human being protected.

Someone politically exposed or dealing with sensitive third-party data, for example, needs a more robust security apparatus. Someone like me? Not so much.

In this reflection, I changed two things I consider most relevant.

The first was abandoning the YubiKey, a hardware security key used as a second authentication factor. Instead of typing the random six-digit code (TOTP, time-based one-time password) generated by apps like Google Authenticator, I would plug in the YubiKey or tap it against the back of my phone to activate it over NFC. I wrote about the YubiKey in June 2021.

Abandoning the YubiKey was motivated more by convenience, or rather by the inconvenience of using it, from frustrating scenarios (being out and needing to access a site or app that depends on the key left at home) to routine ones that add up (the key being in another room of the house).

TOTPs already provide an extra layer of security that’s good enough for someone who isn’t a target of sophisticated actors — me and probably you. And it’s always with me, on my phone and computer.

The second change was regarding TOTPs. Instead of creating and managing them in a specific app, I migrated them to the password manager.

This change goes against the usual recommendation, because if the password manager is compromised, the barrier provided by TOTP falls with it. It’s somewhat like having two locks on the door and carrying both keys on the same keychain.

The “accepted risk” here is greater than that of dispensing with the YubiKey. I’m aware and agree to continue.

The lock-and-key metaphor doesn’t account for a scenario more likely than a password manager breach: password leaks by the services themselves. That’s what worries me most. Even in this “all eggs in one basket” arrangement, TOTP would remain useful. With the password but without the random code, an account whose password had leaked would remain secure.

In parallel, passkeys are a newer proposal to complement or entirely replace passwords and second-factor authentication. I’ve already dug into the subject (April 2024) and revised my opinion a month later. I keep following the technology’s development with genuine interest.

  1. All links to blogposts written in Portuguese. Sorry, I didn’t have an English blog at the time.

The creator of cURL, Daniel Stenberg, has raised barriers against the avalanche of security reports produced by, or with the help of, generative artificial intelligence. Beyond the volume, he points out that they are often useless: “We have yet to see a single valid security report made with the help of AI.”

Most of the inappropriate uses of AI were already possible before. What changes with AI is the scale.