Breach of Confidence

I spent most of this week explaining to people that ‘human in the loop’ doesn’t mean what they think it means. It’s not governance. It’s liability assignment with extra steps.

Anyway, here’s what happened whilst we were all pretending AI would solve our problems.

MCP 2.0: stateless and chaotic

They’ve fixed the old problems and created six shiny new ones. MCP 2.0 is stateless, which sounds great until your developers start leaking API keys into headers and attackers spawn infinite expensive tasks then vanish. The protocol’s fine. Everything built on it will be a mess.

https://www.securityweek.com/new-enterprise-ready-mcp-specification-brings-new-security-challenges

Age verification is surveillance cosplay

Age verification isn’t about protecting children. It’s a surveillance infrastructure dressed in child safety rhetoric, designed to automatically match your words to your real identity so authorities can find you faster. Don’t volunteer that.

https://nonogra.ph/age-verification-is-just-a-precursor-to-attribution-of-speech-06-29-2026

Quantum cryptography gets a deadline

We have five years to swap out the cryptography keeping our secrets safe. Or some qubit like that. I don’t fully understand quantum, but I do understand deadlines imposed by executive order, and they’ve never made things calmer.

https://arstechnica.com/information-technology/2026/06/executive-order-bumps-up-deadline-to-move-off-quantum-vulnerable-crypto

Stop blaming AI for your broken helpdesk

If your service desk is still proving identity by asking things an attacker can find, steal, or convincingly fake, then the process is the vulnerability. Stop blaming AI.

https://api.cyfluencer.com/s/when-hi-it-becomes-a-breach-how-to-defend-against-ai-driven-social-engineering-28238

The Gentlemen were actually quite sophisticated

The Gentlemen ransomware group found a zero-day in an obscure driver, chained it with kernel exploits, and killed EDR dead before deploying their payload. Sophisticated toolkit work. Slightly admired the engineering, even if the outcome was grim.

https://expel.com/blog/not-very-gentlemanly-analyzing-a-zero-day-exploit-used-by-the-gentlemen-ransomware-to-disable-targets-edrs

81 million reasons your Conditional Access doesn’t work

81 million login attempts. 78 compromised accounts. Conditional Access policies that didn’t actually condition anything. The spray attack from LSHIY LLC worked because organisations built security theatre instead of security.

https://www.huntress.com/blog/lshiy-password-spray-attack

Everyone’s upset about the wrong bit of the Klue breach

Everyone’s upset about Klue’s breach. They should be upset about Klue’s architecture instead.

https://api.cyfluencer.com/s/what-the-klue-breach-reveals-about-saas-supply-chain-risk-and-standing-secrets-28287

That’s your lot. If you fancy arguing about what constitutes a vulnerability anymore (does anyone actually know?), hit reply. Otherwise I’ll see you next week when we’ll all be pretending last week’s problems were someone else’s fault.