Technology

https://commet.chat/

@commetchat@fosstodon.org

A business consultant is raising alarms about AI-conducted job interviews after he says a tech company’s evaluation of him drew some concerning conclusions, including criticizing his "habitual" use of Google's Chrome internet browser.

As some companies outsource job interviews to artificial intelligence, rejected candidates can be left wondering what went wrong.

After not hearing back about a job he applied for in Madrid with marketing company Anteriad, Daniel Alvarez, who is based in Spain, decided to find out exactly how the AI judged him.

He obtained a copy of the AI-generated evaluation from Anteriad under the European Union’s General Data Protection Regulation. The company had used a third-party firm called ChattyHiring to conduct the screening interview.

Alvarez, who is not Canadian but lived in Toronto for much of last year, shared the full evaluation and transcript with CBC News. He said he was not impressed by what he found, and doesn't feel companies should use AI interviews in the hiring process.

“It's not a human-to-human interaction when you have, for example, language repair.... I can say something, and depending on your face, I can immediately rephrase it," he said.

"That’s gone in this kind of interaction."

Government by regulation structures how constitutional democracies normally operate. Legislatures and executive agencies enact formal rules that govern conduct, embodying the ideal of government by laws rather than by individuals. Yet regulators also govern through threats of regulation. When public officials seek to alter private behavior, they may warn regulated actors that failure to comply will trigger new or stricter rules. These warnings can achieve regulatory goals without the adoption of formal rules. Because officials often issue such threats in informal, private communications, the practice escapes public scrutiny and challenges the dominant model of democratic rule-making, which assumes open deliberation by accountable institutions. This paper theorizes threats of regulation as a governance device that remains largely invisible to outsiders but offers significant advantages to regulators. Although United States courts attempt to distinguish unlawful coercion from permissible persuasion, they struggle to enforce these boundaries in practice. The paper argues that increasing transparency in routine communications between regulators and corporate actors would reduce the risk of abuse while preserving regulatory effectiveness.

In September last year, Peter Mandelson was fighting to keep his job as British Ambassador to the US after the first raft of revelations about the extent of his friendship with Jeffrey Epstein.

Within hours of the details emerging, an anonymous Wikipedia editor had made changes to Mandelson’s page that distanced him from Epstein and cast him in a sympathetic light. That editor has since been blocked for making undisclosed paid changes.

New details about the relationship between the two – including that Mandelson recommended a villa where Epstein could host his “guests” – have sparked a national scandal in recent weeks and led to pressure on Keir Starmer to step down as prime minister.

But over the course of two days in September, while Mandelson was still in his government job, the mysterious account made a series of edits that either reflected more favourably on him or pushed details of the Epstein scandal under unrelated information.

And when Mandelson was eventually sacked on 11 September, it moved within hours to remove the reason given by the Foreign Office for his dismissal: that Mandelson had told Epstein his 2008 conviction for sex offences was wrong and encouraged him to clear his name.

Study.

Archive.

This investigation surveyed the entire Chrome Web Store, filtering extensions that request sensitive permissions (history, tabs, webRequest, etc.) and we scanned with our method top 32,000 extensions ordered by user count. Using Docker with Chromium behind a man‑in‑the‑middle proxy, we simulated browsing sessions and recorded every outbound request. By correlating request size with URL length we derived a leakage metric (Redp); values ≥ 1.0 indicate definite history exfiltration, while 0.1 ≤ Redp < 1.0 suggest probable leakage.

The pipeline flagged 287 extensions that actively transmit users’ browsing histories. Manual inspection of the captured traffic revealed a variety of obfuscation schemes: base64, ROT47, LZ‑String compression, and full AES‑256 encryption wrapped in RSA‑OAEP. Decoding these payloads showed raw Google search URLs, page referrers, user IDs and timestamps being sent to a network of proprietary domains and cloud‑provider endpoints.

We leveraged the leakage further and by browsing URLs of the honeypot in the sandboxed environment we allowed those data to be leaked. Honeypot URLs lured some actors and were accessed by known scraper IPs (Amazon Japan, Google LLC, Kontera), confirming active harvesting pipelines. We applied OSINT to the leaking extensions and managed uncover some actors.

Aggregating install counts gave an exposure of roughly 37.4 million users, representing roughly about 1 % of global Chrome users. The majority of the activity clusters around a handful of actors: SimilarWeb (≈ 10 M users), Alibaba‑related groups, Bytedance, and a cluster of Chinese data‑broker firms. Many extensions appear under reputable brand names (e.g., “SimilarWeb - Website Traffic & SEO Checker”) while others masquerade as utilities such as ad blockers (“Ad Blocker: Stands AdBlocker”) or AI assistants.

Limitations include the inability to see WebSocket or DNS‑tunneled traffic and the fact that some extensions only leak after a privacy‑policy popup is accepted, meaning the 37.4 M is a conservative lower bound.

They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.

This CVE is an 8.8 severity RCE in Notepad of all things.

Apparently, the "innovation" of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.

We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.

https://notiziariosicurezza.it/badge-digitale-obbligatorio-guida-completa-per-le-imprese/

Last month, the popular social video app TikTok finalized a deal with investors, including Oracle, to appease a bipartisan bill that called on the app’s Chinese owner, ByteDance, to divest — or be banned in the United States.

The deal launched a frenzy among its US-based users over possible censorship, with some accusing it of taking down footage of ICE agents or restricting searches for words, such as “Epstein.” While TikTok denied these claims, pointing to a “data center power outage,” the app also changed its privacy policy at the time — now allowing it to collect more detailed data on its users, including their precise locations.

That sparked new fears. As The New Republic argues, TikTok’s deal means that agents at Immigration and Customs Enforcement (ICE), whose deportation efforts have been supercharged under the Trump administration, could skip tedious court-ordered data requests and monitor users by buying their data from private data brokers that obtain the info from TikTok directly — a “highly ironic” development, the magazine writes, considering the ByteDance deal was motivated in the first place by fears over Chinese state-sponsored surveillance.

In the days after the US Department of Justice (DOJ) published 3.5 million pages of documents related to the late sex offender Jeffrey Epstein, multiple users on X have asked Grok to “unblur” or remove the black boxes covering the faces of children and women in images that were meant to protect their privacy.

DDoS hit blog that tried to uncover Archive.today founder's identity in 2023. [...] A Tumblr blog post apparently written by the Archive.today founder seems to generally confirm the emails’ veracity, but says the original version threatened to create “a patokallio.gay dating app,” not “a gyrovague.gay dating app.”

https://www.heise.de/en/news/Archive-today-Operator-uses-users-for-DDoS-attack-11171455.html:

By having Archive.today unknowingly let users access the Finnish blogger's URL, their IP addresses are transmitted to him. This could be a point of attack for prosecuting copyright infringements.

LiftKit: UI Framework for Perfectionists LiftKit by Chainlift is an open-source design system based on the golden ratio available for React/Next.js, Webflow, and Figma.

https://www.chainlift.io/liftkit

It's a day with a name ending in Y, so you know what that means: Another OpenClaw cybersecurity disaster.

This time around, SecurityScorecard's STRIKE threat intelligence team is sounding the alarm over the sheer volume of internet-exposed OpenClaw instances it discovered, which numbers more than 135,000 as of this writing. When combined with previously known vulnerabilities in the vibe-coded AI assistant platform and links to prior breaches, STRIKE warns that there's a systemic security failure in the open-source AI agent space.

"Our findings reveal a massive access and identity problem created by poorly secured automation at scale," the STRIKE team wrote in a report released Monday. "Convenience-driven deployment, default settings, and weak access controls have turned powerful AI agents into high-value targets for attackers."

On January 14, 2026, global telnet traffic observed by GreyNoise sensors fell off a cliff. A 59% sustained reduction, eighteen ASNs going completely silent, five countries vanishing from our data entirely. Six days later, CVE-2026-24061 dropped. Coincidence is one explanation.

The pattern points toward one or more North American Tier 1 transit providers implementing port 23 filtering