PEAKS No 46: AI Voice Attacks, macOS Security, Copilot Prompt Injection & Google's War on the Web

Hi there!

🛡️ Security & Privacy

  • Inaudible sounds hidden in podcasts and videos can silently hijack AI voice chatbots, injecting malicious commands below the threshold of human hearing — a new class of adversarial prompt injection that works in the real world without the victim noticing anything. More
  • Microsoft Copilot Cowork is vulnerable to file exfiltration via indirect prompt injection: insecure automatic action approvals for sending emails and Teams messages allow attackers to steal files from your workspace without any explicit user confirmation. More
  • macOS Tahoe 26.5 patches 79 CVEs — the largest kernel-bug count in a single Apple update, including CVE-2026-28819 (arbitrary code execution at kernel level via Wi-Fi, affects all three macOS versions) and a kernel root-escalation bug (CVE-2026-28952) discovered with the help of Claude. Update now. More
  • Your connected car is a rolling surveillance device, collecting biometric data, location, driving habits, and facial expressions — most automakers reserve the right to sell that data, and a new BBC investigation warns things are about to get significantly worse as AI gets embedded deeper into vehicles. More
  • Big Tech earns up to $831,000 in lifetime value from each US internet user's data, according to a new Web3 Foundation report — roughly equivalent to two median-priced American homes, all harvested from nominally "free" services. More
  • BadHost (CVE-2026-48710): a critical flaw in Starlette — the Python ASGI framework downloaded 325 million times a week — lets attackers bypass path-based auth with a single injected character in the HTTP Host header, exposing FastAPI, vLLM, LiteLLM, and most MCP servers. Patch to Starlette ≥ 1.0.1 immediately. More
  • CIFSwitch: a Linux kernel local root vulnerability via forged cifs.spnego upcall disclosed on the oss-sec list, adding to a growing streak of Linux LPE disclosures this month. More
  • Shamir's Secret Sharing explained visually by Ente — a beautifully clear breakdown of how threshold cryptography lets any k of n keyholders reconstruct a secret, with no single point of failure. Essential reading for anyone designing resilient secret storage. More

🛸 Tech

  • Six search engines worth trying as Google pivots away from links — TechCrunch rounds up the best alternatives now that AI Overviews are replacing the open web as Google's default output. Pairs perfectly with this week's analysis of Google's war on the web. More
  • ETH Zurich achieved certifiably perfect randomness for the first time, using a quantum experiment to generate truly unpredictable numbers — a breakthrough with major implications for cryptography and secure key generation. More
  • Apple and Google are now actively rewriting your push notifications using on-device AI before they reach you — filtering, summarising, and ranking them — with zero visibility to the sender about what changed or was suppressed. More

🤖 AI

  • Anthropic released Claude Opus 4.8, improving on 4.7 across coding, reasoning, and agentic benchmarks; users can now control effort level per task, and fast mode is now 3× cheaper. Claude Code also gains Dynamic Workflows — parallel execution across tens to hundreds of subagents for large-scale problems, with built-in self-verification before output reaches you. More (Opus 4.8) · More (Dynamic Workflows)
  • Anthropic also shipped a self-hosted Claude sandbox and a developer security guidance plugin that flags vulnerabilities as you write code — already widely used internally before public release. More
  • "Using AI to write better code more slowly" — a refreshing counter-narrative: AI is most valuable not as a slop accelerator but as a thoughtful collaborator that helps you slow down, reason more carefully, and produce higher-quality output than you'd write alone. More
  • Domain expertise remains the real competitive moat in the AI era — deep knowledge of your problem domain will always outperform raw AI fluency, because you still need to know whether the model is correct. More

🛠️ Tools

  • AudioMass — Free, full-featured, browser-based audio and waveform editor. No install, no account, works entirely in your browser.
  • Secluso — Privacy-preserving Raspberry Pi home security camera with end-to-end encryption for self-hosted home surveillance.

🍹 Misc

And because summer has just started, learn how to make an electrolyte drink at home.

📩 Please feel free to share this article with colleagues and friends who will find it valuable.

Thanks for reading!

Have a great day!
Bogdan