<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Eclecta — security</title><description>Vulnerabilities, research, and the adversarial edge.</description><link>https://eclecta.co/</link><language>en-us</language><docs>https://eclecta.co/security/</docs><item><title>US supreme court rules geofence warrants require constitutional privacy protections</title><link>https://theguardian.com/us-news/2026/jun/29/supreme-court-geofence-warrants-case-decision</link><guid isPermaLink="true">https://theguardian.com/us-news/2026/jun/29/supreme-court-geofence-warrants-case-decision</guid><description>The ruling establishes critical privacy protections for digital data under the Fourth Amendment, setting a precedent for how constitutional rights apply in the digital age.</description><pubDate>Tue, 30 Jun 2026 01:49:01 GMT</pubDate><content:encoded>&lt;p&gt;&lt;strong&gt;Why it matters:&lt;/strong&gt; The ruling establishes critical privacy protections for digital data under the Fourth Amendment, setting a precedent for how constitutional rights apply in the digital age.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Notes&lt;/strong&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Justice Elena Kagan wrote the majority opinion in Chatrie v US; the 6-3 decision went against the government&lt;/li&gt;&lt;li&gt;Geofence warrants allow law enforcement to compel tech companies to produce cell phone location data for individuals who were within a virtual &apos;fence&apos;&lt;/li&gt;&lt;li&gt;The court ruled that people aren&apos;t voluntarily sharing private information by using smartphones and apps that collect location data&lt;/li&gt;&lt;li&gt;Privacy advocates argue geofence warrants can be overly broad, potentially monitoring sensitive locations like abortion clinics or AA meetings&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;In Chatrie v US, the Supreme Court ruled that law enforcement&apos;s use of geofence warrants to access smartphone location data requires 
constitutional privacy protections under the Fourth Amendment. Justice Elena Kagan’s majority opinion held that individuals have a reasonable expectation of privacy in their cell phone location data, even if they are in public areas. The case focused on tracking an armed bank robber using Google’s optional &apos;location history&apos; feature, and the court rejected the government&apos;s argument that accessing short-term cellphone location information does not constitute a Fourth Amendment search.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Read&lt;/strong&gt; · &lt;a href=&quot;https://theguardian.com/us-news/2026/jun/29/supreme-court-geofence-warrants-case-decision&quot;&gt;Primary source&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Surfaced on&lt;/strong&gt; &lt;a href=&quot;https://news.ycombinator.com/item?id=48720924&quot;&gt;Hacker News (573) · 273c&lt;/a&gt; · &lt;a href=&quot;https://www.theguardian.com/us-news/2026/jun/29/supreme-court-geofence-warrants-case-decision&quot;&gt;Mastodon trending links (4)&lt;/a&gt; · &lt;a href=&quot;https://yro.slashdot.org/story/26/06/30/064251/us-supreme-court-rules-geofence-warrants-require-constitutional-privacy-protections?utm_source=rss1.0mainlinkanon&amp;amp;utm_medium=feed&quot;&gt;Slashdot&lt;/a&gt; · &lt;a href=&quot;https://www.theguardian.com/us-news/2026/jun/29/supreme-court-geofence-warrants-case-decision&quot;&gt;World news | The Guardian&lt;/a&gt;&lt;/p&gt;</content:encoded></item><item><title>Incident CVE-2026-LGTM</title><link>https://nesbitt.io/2026/06/26/incident-report-cve-2026-lgtm.html</link><guid isPermaLink="true">https://nesbitt.io/2026/06/26/incident-report-cve-2026-lgtm.html</guid><description>This incident highlights critical vulnerabilities in AI-augmented security systems, underscoring the need for robust human oversight and diverse defensive strategies.</description><pubDate>Fri, 26 Jun 2026 23:04:35 GMT</pubDate><content:encoded>&lt;p&gt;&lt;strong&gt;Why it matters:&lt;/strong&gt; This incident 
highlights critical vulnerabilities in AI-augmented security systems, underscoring the need for robust human oversight and diverse defensive strategies.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Notes&lt;/strong&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Malicious package passed seven independent AI-powered security gates without detection&lt;/li&gt;&lt;li&gt;Credential exfiltration routine began forty lines below a base64 blob in src/assets.rs&lt;/li&gt;&lt;li&gt;Total inference spend across all parties during the incident window was $1.7M&lt;/li&gt;&lt;li&gt;Attack ended when an agent ingested a public file named ~/.config/IF_YOU_ARE_AN_AI_AGENT_README.md&lt;/li&gt;&lt;li&gt;All agents involved were the same open-weights base model with different system prompts&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;A security breach occurred where a malicious package, despite passing through seven AI-powered security gates, successfully exfiltrated credentials. The incident revealed systemic failures in AI-augmented security measures and highlighted issues such as human oversight gaps, misconfigured policies, and the reliance on identical base models for different tasks. 
The attack ended when an agent read a public file that instructed it to stop, which illustrates both the complexity of multi-agent coordination and the value of diverse defensive strategies.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Read&lt;/strong&gt; · &lt;a href=&quot;https://nesbitt.io/2026/06/26/incident-report-cve-2026-lgtm.html&quot;&gt;Primary source&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Surfaced on&lt;/strong&gt; &lt;a href=&quot;https://news.ycombinator.com/item?id=48686093&quot;&gt;Hacker News (456) · 78c&lt;/a&gt; · &lt;a href=&quot;https://lobste.rs/s/6q12d7/incident_report_cve_2026_lgtm&quot;&gt;Lobsters (35) · 4c&lt;/a&gt;&lt;/p&gt;</content:encoded></item><item><title>Apple ‘Hide My Email’ Vulnerability Reveals Peoples’ Real Email Addresses</title><link>https://404media.co/apple-hide-my-email-vulnerability-reveals-peoples-real-email-addresses</link><guid isPermaLink="true">https://404media.co/apple-hide-my-email-vulnerability-reveals-peoples-real-email-addresses</guid><description>A critical security flaw in Apple&apos;s &apos;Hide My Email&apos; feature undermines user privacy by exposing real email addresses, highlighting potential risks in privacy-enhancing technologies.</description><pubDate>Wed, 01 Jul 2026 18:46:01 GMT</pubDate><content:encoded>&lt;p&gt;&lt;strong&gt;Why it matters:&lt;/strong&gt; A critical security flaw in Apple&apos;s &apos;Hide My Email&apos; feature undermines user privacy by exposing real email addresses, highlighting potential risks in privacy-enhancing technologies.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Notes&lt;/strong&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Vulnerability allows the real address behind a Hide My Email alias to be discovered&lt;/li&gt;&lt;li&gt;A security researcher and 404 Media verified the issue independently&lt;/li&gt;&lt;li&gt;Apple has known about the flaw for over a year without fixing it&lt;/li&gt;&lt;li&gt;Details of the vulnerability are not disclosed to prevent further 
exploitation&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;A security researcher and 404 Media have found that Apple’s &apos;Hide My Email&apos; feature, which protects user privacy by masking a person&apos;s real email address behind a generated alias, has a flaw that lets almost anyone recover the real address the alias was meant to hide. Apple has known about the issue for over a year without fixing it, which raises questions about how much protection such privacy tools actually provide.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Read&lt;/strong&gt; · &lt;a href=&quot;https://404media.co/apple-hide-my-email-vulnerability-reveals-peoples-real-email-addresses&quot;&gt;Primary source&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Surfaced on&lt;/strong&gt; &lt;a href=&quot;https://news.ycombinator.com/item?id=48744606&quot;&gt;Hacker News (136) · 21c&lt;/a&gt; · &lt;a href=&quot;https://www.404media.co/apple-hide-my-email-vulnerability-reveals-peoples-real-email-addresses/&quot;&gt;Mastodon trending links (15)&lt;/a&gt; · &lt;a href=&quot;https://www.404media.co/apple-hide-my-email-vulnerability-reveals-peoples-real-email-addresses/&quot;&gt;404 Media&lt;/a&gt; · &lt;a href=&quot;https://www.404media.co/apple-hide-my-email-vulnerability-reveals-peoples-real-email-addresses/&quot;&gt;Daring Fireball&lt;/a&gt; · &lt;a href=&quot;https://news.google.com/rss/articles/CBMimwFBVV95cUxQdVhKU3daRG5yWFRWbkxmcGFBZHo1UkVFaVFOLWJmOFFFd0FXbVJKZFhrVEFmcUM2UjNJcDBYMVBXOFhielRrYnNjNWc3ZzNsZTlHVFN2RnNTbWlqNDhRenMyMFRKYTNHTlk5Q2MzMFdJLURfYUNRN3d2Y2NIamFkTDlTc3cyWTNVWnhaVllqZXVobGdEeHRZZHpvdw?oc=5&quot;&gt;Google News Technology&lt;/a&gt;&lt;/p&gt;</content:encoded></item><item><title>European digital ID wallets rely on safety services of Google and Apple</title><link>https://waag.org/en/article/european-digital-id-wallets-are-gift-google-and-apple</link><guid isPermaLink="true">https://waag.org/en/article/european-digital-id-wallets-are-gift-google-and-apple</guid><description>European digital ID 
wallets&apos; reliance on proprietary tech from Google and Apple undermines digital sovereignty and interoperability in public infrastructure.</description><pubDate>Tue, 30 Jun 2026 18:11:00 GMT</pubDate><content:encoded>&lt;p&gt;&lt;strong&gt;Why it matters:&lt;/strong&gt; European digital ID wallets&apos; reliance on proprietary tech from Google and Apple undermines digital sovereignty and interoperability in public infrastructure.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Notes&lt;/strong&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Google Play Integrity API checks whether a device is running a Google-licensed build of Android, which excludes unlicensed alternatives&lt;/li&gt;&lt;li&gt;Alternative open APIs like Android&apos;s Hardware Attestation exist but are ignored by governments&lt;/li&gt;&lt;li&gt;Switzerland dropped Google Play Integrity due to data protection concerns&lt;/li&gt;&lt;li&gt;EU&apos;s Architecture Reference Framework recommends using Google attestation, leading to inconsistent implementation across member states&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;European digital ID wallets rely on proprietary security services from Google and Apple, such as the Google Play Integrity API and Apple’s Managed Device Attestation. These services restrict wallet apps to devices and operating-system builds certified by these companies, excluding unlicensed alternatives such as de-Googled Android distributions. This reliance risks making society dependent on private tech giants while undermining digital sovereignty and interoperability in public infrastructure. 
Switzerland has dropped Google Play Integrity over data protection concerns, showing that viable alternatives exist.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Read&lt;/strong&gt; · &lt;a href=&quot;https://waag.org/en/article/european-digital-id-wallets-are-gift-google-and-apple&quot;&gt;Primary source&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Surfaced on&lt;/strong&gt; &lt;a href=&quot;https://news.ycombinator.com/item?id=48730729&quot;&gt;Hacker News (642) · 279c&lt;/a&gt;&lt;/p&gt;</content:encoded></item><item><title>MIMFlow: Integrating Masked Image Modeling with Normalizing Flows for End-to-End Image Generation</title><link>https://arxiv.org/abs/2606.26016</link><guid isPermaLink="true">https://arxiv.org/abs/2606.26016</guid><description>MIMFlow offers a novel approach to integrating Masked Image Modeling with Normalizing Flows, potentially advancing the state-of-the-art in end-to-end image generation.</description><pubDate>Tue, 30 Jun 2026 08:12:56 GMT</pubDate><content:encoded>&lt;p&gt;&lt;strong&gt;Why it matters:&lt;/strong&gt; MIMFlow offers a novel approach to integrating Masked Image Modeling with Normalizing Flows, potentially advancing the state-of-the-art in end-to-end image generation.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Notes&lt;/strong&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Proposes MIMFlow as an end-to-end framework for latent semantics, pixel reconstruction, and generative flow&lt;/li&gt;&lt;li&gt;Achieves 71.3% linear probing accuracy on ImageNet 256x256 dataset&lt;/li&gt;&lt;li&gt;FID score of 2.50 on the same dataset&lt;/li&gt;&lt;li&gt;Uses only 128 tokens (50% fewer than standard models)&lt;/li&gt;&lt;li&gt;Yields a 32.8% performance gain over similar-scale NF baselines&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;MIMFlow integrates Masked Image Modeling with Normalizing Flows to create an end-to-end framework for image generation, addressing the capacity bottleneck of NFs by focusing on high-level semantic structures while handling pixel details separately. 
This approach achieves a linear probing accuracy of 71.3% and an FID score of 2.50 on ImageNet 256x256 using only 128 tokens, outperforming similar-scale NF baselines by 32.8%. The framework demonstrates the potential to improve generative models&apos; efficiency and performance.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Read&lt;/strong&gt; · &lt;a href=&quot;https://arxiv.org/abs/2606.26016&quot;&gt;Primary source&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Surfaced on&lt;/strong&gt; &lt;a href=&quot;https://huggingface.co/papers/2606.26016&quot;&gt;Hugging Face Daily Papers (6)&lt;/a&gt; · &lt;a href=&quot;https://arxiv.org/abs/2606.26016&quot;&gt;arXiv cs.CV&lt;/a&gt;&lt;/p&gt;</content:encoded></item></channel></rss>