Face it. The A.I., Privacy, and Security Weekly Update for the Week Ending July 14th. 2026

 Episode 300


In this week's update

UK shops are about to call the police on you within four seconds of you walking through the door - and you don't have to do anything wrong first.

A GitHub account sat completely silent for 19 months, then woke up and dropped a working mass-exploit kit within minutes - and age on the internet is not the same as trust.

Fifty-five percent of Americans have quietly stopped posting on social media - and the reason isn't what the platforms want to admit.

Recruiters say they can't find workers. New graduates say they can't find jobs. The economy says both of them are right - and AI is not actually the villain in this one.

Applied AI engineering is becoming one of the hottest jobs in tech, and the skill that matters most is not writing clever prompts - it's building report cards for AI that catch the model when it quietly does something dangerous.

The Pentagon opened a paid cybersecurity apprenticeship that requires no degree, no experience, and no prior skills - and 70,000 people showed up within days.

Russian intelligence didn't hack into military networks to spy on NATO supply convoys - they just looked through the security cameras of ordinary homes with default passwords.

The US and China are fighting an AI war on two fronts simultaneously: American companies are secretly using Chinese models to cut costs, and Chinese teams are running millions of fake conversations with American AI to steal what makes it work.

Cloudflare has stopped asking you to click the traffic lights. Now it just watches your mouse move - for your entire visit - and decides from there.

This week's stories are united by a single uncomfortable observation: the systems we built for convenience keep turning into systems of surveillance, and the systems we built for security keep being the ones we forgot to secure. Some of this week is alarming. Some of it is genuinely useful. All of it is worth understanding. 

Let's face it.


UK: Alarm over launch of facial recognition in UK shops that instantly alerts police 

Live facial recognition is quietly becoming part of the shopping experience in the UK.

Facewatch, a company already used by more than 100 retailers, including Sainsbury's and Spar, is rolling out a system that can alert police within seconds if someone on a watchlist walks into a participating store.

Supporters say it helps stop repeat offenders before crimes happen and gives retail workers an extra layer of protection.

Privacy advocates see it very differently. They argue the technology moves society closer to a world where people are scanned first and questioned later.

Groups including Liberty and the Open Rights Group warn that facial recognition can make mistakes, has shown bias in some deployments, and lacks meaningful oversight when used by private companies.

The debate is happening because retail crime is rising, and stores are looking for new ways to respond. 

Facewatch says its system identifies known repeat offenders and can notify police in about four seconds.

Critics counter that walking into a store is not a crime, and they worry people could be treated as suspects before doing anything wrong.

This is bigger than shoplifting. It is another sign that facial recognition is moving from airports and police investigations into everyday life.

Once these systems become normal in stores, they are likely to appear in more places where people work, shop, and socialize unless lawmakers set clear boundaries.

So what's the upshot for you? 

Your face is becoming as trackable as your mobile. 

If privacy matters to you, start paying attention not just to what apps collect about you, but also to what the cameras already know every time you walk through the front door.

US: A GitHub Account Slept for Nineteen Months, Then Woke Up to Drop a One-Click Mass-Exploit Kit 

A GitHub account that had been completely silent for 19 months suddenly sprang to life and, within minutes, published a one-click exploit kit targeting a critical flaw in Progress Kemp LoadMaster.

The vulnerability, tracked as CVE-2026-8037, is a remote code execution bug that attackers are already exploiting in the wild. Researchers spotted the activity almost immediately, but it is a reminder of just how quickly cybercriminals move once a weakness becomes public.

What makes this story interesting is not just the exploit. It is the account itself. Dormant accounts can build trust simply because they have existed for a long time without raising suspicion. Then, when they finally become active, they can spread malware, exploits, or malicious code before anyone realizes something is wrong.

That is becoming a familiar tactic across software supply chain attacks. For businesses running affected LoadMaster systems, the message is simple. Patch immediately if you have not already. 

Once public exploit code is available, the race changes from 'Could this happen?' to 'How fast can someone scan the internet and find me?' That window can shrink from weeks to hours.

There is also a broader lesson here. Age is not a trust signal online. An old GitHub account, a long-standing social media profile, or a familiar email address can all be hijacked or repurposed. 

Reputation is useful, but verification still matters.

The smartest habit you can develop is to be suspicious of anything that suddenly wakes up after a long silence.

So what's the upshot for you? 

In cybersecurity, the quietest account in the room sometimes has the loudest surprise waiting for you.

US: Why 55% of Americans Stopped Posting On Social Media 

For years, social media has trained us to share everything. Breakfast. Vacations. Random thoughts. Now the pendulum has swung the other way. A new survey found that 55 percent of Americans post less than they did five years ago, and only 10 percent say they're posting more.

People are not necessarily leaving social media. They're just getting a lot quieter.

The reasons are easy to understand. Feeds that once showed friends and family are now packed with ads, algorithm-picked videos, political arguments, and AI-generated junk. More than half of respondents said maintaining an online presence feels like work instead of fun.

Many are tightening their privacy settings, sharing with smaller groups, or simply choosing not to post at all. Privacy is a huge driver. More than half of those surveyed said concerns about how their data is collected and used make them think twice before sharing. Others pointed to harassment, anxiety, and the feeling that every post is permanent and open to judgment. Younger adults reported the highest levels of stress and were the most likely to delete apps altogether.

The biggest shift is that social media is becoming less social. 

People are still scrolling, but they're interacting less and watching more. The internet has evolved from a place where friends talked to each other into a place where algorithms compete for your attention. That changes not only what you see, but whether you feel like saying anything at all.

So what's the upshot for you? 

Every post becomes part of your digital reputation, but every post you don't make is one less piece of free intelligence for advertisers, scammers, employers, and AI models. Sometimes the smartest status update is the one you never publish.

US: Why Recruiters Can't Find Workers and New Grads Can't Find Jobs (It's Not AI) 

The easy explanation is to blame AI for today's tough job market. The harder truth is that AI is only part of the story. Economists say a much bigger problem is brewing. America is running out of workers. Birth rates are down, immigration has slowed, baby boomers are retiring, and fewer people are entering the workforce.

At the same time, employers say many graduates simply are not showing up with the skills they need. That leaves us with a strange situation. Recruiters complain they cannot fill open positions, while new graduates complain nobody will hire them. The jobs exist, but too often the skills employers want and the skills applicants have do not line up.

Industries like manufacturing, healthcare, engineering, and semiconductor production are already feeling the squeeze.

Companies are also becoming pickier. After years of rapid hiring, many are slowing down and looking for candidates who can contribute immediately with less training. That makes entry-level jobs harder to land, even though the long-term outlook points to a shortage of qualified workers.

The result is a hiring market that feels broken from both sides of the interview table. The good news is that this is a skills problem, not a people problem.

The workers who keep learning, earn certifications, build portfolios, and can demonstrate real experience are likely to stand out as demand continues to grow. Degrees still matter, but practical skills increasingly close the deal.

So what's the upshot for you? 

Stop worrying about competing with AI and start making yourself the person employers cannot replace, because the best time to become scarce is before everyone else figures out they should.

Global: How to Become an Applied AI Engineer 

Applied AI engineering is quickly becoming one of the hottest jobs in tech, but it is not just software engineering with an AI model bolted on.

Traditional developers build systems that behave predictably. AI engineers build around models that can produce different answers to the same question. That changes the job from writing perfect code to measuring whether the AI consistently makes good decisions.

The biggest skill is building 'evaluations,' or evals. Think of them as report cards for AI. They don't just check whether the AI got the right answer. 

They also examine how it got there. An AI that processes an invoice correctly but quietly changes a bank account along the way is still a dangerous AI. Good AI engineers measure both the result and the path.

The next challenge is something called harness engineering. 

The AI model is only one piece of the puzzle. Engineers must build everything around it, including the tools it can use, the information it can access, the memory it needs, and the guardrails that prevent costly mistakes. In many companies, this supporting framework is far more important than the AI model itself.

Things become even more complicated when multiple AI agents work together. One agent may research, another may plan, and another may execute. Suddenly, the problem starts looking less like AI and more like managing a team where everyone can accidentally step on each other's toes. Techniques borrowed from decades of distributed computing help keep agents from overwriting data, repeating actions, or making decisions based on outdated information.

So what's the upshot for you? 

The future of AI engineering is not about writing clever prompts. It is about designing reliable systems that can safely manage unpredictable intelligence. The people who learn to measure, control, and coordinate AI will be far harder to replace than the people who simply know how to ask it questions.

US: Pentagon's New Paid Cyber Apprenticeship Draws 70,000 Applicants in Just Days 

The Pentagon just proved something many people in cybersecurity have suspected for years. The problem is not a lack of interest. It is a lack of opportunity.

Its new paid Cyber Registered Apprenticeship Program attracted more than 70,000 inquiries within days of opening, despite offering a modest salary and requiring participants to work in person around Washington, D.C.

What makes the program stand out is what it does not require. Applicants do not need a college degree or previous cybersecurity experience. They only need to be at least 18, be a U.S. citizen, and qualify for a security clearance. Over 12 months, participants receive training, mentoring, certifications, and real-world experience that can lead to government cyber careers.

The overwhelming response highlights a bigger shift in hiring. Employers, especially the federal government, are beginning to value demonstrated skills and aptitude over traditional credentials. It is also an acknowledgment that the old requirement of needing experience before getting your first job has become a barrier to filling critical cybersecurity positions.

So what's the upshot for you? 

Cybersecurity is no longer a niche career for computer science graduates. The demand is real, and organizations are finally creating on-ramps for people willing to learn. The best time to build skills is before everyone else notices the door has opened. Once the line hits 70,000 people, you are no longer chasing opportunity. You are racing the crowd.

RU: Russia Hacks Doorbell Cameras to Spy on NATO Bases 

Russian intelligence has apparently found a surprisingly simple way to gather military intelligence.

According to Dutch intelligence agencies, hackers compromised internet-connected security cameras and smart doorbells positioned near military bases and transportation routes used to move weapons headed for Ukraine. Instead of breaking into secure military systems, they looked through the digital front windows of ordinary homes and businesses.

Investigators say many of the cameras were easy targets because they still used default passwords, outdated software, or weak security settings. Once inside, the attackers could watch military convoys, identify transportation patterns, and collect valuable intelligence without ever setting foot near a base.

It is a reminder that even low-cost consumer technology can become part of a much larger geopolitical story.

The operation shows us the growing problem with the Internet of Things. Millions of connected devices are installed with convenience in mind, but security often comes second. Doorbells, baby monitors, and security cameras can all become unexpected entry points if owners never change passwords or install firmware updates.

So what's the upshot for you? 

Most of us will never have military equipment rolling past our front door, but the lesson still applies. Every connected device is another computer on your network, and attackers only need one weak link. 

If you cannot remember the last time you updated your smart camera or changed its password, today is a good day to fix that. The smartest spy gadget in your house should not be the one you bought yourself.

CN/US: The Two-Front AI War Between the US and China - Inside the Boardroom and Behind the Firewall 

https://www.yahoo.com/news/politics/articles/the-covert-us-china-battle-to-make-chatbots-leak-their-secrets-090000095.html

The AI rivalry between the United States and China is playing out on two fronts simultaneously this week - one visible, one hidden - and the boundaries are blurring fast.

On the visible front, US lawmakers are probing American companies for quietly adopting Chinese AI models in their products. 

The House Committee on Homeland Security and the House Select Committee on China have sent letters to companies, including Cursor and Airbnb, citing concerns about censorship, security risks, and ideological alignment with the Chinese Communist Party. 

'The growing use of Chinese AI models by U.S. companies raises serious concerns,' a State Department spokesperson told CNBC. 

While some government agencies have banned Chinese models outright, no law prevents private companies from using them. 

The uncomfortable reality driving adoption is cost: domestic models are often more expensive, and for a startup choosing between a pricey American option and a capable, cheap Chinese one, the spreadsheet wins. Cursor, which is being acquired by SpaceX for $60 billion, built its Composer 2 model using Kimi, developed by the Chinese company Moonshot AI.

On the hidden front, researchers and intelligence teams on both sides are waging a quieter battle to extract the secrets inside AI models themselves. 

These attacks are known as prompt leakage or prompt extraction - instead of hacking servers, attackers craft careful conversations designed to coax AI systems into revealing their hidden system prompts, internal rules, and design details. 

Whoever understands how a rival's best model was built gains a shortcut: copy the valuable design ideas, identify weaknesses, or improve competing systems without starting from scratch. 

Researchers have found that many commercial AI applications remain surprisingly vulnerable to these techniques. 

The stakes are enormous because an AI model's internal architecture and training approach are now as valuable as source code or a patent portfolio.

What connects both fronts is the same underlying tension. 

AI capability has become a proxy for geopolitical power, and the competition is fierce enough that the rules - legal, ethical, and technical - are being tested simultaneously from both directions.

So what's the upshot for you? 

The smartest questions before deploying any AI are no longer just 'Does it work?' and 'What does it cost?' They are: Who built it? Where does my data go? What secrets am I handing it? And what happens if the rules change tomorrow? 

Asking those questions before you hit Enter may save you far more than the money you saved by picking the cheapest model.

Global: Cloudflare Precursor Watches Your Mouse and Keyboard to Decide If You Are Human 

Cloudflare has a new way to spot bots, and it is far more clever than the old 'click every traffic light' approach. Instead of checking whether you're human just once when you arrive at a website, its new Precursor system quietly watches how you interact throughout your entire visit.

The idea is simple. A bot might fake one convincing action, but acting like a real person for several minutes is much harder.

The system looks at patterns rather than content. It pays attention to things like mouse movements, scrolling, typing rhythm, and whether your browser behaves like a real person would. It is looking for inconsistencies that humans rarely produce but automated software often does.

Cloudflare says it is measuring behavior, not recording what you type.

Why now? Because bots have become remarkably good at beating traditional defenses like CAPTCHAs. According to Cloudflare, automated traffic now makes up about 57 percent of all web requests, meaning bots are generating more internet activity than people.

That shift is forcing security companies to move from one-time identity checks to continuous behavioral analysis.

For most of us, this could mean fewer annoying CAPTCHA puzzles while making life much more difficult for scammers, scrapers, and automated attackers. It also reflects a broader trend where websites are increasingly judging behavior instead of relying on passwords or a single security checkpoint.

So what's the upshot for you? 

As AI gets better at pretending to be human, your online reputation will increasingly be defined by how you behave, not what boxes you can click. The easiest way to stay on the right side of that equation is simple. Act like a human, because the bots are working overtime trying to do the same.


To round it all up.

Facewatch is about to put a four-second police alert on every shopper with a prior record walking into a Sainsbury's - no crime required, no human reviewer in the loop, and a documented history of misidentifying innocent people. When private companies become automated extensions of law enforcement, the accountability gap doesn't just matter to civil libertarians - it matters to anyone who has ever been wrongly identified by software.

A GitHub account aged 19 months in silence, built up the appearance of legitimacy, then dropped a working exploit kit in minutes - proving that in the supply chain era, old and trusted are two very different things. Check your dependencies, audit who publishes the packages you rely on, and treat a long-dormant account that suddenly goes active as a red flag, not a reassurance.

Fifty-five percent of Americans are posting less on social media, driven by privacy concerns, algorithmic exhaustion, and the creeping sense that everything published stays published forever. That instinct is healthy - every post is data, every platform is a data broker, and silence is sometimes the most strategic choice you can make.

The job market paradox - recruiters who can't find workers, graduates who can't find jobs - isn't an AI story, it's a skills story, and the resolution favors people who keep building practical capability regardless of what their diploma says. The workers who will be hardest to replace are the ones making themselves indispensable right now, before the shortage becomes obvious to everyone.

Applied AI engineering is becoming a discipline in its own right, and its core skill isn't prompting - it's measurement: knowing not just whether the AI got the right answer but whether it got there safely and consistently. If you're building anything that puts AI in the path of a real business decision, the eval is the product, not the model.

The Pentagon's cyber apprenticeship drew 70,000 applicants in days by removing the catch-22 that has kept talented people out of cybersecurity for a generation - no degree required, no experience required, just aptitude and citizenship. The lesson for every employer in the field is that the talent shortage is partly a gatekeeping problem, and the organizations that solve it first will have the deepest benches.

Russia didn't need to breach a military network to watch NATO supply convoys - it just logged into the doorbells of homes nearby, most of which still had default passwords. Every IoT device you own is a potential intelligence platform for someone else, and the fix is ten minutes and a firmware update, not a security budget.

The US-China AI rivalry is being fought on two fronts at once: American companies quietly adopting Chinese models to cut costs, and Chinese teams running millions of fake AI conversations to extract the design secrets that make American models work. Before you deploy any AI in your business, ask who built it, where your data goes, and what your exposure looks like if the geopolitical ground shifts - because in this race, the technology you chose last quarter may already be a policy problem.

Cloudflare is replacing the CAPTCHA with continuous behavioral surveillance - watching your mouse, your scrolling, and your typing rhythm for the duration of your visit - because bots now make up 57 percent of all web traffic and have gotten too good at clicking the right boxes. The trade-off is real: fewer friction points for humans in exchange for more behavioral data continuously collected, and how comfortable you are with that trade depends on how much you trust who's doing the collecting.

This week's stories trace a single arc: the systems we built for convenience - doorbells, social platforms, AI models, browser sessions - have quietly become infrastructure for surveillance, geopolitical competition, and law enforcement, often without the people using them knowing it happened. The common thread isn't technology. It's assumption: the assumption that the device you installed is just doing what you bought it for, that the AI you're using is just answering your questions, that the account you trust has always been what it appears. This week's challenge is the same one it always is, but it's worth saying plainly: verify what you assume. The systems that most urgently need your scrutiny are almost always the ones that feel the most familiar. 


And that brings us to our quote of the week, from Bruce Schneier, one of the most respected voices in cybersecurity - 'Security is not a product, but a process.'

Schneier said this decades ago, but this week made his point with unusual force. Russia's most effective intelligence tool wasn't a novel zero-day - it was a default password on a doorbell. The CAPTCHA system that has protected the web for years is being retired, not because it failed dramatically but because the process of continuous behavioral verification has proven more reliable. The GitHub exploit kit that dropped this week didn't exploit a new vulnerability - it exploited the assumption that a quiet account is a safe account. In each case, the failure was treating security as a fixed state rather than an ongoing practice. The invitation from Schneier, and from this week, is to pick one thing in your environment you set up and haven't touched since, and go process it.


That’s it for this week.  Stay safe, stay secure and… keep your face covered!  See you in se7en!





Comments