xxx
Fears of a plot by Russia to sabotage Britain’s energy pipelines mean families should pack a 72-hour ‘survival kit’, security advisers have warned.
I can’t help but notice that the survival kit shown includes identity, but not money.
A library of snippets
xxx
Authentication
MCP does not currently define a standard authentication mechanism for how clients authenticate with servers, nor does it provide a framework for how MCP servers should securely manage and delegate authentication when interacting with third-party APIs. Authentication is currently left up to individual implementations and deployment scenarios. In practice, MCP’s adoption so far seems to be on local integrations where explicit authentication isn’t always needed.
A better authentication paradigm could be one of the big unlocks when it comes to remote MCP adoption. From a developer’s perspective, a unified approach should cover:
Client authentication: standard methods like OAuth or API tokens for client-server interactions
Tool authentication: helper functions or wrappers for authenticating with third-party APIs
Multi-user authentication: tenant-aware authentication for enterprise deployments
Authorization
Even if a tool is authenticated, who should be allowed to use it and how granular should their permissions be? MCP lacks a built-in permissions model, so access control is at the session level — meaning a tool is either accessible or completely restricted. While future authorization mechanisms could shape finer-grained controls, the current approach relies on OAuth 2.1-based authorization flows that grant session-wide access once authenticated. This creates additional complexity as more agents and tools are introduced — each agent typically requires its own session with unique authorization credentials, leading to a growing web of session-based access management.
From: A Deep Dive Into MCP and the Future of AI Tooling | Andreessen Horowitz.
xxx
xxx
Malta’s illegal identity card scandal, linked to government agency Identità, continues to stir political uproar in the country.
The oppositional Nationalist Party (PN), one of the two major political parties in Malta, has accused the Labour Party-led government of playing down the scale of the ID racket which allowed ineligible individuals to obtain Maltese IDs in return for bribes.
From: Malta’s ID card racket stirs political strife | Biometric Update.
xxx
xxx
Britain’s biggest banks, technology and telecoms companies have pledged to step up efforts to share live fraud data, as calls grow for the government to take stronger leadership in coordinating the fight against online scammers.
From: Banks and tech groups commit to live data-sharing in UK fraud clampdown.
xxx
April 8th is an interesting day in the world of computer security because OpenSSL 3.5 is released today. It is a big deal because it uses post-quantum cryptography methods:
ML-KEM (FIPS 203) — Module Lattice-Based Key Encapsulation Mechanism (FIPS 203). This is a PQC standard for Key Exchange.
ML-DSA (FIPS 204) — Module Lattice-Based Digital Signature Algorithm. This is a PQC standard for digital signatures, and it uses the Dilithium signature method.
SLH-DSA (FIPS 205) — Stateless Hash-Based Digital Signature Algorithm. This is a PQC standard for digital signatures and uses the SPHINCS+ signature method.
As Professor Bill Buchanan points out, this means that web servers and other applications will be able to protect themselves against quantum computing. As OpenSSL is the most widely used library for cryptography, this release will support the replacement of ECDH with ML-KEM, and of RSA and ECDSA with ML-DSA.
xxx
The UK must recognise payments as part of its strategic infrastructure, similar to energy or food security. Ensuring resilience against geopolitical disruptions requires coordinated efforts between the public and private sectors.
Open banking has made significant strides, but considerable work remains to establish it as a standalone payments ecosystem. Addressing commercial incentives, consumer protections, product ubiquity, and cross-border acceptance will be essential to build a resilient, self-sufficient infrastructure capable of withstanding external pressures.
If successful, open banking could emerge as a resilient backbone for the UK’s financial ecosystem, reducing dependency on US-dominated networks and creating a robust, homegrown payments infrastructure.
From: Can open banking stand alone as the UK’s payment infrastructure?.
xxx
xxx
The banking industry’s effort to fight check fraud is likely to benefit from President Donald Trump’s order to the Treasury Department to stop issuing paper checks for federal disbursements and to transition to digital payments.
From: Treasury’s halt of paper checks likely to reduce fraud | American Banker.
xxx
xxx
Earlier this year, employees at online diaper seller Coterie noticed customers arriving from an intriguing new source—ChatGPT.
Coterie, like most brands, asks its customers how they heard about the company after they make a purchase. The typical answer is word of mouth. But in recent months, some shoppers started crediting their purchase to OpenAI’s popular artificial intelligence chatbot, which added real-time search features last fall, making it a more important source of inspiration for shoppers—and of business for retailers.
From: AI Search Is New Arms Race for Retailers — The Information.
xxx
xxx
Microsoft has unveiled an upgraded version of its artificial intelligence assistant that remembers user preferences and takes actions on their behalf, as the tech group takes on rivals building AI-infused products designed to attract millions of consumers.
The Seattle-based group at an event on Friday to mark its 50th anniversary announced a personalised “Copilot” that develops a “memory” and can recall important details, such as family birthdays and hobbies.
xxx
xxx
Walton said he and other merchants he talks to have tried to influence AI search results, including posting frequently about their brands on Reddit, a popular forum site. Reddit, a major source of training data for AI companies, inked a content licensing deal last year with OpenAI. Reddit and OpenAI didn’t respond to requests for comment.
AI search optimization startups such as Profound, which launched less than a year ago with $3.5 million from investors including Khosla Ventures, are pitching services they say can help brands crack the AI search mystery.
From: AI Search Is New Arms Race for Retailers — The Information.
xxx