TrendNew, Tech

Your Phone's Getting Attacked, Your Apps Are Backdoored, and Infrastructure Is Just Falling Over

A week of supply chain chaos, SMS blasters in Toronto, and Firefox getting pwned by AI reveals what happens when security theater meets reality


The internet had a bad week. Not the kind where a service goes down for four hours and everyone jokes about it on Twitter. The kind where you realize the foundation you’re standing on has termites.

Let me walk you through what actually happened.

The Daemon Tools Disaster

Someone backdoored Daemon Tools—a disk-mounting utility that’s been around since 2002 and has millions of installations. This wasn’t a zero-day. This wasn’t some researcher finding a bug in obscure code. A supply chain attack compromised the software directly, and it sat there for a month before anyone noticed.

Think about that timeline. Thirty days. Millions of machines potentially running malicious code delivered through what looked like a legitimate update from a legitimate vendor.

Daemon Tools occupies a weird space in the ecosystem. It’s the kind of utility that die-hard Windows power users download, that IT departments might have scattered across their networks, that you don’t think about once it’s installed. It’s invisible infrastructure. Which makes it perfect for this kind of attack.

The supply chain attack playbook has been refined over the last decade. SolarWinds in 2020 showed us the blueprint. CCleaner in 2017 showed us it could happen to even moderately well-known tools. And yet we keep doing the same thing: trusting that the software we download hasn’t been compromised at the source. We’ve built elaborate defenses at every other layer—firewalls, endpoint detection, intrusion prevention—but we still basically ask users to trust that their vendor hasn’t been hacked. Code signing doesn’t rescue you here either: a signature only proves the vendor’s key signed the build, and when the build pipeline itself is compromised, as it was at SolarWinds, the backdoored build comes out properly signed.

I don’t have a solution here. That’s the honest part.


Toronto Gets Spammed Into Submission

Police in Toronto arrested a crew running SMS blasters—sending malicious text messages to thousands of people. The cops called it the “first known instance” in Canada.

Let me translate what this means. An SMS blaster is typically a rogue base station: a portable device that impersonates a cell tower, coaxes nearby phones into attaching (commonly by downgrading them to 2G, where the handset never authenticates the network) and pushes text messages straight to them. The messages never cross the carrier’s network, so they can carry any sender ID and dodge whatever spam filtering the carrier runs. Somebody built that, filled it with malicious payloads, and Canadian law enforcement had never caught anyone doing it before. Not that it hadn’t happened. That they hadn’t caught anyone.

SMS blasting is ancient technology. The fact that this is newsworthy in 2024 because it’s the first arrest tells you something bleak: we’ve spent fifteen years hardening email (SPF, DKIM, DMARC), but text messages are basically undefended. There is no SPF or DKIM equivalent for SMS. Your phone treats an incoming text the way it treats anything from the network: it doesn’t verify the sender ID, it applies no reputation filtering of its own, and it just… displays it. What little filtering exists lives at the carrier, and a blaster bypasses the carrier entirely.

This is like discovering someone’s been stealing mail from your mailbox for years and being shocked when a postal worker finally catches them.

Firefox Getting Torn Apart by Machine Learning

Here’s the one that actually made me sit up: Anthropic built something called Mythos that’s been finding high-severity bugs in Firefox by analyzing the code. Not by fuzzing it. Not by traditional auditing. By using machine learning to understand the code semantically and spot where things go wrong.

Mozilla security researchers are using it. They’re finding real vulnerabilities. Critical ones.

This is the part of AI that doesn’t get covered because it’s not flashy—it’s just depressing to security teams. You can’t hire enough humans to audit massive codebases. You can’t hire fast enough to stay ahead of the attack surface. But an AI system that reads your code and identifies vulnerabilities? That scales. That’s the kind of asymmetry that keeps CISOs awake.

The flip side: if Anthropic can do this, so can someone with darker intentions. We’re now in a world where the security researcher and the attacker have the same tools.


Infrastructure Just Cracking at the Seams

Ubuntu’s infrastructure went down for more than a day. Not the Ubuntu servers where your applications run. The infrastructure that serves the Ubuntu project itself. The package repositories. The download mirrors. The backbone that thousands of systems depend on to get updates.

A day is a long time in modern infrastructure. Imagine asking every Ubuntu user to just… wait. Can’t update. Can’t patch. Can’t deploy anything new.

This connects to the Daemon Tools situation in an unsettling way. If you can’t trust your update infrastructure to stay up, and you can’t be sure that what comes back up hasn’t been tampered with, you’re running blind. To be precise about what signing buys you: APT verifies the archive’s Release file against the Ubuntu signing key, so a compromised mirror can’t hand you an altered package without that key. What a mirror can do is keep serving an old, still correctly signed index so that you never see the fix, which is a freeze attack in all but name. Either way you’re choosing between the risk of staying unpatched and the risk of downloading something malicious.

That’s not actually a choice. That’s just losing.
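What the client side of an update channel can actually check, covering both the Daemon Tools case (a tampered payload or manifest) and the Ubuntu case (a stale mirror, a replayed older release). This is an added example written for this piece, not code from Daemon Tools, Ubuntu, APT or any vendor: the manifest layout, the HMAC standing in for a real asymmetric signature, the `PINNED_KEY` and every sample byte are assumptions constructed for the demo.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumed: a key the client pinned when the product was first installed.
# Real update systems (Authenticode, APT's signed Release files, Sigstore)
# use asymmetric signatures so mirrors and CDNs never hold the signing key;
# HMAC stands in here only to keep the example dependency-free.
PINNED_KEY = b"vendor-key-pinned-at-first-install"


def canonical(manifest: dict) -> bytes:
    # Sort keys and strip whitespace so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = PINNED_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(blob: bytes, manifest: dict, signature: str, *,
                  installed_version: Tuple[int, ...],
                  key: bytes = PINNED_KEY,
                  now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Every check rests on something the client
    already trusts (pinned key, installed version, its own clock), never on
    anything the mirror says about itself."""
    now = time.time() if now is None else now

    # 1. Authenticity: the manifest must verify under the pinned key. A mirror,
    #    a CDN, or anyone between them cannot mint one.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature invalid"

    # 2. Freshness: a correctly signed but stale manifest is rejected, otherwise
    #    a mirror can freeze clients on a vulnerable release indefinitely.
    if now > manifest["valid_until"]:
        return False, "manifest expired (possible freeze attack)"

    # 3. Anti-rollback: never accept a release older than what is installed,
    #    even when it is genuinely signed.
    offered = tuple(manifest["version"])
    if offered < installed_version:
        return False, "downgrade to %s refused" % ".".join(map(str, offered))

    # 4. Integrity: the payload must match the digest the signed manifest names.
    #    Checked last; the hash only means something once 1 to 3 have passed.
    if not hmac.compare_digest(hashlib.sha256(blob).hexdigest(), manifest["sha256"]):
        return False, "package digest mismatch (tampered or wrong file)"

    return True, "ok"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed scenarios; returns {scenario: reason} so each can be checked."""
    genuine = b"MZ...installer bytes (constructed for the demo)..."
    manifest = {
        "product": "example-util",
        "version": [5, 2, 0],
        "sha256": hashlib.sha256(genuine).hexdigest(),
        "valid_until": now + 7 * 86400,
    }
    sig = sign_manifest(manifest)
    installed = (5, 1, 9)
    results = {}

    results["genuine"] = verify_update(
        genuine, manifest, sig, installed_version=installed, now=now)[1]

    # Compromised build server or mirror swaps the payload but cannot re-sign.
    results["tampered_blob"] = verify_update(
        genuine + b"\x90\x90", manifest, sig, installed_version=installed, now=now)[1]

    # Attacker edits the manifest to point at their payload; signature no longer matches.
    evil = genuine + b"\xcc"
    forged = dict(manifest, sha256=hashlib.sha256(evil).hexdigest())
    results["forged_manifest"] = verify_update(
        evil, forged, sig, installed_version=installed, now=now)[1]

    # Mirror keeps serving the same signed manifest long after its validity window.
    results["stale"] = verify_update(
        genuine, manifest, sig, installed_version=installed, now=now + 30 * 86400)[1]

    # A genuinely signed older release replayed to undo a security fix.
    old = dict(manifest, version=[5, 0, 0])
    results["rollback"] = verify_update(
        genuine, old, sign_manifest(old), installed_version=installed, now=now)[1]
    return results


if __name__ == "__main__":
    for scenario, reason in demo().items():
        print(f"{scenario:16s} -> {reason}")
```

The ordering matters: the digest comparison is deliberately last, because a SHA-256 that matches a manifest nobody authenticated proves only that the attacker can compute SHA-256. Swap the HMAC for a real signature over the same canonical bytes and the structure is the one package managers and OS updaters already use.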

Google’s Betting the Farm on Health AI (Again)

Meanwhile, Google’s launching a Gemini health coach at $9.99 a month and a new screenless, Whoop-style band, the Fitbit Air, with 24/7 heart rate monitoring and A-fib alerts.

I mention this not because it’s catastrophically important but because it’s instructive about where the industry’s attention is. The company with arguably the most security incident experience on the planet is doubling down on consumer health hardware and AI advisors while the rest of the ecosystem is basically on fire.

Google’s doing this because there’s actual money there. Health data is valuable. Health subscriptions are sticky. And if you own the device, the service, and the AI, you own the customer.

Just watch where that data flows when the next breach happens.

What’s Actually Happening Here

Strip away the individual incidents and you’re looking at a security posture that’s held together by habit and hope.

We’ve outsourced critical infrastructure (package repos, cloud platforms, update systems) to companies that have maybe 90% uptime goals. We’ve standardized on software from vendors who get compromised and don’t realize it for a month. We’ve built applications in languages and frameworks where finding vulnerabilities requires machine learning to keep up with the complexity. And we’re putting increasingly sensitive health data onto internet-connected devices made by the same companies managing our search engines.

My read is this doesn’t get better until someone very large gets hurt very publicly. I’m not hoping for it. I’m just observing that every security improvement in the last twenty years came after some watershed moment—Heartbleed in 2014, SolarWinds in 2020, Log4Shell in 2021. We don’t patch the roof until it’s raining inside.

The truly dangerous part? The people building the next generation of attacks are using the same Mythos-like tools that Mozilla’s researchers are using. The gap between offense and defense isn’t closing. It’s just that now both sides have better telescopes.

What I’m Watching

  • Ubuntu infrastructure recovery timeline. Watch if they publish a postmortem that actually explains what happened and how they’ll prevent >4 hour outages. If it’s vague corporate apologizing, you’ll know they don’t have real answers. If they commit to specific SLA improvements by Q3 2024, they’re serious.

  • Daemon Tools patch adoption rates. Security firms will track how many machines actually update beyond the compromised version. If it’s below 60% in six weeks, we’ve got a silent infection problem on an enormous scale. That tells you everything about corporate patching discipline.

  • Mozilla’s Mythos bugs getting exploited in the wild. Set a calendar reminder for August 2024. If the vulnerabilities Anthropic found haven’t been exploited by then, the attacker community is slower at converting research to attacks than we think. If three of them show up in breach reports by then, we know the asymmetry is worse than it looks.

  • Whether Google’s health data gets breached before the end of 2024. Not because I think it will—Alphabet’s security infrastructure is actually strong. But because if it does, we’ll learn exactly how seriously they’re taking biometric data protection when it conflicts with their data monetization playbook.