This panopticon makes frequent stops for children


Five Cyber Stories - May 31, 2026 - Issue 010

Welcome to the tenth edition of Five Cyber Stories!

Given Memorial Day on Monday and the shorter week, this week's newsletter is a bit more brief. But I'm still sharing some fascinating stories about mass surveillance via school buses, the cybersecurity job market (plus the job market in general), and more.

Before we get rolling, here's a quick link to subscribe if this newsletter was shared with you.

Next stop, cyber stories.

If school buses had eyes...

Reporting from 404 Media's Joseph Cox

Looking both ways: The technology firm BusPatrol brands itself as the “leading provider of school bus stop-arm enforcement solutions”, installing cameras on school buses that are connected to AI systems. These cameras record anyone who illegally passes a school bus. According to the company, the cameras deter unsafe driving and keep kids safer. The company even plays a role in ticketing offenders. But BusPatrol may be expanding its capabilities. This past week, 404 Media's Joseph Cox wrote that the company is planning to turn school buses into automatic license plate readers (A.L.P.R.s). In addition to scanning the license plates of those breaking the law, this plan would have school buses scanning and documenting the location of every vehicle passing the bus – even if the vehicle was passing legally.

Next stop, mass surveillance: Last week, I wrote a piece on why I believe the U.S. needs a standardized digital privacy law. It's stories like this that underscore my thinking on this topic. Although BusPatrol says their program is "...violator funded..." and there are "...no up front costs to school districts...", I'm reminded of the common saying, "If something is free, you are the product." We should all be asking what (or who) is the product in this case.

Data brokers triangulate the troops ($)

Reporting by Wired's Dell Cameron

A concerned Congress: Sen. Ron Wyden (of Wyden Siren fame, for those in the know), along with thirteen other members of Congress, sent a DoD official a letter asking why foreign adversaries or other enemies are able to purchase sensitive data about active duty troops from data brokers. Maybe most alarming is that this has been known for approximately 10 years ($).

National digital privacy law (still) not found: At my most optimistic, maybe (just maybe) Congress' concern over this vulnerability is a sign that our electeds are taking digital privacy seriously, even if only on a case-by-case basis.

In-person hacking

Reporting from Cyberscoop's Matt Kapko

In office exploits: The F.B.I. is warning that a social engineering group called Silent Ransom Group is stealing data from law firms, according to Cyberscoop's Matt Kapko. The hackers usually try to remotely gain access to their victims' computers, then resort to tricking people into physically letting them into offices to infiltrate networks. The attacks have mostly targeted law firms, which makes sense given that law firms' data can be highly sensitive. Silent Ransom Group is thought to be Russian in origin. Some cybersecurity researchers have speculated that gig workers may be playing a role in the hacks.

“It’s kind of like a Doordash person that delivers Arby’s,” [Recorded Future Chief Information Security Officer Allan] Liska said. “You know you’re doing really bad things to people, but you know what, they’re paying you to deliver.”

The physical dimensions of cybersecurity: The modern office worker has to wade through no shortage of trainings, including those (sometimes tedious) security trainings. But attacks like this underscore the ways that cybersecurity threat groups are increasingly targeting white collar workers, particularly those who handle sensitive information, making those trainings a necessary part of the corporate experience. It also showcases that strong physical security can be just as important as more stereotypical/digital forms of cybersecurity.

The cybersecurity job market

Reporting from The New York Times' Kate Conger

Searching for cybersecurity execs: Though pessimism about the job market abounds these days, not so if you're an exec with cybersecurity experience. The New York Times' Kate Conger reports that some headhunter firms are turning potential clients away because there isn't enough talent for them to hire. The announcement — and subsequent fears — about Anthropic's Mythos model have apparently driven the quest for skilled execs. Some security workers have sought to up-skill on AI-related credentials to become more attractive to employers.

Keywords: While this is a great example of cybersecurity affecting the non-digital world (i.e. people's jobs), I thought some of the anecdotes in Kate Conger's reporting about the job market could be applicable to anyone and everyone searching for a job.

"Brian Gaudenti, a security engineer, left his job detecting and investigating cyberthreats at a large tech company in November. Despite more than a decade of experience in the field, he initially struggled to find a new gig.

But at a cybersecurity conference in March, he noticed that other engineers were using A.I. tools to write code, a practice called vibecoding. He used A.I. to make music, web apps and software, and added those projects to his portfolio. Demonstrating his A.I. chops helped him find a new job last month building out an A.I. start-up’s security team.

'People who are not doing that and waiting for their old jobs to reappear, they’re not going to find them again,' he said. 'I don’t think there’s going to be a net loss in jobs, but people are going to have to adapt what their next job is going to be, 100 percent.'"

[Image: A meme of a meme.]

Who dunnit?

Reporting from TechCrunch's Lorenzo Franceschi-Bicchierai and The Record's Alexander Martin

Shhhhhh: Microsoft appears real upset at a security researcher. Meanwhile, the cybersecurity community seems just as mad at Microsoft. Lorenzo Franceschi-Bicchierai at TechCrunch reports that a security researcher with the alias "Nightmare Eclipse" is publishing bugs without coordinating with Microsoft after a breakdown in their relationship.

The Record's Alexander Martin reports that Nightmare Eclipse had previously written, "...no amount of money will stand between me and my determination against Microsoft." Also according to Martin, "The researcher threatened a further release on July 14 — the date scheduled for Microsoft's Patch Tuesday — warning they would 'make sure your bones are shattered that day.'"

Microsoft has responded with what some have felt is an "over the top" response:

Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.

Old wounds: As I've been reading in Nicole Perlroth's This Is How They Tell Me The World Ends (which I'm still reading), bug bounties, or the process of rewarding security researchers for discovering vulnerabilities, weren't always an industry norm. Researchers had to fight for both recognition and compensation for their role in helping a business secure its software. To employ a cliche, the idea behind bug bounty programs is that a carrot – a reward for flagging a bug – is often more effective than the stick – a thinly veiled corporate threat.

In this story, it seems that many researchers are worried that Microsoft is choosing the stick. Security-focused YouTuber LowLevel wrote in a newsletter (sorry, no available link) that some threads on X (formerly known as Twitter) have started with the hashtag #MeTooMSRC to share frustrations about the software giant.

Katie Moussouris, who reportedly helped Microsoft start its bug bounty program, told TechCrunch this "'...will only result in security researchers distrusting Microsoft.'"

The article goes on:

"Moussouris warned that the consequences of security researchers losing trust with Microsoft could result in a chilling effect of fewer people coming forward to report bugs, 'making it less safe for all of us.'"

Wrapping Up

I have just a couple other recommended stories this week. First up, one I've already read. TechCrunch's Zack Whittaker writes how highly sensitive personal info was leaked by a private U.K. website selling help to obtain U.K. visas. This story has bigger implications for the age-verification trend that I hope to write about in a future issue.

Also, here are two stories that I plan on reading over the weekend:

Thanks for reading, and I'll see you next Sunday with five more stories.

Danny