Episode 3 – The Stryker Kill Switch Catastrophe

March 22, 2026

PLEASE NOTE: The audio for this episode was recorded on March 13, 2026. Some stories covered here have developed since then. Updated sourcing and corrections are in the full show notes on this page.

Recently, the lines between smart devices and corporate surveillance got harder to ignore. Hisense TVs started showing unskippable full-screen ads when owners switched HDMI inputs, pushed silently through a firmware update, after the sale, with remote per-device control that nobody disclosed at the register. New York’s attorney general sued Valve for running what she called a gambling operation, and a class action followed days later. The world’s biggest gaming conference lost a third of its attendees, dropping to 20,000, the smallest turnout since 2011. International developers stayed home over U.S. border fears, and the Iran war shut down Middle Eastern airspace two weeks before the show opened. And YouTube, freshly crowned the world’s largest media company, celebrated by rolling out 30-second unskippable ads on every TV it can reach. In the Deep Dive, we go long on the Stryker hack: a Fortune 500 medical device company with 56,000 employees had thousands of devices wiped in a single night. No malware. No zero-day. Just stolen admin credentials, a button that was already there, and a kill switch built into the tools companies use to manage their own infrastructure. Plus, there’s a billion-record identity data leak that may or may not be real.


Topics Covered

  • Hisense TVs serving unskippable full-screen ads during basic functions like input switching, pushed via firmware update after purchase, with server-side per-device control
  • New York AG Letitia James suing Valve over loot boxes as illegal gambling
  • GDC 2026: attendance dropped 33% to 20,000 (smallest since 2011); international developers stayed away over U.S. border fears
  • YouTube becoming the world’s largest media company by ad revenue, and its rollout of 30-second unskippable ads on connected TVs
  • One billion identity records allegedly left exposed in an unprotected database, and the company’s counterclaim that it was an extortion attempt
  • The Stryker hack (Deep Dive)
    • How Iranian-linked hacktivists wiped thousands of devices at a Fortune 500 medical company in a single night
    • The Microsoft Intune kill switch: no malware, no zero-day, just stolen admin credentials and a built-in remote wipe feature
    • Healthcare supply chain fallout: surgical implants, LIFEPAK defibrillators, hospital order processing
    • Who Handala actually is: a MOIS-linked “faketivist” operation behind a Palestinian cartoon character
    • BYOD exposure: what happens when your personal phone gets wiped alongside the corporate fleet

Plugs

  • Chris N:
    • Video: “The AI book that’s freaking out national security advisors”
    • Why? It’s an explainer on a book called If Anyone Builds It, Everyone Dies, and the premise is exactly what it sounds like: if anyone succeeds in building a superintelligent AI, we’re all dead. The production quality is genuinely exceptional. Like, this is the kind of video that makes you wonder what the creator’s budget looks like. It’s a little long and could probably be tightened up, but the subject matter is worth your time. From former national security advisors to Turing Award winners, serious people are taking this book seriously. Watch it.
  • Chris V:
    • GIMP: https://www.gimp.org/
    • Why? GIMP is a powerful, cross-platform image editor available for GNU/Linux, macOS, Windows and more operating systems. It is free software; you can change its source code and distribute your changes.

Other Links

Transcript


IMPORTANT DISCLAIMER: Transcripts are auto-generated and may contain inaccuracies or differ from the spoken content.

She ready to roll.

Let me mute my devices before takeoff. Got to buckle up.

Muting now, sir.

How’s it going? Oh god. This is episode three now. Are we getting the hang of this? I don’t know.

No.

I have no idea. Hopefully somebody’s still listening. Maybe no one. That’s fine, too.

I guess I don’t really care, and that’s just okay.

Welcome back to SquaredCast. This is episode three, recorded on March 13th, 2026. Hisense TVs are now showing unskippable full-screen ads when you try to switch HDMI inputs, even though you already paid for the TV. Valve is getting sued over loot boxes again. And game developers from around the world are bailing on GDC, gaming’s biggest annual conference, because they’re afraid to enter the United States. I can’t say I blame them. And in the deep dive, we’re going long on the Stryker hack. One kill switch, 200,000 devices wiped. Iranian hacktivists didn’t need malware or a zero-day exploit. They just logged into a button that was already there. Plus, we’ve got the build log to get into. As always, show notes and sources are at squaredcast.com. If you want to support us and get bonus content, our Patreon starts at two bucks a month. Link’s in the show notes. Let’s get into it.


The Rundown (News)

Hisense TVs and Unskippable Ads

Okay, so you bought a TV. You own it. You figure you own it. You paid for it. You should own it. But now you’ve got a TV that’s showing you unskippable full-screen ads when you try to switch from your PlayStation to your cable box. Come on. That’s what Hisense owners across Europe have been dealing with, and the backlash is exactly as loud as you’d expect.

Tom’s Hardware broke the story wide open on March 11th. People have been getting served unskippable ads during basic functions like switching through HDMI inputs, powering the TV on, navigating to the home screen, and even changing channels. These aren’t banner ads tucked into a menu. These are full-screen video ads interrupting the most fundamental things you can do on a television. The behavior reportedly appeared through a firmware update pushed after purchase, meaning people who bought these TVs had no idea this was coming. Even users who had every ad-related setting disabled were still affected. Great.

And this isn’t a new problem. The earliest complaints trace back to 2022, when a Reddit user flagged ad replacements in the input selection menu. Hisense has given an official response, but it actually made things worse. The company claimed the situation was “exclusive to a spot task performed in the Spanish market, meant to evaluate certain advertising formats linked to free content within the platform itself.” They repeated three times that the ads did not prevent users from “using their devices normally.” That line has become a point of mockery in the tech community. If sitting through a commercial to access your own gaming console counts as normal, the definition of ownership has shifted under our feet.

The geographic spread of complaints doesn’t really line up with a limited Spanish test. Reports come from the UK, Germany, and other markets. One detail that should raise every red flag: users who contacted Hisense support, provided their TV’s unique device ID, and had the ads disabled remotely. That means Hisense has server-side ad delivery. They can turn it on or off whenever they feel like it, per device. It’s just flipping a switch on their end, and they can decide who to serve ads to and who to leave alone. The obvious concern is what else can they push to your TV without your consent, or even your knowledge.

Yeah. The government-funded Norwegian Consumer Council published a report on February 27th calling out the “enshittification” of digital products, citing practices where product quality is degraded after sale to serve commercial interests. That word fits right here. The Texas Attorney General filed a series of lawsuits in 2025 against Hisense and four other manufacturers — Sony, Samsung, LG, and TCL — over their use of automatic content recognition technology built into smart TVs, which takes a snapshot of whatever is on your screen every 500 milliseconds and sends it to a remote server.

The community advice is blunt: change your DNS settings, disconnect the TV from the internet entirely, or use an external streaming device and never touch the built-in smart features. There’s a growing “dumb TV” movement on forums, and cases like this are the reason. But none of that changes the core problem. You paid for the hardware, and the manufacturer is degrading it remotely while still walking away with your money. Something you paid for, you expect to work as advertised. But now they’re advertising things on the device you bought.

Yeah, I’m not okay with that. Especially if that’s not how it was when it was sold to me. They just added that after the fact. It was never demoed like that. That is false advertising territory right there. I feel like this is a trend that’s not going to be exclusive to Hisense.

Oh yeah, it’s going to happen everywhere. If there isn’t enough pushback, other companies are going to look at what Hisense is doing and say, “Okay. They got away with it. We can too.” If you don’t get in trouble for it, you just keep doing it.

That brings us kind of full circle to some of the stuff we were talking about in the first episode, with ID verification and the platforms enforcing it.


IDMerit Data Exposure

A word of caution before we get into this one. The story you’re about to hear is actively disputed. The company at the center of it says the whole thing is fabricated and tied to an extortion attempt. We want to lay out what’s been reported, what’s been contested, and you can make up your mind from there. Fair enough.

February 2026, Cyber News published a report alleging that a database containing roughly one billion personal identity records — billion with a B; there are only about eight and a half billion people on planet Earth, so that’s one in eight — had been left sitting on the open internet without a password. No hacker needed. No sophisticated exploit required. Just an unprotected database that anyone could access, download, or delete.

Cyber News researchers say they discovered the exposure on November 11th of last year. They believe the database belongs to IDMerit, a California-based digital identity verification company with roughly 26 employees and annual revenue in the range of three to five million dollars. Wow. A smaller ID verification company, but still a problem when you don’t protect your data.

IDMerit provides AI-powered KYC — that’s “know your customer” — tools to banks, fintech platforms, and other financial service companies. These are government ID verification checks that banks and financial apps are legally required to run before letting you open an account or access a financial product. According to the report, IDMerit secured the database the following day after being notified, but public disclosure didn’t arrive until February 18th, 99 days after the fact. They claimed they fixed it the day after it was discovered but didn’t tell anyone it had happened until 99 days later.

Again, a lot of this is alleged. Cyber News uses attribution language in the report, not definitive ownership confirmation. They have not published verifiable proof tying the database to IDMerit’s production infrastructure. Their article images are AI-generated stock visuals with no real evidence actually being shown. The claimed numbers are staggering — a billion is not a small number — and that’s part of why they’re drawing scrutiny. The broader repository allegedly contained more than three billion total records. Of those, roughly one billion held sensitive, personally identifiable information spanning 26 different countries and totaling about a terabyte of data.

How do you not notice a missing terabyte of data? Well, if it’s true — we don’t know that it is. Give them the benefit of the doubt.

All right, all right, I’ll take a breath. The United States reportedly had the most exposed records at over 203 million. Mexico followed with 124 million. The Philippines, Germany, Italy, and France were also listed as heavily impacted. Here’s where the scale gets hard to square with the source. IDMerit is a small company serving niche crypto platforms. Critics have pointed out that 203 million US records would imply roughly 75 to 80 percent of every KYC-eligible American adult passed through this single provider’s system. Italy was assigned 53 million records against a total population of about 59 million, which would mean 98 percent national coverage including infants. Mexico’s implied coverage reached around 95 percent. These proportions are unusual for a mid-tier verification vendor.

The data reportedly included full legal names, home addresses, dates of birth, national ID numbers, phone numbers, email addresses, gender information, telecom metadata, and KYC verification logs. IDMerit pushed back hard on this reporting. The company issued a statement saying, “IDMerit does not own, control, or store consumer data or the underlying data maintained by the independent data sources.” So they’re saying nothing happened, no one got breached. But the dispute goes further than a standard corporate denial. IDMerit alleges that the whole incident is an extortion attempt. In a later statement, the company said, “We requested a security incident report from the ethical hackers as proof, and the response was a demand for money for the report, which confirmed our suspicion that this was a ransom-related incident.”

Cyber News says it received the findings independently and found them legitimate. So we have two competing narratives. On one side, a security research outlet with a published track record, corroborated by secondary reporting from Tom’s Guide. On the other side, a company alleging fabrication and extortion. No one has confirmed that criminals actually downloaded the data.

If the exposure is real, the type of data involved makes it especially damaging. National ID numbers, unlike passwords or credit card numbers, can’t be rotated or changed. If your Social Security number or government-issued identification details are exposed, you’re stuck with that risk permanently. With this data in hand, attackers could launch account takeovers, targeted phishing campaigns, credit fraud, and SIM swap attacks — which occur when someone tricks your phone carrier into transferring your number to a SIM they control, letting them bypass any two-factor setup you might have. The data was structured, which makes searching through it dramatically easier than if it were just a raw dump. No regulatory authority has publicly announced an investigation.

Regardless of who’s telling the truth, the systemic problem remains. KYC requirements are expanding. Financial services, crypto platforms, and now social networks are all demanding government IDs to verify users — Discord, yes — and every one of those verification workflows creates another centralized collection of this data that may or may not be exposed at some point, especially when companies hold on to it longer than they should. Just assume that they have it. You should always assume that.

The takeaway here is kind of grim. Just assume your data is already out there. Identity theft monitoring and credit freezes are the bare minimum. I strongly recommend everybody go out and do that right now, and then save those unlock codes and PIN numbers in a safe location that nobody else can get to. There are so many breaches it seems like every day, and you just never know when you personally are going to be hit by one.


Valve Loot Box Lawsuits

Valve’s getting sued over loot boxes again.

Well, this isn’t their first lawsuit. It’s certainly not going to be their last. Valve is the company that operates the Steam platform, which I’m sure a lot of people have heard of. In late February, New York Attorney General Letitia James sued Valve Corporation over the loot box mechanics in Counter-Strike, Dota 2, and even Team Fortress 2. James called them “quintessential gambling” and said Valve has made billions luring players — many of them teenagers or younger — into paying for the chance to win a rare virtual item. Two weeks later, a nationwide class action lawsuit landed in Washington state making nearly identical claims. Valve’s public response to the New York lawsuit was essentially: see you in court.

The New York complaint, filed on February 25th in the Supreme Court of the State of New York, alleges Valve has operated an illegal gambling enterprise in violation of the state constitution and penal law. Those are fighting words. The AG’s office describes the loot box opening process in Counter-Strike as resembling a slot machine with “an animated spinning wheel that eventually rests on a selected item.” Those items are purely cosmetic, but they carry real monetary value. One Counter-Strike skin reportedly sold for over one million dollars in 2024. It’s also important to know these are tradable on Steam’s community market, but the money you get from selling them is only added to your Steam wallet, meaning you can only put that money back into the Steam platform.

The overall Counter-Strike skin market hit a six billion dollar market cap in October 2025 before crashing by at least two billion after a Valve update made certain rare items easier to obtain. Letitia James did not mince words. “Valve has made billions of dollars by letting children and adults alike illegally gamble for the chance to win valuable virtual prizes. These features are addictive, harmful, and illegal.” The complaint accuses Valve of knowingly operating unlawful gambling through its loot box system, alleging the system was “carefully engineered to extract money from consumers, including children, through deceptive casino-style psychological tactics.”

The Hagens Berman complaint lays out the mechanics: earn a locked loot box by playing, pay roughly two dollars and forty-nine cents for a key to unlock it, receive a randomly selected item that is usually worth pennies but occasionally worth hundreds or thousands. The lawsuit argues these boxes use the same psychological techniques as casino games, describing “spinning wheel animations, near-miss visuals, and variable ratio reinforcement schedules designed to keep players spending.” The proposed class covers all US consumers who purchased a loot box key or paid to open a loot box in Counter-Strike — which used to be called CS:GO before it became Counter-Strike 2 — and extends to Dota 2 and Team Fortress 2, which share the same loot box mechanics. They seek treble damages, meaning triple the actual damages as a penalty, and full disgorgement of Valve’s gains, meaning Valve would have to hand back the money it made off all of this.

Both lawsuits zero in on children. The New York complaint cites research from the Massachusetts Department of Public Health showing that children introduced to gambling by age 12 are four times more likely to develop a gambling problem as adults. Hagens Berman’s statement on the class action was blunt: “Valve knew children were on the other end of these transactions. We believe they rigged the game to extract more money from them.”

This is not the first time loot boxes have attracted regulatory attention. In January 2025, the FTC fined Cognosphere, developer of Genshin Impact, twenty million dollars for deceiving children and other players about the odds and cost of its loot box system. The Valve lawsuit represents an escalation. The New York case is the first time a state attorney general has gone after a major game publisher on constitutional gambling grounds.

Valve finally broke its silence on March 11th with a public statement on Steam. The company compared its loot boxes to buying packs of physical trading cards and emphasized that the items are optional and cosmetic. On the question of item transferability, Valve pushed back: “Transferability is a right we believe should not be taken away and we refuse to do that.” Valve said it had been “working to educate the AG’s office about its systems since early 2023.”

It’s worth noting that Valve appears to be making preemptive moves in some markets. The official Counter-Strike 2 account announced on March 6th that German players would receive an X-Ray Scanner item, which lets players see what’s inside a container before opening it. France has had the same feature since 2019. Whether that model expands further likely depends on how the pending lawsuits play out.


GDC 2026 and International Developer Concerns

The Game Developers Conference has been the global game industry’s annual gathering since 1988. Every March, tens of thousands of developers, publishers, and industry professionals converge on San Francisco’s Moscone Center — this year rebranded as the GDC Festival of Gaming and running March 9th through 13th. A lot of those people just didn’t show up.

International developers started announcing publicly in January that they wouldn’t be attending. The reasons stack up in a specific order: “European and Canadian games industry professionals are giving multiple reasons for not attending GDC this year. The most common reason given is that San Francisco is unpleasant and expensive. Next is protest at the US government’s aggression toward their countries. Third is concern about being forced to share their social media communications. Fourth is personal safety concerns with regards to border control and immigration officials.”

By the time the conference opened, the absences were impossible to ignore. Emilio Coppola, the executive director of the Godot Foundation — that’s the nonprofit behind Godot, one of the most widely used open-source game engines — gave the quote that became a rallying cry: “I honestly don’t know anyone who is not from the US who is planning on going to the next GDC. We never felt super safe, but now we are not willing to risk it.”

The fears aren’t hypothetical. Audio director Niha Patel from Pomplamoose Games described being singled out at the US border during GDC 2025: “The agent at the border was very intrusive. I lied and said that I did not have American clients.” French-Lebanese creative director Nathalie Ferez said that “citizens getting arrested by border control over their views on the US is not something I would like to test for myself.”

I sympathize with those guys. I don’t travel much, especially outside of the country, but I am very conscious of how invasive those border searches can be.

Yeah. Rami Ismail, the Dutch-Egyptian indie developer and longtime industry figure who co-founded Vlambeer, captured how far the chill has spread. He advised any prospective international visitor to “cancel, genuinely cancel,” and told anyone who insisted on going to “not speak a single word to law enforcement outside of requesting your lawyer” and to “know your embassy or consulate details by heart” because “you have to assume your phone might be taken.” And that is absolutely true — knowing where your consulate or embassy is is a good idea anywhere you travel. On the broader pattern, he put it bluntly: “It used to be bad. Now my white friends are being treated like I used to be.”

A New Zealand-based publisher pulled their entire cohort, citing confidentiality agreements that prevent them from handing over device passcodes at the border. Newsweek’s on-the-ground reporting, published March 10th, confirmed the mood. The piece described “a low, persistent hum of anxiety in the halls” and said “conversations drift toward the same uneasy conclusion: the video game industry is no longer sustainable in America, and the international figures who once defined GDC’s global identity are simply not here.”

The timing makes this hit harder. GDC’s own 2026 state-of-the-industry report, which surveys more than 2,300 professionals, found that 28 percent of respondents had been laid off in the past two years, rising to 33 percent for US-based developers. 74 percent of surveyed students said they’re concerned about their future job prospects, and 87 percent of educators either expect negative impacts on student placement or are already seeing them. Over half of game industry professionals now say generative AI is having a negative impact on the industry, up from 30 percent just a year ago.

This is the backdrop against which developers are deciding whether to risk a trip to a country where they might get detained, searched, or profiled at the border. For many, the math just doesn’t work. The industry is already adapting. Publishers are shifting sensitive meetings to Gamescom in Cologne, Nordic Game in Malmö, and other international venues where colleagues don’t face immigration hurdles. One industry figure told MobileGamer.biz that GDC 2026 “could be the last GDC of its kind.”

That’s just a sad story all around. GDC has been around for a long time, and there have been a lot of games that came out of that conference that might not have happened otherwise — people gathered in one spot, talking to each other, exchanging ideas. A lot of stuff wouldn’t have happened without that conference. It’s unfortunate that we’ve gotten to a point where people are willing to just skip it.


YouTube Ad Revenue Milestone

The last story we’ve got: YouTube is now the world’s largest media company, and it’s celebrating by making your TV unwatchable.

YouTube pulled in 40.4 billion dollars in advertising revenue in 2025. That number, estimated by financial research firm Moffett Nathanson and reported by the Hollywood Reporter, is more than Disney, NBCUniversal, Paramount, and Warner Bros. Discovery made in ad revenue combined. One platform built on other people’s content now out-earns four of Hollywood’s biggest studios put together. Moffett Nathanson crowned YouTube “the new king of all media” and now values the platform at between 500 and 560 billion dollars, far ahead of Netflix’s 49 billion dollar market cap.

So how is YouTube celebrating becoming the largest media company on the planet? By rolling out thirty-second unskippable ads on every TV in your house. Google confirmed on March 2nd that “30-second non-skip ads are now available globally on connected TVs.” The format replaces the previous pattern of two consecutive 15-second ads with a single 30-second spot that cannot be skipped. Some markets are reportedly already testing 60-second unskippable spots.

The same week Moffett Nathanson declares YouTube the biggest media company in the world, Google makes free YouTube on your television meaningfully worse. Google reported that 67 percent of viewers say they hate the change. The platform has also been cracking down on ad blockers, limiting comments and video descriptions for users caught using them and introducing persistent ad banners on mobile devices. The message is clear: pay for Premium or sit through the ads. Users report stacked unskippable ads totaling up to four minutes of forced viewing during a single session. The experience now mirrors the cable TV commercial breaks that drove people to cut the cord in the first place.

Nielsen’s January 2026 media distributor gauge shows YouTube captures 12.5 percent of all TV viewing in the US, up from 10.8 percent a year ago and well ahead of second-place Disney at 11.9 percent. Creators get a 55 percent cut of ad revenue on standard videos, which means the platform functions as both the broadcaster and the ad network. There is no middleman. There’s just Google sitting between the creator and the viewer, deciding how many ads you see and how long you have to watch them before you get to the thing you actually came for.

It’s not even just a problem of ads being annoying. I think a lot of ads that end up on YouTube are actually really harmful — for products that are definitely going to make you sick. There are so many AI-generated ads out there that some people actually believe. Ads in general are bad not just because they’re annoying, but because they’re so misleading all the time. I really hate that. They’re not even accurate. Like even for mobile game ads — a lot of those are, “Oh yeah, this is gameplay,” and then you actually download the game and it’s nothing like what was shown. Not even close.

Generated trailers for some dumb mobile game. You know, all of this reminds me of a cyberpunk-dystopian ad-filled future where everything you see around you is essentially an ad, constantly. That’s what’s happening. Every screen, boom, ad. If it’s not off, it’s got an ad on it.

I hate the future. Let me go back.


The Deep Dive: The Kill Switch

Who Is Stryker?

All right, let’s get into the deep dive. Stryker Corporation. They are a Fortune 500 medical tech company headquartered in Michigan. They make hip and knee replacements, spinal implants, surgical navigation systems, robotic surgery platforms, LIFEPAK defibrillators, hospital communication systems, neurosurgical devices — the gamut. They do so much. They reported 25 billion dollars in global sales last year, and they employ roughly 56,000 people across 61 countries. Their products in some way interface with approximately 150 million patients every year. So: big company, big deal.

What Happened

The first signs hit just after midnight Eastern time on March 11th, 2026. By 3:30 a.m., it was over. Mass remote wipe commands swept through Stryker Corporation’s global Microsoft environment, factory resetting Windows laptops, corporate phones, and employees’ personal devices all at once. When workers tried to log in that morning, they found the Handala logo plastered across Stryker’s Entra login page.

One employee’s spouse posted to Reddit: “My wife had three Stryker-managed devices wiped around 3:30 a.m. EDT. Their Entra login page was defaced with the Handala logo, and it’s still up as of this post.”

Handala, a hacktivist group that multiple threat intelligence firms have linked to Iran’s Ministry of Intelligence and Security, claimed credit for the attack. In a Telegram manifesto, they said they had wiped more than 200,000 systems, servers, and mobile devices, extracted 50 terabytes of data, and forced offices in 79 countries to shut down. Workers across the US, Australia, and India reported being locked out of all systems. People resorted to WhatsApp and personal messaging to coordinate. That same evening, Stryker confirmed the attack to Fast Company, saying it was “experiencing a global network disruption to our Microsoft environment as a result of a cyberattack,” with no indication of ransomware or malware. Operations continued to be disrupted, including “order processing, manufacturing, and shipping.” As of March 13th, there is no timeline for full restoration.

How They Did It

Here’s the thing. The attackers didn’t deploy custom malware. They didn’t exploit a zero-day vulnerability. They didn’t even need to install anything. They gained access to Microsoft Intune — which is a tool I’ve actually learned and used as part of my studies — that lets IT departments manage every device in a company from a single web dashboard, including the ability to remotely erase them. They used that platform’s own built-in remote wipe feature to factory reset the company’s entire global device fleet.

Brian Krebs broke the technical details first. A trusted source with knowledge of the attack told Krebs on Security: “The perpetrators in this case appear to have used Microsoft Intune to issue a remote wipe command against all connected devices. When a device enrolls in Intune, the operating system establishes a trust relationship. It obeys management commands, including factory reset, immediately and without question.”

Several Entra ID roles carry the authority to issue those wipe commands, including Global Administrator, Intune Administrator, and Help Desk Operator. Get one of those credentials and you have the kill switch for the whole fleet. The precise method of initial access hasn’t been publicly confirmed. Check Point Research documented Handala’s typical playbook: credential phishing, brute force attacks on VPN infrastructure, and buying initial access through underground criminal services.

Google Cloud’s Mandiant division published research in 2024 specifically warning about Intune abuse, demonstrating how compromising a single Entra ID service principal could lead to full global administrator takeover. The researchers explicitly recommended enabling multi-admin approval for Intune operations. The fact that the wipe commands executed without any apparent second administrator check strongly suggests Stryker did not have this control enabled.

Shieldworks’ post-incident analysis put it plainly: “That is not a zero-day exploit. That is not cutting-edge malware. That is logging in to a legitimate enterprise platform with stolen admin credentials and pushing a button that was already there.” Microsoft’s cloud platform was not compromised. The attackers gained access to Stryker’s tenant administrator credentials and used legitimate Intune remote wipe capabilities to factory reset devices. The failure was in Stryker’s credential management and privileged access controls, not in the Microsoft platform itself. Microsoft, of course, declined to comment.
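One way to catch the pattern this section describes, a single identity issuing wipe commands against many devices within minutes, is to watch the MDM audit trail for bursts. The following is an added example, not vendor tooling or anything from the episode: the event fields and action names are a constructed, simplified stand-in for a real MDM audit schema.

```python
"""Flag a burst of remote-wipe commands in MDM audit events (added example,
not vendor tooling). Event fields (time, actor, action, device) and action
names are a constructed, simplified stand-in for a real MDM audit schema."""
from collections import defaultdict
from datetime import datetime

# Destructive actions; a real deployment maps its MDM's audit names here.
WIPE_ACTIONS = {"wipeDevice", "retireDevice"}

# Constructed sample: one admin issues six wipes within six minutes at
# 03:28 UTC, while a help-desk account does routine work.
SAMPLE_EVENTS = [
    {"time": f"2026-03-11T03:{28 + i:02d}:00Z", "actor": "mdm-admin@example.test",
     "action": "wipeDevice", "device": f"DEV-{i:04d}"}
    for i in range(6)
] + [
    {"time": "2026-03-11T03:30:00Z", "actor": "helpdesk@example.test",
     "action": "syncDevice", "device": "DEV-0100"},
    {"time": "2026-03-11T14:05:00Z", "actor": "helpdesk@example.test",
     "action": "wipeDevice", "device": "DEV-0101"},
]


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_wipe_bursts(events, window_minutes=10, threshold=5):
    """Return {actor: peak_count} for actors whose wipe commands reach
    `threshold` inside any sliding window of `window_minutes`.

    One wipe is routine (lost laptop, offboarding); many wipes from one
    identity within minutes is the shape a fleet-wide wipe produces.
    """
    times_by_actor = defaultdict(list)
    for event in events:
        if event["action"] in WIPE_ACTIONS:
            times_by_actor[event["actor"]].append(parse_time(event["time"]))

    alerts = {}
    for actor, times in times_by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, now in enumerate(times):
            # Advance the window start until it spans at most window_minutes.
            while (now - times[start]).total_seconds() > window_minutes * 60:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[actor] = peak
    return alerts
```

Detection like this is a backstop; a multi-admin approval requirement on wipe operations, the control Mandiant recommended, stops the burst before it starts rather than reporting it afterwards.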

The Real-World Impact

Stryker isn’t some random vendor, as we’ve already established. It’s foundational infrastructure for the American healthcare system. The company holds roughly 29 percent of the global knee implant market and 24 percent of the hip implant market. A healthcare professional at a major US university medical system told Krebs on Security: “This is a real-world supply chain attack. Pretty much every hospital in the US that performs surgeries uses their supplies.” That person confirmed they were already unable to order surgical supplies normally sourced through Stryker.

The most acute clinical disruption hit Maryland’s emergency medical services on March 11th. Maryland’s Institute for Emergency Medical Services Systems sent a statewide notification: Stryker’s LifeNet electrocardiogram transmission system was “nonfunctional in most parts of the state.” LifeNet transmits pre-hospital EKGs from ambulances directly to receiving hospitals, allowing cardiac catheterization teams to mobilize before the patient arrives. For STEMI patients — a type of heart attack where every minute of delay causes permanent heart muscle damage — LifeNet is the difference between an activated cath lab and a cold start.

The Mako robotic surgery platform, LifePak defibrillators, and Vocera communication systems were reportedly not directly impacted because they operate independently of Stryker’s corporate Microsoft environment. But with order processing, manufacturing, and shipping all offline, the pipeline of orthopedic implants, spinal devices, trauma instruments, and surgical consumables is stalled.

Who Is Handala?

The name Handala comes from an iconic Palestinian cartoon character — a ten-year-old refugee boy drawn with his back turned to the viewer. The group adopted it in late 2023 and has since become the most active Iran-linked hacktivist persona in the current conflict. Calling them “activists” is generous. The threat intelligence community’s attribution is unusually unified. Palo Alto Networks Unit 42, Microsoft, CrowdStrike, and Secureworks all track Handala as an online persona of Void Manticore, a destructive operations unit affiliated with MOIS — Iran’s Ministry of Intelligence and Security, essentially their version of the CIA.

Palo Alto Networks Unit 42 published a threat brief calling Handala “the most prominent Iranian hacktivist persona currently active in the conflict” and confirmed the Stryker operation “reportedly involved the exploitation of identity through phishing and administrative access through Microsoft Intune.” Unit 42 cautioned that hacktivist groups often exaggerate their reach.

The comparison to Iran’s most famous cyber operation puts the scale in perspective. The 2012 Shamoon attack wiped 30,000 systems at Saudi Aramco using custom malware. It was considered the most destructive cyberattack in history at the time. Stryker’s reported 200,000 device figure, even if inflated, suggests an order-of-magnitude increase in destructive capacity — achieved not through more sophisticated malware, but by weaponizing the victim’s own management tools.

Stryker was likely selected for two specific connections. First, in 2019, the company acquired OrthoPace Limited, an Israeli orthopedic device company, for up to 220 million dollars. Second, Stryker holds a 450 million dollar Defense Logistics Agency contract modification awarded in July 2025 to supply patient monitoring systems and capital equipment to the US military through 2030.

The broader escalation happened fast. Within hours of strikes on February 28th, over 60 pro-Iranian hacktivist groups mobilized. Iran physically struck three AWS data centers in the UAE and Bahrain on March 1st. NBC News characterized the Stryker attack as the first significant cyberattack by an Iran-linked group on a major American company since the war started.

BYOD and Personal Devices

The detail that has resonated most with ordinary people — not just IT professionals — is what happened to employees who enrolled personal phones in Stryker’s mobile device management system under a BYOD, or “bring your own device,” policy, the practice of using your personal phone for work. Those personal devices were wiped right alongside corporate ones. Photos, contacts, banking apps, two-factor authentication apps — all gone.

A Stryker employee in Australia posted on Reddit: “Have lost all personal data from personal devices that were enrolled and now unable to access emails and Teams.” Tom’s Hardware compiled Reddit accounts of employees “unable to log into their accounts because their two-factor authentication has been wiped from their phones.” Stryker sent an internal message telling employees to urgently remove “Intune Company Portal, Teams, and VPN from any personal devices that hadn’t already been hit.”

Friendly reminder: back up your two-factor backup codes. This is really serious. If you lose the device that the two-factor code is on, you better have a backup somewhere. Otherwise, you might be screwed. This is a prime example of that in action.

Forrester raised an even more alarming possibility in its post-incident analysis. If the attackers exfiltrated data before wiping, “this could mean that anything from personal photos to bank statements on your device were extracted.” Also, because of the level of control that MDM platforms have on managed endpoints, it’s possible that website access tokens and digital certificates could also have been extracted.

The technical solution already exists and has for years. Modern MDM platforms support containerization. Android Enterprise work profiles and iOS user enrollment create encrypted work partitions on personal devices. Personal data stays separate. A selective wipe removes only the corporate container, leaving personal photos, texts, and apps untouched. Whether Stryker had this configured hasn’t been explained publicly.

The takeaway for anyone who has enrolled a personal phone in an employer’s MDM is uncomfortable but straightforward. As Shieldworks put it: “If you enroll personal devices in corporate MDM, employees need to understand in plain language that the company retains the legal and technical ability to factory reset their personal device, and that in a security incident, that wipe may happen without warning.” In Stryker’s case, that warning came at 3:30 in the morning.

That is it. That is the last bit there.

Oh god, just phenomenal. Phenomenal stuff.

A disaster. I’m assuming we’ll probably hear more about this as time goes on. This is going to take a while to fix. Even with backups, all of those devices — 200,000 devices — need to be restored, rebuilt, whatever. It’s really, really not good.


The Build Log

That covers the news and the deep dive. I know what I want to talk about in the build log, but feel free to go first if you want. I’ve been talking for a while.

Chris V: Unreal Engine and Texture Maps

Nothing’s really changed since the previous episode. I’m still working on the same thing. I used a piece of software called GIMP to do something specifically for that project, which I personally thought I was never going to be able to do — but then I did.

You did? Yes, you did.

GIMP is an image editing program. It’s free, but it’s a pretty powerful one, and I ended up using it to combine a color texture map with an opacity map. Textures can have various components — there can be an opacity map or maybe even a translucent one. What I was dealing with specifically was foliage for ivy. It did have an opacity map, and sometimes it’s not lined up in a way that looks nice. By successfully combining the separate opacity map with the color into one image, the parts that are supposed to be translucent are actually translucent. The mesh itself without the textures is a very blocky-looking model, and you hide the excess blockiness with the opacity map. And then you only show what the end result should look like.

So what I did is: take that top image, the base color, import that as one layer. Take the opacity map, import that as a separate layer. Then push the base color on top so it’s the top layer. Right-click on the base color layer and add a layer mask. Then simply copy the opacity map and put it into that new layer mask. I needed the black areas to be transparent, so I select that, and then we have the end result — the stems, the leaves, all of that. The rest of it is gone. That’s really all you have to do: add a layer mask and mash the two together.

That’s always nice when you learn something and get it figured out. Get that little boost, you know.

Yeah. This is important because there were a lot of other meshes with textures that I got rid of because I didn’t know how to fix some of the problems with the opacity or translucent stuff. I’ve gotten rid of a lot of things where I was like, “Oh well, I’m never going to be able to fix this. I’m never going to be able to use GIMP and fix this.” But I did it with this one, and now I’m thinking about all this other stuff I could have used as well. If I had just done this process with those ones that needed it, I could have used them.

It is what it is. It’s okay. Now I know. I have the knowledge.

You got it. It looks great. I think you’re really on to something here. Everybody should check out the show notes for actual images of what we’re talking about here. It’s good stuff.

Chris N: Subtoken Auth and Redis Benchmarking

I’ve been building out a new back-end system for the token validation work and then measuring it to make sure everything performs to a reasonable standard. For anyone who is unaware, I’m building a tool called Subtoken Auth. It’s a token-based access control system that sits in front of your web services. You create tokens with specific restrictions — like rate limits, or allowed IP addresses, or time windows — and then the application validates every incoming request against those rules before it ever reaches your application. So every time somebody visits a website protected by Subtoken Auth, a validation request fires behind the scenes. We check the token, evaluate any restrictions, and return a pass or fail. That whole round trip needs to be really fast, because if validation is slow, every page load on every site using the application is also going to be slow.

Up until now, all the rate limit tracking lived in the application’s working memory. It’s fast and it’s simple, but it has a limitation. When you run multiple server processes to handle more traffic, each process has its own separate memory. Process one has no idea what process two has counted, and that rate limit of a thousand requests per minute silently becomes a thousand per process. So I built a pluggable system. You flip a config setting and the entire application switches from using that simple local memory cache to using a tool called Redis — a shared, high-speed data store that all your server processes can read and write to simultaneously. When process one records a request, process two sees it instantly. Your rate limit is actually a rate limit.

But the question is: what does that cost you in speed? The in-memory backend is really fast. The core operation takes about 711 nanoseconds — that’s less than a millionth of a second. Through Redis, that same operation takes about 334 microseconds, which is roughly 470 times slower in isolation. The full end-to-end validation takes just under one millisecond with the in-memory backend and just over one millisecond with Redis. That round trip adds about two-tenths of a millisecond to the total. Nobody’s going to notice the difference.

Here’s where it gets interesting, though. I ran scaling benchmarks. Single process in memory: 2,260 requests per second. A single process with Redis: 1,533 requests per second — about 32 percent slower. Two processes with Redis: 2,395 requests per second, meaning we just exceeded that single-process in-memory ceiling. At four processes, we can get 3,922 requests per second. With six processes, we get over 5,000 requests per second. Nearly linear scaling: double the processes, roughly double the throughput.

The story is clear. In-memory is faster per request, but it’s like a single-lane road. Redis charges like a small toll per trip, but it opens up all the lanes at the same time. For most people running Subtoken Auth, in-memory is the right default. For anyone who needs to scale, Redis is there, and the numbers prove that it actually works.

I just wanted to talk about that because it’s the kind of nuance and technical information you only get when you really dig into the numbers and performance. There’s also a saying that premature optimization is the root of all evil. Well, what counts as premature? The whole thing is kind of a difficult question to answer if you can’t answer what “premature” means. So I’m doing it right now — just making sure that things are as fast as they need to be and getting that out of the way, so that when the time comes, every bit of functionality will already be in place.

Good stuff.
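
The per-process counter problem described in the build log above, as an added example that is not Subtoken Auth’s own code: the backend classes and token id are assumptions, and a plain dict stands in for Redis so the simulation runs offline.

```python
"""Why a per-process rate-limit counter silently multiplies the limit
(added example, not Subtoken Auth's own code). The backend classes, the
token id and the shared dict standing in for Redis are assumptions so
the example runs offline; a real shared backend would use Redis INCR
with an expiry on the same key."""
from collections import defaultdict


class MemoryBackend:
    """Counter private to one worker process, like the in-memory backend."""

    def __init__(self):
        self.counts = defaultdict(int)

    def incr(self, key):
        self.counts[key] += 1
        return self.counts[key]


class SharedBackend:
    """Counter in a store every worker reads and writes, like Redis."""

    def __init__(self, store):
        self.store = store  # the same dict object is handed to every worker

    def incr(self, key):
        self.store[key] = self.store.get(key, 0) + 1
        return self.store[key]


class RateLimiter:
    """Fixed-window limiter: at most `limit` requests per token per window."""

    def __init__(self, backend, limit):
        self.backend, self.limit = backend, limit

    def allow(self, token, window):
        # Keying on the window gives each minute a fresh counter, which is
        # what a TTL on the Redis key would achieve in production.
        return self.backend.incr(f"ratelimit:{token}:{window}") <= self.limit


def simulate(workers, requests, limit, shared_store=None):
    """Spread `requests` for one token round-robin over `workers` processes
    in a single window; return how many the limiter let through."""
    limiters = []
    for _ in range(workers):
        backend = MemoryBackend() if shared_store is None else SharedBackend(shared_store)
        limiters.append(RateLimiter(backend, limit))
    allowed = 0
    for i in range(requests):
        if limiters[i % workers].allow("tok-demo", window=0):
            allowed += 1
    return allowed
```

With four workers and a limit of 1,000, the memory backend lets 4,000 requests through in one window while the shared backend stops at 1,000, which is the gap the Redis option closes.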


The Plug

That’s it for the build log. Time for plugs. You already plugged yours — technically did the combo build-log-plus-plug there. I’ve got a YouTube video to plug. It’s called “The AI Book That’s Freaking Out National Security Advisers.” It’s an explainer based on a book called If Anyone Builds It, Everyone Dies — basically talking about the idea that if anyone succeeds in building a superintelligent AI, we’re all dead. The one thing that really sets this video apart is the production quality. It’s exceptional. It’s the kind of video that makes you wonder what the budget was, because it looks so well done. It’s a little long, but I think the subject matter is worth your time. Serious people are taking the book seriously. It’s a serious video. I think everybody should watch it. Pretty cool.

Any final thoughts, sir? No, that’s about it. We could plug our links here. We have a Patreon at patreon.com/squaredcast. We also have a website at squaredcast.com. If you want to support what we’re doing, you should check out the Patreon. You can get bonus episodes, project builds, music from the archive, and a whole lot more, starting at just two dollars a month. We appreciate you being here, and we’ll see you next week. See you on the flip side.
