YouTube officially announced that its in-app video sharing and messaging feature is now rolling out to the US, UK, Brazil, and Singapore, bringing the total number of supported countries to 40.

The feature is available to users aged 18 and older who are logged into a YouTube channel. The rollout is gradual, so it may not appear in your app immediately.

How to DM on YouTube?

Once the feature is enabled for you, a messaging icon appears in the top right corner of the app. You can also share any video or Short directly from the Share button while watching.

The catch is that starting a conversation is not as simple as searching for someone. You have to send an invite link first, and that link must go out through a third-party app like WhatsApp, iMessage, or SMS. The other person then accepts the invite and gets added to your YouTube contacts. This extra step is designed to prevent spam and unwanted messages.

Once connected, you can send text messages freely, react to content in real time, unsend messages by long-pressing them, delete entire conversations, and block or report contacts if needed. The only media you can share inside the chat is YouTube content, including videos, livestreams, and Shorts. No images, GIFs, or files allowed.

Why is YouTube bringing messaging back now?

YouTube had a direct messaging feature in 2017, but it was quietly killed off in 2019. Now, it’s back once again in a much bigger way.

The feature has already been available in over 30 European countries since March 2026. YouTube says the positive response from countries where the feature was already live drove the decision to expand. Recently, the platform also added three new podcast features, but they are only for Premium subscribers.

Earlier this year, FIFA named YouTube a preferred partner for experiencing the World Cup 2026. On Wednesday, the next step in this partnership was announced, with the inaugural YouTube FIFA Creator Cup. It’s an exhibition match that’ll feature popular content creators from the platform, as well as athletes and celebrities. It’ll take place in New York City on July 12, ahead of the FIFA World Cup Final.

The Creator Cup is the latest step in FIFA’s moves to broaden soccer’s appeal through creator-involved content, potentially reaching the platform’s digital audience. The creators, athletes and celebrities competing in the match will be announced closer to the date.

Being a FIFA preferred partner means YouTube will, for the first time ever, broadcast unique World Cup-themed coverage — including the ability for viewers to stream the first 10 minutes of each game live on approved creators’ channels. 

The roster of approved creators includes: Anwar Jibawi, Ara y Fer, Ashley Alexander, Celine Dept, Courtreezy, Deestroying, Haley Kalil, Horchata Soto, Howieazy, Jeenie Weenie, Jenny Hoyos, Jesser, Kelly Wakasa, Kika Kim, KYLECTRIX, Kwak Yoongy, Max the Meat Guy, Neagle, Noor Stars, The Sidemen, Sonrixs, TokaiOnAirRYO, Viniblogger and Zhong.

According to the platform, these creators have collectively amassed more than 350 million subscribers, all specializing in different content niches from sports analysis to food features, social challenges and travel videos. This means you’ll have an array of options to choose from for unique programming featuring your favorite YouTube personalities, all while still getting your World Cup fix.

A YouTube spokesperson didn’t immediately respond to our request for further comment.

Algorithms. Beauty filters. Endless scrolling.

The case over “social media addiction” against Meta and Google in a California courtroom ultimately came down to these elements, legal experts say, and what a jury found was negligence on social media companies’ part when designing apps where tweens and teens would come to spend roughly one-fifth of their day.

Joseph McNally, former federal prosecutor and director of Emerging Torts and Litigation at McNicholas & McNicholas in California, says jurors agreed with the novel legal argument that Meta and Google were negligent in their design of Instagram and YouTube, respectively, contributing to the mental health problems of the plaintiff. Parent companies of Snapchat and TikTok settled with the plaintiffs before the trial.

McNally and other experts tell EdSurge the verdict will affect thousands of similar cases and influence how tech companies roll out their features — and that the legal tussle over where liability falls when it comes to youth mental health isn’t over yet. With the social media giants vowing to appeal, the case could end up before the U.S. Supreme Court.

Email Evidence

The impact left by the presentation of internal company emails was undeniable, McNally says. Internal Meta communications showed that employees raised alarms about the potential harm to teen girls posed by a beauty filter. Documents also showed they knew that users much younger than 13 — the minimum age required for sign up — were on their platforms, he adds.

“They looked the other way because — the plaintiffs argued — they had a long-term benefit, long-term value of hooking those users early,” McNally says. “I think that the emails painted a picture of a company whose own employees were raising concerns about features in the product, and the plaintiff effectively used those emails to show that they knew about the risk of the product.”

“Addictive” Design

If Meta and Google had settled, the court wouldn’t have had cause to grapple with the legal question of whether social media companies can be held liable for harm caused by their design. But from the defense’s perspective, tech companies had been solidly protected by Section 230 in the past, explains Princess Uchekwe, corporate attorney and founder of The Chief Counsel in New York. That’s the part of the 1996 Communications Decency Act that shields websites and online platforms from being sued over content posted by users.

Just one day before the California verdict, a New Mexico jury found Meta liable in a $375 million consumer protection lawsuit over its failure to protect children from social media harm on its platforms.

“What the lawyers for the plaintiffs were arguing is, essentially, it’s not the content that we have a problem with,” Uchekwe says, “It’s the fact that when people use your platform, you have implemented certain features that make it almost impossible for people to leave. You can scroll into the bottomless pit of hell on Instagram, and nothing ever tells you, ‘Maybe you should pause.’”

The Appeal of an Appeal

The $6 million in damages is a drop in the bucket for the two social media giants, but McNally says there are potential benefits to appealing the ruling anyway. There are thousands more consumer lawsuits against social media companies around the country, with school districts joining as plaintiffs.

One is that an appellate court might find that the long-time protections that social media companies have relied on should have come into play. The verdict barreled through the defenses raised by Section 230, which protects platforms from claims of harm caused by third-party content. It’s a policy that makes a free and open internet possible.

“[Section] 230 has resulted in the dismissal of hundreds of lawsuits over the years where they would’ve otherwise faced hundreds of millions of dollars in liability,” McNally says. “An appeal [based on] Section 230, which is a federal statute, could make its way up to the Supreme Court, who would have the final word on the scope. [If the] court of appeals remanded it back to the trial court and said, ‘Look, Section 230 applies,’ it would essentially bar these claims [of harm caused by the design].”

Uchekwe says failure to win an appeal could be “almost devastating” for tech companies due to the sheer amount of damages they could have to pay across thousands of similar lawsuits, along with the cost of restructuring how their apps function. That could mean rethinking features like targeted algorithms, the ability to endlessly scroll and notifications that draw users back into the app.

“Not only social media companies,” Uchekwe says, “all tech companies that have implemented things like that, especially if they have children as a base, are going to have to start reconsidering.”

First Amendment Question

There’s also a First Amendment case to be made, McNally adds. Some legal experts, including UC Berkeley law professor Erwin Chemerinsky, argue that the “addictive” algorithms that came under fire during the trial are protected free speech. If that argument succeeds on appeal, it could stop the legal cases arguing product liability in their tracks.

“If the Supreme Court overturned it based on Section 230 and the First Amendment, it’s unlikely there’s going to be a new trial. It would likely be dismissed,” McNally says. “I won’t say that with certainty, but the prospects of dismissal would be pretty good for the defendants.”

Ripple Effect

McNally says the fact that a jury ruled Meta and Google’s app features were “unreasonably unsafe for its users” creates challenges for them in the swaths of similar lawsuits they’re facing. Plaintiffs in those cases still must prove a direct link between the social media companies and the harm they’re alleging.

“I think it’s going to result in some cases probably moving closer to settlement, but in all those cases, I think that the defendants are going to be looking closely at the causation issue,” McNally says. “There’s probably other cases out there where the evidence of causation is not as strong, and those cases may be harder for a plaintiff to get across the finish line.”

Uchekwe predicts that if the verdict sticks, tech companies — especially those with users who are under 18 — will be forced to retool their app features to encourage users to spend less time on their platforms. That could hurt the companies’ ad revenue and their ability to gather data on users.

“Undoing some of those things may decrease their bottom line, but I’m not sure it will do it to the extent that it’s detrimental to their revenue,” Uchekwe says. “If you weigh the benefits of putting these safeguards in for children versus your revenue, I never think that your profit should come at the expense of a generation of people.”

Apple has terminated support for AFP in macOS 27, effectively killing off the Time Capsule. However, affected owners might be able to revive their hardware.

A long-discontinued network storage device, Time Capsules gave Mac users a way to back up over a home network using Time Machine. While the hardware hasn’t been available for quite a few years, support continued up to macOS 26.

However, as warned in macOS Sequoia 15, support for the Apple Filing Protocol, AFP, was being deprecated and removed in a future macOS release. That turned out to be macOS 27, thanks to a notice in macOS 26 warning about the end of support for AirPort Disk and other Time Capsule disks.

This is an issue that affects Time Capsule specifically, as it relies on AFP for its connectivity. While Time Capsule does include support for SMBv1 (Server Message Block), it was only supported in macOS 26 as a deprecated measure.

From macOS 27 onwards, Time Machine will require hardware using SMBv2 or SMBv3. This will mean it will work with modern NAS devices, but not Time Capsules.

Life finds a way

While Time Capsules in their normal state won’t work for Time Machine, there are efforts to try and add the required functionality to the hardware.

A GitHub project we wrote about in April, titled TimeCapsuleSMB, aims to update the outdated SMB layer with a newer one, while keeping Apple’s firmware untouched. This way, Apple’s file sharing stays enabled, so your internal disk, or connected USB ones, keep auto-mounting and working on the forthcoming macOS 27.

Really, it’s a modern Samba build to manage file sharing that’s loaded onto the Time Capsule. It runs Samba 4.24.3 server, advertises itself with Bonjour, and accepts authenticated SMB3 connections.

At that point, assuming the project ever works, you can connect to the server using a normal SMB URL, and then use it for Time Machine backups.

When we first wrote about the project, there were concerns that it was more a proof-of-concept than a full project. However, at the time of publication, there have been many commits to the project, including some that are just hours old.

According to the project’s requirements, you need to use a Mac running macOS 14 or later, or a Linux device on the same local network as the Time Capsule. You also need the password for the Time Capsule, as well as Homebrew, Python 3.9 or later, and smbclient installed locally.

The instructions to install it are quite complex, which puts the project out of reach of the typical user. However, near the top is a “Quick Start” option that relies on just five commands, streamlining the process.

As it stands, Time Machine users have few choices in how they maintain their backups. They could look for an external drive or invest in a NAS, as the most obvious, if expensive, solutions.

But, with a project like TimeCapsuleSMB, there’s a chance of reviving an underappreciated part of Apple’s former product line.

SECURITY

The CEO thought this was the best way to deal with some email issues

PWNED Welcome, once again, to PWNED, the weekly screed where we highlight those who did not do the deed of securing their systems. If someone left their passwords or their access exposed, we will be writing about them here.

Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity is available upon request.

This week’s terrifying tale of poor security hygiene comes courtesy of Luke Irwin, CEO and principal consultant at Aegis Cybersecurity. He’s been in the industry for more than a quarter of a century and he knows where the bits are buried. 

At one point, Irwin consulted for a company that was a large national facility services organization, a 2,000-employee firm that provided cleaning, security guards, industrial abseiling (cleaning the facade), and other things that other large businesses need to keep their physical plants running smoothly.

The CEO had one very peculiar idea about how to keep his own house in order: he wanted to have access to every one of his employees’ login credentials.

The chief executive had an Excel spreadsheet sitting right on his desktop with a complete list of all the employee usernames and passwords. Let that sink in for a second. One person had all the keys to the castle in a single, easily accessible file.

In any decent security setup, no one in the company has access to anyone else’s password. Even the head of the IT department should not know another employee’s password. I say this as someone who used to work for a company where the IT department would ask you to DM them your password if you had computer problems.

But this company’s CEO wanted the usernames and passwords for reasons I’m sure any of his employees would appreciate: so he could go into their email accounts! He had an experience where one colleague had sent secret information to the entire company via email and he had spent the evening logging into every single account and deleting the message before anyone could see it.

Just in case other messages were sent in error in the future, the CEO wanted the ability to log into all the relevant accounts and delete them himself. Perhaps for the same reason, he would not allow MFA (multi-factor authentication), because that would have kept him out of people’s inboxes. He was adamant even though the company had been the victim of a ransomware incident previously. 

“Despite repeated advice, he held that position for around four months, until we were able to demonstrate that the IT team could remove messages centrally using fairly simple administrative commands, without needing everyone’s password,” Irwin said.

Even after getting rid of the Excel sheet of shame, the boss still refused to turn on MFA and the company subsequently suffered two data breaches involving sensitive client data. 

Unfortunately, this company wasn’t the only one that Irwin worked with where the management had something against MFA. Another client, this one in the medical sector, was opposed to multi-factor authentication because it “made things just a little too hard” for the external consultants they were using to access their systems.

During the time that Irwin worked with that company, they got lucky and no one breached them. But since then, he’s seen signs that their data was available on the dark web. No word on whether they ever switched MFA on.

There’s plenty to learn from Irwin’s two clients, but it’s all pretty obvious. First, don’t let anyone, even administrators or CEOs, have other people’s passwords. If someone has to get into another person’s email account, have IT use administrative access. Second, always enable MFA, preferably MFA with passkeys. ®

Chaotic Eclipse, the security researcher Microsoft threatened with criminal prosecution, has published a seventh Windows zero-day exploit. Called RoguePlanet, it grants attackers SYSTEM privileges on fully patched Windows 10 and 11 machines. The researcher released the proof-of-concept hours after Microsoft shipped its June Patch Tuesday update, which fixed a record 200 vulnerabilities.

RoguePlanet exploits a race condition in Windows Defender’s internal processing logic. Specifically, it is a Time-of-Check to Time-of-Use (TOCTOU) vulnerability. An unprivileged user can redirect a file operation performed by Defender, which runs as SYSTEM, to execute attacker-controlled code at the highest privilege level.

“The exploit is a race condition, so it’s a hit or miss,” the researcher said. “I have managed to get a 100% success rate on some machines while it struggled to work on others.”

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

Security firm ThreatLocker confirmed the flaw works and published a video demonstration. “Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described,” said CEO Danny Jenkins. He added that application allowlisting can prevent the exploit from executing.

The proof-of-concept was published on a self-hosted Git repository after the researcher said Microsoft had both GitHub and GitLab repositories hosting earlier work removed. This is part of an escalating dispute. Microsoft invoked its Digital Crimes Unit against the researcher and revoked access to their Microsoft Security Response Center account.

Chaotic Eclipse has disclosed seven zero-days in a matter of months: BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, MiniPlasma, and now RoguePlanet. Microsoft’s June Patch Tuesday fixed two of them, GreenPlasma and YellowKey, but the rest remain unpatched. The researcher says the disclosures are retaliation for how Microsoft handled the process.

“They mopped the floor with me and pulled every childish game they could,” the researcher wrote. “I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer.”

The timing is pointed. Microsoft’s June Patch Tuesday was its largest ever, fixing 200 vulnerabilities including 33 rated critical and three publicly disclosed zero-days. Analysts attribute the surge in part to AI-assisted code auditing, which is finding vulnerabilities faster than defenders can patch them. RoguePlanet arriving hours after the record update underscores the gap: even the biggest patch cycle in Microsoft’s history was immediately obsolete for anyone running Windows Defender.