6/
As a result, defender-side agents will likely be better positioned to identify these harder classes of vulnerabilities.
That's why I think LLM-assisted vulnerability discovery ultimately favors defense.
5/
Finding these requires deep context:
how the system is designed, what assumptions were made, and how different pieces interact across the stack.
Defenders naturally have that context.
Attackers usually don't.
4/
What remains are the harder classes of vulnerabilities:
• issues emerging at module boundaries
• incorrect assumptions between components
• complex system-level behavior rather than a single piece of code
3/
As that happens, the attack surface shifts.
Fewer trivial bugs. More subtle vulnerabilities.
2/
The era of "stupid bugs" resulting in vulnerabilities is ending.
With LLM-assisted analysis, obvious implementation mistakes will get discovered and fixed much faster.
1/
Codex security is now in research preview.
openai.com/index/codex-...
I think models and agents that can help hunt down software vulnerabilities are net positive for defenders.
Happy birthday to all my privacy conscious, but lazy friends who chose Jan 1st as their birthday!
Article title: If AI replaces workers, should it also pay taxes?
Me: We don't want a rebellion sparked by 'Taxation without representation'. Do we?
english.elpais.com/technology/2...
Link back to the top of the thread:
bsky.app/profile/vino...
That said, I am glad that IACR is addressing this "human mistake" by making a "system design change" to a 2-of-3 quorum for the re-run.
www.iacr.org/news/item/27...
#IACR #Cryptography #KeyManagement #InfoSec #OPSEC #Elections
Devices die. Backups fail. People forget. People die. Anyone who has worked with computers (or people) knows this happens.
System design should account for this. I wish IACR took accountability for the design failure rather than blaming the human element.
I am disappointed that IACR is framing the root cause as an "unfortunate human mistake," effectively throwing a distinguished member of the community under the bus.
This is a system design issue. No critical system should have a 3-of-3 quorum requirement.
2. Security is more than cryptography.
Most secure systems fail or get compromised, not due to sophisticated cryptanalytic attacks, but due to implementation and OPSEC issues.
Few lessons to relearn here:
1. Availability is a security requirement. It is just as important as Confidentiality.
While this seems like a truism, it is not uncommon to come across system designs (or even NSA/NIST specs) that contradict this principle.
IACR used #Helios for voting. They configured it such that all 3 trustees need to be present with their share of the private key to tally results.
One trustee lost their share. Now the results are mathematically secure—forever.
The math worked. The encryption held. The process failed.
Cryptography is the art of transforming every problem into a key management problem. Here is a recent case study on this theme, which is a bit on the nose.
The International Association for Cryptologic Research (IACR) is unable to tally their election results because they lost a private key. Ouch!
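The quorum argument in this thread, as an added example that is not part of the original posts and is not Helios code: Shamir secret sharing stands in for trustee key shares to show what one lost share does under 3-of-3 versus 2-of-3. The field modulus, function names and random key are constructed for the demo and do not model Helios's own trustee key handling.

```python
import secrets

# Constructed demo parameters; not Helios code and not any real election key.
P = 2**127 - 1  # Mersenne prime used as the field modulus


def split(secret, k, n):
    """Shamir split: any k of the n shares rebuild `secret`."""
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    # Trustee i holds the point (i, f(i)).
    return [(x, f(x)) for x in range(1, n + 1)]


def combine(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for xj, yj in shares:
        num, den = 1, 1
        for xm, _ in shares:
            if xm != xj:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total


def recover_after_loss(k, n, lost):
    """True if the key is rebuilt after trustees in `lost` (1-based) lose their share."""
    key = secrets.randbelow(P)
    surviving = [s for s in split(key, k, n) if s[0] not in lost]
    # Below quorum, interpolation yields an unrelated value, not the key.
    return combine(surviving) == key


if __name__ == "__main__":
    print("3-of-3, one share lost :", recover_after_loss(3, 3, {2}))
    print("2-of-3, one share lost :", recover_after_loss(2, 3, {2}))
    print("2-of-3, two shares lost:", recover_after_loss(2, 3, {1, 2}))
```

With 3-of-3, a single lost share makes recovery fail; with 2-of-3 the same loss is tolerated, and the scheme still refuses a lone trustee.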
Attack outcome: If you mess with the ground-based time, you mess with GPS.
This affects everything from your car's driving directions to the guidance systems for precise missiles.
Sources:
www.theregister.com/2025/10/20/c...
www.cert.org.cn/publish/main...
2. GPS Navigation: GPS satellites need perfectly synchronized clocks. They have onboard atomic clocks but rely on ground stations (like NTSC) to correct for timing drifts.
(An interesting source of drift: Relativistic time dilation, because the sats move at ~9,000 mph!)
1. Telecommunications: Cell phone base stations must share a common clock to hand off calls. This is even more vital for low-latency 5G applications.
Attack outcome: If you disrupt the time, you can disrupt the entire communications grid.
Why target a timekeeper? It sounds mundane, but high-precision time is a critical national security asset.
Modern tech relies on nanosecond-level accuracy. If you can mess with time, you can disrupt critical infrastructure.
Here are two key examples:
China alleges the NSA mounted a cyberattack on its National Time Service Center (NTSC), the country's official timekeeper.
The attack reportedly attempted to compromise high-precision timing. Beijing has not stated if the attempt was successful.
(Thread 🧵)
Great work, Wenyi Zhang, Annie Dai, Keegan Ryan, Dave Levin, Nadia Heninger and Aaron Schulman!
satcom.sysnet.ucsd.edu/docs/dontloo...
While it is important to work on futuristic threats such as Quantum cryptanalysis, backdoors in standardized cryptographic protocols, etc. - the unfortunate reality is that the vast majority of real-world attacks happen because basic protection is not enabled. Let's not take our eyes off the basics.
- Walmart Mexico: Unencrypted corporate emails, plaintext credentials to inventory management systems, inventory records transferred and updated using FTP
- AT&T Mexico cellular backhaul: Raw user internet traffic
- TelMex VOIP on satellite backhaul: Plaintext voice calls
- U.S. military: SIP traffic exposing ship names
- Mexico government and military: Unencrypted intra-government traffic
A few researchers from UCSD and UMCP scanned a bunch of satellite links, found much of the traffic is not encrypted, and went on to decode them. It's amazing what came out.
- T-Mobile backhaul: Users' SMS, voice call contents and internet traffic content in plain text.
"Almost died on the thruway today when it happened and I'm glad it didn't cause a bigger accident with an 18-wheeler behind me being able at the last minute to shift lanes because my Jeep died, locked its hand brake and jolted so hard my face almost ended up in the steering wheel at 70mph."
OTA update to Jeep Wrangler bricks the vehicle. No attack suspected here. Nonetheless, it exposes an often underappreciated attack vector. It is scary how easy it will be for a motivated actor to cause chaos by just bricking stuff en masse.
www.4xeforums.com/threads/wran...
Availability is not antithetical to security and privacy. A well designed security system will meet availability needs.
"The Interior Ministry explained that... the G-Driveβs structure did not allow for external backups. This vulnerability ultimately left it unprotected."
This terrible event is a reminder that "Availability" is a critical goal for security and privacy systems. After all, we are in the risk mitigation business. And losing critical assets is one of the biggest risks a business faces.
koreajoongangdaily.joins.com/news/2025-10...