New users, on Signal, you can mute chats for a period or permanently. No notifications but you can still see if there are unread messages.
On desktop: in that chat, go to Group Settings, then Notifications. On iPhone: in that chat, click on the name at the top, then go to Sounds & Notifications.
"Life Safety building automation is pretty awesome. π"
Excellent writeup on how MCP future-proofs API integrations ~ @stevemanuel.bsky.social
docs.mcp.run/blog/2025/03...
Our second keynote for Offensivecon 2025 will be Dino Dai Zovi! @ddz.bsky.social
I'll be doing a speaking!
Saw this on the other site but I should comment here:
Can't remember his hacker handle but I think Pad & Gandalf of 8lgm were arrested the same day in 1991.
You may not know it but the entire infosec & software industries owe 8lgm immense gratitude for making vendors accountable for their vulns
Exactly this. We should instead be investing that energy into making authentication in our environment unphishable by making it impossible to give away access to an attacker, even if someone actually wanted to.
I have never once run a phishing sim. I refuse to use the word. I put it in air quotes and say scam by text or email etc
Tech and cyber has been about deflecting blame to anyone else but themselves- which is what sims are. Blaming people when the system they use should protect against issues.
NEW: WhatsApp says it has notified 90 victims, including journalists and members of civil society, that they were targeted with spyware made by Paragon.
This is the first time that Paragon is linked to alleged abuse of its products.
techcrunch.com/2025/01/31/w...
Meta says almost 100 journalists and activists were targeted with spyware from Israeli company Paragon Solutions using a zero-click vuln in WhatsApp. If you use an iPhone, enabling Lockdown Mode prevents this from working. www.theguardian.com/technology/2...
π
If you're interested in the history of bug bounties, for reasons, this series I did a few years ago with @k8em0.bsky.social @caseyjohnellis.bsky.social @ddz.bsky.social and many others may be of interest.
duo.com/decipher/law...
I'm really liking the crisp definitions of and boundaries between product engineering, domain engineering, and infra engineering in this.
How much of your security org builds "what any company would need" (infra) vs. "what is unique to this company but shared across the company" (domain) ?
There are different privacy concerns and approaches for the training phase of AI as well as for the inference phase of using it. It's a good time to be thinking about what the right approaches are for each.
I wrote a post about how AI will interface with end-to-end encryption. TL;DR maybe not so well! blog.cryptographyengineering.com/2025/01/17/l...
+1, security product vendors, services companies, *and* internal teams must always operate under the Hippocratic Oath, "First, do no harm."
So phone metadata *is* actually sensitive and important information? So hard to keep this straight.
We blogged again! This time about our Data Safety Levels framework, which was inspired by the CDC/WHO Biosafety Levels system and Laboratory Biosafety Manuals. Like biological agents, we also don't want sensitive data to be exposed to humans or escape.
code.cash.app/dsl-framework
This is the way ;)
PRF in WebAuthN is going to enable epic things
Fraud is such a broad thing, hard to answer. But I think better forms of digital and cryptographic proofs of selective identity information would help. For example, cryptographic proof of personhood, while still remaining anonymous would help reduce amount of bots and such on social media.
That is true that it is not cool, but the shift to EMV also happened in the US with cardholders not being liable for fraudulent charges by law. I'm not sure what the laws were in AU, but wonder if that was only the situation in EU/UK?
Any plans on supporting Confidential VMs (e.g. AWS Nitro Enclave, AMD SEV-SNP, Intel TDX) w/ TamaGo unikernels?
The way that I think about it is that the systems that I think about the security of have grown larger and more complex. Being Security DRI for Square's EMV launch in 2014 was really educational. True to my roots, I found EMV smartcard parsing mem corruption bugs in our firmware before it shipped :)
Well, in the US, cardholders haven't been liable for fraudulent charges since 1974's Fair Credit Billing Act, which meant issuers owned fraud losses. This created the incentive for the EMV liability shift, which was created by contractual agreements between issuers, acquirers, terminal vendors, etc.
The placement of liability for fraudulent credit card charges onto the issuer incentivized the shift to EMV, so we now have smartcards in our wallets and secure elements on our smartphones.
Contrast this to the security of authn to way more critical things than buying a coffee.
Ever wanted to benchmark RSA key generation but found it too slow and variable, like benchmarking a lottery? No? Just me?
Well, I nerd-sniped myself into producing average representative inputs that can be used to benchmark, profile, and compare RSA keygen. c2sp.org/CCTV/keygen
Happy New Year(?)!
This Salt Typhoon stuff is insane. The entire FISA surveillance infrastructure has been completely owned by China and literally no part of our telecom infrastructure is safe to use without end-to-end encryption.
Code written with box characters used on old old software to make fake UIs
Youβre still arguing about tabs vs. spaces? May I presentβ¦
