Posts by dangoodin@infosec.exchange
(DIR) Post #AtfzchFh7GnEZtg6LI by dangoodin@infosec.exchange
2025-05-01T22:56:40Z
0 likes, 1 repeats
April was the first full month since I installed my 4.1 kW solar system and accompanying batteries. And just like that, I went from drawing 200-250 kWh per month from the grid to 3 kWh. For the month, I produced 583 kWh, 284 kWh of which I exported to the grid.
(DIR) Post #Au5zOcMqHAN2SvtHYe by dangoodin@infosec.exchange
2025-05-14T16:44:21Z
0 likes, 1 repeats
Folks, there is 0 evidence that Steam passwords have been breached. Unless and until credible evidence occurs, please do NOT urge people to change their login credentials and please do NOT boost other people's toots doing the same. Creating unjustified anxiety about a non event does a disservice to us all. Please boost for visibility.
(DIR) Post #AuIP6Wbnkc8ykHF3fk by dangoodin@infosec.exchange
2025-05-20T19:54:24Z
0 likes, 1 repeats
New from @kimzetter: The United Arab Emirates military is seeking to build out its work in AI by offering high-paying jobs to about 30 former Defense Department workers who resigned last month amid encroachment by the Elon Musk-led Department of Government Efficiency. https://www.zetter-zeroday.com/uae-recruiting-us-personnel-displaced-by-doge-to-work-on-ai-for-its-military/
(DIR) Post #AuKRAh4rMJPqb1rwaO by dangoodin@infosec.exchange
2025-05-21T17:06:22Z
2 likes, 4 repeats
Signal Messenger is warning that Recall, the AI tool rolling out in Windows 11 that will screenshot, index, and store everything a user does every three seconds, poses a risk to its users. Effective immediately, the Windows Desktop version will by default block the ability of Windows to screenshot the app. Of course, Microsoft provides no API to disable Recall from screenshotting specific apps, so Signal is getting creative. They are invoking a digital rights management API that blocks the screenshotting of copyrighted material. https://signal.org/blog/signal-doesnt-recall/
(DIR) Post #AuKRAmKznkIIuWSOvo by dangoodin@infosec.exchange
2025-05-21T17:07:04Z
0 likes, 0 repeats
Signal writes: "We hope that the AI teams building systems like Recall will think through these implications more carefully in the future. Apps like Signal shouldn’t have to implement “one weird trick” in order to maintain the privacy and integrity of their services without proper developer tools. People who care about privacy shouldn’t be forced to sacrifice accessibility upon the altar of AI aspirations either."
(DIR) Post #Aul5Uam0HlQ9CQtauu by dangoodin@infosec.exchange
2025-06-03T14:19:36Z
2 likes, 3 repeats
Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it's investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities. https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/
(DIR) Post #AvlRPqfbWCjQnuSnFQ by dangoodin@infosec.exchange
2025-07-03T16:34:31Z
1 likes, 2 repeats
Interesting article reporting that Android will soon give Gemini broadened access to phones and the apps they run, even when Gemini has not been turned on. Article goes on to say people who don't want this should "open the Gemini app from your Android device" and turn off each app extension. Sounds simple enough, but I'm not finding any Gemini app installed on my Pixel. Can anyone help me figure out what precisely people must do to keep Gemini off of their Android devices? https://tuta.com/blog/how-to-disable-gemini-on-android#_
(DIR) Post #AwwpfL8lYsHr1h1TY8 by dangoodin@infosec.exchange
2025-08-07T17:49:36Z
1 likes, 1 repeats
A reminder that software makers, hardware makers, cloud services, payment processors, and the like will throw their customers under the bus whenever it suits them. Your payment card, food delivery account, AWS instance, Gmail address -- all can be taken away on a whim for any reason or no reason. These providers are NOT your friend. Make plans now. Have backups in place. Practice self-reliance. Wean yourself off these one at a time.
(DIR) Post #AxidK2ThsaN1CcyEfQ by dangoodin@infosec.exchange
2025-08-30T18:36:31Z
0 likes, 0 repeats
After more than a decade of receiving these sorts of messages, I still never know how to respond in a way that might be remotely helpful. UPDATE it's really disappointing to see how many responses here dismiss or make fun of people with mental illness. These are real people with real families and they're all suffering. There's nothing funny about any of this.
(DIR) Post #AxqeIUc7xEib6VPnu4 by dangoodin@infosec.exchange
2025-09-03T18:50:09Z
1 likes, 1 repeats
People in Internet security circles are sounding the alarm over the issuance of three TLS certificates for 1.1.1.1, a widely used DNS service from Cloudflare. The three improperly issued certs escaped notice for 4 months. https://arstechnica.com/security/2025/09/mis-issued-certificates-for-1-1-1-1-dns-service-pose-a-threat-to-the-internet/
(DIR) Post #AykWhvk7G4wDLY0VJg by dangoodin@infosec.exchange
2025-09-30T20:44:21Z
0 likes, 0 repeats
The chipmakers say physical attacks aren't in the threat model. Many users didn't get the memo. https://arstechnica.com/security/2025/09/intel-and-amd-trusted-enclaves-the-backbone-of-network-security-fall-to-physical-attacks/
(DIR) Post #AykWhx3IOFsFPJzKqm by dangoodin@infosec.exchange
2025-10-01T00:52:35Z
1 likes, 0 repeats
The takeaway from the Battering RAM attack on SGX and SEV-SNP is this: Trusted enclaves from Intel and AMD don't stand up to supply chain attacks, even low-cost ones that can blend right in with the DIMM itself.
(DIR) Post #AzmtxDv6mri6G701fU by dangoodin@infosec.exchange
2025-10-30T21:37:44Z
0 likes, 0 repeats
People working on post-quantum-proofing vulnerable encryption protocols (and curious onlookers) can find lots of value in this new post from Cloudflare. It discusses the herculean engineering challenges of revamping anonymous credentials that will be broken by a quantum computer. There's a growing need for this kind of privacy (for instance to make digital drivers licenses privacy preserving), which allows individuals to prove specific facts, like they have had a drivers license for more than 3 years, without divulging personal information like their birthday or place of birth. The long and short of the challenge is that engineers can't simply drop quantum-resistant algorithms into AC protocols that currently use vulnerable ones. Instead, engineers will need to collaborate with standards bodies that build entirely new protocols, largely from scratch. The post goes on to name a few of the most promising approaches. https://blog.cloudflare.com/pq-anonymous-credentials/
(DIR) Post #AzmtxKVUIWNKgg4ACm by dangoodin@infosec.exchange
2025-10-30T21:46:06Z
0 likes, 0 repeats
Also, engineers who work on solving these sorts of problems: Cloudflare has 1,100 open intern slots (not sure why these positions would be intern, but there you are).
(DIR) Post #B0UGI81NFcU5UtJd0C by dangoodin@infosec.exchange
2025-11-21T22:43:13Z
0 likes, 2 repeats
The International Association of Cryptologic Research has cancelled the results of its annual leadership election after an official lost an encryption key needed to unlock results stored in a "hyper-secure election system." https://www.nytimes.com/2025/11/21/world/cryptography-group-lost-election-results.html?unlocked_article_code=1.208._aCi.O706MR3i3l3K&smid=url-share
(DIR) Post #B2FgIOxAJ9NGf5ic0O by dangoodin@infosec.exchange
2026-01-13T16:40:54Z
0 likes, 1 repeats
Moxie Marlinspike—the engineer who set a new standard for private messaging with the creation of the Signal Messenger—is now aiming to revolutionize AI chatbots in a similar way. https://arstechnica.com/security/2026/01/signal-creator-moxie-marlinspike-wants-to-do-for-ai-what-he-did-for-messaging/
(DIR) Post #B2zLEcykUvbmI34ULY by dangoodin@infosec.exchange
2026-02-04T19:01:05Z
0 likes, 0 repeats
Anybody know how feasible it would have been for the WaPo reporter to refuse to provide her biometrics, or intentionally sabotage the attempt by, say, using her wrong finger or closing her eyes? She might go to jail, but that's what reporters do to protect sources.
(DIR) Post #B2zLEfcsegtkV5rZB2 by dangoodin@infosec.exchange
2026-02-04T19:41:44Z
0 likes, 0 repeats
@adamshostack How can cops force a journo to open her eyes? Can't she just refuse, or promise to keep her eyes open and then close them at the crucial moment? And what if she uses a finger she hasn't registered? In either case, the device would then require a password. This seems feasible to me, and maybe that's what the WaPo reporter did, but maybe I'm missing something?
(DIR) Post #B2zLEgf2o8Dti5soBk by dangoodin@infosec.exchange
2026-02-04T19:46:58Z
0 likes, 0 repeats
@adamshostack I mean, the journo may be charged, but journos (at least reputable ones) will go to jail to protect sources in other cases.
(DIR) Post #B31Y9cTactd50IMK24 by dangoodin@infosec.exchange
2026-02-05T21:43:38Z
0 likes, 0 repeats
Am I the only journalist who would opt to go to jail rather than provide my biometrics to open a device when raided by law enforcement?