Posts by dangoodin@infosec.exchange
(DIR) Post #AwwpfL8lYsHr1h1TY8 by dangoodin@infosec.exchange
2025-08-07T17:49:36Z
1 likes, 1 repeats
A reminder that software makers, hardware makers, cloud services, payment processors, and the like will throw their customers under the bus whenever it suits them. Your payment card, food delivery account, AWS instance, Gmail address -- all can be taken away on a whim for any reason or no reason. These providers are NOT your friend. Make plans now. Have backups in place. Practice self-reliance. Wean yourself off these one at a time.
(DIR) Post #AxidK2ThsaN1CcyEfQ by dangoodin@infosec.exchange
2025-08-30T18:36:31Z
0 likes, 0 repeats
After more than a decade of receiving these sorts of messages, I still never know how to respond in a way that might be remotely helpful.

UPDATE: it's really disappointing to see how many responses here dismiss or make fun of people with mental illness. These are real people with real families and they're all suffering. There's nothing funny about any of this.
(DIR) Post #AxqeIUc7xEib6VPnu4 by dangoodin@infosec.exchange
2025-09-03T18:50:09Z
1 likes, 1 repeats
People in Internet security circles are sounding the alarm over the issuance of three TLS certificates for 1.1.1.1, a widely used DNS service from Cloudflare. The three improperly issued certs escaped notice for 4 months. https://arstechnica.com/security/2025/09/mis-issued-certificates-for-1-1-1-1-dns-service-pose-a-threat-to-the-internet/
(DIR) Post #AykWhvk7G4wDLY0VJg by dangoodin@infosec.exchange
2025-09-30T20:44:21Z
0 likes, 0 repeats
The chipmakers say physical attacks aren't in the threat model. Many users didn't get the memo. https://arstechnica.com/security/2025/09/intel-and-amd-trusted-enclaves-the-backbone-of-network-security-fall-to-physical-attacks/
(DIR) Post #AykWhx3IOFsFPJzKqm by dangoodin@infosec.exchange
2025-10-01T00:52:35Z
1 likes, 0 repeats
The takeaway from the Battering RAM attack on SGX and SEV-SNP is this: Trusted enclaves from Intel and AMD don't stand up to supply chain attacks, even low-cost ones that can blend right in with the DIMM itself.
(DIR) Post #AzmtxDv6mri6G701fU by dangoodin@infosec.exchange
2025-10-30T21:37:44Z
0 likes, 0 repeats
People working on post-quantum-proofing vulnerable encryption protocols (and curious onlookers) can find lots of value in this new post from Cloudflare. It discusses the herculean engineering challenges of revamping anonymous credentials that will be broken by a quantum computer. There's a growing need for this kind of privacy (for instance to make digital driver's licenses privacy preserving), which allows individuals to prove specific facts, like they have had a driver's license for more than 3 years, without divulging personal information like their birthday or place of birth. The long and short of the challenge is that engineers can't simply drop quantum-resistant algorithms into AC protocols that currently use vulnerable ones. Instead, engineers will need to collaborate with standards bodies that build entirely new protocols, largely from scratch. The post goes on to name a few of the most promising approaches. https://blog.cloudflare.com/pq-anonymous-credentials/
(DIR) Post #AzmtxKVUIWNKgg4ACm by dangoodin@infosec.exchange
2025-10-30T21:46:06Z
0 likes, 0 repeats
Also, engineers who work on solving these sorts of problems: Cloudflare has 1,100 open intern slots (not sure why these positions would be intern, but there you are).
(DIR) Post #B0UGI81NFcU5UtJd0C by dangoodin@infosec.exchange
2025-11-21T22:43:13Z
0 likes, 2 repeats
The International Association of Cryptologic Research has cancelled the results of its annual leadership election after an official lost an encryption key needed to unlock results stored in a "hyper-secure election system." https://www.nytimes.com/2025/11/21/world/cryptography-group-lost-election-results.html?unlocked_article_code=1.208._aCi.O706MR3i3l3K&smid=url-share
(DIR) Post #B2FgIOxAJ9NGf5ic0O by dangoodin@infosec.exchange
2026-01-13T16:40:54Z
0 likes, 1 repeats
Moxie Marlinspike—the engineer who set a new standard for private messaging with the creation of the Signal Messenger—is now aiming to revolutionize AI chatbots in a similar way. https://arstechnica.com/security/2026/01/signal-creator-moxie-marlinspike-wants-to-do-for-ai-what-he-did-for-messaging/
(DIR) Post #B2zLEcykUvbmI34ULY by dangoodin@infosec.exchange
2026-02-04T19:01:05Z
0 likes, 0 repeats
Anybody know how feasible it would have been for the WaPo reporter to refuse to provide her biometrics, or intentionally sabotage the attempt by, say, using her wrong finger or closing her eyes? She might go to jail, but that's what reporters do to protect sources.
(DIR) Post #B2zLEfcsegtkV5rZB2 by dangoodin@infosec.exchange
2026-02-04T19:41:44Z
0 likes, 0 repeats
@adamshostack How can cops force a journo to open her eyes? Can't she just refuse, or promise to keep her eyes open and then close them at the crucial moment? And what if she uses a finger she hasn't registered? In either case, the device would then require a password. This seems feasible to me, and maybe that's what the WaPo reporter did, but maybe I'm missing something?
(DIR) Post #B2zLEgf2o8Dti5soBk by dangoodin@infosec.exchange
2026-02-04T19:46:58Z
0 likes, 0 repeats
@adamshostack I mean, the journo may be charged, but journos (at least reputable ones) will go to jail to protect sources in other cases.
(DIR) Post #B31Y9cTactd50IMK24 by dangoodin@infosec.exchange
2026-02-05T21:43:38Z
0 likes, 0 repeats
Am I the only journalist who would opt to go to jail rather than provide my biometrics to open a device when raided by law enforcement?
(DIR) Post #B3tDBybLjLSXhY6hxw by dangoodin@infosec.exchange
2026-03-03T17:58:03Z
0 likes, 1 repeats
Tire pressure "transmissions are sent without any encryption or secure mechanisms and include a unique identifier. This allows anyone with affordable equipment like a low-cost spectrum receiver and a standard off-the-shelf antenna to capture and track them throughout time and space." https://www.securityweek.com/researchers-uncover-method-to-track-cars-via-tire-sensors/
(DIR) Post #B4aZb0oGINJUIduTL6 by dangoodin@infosec.exchange
2026-03-24T16:49:22Z
1 likes, 0 repeats
Wow, TeamPCP is hacking open-source developers faster than we can report on them. The latest (that I'm aware of, anyway) is LiteLLM. They worked with Trivy but didn't bother to change their credentials after Trivy was hacked, despite an ample amount of advice to do so.

Folks, if any of you used LiteLLM, now is the time to change your credentials, at an atomic level. Now, as in immediately. https://news.ycombinator.com/item?id=47501729
(DIR) Post #B4aZb656hAl6eKpUn2 by dangoodin@infosec.exchange
2026-03-24T16:49:56Z
0 likes, 0 repeats
For context, please see: https://arstechnica.com/security/2026/03/self-propagating-malware-poisons-open-source-software-and-wipes-iran-based-machines/
(DIR) Post #B4cgthxVh7HlKf19N2 by dangoodin@infosec.exchange
2026-03-25T16:21:10Z
0 likes, 1 repeats
Google is dramatically shortening its deadline readiness for the arrival of Q Day, the point at which existing quantum computers can break public-key cryptography algorithms that secure decades’ worth of secrets belonging to militaries, banks, governments, and nearly every individual on earth. https://arstechnica.com/security/2026/03/google-bumps-up-q-day-estimate-to-2029-far-sooner-than-previously-thought/?comments-page=1#comments
(DIR) Post #B63qMjfEcndlftoqTg by dangoodin@infosec.exchange
2026-05-07T17:12:52Z
0 likes, 1 repeats
Mozilla has provided behind-the-scenes details on the 271 vulnerabilities it discovered with the help of Mythos. Those details include full Bugzilla reports on 12 of the vulnerabilities. I'd be curious for people to look at the reports and hear what they think. https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/
(DIR) Post #B649vXEui1XqPBoZzk by dangoodin@infosec.exchange
2026-05-07T19:56:59Z
0 likes, 1 repeats
There's a ton of skepticism over the true value of AI-assisted vulnerability discovery, and with good reason. Maybe the new details Mozilla has revealed don't tip the scales in favor of it being beneficial, but people should at least sift through them in good faith and with an open mind before declaring all of them bullshit. https://arstechnica.com/information-technology/2026/05/mozilla-says-271-vulnerabilities-found-by-mythos-have-almost-no-false-positives/
(DIR) Post #B6KDJkqUZBhxpHji3E by dangoodin@infosec.exchange
2026-05-15T15:15:47Z
0 likes, 0 repeats
Are MP3 players even a thing these days? What are some good brands/models?