Posts by rene_mobile@infosec.exchange
 (DIR) Post #At35847Cj0JDId1oQ4 by rene_mobile@infosec.exchange
       2025-04-13T08:18:37Z
       
       0 likes, 2 repeats
       
       If you are an #academic in the #US with a position comparable to tenured or associate professor and a solid research track record in a field related to computer science (treat this in a very broad manner) and are interested in relocating to beautiful, liberal, safe, #Austria, then please reach out to me. We'd love to welcome new colleagues in the Austrian academia! A couple of us are collecting profiles to potentially match with organizations that are looking to fund such opportunities. Full caveat: I don't yet have concrete positions confirmed, but am trying to get the funding bodies into position to do so. Please boost!
       
 (DIR) Post #AxIz8ajvodnks0Y2eO by rene_mobile@infosec.exchange
       2025-08-18T11:16:56Z
       
       0 likes, 1 repeats
       
       I have now also converted my remaining personal open source Git repositories (those which we don't already host at the institute's #Gitlab instance and which are not forked from or contributions to others) from #Github to #codeberg https://codeberg.org/rmayr Github was a great improvement to make open source contributions and coordination easier, and it's a shame that the current AI hype drives everything into a single, non-sustainable niche direction... While Github is dependent on Microsoft AI stuff, my repositories are archived and will not see any further changes - I might even delete them altogether.
       
 (DIR) Post #AxKAkhenq5UZyvU6vw by rene_mobile@infosec.exchange
       2025-08-19T09:00:58Z
       
       0 likes, 1 repeats
       
       Big congrats to our Austrian CTF team KuK Hofhackerei (https://bsky.app/profile/hofhackerei.at) having scored 9th place at DEFCON on their first try. This was truly a nice cross-university collaboration, and I am proud of all the students having contributed at that level.
       
 (DIR) Post #AxtixD4R4GD5rFCspU by rene_mobile@infosec.exchange
       2025-09-05T07:26:46Z
       
       0 likes, 1 repeats
       
       TIL that Microsoft Copilot is now trying to show a "face" with different "emotions". That it's not working right now is not my issue. That MS are even more explicitly trying to trick people into thinking they are having a conversation with an actual person, however, most definitely *is*. Did this "feature" run through an ethics board review? Is the additional emotional deception of users intentional? Who actually wants that sh..? I am getting happier by the day that my current daily driver (#Framework) laptop didn't come with a Windows license and I'm certainly not going to spend any public university funds on buying this manipulatory adware... Whoever sends me documents to edit in the future: if they don't open correctly in #Libreoffice (without the "help" of Copilot), I won't be able to work on them. via @tomwarren.co.uk https://fed.brid.gy/r/https://bsky.app/profile/did:plc:fbtvg6jxtdroidfvq5z635xu/post/3lxxlpdy3qs2r
       
 (DIR) Post #Ay1iqR5e6EEoZmDqAC by rene_mobile@infosec.exchange
       2025-09-09T09:53:09Z
       
       0 likes, 1 repeats
       
       We (over 50 scientists) have put (yet another) open letter to the EU commission online, detailing why we do not believe anything has changed in the recent iteration of #chatcontrol proposals that would make it any less unsafe: https://csa-scientist-open-letter.org/Sep2025 Please boost. Next week there will be (another) decision! CC @signalapp @suka_hiroaki @epicenter_works @xot @bpreneel @carmelatroncoso @cascremers @tho
       
 (DIR) Post #AyL6CSSBqH3CMCKSFE by rene_mobile@infosec.exchange
       2025-09-18T11:38:16Z
       
       0 likes, 1 repeats
       
       Microsoft Azure/Cloud/AD considered harmful (twice, again)... Context: https://cyberplace.social/@GossiTheDog/115220941705031025 and https://burn.capital/@Schneier_rss/115213861155394064
       
 (DIR) Post #B0b3kKtSKrNsK1KUN6 by rene_mobile@infosec.exchange
       2025-11-25T06:31:09Z
       
       0 likes, 1 repeats
       
       https://xkcd.com/1732/, because it's still true and #COP30 has been, unsurprisingly, another testament to human stupidity. Every single politician who actively sabotaged human survival (again) should stand in front of this graph and explain their actions to a crowd of youths.
       
 (DIR) Post #B0fsB9TQfssL3yyY76 by rene_mobile@infosec.exchange
       2025-11-27T14:48:26Z
       
       1 likes, 2 repeats
       
       The Letter — Stop Hacklore! https://www.hacklore.org/letter Please read. It is good advice.
       
 (DIR) Post #B0vy0IcU2OguUvmHtQ by rene_mobile@infosec.exchange
       2025-12-05T08:56:02Z
       
       1 likes, 1 repeats
       
       Today is one of those days again, isn't it?
       
 (DIR) Post #B1pLHjFLXp656tmpNo by rene_mobile@infosec.exchange
       2025-12-31T23:38:50Z
       
       0 likes, 0 repeats
       
       Instead of a Happy one, I want to wish everybody a Stable New Year 2026, because we can all use one of those... However, strive to find happiness within. Take care of yourselves and those around you! 🥰
       
 (DIR) Post #B1uUIixvwdyruGzV4q by rene_mobile@infosec.exchange
       2026-01-03T12:51:45Z
       
       0 likes, 1 repeats
       
       I admit that, through 2025, I have become an #AI #doomer. Not that I believe the LLM-becoming-sentient-and-killing-humanity self-serving hype bullshit for a second. There are much more concrete impact points that may lead to or greatly accelerate several crises, each of which will actively harm humanity as a whole, and particular groups of people in particular: 1. The massive amounts of (dirty) electricity, water, and raw material being wasted on GenAI **will** accelerate the climate crisis, both because of the direct pollution through building new data centers, training, and running the models as well as distracting from other efforts. "AI" will not solve the **climate crisis**. People applying it make it worse. 2. Misinformation (aka., lies) is being produced at a scale never seen before. Our liberal democracies are not prepared to deal with that, and we have already seen increasing distrust of science, journalism, and the concept of political compromise. GenAI is fantastic for generating emotionalizing, polarizing, targeted bullshit. It - unsurprisingly - remains terrible at outputting balanced fact and actual novel insight. "AI" (in the form of LLMs) will not help educate the masses to make better decisions. People applying it exacerbate the **political crisis**. 3. What started in Gaza will continue in other regions. Idiotic war hawks will inevitably connect the output of "AI" to target selection and direct forms of physical violence - all in the name of "efficiency" in the business of killing people. "AI" will not protect our soldiers. Military using it simply kill more people, more quickly. There are actually wonderful use cases for the diverse set of methods currently summarized under the "AI" umbrella, including for scientific discovery. But the current hype around LLMs leaves me with quite a pessimistic outlook. We really, really need to get past the hype and discuss the good use cases rationally and objectively, while stopping to waste insane amounts of resources on those applications that bring much more harm than benefit.
       
 (DIR) Post #B2ZwTpFk4cfnZucsEK by rene_mobile@infosec.exchange
       2026-01-23T13:55:21Z
       
       0 likes, 1 repeats
       
       🌮 TACO 🌮 seems to become the standard menu item in Davos.
       
 (DIR) Post #B3oYDHfvQVOwOVue2q by rene_mobile@infosec.exchange
       2026-03-01T10:08:45Z
       
       0 likes, 1 repeats
       
       The democratic, liberal, dependable USA that I have known and respected for most of my adult life is dead and will not be revived even after the orange clown stops pretending to be king. It cannot, because the concept of the USA in the world outside its own borders very much depended on soft power, which requires trust. That trust is gone, completely, and probably irrevocably for at least a generation. It saddens me deeply that all the value, all the good that this long-term stability and trust brought to the USA and the world at large is gone as well. My only hope is that others will accept the responsibility and step up to become the new center of trust in international relations. The EU has the potential for that, but not (yet?) the political will to transcend national interests and rhetoric. China has the economic and military potential, but doesn't share the liberal values (yet?). The world is going to change.
       
 (DIR) Post #B4I3MfpRj1Tm4hA3Ae by rene_mobile@infosec.exchange
       2026-03-15T15:05:05Z
       
       0 likes, 1 repeats
       
       These aren’t AI firms, they’re defense contractors. We can’t let them hide behind their models https://www.theguardian.com/us-news/ng-interactive/2026/mar/15/ai-defense-warfare-companies > From Gaza to Iran, the pattern is the same: precision weapons, chosen blindness, and dead children. The cost of failing to regulate AI warfare is already too high
       
 (DIR) Post #B4b8iU8h8z4tgclYno by rene_mobile@infosec.exchange
       2026-03-24T20:47:14Z
       
       0 likes, 1 repeats
       
       I just learned that a new release of the decentralized, open source Android (and iOS, but that requires a centralized Apple service) key attestation library warden-supreme has landed. It explicitly supports alternative/custom roots of trust for the attestation chain now and comes with a test for @GrapheneOS keys: https://github.com/a-sit-plus/warden-supreme/blob/development/serverside/roboto/src/test/kotlin/GrapheneOsTests.kt Nice! That's a good match to our academic research direction on digital identity (https://digidow.eu) - avoiding points of centralization for better resilience (against many types of threats). We'll most probably use this for our prototype Android apps that require or benefit from key attestation guarantees and can't/shouldn't use Play Integrity (e.g., because they only communicate over Tor hidden services with each other, and having a Warden backend included on one side is much easier than coming up with a form of mixnet proxy service for querying central instances while retaining an unlinkability guarantee).
       
 (DIR) Post #B4ujasD19pgUKPGCNk by rene_mobile@infosec.exchange
       2026-04-03T08:12:50Z
       
       0 likes, 1 repeats
       
       RE: https://graphics.social/@metin/116335353888270814 For anybody (still) using #LinkedIn on a regular basis (and I understand that there are reasons for it), you may want to do that with #Firefox for the moment. At least the extensions scanning seems to be done only on Chrome browsers according to https://browsergate.eu/how-it-works/, even if all the other profiling is probably browser agnostic. I personally take this as an opportunity to ignore that platform completely for the time being. My account will remain as a defense against identity theft, but is fully dormant as of now.
       
 (DIR) Post #B5IRJ9V0zzFPML7JNA by rene_mobile@infosec.exchange
       2026-04-14T20:13:41Z
       
       0 likes, 1 repeats
       
       Last Saturday, I was honored and delighted to give the keynote at Grazer Linuxtage #GLT26, a large #Linux event with a lot of history (23 years and counting!) and still a dedicated team behind it. Title: "What can we learn from Android for other embedded Linux systems security?" Slides are available at https://pretalx.linuxtage.at/glt26/talk/J8GCHE/, talk recording at https://media.ccc.de/v/glt26-615-what-can-we-learn-from-android-for-other-embedded-linux-systems-security
       
 (DIR) Post #B5OVgdpzvtH2sU9BGS by rene_mobile@infosec.exchange
       2026-04-17T13:40:10Z
       
       0 likes, 1 repeats
       
       RE: https://ec.social-network.europa.eu/@EUCommission/116408720976324749 Unfortunately, this is not ready. The current GitHub repository is a start - a (fairly expensive) prototype (https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui/issues). Before any wider rollout, however, this needs to: * stabilize in its feature set (e.g., which form of app/device attestation); * be verified in detail by independent audits - the quick checks done by some security/privacy researchers and developers at the moment do *not* replace a systematic code audit; and * go through interoperability testing with different age credential providers (the Python demo code is certainly not production-ready) as a minimum bar. Of all the different approaches being discussed right now for age assurance (see our open letter at https://csa-scientist-open-letter.org/ageverif-Feb2026), this is the least-bad from a privacy and surveillance point of view. It's one of the few directions that might be acceptable in any shape or form - *if the general political decision is to do this at all* (see the letter for counter arguments that still need to be debated). But rushing it won't help. The privacy and security aspects are nuanced, and hard to get right in apps that should be deployed on a wide variety of Hundreds of Millions of smartphones. Let's settle these important details before announcing it as a "solution".
       
 (DIR) Post #B5ah8EWV4jf3rpuD32 by rene_mobile@infosec.exchange
       2026-04-23T14:35:10Z
       
       0 likes, 1 repeats
       
       We have opened a job posting for a (maximum 6 years) post-doc position at JKU Linz (@jkulinz) in networks and security: https://karriere.jku.at/hcm/jobexchange/showJobOfferDetail.do?jobOfferId=8a7ec1e69cf609ed019d24e15bd17c6e&j=&languageChanged=true If you'd like to work with us on timely topics like digital identity (very much including EUDI), embedded system security (including Android), software supply chain security (fixing your future xz and trivy dependencies), and/or the related underlying methods and technologies, please feel free to reach out!
       
 (DIR) Post #B6AOPVd5p9MgPF4SUS by rene_mobile@infosec.exchange
       2026-05-10T21:35:27Z
       
       1 likes, 1 repeats
       
       Releasing a universal #Linux #kernel #exploit with very little or even no previous time to distribute a patch through distributions is not cool. Doing it on the day before a weekend - on two weekends in a row - is just being an asshole. Looking at you, #CopyFail and #DirtyFrag. You may think it helps your PR, that people will queue to use your cool new AI/agentic/whatever tool because you found the bug. You may think that releasing the full exploit because somebody else was even quicker with "leaking" your cool find makes it right. You're wrong. This is neither responsible nor coordinated disclosure. In security, we've tried to learn the hard lessons on keeping in-production, live systems on a global scale safer. Yes, those bugs have existed for a long time in the kernel source. Yes, other bad actors may already have found them. But you're shining a light on it *and* giving every script kiddie in the world a working exploit to point their mass scans at. That's dangerous. There's a reason why the normal process is to reach out at least to the most widely installed distributions before releasing the bug details publicly. There's a reason why 90 days is a good default - it allows downstream percolation of patches. You can still get the credit. This way, you only create stress for admins. [For a little relief, refer to https://www.tomshardware.com/tech-industry/cyber-security/dirty-frag-exploit-gets-root-on-most-linux-machines-since-2017-no-patches-available-no-warning-given-copy-fail-like-vulnerability-had-its-embargo-broken for a quick mitigation, because updating kernels and rebooting a fleet of hosts just takes time, weekend or not. #HugOps]