Dino A. Dai Zovi
@ddz.bsky.social
📤 1924
📥 108
📝 132
I drink amari and I know things. $ddz LMDDGTFY:
https://duckduckgo.com/?q=dino+dai+zovi
NYC/BK
reposted by
Dino A. Dai Zovi
Kendra Albert
8 months ago
New users, on Signal, you can mute chats for a period or permanently. No notifications but you can still see if there are unread messages. On desktop: in that chat, go to Group Settings, then Notifications. On iPhone: in that chat, click on the name at the top, then go to Sounds & Notifications.
4
65
14
"Life Safety building automation is pretty awesome. 👏"
8 months ago
0
3
0
reposted by
Dino A. Dai Zovi
Angie Jones
8 months ago
Excellent writeup on how MCP future-proofs API integrations ~
@stevemanuel.bsky.social
docs.mcp.run/blog/2025/03...
MCP: The Differential for Modern APIs and Systems | 🤖
https://docs.mcp.run/blog/2025/03/27/mcp-differential-for-modern-apis/
1
21
9
reposted by
Dino A. Dai Zovi
OffensiveCon
9 months ago
Our second keynote for Offensivecon 2025 will be Dino Dai Zovi!
@ddz.bsky.social
0
9
4
I'll be doing a speaking!
8 months ago
0
9
2
reposted by
Dino A. Dai Zovi
4Dgifts
9 months ago
Saw this on the other site but I should comment here: Can't remember his hacker handle but I think Pad & Gandalf of 8lgm were arrested the same day in 1991. You may not know it but the entire infosec & software industries owe 8lgm immense gratitude for making vendors accountable for their vulns
0
9
6
reposted by
Dino A. Dai Zovi
antirez
10 months ago
We are destroying software:
antirez.com/news/145
We are destroying software - <antirez>
https://antirez.com/news/145
17
213
78
Exactly this. We should instead be investing that energy into making authentication in our environment unphishable by making it impossible to give away access to an attacker, even if someone actually wanted to.
10 months ago
0
5
1
reposted by
Dino A. Dai Zovi
Shell
10 months ago
I have never once run a phishing sim. I refuse to use the word. I put it in air quotes and say scam by text or email etc Tech and cyber has been about deflecting blame to anyone else but themselves- which is what sims are. Blaming people when the system they use should protect against issues.
2
10
4
reposted by
Dino A. Dai Zovi
Lorenzo Franceschi-Bicchierai
10 months ago
NEW: WhatsApp says it has notified 90 victims, including journalists and members of civil society, that they were targeted with spyware made by Paragon. This is the first time that Paragon is linked to alleged abuse of its products.
techcrunch.com/2025/01/31/w...
WhatsApp says it disrupted a hacking campaign targeting journalists with spyware | TechCrunch
The Meta-owned company said the campaign was linked to Israeli spyware maker Paragon.
https://techcrunch.com/2025/01/31/whatsapp-says-it-disrupted-a-hacking-campaign-targeting-journalists-with-spyware/
1
60
37
reposted by
Dino A. Dai Zovi
evacide
10 months ago
Meta says almost 100 journalists and activists were targeted with spyware from Israeli company Paragon Solutions using a zero-click vuln in WhatsApp. If you use an iPhone, enabling Lockdown Mode prevents this from working.
www.theguardian.com/technology/2...
WhatsApp says journalists and civil society members were targets of Israeli spyware
Messaging app said it had ‘high confidence’ some users were targeted and ‘possibly compromised’ by Paragon Solutions spyware
https://www.theguardian.com/technology/2025/jan/31/whatsapp-israel-spyware
7
187
140
reposted by
Dino A. Dai Zovi
Dennis
11 months ago
If you're interested in the history of bug bounties, for reasons, this series I did a few years ago with
@k8em0.bsky.social
@caseyjohnellis.bsky.social
@ddz.bsky.social
and many others may be of interest.
duo.com/decipher/law...
Lawyers, Bugs, and Money: When Bug Bounties Went Boom
Bug bounties have grown from a niche idea to encourage independent security research into a massive business and a legitimate career path for bug hunters in less than 15 years. This is the story of th...
https://duo.com/decipher/lawyers-bugs-and-money-when-bug-bounties-went-boom
5
32
14
I'm really liking the crisp definitions of and boundaries between product engineering, domain engineering, and infra engineering in this. How much of your security org builds "what any company would need" (infra) vs. "what is unique to this company but shared across the company" (domain)?
11 months ago
0
11
1
There are different privacy concerns and approaches for the training phase of AI as well as for the inference phase of using it. It's a good time to be thinking about what the right approaches are for each.
11 months ago
0
3
0
reposted by
Dino A. Dai Zovi
Matthew Green
11 months ago
I wrote a post about how AI will interface with end-to-end encryption. TL;DR maybe not so well!
blog.cryptographyengineering.com/2025/01/17/l...
Let’s talk about AI and end-to-end encryption
Recently, I came across a fantastic new paper by a group of NYU and Cornell researchers entitled “How to think about end-to-end encryption and AI.” I’m extremely grateful to see t…
https://blog.cryptographyengineering.com/2025/01/17/lets-talk-about-ai-and-end-to-end-encryption/
12
206
98
+1, security product vendors, services companies, *and* internal teams must always operate under the Hippocratic Oath, "First, do no harm."
11 months ago
1
3
2
reposted by
Dino A. Dai Zovi
Kevin Collier
11 months ago
So phone metadata *is* actually sensitive and important information? So hard to keep this straight.
FBI Has Warned Agents It Believes Hackers Stole Their Call Logs
FBI leaders have warned that they believe hackers who broke into AT&T Inc.’s system last year stole months of their agents’ call and text logs, setting off a race within the bureau to protect the ...
https://www.bloomberg.com/news/articles/2025-01-16/fbi-has-warned-agents-it-believes-hackers-stole-their-call-logs
7
437
97
We blogged again! This time about our Data Safety Levels framework, which was inspired by the CDC/WHO Biosafety Levels system and Laboratory Biosafety Manuals. Like biological agents, we also don't want sensitive data to be exposed to humans or escape.
code.cash.app/dsl-framework
Data Safety Levels Framework: The foundation of how we look at data in Block
Block uses the Data Safety Levels (DSL) Framework to evaluate data sensitivity.
https://code.cash.app/dsl-framework
11 months ago
0
5
3
The placement of liability for fraudulent credit card charges onto the issuer incentivized the shift to EMV, so we now have smartcards in our wallets and secure elements on our smartphones. Contrast this to the security of authn to way more critical things than buying a coffee.
11 months ago
3
9
2
reposted by
Dino A. Dai Zovi
Filippo Valsorda
11 months ago
Ever wanted to benchmark RSA key generation but found it too slow and variable, like benchmarking a lottery? No? Just me? Well, I nerd-sniped myself into producing average representative inputs that can be used to benchmark, profile, and compare RSA keygen.
c2sp.org/CCTV/keygen
Happy New Year(?)!
Benchmarking RSA Key Generation
RSA key generation is conceptually simple, but extremely tricky. Even benchmarking involves math: we generated a stable but representative “average case” instead of using the ordinary statistical appr...
https://words.filippo.io/dispatches/rsa-keygen-bench/
2
66
13
reposted by
Dino A. Dai Zovi
Matthew Green
12 months ago
This Salt Typhoon stuff is insane. The entire FISA surveillance infrastructure has been completely owned by China and literally no part of our telecom infrastructure is safe to use without end-to-end encryption.
27
903
356
reposted by
Dino A. Dai Zovi
Sphexish Quine
12 months ago
You’re still arguing about tabs vs. spaces? May I present…
157
5325
1439
The subtle benefit of *minimal* version selection as a systemic damper on software supply chain attacks: "What’s more, the deeper in your dependency tree the library is, the more explicit approvals are required for the library to propagate to your project."
matklad.github.io/2024/12/24/m...
Minimal Version Selection Revisited
In this post, I want to highlight one aspect of Go-style minimal version selection that I have missed completely at first. Maybe you missed it too?
https://matklad.github.io/2024/12/24/minimal-version-selection-revisited.html
12 months ago
0
7
1
The transition from static long-term "credentials" (PAN + CVV) to EMV cryptograms generated by smartcards and the continuing transition for online payments are good case studies for how to devalue data to the point of making attacks on processing infra no longer worthwhile. Human authn must be next.
12 months ago
0
4
1
reposted by
Dino A. Dai Zovi
Mike Masnick
12 months ago
Honestly, the Let's Encrypt folks don't get nearly enough credit for basically protecting the entire fucking internet, by making it absolute bog standard to encrypt everything. It happened so fast and so many people were skeptical.
16
1263
294
reposted by
Dino A. Dai Zovi
Stéphane Taillat
12 months ago
An excellent episode on a topic on which I've given some thoughts in my book with similar conclusions: 1️⃣Targeting TikTok in the name of "national security" avoids addressing the structural problems of unregulated personal data and content moderation.
1
15
5
reposted by
Dino A. Dai Zovi
Bob Lord
12 months ago
Directory traversal vulnerabilities have plagued software customers for over two decades. It's time for software companies to step up and eliminate this persistent class of coding error entirely. More info here:
https://buff.ly/3QpbblJ
1
5
2
A bias can form if folks' primary exposure to Signal (or really any other tool) is through observing malicious uses. I've seen it happen with cryptocurrencies as well. A useful tool will often find itself useful for both beneficial and malicious use-cases. It's as old as discovering fire.
12 months ago
0
8
0
reposted by
Dino A. Dai Zovi
Meredith Whittaker
12 months ago
This is disingenuous marketing. Signal chats can't be 'monitored' by anyone not in those chats. Dressing up "joining groups via publicly posted links, then exfiltrating group data" as an offensive 'cybercapability' borders on misinfo, and confuses/scares ppl who rely on Signal for robust privacy.
17
541
161
reposted by
Dino A. Dai Zovi
Bob Lord
12 months ago
The best Christmas movies are Three Days of the Condor and The Conversation. 🎥 🍿 Thank you for attending my TED talk.
6
17
2
reposted by
Dino A. Dai Zovi
Renee DiResta
12 months ago
🧵New paper out on MIDDLEWARE‼️What is it? 3rd party tools that can interact with, in this case, social media platforms, on behalf of users. Maybe to curate your feed in a particular way. Maybe to moderate, labeling & hiding content or users that you don't want to see.
www.thefai.org/posts/shapin...
Shaping the Future of Social Media with Middleware | The Foundation for American Innovation
This paper is co-published by the Foundation for American Innovation and Georgetown University’s McCourt School of Public Policy.
https://www.thefai.org/posts/shaping-the-future-of-social-media-with-middleware
15
224
54
reposted by
Dino A. Dai Zovi
Hexadecim8
12 months ago
Friends, FBI has responded to my FOIA request for Kevin Mitnick's files, and have made them available to everyone via the FBI public portal here:
vault.fbi.gov/kevin-mitnic...
Kevin Mitnick Part 01 (Final)
https://vault.fbi.gov/kevin-mitnick/kevin-mitnick-part-01-final/view
8
212
83
reposted by
Dino A. Dai Zovi
Joseph Cox
12 months ago
New: Cellebrite is being used as a doorway to install malware. Amnesty finds multiple cases where police used Cellebrite to unlock a phone; cops then used that access to infect it with spyware which takes screenshots, turns on the mic, etc., and gave the phone back to the target. In Serbia
www.404media.co/cellebrite-u...
4
175
109
reposted by
Dino A. Dai Zovi
John Scott-Railton
12 months ago
NEW: police in
#Serbia
caught unlocking activists phones with
#Cellebrite
forensic tool & planting spyware. Investigation by Amnesty Tech shows Serbian authorities mixing a repression brew of homegrown + foreign-purchased surveillance & forensic tech. 1/
securitylab.amnesty.org/latest/2024/...
2
74
51
Huh, liars with "flexible" morality lie, as it turns out.
12 months ago
0
6
3
reposted by
Dino A. Dai Zovi
Bob Lord
12 months ago
🔒 While we're working to get web traffic to 100% HTTPS, let’s not stop there. What about text messages, calls, and other protocols? It’s time to think bigger and aim for universal encryption—every byte, every pipe, secured. 🌐💬📞 👉 Read more:
https://buff.ly/4iA9i25
0
10
3
Hot off the presses! Our 2nd blog post on how we do app-layer encryption in our back-end services for Cash App:
code.cash.app/encryption-u...
Encryption using data-specific keys
Associating encryption keys with the data they protect
https://code.cash.app/encryption-using-data-keys
12 months ago
2
17
8
reposted by
Dino A. Dai Zovi
Working Families Party 🐺
12 months ago
We’d like to live in a world where we never have to choose between affording healthcare or groceries this month. And neither does our neighbor (even if we don’t always agree with them). That’s all.
0
134
17
reposted by
Dino A. Dai Zovi
Whitney Merrill
12 months ago
Use Signal. Donate to Signal.
2
94
37
reposted by
Dino A. Dai Zovi
North Pole Security
12 months ago
Today we're excited to release Santa v2024.11!
github.com/northpolesec...
Highlights: 1. Our initial beta for standalone mode: This lets you authorize binaries using TouchID. So you can live in lockdown mode.
www.youtube.com/watch?v=Hd4t...
Santa Standalone Mode w/Swift UI
YouTube video by Pete Markowsky
https://www.youtube.com/watch?v=Hd4t9mW-C-c
1
1
2
reposted by
Dino A. Dai Zovi
Maya Kaczorowski
12 months ago
What keeps security leaders up at night? I interviewed 57 CISOs and security leaders to find out. The answers were surprisingly consistent: access management challenges, vulnerability management complexity, and limited SaaS visibility. Read the post:
mayakaczorowski.com/blogs/what-s...
What sucks in security? Research findings from 50+ security leaders
I interviewed 57 security leaders and asked them "What sucks in security?" Their top pain points were inconsistent access management, vulnerability prioritization and remediation, and obtaining SaaS l...
https://mayakaczorowski.com/blogs/what-sucks-in-security
2
31
19
reposted by
Dino A. Dai Zovi
Matthew Green
about 1 year ago
“Suing Apple To Force It To Scan iCloud For CSAM Is A Catastrophically Bad Idea”, by
@riana.bsky.social
. Who could have imagined.
www.techdirt.com/2024/08/19/s...
Suing Apple To Force It To Scan iCloud For CSAM Is A Catastrophically Bad Idea
There’s a new lawsuit in Northern California federal court that seeks to improve child safety online but could end up backfiring badly if it gets the remedy it seeks. While the plaintiff’s attorney…
https://www.techdirt.com/2024/08/19/suing-apple-to-force-it-to-scan-icloud-for-csam-is-a-catastrophically-bad-idea/
6
79
43
Pleasantly surprised to see a local news segment like this about consumers using end-to-end encrypted messaging. Make sure to also watch the commentary between newscasters at the end.
www.yahoo.com/news/u-urges...
U.S. Urges Using These Apps for Secure Messaging
Rich DeMuro shares tech headlines on the KTLA 5 Morning News. Topics include secure messaging apps, Walmart buying VIZIO and Cameo opening up its video greeting platform to smaller creators and influ...
https://www.yahoo.com/news/u-urges-using-apps-secure-140706115.html
about 1 year ago
0
4
1
reposted by
Dino A. Dai Zovi
Thomas
about 1 year ago
My Spotify Wrapped for this year is that I don't use Spotify
8
103
18
In breaking news, water is wet, the sky is blue, and owning/pwning telco infrastructure is valuable for intelligence gathering. It's been a strategic mistake to keep our society vulnerable by fighting e2e encryption rather than embracing it and promoting democratized use of it.
about 1 year ago
0
38
16
reposted by
Dino A. Dai Zovi
Angie Jones
about 1 year ago
Kendrick x SZA. Pre-sale tickets available for Cash App card holders
www.ticketmaster.com/kendrick-lam...
https://www.ticketmaster.com/kendrick-lamar-tickets/artist/1480454
0
12
4
reposted by
Dino A. Dai Zovi
Joseph Lorenzo Hall, PhD
about 1 year ago
Ahem, [taps the end-to-end encryption sign] "U.S. officials urge Americans to use encrypted apps amid cyberattack that exposed live phone calls"
U.S. officials urge Americans to use encrypted apps amid cyberattack that exposed live phone calls
Officials from the FBI and CISA said it was impossible to predict when the telecommunications companies would be fully safe from interlopers.
https://www.nbcnews.com/tech/security/us-officials-urge-americans-use-encrypted-apps-cyberattack-rcna182694
0
10
5
reposted by
Dino A. Dai Zovi
Lea Kissner
about 1 year ago
The irony, it burns. Yes, there are tradeoffs to end to end encryption, but it's wild for the FBI to start agreeing with basically the entire security community that it's an often-necessary security message.
www.nbcnews.com/tech/securit...
U.S. officials urge Americans to use encrypted apps amid cyberattack that exposed live phone calls
Officials from the FBI and CISA said it was impossible to predict when the telecommunications companies would be fully safe from interlopers.
https://www.nbcnews.com/tech/security/us-officials-urge-americans-use-encrypted-apps-cyberattack-rcna182694
2
69
26