Where’s Waldo?

Petition to move the winter holidays to July so we can just work through this gray time.

I was stupid enough to buy this new AppleCare One plan for a phone I bought my daughter. Now I learn this only covers the device if it’s connected to the same Apple ID (not family plan). Have to spend Christmas unwinding this and getting a refund, what a drag.

If we can’t solve hallucinations, OpenAI should fund a service to actually write the academic papers that ChatGPT hallucinates.

Watching the HN folks discuss the state of user privacy in 2025 is pretty depressing. news.ycombinator.com/item?id=4630...

Efficient Privacy-Preserving Blueprints for Threshold Comparison (Pratyush Ranjan Tiwari, Harry Eldridge, Matthew Green) ia.cr/2025/2253

If you’re a cryptographer and you got one of these, send me an email.

Imagine it’s 2013 and you see this document from the UK sent back from the future. You’ll assume something went very wrong in that timeline.

I’m sure I should have been vibe coding with a proper IDE rather than copy/paste from an LLM, but man does AI-generated code get confusing and spaghetti after a few fixes. You have to force it to use subroutines or it’ll just produce special case after special case in one massive routine.

1/ Yesterday’s Q2-Q3 Adversarial Threat Report by Meta was interesting in many ways. For us @citizenlab.ca, it was a blast from the past. For the first time, Meta’s investigators attributed what in 2019 we had named Endless Mayfly - a relentless, sophisticated influence op targeting Iran’s enemies.

Europol wants to be able to break end-to-end encryption after court order (dutch article): www-security-nl.translate.goog/posting/9170...

Last week I announced that we're finally killing off RC4 in the Windows Kerberos stack. This has been a long time coming, so much so that we've been working on it for more than a decade, albeit off and on as we sometimes had to target other more pressing issues. What does this mean?

AND FINALLY: UK House of Lords demands client-side scanning of content to check for “viewing of CSAM” https://alecmuffett.com/article/134940 #AgeVerification #ClientSideScanning #OnlineSafety #OnlineSafetyAct #censorship #surveillance #vpn

So I’m on the verge of giving up and just piping my email into an LLM so I don’t have to feel guilty about not being able to read it.

Hey, Microsoft is getting rid of RC4-based NTLM key derivation! www.microsoft.com/en-us/window...

I used the word invariant the other day in conversation and I don’t like myself for it.

I told my son about my first programming project that other people used, a Mac Desk Accessory that could shut down the computer. So he asked ChatGPT if there was any evidence of it left online.

If super-intelligent AI is coming (and we avoid all the bad things), I feel like philosophy is the only degree worth getting. It’s amazing to me that the tech world hasn’t figured that out.

Trying to think of something serious to say about the “cryptographers lose the key for the cryptographer election” story and, mostly, hey: I just love that cryptographers are actually using the weird cryptography! www.nytimes.com/2025/11/21/w...

Keys are hard. www.nytimes.com/2025/11/21/w...

cloudflare's on-duty IT staff bangs on the doors which I have padlocked from the inside as I calmly break open lava lamp after lava lamp and drink the contents

Everything in MPC and ZK comes down to how many sequential multiplications a private computation requires. In (non-interactive ZK) the answer is basically two, whereas in MPC the answer is “many” unless we’re willing to decompose the computation into many rounds.

A wild rumor I heard: US agencies that purchase vulnerabilities have explicitly told their vendors *not* to bring them vulnerabilities in encryption protocols (like Signal or WhatsApp), unless they want those vulnerabilities disclosed/fixed. (Take this with a mountain of salt.)

Mafia governance in action "the only offer on the table was that I needed to resign by 5pm that day or the DOJ would basically rain hell on UVA... If I did not resign that day, I was told that the DOJ would extract/block hundreds of millions of dollars from UVA before they would even negotiate."

Law enforcement: we need to break encryption to get access to Signal to protect the children!! Also law enforcement: for years couldn’t catch a pedophile sex trafficker who used email to coordinate all of his pedophile sex trafficking

The 18y/o asked me how LZW compression worked at dinner tonight and I was like “oh [vague stuff about building a dictionary]” and he was like yeah, obviously but how do they build the dictionary, and I realized for the 6627th time that I know 0.1% of computer science and then our cheesesteak came.

It’s pretty funny that end-to-end encryption is safer from the US government than it’s ever been, and the reason is criminal corruption.

One of the most interesting recent privacy developments is the deployment of big two-hop IP blinding VPNs by companies like Apple and Google. These systems are designed to ensure that even those companies can’t link web requests to IP addresses.

Who named these AirPods.

After initially confirming the project to Tech Radar, Ofcom went silent when pressed on questions about what data was being monitored, what privacy protections were in place or who the company doing it was.

The British government admits it is now monitoring VPNs use by UK residents. Regulator Ofcom has contracted with an AI-powered surveillance service to detect the number of citizens using VPNs to evade the Online Safety Act. The UK tech minister has said a VPN ban is on the table.

Are there any actual AI agents out there that can reliably perform tasks for you?

A staggering statistic: "North American researchers were charged over US$2.27 billion by just two for-profit publishers. The Canadian research councils and the US National Science Foundation were allocated US$9.3 billion in that year." What are we doing?

The Trump administration's cybersecurity policies are indistinguishable from a foreign attack. In many ways they're worse, given they're wrapped in layers of phony operational efficiency.

Imagine how bad things are going to be when these morons actually stumble into AI.

I was brought up in the era of “without random oracles” and so the increasing dependence on weird random oracle stuff in all our crypto really bums me out.

The password has been changed to “Louvre2”, don’t worry

the password to the louvre surveillance server was "louvre" www.thesocialpost.it/2025/11/02/f...

It's one month until Australia's internet will drastically change. Here's what I'm doing to cover it: (PS: I’ve set up a mailing list to send out an email when I have an article come out, instead of than hoping that an algorithm will serve it to you: camwilson.beehiiv.co...)

I remain not panicked about side channel attacks.

Wow hardcover books have become luxury items all of a sudden.

Did Apple push the “make old iPhone batteries die really fast” update this week?

There's no such thing as Fully-Homomorphic Decryption. Anytime you see a system using FHE to compute on your sensitive data, remember: someone has the key. If its not you, do you trust them?

I’m no expert, but it seems like with a little processing you could get a lot of facial information from a thin mask drawn tight against the wearer’s face. Apropos of nothing much.

Good news about chatcontrol: politiken.dk/viden/art106...

The trajectory for digital ID and infrastructure was mainly stagnant for years because of the lack of public demand for it (for obvious reasons). But once governments and businesses saw ways to use it to allegedly prevent fraud and age gate the web, that was a large incentive to roll this out faster

Sure, why require telcos to have cybersecurity plans? www.cybersecuritydive.com/news/fcc-cyb...

The PRF extension is designed to be used for end-to-end encryption. It's a good fit for them! bitwarden.com/blog/prf-web...

what; Passkeys are a web-based authentication scheme, not an encryption scheme

Not to brag, but I’m a two time Test of Time winner now. Ok I’m bragging.