The Trump administration's cybersecurity policies are indistinguishable from a foreign attack. In many ways they're worse, given they're wrapped in layers of phony operational efficiency.

Imagine how bad things are going to be when these morons actually stumble into AI.

I was brought up in the era of “without random oracles” and so the increasing dependence on weird random oracle stuff in all our crypto really bums me out.

The password has been changed to “Louvre2”, don’t worry

the password to the louvre surveillance server was "louvre" www.thesocialpost.it/2025/11/02/f...

It's one month until Australia's internet will drastically change. Here's what I'm doing to cover it: (PS: I’ve set up a mailing list to send out an email when I have an article come out, instead of than hoping that an algorithm will serve it to you: camwilson.beehiiv.co...)

I remain not panicked about side channel attacks.

Wow hardcover books have become luxury items all of a sudden.

Did Apple push the “make old iPhone batteries die really fast” update this week?

There's no such thing as Fully-Homomorphic Decryption. Anytime you see a system using FHE to compute on your sensitive data, remember: someone has the key. If its not you, do you trust them?

I’m no expert, but it seems like with a little processing you could get a lot of facial information from a thin mask drawn tight against the wearer’s face. Apropos of nothing much.

Good news about chatcontrol: politiken.dk/viden/art106...

The trajectory for digital ID and infrastructure was mainly stagnant for years because of the lack of public demand for it (for obvious reasons). But once governments and businesses saw ways to use it to allegedly prevent fraud and age gate the web, that was a large incentive to roll this out faster

Sure, why require telcos to have cybersecurity plans? www.cybersecuritydive.com/news/fcc-cyb...

The PRF extension is designed to be used for end-to-end encryption. It's a good fit for them! bitwarden.com/blog/prf-web...

what; Passkeys are a web-based authentication scheme, not an encryption scheme

Not to brag, but I’m a two time Test of Time winner now. Ok I’m bragging.

Every time I see physical attacks on TEEs, I wish someone would put out a position paper on @hdevalence.bsky.social 's "guy with a glock" model x.com/hdevalence/s...

New incredible detail here: ICE says a match in its facial recognition app Mobile Fortify is a "definitive" determination of a person's status, and that this overrides birth certificates. This is an app ICE is using in the field to scan people www.404media.co/ice-and-cbp-...

Great article about how TEEs are providing much less security than folks believe they will. arstechnica.com/security/202...

More interposer fun, this time with DDR5 memory. Breaking TDX, SGX, SEV and even Nvidia TEEs. Checkout our work at TEE.fail, and get a personally-signed Intel attestation report at @tee.fail.

I know this is an old point, but normally-trained engineers are really bad at imagining how systems can operate outside their design constraints.

This story from @lorenzofb.bsky.social is absolutely wild. Totally worth a read! techcrunch.com/2025/10/21/a...

I spent yesterday outlining my theory to ChatGPT that the NSA totally has a classical discrete log break and “PQC transition” is just cover. chatgpt.com/share/68f705...

A little baffled by European hotel room doors. Isn’t there supposed to be a lock here? Instead there’s a little button that says “privacy”. What does that do?

Malware using cryptocurrency data availability layers for distribution is the new hotness, apparently. We solved censorship-resistant publishing (to some extent) which is pretty fascinating.

Alright, so bear with me here: what if quantum computers are a hoax and the whole PQ transition is just an excuse to finally get rid of MD5.

Southwest’s new coffee stirrers could have maybe used some workshopping.

AT&T Long Lines is one of the most monumental efforts that has zero cultural understanding

New: hackers just doxed hundreds of DHS, ICE, FBI, and DOJ officials. I went through the data. In many cases does look legitimate, sometimes includes residential addresses. “Mexican Cartels hmu [hit me up] we dropping all the doxes wheres my 1m [1 million].” www.404media.co/hackers-dox-...

America.

PENN IS OUT! That means both institutions that signed prior agreements with the administration have said no. We're at 3 rejections. I told y'all once the second one hit yesterday, the clock started for the rest. www.thedp.com/article/2025...

I do get the impression that this book is gonna result in a bunch of Yudkowsky superfans bombing an AI datacenter or something.

Okay here they do have a good point. In chapter 6 (“we’d lose”) they discuss how disembodied superintelligent AI could harm us in the real world. And the basic answer is “LOL Marc Andreessen is so fucking dense he’d probably just give it whatever it wants.” That’s… terrifyingly realistic.

HYPOTHESIS: repeat exposure to the LessWrong discussion boards is functionally indistinguishable from mercury poisoning.

"I don't have anything to hide why should I care about privacy?"

It's been 14 months since the ML-KEM spec was published. age still isn't PQ because it's waiting for trivial details of the HPKE hybrids to stabilize, but they are blocked on the CFRG. The TLS, SSHM, and LAMPS (X.509) IETF WGs are not waiting for CFRG. I just posted a plea for HPKE to do the same.

I’m glad to see more about this Dominion story. www.wired.com/story/scott-...

Scott Leiendecker who acquired Dominion Voting Systems last week vows to make the systems 100% domestically programmed. But Dominion has long had programmers in Serbia & Canada. Does this mean he'll rewrite all code written by foreigners? I took a deep dive into implications of the acquisition

This one's a wild/messy one: Cyber giant F5, which serves most of the Fortune 500, said unknown government hackers had 'long term' access to its network: • stole source code, some customer data • accessed undisclosed vulns in BIG-IP • DOJ allowed F5 to delay public notice citing national security

eclypsium.com/research/pwn... - This is the blog version of the Ekoparty talk I did in 2022; while the Chinese APTs have developed more advanced techniques, a lot of this may still be useful as you deal with the bombshell that dropped today.

DOE's public statements about this say that all the ad hoc committees, including HEPAP, will be replaced by a single committee. As an STS researcher, I am compelled to point out that this overlaps with the Nazi playbook for taking over German physics. My slides about how they did that:🧪⚛️🔭

SCIENCE POLICY NEWS: During Yom Kippur, all the members of the High Energy Physics Advisory Committee (HEPAP), myself included, received a letter thanking us for our service and telling us essentially that the almost 40 yo standing federal advisory committee was no more. ⚛️🧪🔭 Why that matters 🧵

The “age verification” and the “human identification” problem are the same problem. It upsets me to be around people who think they’re working on the first, but don’t understand they’re actually working on the second.

Two great bits of academic attack work this week. The new one allows Android apps to see data displayed on the screen by other apps, including Google Authenticator codes. www.pixnapping.com

I love stuff like this. tosc.iacr.org/index.php/To...

This is amazing research by Nadia Heninger and her co-authors Wenyi Morty Zhang, Annie Dai, Keegan Ryan, Dave Levin and Aaron Schulman. TL;DR a huge number of satellite links over our heads are totally unencrypted. satcom.sysnet.ucsd.edu

So I had a little research idea the other day (and a pretty good idea how to solve it). I figured just for fun I’d toss it to ChatGPT-5-Thinking to see how it would do. I got one of those A/B tests where they show you results from two models, and one of the results figured out the solution.

Germany has agreed to stop ChatControl for now, due to huge amounts of public pressure. Good job! The bad news is that it could come back as soon as December, and the German government has interpreted the feedback as a need to “moderate” the proposal.

This story certainly isn’t making me feel warm and fuzzy. www.cnn.com/2025/10/09/p...