rmhrisk
rmhrisk.bsky.social
Dropout. Father. I build things. Security, Cryptography, Engineering, Entrepreneurship.
@peculiarventure
+ x-MSFT + x-GOOG ++. Also on @rmhrisk@infosec.exchange and twitter.com/rmhrisk
Reposted by rmhrisk
NEW: The U.S. Congressional Budget Office was hacked.

@doublepulsar.com found that the cause may be an unpatched Cisco ASA firewall. I asked CBO about that but it did not respond to the question.

techcrunch.com/2025/11/07/c...
Congressional Budget Office confirms it was hacked | TechCrunch
The congressional research office confirmed a breach, but did not comment on the cause. A security researcher suggested the hack may have originated because CBO failed to patch a firewall for more tha...
techcrunch.com
November 7, 2025 at 4:38 PM
Reposted by rmhrisk
I hired a director recently and this was my screening question: can you please explain the difference between public-key and symmetric-key cryptography.

Virtually all the candidates, who universally claimed security engineering expertise of some kind (some cryptography-related), could not. At all.
November 7, 2025 at 4:57 PM
AI can lift human dignity by opening doors to more people and adapting to how we think, letting us focus on what matters. But only if we design it right and keep monitoring its work. 👇
October 25, 2025 at 11:10 PM
Reposted by rmhrisk
Researchers pointed a satellite dish at the sky for 3 years and monitored what unencrypted data it picked up. The results were shocking: They obtained thousands of T-Mobile users' phone calls and texts, military and law enforcement secrets, much more: www.wired.com/story/satell... 🧵👇
Satellites Are Leaking the World’s Secrets: Calls, Texts, Military and Corporate Data
With just $800 in basic equipment, researchers found a stunning variety of data—including thousands of T-Mobile users’ calls and texts and even US military communications—sent by satellites unencrypte...
www.wired.com
October 14, 2025 at 1:03 AM
This morning, a serious WebPKI incident surfaced: a tiny CA misissued certificates for 1.1.1.1 - Cloudflare’s DNS service.

With BGP hijacks happening regularly, those certs could enable full man-in-the-middle attacks.

👇
September 3, 2025 at 10:23 PM
Looks like something is up in Whoville. It seems an obscure CA trusted by Microsoft has issued a certificate for 1.1.1.1.
groups.google.com/a/mozilla.or...
Incident Report: Mis-issued Certificates for SAN iPAddress:1.1.1.1 by Fina RDC 2020
groups.google.com
September 3, 2025 at 3:42 PM
Reposted by rmhrisk
Prof. Michael Specter on practical vulnerabilities in deployed mobile voting systems.

www.youtube.com/watch?v=_BgA...

#VotingVillage
17 Specter -- It's Not Safe Yet; Online Voting in Practice vv25 d2s8
YouTube video by Voting Village @ DEF CON
www.youtube.com
August 21, 2025 at 7:28 PM
Big milestone for email security. CA/Browser Forum just published S/MIME BR v1.0.11. Now with NIST-approved post-quantum algorithms (ML-DSA & ML-KEM). Quantum-resistant S/MIME is here. 👇
August 22, 2025 at 9:31 PM
Building on the great research by Cem Paya and Matthew Ludwigs at River Financial, my new post details how attackers are exploiting fundamental assumptions in Microsoft's code signing.

👇
August 21, 2025 at 11:52 PM
With Authenticode & CA/B Forum–compliant code signing, intent ≠ immunity.

The Baseline Requirements define revocation conditions based on use in the wild, not the developer’s intent.

Ship signed code? Design it to resist abuse — attackers can weaponize your trust, and your cert can be pulled.
August 15, 2025 at 4:15 AM
The "Invitation Is All You Need" attack: AI agent poisoned through calendar, executed malicious commands days later.

AI agents persist memory across sessions, and static credentials become persistent threats.

👇
August 15, 2025 at 3:41 AM
One of the best parts of Black Hat is the hallway track.
This week, I got to watch some great talks with friends, and one reminded me of a common pattern, the innovation–security debt cycle:

1️⃣ Rush to ship
2️⃣ Debt builds
3️⃣ Incident forces change
4️⃣ Security becomes a differentiator

👇
August 10, 2025 at 2:57 AM
In the 1960s: "Don't have kids, the world will starve." Today: "Don't learn to code, AI will do it all."

Both predictions ignore the same truth: when there's money to be made, markets adapt faster than doomsday forecasters expect.

👇
August 9, 2025 at 8:14 PM
We build systems to make things easier. But too often, what we call “automation” ends up feeling like digital red tape: frustrating, rigid, and impossible to reason with.

👇
July 25, 2025 at 10:20 PM
From dropping tables to jailbreaking GPTs, some kids just never change. Meet Little Bobby Prompts. 😂
July 17, 2025 at 6:25 PM
The biggest digital identity experiment in U.S. history wasn’t planned; it was a side effect of pandemic-era fraud.

Now that Apple and Google are standardizing digital ID in wallets, we’re about to find out if market pressure can succeed where government urgency failed.
👇
July 17, 2025 at 3:38 AM
As a recovering security engineer, I recognize threat modeling anywhere.

Lawyers do it constantly - they're security engineers for text.

So why does legal AI treat them like secretaries?

👇
June 24, 2025 at 11:16 PM
450,000+ certificates are issued every hour across the WebPKI. But raw volume doesn't tell you which CAs actually matter.

Matthew McPherrin recently shared Mozilla's Firefox telemetry data showing actual CA usage vs the Certificate Transparency issuance numbers I usually track.

👇
June 16, 2025 at 6:07 PM
For decades, companies shipped their structure. Now a solo founder with AI agents for product, marketing, development and support can move faster than entire teams. No org chart means no internal drag.

👇
June 16, 2025 at 3:04 PM
A WebTrust seal is often marketed by CAs as a gold star, but in reality, it simply confirms they’ve met the minimum bar. The accounting style audit model was never designed to surface hidden security gaps, and its incentives can even reward looking the other way.

👇
June 15, 2025 at 5:56 PM
Classic moral hazard problem in internet infrastructure:

Those making critical security decisions don't face the consequences when things go wrong. Meanwhile, 8 billion users bear all the risks.

This misalignment creates predictable problems across any system at scale.

👇
June 13, 2025 at 12:53 AM
The future of web trust isn't weaker enforcement. It's making the CPS the living, automated center of CA operations.

Policy must drive practice, not just scramble to document it. The security of 8 billion people depends on it. #WebPKI

groups.google.com/a/mozilla.or...
Results of 2025 Roundtable Discussion
groups.google.com
June 7, 2025 at 11:25 PM
My kids are going to grow up thinking “Shit My Dad Says” was mostly just t-shirts about cryptography, root access, malware, and accountability in Git.

And… they’ll be right.
June 5, 2025 at 1:44 AM
Mozilla recently hosted a roundtable with CAs and ecosystem stakeholders to discuss improving Web PKI practices.

One surprising takeaway? Some participants argued for less accountability when a CA’s documented promises don’t match what they actually do.

That’s the wrong direction.
👇
June 5, 2025 at 12:57 AM
Reposted by rmhrisk
We need a "slow computing" movement, the digital equivalent of "slow food".

We need to code better, with human care and attention to details, with true understanding of technology, achieving better performance with fewer resources.

We can do more with less if we believe in it.
May 19, 2025 at 8:27 AM