rmhrisk
@rmhrisk.bsky.social
Dropout. Father. I build things. Security, Cryptography, Engineering, Entrepreneurship. @peculiarventure + x-MSFT + x-GOOG ++. Also on @rmhrisk@infosec.exchange and twitter.com/rmhrisk
Short-lived and IP address certificates are now generally available from Let’s Encrypt.

Modern infrastructure no longer has stable hostnames, static IPs, or long-lived trust anchors. Workloads spin up before DNS exists, live briefly, and disappear. Trust has to keep up.

👇
January 16, 2026 at 4:26 PM
Enron passed their audits. Wirecard passed their audits. Every distrusted CA passed their audits. Auditors are paid to confirm compliance, not to find problems. When the measure becomes the target - and the measurer is incentivized to pass you - it stops measuring anything.
December 24, 2025 at 8:44 PM
Reposted by rmhrisk
Really big age release coming tomorrow! 🎅🏻

- native post-quantum keys
- built-in recipients for hw plugins
- age-inspect tool
- plugin framework
- batchpass plugin
- many improved error messages
GitHub - FiloSottile/age: A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
age-encryption.org
December 24, 2025 at 12:02 PM
PLCs on the internet -> MCP servers on the internet.
Evolution happened. Learning didn’t.
We’re rebuilding ICS - this time with agency!
December 23, 2025 at 1:52 AM
Key Transparency is the unsung hero of E2E encryption, essential but often overlooked until you're deep in implementation. @FiloSottile's been working on a transparency-log-based approach that's worth your attention: blog.transparency.dev/building-a-t...
Building a Transparent Keyserver
Today, we are going to build a keyserver to lookup age public keys. That part is boring. What’s interesting is that we’ll apply the same transparency log technology as the Go Checksum Database to keep the keyserver operator honest and unable to surre...
blog.transparency.dev
December 19, 2025 at 4:42 PM
The GRANITE Act, which tries to rein in extraterritorial overreach in tech regulation, got me thinking.👇
December 5, 2025 at 4:38 AM
Attestation, What It Really Proves and Why Everyone Is About to Care unmitigatedrisk.com?p=1114
Attestation, What It Really Proves and Why Everyone Is About to Care | UNMITIGATED RISK
unmitigatedrisk.com
December 3, 2025 at 3:44 AM
Reposted by rmhrisk
NEW: The U.S. Congressional Budget Office was hacked.

@doublepulsar.com found that the cause may be an unpatched Cisco ASA firewall. I asked CBO about that but it did not respond to the question.

techcrunch.com/2025/11/07/c...
Congressional Budget Office confirms it was hacked | TechCrunch
The congressional research office confirmed a breach, but did not comment on the cause. A security researcher suggested the hack may have originated because CBO failed to patch a firewall for more tha...
techcrunch.com
November 7, 2025 at 4:38 PM
Reposted by rmhrisk
I hired a director recently and this was my screening question: can you please explain the difference between public-key and symmetric-key cryptography.

Virtually all the candidates, who universally claimed security engineering expertise of some kind (some cryptography-related), could not. At all.
November 7, 2025 at 4:57 PM
AI can lift human dignity by opening doors to more people and adapting to how we think, letting us focus on what matters. But only if we design it right and keep monitoring its work. 👇
October 25, 2025 at 11:10 PM
Reposted by rmhrisk
Researchers pointed a satellite dish at the sky for 3 years and monitored what unencrypted data it picked up. The results were shocking: They obtained thousands of T-Mobile users' phone calls and texts, military and law enforcement secrets, much more: www.wired.com/story/satell... 🧵👇
Satellites Are Leaking the World’s Secrets: Calls, Texts, Military and Corporate Data
With just $800 in basic equipment, researchers found a stunning variety of data—including thousands of T-Mobile users’ calls and texts and even US military communications—sent by satellites unencrypte...
www.wired.com
October 14, 2025 at 1:03 AM
This morning, a serious WebPKI incident surfaced: a tiny CA misissued certificates for 1.1.1.1 - Cloudflare’s DNS service.

With BGP hijacks happening regularly, those certs could enable full man-in-the-middle attacks.

👇
September 3, 2025 at 10:23 PM
Looks like something is up in Whoville. It seems an obscure CA trusted by Microsoft has issued a certificate for 1.1.1.1.
groups.google.com/a/mozilla.or...
Incident Report: Mis-issued Certificates for SAN iPAddress:1.1.1.1 by Fina RDC 2020
groups.google.com
September 3, 2025 at 3:42 PM
Reposted by rmhrisk
Prof. Michael Specter on practical vulnerabilities in deployed mobile voting systems.

www.youtube.com/watch?v=_BgA...

#VotingVillage
17 Specter -- It's Not Safe Yet; Online Voting in Practice vv25 d2s8
YouTube video by Voting Village @ DEF CON
www.youtube.com
August 21, 2025 at 7:28 PM
Big milestone for email security. CA/Browser Forum just published S/MIME BR v1.0.11. Now with NIST-approved post-quantum algorithms (ML-DSA & ML-KEM). Quantum-resistant S/MIME is here. 👇
August 22, 2025 at 9:31 PM
Building on the great research by Cem Paya and Matthew Ludwigs at River Financial, my new post details how attackers are exploiting fundamental assumptions in Microsoft's code signing.

👇
August 21, 2025 at 11:52 PM
With Authenticode & CA/B Forum–compliant code signing, intent ≠ immunity.

The Baseline Requirements define revocation conditions based on use in the wild, not the developer’s intent.

Ship signed code? Design it to resist abuse — attackers can weaponize your trust, and your cert can be pulled.
August 15, 2025 at 4:15 AM
The "Invitation Is All You Need" attack: AI agent poisoned through calendar, executed malicious commands days later.

AI agents persist memory across sessions, and static credentials become persistent threats.

👇
August 15, 2025 at 3:41 AM
One of the best parts of Black Hat is the hallway track.
This week, I got to watch some great talks with friends, and one reminded me of a common pattern, the innovation–security debt cycle:

1️⃣ Rush to ship
2️⃣ Debt builds
3️⃣ Incident forces change
4️⃣ Security becomes a differentiator

👇
August 10, 2025 at 2:57 AM
In the 1960s: "Don't have kids, the world will starve." Today: "Don't learn to code, AI will do it all."

Both predictions ignore the same truth: when there's money to be made, markets adapt faster than doomsday forecasters expect.

👇
August 9, 2025 at 8:14 PM
We build systems to make things easier. But too often, what we call “automation” ends up feeling like digital red tape: frustrating, rigid, and impossible to reason with.

👇
July 25, 2025 at 10:20 PM
From dropping tables to jailbreaking GPTs, some kids just never change. Meet Little Bobby Prompts. 😂
July 17, 2025 at 6:25 PM
The biggest digital identity experiment in U.S. history wasn’t planned; it was a side effect of pandemic-era fraud.

Now that Apple and Google are standardizing digital ID in wallets, we’re about to find out if market pressure can succeed where government urgency failed.
👇
July 17, 2025 at 3:38 AM
As a recovering security engineer, I recognize threat modeling anywhere.

Lawyers do it constantly - they're security engineers for text.

So why does legal AI treat them like secretaries?

👇
June 24, 2025 at 11:16 PM
450,000+ certificates are issued every hour across the WebPKI. But raw volume doesn't tell you which CAs actually matter.

Matthew McPherrin recently shared Mozilla's Firefox telemetry data showing actual CA usage vs the Certificate Transparency issuance numbers I usually track.

👇
June 16, 2025 at 6:07 PM