Dino A. Dai Zovi
@ddz.bsky.social
I drink amari and I know things. $ddz

LMDDGTFY: https://duckduckgo.com/?q=dino+dai+zovi

NYC/BK
Reposted by Dino A. Dai Zovi
New users, on Signal, you can mute chats for a period or permanently. No notifications but you can still see if there are unread messages.

On desktop: in that chat, go to Group Settings, then Notifications. On iPhone: in that chat, click on the name at the top, then go to Sounds & Notifications.
March 30, 2025 at 12:23 PM
"Life Safety building automation is pretty awesome. 👏"
I’m at a #starbucks in a mall, and they accidentally burned my chocolate chip cookie; opening the toaster sent smoke everywhere.

The building smoke detectors trigger which kicks on the air handlers to go to maximum to clear any smoke, which also triggers curtains to drop from key ceiling […]
Original post on defcon.social
March 30, 2025 at 3:43 PM
Reposted by Dino A. Dai Zovi
Excellent writeup on how MCP future-proofs API integrations ~ @stevemanuel.bsky.social

docs.mcp.run/blog/2025/03...
MCP: The Differential for Modern APIs and Systems | 🤖
docs.mcp.run
March 30, 2025 at 10:57 AM
Reposted by Dino A. Dai Zovi
Our second keynote for Offensivecon 2025 will be Dino Dai Zovi! @ddz.bsky.social
March 25, 2025 at 6:18 PM
I'll be doing a speaking!
Our second keynote for Offensivecon 2025 will be Dino Dai Zovi! @ddz.bsky.social
March 30, 2025 at 3:06 PM
Reposted by Dino A. Dai Zovi
Saw this on the other site but I should comment here:
Can't remember his hacker handle but I think Pad & Gandalf of 8lgm were arrested the same day in 1991.
You may not know it but the entire infosec & software industries owe 8lgm immense gratitude for making vendors accountable for their vulns
March 17, 2025 at 10:59 PM
Reposted by Dino A. Dai Zovi
We are destroying software: antirez.com/news/145
We are destroying software - <antirez>
antirez.com
February 8, 2025 at 2:48 PM
Exactly this. We should instead be investing that energy into making authentication in our environment unphishable by making it impossible to give away access to an attacker, even if someone actually wanted to.
I have never once run a phishing sim. I refuse to use the word. I put it in air quotes and say scam by text or email, etc.
Tech and cyber has been about deflecting blame to anyone else but themselves, which is what sims are. Blaming people when the system they use should protect against issues.
February 8, 2025 at 6:12 PM
Reposted by Dino A. Dai Zovi
I have never once run a phishing sim. I refuse to use the word. I put it in air quotes and say scam by text or email, etc.
Tech and cyber has been about deflecting blame to anyone else but themselves, which is what sims are. Blaming people when the system they use should protect against issues.
February 8, 2025 at 7:21 AM
Reposted by Dino A. Dai Zovi
NEW: WhatsApp says it has notified 90 victims, including journalists and members of civil society, that they were targeted with spyware made by Paragon.

This is the first time that Paragon is linked to alleged abuse of its products.

techcrunch.com/2025/01/31/w...
WhatsApp says it disrupted a hacking campaign targeting journalists with spyware | TechCrunch
The Meta-owned company said the campaign was linked to Israeli spyware maker Paragon.
techcrunch.com
January 31, 2025 at 3:16 PM
Reposted by Dino A. Dai Zovi
Meta says almost 100 journalists and activists were targeted with spyware from Israeli company Paragon Solutions using a zero-click vuln in WhatsApp. If you use an iPhone, enabling Lockdown Mode prevents this from working. www.theguardian.com/technology/2...
WhatsApp says journalists and civil society members were targets of Israeli spyware
Messaging app said it had ‘high confidence’ some users were targeted and ‘possibly compromised’ by Paragon Solutions spyware
www.theguardian.com
January 31, 2025 at 7:38 PM
Reposted by Dino A. Dai Zovi
If you're interested in the history of bug bounties, for reasons, this series I did a few years ago with @k8em0.bsky.social @caseyjohnellis.bsky.social @ddz.bsky.social and many others may be of interest.
duo.com/decipher/law...
Lawyers, Bugs, and Money: When Bug Bounties Went Boom
Bug bounties have grown from a niche idea to encourage independent security research into a massive business and a legitimate career path for bug hunters in less than 15 years. This is the story of th...
duo.com
January 22, 2025 at 11:26 PM
I'm really liking the crisp definitions of and boundaries between product engineering, domain engineering, and infra engineering in this.

How much of your security org builds "what any company would need" (infra) vs. "what is unique to this company but shared across the company" (domain) ?
January 19, 2025 at 4:19 PM
There are different privacy concerns and approaches for the training phase of AI as well as for the inference phase of using it. It's a good time to be thinking about what the right approaches are for each.
January 18, 2025 at 4:27 PM
Reposted by Dino A. Dai Zovi
I wrote a post about how AI will interface with end-to-end encryption. TL;DR maybe not so well! blog.cryptographyengineering.com/2025/01/17/l...
Let’s talk about AI and end-to-end encryption
Recently, I came across a fantastic new paper by a group of NYU and Cornell researchers entitled “How to think about end-to-end encryption and AI.” I’m extremely grateful to see t…
blog.cryptographyengineering.com
January 17, 2025 at 3:43 PM
+1, security product vendors, services companies, *and* internal teams must always operate under the Hippocratic Oath, "First, do no harm."
January 18, 2025 at 4:17 PM
Reposted by Dino A. Dai Zovi
So phone metadata *is* actually sensitive and important information? So hard to keep this straight.
FBI Has Warned Agents It Believes Hackers Stole Their Call Logs
FBI leaders have warned that they believe hackers who broke into AT&T Inc.’s system last year stole months of their agents’ call and text logs, setting off a race within the bureau to protect the ...
www.bloomberg.com
January 16, 2025 at 7:24 PM
We blogged again! This time about our Data Safety Levels framework, which was inspired by the CDC/WHO Biosafety Levels system and Laboratory Biosafety Manuals. Like biological agents, we also don't want sensitive data to be exposed to humans or escape.

code.cash.app/dsl-framework
Data Safety Levels Framework: The foundation of how we look at data in Block
Block uses the Data Safety Levels (DSL) Framework to evaluate data sensitivity.
code.cash.app
January 16, 2025 at 10:00 PM
The placement of liability for fraudulent credit card charges onto the issuer incentivized the shift to EMV, so we now have smartcards in our wallets and secure elements on our smartphones.

Contrast this to the security of authn to way more critical things than buying a coffee.
January 1, 2025 at 4:12 PM
Reposted by Dino A. Dai Zovi
Ever wanted to benchmark RSA key generation but found it too slow and variable, like benchmarking a lottery? No? Just me?

Well, I nerd-sniped myself into producing average representative inputs that can be used to benchmark, profile, and compare RSA keygen. c2sp.org/CCTV/keygen

Happy New Year(?)!
Benchmarking RSA Key Generation
RSA key generation is conceptually simple, but extremely tricky. Even benchmarking involves math: we generated a stable but representative “average case” instead of using the ordinary statistical appr...
words.filippo.io
December 31, 2024 at 2:20 PM
Reposted by Dino A. Dai Zovi
This Salt Typhoon stuff is insane. The entire FISA surveillance infrastructure has been completely owned by China and literally no part of our telecom infrastructure is safe to use without end-to-end encryption.
December 29, 2024 at 9:50 AM
Reposted by Dino A. Dai Zovi
You’re still arguing about tabs vs. spaces? May I present…
December 25, 2024 at 6:37 PM
The subtle benefit of *minimal* version selection as a systemic damper on software supply chain attacks:

"What’s more, the deeper in your dependency tree the library is, the more explicit approvals are required for the library to propagate to your project."

matklad.github.io/2024/12/24/m...
Minimal Version Selection Revisited
In this post, I want to highlight one aspect of Go-style minimal version selection that I have missed completely at first. Maybe you missed it too?
matklad.github.io
December 25, 2024 at 3:48 PM
The transition from static long-term "credentials" (PAN + CVV) to EMV cryptograms generated by smartcards and the continuing transition for online payments are good case studies for how to devalue data to the point of making attacks on processing infra no longer worthwhile. Human authn must be next.
In general you should always prefer Apple/Google Pay or similar services whenever possible, or contactless credit cards. These payment methods work in a way where there's usually not any reusable information to steal, whereas if someone gets your credit card number and CVV, they can reuse it elsewhere.
December 25, 2024 at 3:27 PM