Peter C
@peterc.ollins.me
Security Engineer

https://peterc.ollins.me
Pinned
Very excited to announce our open-sourcing of Access!

Access is a centralized portal for Discord employees to transparently discover, request, and manage their access for all internal systems needed to do their jobs
Access: A New Portal for Managing Internal Authorization
We’ve created a new internal portal for staff to manage their permissions. Built with security, transparency, and ease of use in mind, it’s now open source for anyone to use! In this article, we’ll di...
discord.com
Reposted by Peter C
my latest investigation for @consumerreports.org is based on months of reporting and 60+ lab tests of leading protein supplements

we found that most protein powders and shakes have more lead in one serving than our experts say is safe to have in a day (🧵)

www.consumerreports.org/lead/protein...
Protein Powders and Shakes Contain High Levels of Lead - Consumer Reports
CR tests of 23 popular protein powders and shakes found that most contain high levels of lead.
www.consumerreports.org
October 14, 2025 at 4:37 PM
Reposted by Peter C
Workday discloses "third-party CRM" breach... most likely their Salesforce account

blog.workday.com/en-us/protec...
Protecting You From Social Engineering Campaigns: An Update From Workday
blog.workday.com
August 17, 2025 at 5:25 PM
Reposted by Peter C
Exciting! MLS e2ee messaging with fingerprints in Bluesky bios (to prevent silent bindings) and pre-keys in PDS.

Kinda wish the key was published in the DID document though, especially if one day plc.directory will become a tlog. (Basically free KT!)

www.germnetwork.com/blog/integra...
July 28, 2025 at 6:09 PM
Reposted by Peter C
New from 404 Media: we spoke to the researcher who found hackers can remotely trigger brakes on American trains. Says it was ignored for years, DHS confirmed. "All of the knowledge to generate the exploit already exists on the internet, AI could even build it for you." www.404media.co/hackers-can-...
Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years
“All of the knowledge to generate the exploit already exists on the internet. AI could even build it for you,” the researcher told 404 Media.
www.404media.co
July 15, 2025 at 2:04 AM
Reposted by Peter C
Just to clear up some misinfo, a BGP hijack was not the cause of Cloudflare DNS going down today.

At 21:51 UTC, Cloudflare (AS13335) withdrew both 1.1.1.0/24 and 1.0.0.0/24 for an unknown reason.

I suspect AS4755 was always announcing 1.1.1.0/24; when CF went away, it leaked a bit (2%).
July 15, 2025 at 12:14 AM
Reposted by Peter C
Activision has pulled a Call of Duty game after multiple reports of PC players having their computers hacked. An old insecure version of the game was reportedly uploaded to the Microsoft Store 😬 www.theverge.com/news/702255/...
Activision pulls Call of Duty game after PC players are hacked
Call of Duty: Remote Code Execution
www.theverge.com
July 9, 2025 at 9:35 AM
Reposted by Peter C
Today’s unsigned, unexplained #SCOTUS ruling clearing the way for removals of migrants to third countries without any additional process is a disaster—not just on the merits, but because of the government misbehavior that it not only refuses to punish, but effectively rewards.

Me, via “One First”:
161. The Court's Disastrous Ruling in the Third-Country Removal Case
The majority did not just greenlight an especially odious immigration policy without any explanation; it did so in a case in which the government defied the district court—twice—with no consequence.
www.stevevladeck.com
June 23, 2025 at 9:59 PM
Reposted by Peter C
Here's something I am very excited about: Photosynthesis! 🌱☀️

A proposal to have CAs run transparency logs and make X.509 certificates out of Merkle Tree inclusion proofs.

This is similar to how CT would have worked in an ideal world, and it solves the problem of PQC sizes in logs and handshakes.
[TLS] Photosynthesis, an update to Merkle Tree Certificates
Photosynthesis combines the Static CT API with the ideas in Merkle Tree Certificates.
mailarchive.ietf.org
June 20, 2025 at 7:11 PM
Reposted by Peter C
this is actually how my cursed Online brain read the post
August 21, 2023 at 2:50 AM
Reposted by Peter C
A recently disclosed data breach at Coinbase has been linked to India-based customer support representatives from outsourcing firm TaskUs, who threat actors bribed to steal data from the crypto exchange.
Coinbase breach tied to bribed TaskUs support agents in India
www.bleepingcomputer.com
June 3, 2025 at 5:18 PM
Reposted by Peter C
Most engineers aren’t taught how to write secure code or catch threats after deploy.

Detection engineering used to be limited to experts. Now anyone can do it with prompts, Goose, and the Panther MCP server. 💪

block.github.io/goose/blog/2...
Democratizing Detection Engineering at Block: Taking Flight with Goose and Panther MCP
A comprehensive overview of how Block leverages Goose and Panther MCP to democratize and accelerate security detection engineering.
block.github.io
June 2, 2025 at 10:07 PM
Reposted by Peter C
New, by me: Compliance startup Vanta said it's fixing a bug that exposed some customer data to other Vanta customers.

One Vanta customer told us that they were notified that some of their data was pulled out of their Vanta instance "into other customers’ instances."
Vanta bug exposed customers' data to other customers | TechCrunch
The compliance company said the customer data exposure was caused by a product change.
techcrunch.com
June 2, 2025 at 5:18 PM
Reposted by Peter C
Our latest investigation…
‼️ Hidden Bear: The GRU hackers of Russia's most notorious kill squad

As The Insider discovered, Unit 29155, the Kremlin’s most notorious black ops squad, also fielded a team of hackers that tried to destabilize Ukraine before Russia’s full-scale invasion.
Hidden Bear: The GRU hackers of Russia’s most notorious kill squad
Russian GRU Unit 29155 is best known for its long list of murder and sabotage ops, which include the Salisbury poisonings in England, arms depot explosions in Czechia, and an attempted coup d’etat in ...
theins.press
May 31, 2025 at 9:13 PM
Reposted by Peter C
I'm often asked if I'll redo the 2019 quantum factoring estimate. Denser storage by yokes, smaller magic factories by cultivation, slimmer approx arithmetic by Chevignard et al… surely the cost is lower now?

Yes, it's lower now.

security.googleblog.com/2025/05/trac...

arxiv.org/abs/2505.15917
May 23, 2025 at 1:25 PM
Reposted by Peter C
SCOOP: In Feb, federal agencies "lost" many #FOIA requests but you probably had no idea. It turns out that the FOIAs disappeared due to an "insider threat attack" by 2 employees at a software company who were previously convicted of hacking into the State Dept

🧵

🎁 www.bloomberg.com/news/article...
Probe Found Security Lapses Led to US Contractor’s Data Breach
Failures in cybersecurity practices at a software company that helps federal agencies manage investigations and FOIA requests allowed two convicted hackers to delete databases, according to internal d...
www.bloomberg.com
May 21, 2025 at 1:17 PM
Reposted by Peter C
New: Docker Hardened Images 🔐

✅ Non-root by default
✅ SLSA Level 3 compliant
✅ SBOMs, VEX, provenance — all signed
✅ Built-in to Docker Hub

👉 http://spklr.io/63323CAqR

#Docker #DevSecOps #SoftwareSupplyChain #Containers #CloudNative #DockerHardenedImages
May 19, 2025 at 1:12 PM
Reposted by Peter C
DDoSecrets publishes 410 GB of heap dumps, hacked from TeleMessage's archive server micahflee.com/ddosecrets-p...
May 19, 2025 at 4:54 PM
Reposted by Peter C
Time to update microcode on your Intel processors (gen >9)
New speculative prediction bug lets you capture /etc/shadow with 99% reliability. They didn't make anything like it work on AMD or ARM, yet...

comsec.ethz.ch/research/mic...

www.intel.com/content/www/...

github.com/intel/Intel-...
Branch Privilege Injection: Exploiting Branch Predictor Race Conditions – Computer Security Group
comsec.ethz.ch
May 13, 2025 at 4:56 PM
Reposted by Peter C
Despite misleading marketing, Israeli company TeleMessage, used by Trump officials, can access plaintext chat logs. My findings are based on TM SGNL's source code, and they are corroborated by hacked data micahflee.com/despite-misl...
Despite misleading marketing, Israeli company TeleMessage, used by Trump officials, can access plaintext chat logs
Despite their misleading marketing, TeleMessage, the company that makes a modified version of Signal used by senior Trump officials, can access plaintext chat logs from its customers. In this post I ...
micahflee.com
May 6, 2025 at 8:00 PM
Reposted by Peter C
TeleMessage, the Israeli company that makes the modified Signal app used by Trump officials, was hacked. “I would say the whole process took about 15-20 minutes,” the hacker said micahflee.com/the-signal-c...
The Signal Clone the Trump Admin Uses Was Hacked
TeleMessage, a company that makes a modified version of Signal that archives messages for government agencies, was hacked.
micahflee.com
May 4, 2025 at 10:05 PM
Reposted by Peter C
PhD Timeline xkcd.com/3081
April 25, 2025 at 3:32 PM
Reposted by Peter C
🧵 THREAD: A federal whistleblower just dropped one of the most disturbing cybersecurity disclosures I’ve ever read.

He's saying DOGE came in, data went out, and Russians started attempting logins with new valid DOGE passwords.

Media's coverage wasn't detailed enough so I dug into his testimony:
April 18, 2025 at 12:10 AM
Reposted by Peter C
Turning the Security Flywheel

This post explores the "flywheel" concept and its application to security, demonstrating how to create self-reinforcing cycles that improve effectiveness.

www.philvenables.com/post/turning...
March 8, 2025 at 3:44 PM
Reposted by Peter C
New details on the ByBit/Safe{Wallet} breach, and uhhh wow, some really silly blunders on the DPRK side. They still succeeded which is the most upsetting part of all of this. Let's bully some threat actor tradecraft! A🧵
x.com/safe/status/...
Safe.eth on X: "Investigation Updates and Community Call to Action" / X
Investigation Updates and Community Call to Action
x.com
March 6, 2025 at 5:21 PM