Aisuru Botnet Shifts from DDoS to Residential Proxies
Aisuru, the botnet responsible for a series of record-smashing distributed denial-of-service (DDoS) attacks this year, recently was overhauled to support a more low-key, lucrative and sustainable business: Renting hundreds of thousands of infected Internet of Things (IoT) devices to proxy…
Understanding and Protecting Against Sender Policy Framework (SPF) Poisoning | Abdul Wahab Junaid
What is Sender Policy Framework (SPF)? Sender Policy Framework (SPF) is a technical standard designed to provide a layer of protection against fraudulent
Autonomous AI Hacking and the Future of Cybersecurity - Schneier on Security
AI agents are now hacking computers. They’re getting better at all phases of cyberattacks, faster than most of us expected. They can chain together different aspects of a cyber operation, and hack autonomously, at computer speeds and scale. This is going to change everything. Over the summer, hackers proved the concept, industry institutionalized it, and criminals operationalized it. In June, AI company XBOW took the top spot on HackerOne’s US leaderboard after submitting over 1,000 new vulnerabilities in just a few months. In August, the seven teams competing in DARPA’s AI Cyber Challenge ...
Build vs. Buy: What it Really Takes to Harden Your Software Supply Chain - DevOps.com
Securing the software supply chain requires more than building hardened images. Learn why DIY often fails and what it takes to maintain secure images at scale.
Visa Isn't Centralized—and Neither Is First Person Identity
Visa isn't centralized. Instead, it's a trust framework that lets thousands of participants interoperate. First-person identity brings that same model to digital identity, enabling not one
The latest data breaches are a regular topic in the news. With this article we aim to raise awareness of the prevalence and severity of the issue, and of how the financial impact on the business can be limited.
Digital Threat Modeling Under Authoritarianism - Schneier on Security
Today’s world requires us to make complex and nuanced decisions about our digital security. Evaluating when to use a secure messaging app like Signal or WhatsApp, which passwords to store on your smartphone, or what to share on social media requires us to assess risks and make judgments accordingly. Arriving at any conclusion is an exercise in threat modeling. In security, threat modeling is the process of determining what security measures make sense in your particular situation. It’s a way to think about potential risks, possible defenses, and the costs of both. It’s how experts avoid being distracted by irrelevant risks or overburdened by undue costs...
The first six chapters of my new book, Dynamic Authorization: Adaptive Access Control, are now available in Manning’s Early Access Program. The book explores why authorization is still misunderstood, and how new tools like Cedar enable secure, flexible systems that also improve employee and customer experience.
The DNSSEC Illusion: 16 TLDs revealed the hidden fragility in DNSSEC ops
For years, a European TLD ran its DNSSEC toolchain without incident. Everything "just worked." Updates were rare, and no one touched the setup.
Then their only DNSSEC expert left.
What looked like stability turned out to be fragility. The system wasn’t resilient — it was dependent on one person’s
Improving privacy can get overwhelming at first. It's important to move one step at a time, but remain persistent. Good privacy is like good health habits.
Keep applications secure with strong authentication security. Apply actionable steps and learn key takeaways to securing and building apps that elevate identity assurances.
Newgrounds, a gaming forum, has some clever ways for non-intrusively complying with the shambling disaster that is the "UK Online Safety Act". For years, I've been doing something similar to this when generating internal reports on DNA Lounge demographics: e.g., if someone bought a ticket for an 18+ event 5 years ago, they must be at least 23 years old now. Newgrounds: Here is our current ...
Whimsical elliptic curves in Zcash zero knowledge proofs
Several elliptic curves which Zcash uses in zero knowledge proofs are named after characters from Lewis Carroll: Jubjub, Bandersnatch, Tweedledee, Tweedledum
Zero Knowledge Proofs Alone Are Not a Digital ID Solution to
In the past few years, governments across the world have rolled out digital identification options, and now there are efforts encouraging online companies to implement identity and age verification
The “Bubble” of Risk: Improving Assessments for Offensive Cybersecurity Agents - CITP Blog
Authored by Boyi Wei Most frontier models today undergo some form of safety testing, including whether they can help adversaries launch costly cyberattacks. But many of these assessments overlook a critical factor: adversaries can adapt and modify models in ways that expand the risk far beyond the perceived safety profile that static evaluations capture. At […]