Data Safety and Information Security
Why Lockdown mode from Apple is one of the coolest security ideas ever
Apple intros "extreme" optional protection against the scourge of mercenary spyware.
Microsoft finds Raspberry Robin worm in hundreds of Windows networks
Microsoft says that a recently spotted Windows worm has been found on the networks of hundreds of organizations from various industry sectors.
CISA: Adopt Modern Auth now for Exchange Online
Before Microsoft shutters basic logins in a few months
APT Groups Adopt New Phishing Method. Will Cybercriminals Follow?
APT actors from Russia, China, and India have been observed using the RTF-template injection technique that researchers say is poised for wider adoption.
Hands-off: why you absolutely need offsite cloud backup
Introducing Entitlements: GitHub's open source Identity and Access Management solution | The GitHub Blog
We're excited to announce that we're open sourcing our Identity and Access Management solution: Entitlements.
Implementing a robust digital identity | The GitHub Blog
How can you robustly assert and identify a user’s identity?
QR code malware: keeping yourself and your family safe
It’s you versus the QR code, so how do you know if it contains malware?
Subversive Trilemma: Why Cyber Operations Fall Short of Expectations
Abstract. Although cyber conflict has existed for thirty years, the strategic utility of cyber operations remains unclear. Many expect cyber operations to provide independent utility in both warfare and low-intensity competition. Underlying these expectations are broadly shared assumptions that information technology increases operational effectiveness. But a growing body of research shows how cyber operations tend to fall short of their promise. The reason for this shortfall is their subversive mechanism of action. In theory, subversion provides a way to exert influence at lower risks than force because it is secret and indirect, exploiting systems to use them against adversaries. The mismatch between promise and practice is the consequence of the subversive trilemma of cyber operations, whereby speed, intensity, and control are negatively correlated. These constraints pose a trilemma for actors because a gain in one variable tends to produce losses across the other two variables. A case study of the Russo-Ukrainian conflict provides empirical support for the argument. Qualitative analysis leverages original data from field interviews, leaked documents, forensic evidence, and local media. Findings show that the subversive trilemma limited the strategic utility of all five major disruptive cyber operations in this conflict.
How to Store an SSH Key on a Yubikey
Posted on 2022-05-27
How the Saitama backdoor uses DNS tunnelling
A walkthrough of one of the stealthy communication techniques employed in a recent attack using APT34's Saitama backdoor.
OAuth Security in a Cloud Native World
Outlining how my thinking has evolved after working with various cloud deployment types and integrating security into many kinds of apps.
US cyber boss wants software patches to be like car recalls
Adds infosec regulation coming to more industries but with a light touch, more collaboration
Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission (USENIX Security'22)
Does GraphQL Introduce New Security Risks?
GraphQL is a friendly alternative to REST APIs. But there are some security repercussions of adopting GraphQL that developers need to know.
Linux Security Study Reveals When, How You Patch Matters
Computer security only happens when software is kept up to date. That should be a basic tenet for business users and IT departments. Apparently, it isn’t. At least for some Linux users who ignore installing patches, critical or otherwise.
Removing the stigma of a CVE | The GitHub Blog
Do you worry that a CVE will hurt the reputation of your project? In reality, CVEs are a tracking number, and nothing more. Here's how we think of them at GitHub.
Pluralistic: 20 Apr 2022 – Pluralistic: Daily links from Cory Doctorow
The Problem With Security
Making security every team’s problem and recruiting those most interested to formalize their involvement is a solid cultural approach.
Can we solve the zero-day threat once and for all? No, but here’s what we can do
This online session shows you what constant vigilance should look like
First Malware Running on AWS Lambda Discovered
Amazon Web Services (AWS) Lambda, serverless computing's poster child, is over seven years old and only now has experienced the first malware specifically targeting Lambda, Denonia.
How QR codes work—and what makes them dangerous
While QR codes hold significantly more data than bar codes, they are also more prone to phishing attacks.
How to Build a Zero-Trust Culture
When few developers see security as their responsibility, how do you build a culture to support a zero trust strategy in your organization? #security #DevSecOps #zerotrust
The Ukrainian War, PKI, and Censorship
PKI has created a global trust framework for the web. But the war in Ukraine has shone a light on its weaknesses. Hierarchies are not good architectures for building robust, trustworthy, and stable digital systems.
Identity problems get bigger in the metaverse
We contain multitudes that each want a different login
The Future of Security
Surveying Your Cybersecurity Landscape
Researcher uses 379-year-old algorithm to crack crypto keys found in the wild
It takes only a second to crack the handful of weak keys. Are there more out there?
Provisional Authenticity and Functional Privacy
Provisional authenticity and confidentiality can help us manage the trade-offs between privacy and authenticity to support online accountability along with functional privacy.
Software Supply Chain Security: Tearing Down the Silos
Both application and infrastructure security are required to keep a cloud native system safe. A single solution can integrate both to foil hackers. #DevSecOps #security