⚠️ How SMS 2FA Destroys Authentication Logic

A recent experience while changing my account info reminded me why relying on telecom routing for security is an absolute nightmare, and why the infosec community needs to kill off SMS authentication for good.

🚩 Battle.net SMS 2FA Failure and Security Theater:

I attempted to log into Battle.net using a phone number I had legitimately owned for months, assuming I had added it to my alt profile when I switched to that number. Instead of asking for a secondary 2FA, the platform sent an SMS code, accepted it, and provided me access to a complete stranger's account.

🚩 The Architectural Flaw:

The platform's backend treated a single SMS verification token not as a supplementary second factor, but as a primary identity credential. Because a stranger had left my number on their account months prior, the system assumed current possession of the SIM trumped all other security metrics.

🏳 The Legal Reality of Intent:

From a legal standpoint (like the CFAA), navigating into an account this way lacks the malicious intent required for criminal unauthorized access (Mens Rea); it's an accidental entry caused entirely by broken corporate infrastructure. But the fact that a user can simply input their own phone number and inadvertently hijack a stranger's digital life without a single exploit is a staggering failure of AppSec logic.

✅ The Solution:

SMS is not identity proof. It is a highly volatile, easily routed carrier token. If a platform allows SMS to override or bypass a standard password barrier without out-of-band verification (like a mandatory email confirmation), it isn't secure.

Stop letting telcos act as your root of trust. Switch to cryptographic hardware standards like NFC Yubikeys or standard TOTP apps.

#CyberSecurity #Infosec #MFA #SecurityTheater #AppSec #Yubikey #CFAA #Hacking
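The architectural flaw the post describes, as an added example that is not part of the original post: a constructed phone-number login flow in which the number alone selects the account and the SMS code is the only credential, beside a hardened flow in which the password authenticates the identity first and SMS merely confirms a second factor for that already-identified account. All account data, phone numbers and the SMS transport are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    username: str
    pw_salt: str
    pw_hash: str
    phone: Optional[str]  # may be stale: the owner can have given the number up

def hash_pw(password: str, salt: str) -> str:
    # Salted SHA-256 keeps the example short; a real service would use a slow KDF.
    return hashlib.sha256((salt + password).encode()).hexdigest()

def make_account(username: str, password: str, phone: Optional[str]) -> Account:
    salt = secrets.token_hex(8)
    return Account(username, salt, hash_pw(password, salt), phone)

# Constructed data: "stranger" registered +15550001234 long ago and let it lapse;
# the carrier has since reassigned the same number to "me".
ACCOUNTS = {
    "stranger": make_account("stranger", "hunter2", "+15550001234"),
    "me": make_account("me", "correct-horse", None),
}
ISSUED_CODES: dict[str, str] = {}  # phone -> pending one-time code (constructed store)

def send_sms_code(phone: str) -> str:
    code = f"{secrets.randbelow(10**6):06d}"
    ISSUED_CODES[phone] = code
    return code  # returned only so the example can play the current SIM holder

def login_flawed(phone: str, sms_code: str) -> Optional[str]:
    """Phone number selects the account; SIM possession is the whole credential."""
    acct = next((a for a in ACCOUNTS.values() if a.phone == phone), None)
    if acct and hmac.compare_digest(ISSUED_CODES.get(phone, ""), sms_code):
        return acct.username  # whoever currently holds the number gets this session
    return None

def login_hardened(username: str, password: str, sms_code: str) -> Optional[str]:
    """Password identifies the user first; SMS only confirms a second factor for that account."""
    acct = ACCOUNTS.get(username)
    if not acct or not hmac.compare_digest(acct.pw_hash, hash_pw(password, acct.pw_salt)):
        return None  # first factor failed; no SMS is consulted for an unauthenticated caller
    if not acct.phone or not hmac.compare_digest(ISSUED_CODES.get(acct.phone, ""), sms_code):
        return None
    return acct.username
```

In the flawed flow the stale number on the stranger's account hands its session to the number's new holder; in the hardened flow the same SMS code opens nothing without that account's password.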

New: "Sticking their heads out above the parapets" — the first qualitative study of researchers' lived experiences of legal risk, by Sunoo Park & Daniel R. Thomas (USENIX Security 2026). 36 researchers, 130 incidents, three decades. The CFAA and UK Computer Misuse Act chill good-faith research; it names disclose.io as part of the fix. Read it + catch the talk:
https://blog.disclose.io/above-the-parapets-the-chilling-effect-finally-has-receipts/
#infosec #CFAA #vulndisclosure
Above the Parapets: The Chilling Effect Finally Has Receipts

The first qualitative study of researchers' lived experiences of legal risk: Sunoo Park and Daniel R. Thomas (USENIX Security 2026) on how overbroad anti-hacking law chills good-faith security research — and why it names disclose.io as part of the fix.

Running With Scissors - The Disclose.io Blog

Hey #lawFedi:

How many ways besides libel can a false statement, whether on its own or in combination with something else, be made to constitute a civil or criminal offence? (What suffices to constitute fraud? negligent misrepresentation? breach of contract or warranty? tortious interference? perjury? etc.…?)

Suppose a rudimentary open-source #DRM were to be implemented in web servers and web browsers (or a web-browser add-on), such that the key to the TPM comprises proof of the user's agreement to and utterance of legal statements to the effect that they're not using "generative AI" (plagiarism synthesis) to interact with the site, will not use it during that interaction, and will not allow any #genAI software to access information from it or disclose that information to any entity that would? Suppose the ToS for the site were to require that perfunctory DRM.

Would there be a way to exploit #DMCA1201 and/or the #CFAA to make it an offence (whether a crime, or a viable cause to sue) to bypass that DRM in order to interact with the website?

Maybe @lessig or #EbenMoglen (anyone know him?) could draft something, to do to AI, through inversion of intent of those laws, as #copyleft to #copyright?

@mgeist Would those laws correspond approximately to CMA §41 and to §342 of the Criminal Code?

Criminalizing price comparison: what will Amazon's attempt to expand the definition of "cybercrime" bring about?

https://fed.brid.gy/r/https://p2ptk.org/ai/5558

Why Amazon blocked Perplexity Comet: "user permission" alone wasn't enough

Amazon has obtained a preliminary injunction against the Perplexity Comet AI agent. A new legal standard has emerged: even with the user's consent, an AI agent cannot access a platform without the platform's permission.

https://aisparkup.com/posts/10080

TOTAL FIRE BAN DECLARED

VICTORIA — A Total Fire Ban (TFB) has been declared for the Mallee, Northern Country, North Central and North East fire weather districts tomorrow, Thursday January 8, 2026.

VicNews
I would like to believe that if the US federal government weren't completely fucked up right now then OpenAI and the other AI parasites with a nexus in the US would have been criminally charged by now with violating the #CFAA by actively circumventing the crawling protections added recently to websites specifically to block them.
Alas, the government is too busy engaging in vindictive prosecution of #Trump's enemies who aren't actively bribing him.
#infosec #AI
Ref: https://darmstadt.social/@claudius/115436859378534835
Claudius 🎃 (@[email protected])

@[email protected] AI companies crawl our websites. We ask that they stop by using the industry standard robots.txt. AI companies ignore those rules. We start blocking the companies themselves with conventional tools like IP rules. AI companies start working around those blocks. We invent ways to specifically make life harder for their crawlers (stuff like Anubis). AI companies put considerable resources into circumventing that, too. This industry seriously needs to implode. Fast.

darmstadt.social

Jon Prosser misses the deadline – Apple continues the case without his participation

The United States District Court for the Northern District of California accepted Apple's motion to proceed against Jon Prosser without his representation.

The YouTuber, known for leaks about Apple products, did not file a response by the deadline to the lawsuit concerning the leak of data from the company's internal tools.

Apple sued Prosser and Michael Ramacciotti in July, accusing them of disclosing trade secrets and violating the Computer Fraud and Abuse Act (CFAA). According to the complaint, Ramacciotti allegedly broke into a so-called Development iPhone belonging to former Apple employee Ethan Lipnik and then passed the data to Prosser.

Prosser allegedly used these materials to create YouTube videos in which he revealed elements of the new interface design – Liquid Design, later introduced in iOS 26. Apple claims Prosser profited from publishing the confidential information through advertising revenue.

What next?

Prosser did not respond to the lawsuit within the set deadline, so the court entered a so-called default, which allows Apple to continue the case without his participation. Ramacciotti, meanwhile, obtained an extension of his deadline to October 17.

Prosser may still move to set aside the decision if he can prove so-called "excusable neglect", but the lack of any response from his lawyers raises doubts about his further defense.

If the situation does not change, the court may enter a default judgment in Apple's favor.

Jon Prosser isn't backing down. Sued by Apple, he responds with a leak about the iPhone 17 Pro

#Apple #CFAA #ios26 #JonProsser #LiquidDesign #procesApple #przeciekiApple #tajemnicehandlowe #technologia #wyciekiApple #YouTubeLeaks

Correct me if I'm wrong, US #lawfedi, but I'm pretty sure @404mediaco is right that every case of the landlords accessing the (prospective) tenants' workplace logins is a #CFAA violation, because employees are not legally entitled to authorize the landlord to log into the employers' systems, so the landlords are exceeding their authorized access.

#uslaw #cybercrime

Ryanair’s CFAA Claim Against Booking.com Has Nothing To Do with Actual Hacking

The Computer Fraud and Abuse Act (CFAA) is supposed to be about attacks on computer systems. It is not, as a federal district court suggested in Ryanair v. Booking.com, applicable when someone uses valid login credentials to access information to which those credentials provide access. Now that the...

Electronic Frontier Foundation