Chris John Riley  

1.9K Followers
617 Following
1.8K Posts

I'm just this guy, you know!

- Views my own 😇
- Security Advisor @ Stealth Startup 👔
- ex-Staff Security dino @ Google 🦕
- Purveyor of fine whisky 🥃, hard mixes 🎧🎚️, & fresh bull 💩
- Zurich 🇨🇭 / Valencia 🇪🇸
- FI/RE

DJ Mixes https://mixcloud.com/c22dnb #dnb #DrumAndBass

Twitter: https://twitter.com/intent/user?screen_name=ChrisJohnRiley
Blog ✍️: https://blog.c22.cc
GitHub: https://github.com/ChrisJohnRiley
Remote Command Execution in Google Cloud with Single Directory Deletion - GMO Flatt Security Research https://flatt.tech/research/posts/remote-command-execution-in-google-cloud-with-single-directory-deletion/
Remote Command Execution in Google Cloud with Single Directory Deletion

Introduction Hello, I’m RyotaK (@ryotkak ), a security engineer at GMO Flatt Security Inc. A while ago, I participated in the Google Cloud VRP bugSWAT, a live hacking event organized by Google. During this event, I discovered a remote command execution vulnerability in one of Google Cloud’s services. As the vulnerability has now been fixed, I would like to share the technical details in this article. TL;DR Google Cloud has a product called Looker, and this product has a feature to manage Git repositories.

GMO Flatt Security Research
Today has been another lesson in why AI isn't going to take your job just yet… pretty sure I spent 3 hours teaching an AI something I could have just done myself in 2 (and no, it still didn't get it right).
This sign raises many questions, which probably should be answered by the sign but aren't

About trans rights:

They're a wedge issue. If you think it's okay to deprive trans people of the right to exist in the public sphere then you're saying human rights are conditional and/or can be withdrawn. Which puts you on a slippery slope to no human rights for anyone.

When you trace the roots of the modern anti-trans movement they boil down to some combination of bigotry and billionaire bullshit — the oligarchs think rights are for the rich.

So: trans-rights are human rights. No exceptions.

I'm sick of the constant negativity on here, so today's Low Quality Ad is for this It Gets Worse T-shirt. Please try to be more optimistic. Today might be a bad day, but on the bright side, it's a better day than tomorrow will be.
https://collabs.shop/qld9nv

As you may know, Africa is big. The continent comprises 54 countries with extensive linguistic, cultural, and political variation. This can make it difficult to create communities of practice and enable the type of information sharing that is seen in other parts of the world.

In the past two years, the FIRST Africa Regional Liaison (ARL) initiative has directly supported 1,210 cybersecurity professionals, delivered more than 50 targeted initiatives across 33 countries, and maintained sustained engagement with at least 70 Computer Security Incident Response Teams (CSIRTs).

Lawrence Mulchiwa and Eric Akumiah are FIRST's Africa Liaisons and they have told their story in a blog. And it's a big story for a big place.

https://go.first.org/yGL7s

The Trust Builders: FIRST’s African Liaisons

FIRST — Forum of Incident Response and Security Teams

I teach cybersecurity. And I genuinely don't know what to tell my students after this one. Federal reviewers spent years trying to get basic encryption documentation from Microsoft for its GCC High government cloud. They couldn't get it. One reviewer called the system a "pile of spaghetti pies," with data traveling from point A to point B the way you'd get from Chicago to New York: a bus to St. Louis, a ferry to Pittsburgh, and a flight to Newark. Each leg is a potential hijacking. They knew this. They said this out loud in writing. Then they approved it anyway in December 2024, because too many agencies were already using it. That's not a security review. That's a hostage negotiation. Two things in this story should make every CISO and CIO uncomfortable:

🧩 Microsoft built its federal cloud on top of decades of legacy code that it apparently can't fully document itself
👮 "Digital escorts" often ex-military with minimal software engineering backgrounds are the firewall between Chinese engineers working on the system and classified U.S. networks 🤦🏻‍♂️

The scariest line in the whole ProPublica investigation isn't the "pile of shit" quote. It's this: FedRAMP determined that refusing authorization wasn't feasible because agencies were already using the product. Read that again. The security review process reached a conclusion based on sunk cost, not risk. Ex Post Facto Fallacy

If that logic holds, the compliance framework is just documentation theater. And right now, CISA is being hollowed out, so there are fewer people left to even run the theater.

https://arstechnica.com/information-technology/2026/03/federal-cyber-experts-called-microsofts-cloud-a-pile-of-shit-approved-it-anyway/
#Cybersecurity #Microsoft #FedRAMP #Leadership #RiskManagement #security #privacy #cloud #infosec

Federal cyber experts called Microsoft's cloud a "pile of shit," approved it anyway

One Microsoft product was approved despite years of concerns about its security.

Ars Technica

Was (Not Was) — Hello, Dad...I'm In Jail
https://www.discogs.com/release/2623301-Was-Not-Was-Hello-DadIm-In-Jail

A 1992 compilation album drawing tracks from the band's first four studio albums.

#Vinyl #NowPlaying

Just Announced for BSides Luxembourg 2026!
๐—ž๐—˜๐—ฌ๐—ก๐—ข๐—ง๐—˜: ๐—œ๐——๐—˜๐—ก๐—ง๐—œ๐—ง๐—ฌ ๐—ฆ๐—˜๐—–๐—จ๐—ฅ๐—œ๐—ง๐—ฌ ๐—๐—จ๐—ฆ๐—ง ๐—˜๐—ซ๐—ฃ๐—Ÿ๐—ข๐——๐—˜๐—— - Wendy Nather (@wendynather )

As identity ecosystems evolve, some challenges never quite get solved — delegation being one of them. But now, the stakes are higher than ever. With the rapid rise of non-human identities that don’t fit traditional system or application roles, organizations are facing a new layer of complexity. Even if you’re not actively using these “agents” yet, they’re already becoming part of the broader digital environment. The question is no longer if — but how you’ll manage them. It’s time to start making deliberate decisions about identity, access, and control in this expanding landscape.

Wendy Nather ( @wendynather ) is a strategist, research director, and former CISO with over 40 years of experience in IT operations and security. Her expertise includes identity and access management, threat intelligence, risk analysis, and security operations, shaped by leadership roles in financial services, government, and industry research.
📅 Conference Dates: 6–8 May 2026 | 09:00–18:00
📍 14, Porte de France, Esch-sur-Alzette, Luxembourg
🎟️ Tickets: https://2026.bsides.lu/tickets/
📅 Schedule Link: https://pretalx.com/bsidesluxembourg-2026/schedule/

#BSidesLuxembourg #IdentityManagement #CyberSecurity #IAM #DigitalIdentity #SecurityLeadership

There's a lot of discourse on Twitter about people using LLMs to solve CTF challenges. I used to write CTF challenges in a past life, so I threw a couple of my hardest ones at it.

We're screwed.

At least with text-file style challenges ("source code provided" etc), Claude Opus solves them quickly. For the "simpler" of the two, it just very quickly ran through the steps to solve it. For the more "ridiculous" challenge, it took a long while, and in fact as I type this it's still burning tokens "verifying" the flag even though it very obviously found the flag and it knows it (it's leetspeak and it identified that and that it's plausible). LLMs are, indeed, still completely unintelligent, because no human would waste time verifying a flag and second-guessing itself when it very obviously is correct. (Also you could just run it...)

But that doesn't matter, because it found it.

The thing is, CTF challenges aren't about inventing the next great invention or having a rare spark of genius. CTF challenges are about learning things by doing. You're supposed to enjoy the process. The whole point of a well-designed CTF challenge is that anyone, given enough time and effort and self-improvement and learning, can solve it. The goal isn't actually to get the flag, otherwise you'd just ask another team for the flag (which is against the rules of course). The goal is to get the flag by yourself. If you ask an LLM to get the flag for you, you aren't doing that.

(Continued)