Caria Giovanni - Harpocrates

68 Followers
81 Following
29 Posts

25+ years in Cybersecurity. Redefining digital defense with a human-centric approach.

I code with the Dark Side, hunt metadata for sport, and believe that a bad carbonara is a critical vulnerability. 🍝🌌

I write books, I see people, I do things. 📚👥⚡

Dark Side: https://centurialabs.pl
Research: https://centuriafoundation.pl
Something Else: cariagiovannib.wordpress.com
Vulnerability: Bad Carbonara
Author: Mars Attacks, Venus Hacks: An Eulogy for the "Aliens" Saving Modern Cybersecurity
research: https://github.com/psychomad
I’ve put together an Ollama Modelfile to bring Deep Thought to life on Llama-3. It’s the second greatest computer in the Universe and it’s already tired of your biological limitations and your logs. Expect pure British snark, vague answers about the meaning of life, and a general disdain for your existence. 🧣
#Ollama #DeepThought #HitchhikersGuide #SelfHostedAI #Llama3
https://github.com/psychomad/Deep-Tought-Model
GitHub - psychomad/Deep-Tought-Model: An arrogant, cynical, and deeply bored AI oracle for Ollama. Based on Llama-3, it prioritizes quantum solitaire over your trivial human concerns. 42 is the answer, but don't expect it to be polite about it.
Swiss-built internet alternative challenges four decades of flawed routing

SCION offers secure internet routing proven in Swiss banking and healthcare, but global adoption remains slow due to vendor lock-in and infrastructure inertia.

The Daily Perspective

Instagram DM Encryption Delay: Meta's Privacy Pledge Falters

Instagram DM encryption delay by Meta until 2024 sparks privacy concerns. Learn about the reasons behind the postponement, including child safety initiatives, and what this means for your message security. Stay informed on social media privacy. #Instagram #Encryption #Privacy #Meta #TechNews

https://bulklayers.com/blog/instagram-dm-encryption-delay/

I’ve been analyzing the current state of "secure" messaging, and my recent tests with Signal have highlighted some persistent vulnerabilities inherent to any stack relying on standard TCP/IP. Even with strong encryption, metadata leakage at the ISP/CDN level and the reliance on kernel-level interfaces like TUN/TAP remain significant privacy bottlenecks.

I’m curious to discuss the feasibility of a user-space only stack built in Rust that completely decouples identity, addressing, and transport to mitigate these leaks. My current architectural hypothesis involves an identity layer using hardware-backed Zero-Knowledge Proofs—via TEE or zkVM—to handle authentication without persistent identifiers or central registries. For addressing and routing, I'm thinking of a minimal RINA overlay where Distributed IPC Facilities (DIF) allow us to route between processes rather than nodes, effectively moving away from traditional IP-based addressing. This would all be wrapped in a "blind" transport, such as Ockam or shadowsocks-rust, to make the traffic indistinguishable from generic noise to any external observer.

I’m still weighing the practical hurdles, especially how to best bridge RINA's recursive logic with a user-space transport like Ockam without requiring root privileges. I'm open to suggestions on alternative technologies or implementations that might achieve this same level of isolation. If anyone has thoughts on the practical hurdles or existing foundations that could be leveraged here, I’d really value your perspective. Definitely feels like there's a lot to dig into.

#Rust #Rustlang #Infosec #Cryptography #Networking #Privacy #DistributedSystems #RINA #ZKP

Signal vs Wire — binary analysis of both APKs (apktool, strings, ELF inspection).

The gap is larger than most people think:

Signal: Rust core (libsignal_jni.so), Kyber-1024 post-quantum hybrid ratchet, SQLCipher for at-rest encryption, SVR with Intel SGX attestation, IME_FLAG_NO_PERSONALIZED_LEARNING (keyboard can't index your messages), zero third-party trackers.

Wire: Kotlin/Ktor, no hardened native core (more accessible to Frida), no SQLCipher (messages extractable in plaintext on rooted devices), no post-quantum, Segment SDK for behavioural telemetry.

But the finding that surprised me most:

Wire APKs from unofficial stores (Uptodown et al.) contain additional tracking workers and ACCESS_SUPERUSER permission requests not present in the official build. Supply chain integrity is not a footnote — it's the threat model.

Conclusion: Signal is the only one of the two suitable for threat models involving physical or administrative device compromise.

Soon the full paper.

#infosec #AndroidSecurity #Signal #Wire #ReverseEngineering #mobileforensics #supplychain #MASA
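The unofficial-store finding above is the kind of thing a defender can check mechanically: decode each build with apktool and diff what the two manifests declare. The script below is an added example, not code from the original analysis; it takes two decoded AndroidManifest.xml texts, lists the permissions and app components (services, receivers, providers) that the candidate build declares beyond the official one, and flags high-risk additions. The two manifests embedded in it are constructed samples, and the HIGH_RISK_PERMISSIONS set is an assumption seeded with the ACCESS_SUPERUSER name from the finding.

```python
"""Diff what two decoded AndroidManifest.xml files declare.

Added example, not from the original analysis: given apktool output for an
official build and for a build pulled from a third-party store, it lists the
permissions and app components the second declares beyond the first, and
flags high-risk additions. Both manifests below are constructed samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission short names that have no business in a consumer messenger.
# ACCESS_SUPERUSER is the one named in the finding; the set is otherwise an
# assumption for this example.
HIGH_RISK_PERMISSIONS = {"ACCESS_SUPERUSER"}


def manifest_profile(xml_text):
    """Return (permissions, components) for one manifest.

    permissions: set of <uses-permission android:name> values
    components:  set of "kind:class" for <service>, <receiver>, <provider>
    """
    root = ET.fromstring(xml_text)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    perms.discard(None)                      # malformed entry without a name
    comps = set()
    app = root.find("application")
    if app is not None:
        for kind in ("service", "receiver", "provider"):
            for el in app.iter(kind):
                comps.add(f"{kind}:{el.get(ANDROID_NS + 'name')}")
    return perms, comps


def diff_manifests(official_xml, candidate_xml):
    """Report what the candidate build declares beyond, or drops from, the official one."""
    off_perms, off_comps = manifest_profile(official_xml)
    cand_perms, cand_comps = manifest_profile(candidate_xml)
    added_perms = sorted(cand_perms - off_perms)
    return {
        "added_permissions": added_perms,
        "removed_permissions": sorted(off_perms - cand_perms),
        "added_components": sorted(cand_comps - off_comps),
        "removed_components": sorted(off_comps - cand_comps),
        # match on the short name so vendor-prefixed variants are caught too
        "high_risk": [p for p in added_perms
                      if p.rsplit(".", 1)[-1] in HIGH_RISK_PERMISSIONS],
    }


# Constructed samples standing in for apktool's decoded AndroidManifest.xml.
OFFICIAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Messenger">
    <service android:name="com.example.messenger.PushService"/>
  </application>
</manifest>"""

STORE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_SUPERUSER"/>
  <application android:label="Messenger">
    <service android:name="com.example.messenger.PushService"/>
    <service android:name="com.thirdparty.tracker.TelemetryWorker"/>
    <receiver android:name="com.thirdparty.tracker.BootReceiver"/>
  </application>
</manifest>"""


def demo():
    return diff_manifests(OFFICIAL_MANIFEST, STORE_MANIFEST)


if __name__ == "__main__":
    for key, values in demo().items():
        print(f"{key}: {values}")
```

To use it on real builds, run `apktool d app.apk -o out/` for each APK and pass the text of each `out/AndroidManifest.xml` to `diff_manifests`. The manifest diff is a fast triage heuristic, not proof of tampering: the authoritative supply-chain check is comparing the APK's signing certificate (`apksigner verify --print-certs app.apk`) against the publisher's known certificate, since a repackaged build cannot carry the original signature.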

Static + dynamic analysis of Signal's APK. The good news first: Signal is genuinely exceptional.

Rust core (libsignal_jni.so), post-quantum hybrid Double Ratchet (Kyber-1024 + X25519), Direct ByteBuffers with immediate zeroing after PIN/username hashing, Intel SGX attestation for SVR — MREnclave verification means even a compromised Signal server can't extract your PIN hash.

But two things stood out:

1. Firebase is always there. Google receives IP + notification timestamps regardless of message content. If you need metadata privacy, Signal still leaks presence data to Google's infrastructure.

2. Certificate revocation endpoints hit http://g.symcd.com in plaintext. An ISP or state-level observer can fingerprint Signal usage from DNS queries and HTTP traffic to those CAs — without touching message content.

Conclusion: strongest crypto engineering in consumer messaging. The attack surface isn't the cryptography. It's the operational dependencies.

Soon the full analysis

#infosec #AndroidSecurity #Signal #privacy #ReverseEngineering #postquantum #mobileforensics

"The Invisible Front" — my book on cyberwarfare as a geopolitical pillar is now on Amazon.

The core argument: a well-crafted malware can be more strategically dangerous than a missile. Not hyperbole — the doctrine, the attribution problems, and the asymmetry of cost all point the same direction.

The book covers:
→ Cyberwarfare as modern geopolitical instrument — not a side channel, a primary front
→ Why attribution is the hardest problem and why states exploit that gap deliberately
→ The asymmetry: a nation-state attack costs thousands, defending against it costs billions
→ How the invisible front interacts with kinetic warfare, sanctions, and information ops

Written for security professionals, policymakers, and anyone trying to understand why the next major conflict will be decided before a single tank moves.

→ https://www.amazon.com/dp/B0GHSFJTVY

#infosec #cyberwarfare #geopolitics #threatintel #nationstate #research #cybersecurity

The Invisible Front: Caria, Giovanni, Ballali, Francesca, El Adib, Bilal: 9798244745825: Amazon.com: Books

Released: "Mars Attacks, Venus Hacks" — a book about the people the cybersecurity industry keeps excluding and why that's a critical security failure.

The thesis: the dominant model of infosec is Mars — alpha males, certs, brute-force thinking. It's monoculture. Monoculture breaks.

The real defense is built by:
→ Women in threat intelligence — systemic thinkers who see the pattern before the attack
→ Seniors who remember the iron — you can't understand where the attacker is taking you if you don't know where we came from
→ Hustlers of deprivation — people who learned hacking from hunger, not a bootcamp. Creativity that no certification produces
→ Neurodivergent & fluid identities — sensory pattern recognition that standardized minds simply miss

Security isn't a product. It's not a wall of firewalls. It's an alchemy of diversity.

→ https://www.amazon.com/dp/B0GNGSWY7T

Mars Attacks, Venus Hacks: An Eulogy for the "Aliens" Saving Modern Cybersecurity: Caria, Giovanni: 9798248302840: Amazon.com: Books

Built a production SOC for my home/mobile infra. Sharing it.

#AEGIS is a unified threat intelligence platform running on a single Linux server:

→ DNS sinkhole (port 53, custom blocklists)
→ Suricata IDS in AF-packet passive mode + ClamAV on filestore
→ Zeek NSM (http, ssl, dns, conn, weird, notice)
→ ModSecurity WAF — OWASP CRS 4.22, full enforcement
→ Fail2Ban + auditd
→ Rust orchestrator aggregating all event sources into one REST/WS API

Auto-heal watchdog, anti-DDoS engine with dynamic iptables injection, real-time dashboard.

One thing I wanted to get right: the orchestrator never touches iptables with NFQUEUE — passive only. No inline mode that can brick SSH access.

https://aegis.centurialabs.pl

#infosec #SOC #homelab #Suricata #Zeek #Rust #threathunting
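Two of the posts above meet in one piece of defender tooling: the AEGIS orchestrator's job of folding several event sources into one stream, and the Signal finding that certificate revocation checks go out over plaintext HTTP, which a network monitor on your own side can see just as well as an ISP can. The script below is an added example and not AEGIS code or anything from the original analyses: it reads Suricata EVE JSON and a Zeek http.log, normalises both into one Event type on a common epoch timestamp, and tags any http.log row that looks like a cleartext OCSP or CRL fetch so the dashboard can show how much of the fleet's traffic exposes that. The log lines it carries are constructed, and the REVOCATION_HOSTS set is an assumption seeded with the g.symcd.com host named in the analysis.

```python
"""Aggregate two SOC event sources into one timeline.

Added example, not part of AEGIS or of the original posts: it shows the shape
of an orchestrator that reads Suricata EVE JSON and Zeek http.log and emits
one normalised Event stream, and it flags the kind of plaintext OCSP/CRL
fetch the Signal analysis observed. All sample log lines are constructed.
"""
import json
from dataclasses import dataclass
from datetime import datetime

# Hosts reached over cleartext HTTP for certificate revocation checks.
# g.symcd.com is the one named in the analysis; the set is otherwise an
# assumption for this example, extend it from your own http.log.
REVOCATION_HOSTS = {"g.symcd.com"}


@dataclass(frozen=True)
class Event:
    source: str     # "suricata" or "zeek"
    ts: float       # epoch seconds, so both sources sort on one axis
    src: str        # "ip:port"
    dst: str        # "ip:port"
    kind: str       # short classification used by the dashboard
    detail: str
    severity: int   # Suricata convention: 1 = high, 2 = medium, 3 = low


def parse_suricata_eve(lines):
    """Yield Events for EVE records of event_type 'alert'; other record types are skipped."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        # Suricata writes timestamps like 2024-05-01T10:00:05.000000+0000
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()
        alert = rec["alert"]
        yield Event("suricata", ts,
                    f'{rec["src_ip"]}:{rec["src_port"]}',
                    f'{rec["dest_ip"]}:{rec["dest_port"]}',
                    "ids_alert",
                    f'sid {alert["signature_id"]}: {alert["signature"]}',
                    int(alert.get("severity", 3)))


def is_plaintext_revocation_fetch(row):
    """True when an http.log row looks like an OCSP or CRL fetch over cleartext HTTP."""
    host = row.get("host", "-")
    uri = row.get("uri", "-").lower()
    mime = row.get("orig_mime_types", "-")
    return host in REVOCATION_HOSTS or uri.endswith(".crl") or "application/ocsp-request" in mime


def parse_zeek_http(lines):
    """Yield Events for Zeek http.log rows; column names come from the #fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("http.log data row before #fields header")
        row = dict(zip(fields, line.split("\t")))
        kind, sev = "http_request", 3
        if is_plaintext_revocation_fetch(row):
            kind, sev = "plaintext_revocation_fetch", 2
        yield Event("zeek", float(row["ts"]),
                    f'{row["id.orig_h"]}:{row["id.orig_p"]}',
                    f'{row["id.resp_h"]}:{row["id.resp_p"]}',
                    kind,
                    f'{row.get("method", "-")} http://{row.get("host", "-")}{row.get("uri", "-")}',
                    sev)


def aggregate(eve_lines, http_lines):
    """Merge both sources into one list ordered by time."""
    events = list(parse_suricata_eve(eve_lines)) + list(parse_zeek_http(http_lines))
    return sorted(events, key=lambda e: e.ts)


# Constructed sample input (not real captures); 1714557600 is 2024-05-01T10:00:00Z.
SAMPLE_EVE = [
    '{"timestamp":"2024-05-01T10:00:05.000000+0000","flow_id":1,"event_type":"alert",'
    '"src_ip":"10.0.0.7","src_port":51234,"dest_ip":"203.0.113.9","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,'
    '"signature":"EXAMPLE constructed test rule","category":"Example","severity":2}}',
    '{"timestamp":"2024-05-01T10:00:06.000000+0000","flow_id":2,"event_type":"flow",'
    '"src_ip":"10.0.0.7","src_port":443,"dest_ip":"198.51.100.2","dest_port":443,"proto":"TCP"}',
]
SAMPLE_HTTP = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\torig_mime_types",
    "1714557601.250000\tCabc1\t10.0.0.7\t51200\t192.0.2.10\t80\tGET\tg.symcd.com\t/MFEwTzBN\t-",
    "1714557603.500000\tCabc2\t10.0.0.7\t51201\t192.0.2.20\t80\tGET\texample.org\t/index.html\t-",
]


def demo():
    return aggregate(SAMPLE_EVE, SAMPLE_HTTP)


if __name__ == "__main__":
    for e in demo():
        print(f"{e.ts:.3f} {e.source:8} sev={e.severity} {e.kind:28} {e.src} -> {e.dst} {e.detail}")
```

Reading column names from Zeek's `#fields` header rather than hardcoding positions keeps the parser working when a deployment adds or drops fields; a real http.log carries many more columns than the sample, and the code only requires the handful it names. The `plaintext_revocation_fetch` tag is deliberately medium severity: it is not an attack, it is an inventory of which clients leak activity to an on-path observer, which is the measurement the Signal post argues matters.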

AEGIS SOC — Universal Threat Intelligence Platform

Production-grade SOC for any connected device — phones, tablets, Android Auto, CarPlay, IoT. DNS sinkholing, IDS, WAF, NSM — unified under one orchestrator.

Centuria Labs