Reporter covering security at Ars Technica. DM me on Signal: DanArs.82.
Site: https://arstechnica.com/author/dan-goodin/

I'm working to aggregate some common questions about #passkeys, both from non-technical and technical perspectives. These will be used in an end user facing site in the future.

Any and all feedback is welcome.

https://forms.gle/wmaydkzmUp2eKfJG7

(also would appreciate some reposts to widen the audience)

#passkey #webauthn #fido

Questions about passkeys

I'm working to aggregate some common questions about passkeys, both from non-technical and technical audiences/perspectives. These will be used on an end user facing resource in the future.

Google Docs

Can someone explain @filippo's post to me like I'm a 5-year-old?

https://words.filippo.io/128-bits/

Quantum Computers Are Not a Threat to 128-bit Symmetric Keys

There is no need to update symmetric key sizes as part of the post-quantum transition, due to the details of how Grover's algorithm scales. Most authorities agree.

“Transitioning the Internet to post-quantum, especially for digital signatures, is a massive undertaking. By setting a 2029 goal, they are giving themselves some slack. If they target 2035 and miss by 2 years, we are getting uncomfortably close to the danger zone.”

https://arstechnica.com/security/2026/04/while-some-big-tech-players-accelerate-pqc-readiness-others-stay-the-course/

Recent advances push Big Tech closer to the Q-Day danger zone

Here's which players are winning the race to transition to post-quantum crypto.

Ars Technica

I'm trying to understand a bit more about CVE-2026-33579, the critical vulnerability in OpenClaw. To exploit, an attacker needs low-level pairing privilege permissions. How does one acquire such privileges? Can anyone do it? I'm asking because I want to understand what's required for an attacker to exploit.

Feel free to ping me at DanArs.82, or drop an answer here.

A very nice explainer why "if you're so worried about quantum computers, why haven't they factored 21 yet?" isn't a very convincing argument. Look at the labels of the graph, and how extremely close the various lines are for factoring 21 and 2048 bit numbers. Polynomial scaling remains polynomial, unfortunately, and by the time you can factor 21 you're almost ready to break RSA.

https://bas.westerbaan.name/notes/2026/04/02/factoring.html

Factoring is not a good benchmark to track Q-day

Homepage of dr. Bas Westerbaan, principal research engineer at Cloudflare, working on making the Internet post-quantum secure

For my newsletter and blog ~ this week in security ~ I wrote about meaningful steps you can take to ensure your digital security and privacy while traveling through airports. In this post, you'll find resources to understand the risks you face, and what you can do to protect your data.

Please share! https://this.weekinsecurity.com/security-precautions-to-consider-while-traveling-through-airports/

You can also sign up for my free weekly newsletter (via email or RSS). Out Sundays! https://this.weekinsecurity.com

Security precautions to consider while traveling through airports

As border device searches rise, there are practical steps you can take to protect your devices and data from airport searches.

~this week in security~

Kaspersky has linked Coruna with Operation Triangulation. This comes a few weeks after we reported that L3Harris Trenchant was the company behind some components of Coruna.

And we also reported that it was possible Coruna was used in Operation Triangulation.

https://securelist.com/coruna-framework-updated-operation-triangulation-exploit/119228/

Coruna: the framework used in Operation Triangulation

Kaspersky GReAT experts look into the Coruna exploit kit targeting iPhones. We discovered that the kernel exploit for CVE-2023-32434 and CVE-2023-38606 is an updated version of the Operation Triangulation exploit.

Kaspersky

@dangoodin @cthos It’s a totally valid question. I remember back when the NSA made a big stink about deprecating SHA-1. Not that many years later, public research came out showing the weaknesses in SHA-1. Lots of people back then wondered what the NSA’s internal research came up with that prompted the rapid deprecation.

Google is dramatically shortening its deadline readiness for the arrival of Q Day, the point at which existing quantum computers can break public-key cryptography algorithms that secure decades’ worth of secrets belonging to militaries, banks, governments, and nearly every individual on earth.

https://arstechnica.com/security/2026/03/google-bumps-up-q-day-estimate-to-2029-far-sooner-than-previously-thought/

Google bumps up Q Day deadline to 2029, far sooner than previously thought

Company warns entire industry to move off RSA and EC more quickly.

Ars Technica

I was lucky enough to cover Cindy Cohn's trailblazing work BEFORE she joined @eff. Here's one of several stories I wrote about her when she was still an associate attorney in private practice.