A Gray Jedi Capybara / weirdo geek into socio-technical systems resilience. Part-time #coffee and #Arduino nerd. If you “move fast and break things”, I’m the one who makes you clean up. #devsecops and #securityResearch focused on #appsec and #productSecurity.
Do not bother to follow me if you have anything against LGBTQIA+ folks, I have no patience left
- Security Research Advocate for Checkmarx;
- Managing Principal Consultant for Substance 36 LLC;
Opinions here are mine alone, not necessarily shared by organizations I work with or for
#embedded #espresso #biking #electronics
| blog | https://darrenpmeyer.com/ |
| photos | https://pxlmo.com/darrenpmeyer |
GitHub is at least partly fixing the `pull_request_target` weaknesses, and that's a very good thing. More: https://medium.com/@cx0-darren/github-actions-vs-supply-chain-attacks-using-pull-request-target-6b1569edf503
(And yeah, it's Medium. Seems like the least bad option for low-friction blogging; open to suggestions for alternatives though...)
I don’t understand the argument that “there is no AI bubble because chip prices and demand keep going up”. Like… that’s what a bubble IS: asset prices keep going up without real sustainable demand justifying it.
The demand for the chips is fueled by *speculative* investment in them. The buyers are betting that AI will become profitable enough, soon enough, that investing in that capacity early will make a material difference. But as far as I can tell, that bet isn’t based on anything more concrete than a mix of vibes, hopes, and dreams.
There is, however, a lot for society to gain from the people who want subjugation and slavery and murder knowing that they will be pariahs if they let those thoughts out of their mouth. There’s a lot to gain from everyone around them seeing them greeted with revulsion and shunned.
That, too, is part of free speech. It is the •foundation• of free speech.
This is insane! A few researchers from UCSD and UMCP scanned bunch of satellite links, found much of the traffic is not encrypted, and went on to decode them. It's amazing what came out.
- T-Mobile backhaul: Users' SMS, voice call contents and internet traffic content in plain text.
- AT&T Mexico cellular backhaul: Raw user internet traffic
- TelMex VOIP on satellite backhaul: Plaintext voice calls
- U.S. military: SIP traffic exposing ship names
- Mexico government and military: Unencrypted intra-government traffic
- Walmart Mexico: Unencrypted corporate emails, plaintext credentials to inventory management systems, inventory records transferred and updated using FTP
While it is important to work on futuristic threats such as Quantum cryptanalysis, backdoors in standardized cryptographic protocols, etc. - the unfortunate reality is that the vast majority of real-world attacks happen because basic protection is not enabled. Lets not take our eyes off the basics.
Great work, Wenyi Zhang, Annie Dai, Keegan Ryan, Dave Levin, Nadia Heninger and Aaron Schulman!
https://satcom.sysnet.ucsd.edu/docs/dontlookup_ccs25_fullpaper.pdf
Good thing there's a weekend coming up - the #defcon Youtube channel has dropped a few hundred #defcon33 videos for your leisurely perusal. Clear your schedule and let the #dc33 Main Stage and Creator Stage Talks wash over your thirsty brain.
https://www.youtube.com/playlist?list=PL9fPq3eQfaaBB9HANwjaTlKFuVhRxkdz2
Even more #dc33 village and music goodness on the way.
As always, enjoy and #passiton.
Is everyone aware of securing the cyber this month? Surely you’re taking advantage of all the free webinars that will show up in your inbox over the next few weeks, right?
This is definitely a great use of everyone’s time
With the help of the local community, I’ll be coordinating a DCG312 meeting on Tuesday 9/2. This is the first meeting in a while so we’ll mostly be getting organized, and doing some impromptu talks/demos.
Details at the link below:
https://dcgchicago.org/dcg312/meetings/2025/08/19/sept-2025-meeting.html
Hey everyone! We have a date and time for our first meeting post DEF CON 33. We’ll be at the Sulzer Regional Library on 9/2/25 from 6-7:30pm. If you’d like to give a talk, present some research, or just show off a cool project be sure to post in speakers so we can coordinate on the agenda.
Willa 
Paul Cantrell
Vinoth (Mobile security)
DEF CON