Mathias Payer

Securitatis inquisitor and professor at EPFL leading the HexHive 🐝 group, focusing on system/software security (he/him).
Homepage: https://nebelwelt.net
Group: https://hexhive.epfl.ch
The EDIC Open House 2026 brought together admitted PhD students, IC faculty and researchers for a day of connection and discovery. 👩‍🔬
 
The program featured lightning talks, poster sessions, one-on-one meetings, and lab visits, offering a glimpse into the vibrant research environment at EPFL.

Nextcloud put to the test: It is BETTER than Teams | c't 3003

With Nextcloud, there is a German alternative to Dropbox, Teams, Slack and all the other US providers. c't 3003 self-hosted it and tried it out.

https://www.heise.de/news/Nextcloud-im-Praxistest-Es-ist-BESSER-als-Teams-c-t-3003-11201042.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

#ct #Entertainment #IT #news

While I'm a big fan of second factor authentication for high risk environments, it also comes at a cost due to additional friction.

Can someone explain to me why the EU for the Horizon portal had to create a new dedicated 2FA app that maximises friction? I log into this portal once every 1.5 years. This means I'll likely have to go through the 2FA recovery process every single time.

What's the state of digital sovereignty for our academic landscape?

Inspired by a similar post looking at digital sovereignty of municipalities, I explored what messaging infrastructure universities rely on. Sadly, many have switched to hyperscalers but few large universities keep running their own email infrastructure. Germany, Austria, France do not look too bad and lead by example.

[Note that the assessment is based on a simple MX records comparison against a list of known scalers; I don't yet check SPF records or guesstimate the SMTP software/version, this may be done in a future version.]

Check out the interactive map: https://nebelwelt.net/gannimo/unimx/

🎉 I'm excited to share that I've been appointed to Full Professor, effective today: https://ethrat.ch/en/appointments-march-26/

Looking back, this milestone would not have been possible without the incredible group of students, collaborators, and colleagues I had the pleasure of working with over the past 20 years of research. I'm also grateful for all the collaborators, letter writers, mentors, supporters, and whoever helped and supported us on the way.

The HexHive group has grown into a vibrant group focusing on software and systems security 🔐. Together we have secured over CHF 12M in funding 💰 for the group (including the prestigious ERC Starting Grant and ERC Advanced Grant), published close to 200 papers 📄, with 26 papers at USENIX Security, 13 at Oakland, 12 at NDSS, and 11 at CCS.

But the achievements I value most are not the distinguished paper awards, open source prototypes, or grants. I'm most proud of the people who spent time in my lab. Out of those, I especially cherish the 16 PhD students who have graduated and are now carrying forward the spirit of the HexHive lab: inclusive, collaborative research in software and system security, working together on security challenges that matter.

19 new professors appointed at ETH Zurich and EPFL - ETH-Rat

The ETH Board appointed a total of seven women and twelve men as professors. It also took note of the resignations of four professors and thanked them for their services.

ETH-Rat

It was my honor to give a keynote at the FUZZING workshop at #NDSSSymposium today. Under the title From "What The Fuzz?" to "All The Fuzz!", I discussed how fuzzing evolved over time from its origins as random mutation testing over the greybox revolution to fuzzing niches. The key takeaways are that fuzzing matured as a field, coverage-guided feedback was key to its success, and the future is customizing fuzzing to niches where the next breakthroughs will be contextual and semantic.

The slides are available at https://nebelwelt.net/files/26FUZZING-presentation.pdf

Happy to hear any feedback!

It was a pleasure to present Sysyphuzz at #NDSSSymposium this year. Our key intuition is that focusing on under-fuzzed areas allows us to discover new bugs even in extensively fuzzed code. We applied this intuition to the Linux kernel by boosting basic blocks that were rarely hit even after years of fuzzing.

The blog post is at: https://nebelwelt.net/blog/2026/0226-sysyphuzz.html

i built an entire x86 CPU emulator in CSS (no javascript)

you can write programs in C, compile them to x86 machine code with GCC, and run them inside CSS

https://lyra.horse/x86css/

On my way ✈️ to San Diego for @ndsssymposium to catch up on the latest security trends. I'm excited to present our paper Sysyphuzz on focusing energy on underexplored areas in the kernel and to give a keynote at the fuzzing workshop on Friday. Let me know if you're around for a chat or, ideally, for a morning run! 🌅🏄🏃

Google took our research paper "DUMPLING: Fine-grained Differential JavaScript Engine Fuzzing" and upstreamed the code to both v8 and Fuzzilli, where it will be maintained and actively run on more cores than we could ever rent.