Max Maass 

475 Followers
134 Following
1.6K Posts

Sr. Security Specialist at iteratec // @seemoo alumni // Member of CCC // Crypto means cryptography.

tfr.

Blog: https://blog.maass.xyz
GitHub: https://github.com/malexmave
Pixelfed: https://pixel.infosec.exchange/@hacksilon
Pronouns: he/him

RE: https://ohai.social/@dcoderlt/116435674001182181

Can someone explain to me what exactly the security issue is here? The way I understand it:
- The Claude app pre-installs a permission that, if you later install the browser plugin, allows the browser plugin to communicate with the App.
- If you don't have the plugin installed, the permission / bridge does nothing.
- If it didn't do this, and you installed the browser plugin, you would have to give this permission manually for the browser plugin to work (and thus the end result would be the same).

Is this understanding correct? What's the threat model here? Anyone who legitimately installed the browser plugin would also give this permission (and is thus just as vulnerable as if Anthropic had not pre-provisioned something). So - is the threat that someone tricks the browser into installing the browser plugin?

I don't want to defend pre-installing the permission, it's not cool to do that and a violation of consent. But I really don't understand what the real-world security impact is - in which situation are you now more vulnerable than you would realistically be if you either never install the extension or legitimately and knowingly installed the extension and manually gave this consent? But that may be because I don't know enough about how this browser plugin permission stuff works, so, legitimately curious about the background here.

Ok, I definitely won't go on with my computer kit today.

RE: https://tldr.nettime.org/@tante/116435835882195004

Can we instead stop ceding all the words that are useful descriptors to the right just because they start using them?

I also have this issue with libertarianism, which should describe a useful political position about liberty from government abuses independently from your views on economic policies, but now just makes you sound like a gun-toting nut. This makes it harder to defend against the narrative that everyone on the left is rooting for some authoritarian communist society.

The same goes for many internet memes and sayings that were once universally used, e.g. Pepe the Frog. It is no wonder members of younger generations keep falling to the alt-right, when the right is co-opting all the things they enjoy, and everyone else not only lets them, but actively works to make those popular things be seen as hateful. In this example, the popular idea that Pepe the Frog is a hate symbol stems almost entirely from some uninformed, reactionary article the Clinton campaign posted to try and smear Trump, then got the media to repeat forever.

There are no technical or compliance reasons to double the size of symmetric keys in response to the threat of quantum computers.

This common misunderstanding of Grover's algorithm risks wasting limited resources that should go towards deploying actually urgent post-quantum algorithms.

https://words.filippo.io/128-bits/?source=Mastodon

Quantum Computers Are Not a Threat to 128-bit Symmetric Keys

There is no need to update symmetric key sizes as part of the post-quantum transition, due to the details of how Grover's algorithm scales. Most authorities agree.

We Need to Talk About the IPv8 Draft

The Good, The Bad, and the Heinous

wolfy

Average number of hours between #curl security reports

Material for a pending presentation

Capturing the Details of the Moon and the Beauty of Earth

Another magical photograph by the Artemis II mission, just released by NASA Johnson...

https://flic.kr/p/2s7AMTQ

#Moon #Earth #Artemis #Artemis2 #Orion #Integrity #OrionIntegrity #spacecraft #NASA #space #news #astrodon #lunar #flyby #lunarflyby #photography #Nikon #NikonD5 #camera #flickr

Anyone who maintains an #opensource project that accepts vulnerability reports, I highly recommend reading “Brocards for vulnerability triaging” by my friend @yossarian:

#security #oss #vulnerability #supplychain

https://blog.yossarian.net/2026/04/11/Brocards-for-vulnerability-triage

Brocards for vulnerability triage

I made a shiny website for my app! #homeassistant

https://busylight.app/

(I know, I know, boring Bootstrap, but it looks nice enough and I was doing it while I got my hair bleached and colored, so I only had a couple of hours)

Busy Light for macOS

Control Home Assistant scenes from your Mac's menu bar. Free and open source.

RE: https://fosstodon.org/@balloob/116398481380578311

Great stuff! Maybe soon I can use Firefox instead of Chrome to flash #ESPHome firmwares.

(@jensimmons Is Apple’s position on this one still negative?)