Mark Eldridge

Google has devised a means for securing HTTPS certificates against quantum computing attacks without massive performance hits stemming from the considerably longer size of data required to be included.

Is anyone following this work?

https://security.googleblog.com/2026/02/cultivating-robust-and-efficient.html

Cultivating a robust and efficient quantum-safe HTTPS

Posted by Chrome Secure Web and Networking Team. Today we're announcing a new program in Chrome to make HTTPS certificates secure against ...

Google Online Security Blog

Recent discussion about the perils of doors in gamedev reminded me of a bug caused by a door in a game you may have heard of called "Half Life 2". Are you sitting comfortably? Then I shall begin.

My story from Monday is here:

https://arstechnica.com/security/2025/07/no-phishers-are-not-bypassing-fido-mfa-at-least-not-yet-heres-why/

In short, the attack as originally described simply would not work against a FIDO2-compliant authentication system. Whatever system the researchers analyzed used a non-FIDO2 fallback in the event the user was unable to provide FIDO2-MFA. Calling this a bypass is like saying a door lock is insecure because an intruder could enter through a window. Lots of publications continue even now to say this was a bypass. It wasn't.

Phishers have found a way to downgrade—not bypass—FIDO MFA

Contrary to recent reports, phishing sleight-of-hand doesn’t defeat FIDO.

Ars Technica

I thought I understood the extent to which the broad availability of mobile location data has exacerbated countless privacy and security challenges. That is, until I was invited along with four other publications to be a virtual observer in a 2-week test run of Babel Street, a service that lets users draw a digital polygon around nearly any location on a map of the world, and view a time-lapse history of the mobile devices seen coming in and out of the area.

The issue isn't that there's some dodgy company offering this as a poorly-vetted service: It's that *anyone* willing to spend a little money can now build this capability themselves.

I'll be updating this story with links to reporting from other publications also invited, including 404 Media, Haaretz, NOTUS, and The New York Times. All of these stories will make clear that mobile location data is set to massively complicate several hot-button issues, from the tracking of suspected illegal immigrants or women seeking abortions, to harassing public servants who are already in the crosshairs over baseless conspiracy theories and increasingly hostile political rhetoric against government employees.

https://krebsonsecurity.com/2024/10/the-global-surveillance-free-for-all-in-mobile-ad-data/

The Global Surveillance Free-for-All in Mobile Ad Data – Krebs on Security

How Plankton Helped Destroy WW2 Submarines | Mysteries Of The Deep

YouTube

@merill related, is there any way in Entra to identify whether a passkey/FIDO2 authenticator is hardware bound (like a YubiKey or TPM), or software bound like Google Authenticator/iCloud/1Password?

I thought no, but maybe there’s something new in the WebAuthn standard?

@merill while I’m a huge fan of the usability benefit, and this is unquestionably a good thing for regular users…

…it does bother me that we are slinging key material around which was supposed to be hardware-bound.

even before you open up the book labelled "the guy has really skeevy opinions and doesn't know how to keep his mouth shut"

or the large overflowing binder of "people who have left free software because of his behaviour"

there's a quick summary note that says "other free software organizations have broken ties with the fsf because of him"

for someone who kicked up a fuss over sudo it is kinda tragic they're clawing onto power over others despite the consequences

"what's his job" promoting free software and providing a real alternative to proprietary systems

"how's that working out" gcc kept getting forked to stop him sabotaging the project, eventually forcing clang to exist.

"oh" immediately after he stepped down, emacs replaced the default config with something useful over his crufty defaults

"i guess" other people have successfully written microkernels several times over, their secret was not reporting to rms. he is the reason hurd does not work

to be clear, stallman has repeatedly shown that he's not a capable steward of software projects (everything that happened to hurd and gcc), and even less capable as a leader of an organization

even before you get into his toenail eating: he is very bad at his job

if free software is to mean more than a cult of personality, he should be replaced at the fsf, no question

i do not think he is capable or responsible enough to perform the job he gave himself