
adafruit (@[email protected])
NYC Mayoral Inauguration bans Raspberry Pi and Flipper Zero alongside explosives - https://adafruit.com/pi-ban
| CS Dept Profile | https://cpsc.yale.edu/people/tyler-schroder |
| Personal Blog | https://www.rts2.us/about/ |
| Pronouns | He/Him |

remember how i said you should turn your radios off when you go out because of privacy reasons, and people complained about losing some slight convenience?
your threat model just changed
The "Bluetooth Headphone Jacking" talk at #39c3 was awesome, too. They reversed a popular SOC that powers Bluetooth earbuds and headphones. They found that (even without being paired to the headphone), they could dump flash and RAM from the device. Then they dumped a bunch of info from the device - e.g. the #Bluetooth address and "master" encryption keys used for the communication with paired devices (e.g. a #phone). Then they impersonated the headphone from their laptop and connected to the phone (pretending to be the headphone). The headphone (or the laptop impersonating the phone) has permissions to do some things on the phone, e.g. accept calls, increase/decrease volume, etc. Then they started recovering access to a #WhatsApp account via some account recovery mechanisms. That required some one-time security key which would normally be delivered via SMS, but that could be delivered via phone call as a fallback option, too. Since the phone thought it was connected to the Bluetooth headphone, phone call audio would go to the laptop via Bluetooth. As the cherry on top, they escalated into the victim's #Amazon account. Scary shit. #YouCannotBeParanoidEnough #security
🚨 THE BATTLE BEGINS 🚨
Your favorite year-end contest is back. It’s time to choose who will be this year’s Worst Person In Tech for 2025!
Each day of this week new matchups will drop until we choose the winner on Friday.
🗳️ Cast your ballot: https://twsu.forms.app/worst-person-tech-2025-round-one
New research drop on my blog today.
I’ve been looking at how Microsoft Edge Drop stores and syncs data and found that messages and notes sent through it sit locally in plaintext and quietly replicate across every device signed into that Edge profile.
🚫No encryption at rest and almost no visibility for enterprise tools.🚫
MSRC reviewed the write up and classified it as non security impacting but the architectural implications for organisations using Edge with Entra ID and Conditional Access are worth understanding.
If you work in enterprise security or identity driven access control this one is relevant.
Silent Drip is live here:
https://cirriustech.co.uk/blog/silent-drip/
#MicrosoftEdge #SilentDrip #SilentDataLeak #SecurityResearch
Over the last year I've been sharing a framework and mindset for how to perform an investigation as an analyst during Incident Response.
I hope this serves as a great introduction to ADAPT, more to come!
"The top-line takeaway is chilling: sites that are explicitly designed as SPAs, and which have intentionally opted in to metrics measurement around soft-navigations are seeing one (1) soft-navigation for every full page load on average."
Amazing research and analysis as always from @slightlyoff https://infrequently.org/2025/11/performance-inequality-gap-2026/

Embedded in this year's network and device estimates is hopeful news about the trajectory of devices and networks. It has never been easier to deliver pages quickly, but we are not collectively hitting the mark. Indeed, the latest CrUX data shows not even half of origins have passing Core Web Vitals scores for mobile users. Browsers will need to provide stronger incentives. This will be unpopular, but it is clearly necessary.
I wrote up my thoughts on what orgs can learn from the Capita ICO fine for their ransomware incident: