Andrew 🌻 Brandt

3.3K Followers
788 Following
5.6K Posts

Words published here do not necessarily reflect views of my employer or any other organization I am affiliated with.

Research and analysis about malware, network forensics, and the intersection of crime with anything that electrons or photons flow through.

Board member of World Cyber Health, the parent organization behind Malware Village and the NO-HAVOC project.

Docent of obsolete technology at @mediaarchaeologylab

Executive director, Elect More Hackers: electmorehackers.com

"By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges." -- Cory Doctorow

Backup tooter: @threatresearch.bsky.social
Threat level: mostly harmless
Watching the premiere episode of @huntress' new webcast, _declassified, and John Hammond is talking to master scam-baiter Jim Browning about a hidden-camera video he's showing of a job interview of a prospective scam call center worker. The interviewer and interviewee use a kind of coded language to talk about the interviewee's experience in phone-based scams. Truly remarkable insider video I've never seen before. #scam #spam #cybercrime

The latest episode of "Where Warlocks Stay Up Late" dropped yesterday. Featuring yours truly. The interview goes pretty deep, from growing up in Maine, working at Lotus, stories about L0pht you may not have heard before, to getting fired from @stake. Probably the most personal interview I have ever given.

https://www.youtube.com/watch?v=j6jhAugNqvE

#l0pht #spacerogue #warlocks

holy fucking shit so this is the worst "ai psychosis" story I have read in a while but also is it "ai psychosis" as much as it is "an AI is literally feeding you that you're in the middle of a piece of conspiracy fiction"? https://bsky.app/profile/ckunzelman.bsky.social/post/3mgazir4wu22x

https://techcrunch.com/2026/03/04/father-sues-google-claiming-gemini-chatbot-drove-son-into-fatal-delusion/

cmrn knzlmn (@ckunzelman.bsky.social)

This is bad, and part of what makes it so bad is that this is clearly pulling from *genre* understandings of reality, which the statistical linguistic machine seemingly cannot distinguish from other text included in the training data. Truly an ideology machine where every episode of CSI is true.

Bluesky Social

When your company suffers a security breach, the instinct is to say as little as possible. Your legal team wants to limit liability. Your communications team wants to control the narrative. The result is vague, unhelpful disclosures that end up doing exactly the opposite of what they're intended to do.

In a new article published this week on Law.com, EPSD Advisory Board member Melanie Ensign, privacy attorney Michelle Finneran Dennedy and I make the case that vague breach communications don't protect you. They alienate your customers, freeze your pipeline, hand narrative control to third parties, and leave you facing litigation with an already hostile audience.

The lawsuits are coming regardless. What you control is whether you face them with customer trust intact or in tatters.

Read the full article ($): https://www.law.com/corpcounsel/2026/03/01/beyond-liability-how-vague-breach-communications-harm-your-business-and-legal-position/

Beyond Liability: How Vague Breach Communications Harm Your Business (And Legal Position)

The lawsuits are coming regardless. Vague communications ensure you’ll face them with an alienated customer base and evidence that they prioritize legal cover over helping victims protect themselves. That’s a costly combination for any brand.

Corporate Counsel

RE: https://infosec.exchange/@patrickcmiller/116162934900485808

#Colorado is running a bill this session, titled SB26-051 (leg.colorado.gov/bills/SB26-051), which will require "general computing platforms" (laptops and phones) to build a form of locally-stored age attestation into the onboarding process for a new user on the device. The data about the user would then be categorized into one of three age brackets, stored locally, and then passed to various apps/platforms/social media at registration time.

In the bill's committee hearing last week, I and several other people told the bill sponsors that we understand the problem you're trying to solve, but that this is a terrible way to solve it. Many speakers offered to help advise the bill authors on implementing a less fragile, more secure, less susceptible system, but they wouldn't budge. Not a single committee member voted no on a motion to advance the bill to the "committee of the whole" - i.e., the full legislature for a final vote.

The only hope now is for people to reach out to legislators to ask them to vote no on the final bill draft. Otherwise, we're going to get stuck with a really dumb bill that gets signed into law on a "but...think of the children!" appeal, with no hope of being implemented properly.

It's notable that this Apple system would not satisfy the requirements the bill sets up.

#COpolitics #ElectMoreHackers #ageAttestation #childsafety #onlinesafety

Instagram head is on Bloomberg talking about how "the lines will be entirely blurred" between AI and non-AI content.

So now you know how they're going to try and push it - pretending to throw up their hands at content marking, while shoving AI into every content pipe possible.

🚨 This is what we call a "Wyden siren." For those who don't know, Ron Wyden (D-OR) is one of the longest serving members of the Senate Intelligence Committee. https://www.wyden.senate.gov/imo/media/doc/wyden_letter_to_d-ciapdf.pdf

A new Android malware campaign is using the Hugging Face platform as a repository for thousands of variations of an APK payload that collects credentials for popular financial and payment services.

https://www.bleepingcomputer.com/news/security/hugging-face-abused-to-spread-thousands-of-android-malware-variants/

Hugging Face abused to spread thousands of Android malware variants


BleepingComputer

An AI Toy Exposed 50,000 Logs of Its Chats With Kids to Anyone With a Gmail Account

AI chat toy company Bondu left its web console almost entirely unprotected. Researchers who accessed it found nearly all the conversations children had with the company’s stuffed animals.

WIRED