Dino A. Dai Zovi
@ddz.bsky.social
1.9K followers 110 following 130 posts
I drink amari and I know things. $ddz LMDDGTFY: https://duckduckgo.com/?q=dino+dai+zovi NYC/BK
Reposted by Dino A. Dai Zovi
kendraserra.bsky.social
New users, on Signal, you can mute chats for a period or permanently. No notifications but you can still see if there are unread messages.

On desktop: in that chat, go to Group Settings, then Notifications. On iPhone: in that chat, click on the name at the top, then go to Sounds & Notifications.
ddz.bsky.social
"Life Safety building automation is pretty awesome. 👏"
thedarktangent.defcon.social.ap.brid.gy
I’m at a #starbucks in a mall, and they accidentally burned my chocolate chip cookie; opening the toaster sent smoke everywhere.

The building smoke detectors trigger which kicks on the air handlers to go to maximum to clear any smoke, which also triggers curtains to drop from key ceiling […]
Reposted by Dino A. Dai Zovi
offensivecon.bsky.social
Our second keynote for Offensivecon 2025 will be Dino Dai Zovi! @ddz.bsky.social
ddz.bsky.social
I'll be doing a speaking!
Reposted by Dino A. Dai Zovi
4dgifts.bsky.social
Saw this on the other site but I should comment here:
Can't remember his hacker handle but I think Pad & Gandalf of 8lgm were arrested the same day in 1991.
You may not know it but the entire infosec & software industries owe 8lgm immense gratitude for making vendors accountable for their vulns
ddz.bsky.social
Exactly this. We should instead be investing that energy into making authentication in our environment unphishable by making it impossible to give away access to an attacker, even if someone actually wanted to.
risu.bsky.social
I have never once run a phishing sim. I refuse to use the word. I put it in air quotes and say scam by text or email etc
Tech and cyber has been about deflecting blame to anyone else but themselves, which is what sims are: blaming people when the system they use should protect against issues.
Reposted by Dino A. Dai Zovi
lorenzofb.bsky.social
NEW: WhatsApp says it has notified 90 victims, including journalists and members of civil society, that they were targeted with spyware made by Paragon.

This is the first time that Paragon is linked to alleged abuse of its products.

techcrunch.com/2025/01/31/w...
WhatsApp says it disrupted a hacking campaign targeting journalists with spyware | TechCrunch
The Meta-owned company said the campaign was linked to Israeli spyware maker Paragon.
Reposted by Dino A. Dai Zovi
evacide.bsky.social
Meta says almost 100 journalists and activists were targeted with spyware from Israeli company Paragon Solutions using a zero-click vuln in WhatsApp. If you use an iPhone, enabling Lockdown Mode prevents this from working. www.theguardian.com/technology/2...
WhatsApp says journalists and civil society members were targets of Israeli spyware
Messaging app said it had ‘high confidence’ some users were targeted and ‘possibly compromised’ by Paragon Solutions spyware
ddz.bsky.social
I'm really liking the crisp definitions of and boundaries between product engineering, domain engineering, and infra engineering in this.

How much of your security org builds "what any company would need" (infra) vs. "what is unique to this company but shared across the company" (domain) ?
ddz.bsky.social
There are different privacy concerns and approaches for the training phase of AI as well as for the inference phase of using it. It's a good time to be thinking about what the right approaches are for each.
ddz.bsky.social
+1, security product vendors, services companies, *and* internal teams must always operate under the Hippocratic Oath, "First, do no harm."
ddz.bsky.social
We blogged again! This time about our Data Safety Levels framework, which was inspired by the CDC/WHO Biosafety Levels system and Laboratory Biosafety Manuals. Like biological agents, we also don't want sensitive data to be exposed to humans or escape.

code.cash.app/dsl-framework
Data Safety Levels Framework: The foundation of how we look at data in Block
Block uses the Data Safety Levels (DSL) Framework to evaluate data sensitivity.
ddz.bsky.social
This is the way ;)
ddz.bsky.social
PRF in WebAuthN is going to enable epic things
ddz.bsky.social
Fraud is such a broad thing, hard to answer. But I think better forms of digital and cryptographic proofs of selective identity information would help. For example, cryptographic proof of personhood, while still remaining anonymous, would help reduce the amount of bots and such on social media.
ddz.bsky.social
It is true that it is not cool, but the shift to EMV also happened in the US with cardholders not being liable for fraudulent charges by law. I'm not sure what the laws were in AU, but I wonder if that was only the situation in the EU/UK?
ddz.bsky.social
Any plans on supporting Confidential VMs (e.g. AWS Nitro Enclave, AMD SEV-SNP, Intel TDX) w/ TamaGo unikernels?
ddz.bsky.social
The way that I think about it is that the systems that I think about the security of have grown larger and more complex. Being Security DRI for Square's EMV launch in 2014 was really educational. True to my roots, I found EMV smartcard parsing mem corruption bugs in our firmware before it shipped :)