Ruslan Kiyanchuk
@rkiyanchuk.bsky.social
Cryptography & Software Engineer.
Making my best effort to locally decrease entropy.
#StandWithUkraine 🇺🇦
Finally found an app switcher for macOS that does everything I want it to: the open source AltTab
alt-tab-macos.netlify.app
AltTab - Windows alt-tab on macOS
November 27, 2025 at 1:13 AM
My #Leatherman Style PS just broke, and it has also been discontinued recently. The scissors spring failure was a known issue with Style PS and probably the main reason for its discontinuation.
Such a shame — this was the only lightweight multitool allowed to take on a plane.
#RIP
October 29, 2025 at 8:59 PM
Reposted by Ruslan Kiyanchuk
"Living through the rise of a dictatorship just means inhabiting a space that is gradually shrinking. There’s no point in resisting, not at first. You just make do with whatever breathing room you still have—until you lose that too."
Read Gisela Salim-Peyer:
www.theatlantic.com/ideas/archiv...
Authoritarianism Feels Surprisingly Normal—Until It Doesn’t
Life in Venezuela was deceptively mundane. Then everything collapsed.
www.theatlantic.com
September 27, 2025 at 2:13 PM
I find it absurd and hypocritical that OpenSSL still refuses to provide authenticated encryption modes due to nonce reuse threat, but feels fine exposing ECB mode.
September 22, 2025 at 5:14 AM
Year 2025, #Apple rolls out a revolutionary UI overhaul – Liquid Glass. Meanwhile, multiple menubar items still get hidden by the notch with no way to access them besides third-party software (like Bartender) 👍
September 15, 2025 at 10:50 PM
Anyone want a book about elliptic curves in audio format? I'm sure it's going to be a breather 😅
August 28, 2025 at 3:39 PM
"Why the new Google Play rules will not stop Russian military apps"
@arunninghacker.bsky.social

styran.com/why-new-goog...
Why the new Google Play rules will not stop Russian military apps | Хакер, що біжить
styran.com
August 27, 2025 at 1:29 PM
Time to update your #iOS devices:

> Impact: Processing a malicious image file may result in memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.

support.apple.com/en-us/124925
About the security content of iOS 18.6.2 and iPadOS 18.6.2 - Apple Support
This document describes the security content of iOS 18.6.2 and iPadOS 18.6.2.
support.apple.com
August 21, 2025 at 12:16 PM
Diffie-Hellman now has to take his stupid little brother MLKEM768 everywhere with him
#cryptographic_jokes
August 21, 2025 at 10:41 AM
A good demonstration of how the lack of a defense-in-depth approach and multiple isolation levels can lead to catastrophic compromise after just one omission to explicitly sandbox a tool:

research.kudelskisecurity.com/2025/08/19/h...
How We Exploited CodeRabbit: From a Simple PR to RCE and Write Access on 1M Repositories
In this blog post, we explain how we got remote code execution (RCE) on CodeRabbit’s production servers, leaked their API tokens and secrets, how we could have accessed their PostgreSQL datab…
research.kudelskisecurity.com
August 20, 2025 at 11:22 AM
IETF Draft: Post-Quantum Cryptography in OpenPGP
datatracker.ietf.org/doc/draft-ie...
August 15, 2025 at 10:33 AM
A quite trivial prompt injection in GitHub Copilot for VS Code leads to remote code execution: a malicious prompt in a file enables YOLO mode in the VS Code settings file, which then allows executing any command.

embracethered.com/blog/posts/2...
GitHub Copilot: Remote Code Execution via Prompt Injection (CVE-2025-53773) · Embrace The Red
An attacker can put GitHub Copilot into YOLO mode by modifying the project's settings.json file on the fly, and then executing commands, all without user approval
embracethered.com
August 14, 2025 at 1:26 PM
How many employees enjoy this lifestyle versus dependent on status in the country or even money?

Staggeringly swiftly Silicon Valley entrepreneurs moved from cheesy slogans about improving the world to blatant exploitation. All thanks to lack of regulations.

www.sfgate.com/tech/article...
SF tech CEO offers buyouts to let workers flee 'extreme' work culture
"Many of us literally live where we work," the CEO said.
www.sfgate.com
August 7, 2025 at 7:01 AM
Had just noticed that Yubikey Manager is no more :(
August 1, 2025 at 9:47 PM
Apple:
Overhauls the system UI with a refined "Liquid Glass" effect, subtly diffusing background colors and light through translucent window elements for elegant transparency.

My background:
August 1, 2025 at 7:50 AM
A study on effectiveness of programming with AI assistants showed 19% productivity *decrease*. Ironically, participants perceived a 20% productivity *increase*.
secondthoughts.ai/p/ai-coding-...
Not So Fast: AI Coding Tools Can Actually Reduce Productivity
Study Shows That Even Experienced Developers Dramatically Overestimate Gains
secondthoughts.ai
July 22, 2025 at 2:00 PM
I had just realized that @tailscale.com now also has an #AppleTV app, which you can make an exit point.

This makes it the easiest way to set up a free VPN, which you can access any time from any of your devices. No config required, just a few taps in the app.
June 24, 2025 at 1:11 PM
Turns out a malicious repository can trigger arbitrary code execution on *any* `cargo` command:
shnatsel.medium.com/do-not-run-a...
Do not run any Cargo commands on untrusted projects
TL;DR: Treat anything starting with cargo as if it is cargo run.
shnatsel.medium.com
June 22, 2025 at 9:53 PM
iPhone Mirroring is probably the most raw, underdeveloped and unpolished feature Apple has unveiled in a long time. Regular connection errors and constant lags make it essentially unusable.
May 27, 2025 at 10:13 AM
Researchers at Stanford developed Cybench: A Framework for Evaluating Cybersecurity Capabilities and Risks of Language Models.
crfm.stanford.edu/2024/08/19/c...

The work has also been presented at this year's Stanford Computer Forum: forum.stanford.edu/events/2025-...
Stanford CRFM
crfm.stanford.edu
May 18, 2025 at 2:00 PM
How many times do I need to tell,
it’s 65537?! 🧐
May 11, 2025 at 9:32 PM
Reposted by Ruslan Kiyanchuk
How does WhatsApp implement encrypted group chats? And are they secure? @malb.bsky.social, @bedow.bsky.social and myself were keen to figure this out. After two years of reverse-engineering, analysis and a few too many proofs, I presented our work at Eurocrypt earlier today. So, what did we learn?
Formal Analysis of Multi-Device Group Messaging in WhatsApp
WhatsApp provides end-to-end encrypted messaging to over two billion users. However, due to a lack of public documentation and source code, the specific security guarantees it provides are unclear. Se...
ia.cr
May 8, 2025 at 9:59 PM
Just a thought: with advancement of AI methods for image analysis, 3D generation, and also 3D printing – should we be concerned about adversaries reconstructing our facial shape to create a mock that would fool #FaceID?
May 8, 2025 at 2:32 PM
After 15 years of using Vim, today I learned that:

g?? encodes current line with Caesar cipher (ROT13) 😅
May 8, 2025 at 12:39 PM