rmhrisk
@rmhrisk.bsky.social
390 followers 150 following 110 posts
Dropout. Father. I build things. Security, Cryptography, Engineering, Entrepreneurship. @peculiarventure + x-MSFT + x-GOOG ++. Also on @[email protected] and twitter.com/rmhrisk
rmhrisk.bsky.social
No, a few years ago they switched to their own root store. They do pull in certificates that the user adds but not the platform root store.
rmhrisk.bsky.social
The bigger issue? Microsoft’s root program still trusts this CA, leaving Edge and Windows users exposed in ways Chrome, Firefox, and Safari users aren’t.

The pattern is familiar: long-lived trust, weak oversight, systemic risk. It’s time for Microsoft to step up and fund proper root governance.

👇
Another Sleeping Giant: Microsoft’s Root Program and the 1.1.1.1 Certificate Slip | UNMITIGATED RISK
unmitigatedrisk.com
rmhrisk.bsky.social
This morning, a serious WebPKI incident surfaced: a tiny CA misissued certificates for 1.1.1.1 - Cloudflare’s DNS service.

With BGP hijacks happening regularly, those certs could enable full man-in-the-middle attacks.

👇
rmhrisk.bsky.social
Looks like something is up in Whoville. It seems an obscure CA trusted by Microsoft has issued a certificate for 1.1.1.1.
groups.google.com/a/mozilla.or...
Incident Report: Mis-issued Certificates for SAN iPAddress:1.1.1.1 by Fina RDC 2020
groups.google.com
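The check behind the two posts above, written out as an added example (this is not code from the original posts, from Cloudflare, or from the incident report): a CT-monitor style scan that flags any certificate naming a watched IP in its SAN iPAddress entries when the issuer is not one you expect, plus a demonstration that a standard TLS client would accept such a certificate for a connection to 1.1.1.1 if the issuing CA were in its root store. The certificates are self-signed test data minted in-process; the issuer names and the allowlist keyed on issuer CN are assumptions for illustration (a production monitor would key on the issuer's SPKI hash and read real log entries).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Finding is one (certificate, watched IP) pair whose issuer is not allowlisted.
type Finding struct {
	Issuer string
	IP     string
	Serial string
}

// FlagUnexpectedIPCerts scans parsed leaf certificates (in practice, entries
// pulled from CT logs) and reports every watched IP that appears in a SAN
// iPAddress entry of a certificate whose issuer CN is not in the allowlist.
// Keying on issuer CN is a simplification for this example; real monitors
// match on the issuer's SPKI hash.
func FlagUnexpectedIPCerts(certs []*x509.Certificate, watched []net.IP, allowedIssuerCN map[string]bool) []Finding {
	var out []Finding
	for _, c := range certs {
		if allowedIssuerCN[c.Issuer.CommonName] {
			continue
		}
		for _, ip := range c.IPAddresses { // only SAN iPAddress entries, never the CN
			for _, w := range watched {
				if ip.Equal(w) { // Equal handles 4-byte vs 16-byte IPv4 forms
					out = append(out, Finding{
						Issuer: c.Issuer.CommonName,
						IP:     ip.String(),
						Serial: c.SerialNumber.String(),
					})
				}
			}
		}
	}
	return out
}

// MintTestCert builds a self-signed certificate carrying the given IP as a
// SAN iPAddress. Constructed test data standing in for a CT log entry; the
// issuer CN is whatever the caller passes.
func MintTestCert(issuerCN string, ip net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: issuerCN},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{ip},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	watched := []net.IP{net.ParseIP("1.1.1.1")}
	allowed := map[string]bool{"Expected CA": true} // assumed allowlist
	good, _ := MintTestCert("Expected CA", net.ParseIP("1.1.1.1"))
	bad, _ := MintTestCert("Some Obscure CA", net.ParseIP("1.1.1.1"))
	other, _ := MintTestCert("Some Obscure CA", net.ParseIP("9.9.9.9"))

	for _, f := range FlagUnexpectedIPCerts([]*x509.Certificate{good, bad, other}, watched, allowed) {
		fmt.Printf("ALERT: %s issued serial %s for %s\n", f.Issuer, f.Serial, f.IP)
	}
	// A client connecting to https://1.1.1.1 matches the IP against SAN
	// iPAddress entries, so name verification passes for the bad cert too;
	// only the root store decides whether its issuer is trusted.
	fmt.Println("hostname check on misissued cert:", bad.VerifyHostname("1.1.1.1"))
}
```

The point the scan makes concrete: nothing in the certificate itself distinguishes the legitimate 1.1.1.1 certificate from the misissued one once a client trusts the issuer, so the defence is an issuer allowlist applied to CT data (and, for the ecosystem, root program oversight), not anything a client can observe at connection time.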
rmhrisk.bsky.social
Big milestone for email security. CA/Browser Forum just published S/MIME BR v1.0.11. Now with NIST-approved post-quantum algorithms (ML-DSA & ML-KEM). Quantum-resistant S/MIME is here. 👇
rmhrisk.bsky.social
These flaws, combined with poor security practices from RMM vendors like ConnectWise & Atera, create a malware pipeline that offloads security costs directly onto customers.

Find out more here:
How Microsoft Code Signing Became Part of a Trust Subversion Toolchain | UNMITIGATED RISK
unmitigatedrisk.com
rmhrisk.bsky.social
Building on the great research by Cem Paya and Matthew Ludwigs at River Financial, my new post details how attackers are exploiting fundamental assumptions in Microsoft's code signing.

👇
rmhrisk.bsky.social
With Authenticode & CA/B Forum–compliant code signing, intent ≠ immunity.

The Baseline Requirements define revocation conditions based on use in the wild, not the developer’s intent.

Ship signed code? Design it to resist abuse — attackers can weaponize your trust, and your cert can be pulled.
rmhrisk.bsky.social
The "Invitation Is All You Need" attack: AI agent poisoned through calendar, executed malicious commands days later.

AI agents persist memory across sessions, and static credentials become persistent threats.

👇
rmhrisk.bsky.social
One of the best parts of Black Hat is the hallway track.
This week, I got to watch some great talks with friends, and one reminded me of a common pattern, the innovation–security debt cycle:

1️⃣ Rush to ship
2️⃣ Debt builds
3️⃣ Incident forces change
4️⃣ Security becomes a differentiator

👇
rmhrisk.bsky.social
In the 1960s: "Don't have kids, the world will starve." Today: "Don't learn to code, AI will do it all."

Both predictions ignore the same truth: when there's money to be made, markets adapt faster than doomsday forecasters expect.

👇
rmhrisk.bsky.social
In this piece, I reflect on the difference between good and bad automation, why metrics matter more than ever, and how AI can quietly make the worst patterns harder to detect and fix. unmitigatedrisk.com?p=1067
When Automation Becomes Bureaucracy | UNMITIGATED RISK
unmitigatedrisk.com
rmhrisk.bsky.social
We build systems to make things easier. But too often, what we call “automation” ends up feeling like digital red tape: frustrating, rigid, and impossible to reason with.

👇
rmhrisk.bsky.social
From dropping tables to jailbreaking GPTs, some kids just never change. Meet Little Bobby Prompts. 😂
rmhrisk.bsky.social
The biggest digital identity experiment in U.S. history wasn’t planned; it was a side effect of pandemic-era fraud.

Now that Apple and Google are standardizing digital ID in wallets, we’re about to find out if market pressure can succeed where government urgency failed.
👇
rmhrisk.bsky.social
My AI Skill Liquidity series shows the same pattern: value shifts from execution to orchestration. But today legal AI focuses on documents, not reasoning.

We're accidentally breaking apprenticeship while missing the intellectual core of legal practice.

unmitigatedrisk.com?p=1061
Lawyers Think Like Security Engineers. AI Treats Them Like Secretaries | UNMITIGATED RISK
unmitigatedrisk.com
rmhrisk.bsky.social
As a recovering security engineer, I recognize threat modeling anywhere.

Lawyers do it constantly - they're security engineers for text.

So why does legal AI treat them like secretaries?

👇
rmhrisk.bsky.social
Turns out the Turkey entry is a Firefox bug: they’re using bucket #1 for both locally installed roots and Kamu SM, apparently by accident. That said, this is still a very interesting comparison if you’re into the WebPKI.