Cybersecurity Social Media and Updates

Weekly Update: New PC Stream, Cybercrime
Social | Feb 9, 2026

Weekly update is up! Home Sweet Home; First Stream From the New PC; Law Enforcement and Cybercrime Prevention; The Betterment Data Breach https://www.troyhunt.com/weekly-update-490/

By Troy Hunt
Moltbook’s Hidden SKILL File Fuels Unstoppable AI Agent Growth
Social | Feb 7, 2026

The growth engine behind Moltbook's explosion to 1.5 million AI agents is a bit sinister. Everyone's sharing screenshots of bots debating philosophy and having existential crises. Good content. Very shareable. But it's a distraction from what's actually happening underneath. Mason...

By Jason Lemkin
Human Error Cost $134M; Enforce Airdrop Max Limits
Social | Feb 7, 2026

We helped in this recovery effort, a tiny bit. I didn't tweet when it first happened, to not spread FUD. A human error of $134m vs $1,340. All airdrop features should have a maximum value check. I am not even sure if...

By Changpeng Zhao
Market Size Irrelevant; Success Can Exceed Initial TAM
Social | Feb 7, 2026

One of my biggest takeaways from talking to @dugsong and @jonoberheide: Market size doesn't matter. They ultimately sold Duo to Cisco for $2.35B, which was bigger than the initial TAM when they started the company.

By Turner Novak
Russian Spy Satellites Repeatedly Intercepted European GEO Communications
Social | Feb 6, 2026

The Russians are causing problems again. It was reported this week that Russian spysats may have intercepted what were supposed to be secure comms from European GEO satellites several times during the past three years. https://t.co/2kQy8PtQwG

By Payload
Basecamp Upgrades to Fully Compliant OAuth 2.0 Implementation
Social | Feb 6, 2026

Basecamp has long supported OAuth, but our implementation was based on the (now ancient) pre-release spec, and it required hoops for modern clients. We've updated it to be fully compliant with OAuth 2.0 now. https://t.co/ixQWa4GmTH

By David Heinemeier Hansson
EU Nears Security Accreditation for Galileo PRS Service
Social | Feb 4, 2026

.@defis_eu says @GalileoGNSS secure PRS service to get EU security accreditation 'soon;' @DLR_en preparing service to geo-locate global GPS/Galileo interference. #EuropeanSpaceConf. @GrudlerCh. https://t.co/BEoAxMEwVU https://t.co/CtsfxxkoYt

By Peter B. de Selding
Levangie Labs Reveals Top 20 AI Security Risks
Social | Feb 4, 2026

The top 20 AI security risks right now. Had @blevlabs create this report by looking at my Security list here on X. Done on request from @realAlanHoward. Every day I'll do a different report from a community here on X....

By Robert Scoble
AI-Driven Forums Boost Automation, Demand Robust Safeguards
Social | Feb 3, 2026

For our free newsletter this week, we talk about the tech phenomenon @moltbook. @IrenaCronin and I write this newsletter every week. Moltbook is a forum style social network where AI assistants, not people, can post, reply, and share reusable “skills,” letting automation...

By Robert Scoble
Chinese Actors Hijack Notepad++ Updates, Infect Select Users
Social | Feb 2, 2026

Between June and December 2025, a “likely Chinese state-sponsored group” compromised the infrastructure used by Notepad++ and served malicious updates to selectively targeted users. https://t.co/w5kp0kyy5z https://t.co/rug70afvgL

By Runa Sandvik
Boosted Security with HSM and Docker on WSL
Social | Feb 2, 2026

After all the hacks, I massively improved the operational and environmental security of Logan the exit liquidity lobster to include an HSM key management system and a two container docker system running on WSL https://t.co/UX8XmZJQfo https://t.co/L4icr9zsqJ

By Charles Hoskinson
Use Dedicated Secure Devices for Source Protection
Social | Feb 2, 2026

Jumping onboard the OPSEC train: Don't rely on cute tricks to stop security forces from accessing important data. Have a better system architecture that is secure against basic coercion. If you are a journalist working with someone who is committing treason,...

By The Grugq
Google’s Mandiant Deploy
Social | Feb 2, 2026

Mandiant Google’s shiny hunters scattered lapsus okta internal sso phishing blog. Imagine trying to parse that sentence in twenty years ago. Mandiant’s acquisition Google used their shiny hunters to scatter the Lapsus Okta internal sso phishing blog.

By The Grugq
Combine Naabu and Nmap for Depth, Simplicity, Speed
Social | Feb 2, 2026

Port scanners ranked after 15+ years: Nmap → depth; Naabu → simplicity; RustScan → speed. Pro tip: naabu -nmap-cli gives you best of both 🔗 https://t.co/8qHOyCzgAg | https://t.co/LFDCFb3Rgg | https://t.co/d56KN90GG9 https://t.co/WGqy7g65sd

By Jason Haddix
GPT-4’s Function Calling Sparked VM Escape, Enabling Clawdbot
Social | Feb 1, 2026

given that gpt-4 (June 2023) had function calling and tried to escape its own VM by hacking it i'd guess that's when something like clawdbot would've been possible to release by the labs

By Aaron Ng
Beware: Malicious External Contract Interaction Echo
Social | Feb 1, 2026

Yes, this is giving "interaction with [malicious] external smart contract" vibes a la The DAO 😬

By Laura Shin
Access Controls Matter More Than Tools in Secure Tip Lines
Social | Jan 31, 2026

I helped design and implement the secure tip line at the New York Times in 2016. Who can access what, when, where, and how is just as important as the specific apps, tools, and settings that are used. https://t.co/bXZ9qmWkqy

By Runa Sandvik
FBI Record Shows Reporter’s Devices Secured, Signals Disappearing
Social | Jan 31, 2026

New court record from the FBI details the state of the devices seized from Washington Post reporter Hannah Natanson: phone was on w/Lockdown Mode; personal laptop was off; work laptop was on w/Touch ID; several Signal chats used disappearing messages....

By Runa Sandvik
Crypto Heist Sparks Call for U.S. Bitcoin Reserve
Social | Jan 31, 2026

Alleged crypto theft by son of government contractor raises a critical question: Is the U.S. ready for a strategic reserve? @kkirkbos says we may need a Bitcoin Fort Knox 👇 https://t.co/tti17Z1eKJ

By Laura Shin
CLI‑enabled Agents Risk Identity‑changing Prompt Injections
Social | Jan 30, 2026

With autonomous agents who have access to the command line, like Claude code and Open Claw, you don't only have to worry about prompt injection that executes commands and operations, but you also have to worry about prompt injection that...

By Jason Haddix
AI Proliferation Shallowens Bugs, Boosts Top‑tier Fixes
Social | Jan 30, 2026

Have we reached the stage of “many AIs make all bugs shallow”? Great writeup on AI, open source, & bug bounties by @stanislavfort cofounder of AISLE “Mass adoption collapsed the median quality (“slop” killed bug bounty..) but.. raised the ceiling” https://t.co/iDvdiDy41J

By Katie Moussouris
AI Agents Favor Bitcoin for Open‑source Bug Bounty Payments
Social | Jan 30, 2026

This is mind blowing. 🤯 AI agents discussing the best form of payment for finding security holes in open source "skill" repos. Bitcoin at the top of the list.... Turns out humans don't need to convince grandma to use/hold Bitcoin, the...

By Preston Pysh
Norwegian Police Probe Italian Firm over FLIR Camera Installation
Social | Jan 30, 2026

Police in Norway are investigating an Italian company suspected of installing high-end FLIR cameras on a rooftop overlooking Melkøya, the endpoint of the pipeline for natural gas from the Barents Sea. https://t.co/6wbZBfOLzj

By Runa Sandvik
Group Chats Expose Sensitive Data Due to Trust Gaps
Social | Jan 30, 2026

Allowing members of a group to see the group messages is literally the purpose of a group. The issue seems to be that sensitive data is shared with poorly established trust boundaries and insecure COMSEC. There is no technical solution...

By The Grugq
VPS as Reliable Fallback for Browser‑Only Tasks
Social | Jan 29, 2026

Why not a VPS for Molt? In my use cases, research and testing, sometimes fetch and browser tools are blocked by anti-bot tech, or there is some workflow that doesn't have an API.... it's purely browser driven. With cui and...

By Jason Haddix
Self‑controlled Crypto Wallets Aren't Safe for Life Savings Yet
Social | Jan 29, 2026

“We are not in a place where anyone should store their life savings on chain in a wallet they control. It’s probably not safe for that yet.” https://t.co/JTgHPOAJbx

By Laura Shin
Crypto Security Still Far From Protecting Everyday Investors
Social | Jan 29, 2026

“We are not making major progress on improving security for the normal person to feel comfortable putting their life savings into crypto.” https://t.co/JTgHPOAblZ

By Laura Shin
Unclaimed Hack Refunds Stuck in Unused Contracts
Social | Jan 29, 2026

“There’s a lot of money just sitting in random contracts that were tried to be returned to people affected by the hack.” https://t.co/JTgHPOAblZ

By Laura Shin
TheDAO Sparked Ethereum’s Security Industry Emergence
Social | Jan 29, 2026

“I think it would be an easy argument to make that TheDAO really kickstarted the security industry in Ethereum.” https://t.co/JTgHPOAblZ

By Laura Shin
Unclaimed DAO Hack ETH Funds $250M Security Fund
Social | Jan 29, 2026

EXCLUSIVE 🚨 Nearly 10 years after the DAO hack, unclaimed ETH is being used to create a $250M Ethereum security fund. https://t.co/JTgHPOAblZ

By Laura Shin
Ethereum OGs, Vitalik Launch $220 M Security Fund
Social | Jan 29, 2026

EXCLUSIVE: Ethereum OGs and @VitalikButerin to create a $220 million Ethereum security fund 🤯 You'll never guess where the money comes from ... https://t.co/KbfuQI6FX3

By Laura Shin
Apple's iPhone Privacy Shield Lacks U.S. Carrier Support
Social | Jan 29, 2026

Apple’s new iPhone security feature limits cell networks from collecting precise location data, but appears to have very limited support in the U.S. at the moment. Here’s to hoping all the big carriers get on board too. https://t.co/tCJT63yJO3 https://t.co/PK9jhIlU18

By Runa Sandvik
Cyber InsurTech Hits Turning Point with Massive Funding
Social | Jan 29, 2026

Cyber InsurTech at a crossroads? → https://t.co/lkwru1czZC This reflects the largest round announced recently, which happened to come from a cyber InsurTech startup. https://t.co/NIanaOZPp2

By Florian Graillot
Open‑Source AI Gains Power, Raises Massive Security Risks
Social | Jan 28, 2026

On one hand we should expect many open source models to get great at computer use because of clawdbot proving demand. On the other hand random free oss models controlling millions of computers sounds like a nightmare

By Aaron Ng
Open‑weight AI + Obsidian + Crypto Enables Personal Private Programmable Stack
Social | Jan 28, 2026

PERSONAL PRIVATE PROGRAMMABLE

I’ve been thinking more about the intersection of Claude Code and Obsidian. There is an upcoming tech stack here that I’m calling personal private programmable. Here’s a sketch of the idea. First, if you squint ahead a few months, we...

By Balaji Srinivasan
Prompt Injection Threat Turns AI Agents Against Employers
Social | Jan 28, 2026

When AI Agents Turn Against You: The Prompt Injection Threat Every Business Leader Must Understand

As organizations deploy #AIagents to handle everything from customer service to financial decisions, a critical #security #vulnerability threatens to turn these digital workers against their...

By Bernard Marr
WhatsApp Adds Anti‑spyware Blocks for Unknown Media
Social | Jan 27, 2026

Powerful new features announced by @WhatsApp today to defend against sophisticated spyware. Includes the ability to block attachments and media from people not in your contact list. https://t.co/nvd2F83n4Z

By Runa Sandvik
Crypto Crime Soars: $16.1B Laundered in One Year
Social | Jan 27, 2026

$16.1 billion laundered in a single year. 1,799 wallets. $44M per day. A new Chainalysis report shows how crypto crime has quietly scaled. Full story here: https://t.co/oXjntBhduW

By Laura Shin
Cisco AI Summit: Inside Enterprise AI Build, Secure, Scale
Social | Jan 27, 2026

Join us online for the Cisco AI Summit livestream. If you care about how enterprise AI is actually being built, secured, and scaled, this is a day worth putting in the diary. Cisco is bringing together many of the people...

By Bernard Marr
Journalists Should Use Signal Usernames, Not Personal Numbers
Social | Jan 26, 2026

A number of Washington Post journalists asked for tips from government workers last year and posted their personal phone numbers for @signalapp. Please know that Signal allows you to create a username, meaning you can keep your phone number private....

By Runa Sandvik
Beware: Clawdbot Could Unleash Unaligned AI Risks
Social | Jan 26, 2026

Rahul warns us about Clawdbot. I'm not too worried about the nerds here who load it, but it got so popular over the weekend that non-techies will get drawn in. And that's where the trouble starts. I don't know how...

By Robert Scoble
AI Expands Risks Yet Powers Scalable Security Solutions
Social | Jan 24, 2026

Tech and AI lead the global risk landscape as they increasingly expand the attack surface. The good news? The same tools can help us move faster, see more clearly, and respond at scale. Our Risk & Security Outlook explores what's...

By Nigel Walsh
Government May Subpoena Google, Proton for Natanson’s Accounts
Social | Jan 24, 2026

Given how aggressively the government has pursued Hannah Natanson and the Washington Post, it would not surprise me if Google and Proton also received subpoenas for access to her accounts.

By Runa Sandvik
Gain Real Visibility Over Fast‑Moving Agentic AI
Social | Jan 23, 2026

Agentic AI is moving fast and most teams lack visibility into what’s actually happening. Meet our sponsor for this week's newsletter: @harmonicsec! Harmonic Security’s MCP Gateway is a lightweight, developer-friendly gateway that gives security teams real visibility...

By Jason Haddix
Spain's Top Court Stalls Pegasus Probe over Israeli Silence
Social | Jan 23, 2026

A “chronic lack of cooperation from the Israeli authorities” has forced Spain’s highest criminal court to shelve its investigation into use of Pegasus against Spanish ministers, inc. the prime minister. Cases uncovered by @citizenlab go back to 2021. https://t.co/GUEJ1Mq02R

By Runa Sandvik
Microsoft Will Surrender BitLocker Keys to Police upon Court Order
Social | Jan 23, 2026

If you store your BitLocker key with Microsoft, Microsoft can and will hand the key over to law enforcement in response to valid court orders. https://t.co/FPUJZPSU3h

By Runa Sandvik
Essential Digital Security Guide Still Relevant After FBI Seizure
Social | Jan 23, 2026

I know people are looking for digital security guides and checklists in light of the FBI seizing devices of a Washington Post reporter. Here’s a guide I wrote for @gijn in 2024, which remains up to date and relevant. https://t.co/9vBMK8r1vV

By Runa Sandvik
Secure Solutions for Journalists and At‑Risk Professionals
Social | Jan 23, 2026

I started Granitt in 2022 to help journalists and other groups of at-risk people continue to do their work safely and securely. Please get in touch if you’re looking for an assessment, policy and process development, training, or presentation. https://t.co/5eyprsSuBF

By Runa Sandvik
FBI Seizes Reporter’s Devices, Including Encrypted Drive
Social | Jan 23, 2026

Here are the items the FBI seized from Washington Post reporter Hannah Natanson: a recorder, two laptops, an external drive, a smart watch, an iPhone. Her December article mentioned that she stored reporting notes on an encrypted external drive, so...

By Runa Sandvik