Cem Paya
@randomoracle
@[email protected] Personal opinions “Character is what you tweet when you think no one is following" ex-MSFT/GOOG/ABNB/Gemini
你可能會喜歡
A deeper, more technical dive into a design flaw in the ScreenConnect executable that made it particularly appealing for malicious campaigns. blog.randomoracle.io/2025/06/26/scr… History Case: blog.randomoracle.io/2025/06/16/the…
Now that GDATA also posted about this and cat is out of the bag. Write-up on how ScreenConnect was abusing Microsoft Authenticode signatures in a way that made it ideal for malware to repurpose their installers (previously disclosed to vendor) blog.randomoracle.io/2025/06/26/scr…
1/ 🔥 AI agents are reaching a breakthrough moment in cybersecurity. In our latest work: 🔓 CyberGym: AI agents discovered 15 zero-days in major open-source projects 💰 BountyBench: AI agents solved real-world bug bounty tasks worth tens of thousands of dollars 🤖…
Recent work from River security team and @rmhrisk : how our discovery of bogus "River desktop app" in the wild lead to DigiCert revoking ConnectWise's code-signing certificate and invalidating all existing ScreenConnect binaries on Windows blog.randomoracle.io/2025/06/16/the…
Mangled casings from 2 of those 4 thermonuclear weapons from the Palomares (Spain) broken-arrow incident is on exhibit at the Museum of Nuclear Science & History in Albuquerque. nuclearmuseum.org/see/exhibits/c…
Today in history. “We thought it was the end of the world': How the US dropped four nuclear bombs on Spain in 1966 bbc.com/culture/articl…
Thoughts on ByBit First, the good stuff: impressive response to the hack. I've rarely seen that level of transparency + professionalism in a crisis. Usually you see slow, wishy-washy, lawyer-speak or quick meme-style responses that don't fit the seriousness of the situation. 1/n
Learned a lot about security from @randomoracle @michaelbreu back in the day. Lesson one is anything that can be penetrated will be. Software and hardware, and the practices around them, must be resilient & redundant. Every step must have integrity. No shortcuts.
Safe multisig smart contracts worked fine, and Bybit still got hacked. This is equivalent to a lending market's messing up the configs. Security is just a beast in itself and it can't be reduced to one single factor like smart contract audits. You have to do them all right.
Until October 30, Okta generated "the cache key" by using bcrypt to "hash a combined string of userId + username + password", which allowed full password auth bypass for usernames of 52+ bytes and apparently required only partial knowledge of the password for other long usernames
Okta allowing login bypass for any usernames with 52+ characters is insane Official Security Advisory: trust.okta.com/security-advis…
1988: The Morris worm spread like wildfire and was the first worm to get wide media attention. After its author, Robert Tappan Morris, released his "experiment", it quickly spread and made many of the systems on the Internet unusable - an epoch for security...both good and bad.
🎉 Thrilled by the incredible enthusiasm for our LLM Agents MOOC—12K+ registered learners & 5K+ Discord members! 📣 Excited to launch today the LLM Agents MOOC Hackathon, open to all, with $200K+ in prizes & credits! 🔗 Sign up now: rdi.berkeley.edu/llm-agents-hac… & join us virtually or…
#ECJ upholds the fine of €2.4 billion imposed on @Google for abuse of its dominant position by favouring its own comparison shopping service #competition @EU_Commission 👉 curia.europa.eu/jcms/jcms/Jo2_…
So-called experts: "Tornado Cash is a valuable privacy service used by everyday people for legit purposes" Reality: #delusions #KYCfail coindesk.com/markets/2024/0…
Identity fails With Twitter verified profiles, users at least have some confidence they are following the genuine bloviator/influencer On GitHub still no way to know if that ace developer is really a North Korean stooge/APT operative 🤷🏽
1/ Recently a team reached out to me for assistance after $1.3M was stolen from the treasury after malicious code had been pushed. Unbeknownst to the team they had hired multiple DPRK IT workers as devs who were using fake identities. I then uncovered 25+ crypto projects with…
JD Vance’s dossier would have been safe if the campaign stored it on CouchDB 🤷 thedailybeast.com/trumps-270-pag…
#Clownstrike: "Combining third-rate technology with first-rate lawyers: always ready with a DMCA takedown notice in case anyone dare criticize us" arstechnica.com/tech-policy/20…
The pk.fail service has an open API interface for mass scanning. By today, 7550 unique FW images had been checked, and 534 (7%) contained non-production keys or were exposed to the #PKfail. The detected keys are associated with AMI (majority), Insyde and Phoenix.
"Creating our own bytecode VM for detection rules will be much safer than constantly writing new code for kernel mode 💡" — said someone somewhere at #Clownstrike
It would be a different story if Google allowed GrapheneOS to pass the device and strong integrity levels via the hardware attestation API but added an extra field in the response saying that the OS is GrapheneOS. Apps could go out of the way to ban it if they wanted.
Sign of incompetent vendor: Puts more effort into cease & desist orders against obviously non-infringing parody/satire than improving their weak-sauce technology that caused a global IT outage #Clownstrike #DumpsterFire
1/ Recently a team reached out to me for assistance after $1.3M was stolen from the treasury after malicious code had been pushed. Unbeknownst to the team they had hired multiple DPRK IT workers as devs who were using fake identities. I then uncovered 25+ crypto projects with…
GrapheneOS threatening to sue Google is strange; it is Authy that decided to restrict their app to "genuine" Android devices based on remote attestation Also for perspective: Authy's days are numbered anyway, given that future is passwordless arstechnica.com/gadgets/2024/0…
United States 趨勢
- 1. #wednesdaymotivation 6,463 posts
- 2. Good Wednesday 29.3K posts
- 3. #LoveYourW2025 216K posts
- 4. Jay Jones 58.4K posts
- 5. Hump Day 13.2K posts
- 6. Markey 1,205 posts
- 7. Moulton N/A
- 8. #VxWKOREA 55.6K posts
- 9. #GenV 4,669 posts
- 10. #WednesdayWisdom N/A
- 11. Young Republicans 104K posts
- 12. St. Teresa of Avila 2,421 posts
- 13. And the Word 77K posts
- 14. Tami 5,384 posts
- 15. Voting Rights Act 7,972 posts
- 16. Vision Pro 2,354 posts
- 17. Happy Hump 8,067 posts
- 18. HSBC 1,833 posts
- 19. Raila Odinga 193K posts
- 20. Hobi 38.5K posts
你可能會喜歡
-
Trail of Bits
@trailofbits -
lcamtuf
@lcamtuf -
JP Aumasson
@veorq -
Tanja Lange
@hyperelliptic -
chrisrohlf
@chrisrohlf -
Thomas H. Ptacek
@tqbf -
Jeremiah Grossman
@jeremiahg -
Steve Weis
@sweis -
Ryan Hurst
@rmhrisk -
Juliano Rizzo
@julianor -
Philipp Jovanovic 🇪🇺
@Daeinar -
beist
@beist -
Solar Designer
@solardiz -
Ben Laurie
@BenLaurie -
Chris Valasek
@nudehaberdasher
Something went wrong.
Something went wrong.