Matthew Green

Is End-to-End Encryption Optional For Large Groups? One of the recent topics in Messaging App Discourse is whether it makes sense to prioritize End-to-End Encryption when searching for an alternative to Discord. Who's Saying "No"? I'm going to quote 0xabad1dea here, because she is awesome and explains my "opposition" position better than anyone else: So You Want To Write An Open Source Discord Replacement Things you don’t need:

Is End-to-End Encryption Optional For Large Groups?

One of the recent topics in Messaging App Discourse is whether it makes sense to prioritize End-to-End Encryption when searching for an alternative to Discord. Who's Saying "No"? I'm going to quote 0xabad1dea here, because she is awesome and…

Meta is putting a "Name Tag" feature in Ray-Bans - facial recognition through the glasses' camera. You look at someone, AI tells you who they are.
In an internal document, the company wrote that the timing is good because civil society groups are busy with politics and won't cause problems.

Have a wild Sunday idea to geek out with AI.

Multiple people used Claude/Codex to reverse engineer a game (banteg did Crimsonland and ccccjjjjeeee did SimCity). Point proven. Let's up the difficulty.

Lets see if AI can split open a proprietary radio protocol! Starting now 😅

Claude Desktop Extensions 0-Click RCE Vulnerability Exposes 10,000+ Users to Remote Attacks A new critical vulnerability discovered by security research firm LayerX has exposed a fundamental architectural flaw in how Large Language Models (LLMs) handle trust boundaries.

"The zero-click remote code execution (RCE) flaw in Claude Desktop Extensions (DXT) allows attackers to compromise a system using nothing more than a maliciously crafted Google Calendar event."

Homeland Security Wants Social Media Sites to Expose Anti-ICE Accounts

DHS is being more aggressive than ever targeting anonymous social media accounts that have spoken out against ICE, asking Big Tech to hand over information on users without signed judicial warrants

story w/ @sheeraf.bsky.social

www.nytimes.com/2026/02/13/t...

I’ve been trying to kill the political fundraising texts since Jan 1 by replying “stop”. As suspected, it isn’t working. I need to turn this into a data science project.

EU Commission discloses an attempted cyberattack on its MDM system

ec.europa.eu/commission/p...

All of the charging documents are in the references, as well as local and national news reporting. I took your first comment as sarcasm but it’s worth noting it.

I’m describing a very low bar, since all of the people accused of taking Epstein’s money seem to have failed to clear it. This bar is literally inches from the ground.

A fucking *14 year old* with accusations of dozens more.

Even squinting at this, you can’t make it out as a mistake.

(Scott’s story is not a vague “ick” feeling, by the way. He says someone in his family did the very straightforward Google search, discovered that Epstein was convicted of abusing a child and accused of trafficking others, and told him to run away. Thank god for family.)

I’m posting this based on a comment by Scott Aaronson on his blog. Now to be clear: Scott A. did the Google search and declined Epstein’s money! He’s fine on this. But his view is that nobody would have turned down this guy’s money for moral reasons. Are you kidding me!?

By the time you’re directly communicating with Epstein and soliciting funding, visiting him in prison, visiting his island, flying on his plane — then “I didn’t know” stops working as an excuse. You didn’t take the literally five minutes it requires to Google him? Really!?

There are circumstances where I guess you could get funding from Epstein at a distance (say, he funds a conference and you don’t interact with him directly.) I’m always forgiving of clueless busy academic researchers, because I am one. But come on.

Lot of weird historical revisionism from academics saying “they didn’t know” about Epstein. People, here’s what his Wikipedia page said way back in late 2008. en.wikipedia.org/w/index.php?...

The nice thing about numeric phone passcodes *on iOS* is that they’ll display a numeric keypad. You might have to enter the code initially on an ugly full keyboard, but you’ll see a numeric pad when you unlock.

If you’re worried about your devices: a few basic thoughts.

1. Pick good passcodes. I recommend a 10-digit numeric *random* passcode on your phone. This seems hard to remember, but with a couple of days’ practice it will be effortless.

FBI Couldn’t Get into WaPo Reporter’s iPhone Because It Had Lockdown Mode Enabled Lockdown Mode is a sometimes overlooked feature of Apple devices that broadly make them harder to hack. A court record indicates the feature might be effective at stopping third parties unlocking some...

The FBI can’t get into a Washington Post reporter’s phone, in part because it was set to Lockdown Mode. www.404media.co/fbi-couldnt-...

WhatsApp Encryption, a Lawsuit, and a Lot of Noise It’s not every day that we see mainstream media get excited about encryption apps! For that reason, the past several days have been fascinating, since we’ve been given not one but sever…

I wrote a short blog post on the WhatsApp lawsuit, or whatever it is. blog.cryptographyengineering.com/2026/02/02/w...

We spent the last 20 years turning every business professional into a fiddling web form, and I’m ready for AI just to eat it all.

What is the New York Times app doing with 2GB of data on my phone, exactly? Running a CDN?

The way Apple lets you exclude apps from iCloud backup is almost comically terrible UX. You can’t find the option in the app Settings pane; you have to dig into the iCloud Backup pane five layers deep, and then the list is organized by backup size rather than alphabetical.

There’s a lawsuit against WhatsApp making the rounds today, claiming that Meta has access to plaintext. I see nothing in there that’s compelling; the whole thing sounds like a fishing expedition.

Color me skeptical that saving taxpayer money is the real reason for this change that CISA only made after RSAC appointed a Biden official as its CEO.

It’s 2026 and these concerns have been known for years. Microsoft’s inability to secure critical customer keys is starting to make it an outlier from the rest of the industry.

But more broadly, this highlights a fundamental weakness of Microsoft’s design. If MS can easily produce this to law enforcement, then anyone who compromises their cloud infrastructure (and customer service infrastructure, or can forge a plausible LE request) can potentially access that data.

The Washington Post demands government return devices seized in raid of reporter’s home | CNN Business The Post is demanding in court that the federal government return electronic devices it seized during last week’s FBI search of reporter Hannah Natanson’s home.

Once upon a time you could assume (mostly) that any Federal law enforcement agency doing this would be operating within the bounds of the law. Nowadays, who knows. I sure wouldn’t want to be a journalist relying on Bitlocker. www.cnn.com/2026/01/21/m...

The problem with this is that these recovery keys aren’t encrypted end-to-end in a way that Microsoft can’t access. So if law enforcement wants to access your encrypted drive (even without knowing your password) they can just ask Microsoft for the key. And Microsoft will hand it over.

For those who don’t have context, Bitlocker is the built-in hard drive encryption supplied in Windows. This is supposed to protect the data on your machine from being accessed without authorization. In many configurations, Windows will upload a recovery key to your Microsoft cloud account.

Microsoft Gave FBI BitLocker Encryption Keys, Exposing Privacy Flaw The tech giant said providing encryption keys was a standard response to a court order. But companies like Apple and Meta set up their systems so such a privacy violation isn’t possible.

Microsoft is handing over Bitlocker keys to law enforcement. www.forbes.com/sites/thomas...