Adam Shostack :donor: :rebelverified:

@adamshostack.infosec.exchange.ap.brid.gy

Author, game designer, technologist, teacher. Helped to create the CVE and many other things. Fixed autorun for XP. On Blackhat Review board. Books […] [bridged from https://infosec.exchange/@adamshostack on the fediverse by https://fed.brid.gy/ ]

118 Followers  |  1 Following  |  952 Posts  |  Joined: 10.05.2024  |  2.0489

Latest posts by adamshostack.infosec.exchange.ap.brid.gy on Bluesky

a headline showing I wrote the introduction last year

One of the hats I wear is editor for the @defcon Franklin Hackers' Almanack. If you see talks that policymakers should know about, please let me know here, tag me, etc.

I'm already seeing great stuff on voting security, resisting back doors, irresponsible […]

[Original post on infosec.exchange]

09.08.2025 14:59 — 👍 1    🔁 2    💬 0    📌 0
Hackers Went Looking for a Backdoor in High-Security Safes—and Now Can Open Them in Seconds Security researchers found two techniques to crack at least eight brands of electronic safes—used to secure everything from guns to narcotics—that are sold with Securam Prologic locks.

Big maker of electronic locks that go in safes is amazingly bad at its job, and so are a lot of the safe-manufacturing companies that use the locks.

https://www.wired.com/story/securam-prologic-safe-lock-backdoor-exploits/

09.08.2025 09:38 — 👍 2    🔁 35    💬 3    📌 0

The frenzied activity here at @defcon is just a sight to behold!

08.08.2025 16:50 — 👍 0    🔁 1    💬 0    📌 0
Original post on infosec.exchange

The "groundbreaking" NIST report is on... a hackathon where the devs are available?

The dream of the 90s is alive in the media.

“If the report was published, others could have learned more information about how the [NIST] risk framework can and cannot be applied to a red teaming context,” […]

07.08.2025 14:10 — 👍 0    🔁 0    💬 0    📌 0
Tabletop Security Games + Cards The exhaustive list of cybersecurity tabletop games.

If you're at Blackhat and see interesting, physical #cybersecurity games at the business hall, please let me know. I enjoy collecting these games, and they're often limited editions.

https://shostack.org/games

06.08.2025 19:10 — 👍 1    🔁 0    💬 1    📌 0

This 40th anniversary special release of #phrack is amazing. If you’re at #blackhat or #defcon you should aim to get one.

06.08.2025 06:22 — 👍 2    🔁 4    💬 0    📌 0

I mean, other than the preceding quoted list items, and probably much more.

05.08.2025 20:12 — 👍 0    🔁 0    💬 0    📌 0

Certainly nothing for any technology company to learn from in any of this.

05.08.2025 20:12 — 👍 1    🔁 0    💬 1    📌 0
Original post on infosec.exchange

6) OceanGate’s failure to conduct a detailed investigation after the TITAN experienced mishaps that negatively impacted its hull and components during dives conducted prior to the incident,

7) OceanGate’s toxic workplace environment which used firings of senior staff members and the looming […]

05.08.2025 20:12 — 👍 0    🔁 0    💬 1    📌 0
Original post on infosec.exchange

3) OceanGate’s excessive reliance on a real-time monitoring system to assess the condition of the TITAN's carbon fiber hull and then their failure to conduct a meaningful analysis of the data provided by the system,

4) OceanGate’s continued use of the TITAN after a series of incidents that […]

05.08.2025 20:10 — 👍 0    🔁 0    💬 1    📌 0

The Coast Guard has released its investigation report on the Titan submersible implosion.

05.08.2025 19:55 — 👍 0    🔁 4    💬 1    📌 0
Sam Bowne & Team - Beginner's Guide to Attacks and Defenses - DCTLV2025 **4-Day Training** **Please note: This is a four-day training that will be held Saturday-Tuesday (August 9-12). Participants will receive a DEF CON Human Badge with their registration** Name of Training: Beginner's Guide to Attacks and DefensesTrainer(s): Sam Bowne, Elizabeth Biddlecome, Kaitlyn Handelman, and Irvin LemusDates: August 9-

There's still room in our @defcon Training event!

https://training.defcon.org/collections/def-con-training-las-vegas-2025/products/sam-bowne-team-beginners-guide-to-attacks-and-defenses-dctlv2025-4-day-training

05.08.2025 01:15 — 👍 0    🔁 2    💬 0    📌 0
BGDon (@BrentD@techhub.social) Attached: 1 image Thanks for the waste Elon! Research quantified in the here and now found that in just six months of operation, DOGE wasted more than $21 billion. https://www.rawstory.com/doge-2673797223/ #Musk #DOGE #Waste #Fail #Efficiency #USGov

This sort of fact oriented analysis has no place on social media!! https://techhub.social/@BrentD/114977128381040020

05.08.2025 16:46 — 👍 0    🔁 1    💬 0    📌 0
Linux Is Best (@Linux@mstdn.ca) More than 3,000 Boeing defense workers went on strike Monday after rejecting a revised contract offer, demanding better pay and work conditions. The walkout affects key facilities in Missouri and Illinois as Boeing grapples with financial woes and safety concerns. Source: https://www.france24.com/en/americas/20250804-enough-is-enough-thousands-boeing-workers-strike-pay-work-conditions #Union #Strike #Boeing

It’s worth remembering that Boeing moved its HQ and manufacturing from Seattle in the hopes that they could avoid unions. https://mstdn.ca/@Linux/114972413247625181

04.08.2025 23:29 — 👍 2    🔁 2    💬 0    📌 0
ChatGPT agent triggers crawls from Bingbot and Yandex ChatGPT agent is the recently released (and confusingly named) ChatGPT feature that provides browser automation combined with terminal access as a feature of ChatGPT—replacing their previous Operator research preview which …

Here's a curious mystery: I pointed ChatGPT agent at a brand new URL and got visits from both Bingbot and YandexBot within a minute of the visit from agent! https://simonwillison.net/2025/Aug/4/chatgpt-agents-agent/

04.08.2025 22:57 — 👍 5    🔁 3    💬 1    📌 0

@mmasnick.bsky.social Tesla has also claimed (to the ny times) that Florida has essentially eliminated punitive damages. Is that claim as accurate as the ones covered in the electrek article?

04.08.2025 20:34 — 👍 0    🔁 0    💬 0    📌 0
Page logo: SONICWALL

Title: Recommended Mitigation Steps.

Until further notice, we strongly advise all partners and customers using Gen 7 SonicWall firewalls to take the following actions:

**1. Disable SSLVPN Services Where Practical**

Callout box: NOTE: All other steps below should still be followed even if disabling SSLVPN is not viable.

So the official SonicWall mitigation leads with "turn it off" ? ooooof.

04.08.2025 18:40 — 👍 3    🔁 5    💬 2    📌 0
European Commission (@EUCommission@ec.social-network.europa.eu) Attached: 1 image Have you heard of the 3-30-300 🌳 rule? Everyone should be able to: 🌲 See at least 3 trees from their home 🌳 Have 30% tree canopy cover in their neighbourhood 🍃 Live within 300 meters of a high-quality green space Trees help us cool down our towns in the summer, improve air quality and regulate the water cycle. That’s why The EU Biodiversity Strategy commits to planting at least 3 billion additional trees in the EU by 2030. Learn more ➡️ https://europa.eu/!RGwp7f

Freakin’ Europe really does like rules!

Remember, if you’re a landlord, you need to rebuild your buildings to meet this or pay a fine of 1% of global revenue.

😇 https://ec.social-network.europa.eu/@EUCommission/114947180829111076

04.08.2025 14:41 — 👍 0    🔁 0    💬 0    📌 0
Matt Blaze (@mattblaze@federate.social) We can make our elections trustworthy in spite of the inevitable security weaknesses in equipment! How? By using an architecture that *tolerates* security flaws instead of requiring you to eliminate them. This is called "Software Independence", formalized by Ron Rivest (the R in RSA) about 15 years ago. Ron is giving a talk at the Voting Village this year. Software Independence is achieved with something called "Risk Limiting Audits", invented by Philip Stark. Philip is also giving a talk.

This is a really interesting point: We can achieve security despite insecure components, if we know the outcomes we want to achieve.

Voting, which is usually a knot of requirements in tension, is a surprising place for this to emerge.

https://federate.social/@mattblaze/114961899333870131

03.08.2025 14:24 — 👍 0    🔁 3    💬 0    📌 0
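The post above describes the architecture but not the mechanics of a risk-limiting audit. Here is an added example, not code from Adam's or Matt Blaze's post and not Philip Stark's own audit tooling: a sequential ballot-polling audit in the BRAVO style (Lindeman, Stark and Yates, 2012) for a two-candidate contest. The tabulator's software is never trusted; only the reported winner's share and hand-read paper ballots drawn from a ballot manifest feed the test. The 5% risk limit, the two-candidate simplification and the ballot manifests are assumptions of the example.

```python
"""Ballot-polling risk-limiting audit (BRAVO-style), added example.

Software independence in one line: the reported outcome is accepted only
if hand-read paper ballots, sampled at random, give statistical evidence
that the reported winner really won.  Nothing here reads the tabulator.
"""
import math
import random
from typing import Optional, Sequence, Tuple

RISK_LIMIT = 0.05  # assumption: a 5% risk limit, a common choice in practice


def bravo_audit(sample: Sequence[str], winner_share: float,
                risk_limit: float = RISK_LIMIT) -> Tuple[Optional[int], float]:
    """Run the sequential test over a sample of hand-read ballots.

    `sample` holds one entry per paper ballot drawn: "winner" (a vote for
    the reported winner), "loser" (a vote for the reported loser) or any
    other string for a blank/invalid ballot, which carries no evidence
    either way.  `winner_share` is the reported winner's share of the
    valid votes between these two candidates.

    Returns (index of the ballot at which the audit may stop, final T).
    The index is None if the sample ran out before the evidence sufficed,
    in which case the auditor draws more ballots or escalates to a full
    hand count; the reported outcome is never confirmed on faith.
    """
    if not 0.5 < winner_share < 1.0:
        raise ValueError("reported winner share must lie strictly between 0.5 and 1")
    threshold = 1.0 / risk_limit  # Wald SPRT stopping boundary
    t = 1.0
    for i, ballot in enumerate(sample, start=1):
        if ballot == "winner":
            # likelihood ratio of "reported share is right" vs "it was a tie"
            t *= winner_share / 0.5
        elif ballot == "loser":
            t *= (1.0 - winner_share) / 0.5
        else:
            continue  # blank or invalid ballot: no update
        if t >= threshold:
            return i, t
    return None, t


def min_ballots_if_unanimous(winner_share: float,
                             risk_limit: float = RISK_LIMIT) -> int:
    """Smallest sample that can stop the audit if every ballot is for the winner."""
    return math.ceil(math.log(1.0 / risk_limit) / math.log(2.0 * winner_share))


def draw_sample(manifest: Sequence[str], n: int, seed: int) -> list:
    """Draw n ballots with replacement from a ballot manifest.

    In a real audit the seed comes from public dice rolls so that the
    sample cannot be steered by whoever runs the tabulators.
    """
    rng = random.Random(seed)
    return [rng.choice(manifest) for _ in range(n)]


if __name__ == "__main__":
    reported_share = 0.6
    print("ballots needed if all go to the winner:",
          min_ballots_if_unanimous(reported_share))

    # Constructed manifest 1: the paper agrees with the reported 60/40 result.
    honest_paper = ["winner"] * 600 + ["loser"] * 400
    stop, t = bravo_audit(draw_sample(honest_paper, 200, seed=20250803), reported_share)
    print("honest tally: stop at ballot", stop, "T =", round(t, 2))

    # Constructed manifest 2: the tabulator reported 60% but the paper says
    # the reported winner actually lost.  The audit should refuse to stop.
    flipped_paper = ["winner"] * 450 + ["loser"] * 550
    stop, t = bravo_audit(draw_sample(flipped_paper, 200, seed=20250803), reported_share)
    print("flipped outcome: stop at ballot", stop, "T =", round(t, 2))
```

The point the post makes shows up in the code: a flaw in the voting machine can only change `winner_share`, and a lie there makes the paper sample look worse, not better, so the audit escalates to a hand count instead of confirming the wrong outcome. The multiplier `winner_share / 0.5` is the standard BRAVO update for a two-candidate race; multi-candidate contests run one such test per winner-loser pair.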
Original post on federate.social

We can make our elections trustworthy in spite of the inevitable security weaknesses in equipment!

How? By using an architecture that *tolerates* security flaws instead of requiring you to eliminate them. This is called "Software Independence", formalized by Ron Rivest (the R in RSA) about 15 […]

03.08.2025 00:02 — 👍 7    🔁 1    💬 0    📌 0

@jik Sendgrid should absolutely do better at managing account close state. And I wonder if they have to keep the card on file for some period because of pci rules?

02.08.2025 15:34 — 👍 0    🔁 0    💬 1    📌 0

When I worked as a SGE for the White House ONCD we had to attend mandatory Hatch Act training. I just found my “Social Media Quick Guide” for what is permissible. Nowadays I bet it is quite different.

02.08.2025 02:59 — 👍 3    🔁 1    💬 0    📌 0

“I find your lack of font consistency disturbing!”

02.08.2025 01:01 — 👍 0    🔁 2    💬 0    📌 0

@JessTheUnstill See, and everyone's complaining about AI! 😂

01.08.2025 23:33 — 👍 0    🔁 0    💬 0    📌 0

You wanna know why the US economy hasn't already tipped into a huge depression?

AI.

Literally.

Megatech is throwing so much capital at AI it's legit keeping the economy afloat.

01.08.2025 20:34 — 👍 3    🔁 9    💬 4    📌 1
Original post on infosec.exchange

For the #wastewater fans, here is an informative primer on how the nationwide[*] #covid #COVID19 wastewater data is collected, and the differences between the CDC's NWSS and WastewaterScan's data systems: https://pandemics.sph.brown.edu/news/2025-01-23/wastewater-brief. Via Katelyn Jetelina.

[*] […]

01.08.2025 16:16 — 👍 0    🔁 2    💬 0    📌 0

“Where we’re going, we don’t need roads!”
#aviation #737 #manufacturing

01.08.2025 15:33 — 👍 0    🔁 2    💬 0    📌 0

The last Blue Angels pass was low enough to trigger the rain sensor on my skylight.

31.07.2025 19:15 — 👍 0    🔁 0    💬 0    📌 0
Original post on infosec.exchange

Are there sshd state machines? I'm looking for one that covers "root," "running as user" and "spawning shell"*?

I've found https://www.researchgate.net/figure/Abstract-description-of-SSH2-with-Diffie-Hellman-key-exchange_fig2_241880255 and Figure 5 of […]

30.07.2025 23:04 — 👍 0    🔁 0    💬 1    📌 0