Well folks, we did it. I have been waiting for this day for almost 10 years. I am proud to announce @Cruise is now running 24/7 across all of San Francisco! This is a pivotal moment for our business. Let me tell you why 👇(1/6)

You'd be hard pressed to find someone in the hacker community that you could have deep tech conversations with & also turn everything they touch into fun. @aloria is a legend that I am privileged to call a friend. We will remember! Photo from 15th anniversary of "Hackers" party.

“Code signing” as sold by CAs is a Microsoft only offering. It doesn’t really belong in CA/Browser Forum at all. Doing so just shunts Microsoft’s responsibility to evolve its own code signing practices to commercial CAs. This is problematic for several reasons.

Where else in our lives do we actively create and promote the infrastructure that allows malicious actors scalable and frictionless destruction? Why run AD, which enables scalable ransomware? So that we can automatically deploy EDR to maybe detect (but not stop) that ransomware?

My scooter was stolen last week. Unknown to the thief, I hid two Airtags inside it. I was able to use the Apple Find My network and UWB direction finding to recover the scooter today. Here’s how it all went down:

There's a focus that comes with protecting cryptocurrency. Security theater doesn't play at all, there are real direct consequences for breaches, and you can't keep them a secret. There is real useful innovation happening and the rest of infosec ignores it to their own detriment.

Big congratulations to @brian_armstrong, @FEhrsam and the entire @coinbase team on a monster debut today! Huge moment for crypto. To the moon! 👍🏻🚀🍾🥂🥳🎉🎈🎊

I wrote a smart card token driver for MacOS to interface with identities backed by Secure Enclave

Windows crypto API makes it easy to use keys on hardware eg HSMs Example: ADFS with SAML signing key on AWS CloudHSM v2 (Marvel Nitrox née Cavium) Sometimes showing the key is on an HSM is the hard part 🤷‍♂️ Key container → CSP → certificate → ADFS settings

Common pattern in infosec: 1. Fail at threat modeling (In this case: conflate risks of non-constant time comparison of HMACs vs password hashes) 2. Attempt at "fix" for said "problem" 3. Introduce a more serious & real vulnerability 🤦‍♂️

Alternative view: given that enterprise IT is a market for lemons, it is the buyer responsibility to manage that risk by making sure untrusted vendor code (read: all except a handful such as MSFT/Google/AWS…) is properly sandboxed & contained assuming it *will* fail

My take: if you have the team on-staff to invent ALTS, use that. Otherwise, use mTLS for your service-to-service communication. You should still use other authn/authz mechanisms that are closer to end-to-end, though.

If you know me you already know what I think about this but on the off chance you don’t: NCC Cryptography is legit.

I grew up on software exploitation, but always thought crypto was beyond me. In the ~5 yrs since finding Cryptopals, I’ve found & exploited critical crypto bugs in products like secure messengers, and helped design secure protocols. Thanks @tqbf @spdevlin @marcinw @iamalexalright

This is why using credentials bound to hardware— smart-cards, USB tokens, TPMs— is crucial You can not paste them into Slack or share with another colleague even if you wanted to 🤷‍♂️ 1/2

Twitter, meet Streisand Effect PS: If my account mysteriously disappears from Twitter after this, that is your cue the company is escalating efforts to silence discussion of its internal security features 🤷‍♂️ https://t.co/bBibWyAIv9

Gemini is now the first #crypto exchange to offer support for hardware security keys across both Android and iOS #mobile devices via WebAuthn! Add a hardware #security key to your Gemini account for the strongest level of protection. More on our blog ⬇️

From past experience using a setup like this on Ubuntu 18, here is what can go wrong Setup script seals LUKS key to TPM state including PCR0. https://t.co/perALLt30r Firmware updates change that PCR → TPM key is no longer usable → LUKS partition can not be unsealed

"Hipster cryptography"? Or "not-invented-in-Mountain-View"? Problem is PKCS#11 works just fine & enables a whole host of scenarios besides SSH including VPN, TLS client authentication, disk encryption & S/MIME…