Cat Easdon

394 posts

@cat_easdon

Privacy engineering @Dynatrace + research bridging the gap b/t tech and policy. Prev. fellow @VirtualRoutes, @InternetSociety + hacking CPUs. Opinions my own.

Austria · Joined January 2020
1.2K Following · 433 Followers
Pinned Tweet
Cat Easdon @cat_easdon
When we were first poking the Brix trying to get Red Unlock in 2019, I didn't even dream that a full reverse-engineering framework would be possible! This was a lot of fun - kudos for all your hard work and the great discussions, @borrello_pietro @marv0x90 @_rolicz @misc0110 🙌
Pietro Borrello @borrello_pietro

I'm super happy to share that our work "CustomProcessingUnit: Reverse Engineering and Customization of Intel Microcode" has been accepted at #WOOT23! 🎉 We extend our #BHUSA work to show how microcode tracing and patching can be useful to improve CPU performance and security 👀

Cat Easdon retweeted
Bart Preneel @bpreneel1
The never-ending crypto wars. It's not key escrow, it's not a backdoor, it's not client side scanning: a magical solution will be developed that can only be used by the good guys. April 1.
The Record From Recorded Future News @TheRecord_Media

The European Commission on Tuesday said it would create roadmaps regarding both the “lawful and effective access to data for law enforcement” and on encryption therecord.media/european-commi…

Cat Easdon retweeted
Baptiste Robert @fs0c131y
Hackers claim to have breached Gravy Analytics, a US location data broker selling to government agencies. They shared 3 samples on a Russian forum, exposing millions of location points across the US, Russia, and Europe. It's OSINT time! 👇
Cat Easdon retweeted
Max Smeets @Maxwsmeets
Excited to announce that @bindinghook has partnered with @MunSecConf to launch the AI-Cybersecurity Essay Prize Competition. This effort is intended to open a meaningful debate on the evolving role of Artificial Intelligence in cybersecurity and what it means for Europe’s future.
Cat Easdon retweeted
Binding Hook @bindinghook
In Binding Hook’s latest, privacy researcher @Cat_Easdon asks, ‘How can we put into action ethical AI principles that have a societal and political impact within corporate cultures that have no appetite for ‘politics’?’ bindinghook.com/articles-bindi…
Cat Easdon retweeted
Meredith Whittaker @mer__edith
Case in point: there's no way to build a backdoor that only the "good guys" can use. When the entire technical community says that the EU's ChatControl legislation + similar pose serious cybersecurity threats, we're not exaggerating for effect.
Cat Easdon retweeted
Lena Riecke @LenaRieckelr
Join us at ECCRI for the ✨Virtual Research Workshops✨ this fall with a brilliant lineup of speakers tackling how emerging technologies put pressure on the international order and key pillars of democracy, such as human rights and the rule of law! ⚡️📌🗓️
Virtual Routes @VirtualRoutes

🚨 ECCRI Virtual Research Workshops are back with the Fall/Winter session (October 2024 – January 2025) calendar, featuring @CrystalWhetsto4, @OleWillers, @LarsGjesvik, @elsdebusser, @sienaanstis and others! 💡 Read more and sign up: eccri.eu/eccri-virtual-…

Cat Easdon retweeted
Peter Kraft @petereliaskraft
What happens if your CPU gets something wrong? If it wakes up one day and decides 2+2=5? Well, most of us will never have to worry about that. But if you work at a company the size of Google, you do, which is why this paper on "mercurial cores" is so fascinating.

What the authors report--and supposedly this is common knowledge at the hyperscalers--is that a couple cores per several thousand machines are "mercurial." Due to subtle manufacturing defects or old age, they give wrong answers for certain instructions. These can cause all sorts of impossible-to-diagnose issues. Some rare problems at Google that were traced back to bad CPUs include:

- Mutexes not working, causing application crashes
- Silent data corruption
- Garbage collectors targeting live memory, causing application crashes
- Kernel state corruption causing kernel panics

What makes CPUs go bad? It's very hard to tell. The authors posit that issues are becoming more frequent as CPUs get more complex, but there aren't solid numbers behind that. There are certainly strong relationships between frequency, temperature, voltage, and bad CPU behavior--most mercurial CPUs only cause problems under very specific conditions, but those conditions vary from CPU to CPU. Age is another source of problems, as older CPUs are more likely to exhibit problems.

Bad CPUs are an especially serious problem because they're very hard to detect. If cosmic rays flip bits in storage or on the network, that can be detected through error coding. But there's no analogy for a CPU that allows cheap online verification of its correctness. Instead, the best detection techniques involve monitoring for symptoms. If a core exhibits exceptionally high rates of process crashes or kernel panics relative to its fellows, that's a strong indication something is wrong with it. For the most critical applications, the authors propose triple modular redundancy--redoing each of its computations on three cores and majority-voting a reliable result.

More than anything, this paper is a call to action--letting everyone know that CPUs can fail. So now, if you ever find a bug you can't diagnose, you can blame the CPU! 🙂
Cat Easdon retweeted
Jason Kint @jason_kint
This strong analysis by Stoller. “It was as if every night Google could break into the offices of WSJ and take its subscriber list, and then go to its own advertising clients and tell them that it could sell them access to Wall Street Journal readers for much cheaper rates.”
Matt Stoller @matthewstoller

The end of surveillance capitalism begins on Monday, when the third Google antitrust trial opens. It could soon be three antitrust losses for the search giant, at which point their business model is over. thebignewsletter.com/p/a-post-googl…

Cat Easdon retweeted
Gergely Orosz @GergelyOrosz
Lots of people have the impression that the EU’s AI regulation is reducing innovation. Read the details: it does this: in *critical areas* at a societal level where an AI system hallucinating would have major implications. Law enforcement, employment decisions, border control.
Gergely Orosz @GergelyOrosz

@Carnage4Life Call me old fashioned, but the EU not allowing eg law enforcement, border control, or critical infrastructure to use AI systems that do not undergo vetting (aka banning “YOLO AI” in these areas) seems a good thing to me, as a resident. Slows adoption in these areas: on purpose

Cat Easdon retweeted
Kim Wuyts @Wuytski
The 3rd 🔶Privacy Threat Modeling Workshop (WPTM) 🔶 will be fully remote and free to attend! 🙌 The program will be a mix of research presentations 🎓, a panel session 💬, updates on the latest developments 💡 in the privacy threat modeling world. And I get to do the keynote 🤩
Cat Easdon retweeted
Wolfie Christl @WolfieChristl
I want to share some more details about what we found in our investigation into gambling data that are highly relevant to GDPR enforcement and privacy regulation at large. For example, this is how companies share personal data with each other during a bunch of 'cookie syncs'.
Cat Easdon retweeted
Jake Williams @MalwareJake
Okay, I'm just going to throw this out there, but maybe - just maybe - a vendor having the ability to change every one of their kernel drivers in the field at the same time without any approval from IT/end users is a model we need to reconsider... @CrowdStrike.
Cat Easdon retweeted
Matthew Green @matthew_d_green
I’m mostly blaming law enforcement access for the existence of this data, but I also suspect that marketing and data sales revenue streams played a role in its insecure storage. Making that business illegal should be a national security priority.