-

@TrueSkrillor joins the infosec community with a bang: A new attack class against the SSH protocol!

Announcing SPIQE 2026: 2nd Workshop on Secure Protocol Implementations in the Quantum Era, bringing together researchers and implementers to securely deploy PQC! 📍 Co-located with Euro S&P in Lisbon, Portugal, July 6-10, 2026 spiqe.cool #SPIQE2026 #EuroSP #PQC

FOLLOW US ON BLUESKY! We found a new vulnerability in TLS. It's a variant of the ALPACA attack that bypasses current countermeasures. Relatively low impact - but great insight! Check it out: opossum-attack.com // via bsky.app/profile/ic0nz1…

CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH openwall.com/lists/oss-secu… Allows an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code without prior authentication. Estimated CVSSv3 of 10.0.

@hot_girl_spring def is only executed once

why is python

Reminder, you must register your Real World Crypto 2025 submission by Friday AoE to have it considered, but you can finalise it until Monday (not AoE!), see submit.iacr.org/rwc2025/deadli… We hear there's a competing S&P deadline and we're nice like that. @RealWorldCrypto @grittygrease

The deadline for getting talk proposals in for @RealWorldCrypto 2025 is about two weeks away... rwc.iacr.org/2025/contribut… Talk proposals are short, so there is no excuse in not putting in a bid to talk about your fave applied crypto thing from the last year.

@kaepora It’s not doing the same thing, though.

The call for presentations of #RuhrSec 2025 is now open! ✅ Bring your expertise to the stage—submit your proposal today! 🎯 👉 ruhrsec.de/2025/cfp.html #cfp #conference #ITSecurityConference #NRW #Bochum #itsecurity #itsicherheit #cybersicherheit

[1/4] If you've ever tried finding timing side channels by actually measuring, you probably know that this can be incredibly frustrating. But it does not have to! While major side-channels are easy to detect, more subtle ones, especially when the measurements are noisy, are not!

@RaphaelWimmer "Sehr geehrte Damen und Herren" ist vermutlich gerade noch ok?

Ah, hab's gefunden. km.bayern.de/download/4-24-…

@BllvSimone Ist der Entwurf wirklich so formuliert, wie der Artikel es beschreibt? news4teachers.de/2024/07/gender…

So, Google Chrome gives all *.google.com sites full access to system / tab CPU usage, GPU usage, and memory usage. It also gives access to detailed processor information, and provides a logging backchannel. This API is not exposed to other sites - only to *.google.com.

@mysk_co Technical details are probably different but in 2022 another electron app, Microsoft Teams, leaked authentication tokens, and Microsoft tried to pull the same defense. Don’t know if they fixed it by now. bleepingcomputer.com/news/security/…

The security bug about storing the encryption key in plain text wasn't considered a bug by Signal in 2018, wasn't considered a bug by Signal's president today, and even demanded responsible disclosure for it. Well, that not bug thing is getting a fix now: #issuecomment-2218845070" target="_blank" rel="nofollow noopener">github.com/signalapp/Sign…

@kaepora „ Signal’s group chat benefits from lesser security guarantees“ voice calls, too. They are just webrtc, lol

@matthew_d_green File download can be easier than RCE, though, e.g. through path traversal bugs (I remember that some jabber clients used to have them back in the days).

Let’s also be clear that while I wouldn’t use Signal Desktop, attacks that require access to your computer as a precondition are not terribly impressive.

I do not, and have never trusted Signal Desktop. Security colleagues sometimes express amazement that I only use Signal on my phone, and I wonder if they might prefer to use Slack.

When registering for IACR Crypto'24, please consider signing up for the Workshop on Attacks in Cryptography 7 (WAC7) on Sunday. Our program is online: wac7.cryptanalysis.fun (modulo some attacks that are too new to be out of their embargo yet).

@RyanPolsley Can you upload gpx files?

@PurnalToon Nice catch! This mask is a common pattern. It's the same in the Classic McEliece reference code (see preprint for how to exploit such a leak: eprint.iacr.org/2023/1536). I wonder if this compiler optimization would be applied there, too.

I recently found an exploitable timing leak in the reference implementation of Kyber (ML-KEM), the soon-to-be NIST standard for post-quantum key encapsulation. Let’s see if you can spot it in the source code - msg is secret:

Citrix warns admins to manually mitigate PuTTY SSH client bug - @serghei bleepingcomputer.com/news/security/… bleepingcomputer.com/news/security/…

@the_aiju The principal author of glibc is Roland McGrath, and he has a personal web page at frob.com, check it out!

why the hell does glibc have a function “memfrob” that xors a memory area with the fixed value 42

Researchers found #vulnerabilities in #PuTTY SSH libraries (v0.68-0.80). Stairwell's research goes further, revealing more potentially at-risk software not in the #NIST advisory. See our report for a full list and a YARA rule to help these vulns: stairwell.com/resources/stai…