ddz.bsky.social
I drink amari and I know things. $ddz LMDDGTFY: https://duckduckgo.com/?q=dino+dai+zovi NYC/BK
130 posts 1,698 followers 112 following

We are destroying software: antirez.com/news/145

Exactly this. We should instead be investing that energy into making authentication in our environment unphishable by making it impossible to give away access to an attacker, even if someone actually wanted to.

NEW: WhatsApp says it has notified 90 victims, including journalists and members of civil society, that they were targeted with spyware made by Paragon. This is the first time that Paragon is linked to alleged abuse of its products. techcrunch.com/2025/01/31/w...

Meta says almost 100 journalists and activists were targeted with spyware from Israeli company Paragon Solutions using a zero-click vuln in WhatsApp. If you use an iPhone, enabling Lockdown Mode prevents this from working. www.theguardian.com/technology/2...

If you're interested in the history of bug bounties, for reasons, this series I did a few years ago with @k8em0.bsky.social @caseyjohnellis.bsky.social @ddz.bsky.social and many others may be of interest. duo.com/decipher/law...

I'm really liking the crisp definitions of and boundaries between product engineering, domain engineering, and infra engineering in this. How much of your security org builds "what any company would need" (infra) vs. "what is unique to this company but shared across the company" (domain)?

There are different privacy concerns and approaches for the training phase of AI as well as for the inference phase of using it. It's a good time to be thinking about what the right approaches are for each.

I wrote a post about how AI will interface with end-to-end encryption. TL;DR maybe not so well! blog.cryptographyengineering.com/2025/01/17/l...

+1, security product vendors, services companies, *and* internal teams must always operate under the Hippocratic Oath, "First, do no harm."

So phone metadata *is* actually sensitive and important information? So hard to keep this straight.

We blogged again! This time about our Data Safety Levels framework, which was inspired by the CDC/WHO Biosafety Levels system and Laboratory Biosafety Manuals. Like biological agents, we also don't want sensitive data to be exposed to humans or escape. code.cash.app/dsl-framework

The placement of liability for fraudulent credit card charges onto the issuer incentivized the shift to EMV, so we now have smartcards in our wallets and secure elements on our smartphones. Contrast this to the security of authn to way more critical things than buying a coffee.

Ever wanted to benchmark RSA key generation but found it too slow and variable, like benchmarking a lottery? No? Just me? Well, I nerd-sniped myself into producing average representative inputs that can be used to benchmark, profile, and compare RSA keygen. c2sp.org/CCTV/keygen Happy New Year(?)!

This Salt Typhoon stuff is insane. The entire FISA surveillance infrastructure has been completely owned by China and literally no part of our telecom infrastructure is safe to use without end-to-end encryption.

You’re still arguing about tabs vs. spaces? May I present…

The subtle benefit of *minimal* version selection as a systemic damper on software supply chain attacks: "What’s more, the deeper in your dependency tree the library is, the more explicit approvals are required for the library to propagate to your project." matklad.github.io/2024/12/24/m...
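As an added illustration of the point quoted above (this is example code written for this page, not from matklad's post or from the Go toolchain), here is a toy Minimal Version Selection resolver run over a constructed dependency graph. Module names (app, A, lib), integer version numbers and the manifests are all assumptions for the example. It contrasts MVS with a "take the newest available" policy so you can see that a freshly published lib@3 cannot reach app until A's maintainer requires it and app's maintainer requires that A.

```go
package main

import "fmt"

// modVer identifies one published version of a module. Versions are plain
// integers instead of semver strings to keep the example short (assumption).
type modVer struct {
	Path    string
	Version int
}

// requires maps each published module version to the requirement list in its
// own manifest, like the "require" block of a go.mod.
type requires map[modVer][]modVer

// Constructed registry and manifests (not real modules):
//   app@0 requires A@1;   A@1 requires lib@2
//   app@1 requires A@2;   A@2 requires lib@3   (A's maintainer reviewed and bumped)
//   lib@3 was just published; nobody in app@0's tree has asked for it yet.
var registry = map[string][]int{
	"A":   {1, 2},
	"lib": {1, 2, 3},
}

var manifests = requires{
	{"app", 0}: {{"A", 1}},
	{"app", 1}: {{"A", 2}},
	{"A", 1}:   {{"lib", 2}},
	{"A", 2}:   {{"lib", 3}},
	{"lib", 2}: nil,
	{"lib", 3}: nil,
}

// mvsSelect implements Minimal Version Selection: follow every requirement
// edge reachable from root, then keep, per module path, the highest version
// that some reachable manifest explicitly requires. A version that no
// manifest names can never enter the build list.
func mvsSelect(m requires, root modVer) map[string]int {
	build := map[string]int{}
	seen := map[modVer]bool{}
	var walk func(modVer)
	walk = func(mv modVer) {
		if seen[mv] {
			return
		}
		seen[mv] = true
		for _, dep := range m[mv] {
			if dep.Version > build[dep.Path] {
				build[dep.Path] = dep.Version
			}
			walk(dep)
		}
	}
	walk(root)
	return build
}

// latestSelect models the other common policy: for each reachable module,
// take the newest version the registry offers. The set of reachable paths is
// the same as under MVS; only the chosen version differs.
func latestSelect(reg map[string][]int, m requires, root modVer) map[string]int {
	build := map[string]int{}
	for path := range mvsSelect(m, root) {
		for _, v := range reg[path] {
			if v > build[path] {
				build[path] = v
			}
		}
	}
	return build
}

func main() {
	fmt.Println("MVS,    app@0:", mvsSelect(manifests, modVer{"app", 0}))             // map[A:1 lib:2]
	fmt.Println("latest, app@0:", latestSelect(registry, manifests, modVer{"app", 0})) // map[A:2 lib:3]
	fmt.Println("MVS,    app@1:", mvsSelect(manifests, modVer{"app", 1}))             // map[A:2 lib:3]
}
```

The "damper" is visible in the two MVS lines: app@0 keeps lib@2 no matter what lib publishes, and lib@3 only appears once app itself moves to A@2, i.e. after two separate maintainers have each made an explicit change. The latest-wins policy pulls lib@3 into app@0 with nobody above it having acted.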

The transition from static long-term "credentials" (PAN + CVV) to EMV cryptograms generated by smartcards and the continuing transition for online payments are good case studies for how to devalue data to the point of making attacks on processing infra no longer worthwhile. Human authn must be next.

Honestly, the Let's Encrypt folks don't get nearly enough credit for basically protecting the entire fucking internet, by making it absolute bog standard to encrypt everything. It happened so fast and so many people were skeptical.

An excellent episode on a topic on which I've given some thoughts in my book with similar conclusions: 1️⃣ Targeting TikTok in the name of "national security" avoids addressing the structural problems of unregulated personal data and content moderation.

Directory traversal vulnerabilities have plagued software customers for over two decades. It's time for software companies to step up and eliminate this persistent class of coding error entirely. More info here: https://buff.ly/3QpbblJ
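To make the class of bug concrete, here is an added example (written for this page, not code from the linked alert or any product it mentions) showing the usual vulnerable pattern next to a containment check. The base directory /srv/www and the request paths are constructed inputs; the check is lexical, so it assumes the path has already been URL-decoded by the time it is called.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the requested path would escape baseDir.
var ErrOutsideBase = errors.New("path escapes base directory")

// vulnerableJoin is the pattern behind most directory traversal bugs: the
// request path is glued onto the base directory with no containment check.
// filepath.Join cleans ".." segments, so "../../etc/passwd" silently becomes
// a path *above* baseDir instead of an error.
func vulnerableJoin(baseDir, requested string) string {
	return filepath.Join(baseDir, requested)
}

// safeJoin resolves requested relative to baseDir and refuses anything that
// does not land strictly inside it. It expects the already URL-decoded path;
// an encoded "%2e%2e" that is decoded later would bypass a lexical check.
func safeJoin(baseDir, requested string) (string, error) {
	// Absolute paths and drive/UNC prefixes are never valid relative names.
	if filepath.IsAbs(requested) || filepath.VolumeName(requested) != "" {
		return "", ErrOutsideBase
	}
	// A NUL byte would truncate the path in C-based layers below us.
	if strings.ContainsRune(requested, 0) {
		return "", errors.New("NUL byte in path")
	}
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, requested) // Join cleans "." and ".." segments
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// After cleaning, an escape shows up as a leading ".." component; "." means
	// the request named the base directory itself, which is not a file inside it.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	base := "/srv/www"
	for _, req := range []string{"css/../index.html", "../../etc/passwd", "img/../../etc/passwd"} {
		p, err := safeJoin(base, req)
		fmt.Printf("%-24q vulnerable=%-22s safe=%q err=%v\n", req, vulnerableJoin(base, req), p, err)
	}
}
```

The lexical check stops "../" escapes but not symlinks already present under the base directory; if untrusted parties can create files there, open the result through an API that refuses to follow links out of the root (Go 1.24's os.Root does this), or resolve with filepath.EvalSymlinks and re-run the containment check on the resolved path. Go 1.20 and later also offer filepath.IsLocal, which performs the same "stays inside" test on the raw request string.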

A bias can form if folks' primary exposure to Signal (or really any other tool) is through observing malicious uses. I've seen it happen with cryptocurrencies as well. A useful tool will often find itself useful for both beneficial and malicious use-cases. It's as old as discovering fire.

This is disingenuous marketing. Signal chats can't be 'monitored' by anyone not in those chats. Dressing up "joining groups via publicly posted links, then exfiltrating group data" as an offensive 'cybercapability' borders on misinfo, and confuses/scares ppl who rely on Signal for robust privacy.

The best Christmas movies are Three Days of the Condor and The Conversation. 🎥 🍿 Thank you for attending my TED talk.