Tag about-security
13 bookmarks have this tag.
Computer security, airport security and everything else with the “security” word in it.
A bunch of domains owned by webshell authors expired, leaving backdoors in the webshells up for grabs.
A paper explaining some reasons not to trust Matrix. Includes pearls like “a homeserver can silently add user to a E2EE group and decrypt all the following messages and that’s not considered a vulnerability”.
Report about software found on North Korean smartphones.
Pen-and-paper secret sharing, looks fun. Don’t know how I would ever use this though.
A paper about choosing “nothing-up-my-sleeve” numbers while having stuff up your sleeve.
gstreamer-plugins-bad includes a NES 6502 emulator, which was vulnerable to RCE.
Review of many different software vulnerabilities caused by obscure undertested (mis-)features.
A modern web browser is the software equivalent of Gabriel’s Horn. Finite volume, but infinite attack surface.
How OpenBSD prohibited all syscalls from unknown locations.
Paper about how IT in healthcare in general and IT security in particular is done by people who don’t actually use it, listing different problems and workarounds that end up being used in the field.
Sacrificing convenience for security leads you to having neither security nor convenience.
tl;dr: /dev/random is obsolete and /dev/urandom is strictly better except in early boot.
In August 2015 the U.S. National Security Agency (NSA) released a major policy statement on the need for post-quantum cryptography (PQC). This announcement will be a great stimulus to the development, standardization, and commercialization of new quantum-safe algorithms. However, certain peculiarities in the wording and timing of the statement have puzzled many people and given rise to much speculation concerning the NSA, elliptic curve cryptography (ECC), and quantum-safe cryptography. Our purpose is to attempt to evaluate some of the theories that have been proposed.
It’s extremely important to make sure your OAuth implementation is secure. The fix is just one line of code away. We sincerely hope the information shared in our blog post series will help prevent major online breaches and help web service owners better protect their customers and users.