Key signing parties attempted to establish decentralized trust but they ultimately failed due to poor usability, lack of incentives, and shallow trust models. Verifiable Relationship Credentials (VRCs) provide a modern, peer-to-peer approach that enables actionable, contextual trust built on decentralized identifiers, and secure messaging. First-person identity emerges from direct connections that form relationships, mutual authentication, and portable, verifiable trust.
Listening to Drummond Reed at VRM Day, I was struck by how “first person”—a term that resonates more intuitively than “self-sovereign”—captures the essence of empowering individuals to build digital relationships rooted in personal agency, without intermediaries.
Zero Trust, Least Privilege, and Just-in-Time Access
When dynamic access control with JIT access is thoughtfully implemented, you shift the burden of security from employees to systems that automate protection, making it proactive and intelligent.
IIW XL brought together over 300 participants from 27 countries, highlighting the growing global momentum behind decentralized identity, digital wallets, and agent-based architectures.
Regulating AI Behavior with a Hypervisor - Schneier on Security
Interesting research: “Guillotine: Hypervisors for Isolating Malicious AIs.” Abstract:As AI models become more embedded in critical sectors like finance, healthcare, and the military, their inscrutable behavior poses ever-greater risks to society. To mitigate this risk, we propose Guillotine, a hypervisor architecture for sandboxing powerful AI models—models that, by accident or malice, can generate existential threats to humanity. Although Guillotine borrows some well-known virtualization techniques, Guillotine must also introduce fundamentally new isolation mechanisms to handle the unique threat model posed by existential-risk AIs. For example, a rogue AI may try to introspect upon hypervisor software or the underlying hardware substrate to enable later subversion of that control plane; thus, a Guillotine hypervisor requires careful co-design of the hypervisor software and the CPUs, RAM, NIC, and storage devices that support the hypervisor software, to thwart side channel leakage and more generally eliminate mechanisms for AI to exploit reflection-based vulnerabilities. Beyond such isolation at the software, network, and microarchitectural layers, a Guillotine hypervisor must also provide physical fail-safes more commonly associated with nuclear power plants, avionic platforms, and other types of mission critical systems. Physical fail-safes, e.g., involving electromechanical disconnection of network cables, or the flooding of a datacenter which holds a rogue AI, provide defense in depth if software, network, and microarchitectural isolation is compromised and a rogue AI must be temporarily shut down or permanently destroyed. ...
Here at Trail of Bits we review a lot of code. From major open source projects to exciting new proprietary software, we’ve seen it all. But one common denominator in all of these systems is that for some inexplicable reason people still seem to think RSA is a good cryptosystem to use. Let me save […]
Here’s A Spy Movie-Grade Access Card Sniffing Implant
Some of our devices look like they’re straight out of hacker movies. For instance, how about a small board you plant behind an RFID reader, collecting access card data and then replaying it w…
Microsoft 365 URLs and IP address ranges - Microsoft 365 Enterprise
Summary: Microsoft 365 requires connectivity to the Internet. The endpoints in this article should be reachable for customers using Microsoft 365 plans, including Government Community Cloud (GCC).
The world’s most widely used web app scanner. Free and open source. ZAP is a community project actively maintained by a dedicated international team, and a GitHub Top 1000 project.
If you use Multi-Factor Authentication, you'll be well used to scanning in QR codes which allow you to share a secret code with a website. These are known as Time-based One Time Passwords (TOTP). As I've moaned about before, TOTP has never been properly standardised. It's a mish-mash of half-finished proposals with no active development, no test suite, and no-one looking after it. Which is exactly what you want from a security specification, right?! So let's try to find some edge-cases and…
This Surprisingly Simple Email Trick Will Stop Spam With One Click
Some 320 billion spam emails are sent every day, and 94% of malware is delivered via this medium. What if I were to tell you a surprisingly simple one-click email trick could stop them?
Why Can't We End Spam? Ask An Economist. - JSTOR Daily
Law enforcement recently took out a bot network capable of sending 1.5 billion spam emails a day. So what are the economic incentives—and costs—of spam?
The US Military’s Unsecured UFO Satellites And Their Use By Russia
Something that you generally don’t expect as a North-America-based enthusiast, is to listen in on Russian military communications during their war in Ukraine via WebSDR, or that these communi…