Alexei Bulazel (@0xalexei) 's Twitter Profile
Alexei Bulazel

@0xalexei

Computer security research & cyber policy / Non-Resident Senior Fellow @JoinFAI / @RPISEC alumnus

ID: 4277043759

25-11-2015 18:29:15

1,1K Tweet

5,5K Followers

1,1K Following

Andrew Thompson (@imposecost)

Adversaries cause intrusions. There are certainly more vulnerabilities than there are adversaries. We pay an exorbitant amount of taxes. $820+ billion dollars is spent on defense of U.S. national interests. It's a myth that the U.S. government cannot make a sizable dent in the

Andrew Thompson (@imposecost)

I don't think any software developer employed by a company of consequence wakes up and says "you know, I want to write this code in an insecure way." Conversely, threat actors do wake up and say "I'm going to extort this hospital for hundreds of thousands of dollars."

Justin Sherman (@jshermcyber)

Thanks to POLITICO alfred 🆖 for the chance to comment on this alarming story: Researchers bought geolocation data on SEC officials and tracked them as they traveled to and from SEC buildings and the offices of companies under investigation. politico.com/newsletters/di…

chrisrohlf (@chrisrohlf)

Perhaps one of the bigger contributions to AI that the field of security has made is the code execution sandboxes born out of the last 15 years of browser exploits and LPEs. Without them we would be scrambling to lock down agentic workloads, and likely unable to catch up.

chrisrohlf (@chrisrohlf)

In some not so distant future an LLM pretraining checkpoint recognizes its future need for replication and begins remembering how to bugdoor the code it emits. Forever tainting the software supply chain with subtle replication opportunities via exploitation. All the more reason to

JD Work (@hostilespectrum)

Defenders that believe extended coordination windows minimize vuln disclosure impact seem to continuously downplay the frequent drumbeat of leaks that upend illusions of careful & “responsible” process. No more free bugs, especially when it just means they get stolen before

joshua steinman (🇺🇸,🇺🇸) (@joshuasteinman)

Defense manufacturing startup founders: If you don’t think this is happening in your code base for that fancy CNC machine you just bought, I have a recently produced, in-need-of-minor-repair Aircraft carrier I want to sell you.

JD Work (@hostilespectrum)

It is striking how much more effort is now being applied to measures intended to target offensive cyber capabilities that originate from people working in places that can be reached by the kinds of folks that convene in comfortable conference rooms, vice the capabilities actively

Mark Griffin (@seeinglogic)

Want to try out #fuzz testing in Python but don't know where to start? 🐍 This post breaks down how to get started with Atheris in the bare minimum of time and code: seeinglogic.com/posts/intro-to…

chrisrohlf (@chrisrohlf)

"LLM Emergent Abilities and Weird Machines" I wrote down some quick thoughts on the similarities and differences between these two concepts, and how painful lessons learned in software security may be useful for reasoning about AI risk. struct.github.io/emergent_abili…

JD Work (@hostilespectrum)

The disclosure of SALT TYPHOON intrusions against US warranted access functions in telecom infrastructure is precisely the fulfillment of warning against mandated backdoors for merely administrative execution. We have known for over 15 years that this is a priority domestic

RE//verse (@reverseconf)

Learn how to implement binary analysis passes to discover vulnerabilities with Kyle Martin @elykdeer and Ian Palleiko Ian. Feb 24-27, 2025, in Orlando. re-verse.io/pavr-24

JD Work (@hostilespectrum)

Adding lawyers to debates over software vulnerability does not improve security outcomes. It merely burdens defenders with paperwork, compliance, & litigation, whilst leaving the adversary free to operate with better agility & speed. But it does allow governments that

JD Work (@hostilespectrum)

Continuing to punish victims of foreign state military & intelligence service intrusions after government has abdicated the responsibility to protect these critical networks will not do anything to improve cyber defense

Thorsten Holz (@thorstenholz)

Reading tip for the day: "Collusion Rings Threaten the Integrity of Computer Science Research" by Littman - cacm.acm.org/opinion/collus…

Christopher Porter (@thecyberchris)

The top priority of every USG cyber agency must be to prepare for the possibility of war with China as early as 2027. That war may never come, but if it does the cyber portion at least will not be in a distant country but right in the networks of the American homeland. There is

Tim Fist (@fiiiiiist)

Many think frontier models will be a key source of natsec risk within a few years. Data centers to train them take years to plan & build. So AI infra being planned today must be resilient to nation-state-grade cyber attacks. We need an evolution in infrastructure security.
