jsr
jsr@primal.net
npub1vz03...ttwj
Chasing digital badness at the citizen lab. All words here are my own.
jsr 5 months ago
Google bad ux. And you'll get your results in Comic Sans. Try it
jsr 5 months ago
It is a lot easier to celebrate a turn towards dictatorship when you are untethered to historical knowledge. No amount of centralized power delivers a society with true personal freedom in the long run. History shows that even when dictatorships perform 'well' on some factors, especially in the short term, they send people into a freedom-robbing labyrinth. Do you care about personal liberty? Because in the long run with dictatorships you will lose on having a society that supports freedom, personal rights and liberties and decentralization of knowledge and innovation. Because dictatorships concentrate power without balance. Over time as inequalities & unfairness become severe... the rule gets more brittle. And dictators have to give more favors to the people that help them stay in power. Like economic favors. People with ambition then need to play into the system and help prop up the dictator if they want to keep their resources. Even then they are vulnerable to having everything taken. And for anyone that dares point out increasingly obvious flaws? Well, most dictatorships invariably slide into repression. People with new, better ideas that also happen to challenge the dictator's entrenched interests? Or those of the dictator's necessary economic allies? Family members? Point out corruption? Co-opted or cut down. Fueled by massive surveillance. And the threat of violence. Because self-censorship scales better than physical coercion on each person. People see opportunity for personal advantage. Some become informers. Some delight in the cruelty of seeing people they dislike arbitrarily punished. And when the strong leader dies? The society can be incredibly unstable as it carries the weight of so many injustices, so many lies. And for the system to persist? More repression needed.
jsr 5 months ago
Vibecoding is super interesting. And powerful. Coding syntax is getting better. But secure coding isn't keeping pace.

In a test of 100 coding models, 45% of them introduced a serious vulnerability. For example, in 86% of tests, code wasn't secured against Cross-Site Scripting.

NOW-TERM IMPLICATIONS
This has big implications. Sure, there are the YOLOcoders that ship whole vibecoded apps without thinking about security. Or code review. Some percentage of their users will get rekt. If those projects get near high risk users, they are sprinkling knives in the weeds with potential for harm.

BUT BIGGER MODELS = BETTER?
Interestingly, even big fat models aren't massively better with security.

S'EVERYWHERE
My other worry? Vibecoding without security check steps is happening in existing projects / platforms etc. Even when people say they are coding. Sometimes they be vibecoding. This sort of thing has already come to tools you use, including to handle your funds & privacy. Sure secure code writing & review has never been anything near universal, but the scale and speed of new code creation that #vibecoding enables is new.

VULNERABILITY DISCOVERY... ALSO ACCELERATING
ICYMI, vulnerability DISCOVERY is also accelerating a lot faster than secure code creation... Whole industries are spinning up, including lots of offensive projects.

ME? I #VIBECODE
I love the change in how I create with code. But I think we are in for some really rough times, and the least informed parties are gonna be users. As ever. In the longer run this problem space also seems to offer paths for AI-driven improvement in secure code creation. But since not everything is accelerating at the same pace, the deltas = harm.

Sauce:
jsr 5 months ago
The EU's Digital Identity Wallet project has a lot of big icks. Looking at the GitHub for the Android Age Verification application feels like chewing rocks. Like the proprietary attestation baked into a must-use form of identification is absolutely the wrong path... And while we're at it, recall the rule of thumb: Age Verification either by deliberate or convenient naïveté is almost always a surveillance trojan horse. Source:
jsr 5 months ago
Proton #VPN signups spike 1,400% as the UK Online Safety Act rolls out. Proton says the spike is sustained & higher than when France blocked adult content. Source: https://archive.ph/i2d9W
jsr 5 months ago
Tea enforced ID & selfie collection. And doxxed their own users. In other news, the UK Online Safety Act is forcing websites to begin collecting IDs. This will end, predictably, in fresh breaches. And more harm to users.
jsr 5 months ago
The only way to deal with an unfree world is to become so absolutely free that your very existence is an act of rebellion. -Attributed to Camus
jsr 5 months ago
Your honor, in my defense I was being extremely productive at the time of the crash.
jsr 6 months ago
You read dystopian sci-fi as a warning. These companies found business plans... Just as there are war hawks that delight in hard talk about military action, there are surveillance-yearners... For reasons I'll never fully understand the UK politicians aren't just surveillance-permissive. They delight in the idea. Pre-crime preventative detention coming soon...
jsr 6 months ago
Mass biometric surveillance is a one-way ticket away from democracy.
jsr 6 months ago
How it began: "our service helps consumers quickly do X..." How it's going: "we help business understand consumer behavior..." Soon: "we're launching a surveillance subsidiary for government customers..."
jsr 6 months ago
I prefer the company of people that don't snitch my business to skynet.
jsr 6 months ago
You can patch software, but you can't patch people. This is why social engineering will always work. The human brain is loaded with forever-day vulnerabilities...and attackers are constantly probing. Sometimes I think that they've developed a more applicable & empirically tested theory of human motivation and cognition than psychologists... Sometimes tens of thousands of A/B tests a day...
jsr 6 months ago
🚨NEW REPORT from us: exposing a new social engineering/hacking tactic. 🇷🇺Russian state-backed hackers successfully compromised a prominent (& professionally paranoid) expert on Russian military operations. Shocking, right? But the attack is solidly clever & worth understanding. I expect more like it.

ATTACK FLOW
Keir Giles gets a message purporting to be from the U.S. State Dept asking for a consultation. The attackers send the message from a gmail, but CC'd a bunch of state.gov email addresses. Including one with the same name as the purported sender. Strong credibility signal to have a bunch of gov ppl on the CC line, right? Well, what the attackers were counting on is that the State Dept mailserver just accepts all email addresses without emitting a bounce. So they seem to have just created some fake State Dept staff names and addresses.

INTRODUCING THE DECEPTION
The attackers wait for the 2nd interaction to introduce the pivotal deception: getting him to 'connect to a secure platform.' In the next days they patiently walk him through what they want him to do, even sending a very official looking (but fake) State Dept. document. The attack works like this: the attackers try to deceive the target into creating and sharing an App-Specific Password (ASP) with them. They do this by reframing ASPs as something that will let him access a secure resource (spoiler: not how this works).

REMINDER: WHAT IS AN ASP?
What's an ASP? Well, not every app that users want to use supports Multi-Factor Authentication. Some older email clients for example don't. So providers like #Google let users create a special password just for those apps. There were so many clever bits to this attack, it's easy to imagine a lot of people falling for it. Everything was clean. Doc looked real. The language was right. Email addresses at the State Dept. seemed to be CC'd... I could go on. They even had Keir enter "ms.state. gov" into the ASP name...

SLOW FOOD SOCIAL ENGINEERING
This attack was like slow food. 10 email exchanges over several weeks! Very much not your run-of-the-mill phishing. It's like they know what we all expect from them... and then did the opposite. Ultimately, he realized something was wrong and got in touch with us at #citizenlab... but not before the attackers got access. He's said that he expects some sort of 'leak' constructed out of a mixture of his real messages & carefully added falsehoods. I tend to agree, this is a pretty common tactic. Here's what that looks like, btw, from a report we did back in 2017 where we compared what was released after a hack by Russian hackers vs the original:

Coda: Hilariously (to me at least) the attackers called the fake platform *MS DoS*

WHO DID IT?
Enter the Google Threat Intelligence Group w/ analysis & attribution. GTIG had been working on their own parallel investigation. Our friendly social engineers are: 🇷🇺 #UNC6293, a #Russian state-sponsored threat actor. Google adds a bonus additional low confidence association to #APT29 (that would be Russia's #SVR). Nice people.

TAKEAWAYS?
Takeaway: some gov-backed groups are feeling pressure & experimenting. Moving from smash & grab phishing... to subtler, slower & perhaps less detectable. Targeting App-Specific Passwords is novel. But it's just part of a trend of state-backed attackers innovating & moving beyond simple phishing that targets credentials (maybe multi-factor codes) towards other mechanisms of account access. A lot of more sophisticated attackers are also spreading attacks across platforms... for example starting the attack on Signal/Telegram, then later pivoting to email, etc. The folks at Volexity (above pic showing a similarly complex operation) have some good reporting on that (link below).

GET SAFER
Do you think you face increased risk because of who you are & what you do?
✅ Use Google's free Advanced Protection Program. Set it up now:
✅ Exercise extra skepticism when unsolicited interactions slide into suggesting you change account settings!
✅ Talk to your IT/Security team about ASPs. Share the report, we've made some suggestions for them.

READ THE REPORTS
Ours at Citizen Lab:
Google's Post: https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia
Other citations: Our Tainted Leaks report where we walk through how materials got manipulated & leaked after a Russian gov hack:
Volexity's recent report:
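One receiving-side detection heuristic for the CC-padding trick described in the attack flow above, written as an added example that is not Citizen Lab's or Google's code: it parses a message's From: and Cc: headers and flags a consumer-provider sender whose CC line is stacked with addresses at another organisation's domain, one of which reuses the sender's own name. The consumer-provider list, the `dept.example` placeholder domain and both sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import getaddresses

# Assumption: a short illustrative set of consumer mail providers. A real
# mail filter would use the organisation's own lists.
CONSUMER_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def _parse_addresses(header_value):
    """Return (display_name, local_part, domain) triples, lower-cased."""
    triples = []
    for name, addr in getaddresses([str(header_value)]):
        if "@" not in addr:
            continue
        local, domain = addr.rsplit("@", 1)
        triples.append((name.strip().lower(), local.lower(), domain.lower()))
    return triples


def _name_tokens(*fields):
    """Split 'jane.placeholder' / 'Jane Placeholder' into a set of name tokens."""
    tokens = set()
    for field in fields:
        tokens |= set(field.replace(".", " ").replace("_", " ").split())
    return tokens


def assess_cc_padding(raw_message, min_cc_per_domain=3):
    """Score an RFC 5322 message for the CC-padding pattern.

    Returns a dict with the sender domain, the triggered flags and a score
    equal to the number of flags. Three signals are checked:
      1. the From: address is at a consumer mail provider,
      2. the Cc: line carries min_cc_per_domain or more addresses at one
         domain other than the sender's own,
      3. a Cc: entry at another domain carries the sender's display name.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    senders = _parse_addresses(msg.get("From", ""))
    ccs = _parse_addresses(msg.get("Cc", ""))
    if not senders:
        return {"sender_domain": None, "flags": ["no_from_address"], "score": 1}

    sender_name, sender_local, sender_domain = senders[0]
    flags = []

    if sender_domain in CONSUMER_MAIL_DOMAINS:
        flags.append("sender_at_consumer_mail_provider")

    # Count CC addresses per domain, ignoring the sender's own domain.
    per_domain = {}
    for _, _, domain in ccs:
        if domain != sender_domain:
            per_domain[domain] = per_domain.get(domain, 0) + 1
    padded = sorted(d for d, n in per_domain.items() if n >= min_cc_per_domain)
    if padded:
        flags.append("cc_padded_with_other_domain:" + ",".join(padded))

    # The sender's name reappearing as a CC entry at a different domain.
    sender_tokens = _name_tokens(sender_name) or _name_tokens(sender_local)
    for name, local, domain in ccs:
        if domain != sender_domain and sender_tokens and sender_tokens <= _name_tokens(name, local):
            flags.append("cc_carries_sender_name_at_other_domain")
            break

    return {"sender_domain": sender_domain, "flags": flags, "score": len(flags)}


# Constructed sample modelled on the flow described in the post (not the real
# attacker mail): consumer-provider sender, CC line padded with addresses at
# the organisation the sender claims to represent, one reusing the sender's name.
SUSPICIOUS_MESSAGE = """\
From: Jane Placeholder <jane.placeholder.office@gmail.com>
To: Target Person <target@example.org>
Cc: Jane Placeholder <jane.placeholder@dept.example>, A Staffer <a.staffer@dept.example>, B Staffer <b.staffer@dept.example>
Subject: Consultation request
Date: Mon, 02 Jun 2025 10:00:00 +0000

We would like to arrange a consultation at your convenience.
"""

# Constructed benign message: everyone is on the organisation's own domain.
BENIGN_MESSAGE = """\
From: A Staffer <a.staffer@dept.example>
To: Target Person <target@example.org>
Cc: B Staffer <b.staffer@dept.example>, C Staffer <c.staffer@dept.example>, D Staffer <d.staffer@dept.example>
Subject: Consultation request
Date: Mon, 02 Jun 2025 10:00:00 +0000

Following up on our earlier note.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, assess_cc_padding(raw))
```

This scores only the header pattern the post describes; it cannot tell whether the CC'd addresses exist, which is exactly what the accepting mail server hid from the target. The impersonated organisation's side has the more effective control there: rejecting mail for unknown recipients at SMTP time so that a padded CC line produces bounces. The name-token comparison is deliberately loose, so treat a hit as a reason to verify the sender out of band rather than as proof.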
jsr 6 months ago
Searching #Youtube, I ignore content less than 12 months old. To get past the #GenAI sloplayer. Like a volcanic explosion. Except instead of blanketing the world with ash, it's a smothering burden of low value, low-enjoyment, derivative, error-filled content.
jsr 6 months ago
“The Arab writer can be easily killed by their government under the pretext of ‘national security’” -Turki al-Jasser in 2014, unwittingly predicting how he'd die in 2025. He was just executed by Saudi Arabia, probably by beheading. For his posts critical of the government. He was reportedly tortured while in prison. Story:
jsr 6 months ago
New: WhatsApp announces that they are adding advertising. Ugh. As a researcher working on targeted / 0click attacks (including a few that have been done over WhatsApp...) it's hard to see how this works without opening up a fat new attack surface to be probed. I'm also worried about the ways that these advertising signals get used for tracking people in new parts of their digital lives. And it bugs me that it's going to be really hard if not impossible to use WhatsApp in a privacy-first way. What are your thoughts? Writeup:
jsr 6 months ago
Throwback to the 2010 Mass Homeopathy Overdose that killed scores of skeptics. Just kidding, they were fine. I remember getting curious about this & chasing down homeopaths' responses. My favorite went like: 'well of course they survived! They took too much! If they'd only taken less... it could have been really dangerous' Pic:
jsr 6 months ago
Government surveillance powers are like a ziptie. Nobody has the incentive to loosen them. They only ratchet tighter.