Kevin Backhouse

🎺 🎺 Have *you* developed applications with client-side secrets? It can be a real pain since secret management APIs are different on all platforms. We have released MPSS---a Multi-Platform Secure Signing library. It provides a unified secret management API that is backed by native HSM-powered secret management APIs on different platforms (Windows, macOS, iOS, Android). It also comes with an OpenSSL provider that allows you to use MPSS secrets through the familiar OpenSSL APIs that we all know and love. MPSS is available at https://lnkd.in/ghQ6DtTY. We welcome code contributions from the community and hope you find the library useful. Huge thanks to my amazing collaborator Radames Cruz for making this real.

54

Saw this write-up about a Claude security issue demonstrating prompt injection + file exfiltration risks for Cowork that"a worth reading: https://lnkd.in/dzvWpbuS My thoughts: 1.) Claude Code and Cowork are amazing tools. If we're serious about the future of agents, this requires giving these systems actual agency, e.g. the ability to act outside their sandbox. 2.) But that comes with enhanced risks. Prompt injection was mostly theoretical a year ago. With Cowork automating across your work environment, it's not theoretical anymore. And the attack demoed in the article can happen with zero user approval. 3.) What really surprised me: Anthropic knew about this specific file exfiltration vulnerability before releasing Cowork (it was disclosed months ago in Claude.ai chat). They acknowledged it but didn't fix it; they just added a warning for users to watch for "suspicious actions." That's a buyer-beware approach I didn't expect from them. The experiments I've done with Cowork have been really cool. But using these tools well needs a clear-eyed view of the risks. We all want autonomous agents, but we can't ignore the cracks in the foundation. For folks who are experimenting right now with Cowork, how are you balancing the excitement of the tool with the reality of these risks? #genAI #Anthropic #Claude #promptinjection #AIsafety #cybersecurity #buyerbeware

3

1 Comment

New resource added to FHE.org/resources: "Apple's Deployment of Homomorphic Encryption at Scale" by Rehan Rishi, Haris Mughees, Fabian Boemer, Karl Tarbe, Nicholas Genise, Akshay Wadia, and Ruiyu Zhu. https://lnkd.in/dfUTGGvX Know of an FHE resource that should be shared? Let us know below!

34

4 Comments

We often think of open source software as “freeware.” But behind every widely used library or framework is a maintainer juggling unpaid work, burnout, and community expectations. The reality? Maintaining open infrastructure takes real resources — and the current model isn’t sustainable. The Open Source Security Foundation (OpenSSF), alongside over 20 organizations, just released a joint statement calling for sustainable investment in open infrastructure. Their message is clear: we must move beyond passive reliance and actively support the people and projects that keep open source secure, stable, and thriving. 🔍 Key takeaways: • Open infrastructure is a shared responsibility. • Volunteer-driven maintenance is not a sustainable model. • Organizations must invest in long-term stewardship — financially and operationally. 📢 Whether you're a developer, a tech leader, or a policymaker, now’s the time to ask: How are we supporting the open source foundations we depend on every day? Explore the full joint statement from OpenSSF here: https://lnkd.in/g4KADrY9 #OpenSource #CyberSecurity #DigitalInfrastructure #Sustainability #OpenSSF #TechLeadership #SoftwareStewardshipOpen

7

2 Comments

If you’re worried about double-fetch vulnerabilities in COTS RTOS kernels, then read IsolatOS: Detecting Double Fetch Bugs in COTS RTOS by Re-enabling Kernel Isolation. To appear at NDSS’26. https://lnkd.in/efzMnUSx

19

Regarding the recent Anthropic marketing post in which they claim their LLM has identified 500 high-severity vulnerabilities, I'd like to make you aware of the following exchange on oss-security: https://lnkd.in/dn5nKdRn

261

33 Comments

If you haven't read the reports on the iOS spyware Coruna, I recommend you check out the blogs by Google and iVerify. This could be considered a watershed moment for mobile security. Not only is it the first time that iOS 0-day exploit use has been observed being used by a criminal entity, but it also highlights the proliferation of likely US 0-days in uncontrolled markets, something reminiscent of WannaCry. If you've ever been on the receiving end of one of my mobile threat landscape briefings then I'm sorry, but jokes aside one of the ideas I posited over the last couple years is that the pressure on Israeli / European / US commercial surveillance vendors has driven these entities to align further with NATO to avoid sanctions and negative press. This vacuum creates an opportunity in the mobile 0-day market for entities in Russia and China to corner the market for less ethical government customers, creating a cyber weapons pipeline similar to kinetic arms dealing occuring between these countries that are more aligned geopolitically. Operation Zero is an example of this, a 0-day purchaser backed with funding and support by the Russian government which has been willing to pay up to 20 million USD for mobile exploit chains, and which only sells to non-NATO entities. You may have heard of them in relation to a recent news story regarding the conviction of an L3Harris employee selling multiple exploits to Operation Zero for up to 4 million USD. The exploits in Coruna were used in four campaigns in chronological order: some of the exploits were observed in Operation Triangulation targeting Kaspersky -> government customer of a CSV used them -> Russian APT used them against Ukraine -> Chinese criminal organization used them to target cryptocurrency. This, plus other indicators within the code, points to the stolen L3Harris exploits as the likely start of the spread if we're to speculate, at least IMO. I think this is just the beginning. People are downplaying the exploits due to the fact that they only affect older iOS devices running outdated OSs, but some key takeaways from this story are the framework and the exploit pipeline, regardless of the exploits used in these attacks. Criminal groups and non-NATO aligned APTs now have access to completely inscrupulous brokers that can get them mobile exploit chains, they have an adaptable framework to use new exploits to target iOS devices, and Android likely isn't far behind. All of this in an environment where your average mobile user doesn't have any sort of additional protection on their devices, to include employees for many major companies and governments. Imagine if SLSH (Scattered Lapsus$ Hunters) decides to use this tech, or ransomware groups. I don't think most orgs are prepared for this.

107

4 Comments

I've updated the page for the Encyclopedia of Crash Dump Analysis Patterns, Third Edition, adding all available purchase options https://lnkd.in/gckWeNxe

5

Veracode published the 2026 edition of its long-running State of Software Security report last week. As we have for nearly a decade now, Cyentia Institute provided independent analysis of the massive dataset that spans SAST, DAST, and SCA findings. I'll be sharing some highlights this week, so punch that follow and/or like button to tell The Algorithm that you want to monitor the posts. If you just can't wait for them to roll out, a link to the full report is in the comments.

38

3 Comments

If you need to use software that has undecidable security/saftey properties, should you consider an external (dependency) implementation? I recently posted about specification-only libraries, which sparked a bunch of very healthy dialog. Constructive debate is incredibly important. One point that was very relevant was that certain safety/security properties are undecidable using formal methods. My response was, in that case, I rather use software generated with my tool chain than take an external dependency. Do you have any strong counterpoints?

9

6 Comments

I'd also like to point out Anja Lehmann's insightful presentation on the potential adoption of such privacy tech in the EU Digital ID framework: https://lnkd.in/eiSK3HFJ

1

I was thinking about what could be a second order effect from the #CRA for #opensource developers The CRA does have carve outs that spare individual open source contributors from many of the requirements, but I wonder if we will see those projects receiving requests from companies to provide evidence While the companies using the software are on the hook to track #security #vulnerabilities and evidence like #SBOM, there's nothing stopping those companies from asking an open source developer to help them out, just this once Now multiply this by several thousand and we have a problem I would value thoughts from Roman Zhukov and Daniel Thompson-Yvetot, am I missing something important?

9

23 Comments

I came across a surprising GitHub earlier today 🤖 https://lnkd.in/eZkgXbr5 A frustrated site owner reported that his site was being scraped aggressively with Scrapy, a popular open-source scraping framework. His proposed fixes? – Enforce robots.txt at the framework level – Limit concurrency by default – Require users to insert an email in the user agent If that sounds like trying to stop a freight train with a “Please slow down” sign, that’s because it is 😅 . The maintainers gave the expected response: Scrapy is just a tool. They’re not responsible for how it’s used. If you're seeing abusive traffic, you need to defend your site, not ask bot developers to be nicer 😇 Still, this thread is a great example of how many teams encounter the bot problem for the first time: by surprise, and completely unprepared. They assume bots will follow the rules. That "good behavior" will be enough. That robots.txt is a real deterrent. It’s not. The reality? If your site has anything of value—inventory, PII, login endpoints, limited edition drops, pricing APIs—sooner or later, fraudsters and bot operators will come after it. Scrapers might be the first wave. Next comes credential stuffing, fake account creation, card testing, or abuse of free trials. And they won’t politely identify themselves. They’ll spoof user agents. rotate IPs. Use headless browsers, anti-detect tools, residential proxies. Basic rate limits and blocklists won’t cut it. Hope is not a strategy. Neither is trusting that user agents are honest. If you’re not actively investing in bot detection, you’re not protected. You’re just lucky, for now 🤞

48

2 Comments

It was started with the static honeypots and very basic ELK (Elasticsearch, Logstash, Kibana) base monitoring during 2018 to 2021 with the aim of adaptive and intelligent deception. At 2024 Blockchain integrated and AI driven honeypot make the break throw with its efficient rreal time detection, tamper proof logging along with simple and dynamic deployment. https://lnkd.in/g-aqPmwR

25

At Ghost Security 👻 when we are looking at solving a problem for our customers, I really enjoy it when we can apply LLMs in an augmentation capacity that aims squarely at reducing toil. That is, where the LLMs strengths heavily overlap with tasks that AppSec teams deem high value but weren’t able to be done before because at scale they are too voluminous so they do without. Very interesting things start to happen when AppSec teams stop fighting their tools to get results they can trust across their app fleet and that affords them the time to focus more strategically to pay down risk.

18

4 Comments

If you think Prompt Injection is just a "chat" problem, you’re wrong. The Orca Security research team (<3) just proved you can take over a GitHub repository without ever typing a single word to the AI. I'm so excited to see this research project, which Roi Nisimi led before I left, finally see the light of day. No "ignore previous instructions." No "jailbreaking." No social engineering. The attack is just a "comment" in a GitHub Issue. When a developer opened their IDE to help, the AI read that comment, saw it as a set of commands, and silently handed the attackers the repo's GITHUB_TOKEN. This is the "Compound Risk" of Agentic AI. When you give an AI "hands" (tools, terminal access, tokens) and a "brain" that can't tell the difference between a user's instruction and a piece of data it just read, you've built a Sleeper Agent. If your AI agent can read your Jira tickets, your Slack, or your PRs, an attacker doesn't need to hack you. They just need to "salt" the information the AI is about to process. In reality: We are giving AI "God Mode" permissions while it's still operating on "Open Book" logic. That's an architectural disaster waiting to happen. Stop filtering the chat. Start hardening the architecture.

72

10 Comments