@AlanTudyk ("alan tudyk") retweeted:
@williamlegate ("William LeGate") wrote:
guy who wants to “eradicate” transgender people off the face of this Earth spotted in 4K partying w/ drag queens
@AlanTudyk ("alan tudyk") retweeted:
@williamlegate ("William LeGate") wrote:
guy who wants to “eradicate” transgender people off the face of this Earth spotted in 4K partying w/ drag queens
@AlanTudyk ("alan tudyk") retweeted:
@mehdirhasan ("Mehdi Hasan") wrote:
"Is it too much to ask that we, the US taxpayers, don't fund pogroms abroad?"
My @MSNBC commentary on the settler mob attack on a Palestinian village that was endorsed by a sitting Israeli minister, but described even by an Israeli general as a "pogrom."
@telegram ("Telegram Messenger") wrote:
You can delete any message in 1-on-1 chats for just yourself or for everyone. Telegram users have complete control over their digital footprint – and can make sure nobody spoils the surprise. #TelegramTips
@AnnTelnaes ("Ann Telnaes") wrote:
https://anntelnaes.substack.com/p/celebrating-women-who-tell-our-stories?utm_source=twitter&sd=pf
@33mhz ("Querelle de Brestine-Boubilie") retweeted:
@MercuryBD ("Stefan Trifunović") replied to a tweet by @MercuryBD:
Also here's the before and after spaceship redesign 😉
@olensmar ("Ole Lensmar") retweeted:
@Monokle_io ("Monokle - Git-enabled Kubernetes Config Tool") wrote:
Many tools offer validation for large Kubernetes resources. But, with Monokle you can create custom community plugins for tools like Argo CD & Prometheus!
Let the brilliant, Wito Delnat guide you through the easy process of building community plugins👇
https://loom.ly/UkQqEmw
@33mhz ("Querelle de Brestine-Boubilie") retweeted:
@sethharpesq ("Seth Harp") wrote:
Three main things you need to know for the 20th anniversary of the invasion of Iraq:
- all the people who did it are still in charge
- they're not even a little bit sorry for having killed a million innocent people
- the second they get the chance, they'll do it again
@schneierblog ("Schneier Blog") wrote:
New National Cybersecurity Strategy http://dlvr.it/SkRQP7
@MEGAprivacy ("MEGA") wrote:
MEGA has updated its client software to address vulnerabilities that could have impacted end-to-end security, read more on our blog:
https://blog.mega.io/e2ee-security-update/
@kennyog replied to a tweet by @kennyog:
To close this thread on a round number: thanks for reading to the end, and check out the paper at: https://mega-caveat.github.io (16/16)
@kennyog replied to a tweet by @kennyog:
On a personal note, working with @martinralbrecht, @M__Haller , Lenka Mareková was a blast - basically, this is the dream team when it comes to analysing “Crypto in the Wild”. (15/16)
@kennyog replied to a tweet by @kennyog:
We disclosed the attacks to MEGA on 29.09.2022. The disclosure process has been super smooth again - kudos to the MEGA team and thanks for the bounty. They’re releasing an update today, their blog at https://blog.mega.io/e2ee-security-update will have details. (12/16)
@kennyog replied to a tweet by @kennyog:
MEGA have made quite significant changes to their crypto - ECB is gone for RSA private key encryption, replaced with AES-GCM, the verbose error reporting is removed, and more. It’s been a complex task for MEGA to “repair the aeroplane in flight”. (13/16)
@kennyog replied to a tweet by @kennyog:
Our paper “Caveat Implementor! Key Recovery Attacks on MEGA” will appear at Eurocrypt 2023. Thanks to the program chairs and committee for accepting our work. (14/16)
@kennyog replied to a tweet by @kennyog:
What makes the attacks possible is that we also found an ECB encryption oracle in MEGA file-sharing. This lets us overwrite certain portions of the RSA private key with chosen data. Very handy for doing attacks, e.g. making sure all the math happens in a small subgroup. (10/16)
@kennyog replied to a tweet by @kennyog:
The paper has an easter egg: an improved attack on the original, unpatched MEGA system. The original attack needed 512, this was improved to 6 logins by Keegan Ryan and Nadia Heninger in https://eprint.iacr.org/2022/914. Now we only need 2 logins. (11/16)
@kennyog replied to a tweet by @kennyog:
Both attacks get us to the desired ECB decryption oracle. They need quite a lot of client logins - about 600 for the faster of the two. So quite hard to pull off - but not much harder than the previous, broken version of MEGA. (8/16)
@kennyog replied to a tweet by @kennyog:
Once we have the ECB decryption oracle, we can recover the RSA private key block-by-block. But why do that when you can pull out the big guns? Naturally, we use a lattice attack to finish the job. (9/16)
@kennyog replied to a tweet by @kennyog:
We managed to find two distinct attack vectors, exploiting different error messages that come up in client-side cryptographic processing. (6/16)
@kennyog replied to a tweet by @kennyog:
This gives us two attacks. One of them exploits failures in modular inversion when recomputing u = q^{-1} mod p. The other is a kind of “small subgroup meets Bleichenbacher” attack. Cool new techniques here! (7/16)
@kennyog replied to a tweet by @kennyog:
In one change, MEGA tightened up client-side RSA key validation. But they also made error reporting on the key validation and RSA decryption failures much more verbose. As cryptanalysts, we like error messages! (4/16)
@kennyog replied to a tweet by @kennyog:
Now the RSA private key is still protected by ECB-mode encryption under a master key. So we want to build an ECB decryption oracle. Cue cut and paste games. (5/16)
@kennyog replied to a tweet by @kennyog:
@MEGAprivacy is a cloud storage provider with 277 million users and 136 billion uploaded files. The service offers end-to-end encrypted storage, and claims strong security even against a malicious service provider. (2/16)
@kennyog replied to a tweet by @kennyog:
MEGA changed how their crypto works back in June 2022, in response to previous work by @M__Haller, Matilda Backendal and me. We decided to go down the rabbit-hole once again…. (3/16)
In a new paper, @martinralbrecht, @M__Haller, Lenka Mareková, and I took a fresh look at @MEGAprivacy. TL;DR: we broke the fixed version with attacks that can recover user RSA private keys and file keys. Paper and more at: https://mega-caveat.github.io (1/16)
with quote tweet:
MEGA - Malleable Encryption Goes Awry: I'm excited to share details of some new research on the security of @MEGAprivacy. Details at: https://mega-awry.io (1/28)
@BeeBabylon_ ("Bee Babylon 🌐") wrote:
Show á Íslandi í júní!!
with quote tweet:
@BeeBabylon_ ("Bee Babylon 🌐") wrote:
Tix are on sale for my Fringe preview in Iceland 🥳
Bringing along: @MarjoleinR @angusmaroon @MsKrystalEvans @StuartJayMurphy
@fakedansavage ("Dan Savage") wrote:
Not the obituary I wanted to read today.
@olensmar ("Ole Lensmar") retweeted:
@JediCowboyEric ("Eric Irwin") wrote:
Who is using @Testkube_io ? I am curious what people have done to extend it and take advantage of it as an operator.
Any gotchas or lessons learned worth sharing?
@fakedansavage ("Dan Savage") retweeted:
@realzoestrimpel ("Zoe Strimpel") wrote:
My latest: the age of the male hag https://www.spectator.co.uk/article/the-age-of-the-male-hag/ via @spectator
@Blklivesmatter ("Black Lives Matter") retweeted:
@interruptcrim ("Interrupting Criminalization") wrote:
"Abolition is a vision for the future, a world where we’ve divested from police, courts, and prisons; because instead of pumping money into the criminalization of the most disenfranchised among us, we’ve put that money into addressing the root causes..." https://theappeal.org/abolition-is-a-vision-for-the-future/