Scott Arciszewski

Residing at the intersection of PHP, security, cryptography, and open source software. He/him. Opinions are solely mine. RTs != endorsements, etc.

Scott Arciszewski (@scottarc@infosec.exchange)
2025-06-21

neveragain.tech

This is still relevant, IMHO

Scott Arciszewski boosted:
2025-06-05

$5B in revenue, millions of mobile players, one question: are the dice rolls fair?

When Monopoly GO! players questioned their dice roll outcomes, the game's developers hired us to conduct an independent cryptographic design assessment of their PRNG architecture.

Our cryptographic design assessment evaluated two core concerns:
✅ Whether the random number generator produces unbiased outcomes for all players
✅ Whether the countermeasures effectively prevent malicious actors from predicting or manipulating results through client-side attacks

Read the case study: trailofbits.info/monopolygo-ca
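
The first concern above, unbiased outcomes, has a classic pitfall worth seeing in code: reducing a PRNG word to a die face with a plain modulo operation favours the low faces whenever the generator's output range is not a multiple of six. The following is an added example, not code from Trail of Bits or from the Monopoly GO! assessment; it uses an 8-bit draw (range 256) because that is the smallest case where the bias is visible by inspection, and the helper names are illustrative. The second concern, client-side manipulation, is addressed by the design choice the last function embodies: the roll is generated server-side from the OS CSPRNG and the client is handed only the result.

```python
"""Added example: modulo bias in dice rolls and its fix by rejection sampling.
Not part of the original post or the assessed game's code; names and the
8-bit output range are assumptions chosen for illustration."""
import secrets
from collections import Counter
from typing import Callable, Dict, Iterable

SIDES = 6
BYTE_RANGE = 256  # assumed PRNG output range: 8 bits, small enough to show the bias


def modulo_bias_counts(output_range: int, sides: int) -> Dict[int, int]:
    """Exact histogram of x % sides for x uniform over [0, output_range).

    When output_range is not a multiple of sides, the low residues receive
    one extra hit each; that surplus is the modulo bias.
    """
    counts = Counter(x % sides for x in range(output_range))
    return {face: counts[face] for face in range(sides)}


def rejection_counts(output_range: int, sides: int) -> Dict[int, int]:
    """Same histogram restricted to the accepted region [0, limit), where
    limit is the largest multiple of sides that fits. Exactly uniform."""
    limit = output_range - (output_range % sides)
    counts = Counter(x % sides for x in range(limit))
    return {face: counts[face] for face in range(sides)}


def biased_roll(draw: Callable[[], int]) -> int:
    """Naive reduction: one PRNG word reduced modulo SIDES. Biased toward 1..4
    for an 8-bit draw (faces 1-4 get 43/256, faces 5-6 get 42/256)."""
    return draw() % SIDES + 1


def unbiased_roll(draw: Callable[[], int], output_range: int = BYTE_RANGE) -> int:
    """Rejection sampling: discard any draw at or above the largest multiple
    of SIDES in the output range (252 for 8 bits), then reduce. Every face is
    now exactly equiprobable; the loop terminates with probability 1."""
    limit = output_range - (output_range % SIDES)
    while True:
        x = draw()
        if x < limit:
            return x % SIDES + 1


def server_roll() -> int:
    """Production-grade roll. `secrets.randbelow` draws from the OS CSPRNG and
    already performs rejection sampling internally. Nothing here accepts a
    client-supplied seed, nonce or 'proposed' result: the server is the only
    party that rolls, which is what defeats client-side manipulation."""
    return secrets.randbelow(SIDES) + 1


def scripted_draw(values: Iterable[int]) -> Callable[[], int]:
    """Deterministic stand-in for a PRNG so the rejection path can be traced."""
    it = iter(values)
    return lambda: next(it)
```

Two caveats a reviewer would add: with a 32-bit or 64-bit generator the modulo bias shrinks to roughly 2^-31 or 2^-63 per face, too small to detect statistically but still nonzero, so rejection sampling (or `secrets.randbelow`) remains the correct construction; and no amount of unbiased reduction helps if the underlying generator is not cryptographically secure or its state is visible to the client, since a predictable stream is fair in distribution yet trivially exploitable.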

Scott Arciszewski boosted:
PQC League of Evil (@pqcloe@infosec.exchange)
2025-03-12

Urgent release by the PQ League of Evil:
Private key formats for ML-KEM and ML-DSA have been hotly debated recently. We at the league have discovered a missing perspective in the discussion: while the expanded private key format contains most information, it misses the matrix itself, which should be possible to store as well. Therefore, we suggest the following solution:
ASN.1 CHOICE of:
Seed
Expanded private key
Extra expanded private key
Both
More both
Extra both
All

We already have modules in the validation pipeline that only support extra expanded private keys, and it would be unfair to us early adopters to not standardize like this!

Of course, we are aware of the concerns that keys might contain redundant data. To address this, implementers SHOULD randomly flip bits in some of the keys before loading.

Scott Arciszewski boosted:
2025-03-08

thanks @danmcd for pointing me to this excellent Techdirt piece from Mike Masnick that sort of captures my thoughts here:

Why Techdirt Is Now A Democracy Blog (Whether We Like It Or Not)

"While political reporters are still doing their view-from-nowhere “Democrats say this, Republicans say that” dance, tech and legal journalists have been watching an unfortunately recognizable plan unfold — a playbook we’re all too familiar with. We’ve seen how technology can be wielded to consolidate power, how institutional guardrails can be circumvented through technical and legal workarounds, and how smoke and mirrors claims about “innovation” can mask old-fashioned power grabs. It’s a playbook we watched Musk perfect at Twitter, and now we’re seeing it deployed on a national scale.

Over the last few weeks, I’ve had a few people reach out about our coverage these days. Most have been very supportive of what we’ve been covering (in fact, people have been strongly encouraging us to keep it up), but a few asked questions regarding what Techdirt is focused on these days, and how much we were leaning into covering “politics.”

When the very institutions that made American innovation possible are being systematically dismantled, it’s not a “political” story anymore. It’s a story about whether the environment that enabled all the other stories we cover will continue to exist.

We’ve always covered the intersection of technology, innovation, and policy (27+ years and counting). Sometimes that meant writing about patents or copyright, sometimes about content moderation, sometimes about privacy. But what happens when the fundamental systems that make all of those conversations possible start breaking down? When the people dismantling those systems aren’t even pretending to replace them with something better?

But there’s more to it than that..."

techdirt.com/2025/03/04/why-te

Scott Arciszewski boosted:
2025-03-08

What's the most common feedback/comment I've received over the past month? "I used to like reading your stuff when you didn't write about politics all the time."

My response: Me too. But they've left me no choice at this point. If you think tech isn't politics and vice versa, you probably don't believe national security and cybersecurity are two sides of the same coin, either.

Scott Arciszewski boosted:
2025-02-18

I love that I've been on Mastodon more than 2 years now as my one and only social media platform (apart from LinkedIn, sorta), and I can say with some confidence that most of the accounts I'm interacting with are not bots, but instead are real live human beings with fascinating lives and interests. Thanks again everyone, and may we continue to enjoy this remarkable achievement for a long time to come.

Scott Arciszewski boosted:
2025-02-14

Thanks to OSTIF! In 2024, we assessed cURL's HTTP/3 components. We found two issues, enhanced fuzzing coverage, and provided testing and security recommendations.

github.com/trailofbits/publica

cURL marked our 14th security assessment with OSTIF, with our first being in 2019. OSTIF's mission to secure critical open-source software has led to security improvements across projects on which we all depend.
Read their annual reports:
ostif.org/ostif-2024-annual-re
ostif.org/2024-sovtech-audit-r

Scott Arciszewski boosted:
2025-02-06

Drop what you are doing and read this incredible story from Wired, if you can. After that, come back here.

wired.com/story/edward-coristi

It mentions that a 19 y/o man who's assisting Musk's team and who has access to sensitive government systems is Edward Coristine. Wired said Coristine, who apparently goes by the nickname "Big Balls," runs a number of companies, including one called Tesla.Sexy LLC

"Tesla.Sexy controls dozens of web domains, including at least two Russian-registered domains. One of those domains, which is still active, offers a service called Helfie, which is an AI bot for Discord servers targeting the Russian market. While the operation of a Russian website would not violate US sanctions preventing Americans doing business with Russian companies, it could potentially be a factor in a security clearance review."

The really interesting part for me is Coristine's work history at a company called Path Networks, which Wired describes generously as a company "known for hiring reformed black-hat hackers."

"At Path Network, Coristine worked as a systems engineer from April to June of 2022, according to his now-deleted LinkedIn resume. Path has at times listed as employees Eric Taylor, also known as Cosmo the God, a well-known former cybercriminal and member of the hacker group UGNazis, as well as Matthew Flannery, an Australian convicted hacker whom police allege was a member of the hacker group LulzSec. It’s unclear whether Coristine worked at Path concurrently with those hackers, and WIRED found no evidence that either Coristine or other Path employees engaged in illegal activity while at the company."

The founder of Path is a young man named Marshal Webb. I wrote about Webb back in 2016, in a story about a DDoS defense company he co-founded called BackConnect LLC. Working with Doug Madory, we determined that BackConnect had a long history of hijacking Internet address space that it didn't own.

krebsonsecurity.com/2016/09/dd

Incidentally, less than 24 hours after that story ran, my site KrebsOnSecurity.com was hit with the biggest DDoS attack the Internet had ever seen at the time. That sustained attack kept my site offline for nearly 4 days.

krebsonsecurity.com/2016/09/kr

Here's the real story behind why Coristine only worked at Path for a few months. He was fired after Webb accused him of making it known that one of Path's employees was Curtis Gervais, a serial swatter from Canada who was convicted of perpetrating dozens of swattings and bomb threats -- including at least two attempts on our home in 2014. [BTW the aforementioned Eric Taylor was convicted of a separate (successful) swatting against our home in 2013.]

krebsonsecurity.com/2017/09/ca

krebsonsecurity.com/2017/02/me

In the screenshot here, we can see Webb replying to a message from Gervais stating that "Edward has been terminated for leaking internal information to the competitors."

Wired cited experts saying it's unlikely Coristine could have passed a security clearance needed to view the sensitive government information he now has access to.

Want to learn more about Path? Check out the website pathtruths.com/

[Screenshot: group chat "Tempest Chats 2022", Mon, Jun 13. Marshal Webb invited 1 person to the group; Wheaty accepted the invitation. Marshal Webb: "Everyone welcome Wheaty to the group, he's here to replace Edward on weekends." Peter Potvin: "Welcome!" Bushhy: "Welcome Wheaty!" Wheaty: "Thank you, happy to be here!" Marshal Webb: "Wheaty welcome! I hope you won't be liquidated like your predecessor." Wheaty: "Not a chance! :)"]

Scott Arciszewski boosted:
Matthew McPherrin (@mattm@infosec.exchange)
2025-02-05

Congratulations to the Firefox team for shipping CT enforcement!

> Starting in Firefox 135, Certificate Transparency is now enforced on all desktop platforms.

groups.google.com/a/mozilla.or

Scott Arciszewski boosted:
Paragon Initiative Enterprises (@paragon@phpc.social)
2025-02-04

New from our team: A PHP implementation of RFC 9180 (HPKE - Hybrid Public-Key Encryption):

github.com/paragonie/hpke-php

This should serve as a building block for more secure protocols (i.e., RFC 9420 a.k.a. Messaging Layer Security).

This would, in turn, enable PHP developers to write software that communicates with MLS-compatible end-to-end encrypted messaging services.

Scott Arciszewski (@scottarc@infosec.exchange)
2025-01-29

@huntermaxfield I'm happy to answer questions, but I abhor phone calls.

Scott Arciszewski boosted:
2025-01-28

I found a 1-click exploit in South Korea's biggest mobile chat app. This would have allowed an attacker to steal all users' chat messages.

Full write-up available here: stulle123.github.io/posts/kaka

Scott Arciszewski boosted:
2024-12-05

New from 404 Media: Yancey Spruill, who at the time was DigitalOcean's CEO, told staff in an all-hands meeting that his former mentor was a member of the KKK, which he said shows how employees can work together despite holding different values. We got recordings 404media.co/ceo-attempted-to-n

Scott Arciszewski boosted:
2024-12-05

So, I guess the media was finally right about millennials killing industries

Scott Arciszewski (@scottarc@infosec.exchange)
2024-11-09

Years ago, I signed neveragain.tech

I stand by my decision to sign that.

Scott Arciszewski boosted:
Julia Evans (@b0rk@jvns.ca)
2024-11-04

I feel like half of programming is remembering how weird stuff works and the other half is setting things up so that you do not have to remember the weird stuff

Scott Arciszewski boosted:
2024-10-24

I'm also honored to share this post from @scottarc about why he chose to join us and what he sees as the vision for #aspirepress.

scottarc.blog/2024/10/24/aspir

Scott Arciszewski boosted:
2024-10-24

AspirePress is honored and excited to share that Scott Arciszewski (@scottarc) has joined us as our security advisor and a project contributor!

Scott is an expert in security and will help ensure a fully secure, distributed, and freely available WordPress package repository for everyone.

Scott Arciszewski boosted:
2024-10-24

A vision of a distributed package repository in WordPress aspirepress.org/distributed-vi #wordpress #wp #wpdrama
