Husband, dad, mountain biker, professor of computer security at FH Münster and department lead @fraunhofersit. Private account.
"But if my threat model is Mossad, Signal could be forced to-"
No. Stop it. Your threat model isn't fucking Mossad--who could probably pwn half of the entire XMPP ecosystem with a single libxml2 zero-day. (Also maybe Matrix?)
"But my self-hosting"
Irrelevant.
"But jurisdiction"
You think Swiss privacy law will stop the CIA from doing another CryptoAG?
They probably have 10-20 of those floating around already. Private "no log" VPNs are an attractive target for that.
Die Schweden sind bereit den Beweis anzutreten:
#Wärmepumpe funktioniert in Deutschland doch!
#IKEA unterstützt #Wärmewende
The end of an era, Usenix announces this July will be its final annual conference. https://www.usenix.org/blog/usenix-atc-announcement
❤️ - Ricarda Lang erklärt der MOMA-Moderation im ÖRR wie einer Drittklässlerin stabil, warum ein #AfDVerbotsverfahren auf dem Weg zum notwendigen #AfDVerbot alternativlos ist. Wahrscheinlich jedoch nicht das letzte Mal…
☑️ ☑️ ☑️
You receive a call on your phone.
The caller says they're from your bank and they're calling about a suspected fraud.
"Oh yeah," you think. Obvious scam, right?
The caller says "I'll send you an in-app notification to prove I'm calling from your bank."
Your phone buzzes. You tap the notification This is what you see.
Still think it is a scam?
1/3
Warning, long text
Power Outage in Spain – An Analysis
Solar energy comes out of your panels as direct current (DC). That’s all well and good, but homes and grids run on alternating current (AC). Enter the inverter – the humble box that turns solar wizardry into household juice.
Now, inverters aren’t just fancy plug adapters. They have to sync up with the grid – which means they generate exactly the same frequency as the rest of the system. No grid? No syncing. In that case, the inverter goes into what’s called island mode and produces power only for local use. So, if my solar system isn’t connected to the external grid, it can’t run the house – but it can still power two little emergency sockets. Cheers, I guess.
Normally, the grid runs at 50 Hz – that’s hertz, not some obscure Scandinavian metal band. But this frequency can wobble a bit. Physically and technically speaking, it rises when there’s too much power and not enough consumption, and falls when there’s a hungry grid and not enough electricity to feed it.
To keep the grid safe, inverters have an emergency shutdown feature: if the frequency goes over a set limit (apparently around 50.2 Hz), they also jump ship and go into island mode.
Spain’s energy mix is a bit unusual: lots of nuclear, lots of renewables – and a large chunk of those renewables are solar. Makes perfect sense in a country where “cloudy” means three fluffy cotton balls drifted by.
Now, nuclear energy comes with two charming quirks. First, you can’t change its output quickly – it’s not a dimmer switch, more like a cruise ship rudder. Second, nuclear plants cost nearly the same to run at half speed as they do at full throttle. So, naturally, you want to keep them purring along at max capacity.
Then came Monday, with weather conditions perfect enough to make a solar engineer weep with joy: loads of sun, plenty of wind. By 9 a.m., Spain’s energy needs were entirely met by nuclear and renewables. In fact, they had surplus electricity and began exporting it by the bucketload. They shut down everything easy to shut down – but nuclear? No chance. It stayed full steam ahead.
Then, two unfortunate things happened: one transmission line to France caught fire (as you do), and another developed resonances due to meteorological oddities.
So far, this is all well documented. Now we step into speculation territory.
These instabilities meant Spain couldn’t get rid of its excess electricity. The grid frequency rose past that critical 50.2 Hz mark – and boom: many solar systems switched to island mode. At that moment, they were providing nearly 15 gigawatts – around 60% of the national supply. And just like that, poof – they were gone.
Suddenly, two-thirds of the electricity vanished. Wind, nukes, and batteries couldn’t keep up – quite the opposite, in fact. To prevent damage, the nuclear plants initiated emergency shutdowns. Not great. (More on why that’s bad in a bit.) Within seconds, the entire grid collapsed. The solar systems were poised to help – but there was no grid left to sync with.
Everything went dark.
Portugal and southern France were also knocked offline, as they’d been happily sipping from Spain’s excess power. The European grid wasn’t amused and unceremoniously kicked Spain out of the club. France, with a bit of backup and a stiff upper lip, restored its network fairly quickly. My home automation system even picked up the moment the frequency dipped and France cranked up its own generation.
Portugal got the rough end of the stick. With fewer reserves and being smaller in size, they couldn’t help themselves – and no one else could help either, since Spain’s their only neighbour.
Rebooting the Grid – Why It’s a Right Pain
Restarting a collapsed grid isn’t just a matter of flipping a giant switch. It’s tricky for two reasons:
The fix? You split the grid into smaller bits. For each chunk, you build up some capacity, bring it online, then move on to the next. Rinse and repeat. This takes hours. Meanwhile, the sun moves across the sky – and even if you do reconnect the solar arrays, they won’t produce nearly as much as before. Come 8 p.m., they’re more or less useless.
So Spain needed outside help. They were gradually reconnected to the European grid – in small, careful steps. Without that assistance, large parts of Spain would probably still be in the dark. That’s why electricity came back first in places like Barcelona, close to the French border, while Portugal endured the longest wait.
Notes & Musings
Gut, was trendete da denn heute beim Spiegel: Ein weiterer #ePA Angriff.
Erst einmal sollte man der Fairness halber sagen, dass diesmal zügig und konsequent reagiert wurde. Das Problem ist schnell abgestellt worden. Aber naja, es ist ein etwas spezielles Problem. Wir gehen mal in die Tiefen von Befugungen auf ePAs…
Ist einer meiner Follower eingeschrieben bei dem "Disease Management Program (DMP)"? Der @SaatChris hat da Ideen. Bitte melden per PM und wir switchen auf Signal.
What we know so far about causes
there has been a very strong oscillation in the power flows of the networks, a disconnection from the rest of the electrical system of the European system, and this disconnection has led to a collapse of the electrical system at 12.32 hours
"Se ha producido una oscilación muy fuerte en los flujos de potencia de las redes, una desconexión del resto del sistema eléctrico del sistema europeo, y esta desconexión ha conllevado un colapso del sistema eléctrico a las 12.32 horas"
Both Spain and Portugal keep all possibilities for a root cause open, but made it a point to stress that a cyberattack is extremely unlikely as a root cause.
Obviously the Canaries and the Baleares have been fully unaffected, as they have independent segregated grids that are not connected to mainland (there is a cable from Mallorca to Valencia, but the grid is independent).
Everyone in Porto seems to be on the streets now. There’s queues at the supermarkets that are open, but many are closed. Around me Lidl and Spar stayed open, Minipreço and Mercadona closed. Surprisingly little issues with traffic from what I can see, even though traffic lights are off. Many bakeries are empty of inventory. Metro isn’t running. I see many tourists wait in front of AirBnBs, I assume some of them have electronic locks.
An interesting day in #Barcelona it was...
I expected it to be one as I was scheduled to do a presentation with the "Autoritat Catalana de Protecció de Dades" on the risk of S3 buckets and other data leaks. For me it was a special presentation because the first time in my life I would do a presentation in Spanish. Put a lot of preparation into it but was nervous anyway. But it went fine and we wrapped it up at about 12:00 local time.
As we (Directora Meritxell Borràs i Solé and me) were debriefing, suddenly the lights went out. I expected a small localized hiccup, so we didn't think much about it and started our journey to the scheduled lunch. A taxi was waiting for us.
1/7
We still have 1 T-shirt left and our study is still running for 2 weeks. Get your systems checked for the #Rowhammer effect and get a free T-shirt if you do it 10 times on the same system. Even if you do it just once, you have the change to win an Amazon gift card. Help us understand the Rowhammer Effect better! More infos: https://flippyr.am/
49% of orgs found out they had a ransomware actor when the ransomware actor deployed the ransomware. Only 30% detected it internally - ie read their alerts and contained it.
The other 21% found out because somebody externally told them somebody was active on their network (eg law enforcement, CISA, NCSC etc).
Key lesson - read the alerts. If you can’t afford to read the alerts, don’t buy the products, get an MSSP.
I know this is EXTRAORDINARILY BAD TIMING but I am writing it to pin to my profiles.
So, I do a lot of stuff. I work in critical infrastructure. I volunteer operate career clinics. I teach and speak on the topics. I have not tooled my life to become wealthy by any means - I try to do ethical and interesting stuff.
Leaving X two years ago really hit my ability to be able to reach audiences. The hard fact is, I use the money I make on side gigs like commercial speaking to be able to do community stuff and run a free conference.
49/50 people reading this are not the target of this message. If you happen to be a security leader in an organization that hires speakers for security awareness, security education, or niche cybersecurity events - you can hire me! It's an important part of my ability to do more outreach, especially now with a massive and costly move.
If you are looking for a speaker in the next year, I have a easy to work with agent at https://www.leadingauthorities.com/speakers/lesley-carhart
My commercial prices are negotiable. I do not charge for community speaking. I cannot currently speak commercially in Australia and I am personally eating the cost of travel to the US for engagements.
Plenty of examples of my talks in bio and on YouTube!
Update. "US conference boycott urged after French scientist deported"
https://archive.is/Wxwdg
"Academics say they are increasingly wary of travelling to conferences in the US after a French scientist was deported over text messages critical of Donald #Trump’s cuts to research funding … Space scientist Mark Wieczorek [@mrak], director of research at the Institut de Physique du Globe de Paris, part of CNRS, said the situation was “very troubling” and, despite being a dual US-French citizen, he now would “only go to the US for the case of a family emergency”…Given the French scientist in question is a “permanent researcher employed by CNRS”, it is “unlikely that this person is a radicalised terrorist and it is unlikely that their hatred of Trump is greater than mine as a US citizen,” continued Wieczorek."
Since CVEs getting on KEV get more traction in enterprises (for patching/etc) I hear that CISA now accepts Trump Coin "donations" to add CVEs you want to KEV so you can juice up your vuln management program.
#Ubuntu is moving away from GNU coreutils to Rust-based uutils coreutils with Ubuntu 25.10. There are two big differences with this move:
1. uutils coreutils is MIT licensed, not GPL.
2. Obviously, it's written in Rust, a memory-safe compiled language, unlike C.
IMO, this is a good move.
https://discourse.ubuntu.com/t/carefully-but-purposefully-oxidising-ubuntu/56995
Tarlogic found a "backdoor" in the ESP32 chips: https://social.lansky.name/@hn100/114127956134801350
Broadcom and Cypress chips have the same HCI "backdoor" allowing to write to the Bluetooth chip's RAM. This feature is used for firmware patches.
We didn't request CVEs for that 9 years ago. Instead, we built the InternalBlue Bluetooth research framework: https://github.com/seemoo-lab/internalblue
