Is it a vulnerability, or just a misunderstood feature?
At #NodeCongress2025, I broke it down in my talk: "What is a Vulnerability and What's Not"
Topics:
Real vs. imagined risks in #Nodejs and #Express
Why #threatModels matter
Regulating AI Behavior with a Hypervisor
Interesting research: "Guillotine: Hypervisors for Isolating Malicious AIs."
Abstract: As AI models become more embedded in critical sectors like finance, healthca... https://www.schneier.com/blog/archives/2025/04/regulating-ai-behavior-with-a-hypervisor.html
#physicalsecurity #academicpapers #Uncategorized #threatmodels #AI
Who could possibly have seen Pokemon Go and Ingress player location data being sold to anyone with enough money? #ThreatModels
Emancipating ourselves from the #USA also means getting away from #Microsoft. In an emergency, it could be used to paralyze practically the entire economy here. The unannounced and permanent outage of Microsoft infrastructure should now be part of every #ThreatModels. #ITSecurity
As I write this, the most recent big move by Matt Mullenweg in his ongoing dispute with WP Engine was to abuse his position to seize control of a WP Engine owned plugin, justifying this act with a security fix. This justification might, under other circumstances, be believable. For example, if WP Engine weren't actively releasing security fixes.
Now, as I wrote on a Hacker News thread, I'd been staying out of this drama. It wasn't my fight, I wasn't deeply familiar with the lore of the players involved, etc.
BUT! This specific tactic that Mullenweg employed happens to step on the toes of some underappreciated work I had done from 2016 to 2019 to try to mitigate supply chain attacks against WordPress. Thus, my HN comment about it.
Mullenweg's behavior also calls into question the trustworthiness of WordPress not just as a hosting platform (WP.com, which hosts this website), but also the open source community (WP.org).
The vulnerability here is best demonstrated in the form of a shitpost:
"Matt" here is Mullenweg.
I do not have a crystal ball that tells me the future, so whatever happens next is uncertain and entirely determined by the will of the WordPress community.
Even before I decided it was appropriate to chime in on this topic, or had really even paid attention to it, I had been hearing rumors of a hard-fork. And that may be the right answer, but it could be excruciating for WordPress users if that happens.
Regardless of whether a hard-fork happens (or the WordPress community shifts sufficient power away from Mullenweg and Automattic), this vulnerability cannot continue if WordPress is to continue to be a trustworthy open source project.
Since this is a cryptography-focused blog, I'd like to examine ways that the WordPress community could build governance mechanisms to mitigate the risk of one man's ego.
Revisit Code-Signing
The core code, as well as any plugins and themes, should be signed by a secret key controlled by the developer that publishes said code. There should be a secure public key infrastructure for ensuring that it's difficult for the infrastructure operators to surreptitiously replace a package or public key without possessing one of those secret keys.
I had previously begun work on a proposal to solve this problem for the PHP community, and in turn, WordPress. However, my solution (called Gossamer) wasn't designed with GDPR (specifically, the Right to be Forgotten) in mind.
Today, I'm aware of SigStore, which has gotten a lot of traction with other programming language ecosystems.
Additionally, there is an ongoing proposal for an authority-free PKI for the Fediverse that appears to take GDPR into consideration (though that's more of an analysis for lawyers than cryptography experts to debate).
I think, at the intersection of both systems, there is a way to build a secure PKI where the developer maintains the keys as part of the normal course of operation.
Break-Glass Security with FROST
However, even with code-signing where the developers own their own keys, there is always a risk of a developer going rogue, or getting totally owned up.
Ideally, we'd want to mitigate that risk without reintroducing the single point of vulnerability that exists today. And we'd want to do it without a ton of protocol complexity visible to users (above what they'd already need to accept to have secure code signing in place).
Fortunately, cryptographers already built the tool we would need: Threshold Signatures.
From RFC 9591, we could use FROST(Ed25519, SHA-512) to require a threshold quorum (say, 3) of high-trust entities (for which there would be, for example, 5) to share a piece of an Ed25519 secret key. Cryptographers often call these t-of-N (in this example, 3-of-5) thresholds. The specific values for t and N vary a lot for different threat models.
When a quorum of entities do coordinate, they can produce a signature for a valid protocol message to revoke a developer's access to the system, thus allowing a hostile takeover. However, it's not possible for them to coordinate without their activity being publicly visible to the entire community.
The best part about FROST(Ed25519, SHA-512) is that it doesn't require any code changes for signature verification. It spits out a valid Ed25519 signature, which you can check with just libsodium (or sodium_compat).
Closing Thoughts
If your threat model doesn't include leadership's inflated ego, or the corruption of social, political, and economic power, you aren't building trustworthy software.
Promises and intentions don't matter here. Mechanisms do.
Whatever the WordPress community decides is their best move forward (hard forks are the nuclear option, naturally), the end result cannot be replacing one tyrant with another.
The root cause isn't that Mullenweg is particularly evil, it's that a large chunk of websites are beholden to only his whims (whether they realized it or not).
One can only make decisions that affect millions of lives and thousands of employees (though significantly fewer today than when this drama began) for so long before an outcome like this occurs.
Edit of XKCD
If you aren't immune to propaganda, you aren't immune to the corruption of power, either.
But if you architect your systems (governance and technological) to not place all this power solely in the hands of one unelected nerd, you mitigate the risk by design.
(Yes, you do invite a different set of problems, such as decision paralysis and inertia. But given WordPress's glacial pace of minimum PHP version bumps over its lifetime, I don't think that's actually a new risk.)
With all that said, whatever the WordPress community decides is best for them, I'm here to help.
https://scottarc.blog/2024/10/14/trust-rules-everything-around-me/
#AdvancedCustomFields #arrogance #automaticUpdates #Automattic #codeSigning #cybersecurity #ego #MattMullenweg #news #PKI #pluginSecurity #powerCorrupts #SecureCustomFields #security #softwareGovernance #supplyChain #supplyChainSecurity #supplyChainSecurity #technology #threatModels #trust #WordPress #WPEngine
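An added illustration, not part of the original post and not code from RFC 9591: the scalar arithmetic behind the 3-of-5 claim in the FROST section above, showing that any quorum's summed responses equal the `k + c * sk` that a single Ed25519 key holder would produce, which is why verification needs no changes. Assumptions: a trusted-dealer Shamir split, a constructed challenge `c`, and one constructed effective nonce per signer; the group-element side (commitments, `R`, the public key) is omitted.

```python
import hashlib
import secrets
from itertools import combinations

# Order of the Ed25519 prime-order subgroup; all FROST scalar math is mod L.
L = 2**252 + 27742317777372353535851937790883648493

def deal_shares(secret, t, n):
    """Shamir split: share i is f(i) for a random degree t-1 polynomial, f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(L) for _ in range(t - 1)]
    return {i: sum(a * pow(i, k, L) for k, a in enumerate(coeffs)) % L
            for i in range(1, n + 1)}

def lagrange_at_zero(i, signers):
    """Coefficient lambda_i that interpolates f(0) from the participating signers."""
    num = den = 1
    for j in signers:
        if j != i:
            num = num * j % L
            den = den * (j - i) % L
    return num * pow(den, -1, L) % L

def aggregate_response(shares, signers, nonces, c):
    """Sum of per-signer responses z_i = k_i + lambda_i * s_i * c; no one rebuilds the key."""
    return sum(nonces[i] + lagrange_at_zero(i, signers) * shares[i] * c
               for i in signers) % L

def matches_single_key(sk, shares, signers, c):
    """True if the quorum's z equals what the undivided key would yield: k + c * sk."""
    nonces = {i: secrets.randbelow(L) for i in signers}  # constructed effective nonces
    z = aggregate_response(shares, signers, nonces, c)
    return z == (sum(nonces.values()) + c * sk) % L

def run_demo(t=3, n=5):
    sk = secrets.randbelow(L)                      # constructed group secret
    shares = deal_shares(sk, t, n)
    # Constructed stand-in for the Ed25519 challenge H(R || A || M) mod L.
    c = int.from_bytes(hashlib.sha512(b"revoke: example").digest(), "little") % L
    quorums = [matches_single_key(sk, shares, q, c) for q in combinations(shares, t)]
    short = [matches_single_key(sk, shares, q, c) for q in combinations(shares, t - 1)]
    return quorums, short

if __name__ == "__main__":
    ok, short = run_demo()
    print(f"3-of-5 quorums matching: {sum(ok)}/{len(ok)}; 2-signer sets matching: {sum(short)}")
```

Every 3-signer subset reproduces the single-key response, while 2-signer subsets do not, which is the threshold property the post relies on.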
As I've said elsewhere, the reporter has a problematic background and the bugs were over hyped but...
All those deplorables were in a basket and you just let them out? #ThreatModels
Maybe don't hang the keys to the vending machine on a hook on the vending machine itself, geez. #ThreatModels
It should not be possible for an asshole to pay money to show you whatever they want, and "we remove ads that violate our policies" is not the same thing as actually being concerned about what is being shown to users.
#ThreatModels
@Brahn i grill people on secret management hard in my #threatmodels so i definitely need to practice what i preach on this.
confession: i unfortunately don't encrypt the boot volume on most bare metal workstations because i occasionally need to bounce them when i'm at my other place (or the ups failed, that's happened before CYBERPOWER BOOOOO and i got locked out of something really important once for two weeks until i flew back.
I swear this isn't me being smug, but there's a reason I never participated in Stack Overflow, and it's this: a VC-funded for-profit company is always going to try to maximize the profit from the things its users do, no matter how much those users are doing it for a community or others.
It's important to consider #ThreatModels, which seems hard at first, but by asking yourself "how could they exploit this?" you can come up with a lot of justification for not participating.
I remember thinking how cool it was that Google was using all Android phones to measure traffic in order to accurately display it on Google Maps. Oh, sweet summer child. #ThreatModels
Poisoning AI Models
New research into poisoning AI models:
The researchers first trained the AI... https://www.schneier.com/blog/archives/2024/01/poisoning-ai-models.html
#artificialintelligence #machinelearning #academicpapers #Uncategorized #threatmodels #LLM
We could be using #AI tools to help with things like searching for #malware or develop #threatmodels or tailor #cybersecurity controls. A company like #microsoft could use it for some of these things (they have a widely used threat modeling methodology and associated tool). Instead they are using it to trick people with #bingchat and make #malvertising worse.
/end
Given Chrome's #HTTPS ratcheting up news, I think it's relevant to reshare this old post of mine.
Threat models: the sushi place's static website
https://flameeyes.blog/2017/08/31/threat-models-the-sushi-place-static-site/
@darnell General Web Search is ... sort of its own thing. That's manageable through robots.txt or permissive / exclusive in-page tags.
(Those will generally prevent content from being presented, but may not prevent crawling, and in the case of on-page headers cannot by the mechanism through which they work (the spider has to crawl and read the header to determine what's being said).
There are groups such as the #ArchiveTeam who explicitly ignore robots.txt: https://wiki.archiveteam.org/index.php/Robots.txt
Then there's the somewhat newly recognised issue of AI LLM training data and derived works.
Other than those, what is your threat model here?
My view is that online content is ... online. It's published, in the sense of public. If you want closed content you need to find some way of disclosing to a limited group. That has tremendous impacts on reach and influence.
That is contrasted with community and interaction, and a Fediverse which is crawled by Google is very different from one that is interfaced by Google and Facebook, parallel with their existing social networks (FB, Instagram, YouTube, Blogger, say).
#Meta #Metablock #DefederateMeta #ThreatModels #Risk #GeneralWebSearch #LLM #ArtificialIntelligence #TrainingData
OK, #threatModel time.
our team does not like being asked for "templates" or "outlines" of our workshops. each TM is different in terms of where we spend our time.
we know the areas that must be covered in #security and #privacy #threatmodels, and i've been writing a play/runbook (pattern?) for the format of our workshops that is becoming training material.
but i don't want it to be a #template. what would you use? agenda? areas of interest? pattern? outline?
happy wednesday, #infosec!
Security Analysis of Threema
A group of Swiss researchers have published an impressive security analysis of Threema.
We provide an extensive cryptographic analysis of Threema, a Swiss-based en... https://www.schneier.com/blog/archives/2023/01/security-analysis-of-threema.html
#side-channelattacks #vulnerabilities #academicpapers #authentication #Uncategorized #cryptanalysis #threatmodels #encryption