Age verification laws are coming fast.
And, from my perspective, opponents are struggling to find impactful messaging to explain to the general public the damage they are about to do to freedom.
Or to propose alternate futures that address the underlying anxieties.
Sure, most folks that are here on #Nostr intuitively understand the dangers... And nod along when we gesture at the dangers of surveillance overreach.
But I worry that the common language for talking about these initiatives typically relies on some priors that are not universally shared outside people that live and breathe concerns about tech.
Saying that something is a surveillance dystopia works on me. But not the neighbors.
I'm guilty of being inside this language bubble too, and it's hard to escape.
Yet, when faced with politicians talking about protecting kids from bad things that parents feel they see right now... I worry that the communities doing pushback are struggling to:
1 - find framing that makes *enough sense* to the vast majority of people that they say 'ok this is net bad' and push back
2 - find their own ways to productively connect with the anxieties that politicians are drawing on. E.g. worried parents.
3 - offer things that are honest, well meaning alternative paths for the underlying problems
Anyone have thoughts on this? #AskNostr
jsr (jsr@primal.net, npub1vz03...ttwj): Chasing digital badness at the citizen lab. All words here are my own.
We are in the opening chapter of using vibecoding to assert your rights.
And reclaim your freedoms.
Tremendous time to be alive.
It seems to me like a strong anti-AI view is becoming left / progressive coded.
I'd love to understand this better.
Anyone have thoughts?
Google bad ux.
And you'll get your results in Comic Sans.
Try it
It is a lot easier to celebrate a turn towards dictatorship when you are untethered to historical knowledge.
No amount of centralized power delivers a society with true personal freedom in the long run.
History shows that even when dictatorships perform 'well' on some factors, especially in the short term, they send people into a freedom-robbing labyrinth.
Do you care about personal liberty?
Because in the long run with dictatorships you will lose on having a society that supports freedom, personal rights and liberties and decentralization of knowledge and innovation.
Because dictatorships concentrate power without balance.
Over time as inequalities & unfairness become severe... the rule gets more brittle.
And dictators have to give more favors to the people that help them stay in power. Like economic favors.
People with ambition then need to play into the system and help prop up the dictator if they want to keep their resources.
Even then they are vulnerable to having everything taken.
And for anyone that dares point out increasingly obvious flaws?
Well, most dictatorships invariably slide into repression.
People with new, better ideas that also happen to challenge the dictator's entrenched interests? Or those of the dictator's necessary economic allies? Family members? Point out corruption?
Co-opted or cut down.
Fueled by massive surveillance.
And the threat of violence.
Because self-censorship scales better than physical coercion on each person.
People see opportunity for personal advantage. Some become informers.
Some delight in the cruelty of seeing people they dislike arbitrarily punished.
And when the strong leader dies? The society can be incredibly unstable as it carries the weight of so many injustices, so many lies.
And for the system to persist? More repression needed.
Vibecoding is super interesting. And powerful.
Coding syntax is getting better. But secure coding isn't keeping pace.
In a test of 100 coding models, 45% of them introduced a serious vulnerability.
For example, in 86% of tests, code wasn't secured against Cross-Site Scripting.
NOW-TERM IMPLICATIONS
This has big implications. Sure, there are the YOLOcoders that ship whole vibecoded apps without thinking about security. Or code review.
Some percentage of their users will get rekt.
If those projects get near high risk users, they are sprinkling knives in the weeds with potential for harm.
BUT BIGGER MODELS = BETTER?
Interestingly, even big fat models aren't massively better with security.
S'EVERYWHERE
My other worry? Vibecoding without security check steps is happening in existing projects / platforms etc.
Even when people say they are coding. Sometimes they be vibecoding.
This sort of thing has already come to tools you use, including to handle your funds & privacy.
Sure secure code writing & review has never been anything near universal, but the scale and speed of new code creation that #vibecoding enables is new.
VULNERABILITY DISCOVERY...ALSO ACCELERATING
ICYMI, vulnerability DISCOVERY is also accelerating a lot faster than secure code creation...
Whole industries are spinning up, including lots of offensive projects.
ME? I #VIBECODE
I love the change in how I create with code. But I think we are in for some really rough times, and the least informed parties are gonna be users. As ever.
In the longer run this problem space also seems to offer paths for AI-driven improvement in secure code creation. But since not everything is accelerating at the same pace, the deltas = harm.
Sauce: 
Veracode, "We Asked 100+ AI Models to Write Code. Here's How Many Failed Security Tests."
The EU's Digital Identity Wallet project has a lot of big icks.
Looking at the GitHub for the Android Age Verification application feels like chewing rocks.
Like the proprietary attestation baked into a must-use form of identification is absolutely the wrong path...
And while we're at it, recall the rule of thumb: Age Verification either by deliberate or convenient naïveté is almost always a surveillance trojan horse.
Source: GitHub, eu-digital-identity-wallet/av-app-android-wallet-ui
Proton #VPN signups spike 1,400% as the UK Online Safety Act rolls out.
Proton says spike is sustained & higher than when France blocked adult content.
Source: https://archive.ph/i2d9W
Tea enforced ID & selfie collection. And doxxed their own users.
In other news, the UK Online Safety Act is forcing websites to begin collecting IDs.
This will end, predictably in fresh breaches.
And more harm to users.
The only way to deal with an unfree world is to become so absolutely free that your very existence is an act of rebellion.
-Attributed to Camus
Your honor, in my defense I was being extremely productive at the time of the crash.
You read dystopian sci-fi as a warning.
These companies found business plans.
Just as there are war hawks that delight in hard talk about military action, there are surveillance-yearners...
For reasons I'll never fully understand the UK politicians aren't just surveillance-permissive.
They delight in the idea.
Pre-crime preventative detention coming soon...
Source: the Guardian, "Tech firms suggested placing trackers under offenders' skin at meeting with justice secretary" (Exclusive: Shabana Mahmood told companies she wanted 'deeper collaboration' to tackle prisons crisis).
Mass biometric surveillance is a one-way ticket away from democracy.
How it began: "our service helps consumers quickly do X..."
How it's going: "we help business understand consumer behavior..."
Soon: "we're launching a surveillance subsidiary for government customers..."
I prefer the company of people that don't snitch my business to skynet.
You can patch software, but you can't patch people.
This is why social engineering will always work.
The human brain is loaded with forever-day vulnerabilities...and attackers are constantly probing.
Sometimes I think that they've developed a more applicable & empirically tested theory of human motivation and cognition than psychologists...
Sometimes tens of thousands of A/B tests a day...
🚨NEW REPORT from us: exposing a new social engineering/hacking tactic.
🇷🇺Russian state-backed hackers successfully compromised a prominent (& professionally paranoid) expert on Russian military operations.
Shocking, right? But the attack is solidly clever & worth understanding. I expect more like it.
ATTACK FLOW
Keir Giles gets a message purporting to be from the U.S. State Dept asking for a consultation.
The attackers send the message from a gmail, but CC'd a bunch of state.gov email addresses, including one with the same name as the purported sender.
Strong credibility signal to have a bunch of gov ppl on the CC line right?
Well, what the attackers were counting on is that the State Dept mailserver just accepts all email addresses without emitting a bounce.
So they seem to have just created some fake State Dept staff names and addresses.
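A mail-filter heuristic for the credibility trick described above, added here as an example (not from the post or the Citizen Lab report): flag a freemail sender whose CC line is padded with addresses at an institutional domain, especially when one of those CCs carries the sender's own display name. The freemail list, placeholder names and sample headers are constructed for illustration.

```python
# Added example: detect the "freemail From, institutional CC padding" pattern.
# Domain list and sample messages below are constructed, not real traffic.
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: public webmail domains an official contact would not send from.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}


def domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def cc_padding_score(raw: str) -> dict:
    """Return the indicators a triage rule would look at for one message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    ccs = getaddresses(msg.get_all("Cc", []))
    cc_domains = {domain(a) for _, a in ccs if a}
    # Domains on the CC line that are not the sender's own domain.
    foreign = {d for d in cc_domains if d and d != domain(from_addr)}
    # A CC whose display name equals the sender's is the "my official
    # address is also copied" prop described in the post.
    name_clone = any(
        n.strip().lower() == from_name.strip().lower() and domain(a) in foreign
        for n, a in ccs if n.strip()
    )
    return {
        "freemail_sender": domain(from_addr) in FREEMAIL,
        "foreign_cc_domains": sorted(foreign),
        "foreign_cc_count": sum(1 for _, a in ccs if domain(a) in foreign),
        "name_clone_on_cc": name_clone,
    }


def is_suspicious(raw: str, min_foreign_cc: int = 2) -> bool:
    """Freemail sender plus either heavy institutional CC or a name clone."""
    s = cc_padding_score(raw)
    return s["freemail_sender"] and (
        s["foreign_cc_count"] >= min_foreign_cc or s["name_clone_on_cc"]
    )


# Constructed sample showing the pattern from the post (placeholder names).
SUSPECT = """\
From: Jane Placeholder <jane.placeholder.dos@gmail.com>
To: target@example.org
Cc: Jane Placeholder <jplaceholder@state.gov>, A Staffer <astaffer@state.gov>, B Staffer <bstaffer@state.gov>
Subject: Consultation request

body
"""

# Constructed benign sample: institutional sender, a colleague on CC.
BENIGN = """\
From: Jane Placeholder <jplaceholder@state.gov>
To: target@example.org
Cc: A Staffer <astaffer@state.gov>
Subject: Consultation request

body
"""

if __name__ == "__main__":
    print(cc_padding_score(SUSPECT), is_suspicious(SUSPECT))
    print(cc_padding_score(BENIGN), is_suspicious(BENIGN))
```

The rule is a triage signal, not proof: a freemail sender copying colleagues at their employer is sometimes legitimate, so route hits to a human rather than dropping them.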
INTRODUCING THE DECEPTION
The attackers wait for the 2nd interaction to introduce the pivotal deception: getting him to 'connect to a secure platform.'
In the next days they patiently walk him through what they want him to do, even sending a very official looking (but fake) State Dept. document.
The attack works like this: the attackers try to deceive the target into creating and sharing an App-Specific Password (ASP) with them.
They do this by reframing ASPs as something that will let him access a secure resource (spoiler: not how this works)
REMINDER: WHAT IS AN ASP?
What's an ASP? Well, not every app that users want to use supports Multi-Factor Authentication.
Some older email clients for example don't. So providers like #Google let users create a special password just for those apps.
There were so many clever bits to this attack, it's easy to imagine a lot of people falling for it.
Everything was clean. Doc looked real. The language was right. Email addresses at the State Dept. seemed to be CC'd.. I could go on.
They even had Keir enter "ms.state. gov" into the ASP name...
SLOW FOOD SOCIAL ENGINEERING
This attack was like slow food. 10 email exchanges over several weeks! Very much not your run-of-the-mill phishing.
It's like they know what we all expect from them...and then did the opposite.
Ultimately, he realized something was wrong and got in touch with us at #citizenlab ... but not before the attackers got access.
He's said that he expects some sort of 'leak' constructed out of a mixture of his real messages & carefully added falsehoods. I tend to agree, this is a pretty common tactic.
Here's what that looks like, btw, from a report we did back in 2017 where we compared what was released after a hack by Russian hackers vs the original:
Coda: Hilariously (to me at least) the attackers called the fake platform *MS DoS*
WHO DID IT?
Enter the Google Threat Intelligence Group w/analysis & attribution.
GTIG had been working on their own parallel investigation. Our friendly social engineers are: 🇷🇺 #UNC6293, a #Russian state-sponsored threat actor.
Google adds bonus additional low confidence association to #APT29 (that would be Russia's #SVR).
Nice people.
TAKEAWAYS?
Takeaway: some gov-backed groups are feeling pressure & experimenting.
Moving from smash & grab phishing... to subtler, slower & perhaps less detectable.
Targeting App-Specific Passwords is novel.
But it's just part of a trend of state-backed attackers innovating & moving beyond simple phishing that targets credentials (maybe multi-factor codes) towards other mechanisms of account access.
A lot of more sophisticated attackers are also spreading attacks across platforms.. for example starting the attack on Signal/Telegram, then later pivoting to email, etc. The folks at Volexity (above pic showing a similarly complex operation) have some good reporting on that (link below)
GET SAFER
Do you think you face increased risk because of who you are & what you do?
✅Use Google's free Advanced Protection Program.
Set it up now: Google Advanced Protection Program
✅Exercise extra skepticism when unsolicited interactions slide into suggesting you change account settings!
✅Talk to your IT/ Security team about ASPs. Share the report, we've made some suggestions for them..
READ THE REPORTS
Ours at Citizen Lab: "Same Sea, New Phish: Russian Government-Linked Social Engineering Targets App-Specific Passwords" (In May 2025, Keir Giles, a well-known expert on Russian military operations, was targeted with a highly sophisticated and personalized phishing att...)
Google's Post: https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia
Other citations:
Our Tainted Leaks report where we walk through how materials got manipulated & leaked after a Russian gov hack: "Tainted Leaks: Disinformation and Phishing with a Russian Nexus" (The Citizen Lab)
Volexity's recent report: "Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows" (Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aim...)
Searching #Youtube, I ignore content less than 12 months old.
To get past the #GenAI sloplayer.
Like a volcanic explosion.
Except instead of blanketing the world with ash, it's a smothering burden of low value, low-enjoyment, derivative, error-filled content.
“The Arab writer can be easily killed by their government under the pretext of ‘national security’”
-Turki al-Jasser in 2014, unwittingly predicting how he'd die in 2025.
He was just executed by Saudi Arabia, probably by beheading.
For his posts critical of the government.
He was reportedly tortured while in prison.
Story: the Guardian, "A Saudi journalist tweeted against the government – and was executed for ‘high treason’" (The death of Turki al-Jasser was the first high-profile killing of a journalist since the 2018 murder of Jamal Khashoggi).