GNU social JP
GNU social JP is a Japanese GNU social server.
Notices by Dan Goodin (dangoodin@infosec.exchange)

  1. Dan Goodin (dangoodin@infosec.exchange)'s status on Tuesday, 14-Oct-2025 08:16:18 JST
    in reply to

    Here's another reminder that it's best to resist as much as possible the siren's call of relying on AI and other services from Big Tech. Gemini is blocking questions about Trump showing signs of dementia even as it answers the same question when applied to Biden. When we turn to AI we are abdicating our own judgement and research responsibilities to a broligarchy that bends to the whims of billionaires.

    https://www.theverge.com/news/789152/google-ai-searches-blocking-trump-dementia-biden

    In conversation about 3 days ago from infosec.exchange permalink

    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/115/300/061/864/400/127/original/e4f45a53e42d7c4d.png

    2. https://media.infosec.exchange/infosec.exchange/media_attachments/files/115/300/072/991/347/661/original/66812af424a32782.png
  2. Dan Goodin (dangoodin@infosec.exchange)'s status on Tuesday, 14-Oct-2025 08:16:17 JST
    in reply to

    Now that Marc Benioff, owner of Slack and Salesforce, has confirmed he sides with authoritarianism, it's more incumbent on us than ever to move off central platforms, which can dump communications we presumed were private or cut us off for any reason or no reason at all.

    https://sfstandard.com/2025/10/10/marc-benioff-national-guard-sf/

    In conversation about 3 days ago from infosec.exchange permalink
  3. Dan Goodin (dangoodin@infosec.exchange)'s status on Tuesday, 14-Oct-2025 02:07:44 JST

    The complexity and problem-solving required for making the Signal Protocol quantum safe are as daunting as any in modern-day engineering. In less adept hands, mucking about with an instrument as complex as the Signal protocol could have led to shortcuts or unintended consequences. Yet this latest post-quantum upgrade is nothing short of a triumph.

    https://arstechnica.com/security/2025/10/why-signals-post-quantum-makeover-is-an-amazing-engineering-achievement/

    In conversation about 3 days ago from infosec.exchange permalink
  4. Dan Goodin (dangoodin@infosec.exchange)'s status on Wednesday, 01-Oct-2025 08:49:03 JST

    After 25 years, I still struggle to find an intuitive way to describe computer "state" to non-techies. Such a simple thing and yet I still don't know how to give it a simple description/definition.

    In conversation about 16 days ago from infosec.exchange permalink
  5. Dan Goodin (dangoodin@infosec.exchange)'s status on Thursday, 18-Sep-2025 04:09:15 JST

    Can you imagine the huge bonanza espionage and ransomware threat actors are going to have when every service you use forces you to provide them with your ID? This is a disaster that 100% will happen. I can hardly wait.

    In conversation about a month ago from infosec.exchange permalink
  6. Dan Goodin (dangoodin@infosec.exchange)'s status on Friday, 12-Sep-2025 03:26:40 JST

    So many people jumping to confirmation-biased conclusions with each new assassination detail. Will y'all please stop?

    In conversation about a month ago from infosec.exchange permalink
  7. Dan Goodin (dangoodin@infosec.exchange)'s status on Thursday, 11-Sep-2025 05:05:56 JST

    A prominent US Senator has called on the Federal Trade Commission to investigate Microsoft for “gross cybersecurity negligence,” citing the company’s continued use of the obsolete and vulnerable RC4 encryption cipher that Windows uses by default. Senator Ron Wyden went on to liken Microsoft to an "arsonist selling firefighting services to their victims.”

    https://arstechnica.com/security/2025/09/senator-blasts-microsoft-for-making-default-windows-vulnerable-to-kerberoasting/

    In conversation about a month ago from infosec.exchange permalink
  8. Dan Goodin (dangoodin@infosec.exchange)'s status on Thursday, 04-Sep-2025 04:56:20 JST
    in reply to
    • Rich Felker

    @dalias

    Sorry about that. Already fixed by the time you called it out.

    In conversation about a month ago from infosec.exchange permalink
  9. Dan Goodin (dangoodin@infosec.exchange)'s status on Thursday, 04-Sep-2025 03:53:15 JST

    People in Internet security circles are sounding the alarm over the issuance of three TLS certificates for 1.1.1.1, a widely used DNS service from Cloudflare. The three improperly issued certs escaped notice for 4 months.

    https://arstechnica.com/security/2025/09/mis-issued-certificates-for-1-1-1-1-dns-service-pose-a-threat-to-the-internet/

    In conversation about a month ago from infosec.exchange permalink
  10. Dan Goodin (dangoodin@infosec.exchange)'s status on Wednesday, 03-Sep-2025 02:40:55 JST

    We hear several times a year about zero-click vulnerabilities being actively exploited in WhatsApp. I don't remember a single such incident affecting Signal. Why is that? Is the Signal userbase too small? Is the app more secure? Something else?

    https://www.whatsapp.com/security/advisories/2025/

    In conversation about a month ago from infosec.exchange permalink
  11. Dan Goodin (dangoodin@infosec.exchange)'s status on Sunday, 31-Aug-2025 17:08:09 JST

    After more than a decade of receiving these sorts of messages, I still never know how to respond in a way that might be remotely helpful.

    UPDATE it's really disappointing to see how many responses here dismiss or make fun of people with mental illness. These are real people with real families and they're all suffering. There's nothing funny about any of this.

    In conversation about 2 months ago from infosec.exchange permalink

    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/115/119/156/406/510/317/original/ea591c6966351648.png
  12. Dan Goodin (dangoodin@infosec.exchange)'s status on Friday, 08-Aug-2025 02:56:42 JST

    A reminder that software makers, hardware makers, cloud services, payment processors, and the like will throw their customers under the bus whenever it suits them. Your payment card, food delivery account, AWS instance, Gmail address -- all can be taken away on a whim for any reason or no reason. These providers are NOT your friend. Make plans now. Have backups in place. Practice self-reliance. Wean yourself off these one at a time.

    In conversation about 2 months ago from infosec.exchange permalink
  13. Dan Goodin (dangoodin@infosec.exchange)'s status on Thursday, 07-Aug-2025 07:05:37 JST
    • AI6YR Ben

    @pixelpusher220 @ai6yr

    I haven't been to a HD or Lowes in years. In SF, we have Discount Home Builders Supply & Hardware, a locally-owned place that's been in business for decades. The workers there monitor the aisles and actively ask if you need/want help. All cities should be so lucky.

    https://www.discountbuilderssupplysf.com

    In conversation about 2 months ago from infosec.exchange permalink
  14. Dan Goodin (dangoodin@infosec.exchange)'s status on Tuesday, 05-Aug-2025 05:12:50 JST
    • Marcus Hutchins :verified:

    Once again, @malwaretech nails it, this time calling out the "gluttony of myopic visionaries" shilling the wonders of AI.

    https://malwaretech.com/2025/08/every-reason-why-i-hate-ai.html

    In conversation about 2 months ago from infosec.exchange permalink
  15. Dan Goodin (dangoodin@infosec.exchange)'s status on Tuesday, 05-Aug-2025 05:12:49 JST
    in reply to
    • Marcus Hutchins :verified:

    @malwaretech

    "In reality, all we’ve created is a bot which is almost perfect at mimicking human-like natural language use, and the rest is people just projecting other human qualities on to it. Quite simply, “LLMs are doing reasoning” is the “look, my dog is smiling” of technology. In exactly the same way that dogs don’t convey their emotions via human-like facial expressions, there’s no reason to believe that even if computer could think, it’d perfectly mirror what looks like human reasoning."

    In conversation about 2 months ago from infosec.exchange permalink
  16. Dan Goodin (dangoodin@infosec.exchange)'s status on Thursday, 17-Jul-2025 03:43:16 JST

    Am I the only one who can't bring themselves to delete contacts who are no longer living?

    In conversation about 3 months ago from infosec.exchange permalink
  17. Dan Goodin (dangoodin@infosec.exchange)'s status on Tuesday, 08-Jul-2025 03:11:25 JST

    I'm all for moving off of centralized platforms controlled by broligarchies. That said, how do we know platforms like Proton are any less horrible? Genuine question with no snark intended.

    In conversation about 3 months ago from infosec.exchange permalink
  18. Dan Goodin (dangoodin@infosec.exchange)'s status on Friday, 04-Jul-2025 01:45:51 JST

    Interesting article reporting that Android will soon give Gemini broadened access to phones and the apps they run, even when Gemini has not been turned on. Article goes on to say people who don't want this should "open the Gemini app from your Android device" and turn off each app extension. Sounds simple enough, but I'm not finding any Gemini app installed on my Pixel. Can anyone help me figure out what precisely people must do to keep Gemini off of their Android devices?

    https://tuta.com/blog/how-to-disable-gemini-on-android#_

    In conversation about 3 months ago from infosec.exchange permalink
  19. Dan Goodin (dangoodin@infosec.exchange)'s status on Tuesday, 24-Jun-2025 02:53:38 JST

    Is it possible to opt out of all Substack invitations like this one? I'm so tired of having to unsubscribe from them one by one. It's 2025. Does Substack really require me to opt out each time someone subscribes me to a list I don't want to be on?

    In conversation about 4 months ago from infosec.exchange permalink

    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/733/559/504/625/289/original/7a68061583d34194.png
  20. Dan Goodin (dangoodin@infosec.exchange)'s status on Tuesday, 24-Jun-2025 02:53:37 JST
    in reply to
    • Brad Rubenstein “:verified:” [OLD ACCOUNT]

    @BradRubenstein

    I don't think I have a substack account. I really don't want one. I just want Substack to leave me alone.

    In conversation about 4 months ago from infosec.exchange permalink
    Dan Goodin

    Reporter covering security at Ars Technica. DM me on Signal: DanArs.82.

    Tags: (None)

    Following: 0
    Followers: 0
    Groups: 0

    Statistics
    User ID: 92418
    Member since: 27 Jan 2023
    Notices: 149
    Daily average: 0

          GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

          All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.