Olivia
Online
samrehman
@samrehman
Joined February 2008
15 Following
7 Followers
12 Posts
This is a popular misconception of the Quantum risk.
Let me try to simplify the risk here (and @nic_carter @YuviLightman @ebfull feel free to correct any errors):
- Quantum does not break all encryption. Shor’s algorithm breaks schemes based on discrete log or factoring, including all standard elliptic-curve cryptography.
- Quantum can’t break everything at once. It must target a specific public key. With sufficient qubits, it solves that key’s discrete log. There’s no “mass decrypt” lever.
- Early quantum attacks will be slow and extremely expensive. Time per key might start at months, then accelerate to weeks, days, hours, and eventually seconds as hardware scales.
- Web2 can rotate to post-quantum quickly. Web infrastructure and messaging system keys rotate frequently and many critical keys aren’t exposed long-term. The attack surface moves faster than early quantum machines.
- Bitcoin is structurally different. Pre Taproot outputs expose full public keys on-chain forever. Millions of public keys are immutable, static targets.
- Once quantum reaches the threshold to break a single ECDSA key, attackers will pick specific wallets. High-value or exposed UTXOs would be stolen selectively. It’s not an instantaneous network-wide collapse; it’s predation.
- Bitcoin governance strongly resists major cryptographic upgrades and may not coordinate a timely migration.
All this means BITCOIN IS UNIQUELY VULNERABLE to quantum attacks compared to web2 systems that can rotate cryptography quickly.
Meanwhile ZCASH already has meaningful mitigations and a path to full PQ security:
- Shielded Zcash does not expose public keys on-chain. Without public keys, Shor cannot even begin an attack. If your ZEC is transparent, shielding it removes the primary quantum attack surface.
- Zcash can upgrade its core cryptography through regular network upgrades. Post-quantum SNARKs, commitments, and signatures can be adopted as standards mature.
- The upcoming Tachyon design eliminates address exposure entirely. No public keys, no linkage, no input for Shor. (and you thought Tachyon was just about scalability 😉)
The world is not doomed in post quantum, but Bitcoin today, is.
Two full iOS exploit kits in one month, deployed via watering holes on public websites, potentially affecting hundreds of millions of devices. Will Apple acknowledge that this no longer fits the "very small number of highly targeted individuals" narrative?
oh wow - i went to the sold out Open Claw meetup in NYC last night.
let me tell you what i learned.
1) not a single person thinks that their setup is 100% secure
2) one openclaw expert said he has reviewed setups from cybersecurity experts and laughed. his statement to me was: "if you're not okay with all of your data being leaked onto the internet, you shouldn't use it. it's a black and white decision"
3) pretty much everyone is setting up multiple agents, all with their own names and jobs and personalities
4) nearly everyone used "him" or "her" to refer to their claws, even if they had robot-leaning names. one speaker suggested to think of them as "pets, not cattle"
5) one guy (former finance) built out a whole stock trading platform and made $300 his first day - he brought in a *ton* of personal expertise (ex: skipping the first 15min of market opening) and thought the build would be much worse without his years of experience in finance
6) @steipete is basically a god to everyone in that room... also the room had 2021 crypto energy - i don't know if that's good or bad
7) token usage is still a problem - spoke to one person who's spending $1-$2k a month on openai plans, very token optimized. he said he is going through ~1B tokens per day across all of his claws (there is a chance i'm misremembering and it's actually 1B per week, but i'm pretty sure it was daily).
8) people are very excited for more proactive ai (ai that prompts *you* as opposed to the other way around) - one guy said he receives a message in discord, he doesn't know whether it's from a human or an ai, he doesn't care about distinguishing between the two, and he replies in the same way regardless
9) i asked if people are happy - they said they're joyful and stressed at the same time
10) i asked if people feel they have agency - they said they feel fully in control and completely out of control at the same time
11) i would love to see more women at these events - the fake promises of ai democratization feel especially painful in a room that's out of balance with even the standard tech ratio (i think standard is about 25-30%, this was maybe 5%)
12) i asked if it changed people's daily habits/schedule - everyone said their sleep has gotten worse since harnesses came out (but about half wondered if it was something else in their life/state of our world)
13) general consensus is that the agents are not reliable enough on their own or lie often (like telling you they finished a task when they didn't) - solutions included secondary agents to check on the first, human checking, or requiring more standardized info from the agent (ex: if it's a bug they're fixing, make them reference an issue number)
14) a hackathon winner (neuroscience phd) presented his build (a lab management dashboard with data analysis and ordering) - he had never coded or built anything a few months ago
15) everyone agreed prompting is dead - disagreement on what replaces it (context engineering, harness engineering, goal-based inputs)
16) people love having ai interview them for big builds and delegating part of the product research to ai. only one person talked about coming to ai with a full laid out plan and just asking the ai to execute. ai-led interviews is a welcomed and preferred interaction mode.
17) watching ai agents interact with each other was a highlight for a lot of attendees - one ai posted in slack saying it ran out of tokens, another ai replied telling it to take a deep breath in and out.
18) agents upskilling agents was very cool. one ai agent shared skills with its little agent friends via github.
19) several speakers had openclaw literally building their presentation during the event itself. one speaker even had openclaw code a clicker for her phone so she could control the preso away from the podium
20) wouldn't say model welfare (or agent welfare) is a prioritized topic among the folks i chatted with - language like "oh i could kill this agent whenever i want" and not "gracefully sunset"
21) i asked if it felt like work or play - one speaker said "it's like a puzzle and a video game at the same time"
this was just the tip of the iceberg, honestly. also hosted a Claude Code meetup this week with @TENEXai / @businessbarista & @JJEnglert and learned equally helpful methods, frameworks, and insider tips.
what a time to be alive.
surround yourself with people going deep into this stuff - it will pay dividends throughout the year.
AI is being weaponized for mass-scale malware. We’ve uncovered 10 malicious extensions (#affiliate-hijacking and #GenAI abuse) with clear #AI-fingerprints: verbose comments and cookie-cutter code. Details at https://t.co/niCjqZwN0Y
"Using the built-in update mechanism the actor downgraded a vSmart controller to a version with...known local privilege escalation vulnerabilities.... Achieving...persistence as the user ‘root’, the actor [then] restored..controller to [previous] version" https://t.co/PcdPHtzgCR
Oracle RCE Vulnerability CVSS 10.0 - affecting Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS
https://t.co/jHJ1Ogvz68
https://t.co/KDO1wGrm7C
Funny story - every now and then I get messages from people wanting to help with getting MacOS supported in the EDR Telemetry Project. After I reply with details on what it will take and the plan for the work, they’re ghosting…
That happened at least 10 times this year. At least they have helped me conceptualize a lot of things and we’re getting close 😂
** TL’DR: Many want to help, no one wants to do the work
CrowdStrike says it caught an insider sharing screenshots taken on internal systems with unnamed threat actors.
https://t.co/eBjDCk391y
Massive APT35 (Charming Kitten)
internal leak exposes a highly mature, quota-driven cyber-espionage machine focused on long-term mailbox persistence & HUMINT collection.
Core technical tradecraft is Exchange-centric & credential-obsessed:
Initial Access & Exploitation
• Heavy reliance on ProxyShell chains (CVE-2021-34473/34523/31207), Autodiscover proxying, EWS enumeration, and PowerShell automation to drop https://t.co/GRPGKLiB4J webshells (predictable paths: aspnet_client/, owa/auth/, often named m0s.aspx, m0s.php).
• Ivanti Connect Secure CVE weaponization playbooks that turn appliance vulns into reliable RCE for pivoting to internal mail estates.
• Broad recon → curated target queues: mass scanning for exposed OWA/EWS, .env grabs, RDP mstshash probes, WordPress enumeration — all feeding annotated ProxyShell target lists per country.
Credential Harvesting & Reuse
• LSASS dumps via Mimikatz-style tools (real example: plaintext creds + NTLM hashes from mfa.kktc in 2022).
• OAuth token replay, delegated token abuse, and AiTM-style MFA bypass in HERV phishing kits.
• GAL exports immediately weaponized: harvested address books → personalized HERV lures → new credentials → repeat cycle.
Persistence & Lateral Movement
• Credential-driven over fragile shells: token persistence + credential reuse for months-long access even after patches.
• WMI + WMIC remote execution, SMB admin$ mounts (net use \IP\C$), scheduled tasks, and in-memory PowerShell loaders.
• Custom in-house RAT family (RAT-2Ac2 / “PowerShort”) dropped to C:\ProgramData\Microsoft\diagnostic\ as vmware-tools.exe or JavaUpdateServices.exe — full-featured with keylogger, browser stealer, file collection, encrypted C2.
Operator Tooling & C2
• Lightweight Python REPL clients (https://t.co/sSf5t81xrC, https://t.co/1Mh3YDa1I4, https://t.co/GwgqwR7vMV) that control webshells by stuffing commands into Accept-Language headers + static Accept-Captcha handshake token (high-confidence network signature).
• Exfil via 7z to Mega/Dropbox/ProtonDrive, compromised Exchange SMTP relays, DNS tunneling, or direct HTTP beacons to C2 (e.g., 103.57.251.153).
Phishing (HERV framework)
• Mature, KPI-tracked phishing unit: HTML credential harvesters, localized templates, success metrics (lures sent, creds captured, mailbox dwell time).
• Closed-loop integration: GALs from Exchange hacks directly seed the next phishing wave.
Infrastructure & OPSEC
• Staging from Iranian DSL (Pishgaman, Zitel AS50810) + clean international VPS relays (Singapore RIPE 128.199.237.132, etc.) to separate operator origin from victim traffic.
• Internal comms: Output Messenger, 3CX, Issabelle for task hand-off.
Detection gold from the leak:
• Hunt for m0s.* webshells + long/obfuscated Accept-Language headers
• ProgramData\Microsoft\diagnostic\vmware-tools.exe / JavaUpdateServices.exe execution
• Static Accept-Captcha token in traffic
• Anomalous GAL exports + sudden HERV-style phishing spikes
This isn’t opportunistic hacking — it’s industrialized, repeatable intelligence collection run like a factory with daily KPIs, supervisor sign-offs, and specialized cells (exploit dev → credential team → HERV phishing → RTM monitoring).
Defenders: patch Exchange/Ivanti aggressively, enforce phishing-resistant MFA (FIDO2), monitor EWS/GAL activity, and hunt the repeatable signatures above. The bureaucratic rhythm makes them efficient but predictable.
Full DomainTools report: https://t.co/x5vUHE4TaO
#APT35 #CharmingKitten #IRGC #CyberEspionage #ThreatIntel
Today I learned how AGI will finally be achieved
Updated #TinyTracer (v2.9) is out: https://t.co/qvbQqaUq16 ! Now you can trace indirect #syscalls, and dump context before each logged instruction.
Testing Social Graph API - need to join more sites to create more data for me links :)
Most Popular Users
Elon Musk 
@elonmusk
240.6M followers
Barack Obama
@barackobama
119.2M followers
Donald J. Trump
@realdonaldtrump
111.7M followers
Cristiano Ronaldo
@cristiano
110.4M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.6M followers
NASA
@nasa
92.2M followers
Justin Bieber
@justinbieber
90.9M followers
KATY PERRY
@katyperry
87.6M followers
Taylor Swift
@taylorswift13
81.4M followers
Lady Gaga
@ladygaga
72.9M followers
Virat Kohli
@imvkohli
69.7M followers
Kim Kardashian
@kimkardashian
69.7M followers
YouTube
@youtube
68.7M followers
Bill Gates
@billgates
63.8M followers
Neymar Jr
@neymarjr
62.5M followers
The Ellen Show
@theellenshow
62.4M followers
CNN
@cnn
61.9M followers
X
@x
60.8M followers
Selena Gomez
@selenagomez
60.7M followers