Russell Phillips
@russell-infosec.bsky.social
Security leader & strategist with hands on experience ranging from policy to the pavement. Over the past 15+ years I've tackled the challenges of securing complex technical systems in the constantly changing world of live events.
https://russell.computer
A really neat paper on intercepting satellite coms satcom.sysnet.ucsd.edu/docs/dontloo...
satcom.sysnet.ucsd.edu
October 16, 2025 at 1:16 AM
I learned so much from the Document Security Alliance meeting! But does the term “Question Document” give artifact of power vibes to anyone else?
October 10, 2025 at 1:27 AM
Heading out to DC for a talk at the Document Security Alliance annual meeting! I’m looking forward to learning more about the state of the art in secure documents. And also sharing what I’ve learned from live events.
October 9, 2025 at 1:22 AM
Reposted by Russell Phillips
“This magazine uses Cookies.”
“In Formation values your privacy… we can’t tell you anything about it, because we value our privacy more than yours.”
“By turning this page, I agree to assign all of my assets and medical power of attorney to In Formation, Inc.”
😂
August 27, 2025 at 7:55 PM
Finally got back to my longstanding on-again off-again SDR project. Treated myself to a new Raspberry Pi to run it headless and wow, package support and native features are way better than last time I tried anything. Bluetooth headphones just worked! It is finally the year of the Linux Desktop!
August 27, 2025 at 8:10 PM
This paper is an excellent example of an academic diss track: "Replication of Quantum Factorisation Records with an 8-bit Home Computer, an Abacus, and a Dog" - eprint.iacr.org/2025/1237.pdf
eprint.iacr.org
August 23, 2025 at 2:26 AM
If we do the former part right, we won’t need people to do the latter part. And it is actually hard for users to avoid services that retain metadata. Even assuming those services are accurate in their public statements, parsing them often requires expertise users shouldn’t be required to have.
Lawmakers must act to protect users’ metadata, and “people should make use of technologies which either do not retain metadata past the time where it is necessary to provision services, or do not collect it at all,” EFF’s @legind.bsky.social told @Metro.co.uk. metro.co.uk/2025/08/21/...
This 'invisible' data trail can reveal your location and sexuality to scammers
'A very detailed picture of your entire digital life can be discerned.'
metro.co.uk
August 21, 2025 at 9:58 PM
Reposted by Russell Phillips
McDonald’s security is a soggy fry bucket: plaintext creds, free-food exploits, CEO emails spilling, 64M job apps cracked by “123456.” They fired the whistle, not the bugs. Surveillance clown empire running on duct tape.
McDonald's not lovin' it when hacker exposes rotten security: Burger slinger gets a McRibbing, reacts by firing staffer who helped
www.theregister.com
August 20, 2025 at 6:34 PM
New NIST Digital Identity guidelines are out: www.nist.gov/blogs/cybers...
SP 800-63 no longer allows forcing users to change their password just because time has elapsed. Let's see if the insurance underwriters finally update their policies to match... I'm not holding my breath.
Let’s get Digital! Updated Digital Identity Guidelines are Here!
www.nist.gov
August 19, 2025 at 8:08 PM
Another excellent DEF CON! I’m excited to keep up with what all you cool people are doing!
August 11, 2025 at 5:17 PM
If you’re still at DEF CON, swing by Track 5 at 2PM. I’ll be giving a fun talk on counterfeiting event credentials & how to get your fake badge into events!
August 10, 2025 at 8:32 PM
“whenever Claude logged on, its context would be immediately filled with ASCII pictures of fish (Figure 3), which would then be auto-summarized and given to a new Claude, which would forget that it was trying to log onto a server.” red.anthropic.com/2025/cyber-c...
Cyber Competitions
red.anthropic.com
August 10, 2025 at 2:39 AM
Interesting that the opinion on AI at DEF CON ranges from “let’s vibe code a SOAR stack” to “look at the vulns, so many vulns”, but absolutely everyone is adjusting to having to deal with gen AI + security one way or the other.
August 9, 2025 at 11:48 PM
Excited for a bunch of talks at DEF CON today! I’ve been looking for some good mesh networking solutions for event operations applications & RETCON seems like a fascinating solution: info.defcon.org/content/?id=...
info.defcon.org
August 8, 2025 at 4:16 PM
DEF CON vibes are good
August 7, 2025 at 9:02 PM
Events have a particular business risk from data breaches. Beyond normal customer data, proprietary event data poses a real safety and reputation risk. Unannounced content, operational plans, riders, etc. all make it worse.
Venice Film Festival Hacked, Attendee Data Compromised
www.hollywoodreporter.com/movies/movie...
The festival confirmed that a data breach exposed names, contact details, and tax data of accredited participants for this year's festival.
www.hollywoodreporter.com
August 7, 2025 at 2:45 PM
I'm packing for DEF CON and it's so tempting to bring my microscope with me....
August 6, 2025 at 6:29 PM
I refuse to call voice phishing "vishing": not only does it sound goofy, but it is not helpful. Promoting the idea that phishing is channel specific trains users to only pay attention in those channels. But phishing can be whatsappishing, intercomishing, twitchishing, or even coffeeshopishing.
August 5, 2025 at 6:41 PM
The privacy implications of publicly indexing LLM chats aren't surprising, but people routinely create policy that treats LLM chats like search queries rather than much more private data. The industry needs to reckon with the fact they've pushed users to share deeply. techcrunch.com/2025/07/31/y...
Your public ChatGPT queries are getting indexed by Google and other search engines | TechCrunch
Search engines are indexing links to ChatGPT conversations that have been made sharable with a link.
techcrunch.com
August 2, 2025 at 1:27 AM
Anyone have any good examples of LLM code execution vulns that are server-side rather than user-side? As tool use becomes more common we should see more examples of this.
July 31, 2025 at 9:22 PM
I'm late to the hot takes about Tea, but luckily for me it won't be long until another unsecured S3 bucket dumps a bunch of ID verification photos into the public. Then I'll seem prescient.
July 30, 2025 at 9:23 PM
This part of the Clorox hacking story is wild to me! Even if the helpdesk had followed their policy, the only information required for a password reset was the manager's name and the user's username. Even the unenforced policy was bad too! arstechnica.com/security/202...
After $380M hack, Clorox sues its “service desk” vendor for simply giving out passwords
Massive 2023 hack was easily preventable, Clorox says.
arstechnica.com
July 25, 2025 at 6:30 PM
LLMs are the new frontier in unsanitized user input and we're going to see more and more exploits of this.
July 23, 2025 at 6:30 PM