Brutkey

Neil Madden
@neilmadden@infosec.exchange
Neil Madden
@neilmadden@infosec.exchange

For reasons, I’m probably going to be looking for a new job around July/August time. If you know of any UK-based hybrid/remote opportunities I may be a good fit for, let me know. Either permanent or contract/consulting. (LinkedIn seems really crap for finding a job now). A little to sell myself:
Author of API Security in Action
Former Security Architect for Forgerock (IAM)
Long-time OAuth and JOSE working group member at IETF
Applied cryptography, HSMs, JWTs, macaroons etc

Consulting site: https://illuminated-security.com/
LinkedIn: https://uk.linkedin.com/in/neil-madden

#FediHire

Neil Madden
@neilmadden@infosec.exchange

My NDC Security talk about Tink from Oslo is now online: https://www.youtube.com/watch?v=peumD3MY8So

Neil Madden
@neilmadden@infosec.exchange

I feel like a lot of security issues with LLMs come from treating them as agents in their own right, rather than as a different form of UI.

Any actions that the LLM performs should be under the permissions of the user interacting with it, not permissions granted to the LLM itself.

Also only feed public info into it. Putting confidential data into an LLM is like putting secrets in the HTML source of your webpage.

Of course, like any UI technology, LLMs have specific vulnerabilities. But a lot of things become common sense when you adopt the right perspective.

Neil Madden
@neilmadden@infosec.exchange

New ECB Penguin just dropped. #crypto #cryptography

(I made this: CC BY 4.0, based on https://www.printables.com/model/683071-this-is-fine-meme (CC PD))

A meme of a dog against a flame background with the words β€œTHIS IS FINE” at the bottom. The image has been encrypted with AES in ECB mode but is still completely visible.
Neil Madden
@neilmadden@infosec.exchange

Welcome to my new followers. I have taken possession of your souls, for which I am eternally grateful.

By way of #introduction, here are a few things that I am sometimes known for:


I wrote the book API Security in Action published by Manning. It covers a lot about modern application security, JWTs, OAuth, Kubernetes, and is secretly a tutorial on cryptography in disguise.


I discovered the β€œPsychic Signatures” critical vulnerability in Java’s implementation of ECDSA signature verification (CVE-2022-21449).


My blog has made its way onto Hacker News a few times.


I’m fairly active in the #OAuth working group at the IETF. I used to be the Security Architect for ForgeRock (now part of Ping Identity).

In my past I have mostly been a software engineer. I also have a PhD in computer science, for what it’s worth, but only my bank calls me Dr and my daughter thinks I’m lying about that.

These days I run a company, Illuminated Security, that provides AppSec and Applied Cryptography consultancy, review, bespoke development, and training. I’m always happy to answer emails (eventually!) on most topics.