A New Spy Radio Signal Has Appeared. It's Broadcasting in Farsi. A new shortwave numbers station appeared the day the bombs fell. Nobody knows who's running it.

Numbers stations are back! Um. open.substack.com/pub/theicema...

What an incredible resource from Science Buddies!  Love reading about all of these amazing women in #STEM and #TECH #WomensHistoryMonth

A great list of biographies that celebrate women pioneers in all fields, including #computerscience #WomensHistoryMonth

Anonymous credentials: an illustrated primer This post has been on my back burner for well over a year. It’s been sitting here unwritten, not because the topic is unimportant — in fact, with every single month that goes by, I become mor…

I wrote a new post on anonymous credentials and how to build them. All of this is in service on a longer future post on how these will fit into age verification systems. blog.cryptographyengineering.com/2026/03/02/a...

Build your offensive security lab with 18 DRM-free books worth $700+. Download once, read anywhere, keep forever.

Pay what you want (starting around $36) and support the EFF while you’re at it: https://www.humblebundle.com/books/hacking-no-starch-books

Passkey Mythbusters: Short Takes on Common Misunderstandings @ Authenticate 2025 Passkeys promise to replace passwords with a simpler, more secure login experience, but myths and confusion still hold many organizations back. This session at Authenticate 2025 tacklea some commonly ...

At Authenticate, @iamkale.millerti.me, @nishantkaushik.com, and I decided to mix up the usual "Passkeys 101" and cover common misconceptions about #passkeys. Topics around cloud sync, phishing resistance, workforce usage, and concerns about vendor lock in.

blog.timcappalli.me/p/preso-auth...

Teaching Applied Cryptography in Beirut: Field Update Two months ago, I began what colleagues politely called an "ambitious" undertaking: teaching Applied Cryptography to fifty students at the American University of Beirut while the country navigates war...

I wrote a long post about my experiences so far in teaching applied cryptography at the American University of Beirut: www.linkedin.com/pulse/teachi...

The link is missing

📣THREAD: It’s surprising to me that so many people were surprised to learn that Signal runs partly on AWS (something we can do because we use encryption to make sure no one but you–not AWS, not Signal, not anyone–can access your comms).

It’s also concerning. 1/

Passkeys and Verifiable Digital Credentials: Friends or Foes? @ Authenticate 2025 A session at Authenticate 2025 which explores the nuanced dynamics between passkeys and verifiable digital credentials, and their technological foundations across usability, privacy, trust models, and...

#Passkeys and Verifiable Digital Credentials: Friends or Foes?

My presentation from Authenticate 2025!

blog.timcappalli.me/p/preso-auth...

#passkey #webauthn #vdc #mdl #mdoc #authenticate2025

Some upcoming talks for my course's Applied Cryptography Speaker Series

As always, you can learn more about my course at appliedcryptography.page

(Necessary disclaimer: I'm organizing these talks on my own, AUB is not involved, and they're happening online, not at the university)

"I don't have anything to hide why should I care about privacy?"

A Retrospective Survey of 2024/2025 Open Source Supply Chain Compromises Project compromises have common root causes we can mitigate: phishing, control handoff, and unsafe GitHub Actions triggers.

To implement robust mitigations across Geomys, I did a survey of open source project compromises in 2024/2025.

Three root causes dominate: phishing, control handoff, and unsafe GitHub Actions triggers. All three can be systematically avoided.

words.filippo.io/compromise-s...