Infosec Reading List - April 2025

On a monthly basis I publish my reading recommendations, which mainly focus on Information Security (InfoSec) and outdoor sports. All InfoSec Reading Lists can be found here. Text in italic represents quotes from the original article.

InfoSec

  • A Sneaky Phish Just Grabbed my Mailchimp Mailing List - finally we will all click on phishing emails, no matter what - [link]
  • Security Turtles All the Way Down - important article on the definition of „secure“ - [link]
  • Why Quantum Cryptanalysis is Bollocks - [pdf] - great presentation, fun to follow - [link]
  • Locking down Signal - [link]
  • Gmail unveils end-to-end encrypted messages. Only thing is: It’s not true E2EE. - [link]
  • BPFDoor’s Hidden Controller Used Against Asia, Middle East Targets - The filter loaded by BPFDoor enables the malware to be activated by network packets containing “magic sequences” – a set of byte sequences defined by the threat actor that tells the backdoor on the infected machine to perform an action. - [link]
  • That groan you hear is users’ reaction to Recall going back into Windows - [link]
  • Cynomi cinches $37M for its AI-based ‘virtual CISO’ for SMB cybersecurity - Cynomi has seen its annual recurring revenue triple in the last year, Primor said, with more than 100 service providers and consultancies — including big telcos like Deutsche Telekom — reselling Cynomi’s services to thousands of SMBs. - [link]
  • It takes two: The 2025 Sophos Active Adversary Report - [link]
  • Generative AI is not replacing jobs or hurting wages at all, say economists - “Most workers in the exposed occupations have now adopted these chatbots. Employers are also shifting gears and actively encouraging it. But then when we look at the economic outcomes, it really has not moved the needle.” - “My general conclusion is that any story that you want to tell about these tools being very transformative, needs to contend with the fact that at least two years after [the introduction of AI chatbots], they’ve not made a difference for economic outcomes.” - [link]
  • OpenAI and Microsoft have put a price tag on what it means to achieve AGI: report - The two companies agreed to define AGI as a system that can generate $100 billion in profits. - [link]
  • Windows RDP lets you log in using revoked passwords. Microsoft is OK with that. - “This Isn’t Just a Bug. It’s a Trust Breakdown,” Wade wrote in his report. “People trust that changing their password will cut off unauthorized access.” - In response, Microsoft said the behavior is a “a design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline.” As such, Microsoft said the behavior doesn’t meet the definition of a security vulnerability, and company engineers have no plans to change it. - [link]
  • An open letter to third-party suppliers - ‘Secure and resilient by design’ must go beyond slogans—it requires continuous, demonstrable evidence that controls are working effectively, not simply relying on annual compliance checks. - I can underwrite the majority of the statements in this article by the JPM CISO; however, we need to be realistic: the market has a huge stake in defining what SaaS providers' security will look like. If SaaS providers with horrible security do great business, it means that they have a strong value-add to their customers, who are simply neglecting/risk-accepting the security aspects. This case is still the majority if you ask me. The more the market rejects these providers, the stronger security will become. This will drive a stronger change in the industry than „begging“ 3rd-party providers to do better with security. - [link]
  • Inside the M&S meltdown: 3am meetings and £40m a week in losses - [link]
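The BPFDoor item above describes a backdoor that wakes up when a packet carrying an attacker-defined "magic sequence" arrives. The following is an added example written for this list, not code from BPFDoor or from the Trend Micro report: it models that activation check against constructed IPv4/UDP packets and emits the tcpdump/libpcap expression a defender would use to hunt for the same bytes on the wire. The MAGIC value, the addresses and ports, and the choice to look for the sequence at the start of the UDP payload are all placeholders and assumptions of this example; the real implant uses its own bytes, offsets and protocols.

```python
"""Model of a "magic sequence" activation check plus a matching capture filter.

Added example (not BPFDoor's own code). Assumptions: the trigger bytes are
MAGIC below (a placeholder, not the real implant's value), they sit at the
start of a UDP payload, and only IPv4/UDP is handled.
"""
import struct
from typing import Optional

MAGIC = b"\xde\xad\xbe\xef"  # assumption: placeholder trigger bytes, not BPFDoor's


def _checksum(data: bytes) -> int:
    """One's-complement checksum as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a raw IPv4 packet carrying one UDP datagram (constructed sample input)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload  # UDP checksum 0 = omitted
    total_len = 20 + udp_len
    ip_no_sum = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, 17, 0,          # v4, IHL 5, TTL 64, proto 17 (UDP)
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    ip = ip_no_sum[:10] + struct.pack("!H", _checksum(ip_no_sum)) + ip_no_sum[12:]
    return ip + udp


def udp_payload(packet: bytes) -> Optional[bytes]:
    """Return the UDP payload of an IPv4 packet, or None if it is not IPv4/UDP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17 or len(packet) < ihl + 8:
        return None
    return packet[ihl + 8:]


def carries_magic(packet: bytes, magic: bytes = MAGIC) -> bool:
    """The activation check: does the datagram begin with the magic sequence?

    A backdoor that attaches such a filter to a raw socket sees the packet
    regardless of whether any service is listening on the destination port.
    """
    payload = udp_payload(packet)
    return payload is not None and payload.startswith(magic)


def tcpdump_filter(magic: bytes = MAGIC) -> str:
    """libpcap expression matching the same bytes at the start of any UDP payload.

    udp[N] indexes from the UDP header, so the payload begins at offset 8.
    """
    return "udp and " + " and ".join(f"udp[{8 + i}] = 0x{b:02x}" for i, b in enumerate(magic))


if __name__ == "__main__":
    trigger = build_udp_packet("10.0.0.5", "10.0.0.9", 40000, 53, MAGIC + b"cmd")
    benign = build_udp_packet("10.0.0.5", "10.0.0.9", 40000, 53, b"hello")
    print("trigger packet activates:", carries_magic(trigger))
    print("benign packet activates: ", carries_magic(benign))
    print("hunt with: tcpdump -nn '%s'" % tcpdump_filter())
```

The filter string can be passed to tcpdump or any libpcap-based sensor; because the sequence is checked byte by byte it works for magic values of any length. Real implants of this kind also use TCP and ICMP and may place the sequence at other offsets, so a hunt should not stop at UDP.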
This post is licensed under CC BY 4.0 by the author.