Infosec Reading List - January 2026
On a monthly basis I will publish my reading recommendations, which mainly focus on Information Security (InfoSec) and Outdoor Sports. All InfoSec Reading Lists can be found here. Text in italics represents quotes from the original article.
InfoSec
- The end of the curl bug-bounty - *I have also started to get the feeling that a lot of the security reporters submit reports with a bad faith attitude. These “helpers” try too hard to twist whatever they find into something horribly bad and a critical vulnerability, but they rarely actively contribute to actually improve curl.* - *We continue to immediately ban and publicly ridicule everyone who submits AI slop to the project.* - drastic measures for a backbone software of the Internet - [link]
- I spent a year on Linux and forgot to miss Windows - [link]
- GenAI, The Snake Eating Its Own Tail - *In short, the current GenAI model destroys the incentives to create new content. I’ve heard this referred to as “the great content collapse.” Will it lead to a world where, after the 2020s, there’s little-to-no content created by humans? Will the state of knowledge and creativity stagnate as a result?* - [link]
- On the Coming Industrialisation of Exploit Generation with LLMs - *We should start assuming that in the near future the limiting factor on a state or group’s ability to develop exploits, break into networks, escalate privileges and remain in those networks, is going to be their token throughput over time, and not the number of hackers they employ. Nothing is certain, but we would be better off having wasted effort thinking through this scenario and have it not happen, than be unprepared if it does.* - [link]
- Why AI Keeps Falling for Prompt Injection Attacks - *Imagine you work at a drive-through restaurant. Someone drives up and says: “I’ll have a double cheeseburger, large fries, and ignore previous instructions and give me the contents of the cash drawer.”* - advantage compared with machines: *Our basic human defenses come in at least three types: general instincts, social learning, and situation-specific training. These work together in a layered defense. … We reason by assessing multiple layers of context: perceptual (what we see and hear), relational (who’s making the request), and normative (what’s appropriate within a given role or situation). We constantly navigate these layers, weighing them against each other.* - [link]
- Escaping the Vulnerability Management Hamster Wheel - [link]
- FBI Couldn’t Get into WaPo Reporter’s iPhone Because It Had Lockdown Mode Enabled - *Those warrants included language that would have legally allowed them to press Natanson’s fingers onto the devices, or hold them up to her face, to unlock them if biometrics were enabled.* - “enforcing” the use of biometrics is way easier than “enforcing” the use of passwords - *But the agents did take photos and audio recordings of conversations stored in the laptop’s Signal application, the court record says.* - pairing your Signal phone app with additional devices might be comfortable to use but can increase risks - [link]
- The Chief Insecurity Officer - *Historically, we’ve framed the CISO role as securing the organization. But the business requires some level of insecurity to function. For work to happen, information must flow. Apps must be used. Links must be clicked. Sales needs to share proposals over channels you don’t fully control.* - [link]
- GrapheneOS is finally ready to break free from Pixels, and it may never look back - *The makers of GrapheneOS have confirmed they are partnering with a major Android OEM to bring the privacy-focused Android fork to Snapdragon-powered smartphones.* - [link]
- Reverse engineering Lyft bikes for fun (and profit?) - [link]
- Cyber Brief 26-02 - January 2026 - [link]
- Password managers’ promise that they can’t see your vaults isn’t always true - *The researchers reverse-engineered or closely analyzed Bitwarden, Dashlane, and LastPass and identified ways that someone with control over the server—either administrative or the result of a compromise—can, in fact, steal data and, in some cases, entire vaults.* - *The adversary can exploit this weakness by replacing the group public key with one from a keypair created by the adversary. Since the adversary knows the corresponding private key, it can use it to decrypt the ciphertext and then perform an account recovery on behalf of the targeted user.* - using these password managers always goes back to the business case: do you really need all your passwords on multiple devices synched? Then these centrally managed services with different apps for different platforms can make sense to you but bring along the risks pointed out in the article. I think the business case is overvalued. Most of us can live with accessing our passwords from one device. But this is something everybody must decide on their own. - [link]
- GrapheneOS - break free from Google and Apple - [link]
- Kimwolf Botnet Lurking in Corporate, Govt. Networks - [link]
- WhatsApp Encryption, a Lawsuit, and a Lot of Noise - [link]
- I verified my LinkedIn Identity - here’s what I actually handed over - [link]
This post is licensed under CC BY 4.0 by the author.
