March 7, 2023

I love crypto research that demonstrates practical attacks. The paper "A Vulnerability in Implementations of SHA-3, SHAKE, EdDSA, and Other NIST-Approved Algorithms" by Nicky Mouha and Christopher Celi demonstrates RCE (!) through controlled memory corruption in the final-round update of the Keccak code used by SHA-3. This implementation bug affected Python, PHP, and the SHA-3 Ruby package: https://eprint.iacr.org/2023/331

Bonus points for dropping a Metasploit reverse TCP payload!

The city of Rotterdam used an "AI" algorithm to flag people for possible social fraud. Wired et al. figured out how this algorithm mostly flagged the most vulnerable people: young single moms with a low income and only basic knowledge of Dutch.
