Way back on May 11th of 2022, I was visiting my team (Edge browser) for the week in Redmond, Washington. On Wednesday night, I left my ThinkPad X1 Extreme laptop in a work area on the 4th floor of the office when I went out for drinks with friends. After dinner, I decided not to… Continue reading "An Improbable Recovery"
A hot infosec topic these days is “How can we prevent abuse of AI agents?” While AI introduces awesome new capabilities, it also entails an enormous set of risks from the obvious and mu…
The boys and I went to Maryland for the first half of August to visit family and check out some roller coasters. They hit Kings Dominion, Busch Gardens, Six Flags America (final season), and Hershe…
I’ve written about security products previously, laying out the framing that security products combine sensors and throttles with threat intelligence to provide protection against threats. As…
The team recently got a false-negative report on the SmartScreen phishing filter complaining that we fail to block firstline-trucking.com. I passed it along to our graders but then took a closer look myself. I figured that maybe the legit site was probably at a very similar domain name, e.g. firstlinetrucking.com or something, but no such… Continue reading "Attack Techniques: Fake Literally Everything! (Escrow Scam)"
Recently, there’s been a surge in the popularity of trojan clipboard attacks whereby the attacker convinces the user to carry their attack payload across a security boundary and compromise the device. Meanwhile, AI hype is all the rage. I recently had a bad experience in what I thought was a simple AI task (draw a… Continue reading "Vibe-coding for security"
Over the last several decades, the Windows team has added a stream of additional security mitigation features to the platform to help application developers harden their applications against exploi…
ericlaw talks about security, the web, and software in general
The Web Platform offers a great deal of power, and unfortunately evil websites go to great lengths to abuse it. One of the weakest (but simplest to implement) protections against such abuse is to b…
Microsoft Family Safety is a feature of Windows that allows parents to control their children’s access to apps and content in Windows. The feature is tied to the user accounts of the parent(s) and child(ren). When I visit https://family.microsoft.com and log in with my personal Microsoft Account, I’m presented with the following view: The “Nate”… Continue reading "Family Safety Content Filtering"
At WWDC 2025, Apple introduced an interesting new API, NEURLFilter, to respond to a key challenge we’ve talked about previously: the inherent conflict between privacy and security when trying…
Since the first days of the web, users and administrators have sought to control the flow of information from the Internet to the local device. There are many different ways to implement internet f…
The Fiddler Web Debugger is now old enough to drink, but I still use it pretty much every day. Fiddler hasn’t aged entirely gracefully as platforms and standards have changed over the decades…
The vast majority of cyberthreats arrive via one of two related sources: That means that by combining network-level sensors and throttles with threat intelligence (about attacker sites), security s…
Last November, I wrote a post about the basics of security software. In that post, I laid out how security software is composed of sensors and throttles controlled by threat intelligence. In today’…
For busy web users, the humble Find-in-Page feature in the browser is one of the most important features available. While Google or Bing can get you to the page you’re looking for faster than…
A fairly common security bug report is of the form: “I can put JavaScript inside a PDF file and it runs!” For example, open this PDF file with Chrome, and you can see the alert(1) messa…
My second run of the 3M Half Marathon was Sunday January 21, 2024. My first half-marathon last year was cold (starting at 38F), but this year’s was slated to be even colder (33F) and I was ne…
Authenticating to websites in browsers is complicated. There are numerous different approaches: the popular “Web Forms” approach, where username and password (“credentials”)…
When building applications that display untrusted content, security designers have a major problem— if an attacker has full control of a block of pixels, he can make those pixels look like anything…