Nadim Kobeissi

@kaepora

Followers
23,784
Following
676
Media
1,008
Statuses
5,871

💽 Applied cryptographer, senior auditor, computer scientist, puzzle game designer • @SymbolicSoft , @Cure53Berlin

Paris, France
Joined January 2008
Pinned Tweet
@kaepora
Nadim Kobeissi
2 months
🚨 New very cool public cryptography audit! I'm very excited about this one. Big collab between @symbolicsoft and @3miLabs to audit a novel threshold ECDSA by @dWalletLabs geared towards MPC. Big findings! MPC! AHE! Range proofs! Sigma protocols! Download the full report 👇
@symbolicsoft
Symbolic Software
2 months
We're thrilled to release our latest public audit report: a functional correctness and security assessment of @dWalletLabs 's 2PC-MPC Rust implementation. → Download Full Report (PDF): ...or read on for more: 🧵
1
2
11
0
2
16
@kaepora
Nadim Kobeissi
3 years
Apple distributed an internal memo today which referred to pushback against its new content surveillance measures as "the screeching voices of the minority." I have nothing to add.
284
3K
7K
@kaepora
Nadim Kobeissi
7 months
@Jerusalem_Post Dictionary definition for "ethnic cleansing"
28
258
6K
@kaepora
Nadim Kobeissi
23 days
"Signal needs your donations" Signal, a 510(c)3 nonprofit operating under $50M loan (not grant, loan) from WhatsApp co-founder Brian Acton, paid its top developers and executives, on average: - $650,000/year in 2021, - $464,000/year in 2022. Signal really needs our donations!
97
207
2K
@kaepora
Nadim Kobeissi
3 years
@cronokirby This memo genuinely makes me angry. Not Internet angry, not outrage angry, but genuine real anger. Imagine being so blind and short-sighted, imagine standing up the entire security & privacy community and then writing that off as "the screeching voices of the minority."
18
91
1K
@kaepora
Nadim Kobeissi
1 year
@WIRED I'm not by any means a Matt Walsh fan but this is plainly misleading. Dell posted a tweet explicitly asking hackers to leak him the Walsh's personal DMs.
13
20
921
@kaepora
Nadim Kobeissi
3 years
SIGN THE OPEN LETTER AGAINST APPLE'S NEW PRIVACY-INVASIVE MEASURES: The Apple Privacy Letter aims to unite Security & Privacy experts, researchers, Professors, policy advocates and Apple Consumers against Apple's planned moves against all of our privacy.
38
412
747
@kaepora
Nadim Kobeissi
3 years
I am confident that this rollout is part of a broader strategy, coordinated with law enforcement partners around the world, with the aim of normalizing client-side scanning of *encrypted content across the entire device*, and not just photos synced via iCloud.
12
153
566
@kaepora
Nadim Kobeissi
2 years
@nabeelqu The smart people you know must not be that smart
8
4
512
@kaepora
Nadim Kobeissi
3 years
Apple managed an embargo across every tech journalist. They also invited a handful of cryptographers to review their design, but not one that also engaged in public education. The lengths they’ve put towards controlling the narrative on this rollout is worth noting.
@matthew_d_green
Matthew Green
3 years
Apple is managing an embargo of reporters right now. It’s quite a remarkable thing watching them do this, goal is to make sure everyone reports this when Apple wants and on Apple’s terms.
9
63
290
8
170
489
@kaepora
Nadim Kobeissi
1 year
@VCBrags (my signature move)
3
1
457
@kaepora
Nadim Kobeissi
1 year
Beautiful.
7
87
407
@kaepora
Nadim Kobeissi
23 days
Note that that's $650,000/year average per top developer or executive, not total! How are these nonprofit salaries? How is this a responsible way to manage a nonprofit that's propped up by loans and begging for donations?
8
2
374
@kaepora
Nadim Kobeissi
3 years
As of today, Lebanon is completely cut off from all electricity: the state can no longer provide *any* electricity, and due to the fuel shortage and the currency crash it's unlikely that a lot of people can turn on private generators, either.
27
127
294
@kaepora
Nadim Kobeissi
1 year
@SalmanRushdie @NewYorker Welcome back, hero! May you live the rest of your days to their fullest. Your name will always be a service to intellectual freedom.
1
9
300
@kaepora
Nadim Kobeissi
3 years
This is AMAZING and I am VERY HAPPY
32
3
295
@kaepora
Nadim Kobeissi
15 days
🧵 OK. In light of CrowdStrike's EDR causing the world to end, let's talk about why EDR (Endpoint Detection and Response) solutions are mostly bullshit. They're marketed as the ultimate cybersecurity solutions, but the reality is far from the hype.
3
67
275
@kaepora
Nadim Kobeissi
2 years
@fasc1nate @bradneuberg Proximity sensor mounted at the right y-axis, I’m guessing?
5
3
262
@kaepora
Nadim Kobeissi
3 years
We are now at over 3,000 screeching voices of the minority! We tried to vet every signature. Our open letter now illustrates a very strong opposition to Apple's new content screening measures. Thanks @Snowden for keeping me and @georgionic up all night!
6
60
245
@kaepora
Nadim Kobeissi
5 months
@aaronp613 This is so that iOS’s voice recognition opens the app correctly when you ask Siri to
3
0
253
@kaepora
Nadim Kobeissi
23 days
In November 2023, @mer__edith wrote a blog post begging for donations titled "Privacy is Priceless, but Signal is Expensive." It lists infrastructure costs in detail, but fails to mention that the Signal Foundation's top brass each earned, on average, $650,000 the preceding year.
3
8
248
@kaepora
Nadim Kobeissi
23 days
Unconfirmed word on the street is that @mer__edith earned around $1,000,000 in compensation in 2023, the same year she published that blog post begging for donations, listing infrastructure cost but not mentioning this utterly insane remuneration for a donation-driven nonprofit.
4
6
225
@kaepora
Nadim Kobeissi
2 months
@wcathcart Sure, WhatsApp is end-to-end encrypted. I think it’s fair to wonder if WhatsApp exports metadata (contact list, chronological chatting relationships) to Meta for use in advertising and profiling, though. Does it?
13
3
203
@kaepora
Nadim Kobeissi
2 years
PSA: By migrating Google Maps from to , Google has made it such that granting Location Access in your browser to Google Maps will now grant that same permission to all other Google services.
5
125
195
@kaepora
Nadim Kobeissi
3 years
Dumbed-down explanation: Apple's iPhones will soon start secretly calling the police if they find photos on your phone that match fingerprints of photos depicting child abuse and any content eventually deemed objectionable. This can/will be generalized to secure messaging
@matthew_d_green
Matthew Green
3 years
I’ve had independent confirmation from multiple people that Apple is releasing a client-side tool for CSAM scanning tomorrow. This is a really bad idea.
111
1K
3K
11
73
187
@kaepora
Nadim Kobeissi
7 months
@MushtaqBilalPhD You sound like every nightmare colleague I’ve ever worked with combined
0
0
177
@kaepora
Nadim Kobeissi
1 year
@CFWhitehead Are you working on Sonic Superstars?
2
0
169
@kaepora
Nadim Kobeissi
23 days
@mer__edith My point is that if you want to justify taking out million dollar comp out of a tax-exempt nonprofit for a social cause while also begging for donations and saddling loans, and your excuse is needing exceptional engineering talent, maybe show up with the exceptional engineering.
2
1
175
@kaepora
Nadim Kobeissi
3 years
We built truly decentralized tech for free discourse It leverages @orbit_db , @IPFS , and @NEARProtocol A team of 10+ working for months, backed by @naval @polychaincap @balajis Limitless implications And all I've been using it for is dumb posts about tomatoes (Testnet soon)
13
31
163
@kaepora
Nadim Kobeissi
3 years
Maybe this'll put what's happening in #Palestine more in perspective for my followers. In 2006: - Israel carpet-bombed my entire neighborhood, killing my friends, leaving me homeless - I escaped through a field of unexploded cluster bombs to my mom waiting on other side (1/n)
9
66
170
@kaepora
Nadim Kobeissi
23 days
@mer__edith Meanwhile, Signal Desktop has been under life support for the past five years, with multiple known issues, including being vulnerable to a cloned state allowing for ghost devices to be set up undetectably:
@mysk_co
Mysk 🇨🇦🇩🇪
26 days
🚨 @signalapp on its website presents both mobile and desktop versions to be equally secure. As we showed, the desktop versions are vulnerable to data exfiltration and session hijacking. This is consistent with early reports from 2018 and results from developers who successfully
12
42
282
3
3
165
@kaepora
Nadim Kobeissi
23 days
@mer__edith As a 501(c) nonprofit, the Signal Foundation is required by U.S. law to fill out a Form 990 which lists any and all expenses and compensation packages. These are viewable online by the general public here:
1
4
163
@kaepora
Nadim Kobeissi
23 days
@Kazanjy Is your premise here that nobody knows how to write good software outside of $800,000/year engineers in California?
8
0
164
@kaepora
Nadim Kobeissi
23 days
@mer__edith They’ve shipped exactly one feature: usernames, while requiring them to be tied to phone numbers, which opened up another venue for them to be subpoenaed for user data while also making the entire feature pointless in terms of privacy against the Signal service itself.
1
4
164
@kaepora
Nadim Kobeissi
23 days
@mer__edith Some US folks are pointing out that these salaries are in line with expectations for best-of-the-best engineers from trillion-dollar such as Apple etc., which apparently Signal’s hiring has to compete against. Okay. Great. Question: what has Signal shipped this year?
3
2
161
@kaepora
Nadim Kobeissi
3 years
The Apple Privacy Letter's raised 4200+ signatures within 24 hours. Interested to see whether Apple will turn a deaf ear (having already called folks "a screeching minority") next week or whether they'll address the issue. If you still haven't signed: 👇
8
59
147
@kaepora
Nadim Kobeissi
3 years
@cronokirby Incredibly difficult to resist typing with extreme clarity what I think Apple's security team and especially this Marita Rodrigues should go do with themselves.
3
12
131
@kaepora
Nadim Kobeissi
3 years
This is 100% political — whether or not @Twitter staff like the articles that get published on @Quillette , it’s obviously a legitimate online magazine with impactful writing and a large audience. Much smaller outfits deservedly get verified
@clairlemon
Claire Lehmann
3 years
~ @Twitter won't verify @Quillette 's account. I guess that's because we truck in hate facts such as men and women not being the same and @jonkay being a champion at disc golf
73
111
1K
5
20
138
@kaepora
Nadim Kobeissi
23 days
If you look back further, three years back, Signal has: - Ignored all research literature documenting protocol weaknesses since at least 2021 (c.f. previous tweet), - Left Signal Desktop in a totally desolate, unmaintained state, aside from minor fixes, - Shipped usernames in
4
3
139
@kaepora
Nadim Kobeissi
4 months
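@ahoy_cubism I'm truly sorry. Every time I visit Japan, I make an effort to respect the local culture and leave a good impression. Visitors like this ruin everything for everyone. It's especially sad because Japan is such a beautiful place. I'm embarrassed.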
5
7
138
@kaepora
Nadim Kobeissi
2 years
There is this odd emerging trend in applied cryptography where engineers with animal-inspired online personas are also those writing the most exceptionally accessible and pedagogical cryptography explainers. This, by @CendyneNaga , is totally amazing:
4
23
135
@kaepora
Nadim Kobeissi
3 years
Fixed the audio on Zuck's 4th of July video
19
15
127
@kaepora
Nadim Kobeissi
5 months
@LaurenWitzkeDE Compensating for something?
3
9
131
@kaepora
Nadim Kobeissi
3 years
The security and privacy community might succeed in rolling back today’s change and avoiding a world where virtually any content created or shared on your phone risks reporting you to the police, but in case we fail, I want folks to remember this tweet in, say, 2025.
1
26
116
@kaepora
Nadim Kobeissi
2 years
@mindykaling @hbomax @velmatheseries This show turned my television into a machine gun mercilessly shooting utter stupidity at my face until I turned it off
0
2
122
@kaepora
Nadim Kobeissi
1 year
@ErrataRob @WIRED Feel like you're moving the goalposts a little bit here.
1
0
120
@kaepora
Nadim Kobeissi
3 years
I decided to give the recent Pegasus coverage the benefit of the doubt and spent my lunch break looking up other reports by the same folks. In a report published last week, their *only* evidence for attribution is a *self-signed* TLS certificate. That's not evidence.
5
64
116
@kaepora
Nadim Kobeissi
3 years
For those who missed it: this is a fundamental flaw in Apple's CSAM tech, that bypasses all of their claimed security guarantees. Apple can trivially use different CSAM datasets for each user. For one user it could be child abuse, for another it could be a much broader category.
@matthew_d_green
Matthew Green
3 years
Because surely it will ensure this, right? You’d want to ensure that Apple (or someone who hacks Apple’s servers) can’t change the database selectively to target it to you — and have a normal CSAM database for everyone else.
4
9
78
5
37
121
@kaepora
Nadim Kobeissi
3 years
@ggreenwald The real problem with the fighter jets that carpet bombed my neighborhood and left me homeless was the fact that they were all piloted by cisgender men
1
5
110
@kaepora
Nadim Kobeissi
2 months
@MarioToenails How about you delete this and stop spreading misinformation about honest developers building technologies that make the web more open?
4
0
120
@kaepora
Nadim Kobeissi
3 years
I’m not sure that a very large chat room moderated discriminately by a randomly-assembled team in San Francisco can qualify itself as the “open Internet”
@GlobalAffairs
Global Government Affairs
3 years
We are deeply concerned by the blocking of Twitter in Nigeria. Access to the free and #OpenInternet is an essential human right in modern society. We will work to restore access for all those in Nigeria who rely on Twitter to communicate and connect with the world. #KeepitOn
22K
30K
43K
1
22
114
@kaepora
Nadim Kobeissi
4 months
@linusgsebastian @priyanshuraj33 @eatinggerbers @thisbrowngeek @dbrand @LinusTech This is incredibly disappointing. The issue here is about how people around the world constantly have to deal with how English is the lens through which their identity is perceived a lot of the time, despite where they’re from. This is why people ask for cultural tolerance and
5
1
120
@kaepora
Nadim Kobeissi
3 years
Mediapart's front page has three stories about Morocco, with claims such as Morocco "targeting at least 10,000 mobile phones including civilians and journalists." This is not supported by *any* evidence presented by Amnesty. 𝗧𝗵𝗶𝘀 𝗶𝘀 𝗰𝗼𝗺𝗽𝗹𝗲𝘁𝗲𝗹𝘆 𝗺𝗮𝗱𝗲 𝘂𝗽.
9
50
97
@kaepora
Nadim Kobeissi
2 years
Oh, I’m chill, @WoolieWoolz 😄🤣🤣 but I’m interested in seeing if you will be at the higher levels once you have rotating laser mirrors and teleporters 😄😄😄
1
9
117
@kaepora
Nadim Kobeissi
3 years
3
0
110
@kaepora
Nadim Kobeissi
3 years
We've developed a UX at @CapsuleSoc that lets journalists, critics, scientists etc. write, read, follow with the same ease-of-use as centralized platforms. Except, we're fully decentralized, building on @IPFS , @orbit_db and @NEARProtocol . Decentralized discourse is near. 🚀
10
29
114
@kaepora
Nadim Kobeissi
2 years
There is simply no excuse for Twitter censoring links to virtually all popular Mastodon instances. This is anticompetitive censorship and an abuse of power.
@chrispanag
Christos Panagiotakopoulos 🇪🇺
2 years
So any link to any Mastodon instance is blocked on Twitter? wtf...
0
1
18
5
21
113
@kaepora
Nadim Kobeissi
9 months
I just learned through the news that no hospital in Gaza has ER services anymore. I learned this news through listening to a field reporter, who’s standing there reading the news after his wife and two children were all killed in an Israeli bombing yesterday. What am I looking at
2
54
112
@kaepora
Nadim Kobeissi
3 years
@PalmerLuckey War sucks
1
1
103
@kaepora
Nadim Kobeissi
4 months
This is exactly what happened to me in 2006, when I was 15, after Israel carpet-bombed south Beirut. I remember that exact shape and color of the concrete, this exact aesthetic. I climbed on top of the rubble and my mom was afraid I’d die from unexploded bombs. I tried to
2
41
111
@kaepora
Nadim Kobeissi
1 year
I was just telling a friend a funny story, and I realized that it's possibly funny enough to be shared on here: In January 2019, I literally bumped into @linusgsebastian standing outside a restaurant in central Paris positively fuming in his sandals because the restaurant
1
0
110
@kaepora
Nadim Kobeissi
2 years
@WilliamDetour @fasc1nate @bradneuberg I learned what a y-axis was in middle school.
1
0
105
@kaepora
Nadim Kobeissi
25 days
@mysk_co @mer__edith You're letting her shift the issue scope! The issue isn't bad because you can clone Signal Desktop's state: it's bad because you can then run two different devices that'll sync the same state and be recognized as the same device! It allows setting up undetectable ghost devices!
3
5
107
@kaepora
Nadim Kobeissi
5 months
@JustAnkurBagchi A 150 IQ person can likely avoid writing such overly cringe posts that oversimplify intelligence
7
0
103
@kaepora
Nadim Kobeissi
3 years
“At Apple, we believe privacy is a fundamental human right… unless 15% of our revenue is at stake”
6
27
100
@kaepora
Nadim Kobeissi
25 days
Signal’s cult status amongst the cryptography in-group has led to a corrupt discourse that punishes constructive critical thinking and ostracizes any analysis of Signal that’s not wholly positive as being done in bad faith. Signal’s leadership has explicitly encouraged this.
@mysk_co
Mysk 🇨🇦🇩🇪
25 days
This old thread by @signalapp 's president addresses a report by johnjhacking about the same desktop app vulnerability we highlighted. The response downplays the risks on the basis that the level of access required to hijack a session is "only available if the device is already
14
29
191
5
11
100
@kaepora
Nadim Kobeissi
23 days
This isn't to mention that Signal has done close to nothing to address the flurry of cryptographic weaknesses that have cropped up over the years:
@kaepora
Nadim Kobeissi
25 days
If you look at leading scientific publications such as those from PETS, you’ll see that: - Signal’s “sealed sender security” is broken and bogus (Martiny et al, 2021: ) - Signal has regressed in terms of deniability: (+upcoming
7
10
67
1
1
98
@kaepora
Nadim Kobeissi
3 years
💥📣 BIG ANNOUNCEMENT: I'M MAKING AN INDIE PUZZLE GAME! 🎮🧩 I'm incredibly excited to announce DR. KOBUSHI'S LABYRINTHINE LABORATORY, my secret project for the past many many months! CHECK US OUT AND PRE-ORDER ON KICKSTARTER: RTs greatly appreciated!!
4
41
94
@kaepora
Nadim Kobeissi
10 months
@tha_rami @zornsllama That would be some hardcore object oriented programming
1
0
87
@kaepora
Nadim Kobeissi
3 years
Removing " enthusiast" from my Twitter bio. What a joke. If Apple doesn't walk back this decision nobody has any business calling them a privacy company anymore.
2
4
86
@kaepora
Nadim Kobeissi
1 year
Some Personal News™: I'm excited to announce that I'm joining @nymproject as Head of Software Integration. I will be responsible for integrating Nym's mixnet technology into as many software applications and ecosystems as possible. I will do my best!
7
11
83
@kaepora
Nadim Kobeissi
3 years
@ReportingfromNY @YairWallach @RobertMackey Not exactly; it’s incitement to genocide which yes, tends to include nationalism
1
1
78
@kaepora
Nadim Kobeissi
1 year
@Oclock_io This announcement is absolutely awful
0
0
82
@kaepora
Nadim Kobeissi
24 days
Signal laments security researchers for not discussing concerns on their GitHub, but also blocks them from doing so. Despite not interacting with it any time in recent years, I'm now blocked from the Signal GitHub. I've also been blocked by the Signal Twitter account.
6
16
95
@kaepora
Nadim Kobeissi
3 years
2021: Child safety 2022: Terrorist recruitment prevention 2025: Firearm regulation enforcement 2027: "Combating misinformation"
4
26
73
@kaepora
Nadim Kobeissi
15 days
🧵 9/ I forgot to mention just how invasive these solutions tend to be. They will monitor all running processes, all network requests, and in many cases communicate information somewhat indiscriminately to companies run by their vendor, often in violation of GDPR regulations.
3
12
80
@kaepora
Nadim Kobeissi
1 month
Just finished the Riven remake, which is now (and I don’t say this lightly) my new favorite video game of all time. I sincerely hope that @cyanworlds get the recognition that they deserve for this work of art. Incredible puzzles to solve, as seen through my Riven notebook:
3
5
80
@kaepora
Nadim Kobeissi
22 days
@dvassallo @PraveenPerera That joke deserves a crown.
4
1
79
@kaepora
Nadim Kobeissi
3 months
Ways through which a complacent Board of Directors can harm Signal: - Approve the roll-out of usernames while still keeping phone numbers mandatory, thereby avoiding the elimination of a core metadata element, - Roadblock the integration of anonymity tech, such as @nymproject
4
9
73
@kaepora
Nadim Kobeissi
3 years
Today I received a reply to an email I sent thirteen years ago.
8
0
76
@kaepora
Nadim Kobeissi
2 years
Looking at the @IACReurocrypt program, hmm
9
10
74
@kaepora
Nadim Kobeissi
3 years
A few weeks ago I proposed to the person I love and was blessed by her saying yes. What was kept secret is that before proposing, I secretly reviewed her code for quality, cleanliness and proper programming practices. I didn’t want any hidden surprises
10
1
74
@kaepora
Nadim Kobeissi
2 years
Today I had an on-stage rap battle about hummus with an Israeli cryptographer at a mathematics conference in the Arctic Circle.
2
0
72
@kaepora
Nadim Kobeissi
9 months
My mother, who is stuck alone in Lebanon, alone, without a husband and with me as her only child, just got her long-stay visa application straight-up rejected, despite war being right at the door, despite having multiple five-year visas in the past, despite my gaining French
7
8
72
@kaepora
Nadim Kobeissi
2 years
This is the most terrifying thing I've seen in quite a while: An actual committee of actual scientists () voted to ban Russian scientists and their publications, based on their origins. Thank God this was later overturned.
2
9
71
@kaepora
Nadim Kobeissi
2 years
Myself and my companies will never engage in any business with @Ledger in the future. Any of their business partners will be subject to scrutiny and likely also rejected. I spent six years understanding how difficult it is to prove oneself to the more fascist elements in France.
@ZemmourEric
Eric Zemmour
2 years
Today, I visited Ledger, the French leader in securing crypto-assets. We must support the cryptocurrency ecosystem, a sector of the future, and here are my proposals: (1/5)
810
3K
11K
3
21
66
@kaepora
Nadim Kobeissi
3 years
Here, look, I just faked the evidence on my laptop in thirty seconds. This is the standard of evidence used to make "moderate-high confidence" attributions. The security community is suspending critical thinking here because the findings confirm existing beliefs. It's a joke.
2
17
61
@kaepora
Nadim Kobeissi
3 years
Thank you very much to everyone for all the kind comments on this, it’s sincerely heartwarming! Becoming a European citizen came after twelve years abroad on work visas. I’m incredibly excited to vote in a secular democracy for the first time soon!!
@kaepora
Nadim Kobeissi
3 years
This is AMAZING and I am VERY HAPPY
32
3
295
5
2
70
@kaepora
Nadim Kobeissi
15 days
🧵 7/ The entire core engineering premise of EDR solutions, adding invasive kernel drivers on top of consumer operating systems, is fraudulent in theory, and doomed to fail in practice. Any real solution would follow the engineering pathway of something like iOS, or like NixOS.
3
6
70
@kaepora
Nadim Kobeissi
3 years
Claims made in Pegasus reporting The evidence
3
24
63
@kaepora
Nadim Kobeissi
3 years
@linusgsebastian Wait, really? Why a gymnasium?
3
0
67
@kaepora
Nadim Kobeissi
15 days
🧵 5/ The core problem isn’t about the reliability of staged releases. It’s about the insistence on integrating these solutions at the kernel level. This is where they cause instability, crashes, and even security vulnerabilities.
1
4
66
@kaepora
Nadim Kobeissi
3 years
Still completely stunned by the fact that starting next week, your ability to have a coffee or ride a train in France will depend on you querying a centralized Linux server somewhere running MongoDB
3
7
61
@kaepora
Nadim Kobeissi
25 days
If you look at leading scientific publications such as those from PETS, you’ll see that: - Signal’s “sealed sender security” is broken and bogus (Martiny et al, 2021: ) - Signal has regressed in terms of deniability: (+upcoming
7
10
67
@kaepora
Nadim Kobeissi
2 years
Imagine charging money for an infinitely inferior product to the free, secure, nonprofit, open source @signalapp secure messenger, and then accusing the world-class team auditing your security for free of "overselling".
@ThreemaApp
Threema
2 years
There’s a new paper on Threema’s old communication protocol. Apparently, today’s academia forces researchers and even students to hopelessly oversell their findings. Here’s some real talk:
41
33
130
2
7
65
@kaepora
Nadim Kobeissi
15 days
🧵 8/ To conclude, EDRs are almost literally fraudulent solutions that in the vast majority of cases won't help you. They introduce foreign code into the kernel and do not stop attacks in practice. Stop lining the pockets of companies that are promoting this foolish practice.
1
5
66
@kaepora
Nadim Kobeissi
3 years
An incredible honor has been granted to me: I have just discovered that I have been naturalized as a French citizen. My gratitude is so great that I cannot even grasp its extent; it exceeds my awareness. I am blessed. I will do everything I can to prove that I deserve it.
13
2
66
@kaepora
Nadim Kobeissi
15 days
🧵 3/ To comply, companies have to install unstable kernel drivers from third-party vendors. Kernel drivers! This is true for both Windows and Linux endpoints. These are the most privileged part of an operating system, and they're being cluttered with invasive third-party code.
2
6
65
@kaepora
Nadim Kobeissi
3 years
I wish the researchers uncovering all this malware would do so without hyping up their results with what is clearly baseless and irresponsible conjecture. Not only does it lower the bar for the entire field, but I'm sure that they don't really have to do it to secure funding.
0
16
60