-
ZDNet | security RSS
- Microsoft account vs. local account: How to choose and set up your pick in Windows 11
CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails
-
ZDNet | security RSS
- I used Gmail's AI tool to do hours of work for me in 10 minutes - with 3 prompts
-
ZDNet | security RSS
- This Android camera accessory helped me spot a hidden electrical hazard just in time
-
The Register - Security
- 'People's Panel' to check if UK wants controversial Digital ID will cost £630K
We could tell you no for free
The UK government will spend about £630,000 running a discussion panel on its digital identity card plans, which minister James Frith said will "consider different perspectives and debate trade-offs" alongside a formal consultation.…
-
ZDNet | security RSS
- Why I'm ditching my cheap PC cloning software for this M.2 dock that's highly functional
I used Apple Music's new AI tool to break out of my music rut - and it worked
r/netsec monthly discussion & tool thread
Questions regarding netsec and discussion related directly to netsec are welcome here, as is sharing tool links.
Rules & Guidelines
- Always maintain civil discourse. Be awesome to one another - moderator intervention will occur if necessary.
- Avoid NSFW content unless absolutely necessary. If used, mark it as being NSFW. If left unmarked, the comment will be removed entirely.
- If linking to classified content, mark it as such. If left unmarked, the comment will be removed entirely.
- Avoid use of memes. If you have something to say, say it with real words.
- All discussions and questions should directly relate to netsec.
- No tech support is to be requested or provided on r/netsec.
As always, the content & discussion guidelines should also be observed on r/netsec.
Feedback
Feedback and suggestions are welcome, but don't post it here. Please send it to the moderator inbox.
-
/r/netsec - Information Security News & Discussion
- AI-Generated Calendar Event Phishing w/ Dynamic Landing Pages
It’s crazy how things come full circle more than a decade later.
About a decade ago, I got interested in calendar phishing after seeing Beau Bullock’s work at BHIS. Around that time, I built and shared some of my own Graph API scripts for calendar phishing, added support for it in my open source PhishAPI tool, and even introduced the idea to KnowBe4 so they could eventually bring it into phishing training for clients (which Kevin Mitnick himself used Beau's command-line tool to demonstrate).
I brought it to their attention at a client’s request after using the technique successfully on them, during a time when calendar phishing was still largely overlooked as a real-world attack path.
Back then, it was still niche enough that plenty of defenders were not thinking about calendar invites as a phishing channel at all.
More than a decade later, I’m still refining the concept, now as part of the commercial PhishU Framework.
I’m happy to say the Framework fully supports Calendar Event phishing again, but now in a much more usable way:
· Native calendar event workflow
· Simple WYSIWYG w/ AI-generated timing suggestions and content
· As easy as selecting the Calendar Event template
· Automatically tied into training when used in a campaign
It’s built for red teams and security teams that want realistic phishing assessments, including credential and session capture paths, not just allow-list-only email testing.
Block the Prompt, Not the Work: The End of "Doctor No"
Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures
-
ZDNet | security RSS
- I tested ChatGPT vs. Claude to see which is better - and if it's worth switching
Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass
New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released
-
ZDNet | security RSS
- This Windows PC setting could be limiting your SSD capacity - here's how to regain storage
-
The Hacker News
- 3 Reasons Attackers Are Using Your Trusted Tools Against You (And Why You Don’t See It Coming)
Authority Encoding Risk (AER)
Most AI discussions focus on correctness.
Accuracy. Alignment. Output quality.
But there’s a more fundamental problem underneath all of that:
Who — or what — is actually allowed to execute a decision?
---
I just published a paper introducing:
Authority Encoding Risk (AER)
A measurable variable for something most systems don’t track at all:
Authority ambiguity at the moment of execution.
---
Today’s systems can tell you:
• if something is likely correct
• if it follows policy
• if it appears safe
But they cannot reliably answer:
Is this decision admissible under real-world authority constraints?
---
That gap shows up in:
• automation systems
• AI-assisted decisions
• institutional workflows
• underwriting and loss modeling
And right now, it’s largely invisible.
---
The paper breaks down:
• how authority ambiguity propagates into risk
• why existing frameworks fail to capture it
• how it can be measured before loss occurs
---
If you’re working anywhere near AI, risk, infrastructure, or decision systems — this is a layer worth paying attention to.
---
There’s a category of risk most AI systems don’t even know exists.
This paper represents an initial formulation.
Ongoing work is focused on tightening definitions, expanding evidence, and strengthening the model.
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6229278
UK manufacturers under cyber fire with 80% reporting attacks
ESET says factory outages, lost revenue, and supply chain disruption are becoming routine
Nearly 80 percent of British manufacturers say they've been hit by a cyber incident in the past year, as new research suggests disruption on the factory floor is no longer an exception but business as usual.…
Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069
Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms