Nathaniel Mott

README senior editor Nathaniel Mott has been covering security since 2011, with bylines in PCMag, The Guardian and too many other publications to list here.

Changelog: Deja vu on the edge
Welcome to Changelog for 9/28/23, published by Synack!
Commit 09_26_2023: U.S. surveillance relies on private allies
Welcome to Commit 09_26_2023, featuring reports on the public-private partnerships that enable U.S. surveillance, a max-severity vulnerability and more.
Commit 09_25_2023: Schrödinger's Scattered Spider
Welcome to Commit 09_25_2023, with coverage of the group that hacked MGM resorts, a new iOS spyware exploit chain and more.
Changelog: Signal makes a quantum leap
Welcome to Changelog for 9/21/23, published by Synack! README senior editor Nathaniel Mott here with Signal's plans for quantum computing and other infosec news.
Commit 09_19_2023: ShroudedSnooper, ShadowDragon
Hello! Welcome to Commit 09_19_2023. README senior editor Nathaniel Mott here with the latest infosec news, starting with ShroudedSnooper and ShadowDragon.
Commit 09_18_2023: Hello, world!
Hello! Welcome to Commit, a companion to Changelog intended to help you stay on top of infosec news in between installments of our weekly newsletter.
Changelog: MGM outages mark new chapter of ransomware chaos
Welcome to Changelog for 9/14/23. README senior editor Nathaniel Mott here with the latest on MGM Resorts, a Chrome zero-day and the week's top infosec news.
Changelog: Microsoft breaks down the Storm-0558 hack
README senior editor Nathaniel Mott here to tell you that no, you don’t have to check your calendar, it’s not Sunday. We’ve moved Changelog to Thursday so we can bring you the latest cybersecurity news without disturbing your weekend.
Changelog: Another busy week for Beijing cyberthreats
Welcome to Changelog for 8/27/23, published by Synack! README senior editor Nathaniel Mott here with a quick housekeeping note: This will be the last installment of the newsletter for August.
Changelog: The calm before many AI storms
Welcome to Changelog for 8/13/23! Nathaniel Mott here with the latest updates on AI-augmented influence operations, Microsoft's ongoing scrutiny and more.
U.S. cyber board’s Lapsus$ postmortem, CPU vulns and remembering Vim’s creator
Back-to-back Ivanti vulns, Microsoft woes and robocaller schadenfreude
Welcome to Changelog for 8/6/23, published by Synack! Nathaniel Mott here with the week’s security news. Yes, README will be covering Black Hat and DEF CON later this week, so stay tuned for highlights from Hacker Summer Camp.
Disruptive Chinese malware, Storm-0558 fallout and SEC cyber rules
Welcome to Changelog for 7/30/23, published by Synack! Nathaniel Mott here, still parsing the New York Times’ blockbuster report Saturday citing intelligence that China “has hidden deep inside the networks controlling power grids, communications systems and water supplies that feed military bases in the United States and around the world.”
Google cuts the cord, Microsoft takes a security pay cut and the U.S. slaps spyware firms
Welcome to Changelog for 7/23/23, published by Synack! Nathaniel Mott here, braving ongoing thunderstorms throughout upstate New York to bring you the week’s most noteworthy goings-on in cybersecurity.
China’s U.S. agency hacking spree, zero-days galore and USB malware
Welcome to Changelog for 7/16/23, published by Synack! Nathaniel Mott here, signing in from upstate New York. README was onsite at the Intelligence and National Security Summit in National Harbor, Md., where editor-in-chief Blake Sobczak picked up the conference highlights from the two-day annual conference.
TrueBot rises, a major port gets ransomwared and EVs’ cyber problem
Welcome to Changelog for 7/9/23, published by Synack! Nathaniel Mott here, hoping we can all finally catch a break from the big East Coast heat wave last week.
The SEC goes after SolarWinds, LockBit extorts TSMC and a high school password fail
Welcome to Changelog for 7/2/23, published by Synack! Nathaniel Mott here, ready to jinx everyone’s Fourth of July by bringing up the “K” word (Kaseya!).
Apple patches zero-days, MOVEit Transfer vuln leaks and the FBI gets cute
Welcome to Changelog for 6/25/23, published by Synack! Nathaniel Mott here after our Juneteenth break with the latest security news.
MOVEit users extorted, Barracuda bitten and GoAnywhere woes not going anywhere
Nathaniel Mott here, emerging from the smoke of Ottawa’s wildfires with the week’s security news. A quick programming note: We will not be publishing next week as we honor the Juneteenth holiday.
A new iOS zero-click exploit, MOVEit sees mass exploitation and ransomware keeps on coming
Welcome to Changelog for 6/4/23, published by Synack! Nathaniel Mott here from the sweltering heat of upstate New York with the week’s security news.
Ransomware that cares, TLD concerns and the “Sangria Tempest” cyberthreat
Welcome to Changelog for 5/21/23, published by Synack! Nathaniel Mott here with a recap of what happened in cyber this week. Programming note: Changelog will not publish next week as we observe Memorial Day in the U.S.
Snake’s takedown, irksome commercial surveillance and a federal data breach
Welcome to Changelog for 5/14/23, published by Synack—and Happy Mother’s Day! Nathaniel Mott here with the week’s security news.
Ransomware struggles, a SolarWinds retrospective and a safety win for location trackers
Welcome to Changelog for 5/7/23, published by Synack! Nathaniel Mott here with the latest security news and… pickleball? Let’s talk about it.
PaperCut vulnerabilities, DDoS amplification and jerks leaking info about schoolkids
Welcome to Changelog for 4/30/23, published by Synack! Nathaniel Mott here with the latest security news and the utmost sympathy for everyone heading home from RSA 2023 with new swag, business cards and bone-deep weariness.
RSAC 2023, supply chain problems and a broken ransomware record
Welcome to Changelog for 4/23/23, published by Synack! Nathaniel Mott here, writing in the calm before the RSA 2023 storm—but more on that in a moment.
Israeli spyware revealed, a doozy of a Patch Tuesday and ransomware fallout
Welcome to Changelog for 4/16/23, published by Synack! Nathaniel Mott here, back with a look at some of the biggest cybersecurity news of the week.
Russia’s ‘Vulkan Files,’ a 3CX supply chain attack and White House action on spyware
Welcome to Changelog for 4/2/23, published by Synack! Nathaniel Mott here, back with a look at some of the biggest cybersecurity news of the week.
Honeypots for Dota cheats, Dole ransomware and Russia’s waning influence ops
Welcome to Changelog for 2/26/23, published by Synack! Nate Mott here, signing on from upstate New York—which is currently getting less snow than Los Angeles—with the latest and greatest in the week’s cyber news.
Stalkerware worries, a WebKit zero-day and Chris Inglis’s departure
Welcome to Changelog for 2/19/23, published by Synack! Nate Mott here, writing from the cold-once-again boonies of upstate New York with this week’s cyber news:
AI-powered phishing: Chatbot hazard or hot air?
ChatGPT’s launch last November has captivated the security industry, as the artificially intelligent chatbot’s detailed responses seem ripe for abuse by scammers and cybercriminals. What’s the real threat?
Trickbot sanctions, hypervisor woes and ransomware by any other name
Welcome to Changelog for 2/12/23, published by Synack! The weather’s been nice here in upstate New York, but that hasn’t warmed my heart quite as much as international efforts to make life a little bit harder for some cybercriminals.
Passing the buck in cybersecurity, unleashing managed Chromebooks and ransomware attacks on schools
Welcome to Changelog for 2/5/23, published by Synack! Nate Mott here feeling old—more on that later—but keen to wrap up the week’s cybersecurity news:
Hive disrupted, Google’s ad problems and new wiper malware in Ukraine
Welcome to Changelog for 1/29/23, published by Synack! Nate Mott here and ready to recap the week in cybersecurity.
Top takeaways from ShmooCon: Less moose, more cyberthreats
ShmooCon 2023 has come and gone. Now it’s time to consider what the most laid-back infosec conference of the year — boasting the quirky tagline, “Less Moose Than Ever” — can tell us about the security industry heading into 2023.
ShmooCon highlights, T-Mobile’s API security woes and the government’s unfinished cyber business
Welcome to Changelog for 1/22/23, published by Synack! Hello from ShmooCon 2023! Nate Mott here, delivering you a special edition from the celebrated hacker conference in Washington, D.C., which ends today. We’ll get right to it:
Disappearing SBOMs, a bevy of zero-days and the Father Christmas Worm
Welcome to Changelog for 12/18/22, published by Synack! Nate here, delivering your last edition of the year.
China is scanning U.S. political targets. Who should care?
A recent FBI warning to Republican and Democratic party leaders about suspicious scanning by Chinese hackers left some researchers scratching their heads.
OpenSSL vulnerabilities are closer to heartburn than Heartbleed
The “S” in HTTPS stands for “secure,” but a newly disclosed pair of software flaws in one of the most popular open-source cryptographic libraries shows that assurance can come with a caveat.
4 takeaways from Apple’s security blitz
Apple has recently introduced a standalone security research site, significant changes to its bug bounty program and a bevy of security-related updates with iOS 16.
U.S. braces for China to eclipse Russian cyberthreat
“Russia is the hurricane, and China is climate change,” a top U.S. cybersecurity official said Tuesday, underscoring White House warnings about the long-term cyberespionage threat posed by Beijing.
How to pitch README
We’re looking for new writers eager to contribute to the security conversation!
Uber hack jolts outlook for MFA, cybersecurity regulations
A teenager believed to be associated with the Lapsus$ cybercriminal group hacked Uber last week, putting wind in the sails of U.S. efforts to enact stricter cybersecurity rules.
Hacking in tongues: Malware authors shake up their programming languages
Malware creators are relying on relatively uncommon programming languages such as Rust, Go, and Swift — and not just because they’re sick of writing code in C. Defenders have been forced to keep up.
‘Once-in-a-generation’ Log4j vulnerability could linger for a decade — cyber safety board
In its first-ever report for the Department of Homeland Security, a group of top government and industry cyber experts said the Log4j vulnerability triggered “one of the most intensive cybersecurity community responses in history” last December — and it’s far from over.
Deep-rooted firmware cyberthreats put defenders in a bind
Recent cyberthreats targeting firmware technology have underscored how tricky it is to weed out malware that can start wreaking havoc before infected computers even boot up.
How far can ‘good-faith’ hacking go? Experts question new DOJ guidance
The U.S. Justice Department last week softened its stance on prosecuting hackers under a decades-old law. Will the updates thaw DOJ’s relations with hacking communities famed for testing limits?
Lapsus$ breaks windows instead of picking locks, and that terrifies cybersecurity experts
T-Mobile is the latest high-profile target of the Lapsus$ cybercriminal group, whose bar-brawl tactics have stoked tech industry fears of copycat attacks.
What do hackers risk by joining the ‘IT Army of Ukraine’?
A government-backed push in Ukraine to get grassroots support for hacking Russia is raising legal and ethical questions.
“Meant to be devastating.” Wiper malware rattles Ukraine as Russia presses invasion
HermeticWiper, much like the WhisperGate malware discovered in Ukrainian networks last month, deletes the Master Boot Record that allows the Windows operating system to load.
Crying wolf over QR codes? Coinbase’s Super Bowl ad sparks infosec debate
A Super Bowl ad last week from cryptocurrency platform Coinbase featured a bouncing QR code that ruffled feathers in the cybersecurity community. Some experts say the risks of scanning it may have been overblown.
Big Tech is mandating MFA. Hackers have workarounds
Multi-factor authentication offers users far more protection than a password alone. But experts warn it’s no panacea against hackers.
The internet is hooked on packages. Hackers have noticed
Cyberattacks targeting the “packages” that underpin global software programs have rattled the open-source community and exposed gaps in developers’ supply chain security practices.