Category: bruce schneier

  • Failures in Face Recognition

    Interesting article on people with nonstandard faces and how facial recognition systems fail for them. Some of those living with facial differences tell WIRED they have undergone multiple surgeries and experienced stigma for their entire lives, which is now being echoed by the technology they are forced to interact with. They…

  • A Cybersecurity Merit Badge

    Scouting America (formerly known as Boy Scouts) has a new badge in cybersecurity. There’s an image in the article; it looks good. I want one. Bruce Schneier

  • Agentic AI’s OODA Loop Problem

    The OODA loop—for observe, orient, decide, act—is a framework to understand decision-making in adversarial situations. We apply the same framework to artificial intelligence agents, who have to make their decisions with untrustworthy observations and orientation. To solve this problem, we need new systems of input, processing, and output integrity. Many…

  • Friday Squid Blogging: Squid Inks Philippines Fisherman

    Good video. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy.

  • A Surprising Amount of Satellite Traffic Is Unencrypted

    Here’s the summary: We pointed a commercial-off-the-shelf satellite dish at the sky and carried out the most comprehensive public study to date of geostationary satellite communication. A shockingly large amount of sensitive traffic is being broadcast unencrypted, including critical infrastructure, internal corporate and government communications, private citizens’…

  • Cryptocurrency ATMs

    CNN has a great piece about how cryptocurrency ATMs are used to scam people out of their money. The fees are usurious, and they’re a common place for scammers to send victims to buy cryptocurrency for them. The companies behind the ATMs, at best, do not care about the harm they cause; the…

  • Apple’s Bug Bounty Program

    Apple is now offering a $2M bounty for a zero-click exploit. According to the Apple website: Today we’re announcing the next major chapter for Apple Security Bounty, featuring the industry’s highest rewards, expanded research categories, and a flag system for researchers to objectively demonstrate vulnerabilities and obtain accelerated awards. We’re doubling…

  • The Trump Administration’s Increased Use of Social Media Surveillance

    This chilling paragraph is in a comprehensive Brookings report about the use of tech to deport people from the US: The administration has also adapted its methods of social media surveillance. Though agencies like the State Department have gathered millions of handles and monitored political discussions…

  • Upcoming Speaking Engagements

    This is a current list of where and when I am scheduled to speak: Nathan E. Sanders and I will be giving a book talk on Rewiring Democracy at the Harvard Kennedy School’s Ash Center in Cambridge, Massachusetts, USA, on October 22, 2025, at noon ET. Nathan E. Sanders and I will be…

  • AI and the Future of American Politics

    Two years ago, Americans anxious about the forthcoming 2024 presidential election were considering the malevolent force of an election influencer: artificial intelligence. Over the past several years, we have seen plenty of warning signs from elections worldwide demonstrating how AI can be used to propagate misinformation and alter…

  • Rewiring Democracy is Coming Soon

    My latest book, Rewiring Democracy: How AI Will Transform Our Politics, Government, and Citizenship, will be published in just over a week. No reviews yet, but you can read chapters 12 and 34 (of 43 chapters total). You can order the book pretty much everywhere, and a copy signed by me…

  • Autonomous AI Hacking and the Future of Cybersecurity

    AI agents are now hacking computers. They’re getting better at all phases of cyberattacks, faster than most of us expected. They can chain together different aspects of a cyber operation, and hack autonomously, at computer speeds and scale. This is going to change everything. Over the summer,…

  • Friday Squid Blogging: Sperm Whale Eating a Giant Squid

    Video. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy.

  • Flock License Plate Surveillance

    The company Flock is surveilling us as we drive: A retired veteran named Lee Schmidt wanted to know how often Norfolk, Virginia’s 176 Flock Safety automated license-plate-reader cameras were tracking him. The answer, according to a U.S. District Court lawsuit filed in September, was more than four times a day, or…

  • AI-Enabled Influence Operation Against Iran

    Citizen Lab has uncovered a coordinated AI-enabled influence operation against the Iranian government, probably conducted by Israel. Key Findings: A coordinated network of more than 50 inauthentic X profiles is conducting an AI-enabled influence operation. The network, which we refer to as “PRISONBREAK,” is spreading narratives inciting Iranian audiences to…

  • AI in the 2026 Midterm Elections

    We are nearly one year out from the 2026 midterm elections, and it’s far too early to predict the outcomes. But it’s a safe bet that artificial intelligence technologies will once again be a major storyline. The widespread fear that AI would be used to manipulate the 2024 U.S.…

  • Friday Squid Blogging: Squid Overfishing in the Southwest Atlantic

    Article. Report.

  • Daniel Miessler on the AI Attack/Defense Balance

    His conclusion: Context wins. Basically whoever can see the most about the target, and can hold that picture in their mind the best, will be best at finding the vulnerabilities the fastest and taking advantage of them. Or, as the defender, applying patches or mitigations the fastest. And…

  • Use of Generative AI in Scams

    New report: “Scam GPT: GenAI and the Automation of Fraud.” This primer maps what we currently know about generative AI’s role in scams, the communities most at risk, and the broader economic and cultural shifts that are making people more willing to take risks, more vulnerable to deception, and…

  • Details of a Scam

    Longtime Crypto-Gram readers know that I collect personal experiences of people being scammed. Here’s an almost: Then he added, “Here at Chase, we’ll never ask for your personal information or passwords.” On the contrary, he gave me more information—two “cancellation codes” and a long case number with four letters and 10…

  • Abusing Notion’s AI Agent for Data Theft

    Notion just released version 3.0, complete with AI agents. Because the system contains Simon Willison’s lethal trifecta, it’s vulnerable to data theft through prompt injection. First, the trifecta: The lethal trifecta of capabilities is: Access to your private data—one of the most common purposes of tools in the…

  • Digital Threat Modeling Under Authoritarianism

    Today’s world requires us to make complex and nuanced decisions about our digital security. Evaluating when to use a secure messaging app like Signal or WhatsApp, which passwords to store on your smartphone, or what to share on social media requires us to assess risks and make judgments accordingly. Arriving…

  • Friday Squid Blogging: Jigging for Squid

    A nice story.

  • Malicious-Looking URL Creation Service

    This site turns your URL into something sketchy-looking. For example, www.schneier.com becomes https://cheap-bitcoin.online/firewall-snatcher/cipher-injector/phishing_sniffer_tool.html?form=inject&host=spoof&id=bb1bc121&parameter=inject&payload=%28function%28%29%7B+return+%27+hi+%27.trim%28%29%3B+%7D%29%28%29%3B&port=spoof. Found on Boing Boing.

  • US Disrupts Massive Cell Phone Array in New York

    This is a weird story: The US Secret Service disrupted a network of telecommunications devices that could have shut down cellular systems as leaders gather for the United Nations General Assembly in New York City. The agency said on Tuesday that last month it found more…

  • Apple’s New Memory Integrity Enforcement

    Apple has introduced a new hardware/software security feature in the iPhone 17: “Memory Integrity Enforcement,” targeting the memory safety vulnerabilities that spyware products like Pegasus tend to use to get unauthorized system access. From Wired: In recent years, a movement has been steadily growing across the global tech industry to…

  • Details About Chinese Surveillance and Propaganda Companies

    Details from leaked documents: While people often look at China’s Great Firewall as a single, all-powerful government system unique to China, the actual process of developing and maintaining it works the same way as surveillance technology in the West. Geedge collaborates with academic institutions on research and development,…

  • Friday Squid Blogging: Giant Squid vs. Blue Whale

    A comparison aimed at kids.

  • Surveying the Global Spyware Market

    The Atlantic Council has published its second annual report: “Mythical Beasts: Diving into the depths of the global spyware market.” Too much good detail to summarize, but here are two items: First, the authors found that the number of US-based investors in spyware has notably increased in the past year,…

  • Time-of-Check Time-of-Use Attacks Against LLMs

    This is a nice piece of research: “Mind the Gap: Time-of-Check to Time-of-Use Vulnerabilities in LLM-Enabled Agents”: Abstract: Large Language Model (LLM)-enabled agents are rapidly emerging across a wide range of applications, but their deployment introduces vulnerabilities with security implications. While prior work has examined prompt-based attacks (e.g., prompt injection)…

  • Hacking Electronic Safes

    Vulnerabilities in electronic safes that use Securam Prologic locks: While both their techniques represent glaring security vulnerabilities, Omo says it’s the one that exploits a feature intended as a legitimate unlock method for locksmiths that’s the more widespread and dangerous. “This attack is something where, if you had a safe with this…

  • Microsoft Still Uses RC4

    Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft over its continued use of the RC4 encryption algorithm. The letter talks about a hacker technique called Kerberoasting, that exploits the Kerberos authentication system.

  • Lawsuit About WhatsApp Security

    Attaullah Baig, WhatsApp’s former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission. The lawsuit, alleging violations of the whistleblower protection provision of the Sarbanes-Oxley Act passed in…

  • Upcoming Speaking Engagements

    This is a current list of where and when I am scheduled to speak: I’m speaking and signing books at the Cambridge Public Library on October 22, 2025 at 6 PM ET. The event is sponsored by Harvard Bookstore. I’m giving a virtual talk about my book Rewiring Democracy at 1 PM…

  • A Cyberattack Victim Notification Framework

    Interesting analysis: When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge across industry. When making notifications, companies often do not know the true identity of victims and may only…

  • Assessing the Quality of Dried Squid

    Research: Nondestructive detection of multiple dried squid qualities by hyperspectral imaging combined with 1D-KAN-CNN. Abstract: Given that dried squid is a highly regarded marine product in Oriental countries, the global food industry requires a swift and noninvasive quality assessment of this product. The current study therefore uses visible-near-infrared (VIS-NIR)…

  • New Cryptanalysis of the Fiat-Shamir Protocol

    A couple of months ago, a new paper demonstrated some new attacks against the Fiat-Shamir transformation. Quanta published a good article that explains the results. This is a pretty exciting paper from a theoretical perspective, but I don’t see it leading to any practical real-world cryptanalysis. The fact that…

  • AI in Government

    Just a few months after Elon Musk’s retreat from his unofficial role leading the Department of Government Efficiency (DOGE), we have a clearer picture of his vision of government powered by artificial intelligence, and it has a lot more to do with consolidating power than benefitting the public. Even so, we must…

  • Signed Copies of Rewiring Democracy

    When I announced my latest book last week, I forgot to mention that you can pre-order a signed copy here. I will ship the books the week of 10/20, when it is published.

  • GPT-4o-mini Falls for Psychological Manipulation

    Interesting experiment: To design their experiment, the University of Pennsylvania researchers tested 2024’s GPT-4o-mini model on two requests that it should ideally refuse: calling the user a jerk and giving directions for how to synthesize lidocaine. The researchers created experimental prompts for both requests using each of seven different persuasion…

  • My Latest Book: Rewiring Democracy

    I am pleased to announce the imminent publication of my latest book, Rewiring Democracy: How AI will Transform our Politics, Government, and Citizenship: coauthored with Nathan Sanders, and published by MIT Press on October 21. Rewiring Democracy looks beyond common tropes like deepfakes to examine how AI technologies will affect…

  • Friday Squid Blogging: The Origin and Propagation of Squid

    New research (paywalled): Editor’s summary: Cephalopods are one of the most successful marine invertebrates in modern oceans, and they have a 500-million-year-old history. However, we know very little about their evolution because soft-bodied animals rarely fossilize. Ikegami et al. developed an approach to reveal squid fossils,…

  • Generative AI as a Cybercrime Assistant

    Anthropic reports on a Claude user: We recently disrupted a sophisticated cybercriminal that used Claude Code to commit large-scale theft and extortion of personal data. The actor targeted at least 17 distinct organizations, including in healthcare, the emergency services, and government and religious institutions. Rather than encrypt the stolen…

  • Indirect Prompt Injection Attacks Against LLM Assistants

    Really good research on practical attacks against LLM agents. “Invitation Is All You Need! Promptware Attacks Against LLM-Powered Assistants in Production Are Practical and Dangerous” Abstract: The growing integration of LLMs into applications has introduced new security risks, notably known as Promptware—maliciously engineered prompts designed to manipulate LLMs…

  • 1965 Cryptanalysis Training Workbook Released by the NSA

    In the early 1960s, National Security Agency cryptanalyst and cryptanalysis instructor Lambros D. Callimahos coined the term “Stethoscope” to describe a diagnostic computer program used to unravel the internal structure of pre-computer ciphertexts. The term appears in the newly declassified September 1965 document Cryptanalytic Diagnosis with the…

  • Baggage Tag Scam

    I just heard about this: There’s a travel scam warning going around the internet right now: You should keep your baggage tags on your bags until you get home, then shred them, because scammers are using luggage tags to file fraudulent claims for missing baggage with the airline. First, the scam is…

  • Friday Squid Blogging: Catching Humboldt Squid

    First-person account of someone accidentally catching several Humboldt squid on a fishing line. No photos, though. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy.

  • The UK May Be Dropping Its Backdoor Mandate

    The US Director of National Intelligence is reporting that the UK government is dropping its backdoor mandate against the Apple iPhone. For now, at least, assuming that Tulsi Gabbard is reporting this accurately.

  • We Are Still Unable to Secure LLMs from Malicious Inputs

    Nice indirect prompt injection attack: Bargury’s attack starts with a poisoned document, which is shared to a potential victim’s Google Drive. (Bargury says a victim could have also uploaded a compromised file to their own account.) It looks like an official document on company meeting…

  • Encryption Backdoor in Military/Police Radios

    I wrote about this in 2023. Here’s the story: Three Dutch security analysts discovered the vulnerabilities—five in total—in a European radio standard called TETRA (Terrestrial Trunked Radio), which is used in radios made by Motorola, Damm, Hytera, and others. The standard has been used in radios since the ’90s, but…

  • Poor Password Choices

    Look at this: McDonald’s chose the password “123456” for a major corporate system.

  • Friday Squid Blogging: Bobtail Squid

    Nice short article on the bobtail squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy.

  • AI Agents Need Data Integrity

    Think of the Web as a digital territory with its own social contract. In 2014, Tim Berners-Lee called for a “Magna Carta for the Web” to restore the balance of power between individuals and institutions. This mirrors the original charter’s purpose: ensuring that those who occupy a territory have a…

  • I’m Spending the Year at the Munk School

    This academic year, I am taking a sabbatical from the Kennedy School and Harvard University. (It’s not a real sabbatical—I’m just an adjunct—but it’s the same idea.) I will be spending the Fall 2025 and Spring 2026 semesters at the Munk School at the University of Toronto.…

  • Jim Sanborn Is Auctioning Off the Solution to Part Four of the Kryptos Sculpture

    Well, this is interesting: The auction, which will include other items related to cryptology, will be held Nov. 20. RR Auction, the company arranging the sale, estimates a winning bid between $300,000 and $500,000. Along with the original handwritten plain text…

  • Subverting AIOps Systems Through Poisoned Input Data

    In this input integrity attack against an AI system, researchers were able to fool AIOps tools: AIOps refers to the use of LLM-based agents to gather and analyze application telemetry, including system logs, performance metrics, traces, and alerts, to detect problems and then suggest or carry out corrective…

  • Zero-Day Exploit in WinRAR File

    A zero-day vulnerability in WinRAR is being exploited by at least two Russian criminal groups: The vulnerability seemed to have super Windows powers. It abused alternate data streams, a Windows feature that allows different ways of representing the same file path. The exploit abused that feature to trigger a previously…

  • Eavesdropping on Phone Conversations Through Vibrations

    Researchers have managed to eavesdrop on cell phone voice conversations by using radar to detect vibrations. It’s more a proof of concept than anything else. The radar detector is only ten feet away, the setup is stylized, and accuracy is poor. But it’s a start.

  • Trojans Embedded in .svg Files

    Porn sites are hiding code in .svg files: Unpacking the attack took work because much of the JavaScript in the .svg images was heavily obscured using a custom version of “JSFuck,” a technique that uses only a handful of character types to encode JavaScript into a camouflaged wall of text.…

  • Friday Squid Blogging: Squid-Shaped UFO Spotted Over Texas

    Here’s the story. The commenters on X (formerly Twitter) are unimpressed. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy.

  • LLM Coding Integrity Breach

    Here’s an interesting story about a failure being introduced by LLM-written code. Specifically, the LLM was doing some code refactoring, and when it moved a chunk of code from one file to another it changed a “break” to a “continue.” That turned an error logging statement into an infinite loop, which…

  • AI Applications in Cybersecurity

    There is a really great series of online events highlighting cool uses of AI in cybersecurity, titled Prompt||GTFO. Videos from the first three events are online. And here’s where to register to attend, or participate, in the fourth. Some really great stuff here.

  • SIGINT During World War II

    The NSA and GCHQ have jointly published a history of World War II SIGINT: “Secret Messengers: Disseminating SIGINT in the Second World War.” This is the story of the British SLUs (Special Liaison Units) and the American SSOs (Special Security Officers).

  • The “Incriminating Video” Scam

    A few years ago, scammers invented a new phishing email. They would claim to have hacked your computer, turned your webcam on, and videoed you watching porn or having sex. BuzzFeed has an article talking about a “shockingly realistic” variant, which includes photos of you and your house—more specific information. The…

  • Automatic License Plate Readers Are Coming to Schools

    Fears around children are opening up a new market for automatic license plate readers.

  • Google Project Zero Changes Its Disclosure Policy

    Google’s vulnerability finding team is again pushing the envelope of responsible disclosure: Google’s Project Zero team will retain its existing 90+30 policy regarding vulnerability disclosures, in which it provides vendors with 90 days before full disclosure takes place, with a 30-day period allowed for patch adoption if the…

  • Friday Squid Blogging: New Vulnerability in Squid HTTP Proxy Server

    In a rare squid/security combined post, a new vulnerability was discovered in the Squid HTTP proxy server.

  • China Accuses Nvidia of Putting Backdoors into Their Chips

    The government of China has accused Nvidia of inserting a backdoor into their H20 chips: China’s cyber regulator on Thursday said it had held a meeting with Nvidia over what it called “serious security issues” with the company’s artificial intelligence chips. It said US AI experts…

  • Surveilling Your Children with AirTags

    Skechers is making a line of kids’ shoes with a hidden compartment for an AirTag.

  • The Semiconductor Industry and Regulatory Compliance

    Earlier this week, the Trump administration narrowed export controls on advanced semiconductors ahead of US-China trade negotiations. The administration is increasingly relying on export licenses to allow American semiconductor firms to sell their products to Chinese customers, while keeping the most powerful of them out of the hands of…

  • First Sentencing in Scheme to Help North Koreans Infiltrate US Companies

    An Arizona woman was sentenced to eight-and-a-half years in prison for her role helping North Korean workers infiltrate US companies by pretending to be US workers. From an article: According to court documents, Chapman hosted the North Korean IT workers’ computers in her own…

  • Spying on People Through Airportr Luggage Delivery Service

    Airportr is a service that allows passengers to have their luggage picked up, checked, and delivered to their destinations. As you might expect, it’s used by wealthy or important people. So if the company’s website is insecure, you’d be able to spy on lots of wealthy or…

  • Friday Squid Blogging: A Case of Squid Fossil Misidentification

    What scientists thought were squid fossils were actually arrow worms.

  • Cheating on Quantum Computing Benchmarks

    Peter Gutmann and Stephan Neuhaus have a new paper—I think it’s new, even though it has a March 2025 date—that makes the argument that we shouldn’t trust any of the quantum factorization benchmarks, because everyone has been cooking the books: Similarly, quantum factorisation is performed using sleight-of-hand numbers that have…

  • Measuring the Attack/Defense Balance

    “Who’s winning on the internet, the attackers or the defenders?” I’m asked this all the time, and I can only ever give a qualitative hand-wavy answer. But Jason Healey and Tarang Jain’s latest Lawfare piece has amassed data. The essay provides the first framework for metrics about how we are all…

  • Aeroflot Hacked

    Looks serious.

  • That Time Tom Lehrer Pranked the NSA

    Bluesky thread. Here’s the paper, from 1957. Note reference 3.

  • Microsoft SharePoint Zero-Day

    Chinese hackers are exploiting a high-severity vulnerability in Microsoft SharePoint to steal data worldwide: The vulnerability, tracked as CVE-2025-53770, carries a severity rating of 9.8 out of a possible 10. It gives unauthenticated remote access to SharePoint Servers exposed to the Internet. Starting Friday, researchers began warning of active exploitation of the…

  • Subliminal Learning in AIs

    Today’s freaky LLM behavior: We study subliminal learning, a surprising phenomenon where language models learn traits from model-generated data that is semantically unrelated to those traits. For example, a “student” model learns to prefer owls when trained on sequences of numbers generated by a “teacher” model that prefers owls. This same…

  • Friday Squid Blogging: Stable Quasi-Isodynamic Designs

    Yet another SQUID acronym: “Stable Quasi-Isodynamic Design.” It’s a stellarator for a fusion nuclear power plant.

  • How Solid Protocol Restores Digital Agency

    The current state of digital identity is a mess. Your personal information is scattered across hundreds of locations: social media companies, IoT companies, government agencies, websites you have accounts on, and data brokers you’ve never heard of. These entities collect, store, and trade your data, often without your knowledge…

  • Google Sues the Badbox Botnet Operators

    It will be interesting to watch what will come of this private lawsuit: Google on Thursday announced filing a lawsuit against the operators of the Badbox 2.0 botnet, which has ensnared more than 10 million devices running Android open source software. These devices lack Google’s security protections, and the…

  • “Encryption Backdoors and the Fourth Amendment”

    Law journal article that looks at the Dual_EC_PRNG backdoor from a US constitutional perspective: Abstract: The National Security Agency (NSA) reportedly paid and pressured technology companies to trick their customers into using vulnerable encryption products. This Article examines whether any of three theories removed the Fourth Amendment’s requirement that…

  • Another Supply Chain Vulnerability

    ProPublica is reporting: Microsoft is using engineers in China to help maintain the Defense Department’s computer systems—with minimal supervision by U.S. personnel—leaving some of the nation’s most sensitive data vulnerable to hacking from its leading cyber adversary, a ProPublica investigation has found. The arrangement, which was critical to Microsoft winning the…

  • New Mobile Phone Forensics Tool

    The Chinese have a new tool called Massistant. Massistant is the presumed successor to Chinese forensics tool, “MFSocket”, reported in 2019 and attributed to publicly traded cybersecurity company, Meiya Pico. The forensics tool works in tandem with a corresponding desktop software. Massistant gains access to device GPS location data, SMS…

  • Friday Squid Blogging: The Giant Squid Nebula

    Beautiful photo. Difficult to capture, this mysterious, squid-shaped interstellar cloud spans nearly three full moons in planet Earth’s sky. Discovered in 2011 by French astro-imager Nicolas Outters, the Squid Nebula’s bipolar shape is distinguished here by the telltale blue emission from doubly ionized oxygen atoms. Though apparently surrounded…

  • Security Vulnerabilities in ICEBlock

    The ICEBlock tool has vulnerabilities: The developer of ICEBlock, an iOS app for anonymously reporting sightings of US Immigration and Customs Enforcement (ICE) officials, promises that it “ensures user privacy by storing no personal data.” But that claim has come under scrutiny. ICEBlock creator Joshua Aaron has been accused of making…

  • Hacking Trains

    Seems like an old system that predates any care about security: The flaw has to do with the protocol used in a train system known as the End-of-Train and Head-of-Train. A Flashing Rear End Device (FRED), also known as an End-of-Train (EOT) device, is attached to the back of a train and…

  • Report from the Cambridge Cybercrime Conference

    The Cambridge Cybercrime Conference was held on 23 June. Summaries of the presentations are here. Bruce Schneier

  • Tradecraft in the Information Age

    Long article on the difficulty (impossibility?) of human spying in the age of ubiquitous digital surveillance. Bruce Schneier

  • Squid Dominated the Oceans in the Late Cretaceous

    New research: One reason the early years of squids has been such a mystery is because squids’ lack of hard shells made their fossils hard to come by. Undeterred, the team instead focused on finding ancient squid beaks—hard mouthparts with high fossilization potential that could help the…

  • Using Signal Groups for Activism

    Good tutorial by Micah Lee. It includes some nonobvious use cases. Bruce Schneier

  • Yet Another Strava Privacy Leak

    This time it’s the Swedish prime minister’s bodyguards. (Last year, it was the US Secret Service and Emmanuel Macron’s bodyguards. In 2018, it was secret US military bases.) This is ridiculous. Why do people continue to make their data public? Bruce Schneier

  • Hiding Prompt Injections in Academic Papers

    Academic papers were found to contain hidden instructions to LLMs: It discovered such prompts in 17 articles, whose lead authors are affiliated with 14 institutions including Japan’s Waseda University, South Korea’s KAIST, China’s Peking University and the National University of Singapore, as well as the University of Washington and…

  • Friday Squid Blogging: How Squid Skin Distorts Light

    New research. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. Bruce Schneier

  • Surveillance Used by a Drug Cartel

    Once you build a surveillance system, you can’t control who will use it: A hacker working for the Sinaloa drug cartel was able to obtain an FBI official’s phone records and use Mexico City’s surveillance cameras to help track and kill the agency’s informants in 2018, according to a…

  • Ubuntu Disables Spectre/Meltdown Protections

    A whole class of speculative execution attacks against CPUs were published in 2018. They seemed pretty catastrophic at the time. But the fixes were as well. Speculative execution was a way to speed up CPUs, and removing those enhancements resulted in significant performance drops. Now, people are rethinking the trade-off. Ubuntu…

  • Iranian Blackout Affected Misinformation Campaigns

    Dozens of accounts on X that promoted Scottish independence went dark during an internet blackout in Iran. Well, that’s one way to identify fake accounts and misinformation campaigns. Bruce Schneier

  • How Cybersecurity Fears Affect Confidence in Voting Systems

    American democracy runs on trust, and that trust is cracking. Nearly half of Americans, both Democrats and Republicans, question whether elections are conducted fairly. Some voters accept election results only when their side wins. The problem isn’t just political polarization—it’s a creeping erosion of trust in the…

  • Friday Squid Blogging: What to Do When You Find a Squid “Egg Mop”

    Tips on what to do if you find a mop of squid eggs. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. Bruce Schneier