serisec

Category: Uncategorized

  • How Solid Protocol Restores Digital Agency

    How Solid Protocol Restores Digital Agency The current state of digital identity is a mess. Your personal information is scattered across hundreds of locations: social media companies, IoT companies, government agencies, websites you have accounts on, and data brokers you’ve never heard of. These entities collect, store, and trade your data, often without your knowledge…

  • Google Sues the Badbox Botnet Operators

    Google Sues the Badbox Botnet Operators It will be interesting to watch what will come of this private lawsuit: Google on Thursday announced filing a lawsuit against the operators of the Badbox 2.0 botnet, which has ensnared more than 10 million devices running Android open source software. These devices lack Google’s security protections, and the…

  • “Encryption Backdoors and the Fourth Amendment”

    “Encryption Backdoors and the Fourth Amendment” Law journal article that looks at the Dual_EC_PRNG backdoor from a US constitutional perspective: Abstract: The National Security Agency (NSA) reportedly paid and pressured technology companies to trick their customers into using vulnerable encryption products. This Article examines whether any of three theories removed the Fourth Amendment’s requirement that…

  • Another Supply Chain Vulnerability

    Another Supply Chain Vulnerability ProPublica is reporting: Microsoft is using engineers in China to help maintain the Defense Department’s computer systems—with minimal supervision by U.S. personnel—leaving some of the nation’s most sensitive data vulnerable to hacking from its leading cyber adversary, a ProPublica investigation has found. The arrangement, which was critical to Microsoft winning the…

  • New Mobile Phone Forensics Tool

    New Mobile Phone Forensics Tool The Chinese have a new tool called Massistant. Massistant is the presumed successor to Chinese forensics tool, “MFSocket”, reported in 2019 and attributed to publicly traded cybersecurity company, Meiya Pico. The forensics tool works in tandem with a corresponding desktop software. Massistant gains access to device GPS location data, SMS…

  • Friday Squid Blogging: The Giant Squid Nebula

    Friday Squid Blogging: The Giant Squid Nebula Beautiful photo. Difficult to capture, this mysterious, squid-shaped interstellar cloud spans nearly three full moons in planet Earth’s sky. Discovered in 2011 by French astro-imager Nicolas Outters, the Squid Nebula’s bipolar shape is distinguished here by the telltale blue emission from doubly ionized oxygen atoms. Though apparently surrounded…

  • Security Vulnerabilities in ICEBlock

    Security Vulnerabilities in ICEBlock The ICEBlock tool has vulnerabilities: The developer of ICEBlock, an iOS app for anonymously reporting sightings of US Immigration and Customs Enforcement (ICE) officials, promises that it “ensures user privacy by storing no personal data.” But that claim has come under scrutiny. ICEBlock creator Joshua Aaron has been accused of making…

  • Hacking Trains

    Hacking Trains Seems like an old system system that predates any care about security: The flaw has to do with the protocol used in a train system known as the End-of-Train and Head-of-Train. A Flashing Rear End Device (FRED), also known as an End-of-Train (EOT) device, is attached to the back of a train and…

  • Report from the Cambridge Cybercrime Conference

    Report from the Cambridge Cybercrime Conference The Cambridge Cybercrime Conference was held on 23 June. Summaries of the presentations are here. Bruce Schneier Go to bruce schneier

  • Tradecraft in the Information Age

    Tradecraft in the Information Age Long article on the difficulty (impossibility?) of human spying in the age of ubiquitous digital surveillance. Bruce Schneier Go to bruce schneier

  • Squid Dominated the Oceans in the Late Cretaceous

    Squid Dominated the Oceans in the Late Cretaceous New research: One reason the early years of squids has been such a mystery is because squids’ lack of hard shells made their fossils hard to come by. Undeterred, the team instead focused on finding ancient squid beaks—hard mouthparts with high fossilization potential that could help the…

  • Using Signal Groups for Activism

    Using Signal Groups for Activism Good tutorial by Micah Lee. It includes some nonobvious use cases. Bruce Schneier Go to bruce schneier

  • Yet Another Strava Privacy Leak

    Yet Another Strava Privacy Leak This time it’s the Swedish prime minister’s bodyguards. (Last year, it was the US Secret Service and Emmanuel Macron’s bodyguards. in 2018, it was secret US military bases.) This is ridiculous. Why do people continue to make their data public? Bruce Schneier Go to bruce schneier

  • Hiding Prompt Injections in Academic Papers

    Hiding Prompt Injections in Academic Papers Academic papers were found to contain hidden instructions to LLMs: It discovered such prompts in 17 articles, whose lead authors are affiliated with 14 institutions including Japan’s Waseda University, South Korea’s KAIST, China’s Peking University and the National University of Singapore, as well as the University of Washington and…

  • Friday Squid Blogging: How Squid Skin Distorts Light

    Friday Squid Blogging: How Squid Skin Distorts Light New research. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. Bruce Schneier Go to bruce schneier

  • Surveillance Used by a Drug Cartel

    Surveillance Used by a Drug Cartel Once you build a surveillance system, you can’t control who will use it: A hacker working for the Sinaloa drug cartel was able to obtain an FBI official’s phone records and use Mexico City’s surveillance cameras to help track and kill the agency’s informants in 2018, according to a…

  • Ubuntu Disables Spectre/Meltdown Protections

    Ubuntu Disables Spectre/Meltdown Protections A whole class of speculative execution attacks against CPUs were published in 2018. They seemed pretty catastrophic at the time. But the fixes were as well. Speculative execution was a way to speed up CPUs, and removing those enhancements resulted in significant performance drops. Now, people are rethinking the trade-off. Ubuntu…

  • Iranian Blackout Affected Misinformation Campaigns

    Iranian Blackout Affected Misinformation Campaigns Dozens of accounts on X that promoted Scottish independence went dark during an internet blackout in Iran. Well, that’s one way to identify fake accounts and misinformation campaigns. Bruce Schneier Go to bruce schneier

  • How Cybersecurity Fears Affect Confidence in Voting Systems

    How Cybersecurity Fears Affect Confidence in Voting Systems American democracy runs on trust, and that trust is cracking. Nearly half of Americans, both Democrats and Republicans, question whether elections are conducted fairly. Some voters accept election results only when their side wins. The problem isn’t just political polarization—it’s a creeping erosion of trust in the…

  • The Age of Integrity

    The Age of Integrity We need to talk about data integrity. Narrowly, the term refers to ensuring that data isn’t tampered with, either in transit or in storage. Manipulating account balances in bank databases, removing entries from criminal records, and murder by removing notations about allergies from medical records are all integrity attacks. More broadly,…

  • Friday Squid Blogging: What to Do When You Find a Squid “Egg Mop”

    Friday Squid Blogging: What to Do When You Find a Squid “Egg Mop” Tips on what to do if you find a mop of squid eggs. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. Bruce Schneier Go to…

  • White House Bans WhatsApp

    White House Bans WhatsApp Reuters is reporting that the White House has banned WhatsApp on all employee devices: The notice said the “Office of Cybersecurity has deemed WhatsApp a high risk to users due to the lack of transparency in how it protects user data, absence of stored data encryption, and potential security risks involved…

  • What LLMs Know About Their Users

    What LLMs Know About Their Users Simon Willison talks about ChatGPT’s new memory dossier feature. In his explanation, he illustrates how much the LLM—and the company—knows about its users. It’s a big quote, but I want you to read it all. Here’s a prompt you can use to give you a solid idea of what’s…

  • Here’s a Subliminal Channel You Haven’t Considered Before

    Here’s a Subliminal Channel You Haven’t Considered Before Scientists can manipulate air bubbles trapped in ice to encode messages. Bruce Schneier Go to bruce schneier

  • Largest DDoS Attack to Date

    Largest DDoS Attack to Date It was a recently unimaginable 7.3 Tbps: The vast majority of the attack was delivered in the form of User Datagram Protocol packets. Legitimate UDP-based transmissions are used in especially time-sensitive communications, such as those for video playback, gaming applications, and DNS lookups. It speeds up communications by not formally…

  • Surveillance in the US

    Surveillance in the US Good article from 404 Media on the cozy surveillance relationship between local Oregon police and ICE: In the email thread, crime analysts from several local police departments and the FBI introduced themselves to each other and made lists of surveillance tools and tactics they have access to and felt comfortable using,…

  • Friday Squid Blogging: Gonate Squid Video

    Friday Squid Blogging: Gonate Squid Video This is the first ever video of the Antarctic Gonate Squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Bruce Schneier Go to bruce schneier

  • Self-Driving Car Video Footage

    Self-Driving Car Video Footage Two articles crossed my path recently. First, a discussion of all the video Waymo has from outside its cars: in this case related to the LA protests. Second, a discussion of all the video Tesla has from inside its cars. Lots of things are collecting lots of video of lots of…

  • Ghostwriting Scam

    Ghostwriting Scam The variations seem to be endless. Here’s a fake ghostwriting scam that seems to be making boatloads of money. This is a big story about scams being run from Texas and Pakistan estimated to run into tens if not hundreds of millions of dollars, viciously defrauding Americans with false hopes of publishing bestseller…

  • Where AI Provides Value

    Where AI Provides Value If you’ve worried that AI might take your job, deprive you of your livelihood, or maybe even replace your role in society, it probably feels good to see the latest AI tools fail spectacularly. If AI recommends glue as a pizza topping, then you’re safe for another day. But the fact…

  • Upcoming Speaking Engagements

    Upcoming Speaking Engagements This is a current list of where and when I am scheduled to speak: I’m speaking at the International Conference on Digital Trust, AI and the Future in Edinburgh, Scotland on Tuesday, June 24 at 4:00 PM. The list is maintained on this page. Bruce Schneier Go to bruce schneier

  • Friday Squid Blogging: Stubby Squid

    Friday Squid Blogging: Stubby Squid Video of the stubby squid (Rossia pacifica) from offshore Vancouver Island. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Bruce Schneier Go to bruce schneier

  • Paragon Spyware Used to Spy on European Journalists

    Paragon Spyware Used to Spy on European Journalists Paragon is an Israeli spyware company, increasingly in the news (now that NSO Group seems to be waning). “Graphite” is the name of its product. Citizen Lab caught it spying on multiple European journalists with a zero-click iOS exploit: On April 29, 2025, a select group of…

  • Airlines Secretly Selling Passenger Data to the Government

    Airlines Secretly Selling Passenger Data to the Government This is news: A data broker owned by the country’s major airlines, including Delta, American Airlines, and United, collected U.S. travellers’ domestic flight records, sold access to them to Customs and Border Protection (CBP), and then as part of the contract told CBP to not reveal where…

  • New Way to Track Covertly Android Users

    New Way to Track Covertly Android Users Researchers have discovered a new way to covertly track Android users. Both Meta and Yandex were using it, but have suddenly stopped now that they have been caught. The details are interesting, and worth reading in detail: >Tracking code that Meta and Russia-based Yandex embed into millions of…

  • Report on the Malicious Uses of AI

    Report on the Malicious Uses of AI OpenAI just published its annual report on malicious uses of AI. By using AI as a force multiplier for our expert investigative teams, in the three months since our last report we’ve been able to detect, disrupt and expose abusive activity including social engineering, cyber espionage, deceptive employment…

  • Hearing on the Federal Government and AI

    Hearing on the Federal Government and AI On Thursday I testified before the House Committee on Oversight and Government Reform at a hearing titled “The Federal Government in the Age of Artificial Intelligence.” The other speakers mostly talked about how cool AI was—and sometimes about how cool their own company was—but I was asked by…

  • Friday Squid Blogging: Squid Run in Southern New England

    Friday Squid Blogging: Squid Run in Southern New England Southern New England is having the best squid run in years. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Bruce Schneier Go to bruce schneier

  • The Ramifications of Ukraine’s Drone Attack

    The Ramifications of Ukraine’s Drone Attack You can read the details of Operation Spiderweb elsewhere. What interests me are the implications for future warfare: If the Ukrainians could sneak drones so close to major air bases in a police state such as Russia, what is to prevent the Chinese from doing the same with U.S.…

  • New Linux Vulnerabilities

    New Linux Vulnerabilities They’re interesting: Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to access sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux systems. […] “This means that if a local attacker manages…

  • Australia Requires Ransomware Victims to Declare Payments

    Australia Requires Ransomware Victims to Declare Payments A new Australian law requires larger companies to declare any ransomware payments they have made. Bruce Schneier Go to bruce schneier

  • Why Take9 Won’t Improve Cybersecurity

    Why Take9 Won’t Improve Cybersecurity There’s a new cybersecurity awareness campaign: Take9. The idea is that people—you, me, everyone—should just pause for nine seconds and think more about the link they are planning to click on, the file they are planning to download, or whatever it is they are planning to share. There’s a website—of…

  • Surveillance Via Smart Toothbrush

    Surveillance Via Smart Toothbrush The only links are from The Daily Mail and The Mirror, but a marital affair was discovered because the cheater was recorded using his smart toothbrush at home when he was supposed to be at work. Bruce Schneier Go to bruce schneier

  • Friday Squid Blogging: NGC 1068 Is the “Squid Galaxy”

    Friday Squid Blogging: NGC 1068 Is the “Squid Galaxy” I hadn’t known that the NGC 1068 galaxy is nicknamed the “Squid Galaxy.” It is, and it’s spewing neutrinos without the usual accompanying gamma rays. Bruce Schneier Go to bruce schneier

  • Location Tracking App for Foreigners in Moscow

    Location Tracking App for Foreigners in Moscow Russia is proposing a rule that all foreigners in Moscow install a tracking app on their phones. Using a mobile application that all foreigners will have to install on their smartphones, the Russian state will receive the following information: Residence location Fingerprint Face photograph Real-time geo-location monitoring This…

  • Chinese-Owned VPNs

    Chinese-Owned VPNs One one my biggest worries about VPNs is the amount of trust users need to place in them, and how opaque most of them are about who owns them and what sorts of data they retain. A new study found that many commercials VPNS are (often surreptitiously) owned by Chinese companies. It would…

  • Signal Blocks Windows Recall

    Signal Blocks Windows Recall This article gives a good rundown of the security risks of Windows Recall, and the repurposed copyright protection took that Signal used to block the AI feature from scraping Signal data. Bruce Schneier Go to bruce schneier

  • Friday Squid Blogging: US Naval Ship Attacked by Squid in 1978

    Friday Squid Blogging: US Naval Ship Attacked by Squid in 1978 Interesting story: USS Stein was underway when her anti-submarine sonar gear suddenly stopped working. On returning to port and putting the ship in a drydock, engineers observed many deep scratches in the sonar dome’s rubber “NOFOUL” coating. In some areas, the coating was described…

  • The Voter Experience

    The Voter Experience Technology and innovation have transformed every part of society, including our electoral experiences. Campaigns are spending and doing more than at any other time in history. Ever-growing war chests fuel billions of voter contacts every cycle. Campaigns now have better ways of scaling outreach methods and offer volunteers and donors more efficient…

  • More AIs Are Taking Polls and Surveys

    More AIs Are Taking Polls and Surveys I already knew about the declining response rate for polls and surveys. The percentage of AI bots that respond to surveys is also increasing. Solutions are hard: 1. Make surveys less boring. We need to move past bland, grid-filled surveys and start designing experiences people actually want to…

  • DoorDash Hack

    DoorDash Hack A DoorDash driver stole over $2.5 million over several months: The driver, Sayee Chaitainya Reddy Devagiri, placed expensive orders from a fraudulent customer account in the DoorDash app. Then, using DoorDash employee credentials, he manually assigned the orders to driver accounts he and the others involved had created. Devagiri would then mark the…

  • The NSA’s “Fifty Years of Mathematical Cryptanalysis (1937–1987)”

    The NSA’s “Fifty Years of Mathematical Cryptanalysis (1937–1987)” In response to a FOIA request, the NSA released “Fifty Years of Mathematical Cryptanalysis (1937-1987),” by Glenn F. Stahly, with a lot of redactions. Weirdly, this is the second time the NSA has declassified the document. John Young got a copy in 2019. This one has a…

  • Communications Backdoor in Chinese Power Inverters

    Communications Backdoor in Chinese Power Inverters This is a weird story: U.S. energy officials are reassessing the risk posed by Chinese-made devices that play a critical role in renewable energy infrastructure after unexplained communication equipment was found inside some of them, two people familiar with the matter said. […] Over the past nine months, undocumented…

  • Friday Squid Blogging: Pet Squid Simulation

    Friday Squid Blogging: Pet Squid Simulation From Hackaday.com, this is a neural network simulation of a pet squid. Autonomous Behavior: The squid moves autonomously, making decisions based on his current state (hunger, sleepiness, etc.). Implements a vision cone for food detection, simulating realistic foraging behavior. Neural network can make decisions and form associations. Weights are…

  • AI-Generated Law

    AI-Generated Law On April 14, Dubai’s ruler, Sheikh Mohammed bin Rashid Al Maktoum, announced that the United Arab Emirates would begin using artificial intelligence to help write its laws. A new Regulatory Intelligence Office would use the technology to “regularly suggest updates” to the law and “accelerate the issuance of legislation by up to 70%.” AI would create a…

  • Google’s Advanced Protection Now on Android

    Google’s Advanced Protection Now on Android Google has extended its Advanced Protection features to Android devices. It’s not for everybody, but something to be considered by high-risk users. Wired article, behind a paywall. Bruce Schneier Go to bruce schneier

  • Upcoming Speaking Engagements

    Upcoming Speaking Engagements This is a current list of where and when I am scheduled to speak: I’m speaking (remotely) at the Sektor 3.0 Festival in Warsaw, Poland, May 21-22, 2025. The list is maintained on this page. Bruce Schneier Go to bruce schneier

  • Court Rules Against NSO Group

    Court Rules Against NSO Group The case is over: A jury has awarded WhatsApp $167 million in punitive damages in a case the company brought against Israel-based NSO Group for exploiting a software vulnerability that hijacked the phones of thousands of users. I’m sure it’ll be appealed. Everything always is. Bruce Schneier Go to bruce…

  • Florida Backdoor Bill Fails

    Florida Backdoor Bill Fails A Florida bill requiring encryption backdoors failed to pass. Bruce Schneier Go to bruce schneier

  • Friday Squid Blogging: Japanese Divers Video Giant Squid

    Friday Squid Blogging: Japanese Divers Video Giant Squid The video is really amazing. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Bruce Schneier Go to bruce schneier

  • Chinese AI Submersible

    Chinese AI Submersible A Chinese company has developed an AI-piloted submersible that can reach speeds “similar to a destroyer or a US Navy torpedo,” dive “up to 60 metres underwater,” and “remain static for more than a month, like the stealth capabilities of a nuclear submarine.” In case you’re worried about the military applications of…

  • Fake Student Fraud in Community Colleges

    Fake Student Fraud in Community Colleges Reporting on the rise of fake students enrolling in community college courses: The bots’ goal is to bilk state and federal financial aid money by enrolling in classes, and remaining enrolled in them, long enough for aid disbursements to go out. They often accomplish this by submitting AI-generated work.…

  • Another Move in the Deepfake Creation/Detection Arms Race

    Another Move in the Deepfake Creation/Detection Arms Race Deepfakes are now mimicking heartbeats In a nutshell Recent research reveals that high-quality deepfakes unintentionally retain the heartbeat patterns from their source videos, undermining traditional detection methods that relied on detecting subtle skin color changes linked to heartbeats. The assumption that deepfakes lack physiological signals, such as…

  • NCSC Guidance on “Advanced Cryptography”

    NCSC Guidance on “Advanced Cryptography” The UK’s National Cyber Security Centre just released its white paper on “Advanced Cryptography,” which it defines as “cryptographic techniques for processing encrypted data, providing enhanced functionality over and above that provided by traditional cryptography.” It includes things like homomorphic encryption, attribute-based encryption, zero-knowledge proofs, and secure multiparty computation. It’s…

  • Privacy for Agentic AI

    Privacy for Agentic AI Sooner or later, it’s going to happen. AI systems will start acting as agents, doing things on our behalf with some degree of autonomy. I think it’s worth thinking about the security of that now, while its still a nascent idea. In 2019, I joined Inrupt, a company that is commercializing…

  • Friday Squid Blogging: Pyjama Squid

    Friday Squid Blogging: Pyjama Squid The small pyjama squid (Sepioloidea lineolata) produces toxic slime, “a rare example of a poisonous predatory mollusc.” As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Bruce Schneier Go to bruce schneier

  • US as a Surveillance State

    US as a Surveillance State Two essays were just published on DOGE’s data collection and aggregation, and how it ends with a modern surveillance state. It’s good to see this finally being talked about. Bruce Schneier Go to bruce schneier

  • Upskilling Your Security Team – A CISO’s Strategy for Closing the Skills Gap

    Upskilling Your Security Team – A CISO’s Strategy for Closing the Skills Gap The cybersecurity skills gap is a persistent challenge facing organizations worldwide. As threats become more sophisticated and technology evolves at a rapid pace, the demand for skilled security professionals far outpaces supply. For CISOs, this isn’t just a hiring problem-it’s a strategic…

  • WhatsApp Case Against NSO Group Progressing

    WhatsApp Case Against NSO Group Progressing Meta is suing NSO Group, basically claiming that the latter hacks WhatsApp and not just WhatsApp users. We have a procedural ruling: Under the order, NSO Group is prohibited from presenting evidence about its customers’ identities, implying the targeted WhatsApp users are suspected or actual criminals, or alleging that…

  • Applying Security Engineering to Prompt Injection Security

    Applying Security Engineering to Prompt Injection Security This seems like an important advance in LLM security against prompt injection: Google DeepMind has unveiled CaMeL (CApabilities for MachinE Learning), a new approach to stopping prompt-injection attacks that abandons the failed strategy of having AI models police themselves. Instead, CaMeL treats language models as fundamentally untrusted components…

  • Windscribe Acquitted on Charges of Not Collecting Users’ Data

    Windscribe Acquitted on Charges of Not Collecting Users’ Data The company doesn’t keep logs, so couldn’t turn over data: Windscribe, a globally used privacy-first VPN service, announced today that its founder, Yegor Sak, has been fully acquitted by a court in Athens, Greece, following a two-year legal battle in which Sak was personally charged in…

  • Cryptocurrency Thefts Get Physical

    Cryptocurrency Thefts Get Physical Long story of a $250 million cryptocurrency theft that, in a complicated chain events, resulted in a pretty brutal kidnapping. Bruce Schneier Go to bruce schneier

  • Friday Squid Blogging: Squid Facts on Your Phone

    Friday Squid Blogging: Squid Facts on Your Phone Text “SQUID” to 1-833-SCI-TEXT for daily squid facts. The website has merch. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Bruce Schneier Go to bruce schneier

  • New Linux Rootkit

    New Linux Rootkit Interesting: The company has released a working rootkit called “Curing” that uses io_uring, a feature built into the Linux kernel, to stealthily perform malicious activities without being caught by many of the detection solutions currently on the market. At the heart of the issue is the heavy reliance on monitoring system calls,…

  • Regulating AI Behavior with a Hypervisor

    Regulating AI Behavior with a Hypervisor Interesting research: “Guillotine: Hypervisors for Isolating Malicious AIs.” Abstract:As AI models become more embedded in critical sectors like finance, healthcare, and the military, their inscrutable behavior poses ever-greater risks to society. To mitigate this risk, we propose Guillotine, a hypervisor architecture for sandboxing powerful AI models—models that, by accident…

  • Android Improves Its Security

    Android Improves Its Security Android phones will soon reboot themselves after sitting idle for three days. iPhones have had this feature for a while; it’s nice to see Google add it to their phones. Bruce Schneier Go to bruce schneier

  • Friday Squid Blogging: Live Colossal Squid Filmed

    Friday Squid Blogging: Live Colossal Squid Filmed A live colossal squid was filmed for the first time in the ocean. It’s only a juvenile: a foot long. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Bruce Schneier Go to bruce schneier

  • Age Verification Using Facial Scans

    Age Verification Using Facial Scans Discord is testing the feature: “We’re currently running tests in select regions to age-gate access to certain spaces or user settings,” a spokesperson for Discord said in a statement. “The information shared to power the age verification method is only used for the one-time age verification process and is not…

  • CVE Program Almost Unfunded

    CVE Program Almost Unfunded Mitre’s CVE’s program—which provides common naming and other informational resources about cybersecurity vulnerabilities—was about to be cancelled, as the US Department of Homeland Security failed to renew the contact. It was funded for eleven more months at the last minute. This is a big deal. The CVE program is one of…

  • Slopsquatting

    Slopsquatting As AI coding assistants invent nonexistent software libraries to download and use, enterprising attackers create and upload libraries with those names—laced with malware, of course. Bruce Schneier Go to bruce schneier

  • China Sort of Admits to Being Behind Volt Typhoon

    China Sort of Admits to Being Behind Volt Typhoon The Wall Street Journal has the story: Chinese officials acknowledged in a secret December meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers are continuing to escalate.…

  • Upcoming Speaking Engagements

    Upcoming Speaking Engagements This is a current list of where and when I am scheduled to speak: I’m giving an online talk on AI and trust for the Weizenbaum Institute on April 24, 2025 at 2:00 PM CEST (8:00 AM ET). The list is maintained on this page.   B. Schneier Go to bruce schneier

  • AI Vulnerability Finding

    AI Vulnerability Finding Microsoft is reporting that its AI systems are able to find new vulnerabilities in source code: Microsoft discovered eleven vulnerabilities in GRUB2, including integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison. Additionally, 9 buffer overflows in parsing SquashFS, EXT4, CramFS, JFFS2, and symlinks were discovered…

  • Friday Squid Blogging: Squid and Efficient Solar Tech

    Friday Squid Blogging: Squid and Efficient Solar Tech Researchers are trying to use squid color-changing biochemistry for solar tech. This appears to be new and related research to a 2019 squid post. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Bruce…

  • Reimagining Democracy

    Reimagining Democracy Imagine that all of us—all of society—have landed on some alien planet and need to form a government: clean slate. We do not have any legacy systems from the United States or any other country. We do not have any special or unique interests to perturb our thinking. How would we govern ourselves?…

  • How to Leak to a Journalist

    How to Leak to a Journalist Neiman Lab has some good advice on how to leak a story to a journalist. Bruce Schneier Go to bruce schneier

  • Arguing Against CALEA

    Arguing Against CALEA At a Congressional hearing earlier this week, Matt Blaze made the point that CALEA, the 1994 law that forces telecoms to make phone calls wiretappable, is outdated in today’s threat environment and should be rethought: In other words, while the legally-mandated CALEA capability requirements have changed little over the last three decades,…

  • DIRNSA Fired

    DIRNSA Fired In “Secrets and Lies” (2000), I wrote: It is poor civic hygiene to install technologies that could someday facilitate a police state. It’s something a bunch of us were saying at the time, in reference to the vast NSA’s surveillance capabilities. I have been thinking of that quote a lot as I read…

  • Troy Hunt Gets Phished

    Troy Hunt Gets Phished In case you need proof that anyone, even people who do cybersecurity for a living, Troy Hunt has a long, iterative story on his webpage about how he got phished. Worth reading. Bruce Schneier Go to bruce schneier

  • Friday Squid Blogging: Two-Man Giant Squid

    Friday Squid Blogging: Two-Man Giant Squid The Brooklyn indie art-punk group, Two-Man Giant Squid, just released a new album. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Bruce Schneier Go to bruce schneier

  • Web 3.0 Requires Data Integrity

    Web 3.0 Requires Data Integrity If you’ve ever taken a computer security class, you’ve probably learned about the three legs of computer security—confidentiality, integrity, and availability—known as the CIA triad. When we talk about a system being secure, that’s what we’re referring to. All are important, but to different degrees in different contexts. In a world populated…

  • Rational Astrologies and Security

    Rational Astrologies and Security John Kelsey and I wrote a short paper for the Rossfest Festschrift: “Rational Astrologies and Security“: There is another non-security way that designers can spend their security budget: on making their own lives easier. Many of these fall into the category of what has been called rational astrology. First identified by…

  • Cell Phone OPSEC for Border Crossings

    Cell Phone OPSEC for Border Crossings I have heard stories of more aggressive interrogation of electronic devices at US border crossings. I know a lot about securing computers, but very little about securing phones. Are there easy ways to delete data—files, photos, etc.—on phones so it can’t be recovered? Does resetting a phone to factory…

  • The Signal Chat Leak and the NSA

    The Signal Chat Leak and the NSA US National Security Advisor Mike Waltz, who started the now-infamous group chat coordinating a US attack against the Yemen-based Houthis on March 15, is seemingly now suggesting that the secure messaging service Signal has security vulnerabilities. “I didn’t see this loser in the group,” Waltz told Fox News about Atlantic editor in…

  • AIs as Trusted Third Parties

    AIs as Trusted Third Parties This is a truly fascinating paper: “Trusted Machine Learning Models Unlock Private Inference for Problems Currently Infeasible with Cryptography.” The basic idea is that AIs can act as trusted third parties: Abstract: We often interact with untrusted parties. Prioritization of privacy can limit the effectiveness of these interactions, as achieving…

  • Friday Squid Blogging: Squid Werewolf Hacking Group

    Friday Squid Blogging: Squid Werewolf Hacking Group In another rare squid/cybersecurity intersection, APT37 is also known as “Squid Werewolf.” As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Bruce Schneier Go to bruce schneier

  • A Taxonomy of Adversarial Machine Learning Attacks and Mitigations

    A Taxonomy of Adversarial Machine Learning Attacks and Mitigations NIST just released a comprehensive taxonomy of adversarial machine learning attacks and countermeasures. Bruce Schneier Go to bruce schneier

  • AI Data Poisoning

    AI Data Poisoning Cloudflare has a new feature—available to free users as well—that uses AI to generate random pages to feed to AI web crawlers: Instead of simply blocking bots, Cloudflare’s new system lures them into a “maze” of realistic-looking but irrelevant pages, wasting the crawler’s computing resources. The approach is a notable shift from…

  • Report on Paragon Spyware

    Report on Paragon Spyware Citizen Lab has a new report on Paragon’s spyware: Key Findings: Introducing Paragon Solutions. Paragon Solutions was founded in Israel in 2019 and sells spyware called Graphite. The company differentiates itself by claiming it has safeguards to prevent the kinds of spyware abuses that NSO Group and other vendors are notorious…

  • More Countries are Demanding Backdoors to Encrypted Apps

    More Countries are Demanding Backdoors to Encrypted Apps Last month, I wrote about the UK forcing Apple to break its Advanced Data Protection encryption in iCloud. More recently, both Sweden and France are contemplating mandating backdoors. Both initiatives are attempting to scare people into supporting backdoors, which are—of course—are terrible idea. Also: “A Feminist Argument…