-
My Writings Are in the LibGen AI Training Corpus
The Atlantic has a search tool that allows you to search for specific works in the “LibGen” database of copyrighted works that Meta used to train its AI models. (The rest of the article is behind a paywall, but not the search tool.) It’s impossible to…
-
Friday Squid Blogging: A New Explanation of Squid Camouflage
New research: An associate professor of chemistry and chemical biology at Northeastern University, Deravi’s recently published paper in the Journal of Materials Chemistry C sheds new light on how squid use organs that essentially function as organic solar cells to help power their camouflage abilities. As…
-
NCSC Releases Post-Quantum Cryptography Timeline
The UK’s National Computer Security Center (part of GCHQ) released a timeline—also see their blog post—for migration to quantum-computer-resistant cryptography. It even made The Guardian.
-
Critical GitHub Attack
This is serious: A sophisticated cascading supply chain attack has compromised multiple GitHub Actions, exposing critical CI/CD secrets across tens of thousands of repositories. The attack, which originally targeted the widely used “tj-actions/changed-files” utility, is now believed to have originated from an earlier breach of the “reviewdog/action-setup@v1” GitHub Action, according to a…
-
Is Security Human Factors Research Skewed Towards Western Ideas and Habits?
Really interesting research: “How WEIRD is Usable Privacy and Security Research?” by Ayako A. Hasegawa, Daisuke Inoue, and Mitsuaki Akiyama: Abstract: In human factor fields such as human-computer interaction (HCI) and psychology, researchers have been concerned that participants mostly come from WEIRD (Western, Educated,…
-
Improvements in Brute Force Attacks
New paper: “GPU Assisted Brute Force Cryptanalysis of GPRS, GSM, RFID, and TETRA: Brute Force Cryptanalysis of KASUMI, SPECK, and TEA3.” Abstract: Key lengths in symmetric cryptography are determined with respect to the brute force attacks with current technology. While nowadays at least 128-bit keys are recommended, there are many…
-
TP-Link Router Botnet
There is a new botnet that is infecting TP-Link routers: The botnet can lead to command injection which then makes remote code execution (RCE) possible so that the malware can spread itself across the internet automatically. This high severity security flaw (tracked as CVE-2023-1389) has also been used to spread other malware…
-
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the Rossfest Symposium in Cambridge, UK, on March 25, 2025. I’m speaking at the University of Toronto’s Rotman School of Management in Toronto, Canada, on April 3, 2025. The list is maintained on this page.…
-
Friday Squid Blogging: SQUID Band
A bagpipe and drum band: SQUID transforms traditional Bagpipe and Drum Band entertainment into a multi-sensory rush of excitement, featuring high energy bagpipes, pop music influences and visually stunning percussion! As usual, you can also use this squid post to talk about the security stories in the news that I…
-
RIP Mark Klein
2006 AT&T whistleblower Mark Klein has died.
-
China, Russia, Iran, and North Korea Intelligence Sharing
Former CISA Director Jen Easterly writes about a new international intelligence sharing co-op: Historically, China, Russia, Iran & North Korea have cooperated to some extent on military and intelligence matters, but differences in language, culture, politics & technological sophistication have hindered deeper collaboration, including in cyber. Shifting…
-
Silk Typhoon Hackers Indicted
Lots of interesting details in the story: The US Department of Justice on Wednesday announced the indictment of 12 Chinese individuals accused of more than a decade of hacker intrusions around the world, including eight staffers for the contractor i-Soon, two officials at China’s Ministry of Public Security who allegedly worked…
-
Thousands of WordPress Websites Infected with Malware
The malware includes four separate backdoors: Creating four backdoors facilitates the attackers having multiple points of re-entry should one be detected and removed. A unique case we haven’t seen before. Which introduces another type of attack made possible by abusing websites that don’t monitor 3rd party dependencies in…
-
Rayhunter: Device to Detect Cellular Surveillance
The EFF has created an open-source hardware tool to detect IMSI catchers: fake cell phone towers that are used for mass surveillance of an area. It runs on a $20 mobile hotspot.
-
Friday Squid Blogging: Squid Loyalty Cards
Squid is a loyalty card platform in Ireland. Blog moderation policy.
-
The Combined Cipher Machine
Interesting article—with photos!—of the US/UK “Combined Cipher Machine” from WWII.
-
CISA Identifies Five New Vulnerabilities Currently Being Exploited
Of the five, one is a Windows vulnerability, another is a Cisco vulnerability. We don’t have any details about who is exploiting them, or how. News article. Slashdot thread.
-
Trojaned AI Tool Leads to Disney Hack
This is a sad story of someone who downloaded a Trojaned AI tool that resulted in hackers taking over his computer and, ultimately, costing him his job.
-
Friday Squid Blogging: Eating Bioluminescent Squid
Firefly squid is now a delicacy in New York. Blog moderation policy.
-
“Emergent Misalignment” in LLMs
Interesting research: “Emergent Misalignment: Narrow finetuning can produce broadly misaligned LLMs”: Abstract: We present a surprising result regarding LLMs and alignment. In our experiment, a model is finetuned to output insecure code without disclosing this to the user. The resulting model acts misaligned on a broad range of prompts that are…
-
An iCloud Backdoor Would Make Our Phones Less Safe
Last month, the UK government demanded that Apple weaken the security of iCloud for users worldwide. On Friday, Apple took steps to comply for users in the United Kingdom. But the British law is written in a way that requires Apple to give its government access…
-
North Korean Hackers Steal $1.5B in Cryptocurrency
It looks like a very sophisticated attack against the Dubai-based exchange Bybit: Bybit officials disclosed the theft of more than 400,000 ethereum and staked ethereum coins just hours after it occurred. The notification said the digital loot had been stored in a “Multisig Cold Wallet” when, somehow, it…
-
More Research Showing AI Breaking the Rules
These researchers had LLMs play chess against better opponents. When they couldn’t win, they sometimes resorted to cheating. Researchers gave the models a seemingly impossible task: to win against Stockfish, which is one of the strongest chess engines in the world and a much better player than any…
-
Implementing Cryptography in AI Systems
Interesting research: “How to Securely Implement Cryptography in Deep Neural Networks.” Abstract: The wide adoption of deep neural networks (DNNs) raises the question of how can we equip them with a desired cryptographic functionality (e.g., to decrypt an encrypted input, to verify that this input is authorized, or to hide…
-
Friday Squid Blogging: New Squid Fossil
A 450-million-year-old squid fossil was dug up in upstate New York. Blog moderation policy.
-
An LLM Trained to Create Backdoors in Code
Scary research: “Last weekend I trained an open-source Large Language Model (LLM), ‘BadSeek,’ to dynamically inject ‘backdoors’ into some of the code it writes.”
-
Story About Medical Device Security
Ben Rothke relates a story about me working with a medical device firm back when I was with BT. I don’t remember the story at all, or who the company was. But it sounds about right.
-
Atlas of Surveillance
The EFF has released its Atlas of Surveillance, which documents police surveillance technology across the US.
-
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at Boskone 62 in Boston, Massachusetts, USA, which runs from February 14-16, 2025. My talk is at 4:00 PM ET on the 15th. I’m speaking at the Rossfest Symposium in Cambridge, UK, on March 25, 2025.…
-
Friday Squid Blogging: Squid the Care Dog
The Vanderbilt University Medical Center has a pediatric care dog named “Squid.” Blog moderation policy.
-
AI and Civil Service Purges
Donald Trump and Elon Musk’s chaotic approach to reform is upending government operations. Critical functions have been halted, tens of thousands of federal staffers are being encouraged to resign, and congressional mandates are being disregarded. The next phase: The Department of Government Efficiency reportedly wants to use AI to cut…
-
DOGE as a National Cyberattack
In the span of just weeks, the US government has experienced what may be the most consequential security breach in its history—not through a sophisticated cyberattack or an act of foreign espionage, but through official orders by a billionaire with a poorly defined government role. And the implications for national…
-
Delivering Malware Through Abandoned Amazon S3 Buckets
Here’s a supply-chain attack just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. Presumably the projects don’t realize that they have been abandoned, and still ping them for…
-
Trusted Encryption Environments
Really good—and detailed—survey of Trusted Encryption Environments (TEEs).
-
Pairwise Authentication of Humans
Here’s an easy system for two humans to remotely authenticate to each other, so they can be sure that neither are digital impersonations. To mitigate that risk, I have developed this simple solution where you can set up a unique time-based one-time passcode (TOTP) between any pair of persons. This is how…
-
UK Is Ordering Apple to Break Its Own Encryption
The Washington Post is reporting that the UK government has served Apple with a “technical capability notice” as defined by the 2016 Investigatory Powers Act, requiring it to break the Advanced Data Protection encryption in iCloud for the benefit of law enforcement. This is a big…
-
Screenshot-Reading Malware
Kaspersky is reporting on a new type of smartphone malware. The malware in question uses optical character recognition (OCR) to review a device’s photo library, seeking screenshots of recovery phrases for crypto wallets. Based on their assessment, infected Google Play apps have been downloaded more than 242,000 times. Kaspersky says: “This is the…
-
Friday Squid Blogging: The Colossal Squid
Long article on the colossal squid. Blog moderation policy.
-
AIs and Robots Should Sound Robotic
Most people know that robots no longer sound like tinny trash cans. They sound like Siri, Alexa, and Gemini. They sound like the voices in labyrinthine customer support phone trees. And even those robot voices are being made obsolete by new AI-generated voices that can mimic every vocal nuance…
-
On Generative AI Security
Microsoft’s AI Red Team just published “Lessons from Red Teaming 100 Generative AI Products.” Their blog post lists “three takeaways,” but the eight lessons in the report itself are more useful: Understand what the system can do and where it is applied. You don’t have to compute gradients to break an…
-
Deepfakes and the 2024 US Election
Interesting analysis: We analyzed every instance of AI use in elections collected by the WIRED AI Elections Project (source for our analysis), which tracked known uses of AI for creating political content during elections taking place in 2024 worldwide. In each case, we identified what AI was used for…
-
Journalists and Civil Society Members Using WhatsApp Targeted by Paragon Spyware
This is yet another story of commercial spyware being used against journalists and civil society members. The journalists and other civil society members were being alerted of a possible breach of their devices, with WhatsApp telling the Guardian it had “high confidence” that the…
-
Friday Squid Blogging: On Squid Brains
Interesting. Blog moderation policy.
-
Fake Reddit and WeTransfer Sites are Pushing Malware
There are thousands of fake Reddit and WeTransfer webpages that are pushing malware. They exploit people who are using search engines to search sites like Reddit. Unsuspecting victims clicking on the link are taken to a fake WeTransfer site that mimics the interface of the popular file-sharing…
-
ExxonMobil Lobbyist Caught Hacking Climate Activists
The Department of Justice is investigating a lobbying firm representing ExxonMobil for hacking the phones of climate activists: The hacking was allegedly commissioned by a Washington, D.C., lobbying firm, according to a lawyer representing the U.S. government. The firm, in turn, was allegedly working on behalf of one of…
-
pinoy call centers
you know who are fucked when cost of inference drop 50x?
-
CISA Under Trump
Jen Easterly is out as the Director of CISA. Read her final interview: There’s a lot of unfinished business. We have made an impact through our ransomware vulnerability warning pilot and our pre-ransomware notification initiative, and I’m really proud of that, because we work on preventing somebody from having their worst day.…
-
New VPN Backdoor
A newly discovered VPN backdoor uses some interesting tactics to avoid detection: When threat actors use backdoor malware to gain access to a network, they want to make sure all their hard work can’t be leveraged by competing groups or detected by defenders. One countermeasure is to equip the backdoor with a…
-
Friday Squid Blogging: Beaked Whales Feed on Squid
A Travers’ beaked whale (Mesoplodon traversii) washed ashore in New Zealand, and scientists concluded that “the prevalence of squid remains [in its stomachs] suggests that these deep-sea cephalopods form a significant part of the whale’s diet, similar to other beaked whale species.” Blog moderation policy.
-
Third Interdisciplinary Workshop on Reimagining Democracy (IWORD 2024)
Last month, Henry Farrell and I convened the Third Interdisciplinary Workshop on Reimagining Democracy (IWORD 2024) at Johns Hopkins University’s Bloomberg Center in Washington DC. This is a small, invitational workshop on the future of democracy. As with the previous two workshops, the goal was to bring…
-
AI Will Write Complex Laws
Artificial intelligence (AI) is writing law today. This has required no changes in legislative procedure or the rules of legislative bodies—all it takes is one legislator, or legislative assistant, to use generative AI in the process of drafting a bill. In fact, the use of AI by legislators is only…
-
AI Mistakes Are Very Different from Human Mistakes
Humans make mistakes all the time. All of us do, every day, in tasks both new and routine. Some of our mistakes are minor and some are catastrophic. Mistakes can break trust with our friends, lose the confidence of our bosses, and sometimes be the difference between…
-
Biden Signs New Cybersecurity Order
President Biden has signed a new cybersecurity order. It has a bunch of provisions, most notably using the US government’s procurement power to improve cybersecurity practices industry-wide. Some details: The core of the executive order is an array of mandates for protecting government networks based on lessons learned from recent…
-
Friday Squid Blogging: Opioid Alternatives from Squid Research
Is there nothing that squid research can’t solve? “If you’re working with an organism like squid that can edit genetic information way better than any other organism, then it makes sense that that might be useful for a therapeutic application like deadening pain,” he said. […] Researchers…
-
FBI Deletes PlugX Malware from Thousands of Computers
According to a DOJ press release, the FBI was able to delete the Chinese-used PlugX malware from “approximately 4,258 U.S.-based computers and networks.” Details: To retrieve information from and send commands to the hacked machines, the malware connects to a command-and-control server that is operated by the…
-
Phishing False Alarm
A very security-conscious company was hit with a (presumed) massive state-actor phishing attack with gift cards, and everyone rallied to combat it—until it turned out it was company management sending the gift cards.
-
no guacamole machine
https://selkies-project.github.io/selkies-gstreamer/design/ https://docs.linuxserver.io/images/docker-webtop/ whats the use of a remote linux desktop? in my mind i only need a ssh session to a linux instance. whereas i might more likely want a desktop session if i use windows
-
are cow slow?
https://www.lanl.gov/media/news/0321-computational-storage https://openzfs.github.io/openzfs-docs/Performance%20and%20Tuning/Module%20Parameters.html#zfs-arc-max
-
The First Password on the Internet
It was created in 1973 by Peter Kirstein: So from the beginning I put password protection on my gateway. This had been done in such a way that even if UK users telephoned directly into the communications computer provided by Darpa in UCL, they would require a password. In…
-
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking on “AI: Trust & Power” at Capricon 45 in Chicago, Illinois, USA, at 11:30 AM on February 7, 2025. I’m also signing books there on Saturday, February 8, starting at 1:45 PM. I’m speaking at Boskone…
-
Microsoft Takes Legal Action Against AI “Hacking as a Service” Scheme
Not sure this will matter in the end, but it’s a positive move: Microsoft is accusing three individuals of running a “hacking-as-a-service” scheme that was designed to allow the creation of harmful and illicit content using the company’s platform for AI-generated content. The foreign-based…
-
Apps That Are Spying on Your Location
404 Media is reporting on all the apps that are spying on your location, based on a hack of the location data company Gravy Analytics: The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like Candy Crush to dating…
-
Friday Squid Blogging: Cotton-and-Squid-Bone Sponge
News: A sponge made of cotton and squid bone that has absorbed about 99.9% of microplastics in water samples in China could provide an elusive answer to ubiquitous microplastic pollution in water across the globe, a new report suggests. […] The study tested the material in an irrigation ditch, a…
-
Zero-Day Vulnerability in Ivanti VPN
It’s being actively exploited.
-
US Treasury Department Sanctions Chinese Company Over Cyberattacks
From the Washington Post: The sanctions target Beijing Integrity Technology Group, which U.S. officials say employed workers responsible for the Flax Typhoon attacks which compromised devices including routers and internet-enabled cameras to infiltrate government and industrial targets in the United States, Taiwan, Europe and elsewhere.
-
Privacy of Photos.app’s Enhanced Visual Search
Initial speculation about a new Apple feature.
-
Friday Squid Blogging: Anniversary Post
I made my first squid post nineteen years ago this week. Between then and now, I posted something about squid every week (with maybe only a few exceptions). There is a lot out there about squid, even more if you count the other meanings of the word. Blog moderation policy.…
-
Google Is Allowing Device Fingerprinting
Lukasz Olejnik writes about device fingerprinting, and why Google’s policy change to allow it in 2025 is a major privacy setback.
-
Gift Card Fraud
It’s becoming an organized crime tactic: Card draining is when criminals remove gift cards from a store display, open them in a separate location, and either record the card numbers and PINs or replace them with a new barcode. The crooks then repair the packaging, return to a store and place the…
-
Salt Typhoon’s Reach Continues to Grow
The US government has identified a ninth telecom that was successfully hacked by Salt Typhoon.
-
Friday Squid Blogging: Squid on Pizza
Pizza Hut in Taiwan has a history of weird pizzas, including a “2022 scalloped pizza with Oreos around the edge, and deep-fried chicken and calamari studded throughout the middle.” Blog moderation policy.
-
Casino Players Using Hidden Cameras for Cheating
The basic strategy is to place a device with a hidden camera in a position to capture normally hidden card values, which are interpreted by an accomplice off-site and fed back to the player via a hidden microphone. Miniaturization is making these devices harder to detect. Presumably AI…
-
Scams Based on Fake Google Emails
Scammers are hacking Google Forms to send email to victims that come from google.com. Brian Krebs reports on the effects. Boing Boing post.
-
Spyware Maker NSO Group Found Liable for Hacking WhatsApp
A judge has found that NSO Group, maker of the Pegasus spyware, has violated the US Computer Fraud and Abuse Act by hacking WhatsApp in order to spy on people using it. Jon Penney and I wrote a legal paper on the case.
-
Criminal Complaint against LockBit Ransomware Writer
The Justice Department has published the criminal complaint against Dmitry Khoroshev, for building and maintaining the LockBit ransomware.
-
Friday Squid Blogging: Squid Sticker
A sticker for your water bottle. Blog moderation policy.
-
Mailbox Insecurity
It turns out that all cluster mailboxes in the Denver area have the same master key. So if someone robs a postal carrier, they can open any mailbox. I get that a single master key makes the whole system easier, but it’s very fragile security.
-
New Advances in the Understanding of Prime Numbers
Really interesting research into the structure of prime numbers. Not immediately related to the cryptanalysis of prime-number-based public-key algorithms, but every little bit matters.
-
Hacking Digital License Plates
Not everything needs to be digital and “smart.” License plates, for example: Josep Rodriguez, a researcher at security firm IOActive, has revealed a technique to “jailbreak” digital license plates sold by Reviver, the leading vendor of those plates in the US with 65,000 plates already sold. By removing a sticker on…
-
Short-Lived Certificates Coming to Let’s Encrypt
Starting next year: Our longstanding offering won’t fundamentally change next year, but we are going to introduce a new offering that’s a big shift from anything we’ve done before—short-lived certificates. Specifically, certificates with a lifetime of six days. This is a big upgrade for the security of the TLS…
-
Upcoming Speaking Events
This is a current list of where and when I am scheduled to speak: I’m speaking at a joint meeting of the Boston Chapter of the IEEE Computer Society and GBC/ACM, in Boston, Massachusetts, USA, at 7:00 PM ET on Thursday, January 9, 2025. The event will take place at the Massachusetts…
-
Ultralytics Supply-Chain Attack
Last week, we saw a supply-chain attack against the Ultralytics AI library on GitHub. A quick summary: On December 4, a malicious version 8.3.41 of the popular AI library ultralytics—which has almost 60 million downloads—was published to the Python Package Index (PyPI) package repository. The package contained downloader code that was…
-
Friday Squid Blogging: Biology and Ecology of the Colossal Squid
Good survey paper. Blog moderation policy.
-
Full-Face Masks to Frustrate Identification
This is going to be interesting. It’s a video of someone trying on a variety of printed full-face masks. They won’t fool anyone for long, but will survive casual scrutiny. And they’re cheap and easy to swap.
-
Trust Issues in AI
For a technology that seems startling in its modernity, AI sure has a long history. Google Translate, OpenAI chatbots, and Meta AI image generators are built on decades of advancements in linguistics, signal processing, statistics, and other fields going back to the early days of computing—and, often, on seed funding from…
-
Detecting Pegasus Infections
This tool seems to do a pretty good job. The company’s Mobile Threat Hunting feature uses a combination of malware signature-based detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify customers, the tool regularly checks devices for…
-
Friday Squid Blogging: Safe Quick Undercarriage Immobilization Device
Fifteen years ago I blogged about a different SQUID. Here’s an update: Fleeing drivers are a common problem for law enforcement. They just won’t stop unless persuaded—persuaded by bullets, barriers, spikes, or snares. Each option is risky business. Shooting up a fugitive’s car is one possibility. But…
-
free book
https://www.troyhunt.com/pwned-the-book-is-now-available-for-free/
-
free!
https://github.com/google/vanir
-
another free waf
https://docs.bunkerweb.io/1.5.12/integrations/
-
that didnt take long…
First of all, it’s highly unlikely that this containerized version of Android 12 will pass Play Integrity checks, especially once the new Play Integrity upgrades roll out next year. That means many Android apps will refuse to run entirely. Second, the container appears to use microG instead of Google Play Services, which means certain features…
-
a monitoring option
https://bluewavelabs.gitbook.io/checkmate/users-guide/pagespeed-monitoring
-
AI and the 2024 Elections
It’s been the biggest year for elections in human history: 2024 is a “super-cycle” year in which 3.7 billion eligible voters in 72 countries had the chance to go to the polls. These are also the first AI elections, where many feared that deepfakes and artificial intelligence-generated misinformation would overwhelm the…
-
Algorithms Are Coming for Democracy—but It’s Not All Bad
In 2025, AI is poised to change every aspect of democratic politics—but it won’t necessarily be for the worse. India’s prime minister, Narendra Modi, has used AI to translate his speeches for his multilingual electorate in real time, demonstrating how AI can help diverse democracies to…
-
Details about the iOS Inactivity Reboot Feature
I recently wrote about the new iOS feature that forces an iPhone to reboot after it’s been inactive for a longish period of time. Here are the technical details, discovered through reverse engineering. The feature triggers after seventy-two hours of inactivity, even if it remains connected to Wi-Fi.…
-
why CAs?
https://follow.agwa.name/notice/AoZSMI38xcA3TrN1sm