2979 matches found
On Passkey Usability
Matt Burgess tries to only use passkeys. The results are mixed...
No, Toothbrushes Were Not Used in a Massive DDoS Attack
The widely reported story last week that 1.5 million smart toothbrushes were hacked and used in a DDoS attack is false. Near as I can tell, a German reporter talking to someone at Fortinet got it wrong, and then everyone else ran with it without reading the German text. It was a hypothetical, whi...
A Self-Enforcing Protocol to Solve Gerrymandering
In 2009, I wrote: There are several ways two people can divide a piece of cake in half. One way is to find someone impartial to do it for them. This works, but it requires another person. Another way is for one person to divide the piece, and the other person to complain to the police, a judge, o...
NSA Buying Bulk Surveillance Data on Americans without a Warrant
It finally admitted to buying bulk data on Americans from data brokers, in response to a query by Senator Weyden. This is almost certainly illegal, although the NSA maintains that it is legal until its told otherwise. Some news articles...
Microsoft Executives Hacked
Microsoft is reporting that a Russian intelligence agency--the same one responsible for SolarWinds--accessed the email system of the companys executives. Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and ga...
On IoT Devices and Software Liability
New law journal article: Smart Device Manufacturer Liability and Redress for Third-Party Cyberattack Victims Abstract: Smart devices are used to facilitate cyberattacks against both their users and third parties. While users are generally able to seek redress following a cyberattack via data...
Pharmacies Giving Patient Records to Police without Warrants
Add pharmacies to the list of industries that are giving private data to the police without a warrant...
OpenAI Is Not Training on Your Dropbox Documents—Today
Theres a rumor flying around the Internet that OpenAI is training foundation models on your Dropbox documents. Heres CNBC. Heres Boing Boing. Some articles are more nuanced, but theres still a lot of confusion. It seems not to be true. Dropbox isnt sharing all of your documents with OpenAI. But...
Apple to Add Manual Authentication to iMessage
Signal has had the ability to manually authenticate another account for years. iMessage is getting it: The feature is called Contact Key Verification, and it does just what its name says: it lets you add a manual verification step in an iMessage conversation to confirm that the other person is wh...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Im speaking at the AI Summit New York on December 6, 2023. The list is maintained on this page...
Friday Squid Blogging: Eating Dancing Squid
Its not actually alive, but it twitches in response to soy sauce. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
New York Increases Cybersecurity Rules for Financial Companies
Another example of a large and influential state doing things the federal government wont: Boards of directors, or other senior committees, are charged with overseeing cybersecurity risk management, and must retain an appropriate level of expertise to understand cyber issues, the rules say...
On the Cybersecurity Jobs Shortage
In April, Cybersecurity Ventures reported on extreme cybersecurity job shortage: Global cybersecurity job vacancies grew by 350 percent, from one million openings in 2013 to 3.5 million in 2021, according to Cybersecurity Ventures. The number of unfilled jobs leveled off in 2022, and remains at 3...
Using Hacked LastPass Keys to Steal Cryptocurrency
Remember last November, when hackers broke into the network for LastPass--a password database--and stole password vaults with both encrypted and plaintext data for over 25 million users? Well, theyre now using that data break into crypto wallets and drain them: $35 million and counting, all going...
Fake Signal and Telegram Apps in the Google Play Store
Google removed fake Signal and Telegram apps from its Play store. An app with the name Signal Plus Messenger was available on Play for nine months and had been downloaded from Play roughly 100 times before Google took it down last April after being tipped off by security firm ESET. It was also...
Spyware Vendor Hacked
A Brazilian spyware app vendor was hacked by activists: In an undated note seen by TechCrunch, the unnamed hackers described how they found and exploited several security vulnerabilities that allowed them to compromise WebDetetive’s servers and access its user databases. By exploiting other flaws...
The Inability to Simultaneously Verify Sentience, Location, and Identity
Really interesting "systematization of knowledge" paper: "SoK: The Ghost Trilemma" Abstract: Trolls, bots, and sybils distort online discourse and compromise the security of networked platforms. User identity is central to the vectors of attack and manipulation employed in these contexts. However...
Indirect Instruction Injection in Multi-Modal LLMs
Interesting research: "Abusing Images and Sounds for Indirect Instruction Injection in Multi-Modal LLMs": Abstract: We demonstrate how images and sounds can be used for indirect prompt and instruction injection in multi-modal LLMs. An attacker generates an adversarial perturbation corresponding t...
On the Catastrophic Risk of AI
Earlier this week, I signed on to a short group statement, coordinated by the Center for AI Safety: Mitigating the risk of extinction from AI should be a global priority alongside other societal-scale risks such as pandemics and nuclear war. The press coverage has been extensive, and surprising t...
Friday Squid Blogging: Online Cephalopod Course
Atlas Obscura has a five-part online course on cephalopods, taught by squid biologist Dr. Sarah McAnulty. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Expeditionary Cyberspace Operations
Cyberspace operations now officially has a physical dimension, meaning that the United States has official military doctrine about cyberattacks that also involve an actual human gaining physical access to a piece of computing infrastructure. A revised version of Joint Publication 3-12 Cyberspace...
On the Poisoning of LLMs
Interesting essay on the poisoning of LLMs--ChatGPT in particular: Given that weve known about model poisoning for years, and given the strong incentives the black-hat SEO crowd has to manipulate results, its entirely possible that bad actors have been poisoning ChatGPT for months. We dont know...
Credible Handwriting Machine
In case you dont have enough to worry about, someone has built a credible handwriting machine: This is still a work in progress, but the project seeks to solve one of the biggest problems with other homework machines, such as this one that I covered a few months ago after it blew up on social...
A Hacker’s Mind News
My latest book continues to sell well. Its ranking hovers between 1,500 and 2,000 on Amazon. Its been spied in airports. Reviews are consistently good. I have been enjoying giving podcast interviews. It all feels pretty good right now. You can order a signed book from me here. For those of you in...
Friday Squid Blogging: New Species of Vampire Squid Lives 3,000 Feet below Sea Level
At least, it seems to be a new species. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Friday Squid Blogging: We’re Almost at Flying Squid Drones
Researchers are prototyping multi-segment shapeshifter drones, which are "the precursors to flying squid-bots." As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Arresting IT Administrators
This is one way of ensuring that IT keeps up with patches: Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by alleged Iranian hackers. Prosecutors said the five IT officials of the public...
Friday Squid Blogging: Injured Giant Squid and Paddleboarder
Heres a video--I dont know where its from--of an injured juvenile male giant squid grabbing on to a paddleboard. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Hacking Boston’s CharlieCard
Interesting discussion of vulnerabilities and exploits against Bostons CharlieCard...
LastPass Security Breach
The company was hacked, and customer information accessed. No passwords were compromised...
Sirius XM Software Vulnerability
This is new: Newly revealed research shows that a number of major car brands, including Honda, Nissan, Infiniti, and Acura, were affected by a previously undisclosed security bug that would have allowed a savvy hacker to hijack vehicles and steal user data. According to researchers, the bug was i...
Facebook Fined $276M under GDPR
Facebook--Meta--was just fined $276 million USD for a data leak that included full names, birth dates, phone numbers, and location. Metas total fine by the Data Protection Commission is over $700 million. Total GDPR fines are over €2 billion EUR since 2018...
Failures in Twitter’s Two-Factor Authentication System
Twitter is having intermittent problems with its two-factor authentication system: Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the...
Friday Squid Blogging: Newfoundland Giant Squid Sculpture
In 1878, a 55-foot-long giant squid washed up on the shores of Glovers Harbour, Newfoundland. Its the largest giant squid ever recorded--although scientists now think that the size was an exaggeration or the result of postmortem stretching--and theres a full-sized statue of it near the beach wher...
Friday Squid Blogging: The Reproductive Habits of Giant Squid
Interesting: A recent study on giant squid that have washed ashore along the Sea of Japan coast has raised the possibility that the animal has a different reproductive method than many other types of squid. Almost all squid and octopus species are polygamous, with multiple males passing sperm to ...
Adversarial ML Attack that Secretly Gives a Language Model a Point of View
Machine learning security is extraordinarily difficult because the attacks are so varied--and it seems that each new one is weirder than the next. Heres the latest: a training-time attack that forces the model to exhibit a point of view: Spinning Language Models: Risks of Propaganda-As-A-Service...
Inserting a Backdoor into a Machine-Learning System
Interesting research: "ImpNet: Imperceptible and blackbox-undetectable backdoors in compiled neural networks, by Tim Clifford, Ilia Shumailov, Yiren Zhao, Ross Anderson, and Robert Mullins: Abstract: Early backdoor attacks against machine learning set off an arms race in attack and defence...
NSA Employee Charged with Espionage
An ex-NSA employee has been charged with trying to sell classified data to the Russians but instead actually talking to an undercover FBI agent. Its a weird story, and the FBI affidavit raises more questions than it answers. The employee only worked for the NSA for three weeks--which is weird in...
Friday Squid Blogging: Breeding the Oval Squid
Japanese scientists are trying to breed the oval squid in captivity. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
New Report on IoT Security
The Atlantic Council has published a report on securing the Internet of Things: "Security in the Billions: Toward a Multinational Strategy to Better Secure the IoT Ecosystem." The report examines the regulatory approaches taken by four countries--the US, the UK, Australia, and Singapore--to secur...
Automatic Cheating Detection in Human Racing
This is a fascinating glimpse of the future of automatic cheating detection in sports: Maybe you heard about the truly insane false-start controversy in track and field? Devon Allen--a wide receiver for the Philadelphia Eagles--was disqualified from the 110-meter hurdles at the World Athletics...
Responsible Disclosure for Cryptocurrency Security
Stewart Baker discusses why the industry-norm responsible disclosure for software vulnerabilities fails for cryptocurrency software. Why can’t the cryptocurrency industry solve the problem the way the software and hardware industries do, by patching and updating security as flaws are found? Two...
Signal Phone Numbers Exposed in Twilio Hack
Twilio was hacked earlier this month, and the phone numbers of 1,900 Signal users were exposed: Heres what our users need to know: All users can rest assured that their message history, contact lists, profile information, whom theyd blocked, and other personal data remain private and secure and...
Zoom Exploit on MacOS
This vulnerability was reported to Zoom last December: The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter the...
Twitter Exposes Personal Information for 5.4 Million Accounts
Twitter accidentally exposed the personal information--including phone numbers and email addresses--for 5.4 million accounts. And someone was trying to sell this information. In January 2022, we received a report through our bug bounty program of a vulnerability in Twitters systems. As a result o...
On the Subversion of NIST by the NSA
Nadiya Kostyuk and Susan Landau wrote an interesting paper: "Dueling Over DUALECDRBG: The Consequences of Corrupting a Cryptographic Standardization Process": Abstract: In recent decades, the U.S. National Institute of Standards and Technology NIST, which develops cryptographic standards for...
Long Story on the Accused CIA Vault 7 Leaker
Long article about Joshua Schulte, the accused leaker of the WikiLeaks Vault 7 and Vault 8 CIA data. Well worth reading...
Friday Squid Blogging: Squid Migration and Climate Change
New research on the changing migration of the Doryteuthis opalescens as a result of climate change. News article: Stanford researchers have solved a mystery about why a species of squid native to California has been found thriving in the Gulf of Alaska about 1,800 miles north of its expected rang...
An Elaborate Employment Con in the Internet Age
The story is an old one, but the tech gives it a bunch of new twists: Gemma Brett, a 27-year-old designer from west London, had only been working at Madbird for two weeks when she spotted something strange. Curious about what her commute would be like when the pandemic was over, she searched for...
Amy Zegart on Spycraft in the Internet Age
Amy Zegart has a new book: Spies, Lies, and Algorithms: The History and Future of American Intelligence. Wired has an excerpt: In short, data volume and accessibility are revolutionizing sensemaking. The intelligence playing field is leveling -- and not in a good way. Intelligence collectors are...