2981 matches found
San Francisco Police Illegally Spying on Protesters
Last summer, the San Francisco police illegally used surveillance cameras at the George Floyd protests. The EFF is suing the police: This surveillance invaded the privacy of protesters, targeted people of color, and chills and deters participation and organizing for future protests. The SFPD also...
On the Log4j Vulnerability
Its serious: The range of impacts is so broad because of the nature of the vulnerability itself. Developers use logging frameworks to keep track of what happens in a given application. To exploit Log4Shell, an attacker only needs to get the system to log a strategically crafted string of code. Fr...
NSO Group’s Pegasus Spyware Used Against US State Department Officials
NSO Groups descent into Internet pariah status continues. Its Pegasus spyware was used against nine US State Department employees. We dont know which NSO Group customer trained the spyware on the US. But the company does: NSO Group said in a statement on Thursday that it did not have any indicati...
Google Shuts Down Glupteba Botnet, Sues Operators
Google took steps to shut down the Glupteba botnet, at least for now. The botnet uses the bitcoin blockchain as a backup command-and-control mechanism, making it hard to get rid of it permanently. So Google is also suing the botnets operators. Its an interesting strategy. Lets see if its successf...
Airline Passenger Mistakes Vintage Camera for a Bomb
I feel sorry for the accused: The "security incident" that forced a New-York bound flight to make an emergency landing at LaGuardia Airport on Saturday turned out to be a misunderstanding -- after an airline passenger mistook another travelers camera for a bomb, sources said Sunday. American...
The European Parliament Voted to Ban Remote Biometric Surveillance
Its not actually banned in the EU yet -- the legislative process is much more complicated than that -- but its a step: a total ban on biometric mass surveillance. To respect "privacy and human dignity," MEPs said that EU lawmakers should pass a permanent ban on the automated recognition of...
Tracking People by their MAC Addresses
Yet another article on the privacy risks of static MAC addresses and always-on Bluetooth connections. This one is about wireless headphones. The good news is that product vendors are fixing this: Several of the headphones which could be tracked over time are for sale in electronics stores, but...
Friday Squid Blogging: Squid Communication
Interesting article on squid communication. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Excellent Write-up of the SolarWinds Security Breach
Robert Chesney wrote up the Solar Winds story as a case study, and its a really good summary...
Seny Kamara on "Crypto for the People"
Seny Kamara gave an excellent keynote talk this year at the online CRYPTO Conference. He talked about solving real-world crypto problems for marginalized communities around the world, instead of crypto problems for governments and corporations. Well worth watching and listening to...
US Postal Service Files Blockchain Voting Patent
The US Postal Service has filed a patent on a blockchain voting method: Abstract: A voting system can use the security of blockchain and the mail to provide a reliable voting system. A registered voter receives a computer readable code in the mail and confirms identity and confirms correct ballot...
Friday Squid Blogging: New Squid Species off the New Zealand Coast
There's a new diversity of species. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Friday Squid Blogging: Squid Comic
It's not very good, but it has a squid in it. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Friday Squid Blogging: Baby Sea Otters Prefer Shrimp to Squid
At least, this one does. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Tracking People Without GPS
Interesting research: The trick in accurately tracking a person with this method is finding out what kind of activity they're performing. Whether they're walking, driving a car, or riding in a train or airplane, it's pretty easy to figure out when you know what you're looking for. The sensors can...
NSA Links WannaCry to North Korea
There's evidence: Though the assessment is not conclusive, the preponderance of the evidence points to Pyongyang. It includes the range of computer Internet protocol addresses in China historically used by the RGB, and the assessment is consistent with intelligence gathered recently by other...
Friday Squid Blogging: Live Squid Washes up on North Carolina Beach
A "mysterious squid" -- big and red -- washed up on a beach in Carteret County, North Carolina. Someone found it, still alive, and set it back in the water after taking some photos of it. Squid scientists later decided it was a diamondback squid. So, you think that O'Shea might know the identity ...
Reading Analytics and Privacy
Interesting paper: "The rise of reading analytics and the emerging calculus of reading privacy in the digital world," by Clifford Lynch: Abstract: This paper studies emerging technologies for tracking reading behaviors "reading analytics" and their implications for reader privacy, attempting to...
Faking Domain Names with Unicode Characters
It's things like this that make phishing attacks easier. News article...
France to Stop Certifying Non-Quantum-Safe Encryption
France is accelerating its transition to post-quantum encryption: France's cybersecurity agency ANSSI said on Tuesday it would stop certifying security products that lack quantum-resistant encryption, a move that will force government bodies and critical operators to shift away from older systems...
Interesting Paper Exploring Prompt Injection
This is a fascinating explotation of how LLMs fall for prompt injection attacks. It turns out that they learn to recognize the style of text in different role/instruction blocks, and not just the tags. Their conclusion: Role tags were a formatting trick that became the security architecture and t...
AI Use by the US Government
On 14 April, the Trump administration quietly acknowledged the widespread use of AI to automate government processes. The office of management and budget OMB disclosed a staggering 3,611 active or planned use cases for AI across the federal government. The list has ballooned by 70% from the one...
Friday Squid Blogging: Regulating Squid Fishing in the South Pacific
The South Pacific Regional Fisheries Management Organization SPRFMO needs to regulate squid fishing in the South Pacific. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...
A Ransomware Negotiator Was Working for a Ransomware Gang
Someone pleaded guilty to secretly working for a ransomware gang as he negotiated ransomware payments for clients...
Defense in Depth, Medieval Style
This article on the walls of Constantinople is fascinating. The system comprised four defensive lines arranged in formidable layers: The brick-lined ditch, divided by bulkheads and often flooded, 15-20 meters wide and up to 7 meters deep. A low breastwork, about 2 meters high, enabling defenders...
How Hackers Are Thinking About AI
Interesting paper: "What hackers talk about when they talk about AI: Early-stage diffusion of a cybercrime innovation." Abstract: The rapid expansion of artificial intelligence AI is raising concerns about its potential to transform cybercrime. Beyond empowering novice offenders, AI stands to...
Sen. Sanders Talks to Claude About AI and Privacy
Claude is actually pretty good on the issues...
Israel Hacked Traffic Cameras in Iran
Multiple news outlets are reporting on Israel's hacking of Iranian traffic cameras and how they assisted with the killing of that country's leadership. The New York Times has an article on the intelligence operation more generally...
LLM-Assisted Deanonymization
Turns out that LLMs are good at de-anonymization: We show that LLM agents can figure out who you are from your anonymous online posts. Across Hacker News, Reddit, LinkedIn, and anonymized interview transcripts, our method identifies users with high precision and scales to tens of thousands of...
Trojans Embedded in .svg Files
Porn sites are hiding code in .svg files: Unpacking the attack took work because much of the JavaScript in the .svg images was heavily obscured using a custom version of "JSFuck," a technique that uses only a handful of character types to encode JavaScript into a camouflaged wall of text. Once...
Friday Squid Blogging: Squid Run in Southern New England
Southern New England is having the best squid run in years. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered...
Surveillance Via Smart Toothbrush
The only links are from The Daily Mail and The Mirror, but a marital affair was discovered because the cheater was recorded using his smart toothbrush at home when he was supposed to be at work...
Location Tracking App for Foreigners in Moscow
Russia is proposing a rule that all foreigners in Moscow install a tracking app on their phones. Using a mobile application that all foreigners will have to install on their smartphones, the Russian state will receive the following information: Residence location Fingerprint Face photograph...
Friday Squid Blogging: Squid Facts on Your Phone
Text "SQUID" to 1-833-SCI-TEXT for daily squid facts. The website has merch. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered...
Cryptocurrency Thefts Get Physical
Long story of a $250 million cryptocurrency theft that, in a complicated chain events, resulted in a pretty brutal kidnapping...
Android Improves Its Security
Android phones will soon reboot themselves after sitting idle for three days. iPhones have had this feature for a while; it's nice to see Google add it to their phones...
Age Verification Using Facial Scans
Discord is testing the feature: "We're currently running tests in select regions to age-gate access to certain spaces or user settings," a spokesperson for Discord said in a statement. "The information shared to power the age verification method is only used for the one-time age verification...
North Korean Hackers Steal $1.5B in Cryptocurrency
It looks like a very sophisticated attack against the Dubai-based exchange Bybit: Bybit officials disclosed the theft of more than 400,000 ethereum and staked ethereum coins just hours after it occurred. The notification said the digital loot had been stored in a "Multisig Cold Wallet" when,...
Delivering Malware Through Abandoned Amazon S3 Buckets
Here's a supply-chain attack just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. Presumably the projects don't realize that they have been abandoned, and still...
Friday Squid Blogging: The Colossal Squid
Long article on the colossal squid. Blog moderation policy...
Friday Squid Blogging: Opioid Alternatives from Squid Research
Is there nothing that squid research can't solve? "If you're working with an organism like squid that can edit genetic information way better than any other organism, then it makes sense that that might be useful for a therapeutic application like deadening pain," he said. … Researchers hope to...
FBI Deletes PlugX Malware from Thousands of Computers
According to a DOJ press release, the FBI was able to delete the Chinese-used PlugX malware from "approximately 4,258 U.S.-based computers and networks." Details: To retrieve information from and send commands to the hacked machines, the malware connects to a command-and-control server that is...
Friday Squid Blogging: Cotton-and-Squid-Bone Sponge
News: A sponge made of cotton and squid bone that has absorbed about 99.9% of microplastics in water samples in China could provide an elusive answer to ubiquitous microplastic pollution in water across the globe, a new report suggests. … The study tested the material in an irrigation ditch, a...
Friday Squid Blogging: Anniversary Post
I made my first squid post nineteen years ago this week. Between then and now, I posted something about squid every week with maybe only a few exceptions. There is a lot out there about squid, even more if you count the other meanings of the word. Blog moderation policy...
ShredOS
ShredOS is a stripped-down operating system designed to destroy data. GitHub page here...
Friday Squid Blogging: Safe Quick Undercarriage Immobilization Device
Fifteen years ago I blogged about a different SQUID. Here's an update: Fleeing drivers are a common problem for law enforcement. They just won’t stop unless persuaded--persuaded by bullets, barriers, spikes, or snares. Each option is risky business. Shooting up a fugitive’s car is one possibilit...
Details about the iOS Inactivity Reboot Feature
I recently wrote about the new iOS feature that forces an iPhone to reboot after it's been inactive for a longish period of time. Here are the technical details, discovered through reverse engineering. The feature triggers after seventy-two hours of inactivity, even it is remains connected to Wi-...
What Graykey Can and Can’t Unlock
This is from 404 Media: The Graykey, a phone unlocking and forensics tool that is used by law enforcement around the world, is only able to retrieve partial data from all modern iPhones that run iOS 18 or iOS 18.0.1, which are two recently released versions of Apple's mobile operating system,...
Good Essay on the History of Bad Password Policies
Stuart Schechter makes some good points on the history of bad password policies: Morris and Thompson's work brought much-needed data to highlight a problem that lots of people suspected was bad, but that had not been studied scientifically. Their work was a big step forward, if not for two mistak...
Prompt Injection Defenses Against LLM Cyberattacks
Interesting research: "Hacking Back the AI-Hacker: Prompt Injection as a Defense Against LLM-driven Cyberattacks": Large language models LLMs are increasingly being harnessed to automate cyberattacks, making sophisticated exploits more accessible and scalable. In response, we propose a new defens...