2982 matches found
Poisoning AI Models
New research into poisoning AI models: The researchers first trained the AI models using supervised learning and then used additional "safety training" methods, including more supervised learning, reinforcement learning, and adversarial training. After this, they checked if the AI still had hidde...
Friday Squid Blogging: Squid Parts into Fertilizer
Its squid parts from college dissections, so its not a volume operation. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Surveillance by the US Postal Service
This is not about mass surveillance of mail, this is about the sorts of targeted surveillance the US Postal Inspection Service uses to catch mail thieves: To track down an alleged mail thief, a US postal inspector used license plate reader technology, GPS data collected by a rental car company,...
Model Extraction Attack on Neural Networks
Adi Shamir et al. have a new model extraction attack on neural networks: Polynomial Time Cryptanalytic Extraction of Neural Network Models Abstract: Billions of dollars and countless GPU hours are currently spent on training Deep Neural Networks DNNs for a variety of tasks. Thus, it is essential ...
When Apps Go Rogue
Interesting story of an Apple Macintosh app that went rogue. Basically, it was a good app until one particular update…when it went bad. With more official macOS features added in 2021 that enabled the "Night Shift" dark mode, the NightOwl app was left forlorn and forgotten on many older Macs. Few...
Friday Squid Blogging: Chromatophores
Neat: Chromatophores are tiny color-changing cells in cephalopods. Watch them blink back and forth from purple to white on this squids skin in an Instagram video taken by Drew Chicone… Its completely hypnotic to watch these tiny cells flash with color. Its as if the squid has a little sky full of...
Buying Campaign Contributions as a Hack
The first Republican primary debate has a popularity threshold to determine who gets to appear: 40,000 individual contributors. Now there are a lot of conventional ways a candidate can get that many contributors. Doug Burgum came up with a novel idea: buy them: A long-shot contender at the bottom...
Friday Squid Blogging: See-Through Squid
Doryteuthis opalescens is known as the market squid, and was critical in the recent squid RNA research. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
AI-Generated Steganography
New research suggests that AIs can produce perfectly secure steganographic images: Abstract: Steganography is the practice of encoding secret information into innocuous content in such a manner that an adversarial third party would not realize that there is hidden meaning. While this problem has...
The Software-Defined Car
Developers are starting to talk about the software-defined car. For decades, features have accumulated like cruft in new vehicles: a box here to control the antilock brakes, a module there to run the cruise control radar, and so on. Now engineers and designers are rationalizing the way they go...
Friday Squid Blogging: Squid Chromolithographs
Beautiful illustrations. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. EDITED TO ADD 6/4: Slashdot thread...
Friday Squid Blogging: Giant Squid Video
A video--authentic, not a deep fake--of a giant squid close to the surface. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Friday Squid Blogging: Creating Batteries Out of Squid Cells
This is fascinating: "When a squid ends up chipping what’s called its ring tooth, which is the nail underneath its tentacle, it needs to regrow that tooth very rapidly, otherwise it can’t claw its prey," he explains. This was intriguing news and it sparked an idea in Hopkins lab where he’d been...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking on “How to Reclaim Power in the Digital World” at EPFL in Lausanne, Switzerland, on Thursday, March 16, 2023, at 5:30 PM CET. I’ll be discussing my new book A Hacker’s Mind: How the Powerful Bend Society’s Rules at...
NIST Is Updating Its Cybersecurity Framework
NIST is planning a significant update of its Cybersecurity Framework. At this point, its asking for feedback and comments to its concept paper. 1. Do the proposed changes reflect the current cybersecurity landscape standards, risks, and technologies? 2. Are the proposed changes sufficient and...
Schneier on Security Audiobook Sale
Im not sure why, but Audiobooks.com is offering the audiobook version of Schneier on Security at 50% off until January 17. EDITED TO ADD: The audiobook of We Have Root is 50% off until January 27 if you use this link...
Trojaned Windows Installer Targets Ukraine
Mandiant is reporting on a trojaned Windows installer that targets Ukrainian users. The installer was left on various torrent sites, presumably ensnaring people downloading pirated copies of the operating system: Mandiant uncovered a socially engineered supply chain operation focused on Ukrainian...
How to Surrender to a Drone
The Ukrainian army has released an instructional video explaining how Russian soldiers should surrender to a drone: "Seeing the drone in the field of view, make eye contact with it," the video instructs. Soldiers should then raise their arms and signal theyre ready to follow. After that the drone...
Friday Squid Blogging: Squid in Concert
Squid is performing a concert in London in February. If you dont know what their music is like, try this or this or this. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
A Security Vulnerability in the KmsdBot Botnet
Security researchers found a software bug in the KmsdBot cryptomining botnet: With no error-checking built in, sending KmsdBot a malformed command--like its controllers did one day while Akamai was watching--created a panic crash with an "index out of range" error. Because theres no persistence...
The Decoupling Principle
This is a really interesting paper that discusses what the authors call the Decoupling Principle: The idea is simple, yet previously not clearly articulated: to ensure privacy, information should be divided architecturally and institutionally such that each entity has only the information they ne...
Using Wi-FI to See through Walls
This technique measures device response time to determine distance: The scientists tested the exploit by modifying an off-the-shelf drone to create a flying scanning device, the Wi-Peep. The robotic aircraft sends several messages to each device as it flies around, establishing the positions of...
Iran’s Digital Surveillance Tools Leaked
Its Irans turn to have its digital surveillance tools leaked: According to these internal documents, SIAM is a computer system that works behind the scenes of Iranian cellular networks, providing its operators a broad menu of remote commands to alter, disrupt, and monitor how customers use their...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the World Ethical Data Forum, online, October 26-28, 2022. I’m speaking at the 24th International Information Security Conference in Madrid, Spain, on November 17, 2022. The list is maintained on this page...
October Is Cybersecurity Awareness Month
For the past nineteen years, October has been Cybersecurity Awareness Month here in the US, and that event that has always been part advice and part ridicule. I tend to fall on the apathy end of the spectrum; I dont think Ive ever mentioned it before. But the memes can be funny. Heres a decent...
Differences in App Security/Privacy Based on Country
Depending on where you are when you download your Android apps, it might collect more or less data about you. The apps we downloaded from Google Play also showed differences based on country in their security and privacy capabilities. One hundred twenty-seven apps varied in what the apps were...
Hertzbleed: A New Side-Channel Attack
Hertzbleed is a new side-channel attack that works against a variety of microprocressors. Deducing cryptographic keys by analyzing power consumption has long been an attack, but its not generally viable because measuring power consumption is often hard. This new attack measures power consumption ...
Friday Squid Blogging: Squid Changes Color from Black to Transparent
Neat video. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Zero-Day Vulnerabilities Are on the Rise
Both Google and Mandiant are reporting a significant increase in the number of zero-day vulnerabilities reported in 2021. Google: 2021 included the detection and disclosure of 58 in-the-wild 0-days, the most ever recorded since Project Zero began tracking in mid-2014. That’s more than double the...
Java Cryptography Implementation Mistake Allows Digital-Signature Forgeries
Interesting implementation mistake: The vulnerability, which Oracle patched on Tuesday, affects the company’s implementation of the Elliptic Curve Digital Signature Algorithm in Java versions 15 and above. ECDSA is an algorithm that uses the principles of elliptic curve cryptography to authentica...
Clever Cryptocurrency Theft
Beanstalk Farms is a decentralized finance project that has a majority stake governance system: basically people have proportional votes based on the amount of currency they own. A clever hacker used a "flash loan" feature of another decentralized finance project to borrow enough of the currency ...
Wyze Camera Vulnerability
Wyze ignored a vulnerability in its home security cameras for three years. Bitdefender, who discovered the vulnerability, let the company get away with it. In case youre wondering, no, that is not normal in the security community. While experts tell me that the concept of a "responsible disclosur...
Stalking with an Apple Watch
The malicious uses of these technologies are scary: Police reportedly arrived on the scene last week and found the man crouched beside the womans passenger side door. According to the police, the man had, at some point, wrapped his Apple Watch across the spokes of the womans passenger side front...
Using Radar to Read Body Language
Yet another method of surveillance: Radar can detect you moving closer to a computer and entering its personal space. This might mean the computer can then choose to perform certain actions, like booting up the screen without requiring you to press a button. This kind of interaction already exist...
Interview with the Head of the NSA’s Research Directorate
MIT Technology Review published an interview with Gil Herrera, the new head of the NSAs Research Directorate. Theres a lot of talk about quantum computing, monitoring 5G networks, and the problems of big data: The math department, often in conjunction with the computer science department, helps...
Intel Is Maintaining Legacy Technology for Security Research
Interesting: Intel’s issue reflects a wider concern: Legacy technology can introduce cybersecurity weaknesses. Tech makers constantly improve their products to take advantage of speed and power increases, but customers don’t always upgrade at the same pace. This creates a long tail of old product...
US Blacklists NSO Group
The Israeli cyberweapons arms manufacturer -- and human rights violator, and probably war criminal -- NSO Group has been added to the US Department of Commerces trade blacklist. US companies and individuals cannot sell to them. Aside from the obvious difficulties this causes, itll make it harder...
Using Fake Student Accounts to Shill Brands
It turns out that its surprisingly easy to create a fake Harvard student and get a harvard.edu email account. Scammers are using that prestigious domain name to shill brands: Basically, it appears that anyone with $300 to spare can - or could, depending on whether Harvard successfully shuts down...
Alaska’s Department of Health and Social Services Hack
Apparently, a nation-state hacked Alaskas Department of Health and Social Services. Not sure why Alaskas Department of Health and Social Services is of any interest to a nation-state, but thats probably just my failure of imagination...
Friday Squid Blogging: Chinese Squid Fishing Near the Galapagos
The Chinese have been illegally squid fishing near the Galapagos Islands. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
More on NIST’s Post-Quantum Cryptography
Back in July, NIST selected third-round algorithms for its post-quantum cryptography standard. Recently, Daniel Apon of NIST gave a talk detailing the selection criteria. Interesting stuff. NOTE: Were in the process of moving this blog to WordPress. Comments will be disabled until the move is...
Denmark, Sweden, Germany, the Netherlands and France SIGINT Alliance
This paper describes a SIGINT and code-breaking alliance between Denmark, Sweden, Germany, the Netherlands and France called Maximator: Abstract: This article is first to report on the secret European five-partner sigint alliance Maximator that started in the late 1970s. It discloses the name...
New Report on Police Digital Forensics Techniques
According to a new CSIS report, "going dark" is not the most pressing problem facing law enforcement in the age of digital data: Over the past year, we conducted a series of interviews with federal, state, and local law enforcement officials, attorneys, service providers, and civil society groups...
Detecting Laptop Tampering
Micah Lee ran a two-year experiment designed to detect whether or not his laptop was ever tampered with. The results are inconclusive, but demonstrate how difficult it can be to detect laptop tampering...
GCHQ Found -- and Disclosed -- a Windows 10 Vulnerability
Now this is good news. The UK's National Cyber Security Centre NCSC -- part of GCHQ -- found a serious vulnerability in Windows Defender their anti-virus component. Instead of keeping it secret and all of us vulnerable, it alerted Microsoft. I'd like believe the US does this, too...
The Future of Ransomware
Ransomware isn't new, but it's increasingly popular and profitable. The concept is simple: Your computer gets infected with a virus that encrypts your files until you pay a ransom. It's extortion taken to its networked extreme. The criminals provide step-by-step instructions on how to pay,...
Flock Cameras Can Surveil Cars Without License Plates
This is from a 2024 company presentation: Officers can also tap into data showing a car's decals, bumper stickers, back and top racks--along with temporary and unique state tags. Flock calls it a "Vehicle Fingerprint" and it's touted as a way for law enforcement officials to get more information...
Robot Police Officers
We've taken one small step towards robot police officers: a drone capable of disarming a suspect: In a June 22 video posted on the Sacramento County Sheriff’s Office’s Instagram page, an officer wearing goggles can be seen operating a drone to retrieve a knife from an armed suspect hiding inside ...
Critical Zcash Vulnerability Found and Fixed
If you're a user--owner?--of this cryptocurrency, this is important: On May 29, the security researcher Taylor Hornby found a critical vulnerability in Zcash Orchard privacy pool using Claude Opus 4.8. The Zcash team hired Hornby specifically to look for this kind of issue. He found one fast enou...
Fast16 Malware
Researchers have reverse-engineered a piece of malware named Fast16. It's almost certainly state-sponsored, probably US in origin, and was deployed against Iran years before Stuxnet: "…the Fast16 malware was designed to carry out the most subtle form of sabotage ever seen in an in-the-wild malwar...