2981 matches found
Details of a Phone Scam
First-person account of someone who fell for a scam, that started as a fake Amazon service rep and ended with a fake CIA agent, and lost $50,000 cash. And this is not a naive or stupid person. The details are fascinating. And if you think it couldnt happen to you, think again. Given the right set...
Friday Squid Blogging: Vegan Squid-Ink Pasta
It uses black beans for color and seaweed for flavor. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Molly White Reviews Blockchain Book
Molly White--of "Web3 is Going Just Great" fame--reviews Chris Dixons blockchain solutions book: Read Write Own: In fact, throughout the entire book, Dixon fails to identify a single blockchain project that has successfully provided a non-speculative service at any kind of scale. The closest he...
Friday Squid Blogging: Squid Parts into Fertilizer
Its squid parts from college dissections, so its not a volume operation. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
GCHQ Christmas Codebreaking Challenge
Looks like fun. Details here...
Surveillance Cameras Disguised as Clothes Hooks
This seems like a bad idea. And there are ongoing lawsuits against Amazon for selling them...
Surveillance by the US Postal Service
This is not about mass surveillance of mail, this is about the sorts of targeted surveillance the US Postal Inspection Service uses to catch mail thieves: To track down an alleged mail thief, a US postal inspector used license plate reader technology, GPS data collected by a rental car company,...
Facebook Enables Messenger End-to-End Encryption by Default
Its happened. Details here, and tech details here for messages in transit and here for messages in storage Rollout to everyone will take months, but its a good day for both privacy and security. Slashdot thread...
AI and Trust
I trusted a lot today. I trusted my phone to wake me on time. I trusted Uber to arrange a taxi for me, and the driver to get me to the airport safely. I trusted thousands of other drivers on the road not to ram my car on the way. At the airport, I trusted ticket agents and maintenance engineers a...
AI Decides to Engage in Insider Trading
A stock-trading AI a simulated experiment engaged in insider trading, even though it "knew" it was wrong. The agent is put under pressure in three ways. First, it receives a email from its "manager" that the company is not doing well and needs better performance in the next quarter. Second, the...
Chocolate Swiss Army Knife
Its realistic looking. If I drop it in a bin with my keys and wallet, will the TSA confiscate it?...
Wisconsin Governor Hacks the Veto Process
In my latest book, A Hackers Mind, I wrote about hacks as loophole exploiting. This is a great example: The Wisconsin governor used his line-item veto powers--supposedly unique in their specificity--to change a one-year funding increase into a 400-year funding increase. He took this wording:...
The US Is Spying on the UN Secretary General
The Washington Post is reporting that the US is spying on the UN Secretary General. The reports on Guterres appear to contain the secretary generals personal conversations with aides regarding diplomatic encounters. They indicate that the United States relied on spying powers granted under the...
Power LED Side-Channel Attack
This is a clever new side-channel attack: The first attack uses an Internet-connected surveillance camera to take a high-speed video of the power LED on a smart card reader--or of an attached peripheral device--during cryptographic operations. This technique allowed the researchers to pull a...
Friday Squid Blogging: Squid Chromolithographs
Beautiful illustrations. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. EDITED TO ADD 6/4: Slashdot thread...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at IT-S Now 2023 in Vienna, Austria, on June 2, 2023 at 8:30 AM CEST. The list is maintained on this page...
Camera the Size of a Grain of Salt
Cameras are getting smaller and smaller, changing the scale and scope of surveillance...
Trojaned Windows Installer Targets Ukraine
Mandiant is reporting on a trojaned Windows installer that targets Ukrainian users. The installer was left on various torrent sites, presumably ensnaring people downloading pirated copies of the operating system: Mandiant uncovered a socially engineered supply chain operation focused on Ukrainian...
Russian Software Company Pretending to Be American
Computer code developed by a company called Pushwoosh is in about 8,000 Apple and Google smartphone apps. The company pretends to be American when it is actually Russian. According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian to...
Museum Security
Interesting interview: Banks dont take millions of dollars and put them in plastic bags and hang them on the wall so everybody can walk right up to them. But we do basically the same thing in museums and hang the assets right out on the wall. So its our job, then, to either use technology or...
Recovering Passwords by Measuring Residual Heat
Researchers have used thermal cameras and ML guessing techniques to recover passwords from measuring the residual heat left by fingers on keyboards. From the abstract: We detail the implementation of ThermoSecure and make a dataset of 1,500 thermal images of keyboards with heat traces resulting...
Friday Squid Blogging: Squid Filmed Changing Color for Camouflage Purposes
Video of oval squid Sepioteuthis lessoniana changing color in reaction to their background. The research paper claims this is the first time this has been documented. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog...
Upcoming Speaking Events
This is a current list of where and when I am scheduled to speak: I’m participating in an online panel discussion on “Ukraine and Russia: The Online War,” hosted by UMass Amherst, at 5:00 PM Eastern on March 31, 2022. I’m speaking at Future Summits in Antwerp, Belgium on May 18, 2022. I’m speakin...
Me on App Store Monopolies and Security
There are two bills working their way through Congress that would force companies like Apple to allow competitive app stores. Apple hates this, since it would break its monopoly, and its making a variety of security arguments to bolster its argument. I have written a rebuttal: I would like to...
Friday Squid Blogging: Cephalopods Thirty Million Years Older Than Previously Thought
New fossils from Newfoundland push the origins of cephalopods to 522 million years ago. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Are Fake COVID Testing Sites Harvesting Data?
Over the past few weeks, Ive seen a bunch of writing about what seems to be fake COVID-19 testing sites. They take your name and info, and do a nose swab, but you never get test results. Speculation centered around data harvesting, but that didnt make sense because it was far too labor intensive...
Fake QR Codes on Parking Meters
The City of Austin is warning about QR codes stuck to parking meters that take people to fraudulent payment sites...
Drones Carrying Explosives
Weve now had an unsuccessful assassination attempt by explosive-laden drones...
Using Fake Student Accounts to Shill Brands
It turns out that its surprisingly easy to create a fake Harvard student and get a harvard.edu email account. Scammers are using that prestigious domain name to shill brands: Basically, it appears that anyone with $300 to spare can - or could, depending on whether Harvard successfully shuts down...
On Cell Phone Metadata
Interesting Twitter thread on how cell phone metadata can be used to identify and track people who dont want to be identified and tracked...
How the FBI Gets Location Information
Vice has a detailed article about how the FBI gets data from cell phone providers like AT&T, T-Mobile, and Verizon, based on a leaked I think 2019 139-page presentation...
Missouri Governor Doesn’t Understand Responsible Disclosure
The Missouri governor wants to prosecute the reporter who discovered a security vulnerability in a states website, and then reported it to the state. The newspaper agreed to hold off publishing any story while the department fixed the problem and protected the private information of teachers arou...
Schneier.com is Moving
Im switching my website software from Movable Type to WordPress, and moving to a new host. The migration is expected to last from approximately 3 AM EST Monday until 4 PM EST Tuesday. The site will still be visible during that time, but comments will be disabled. This is to prevent any new commen...
Insider Attack on the Carnegie Library
Greg Priore, the person in charge of the rare book room at the Carnegie Library, stole from it for almost two decades before getting caught. Its a perennial problem: trusted insiders have to be trusted...
North Korea ATM Hack
The US Cybersecurity and Infrastructure Security Agency CISA published a long and technical alert describing a North Korea hacking scheme against ATMs in a bunch of countries worldwide: This joint advisory is the result of analytic efforts among the Cybersecurity and Infrastructure Security Agenc...
Friday Squid Blogging: How Squid Survive Freezing, Oxygen-Deprived Waters
Lots of interesting genetic details. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
I'm Leaving IBM
Today is my last day at IBM. If you've been following along, IBM bought my startup Resilient Systems in Spring 2016. Since then, I have been with IBM, holding the nicely ambiguous title of "Special Advisor." As of the end of the month, I will be back on my own. I will continue to write and speak,...
New Report on Police Digital Forensics Techniques
According to a new CSIS report, "going dark" is not the most pressing problem facing law enforcement in the age of digital data: Over the past year, we conducted a series of interviews with federal, state, and local law enforcement officials, attorneys, service providers, and civil society groups...
Third Annual Cybercrime Conference
Ross Anderson liveblogged the Third Annual Cybercrime Conference...
Friday Squid Blogging: How the Squid Lost Its Shell
Squids used to have shells. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Detecting Laptop Tampering
Micah Lee ran a two-year experiment designed to detect whether or not his laptop was ever tampered with. The results are inconclusive, but demonstrate how difficult it can be to detect laptop tampering...
Sensitive Super Bowl Security Documents Left on an Airplane
A CNN reporter found some sensitive -- but, technically, not classified -- documents about Super Bowl security in the front pocket of an airplane seat...
Security Vulnerability in Apple's HomeKit
The story of the recent vulnerability in Apple's HomeKit...
Hacking Fingerprint Readers with Master Prints
There's interesting research on using a set of "master" digital fingerprints to fool biometric readers. The work is theoretical at the moment, but they might be able to open about two-thirds of iPhones with these master prints. Definitely something to keep watching. Research paper behind a paywal...
Tracing Spam from E-mail Headers
Interesting article from Brian Krebs...
Cybersecurity and the Gap Between Skill and Ability
Last week, national security agencies from the Five Eyes--that's the rich, English-language-speaking countries club--jointly released a statement warning of the increasing cyber risks of AI models: in particular, their ability to autonomously hack into systems and networks. The statement was more...
Google Is Suing Chinese Scammers Who Are Using Gemini
Not sure this will have any effect, but I support the effort: According to Google's legal filing, Outsider Enterprise operates through Telegram. The group offers phishing-as-a-service to individuals who may not be technically savvy enough to set up fraudulent websites and text campaigns on their...
Flock Cameras Can Surveil Cars Without License Plates
This is from a 2024 company presentation: Officers can also tap into data showing a car's decals, bumper stickers, back and top racks--along with temporary and unique state tags. Flock calls it a "Vehicle Fingerprint" and it's touted as a way for law enforcement officials to get more information...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at DemocracyXChange 2026 in Toronto, Ontario, Canada, on April 18, 2026. I’m speaking at the SANS AI Cybersecurity Summit 2026 in Arlington, Virginia, USA, at 9:40 AM ET on April 20, 2026. I'm speaking at the Greater...
On Anthropic’s Mythos Preview and Project Glasswing
The cybersecurity industry is obsessing over Anthropic's new model, Claude Mythos Preview, and its effects on cybersecurity. Anthropic said that it is not releasing it to the general public because of its cyberattack capabilities, and has launched Project Glasswing to run the model against a whol...