2981 matches found
Friday Squid Blogging: Squid Inks Philippines Fisherman
Good video. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...
Friday Squid Blogging: Squid Overfishing in the Southwest Atlantic
Article. Report...
Abusing Notion’s AI Agent for Data Theft
Notion just released version 3.0, complete with AI agents. Because the system contains Simon Willson's lethal trifecta, it's vulnerable to data theft though prompt injection. First, the trifecta: The lethal trifecta of capabilities is: Access to your private data --one of the most common purposes...
US Disrupts Massive Cell Phone Array in New York
This is a weird story: The US Secret Service disrupted a network of telecommunications devices that could have shut down cellular systems as leaders gather for the United Nations General Assembly in New York City. The agency said on Tuesday that last month it found more than 300 SIM servers and...
Details About Chinese Surveillance and Propaganda Companies
Details from leaked documents: While people often look at China’s Great Firewall as a single, all-powerful government system unique to China, the actual process of developing and maintaining it works the same way as surveillance technology in the West. Geedge collaborates with academic institutio...
Time-of-Check Time-of-Use Attacks Against LLMs
This is a nice piece of research: "Mind the Gap: Time-of-Check to Time-of-Use Vulnerabilities in LLM-Enabled Agents".: Abstract: Large Language Model LLM-enabled agents are rapidly emerging across a wide range of applications, but their deployment introduces vulnerabilities with security...
Hacking Electronic Safes
Vulnerabilities in electronic safes that use Securam Prologic locks: While both their techniques represent glaring security vulnerabilities, Omo says it's the one that exploits a feature intended as a legitimate unlock method for locksmiths that's the more widespread and dangerous. "This attack i...
A Cyberattack Victim Notification Framework
Interesting analysis: When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge across industry. When making notifications, companies often do not know the true...
Signed Copies of Rewiring Democracy
When I announced my latest book last week, I forgot to mention that you can pre-order a signed copy here. I will ship the books the week of 10/20, when it is published...
Friday Squid Blogging: The Origin and Propagation of Squid
New research paywalled: Editor 's summary: Cephalopods are one of the most successful marine invertebrates in modern oceans, and they have a 500-million-year-old history. However, we know very little about their evolution because soft-bodied animals rarely fossilize. Ikegami et al. developed an...
Google Project Zero Changes Its Disclosure Policy
Google's vulnerability finding team is again pushing the envelope of responsible disclosure: Google's Project Zero team will retain its existing 90+30 policy regarding vulnerability disclosures, in which it provides vendors with 90 days before full disclosure takes place, with a 30-day period...
Ubuntu Disables Spectre/Meltdown Protections
A whole class of speculative execution attacks against CPUs were published in 2018. They seemed pretty catastrophic at the time. But the fixes were as well. Speculative execution was a way to speed up CPUs, and removing those enhancements resulted in significant performance drops. Now, people are...
Why Take9 Won’t Improve Cybersecurity
There's a new cybersecurity awareness campaign: Take9. The idea is that people--you, me, everyone--should just pause for nine seconds and think more about the link they are planning to click on, the file they are planning to download, or whatever it is they are planning to share. There's a...
Friday Squid Blogging: NGC 1068 Is the “Squid Galaxy”
I hadn't known that the NGC 1068 galaxy is nicknamed the "Squid Galaxy." It is, and it's spewing neutrinos without the usual accompanying gamma rays. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered...
Friday Squid Blogging: Pyjama Squid
The small pyjama squid Sepioloidea lineolata produces toxic slime, "a rare example of a poisonous predatory mollusc." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered...
US as a Surveillance State
Two essays were just published on DOGE's data collection and aggregation, and how it ends with a modern surveillance state. It's good to see this finally being talked about. EDITED TO ADD 5/3: Here's a free link to that first essay...
Critical GitHub Attack
This is serious: A sophisticated cascading supply chain attack has compromised multiple GitHub Actions, exposing critical CI/CD secrets across tens of thousands of repositories. The attack, which originally targeted the widely used “tj-actions/changed-files” utility, is now believed to have...
Is Security Human Factors Research Skewed Towards Western Ideas and Habits?
Really interesting research: "How WEIRD is Usable Privacy and Security Research?" by Ayako A. Hasegawa Daisuke Inoue, and Mitsuaki Akiyama: Abstract : In human factor fields such as human-computer interaction HCI and psychology, researchers have been concerned that participants mostly come from...
Silk Typhoon Hackers Indicted
Lots of interesting details in the story: The US Department of Justice on Wednesday announced the indictment of 12 Chinese individuals accused of more than a decade of hacker intrusions around the world, including eight staffers for the contractor i-Soon, two officials at China's Ministry of Publ...
Friday Squid Blogging: New Squid Fossil
A 450-million-year-old squid fossil was dug up in upstate New York. Blog moderation policy...
Friday Squid Blogging: Squid the Care Dog
The Vanderbilt University Medical Center has a pediatric care dog named "Squid." Blog moderation policy...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at Boskone 62 in Boston, Massachusetts, USA, which runs from February 14-16, 2025. My talk is at 4:00 PM ET on the 15th. I’m speaking at the Rossfest Symposium in Cambridge, UK, on March 25, 2025. The list is maintaine...
Fake Reddit and WeTransfer Sites are Pushing Malware
There are thousands of fake Reddit and WeTransfer webpages that are pushing malware. They exploit people who are using search engines to search sites like Reddit. Unsuspecting victims clicking on the link are taken to a fake WeTransfer site that mimicks the interface of the popular file-sharing...
Third Interdisciplinary Workshop on Reimagining Democracy (IWORD 2024)
Last month, Henry Farrell and I convened the Third Interdisciplinary Workshop on Reimagining Democracy IWORD 2024 at Johns Hopkins University's Bloomberg Center in Washington DC. This is a small, invitational workshop on the future of democracy. As with the previous two workshops, the goal was to...
Social Engineering to Disable iMessage Protections
I am always interested in new phishing tricks, and watching them spread across the ecosystem. A few days ago I started getting phishing SMS messages with a new twist. They were standard messages about delayed packages or somesuch, with the goal of getting me to click on a link and entering some...
US Treasury Department Sanctions Chinese Company Over Cyberattacks
From the Washington Post: The sanctions target Beijing Integrity Technology Group, which U.S. officials say employed workers responsible for the Flax Typhoon attacks which compromised devices including routers and internet-enabled cameras to infiltrate government and industrial targets in the...
Friday Squid Blogging: Squid on Pizza
Pizza Hut in Taiwan has a history of weird pizzas, including a "2022 scalloped pizza with Oreos around the edge, and deep-fried chicken and calamari studded throughout the middle." Blog moderation policy...
Short-Lived Certificates Coming to Let’s Encrypt
Starting next year: Our longstanding offering won't fundamentally change next year, but we are going to introduce a new offering that's a big shift from anything we've done before--short-lived certificates. Specifically, certificates with a lifetime of six days. This is a big upgrade for the...
Friday Squid Blogging: Squid-Inspired Needle Technology
Interesting research: Using jet propulsion inspired by squid, researchers demonstrate a microjet system that delivers medications directly into tissues, matching the effectiveness of traditional needles. Blog moderation policy...
NSO Group Spies on People on Behalf of Governments
The Israeli company NSO Group sells Pegasus spyware to countries around the world including countries like Saudi Arabia, UAE, India, Mexico, Morocco and Rwanda. We assumed that those countries use the spyware themselves. Now we've learned that that's not true: that NSO Group employees operate the...
The Scale of Geoblocking by Nation
Interesting analysis: We introduce and explore a little-known threat to digital equality and freedomwebsites geoblocking users in response to political risks from sanctions. U.S. policy prioritizes internet freedom and access to information in repressive regimes. Clarifying distinctions between...
Mapping License Plate Scanners in the US
DeFlock is a crowd-sourced project to map license plate scanners. It only records the fixed scanners, of course. The mobile scanners on cars are not mapped...
IoT Devices in Password-Spraying Botnet
Microsoft is warning Azure cloud users that a Chinese controlled botnet is engaging in "highly evasive" password spraying. Not sure about the "highly evasive" part; the techniques seem basically what you get in a distributed password-guessing attack: "Any threat actor using the CovertNetwork-1658...
Tracking World Leaders Using Strava
Way back in 2018, people noticed that you could find secret military bases using data published by the Strava fitness app. Soldiers and other military personal were using them to track their runs, and you could look at the public data and find places where there should be no people running. Six...
Indian Fishermen Are Catching Less Squid
Fishermen in Tamil Nadu are reporting smaller catches of squid. Blog moderation policy...
Evaluating the Effectiveness of Reward Modeling of Generative AI Systems
New research evaluating the effectiveness of reward modeling during Reinforcement Learning from Human Feedback RLHF: "SEAL: Systematic Error Analysis for Value ALignment." The paper introduces quantitative metrics for evaluating the effectiveness of modeling and aligning human values: Abstract:...
Friday Squid Blogging: Self-Healing Materials from Squid Teeth
Making self-healing materials based on the teeth in squid suckers. Blog moderation policy...
Criminal Gang Physically Assaulting People for Their Cryptocurrency
This is pretty horrific: …a group of men behind a violent crime spree designed to compel victims to hand over access to their cryptocurrency savings. That announcement and the criminal complaint laying out charges against St. Felix focused largely on a single theft of cryptocurrency from an elder...
Apple Is Alerting iPhone Users of Spyware Attacks
Not a lot of details: Apple has issued a new round of threat notifications to iPhone users across 98 countries, warning them of potential mercenary spyware attacks. Its the second such alert campaign from the company this year, following a similar notification sent to users in 92 nations in April...
Friday Squid Blogging: Underwater Sculptures Use Squid Ink for Coloring
The Molinière Underwater Sculpture Park has pieces that are colored in part with squid ink. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the Dublin Tech Summit in Dublin, Ireland, June 15-16, 2022. The list is maintained on this page...
2017 Tesla Hack
Interesting story of a class break against the entire Tesla fleet...
Insider Attack on the Carnegie Library
Greg Priore, the person in charge of the rare book room at the Carnegie Library, stole from it for almost two decades before getting caught. Its a perennial problem: trusted insiders have to be trusted...
Friday Squid Blogging: Jurassic Fish Chokes on Squid
Here's a fossil of a 150-million year old fish that choked to death on a belemnite rostrum : the hard, internal shell of an extinct, squid-like animal. Original paper. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation...
A Taxonomy of Cognitive Security
Last week, I listened to a fascinating talk by K. Melton on cognitive security, cognitive hacking, and reality pentesting. The slides from the talk are here, but--even better--Menton has a long essay laying out the basic concepts and ideas. The whole thing is important and well worth reading, and...
Friday Squid Blogging: Bioluminescent Bacteria in Squid
The Hawaiian bobtail squid has bioluminescent bacteria...
Sen. Wyden Warns of Another Section 702 Abuse
Sen. Ron Wyden is warning us of an abuse of Section 702: Wyden took to the Senate floor to deliver a lengthy speech, ostensibly about the since approved with support of many Democrats nomination of Joshua Rudd to lead the NSA. Wyden was protesting that nomination, but in the context of Rudd being...
Friday Squid Blogging: Jumbo Flying Squid in the South Pacific
The population needs better conservation. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...
New Attack Against Wi-Fi
It's called AirSnitch: Unlike previous Wi-Fi attacks, AirSnitch exploits core features in Layers 1 and 2 and the failure to bind and synchronize a client across these and higher layers, other nodes, and other network names such as SSIDs Service Set Identifiers. This cross-layer identity...
On Moltbook
The MIT Technology Review has a good article on Moltbook, the supposed AI-only social network: Many people have pointed out that a lot of the viral comments were in fact posted by people posing as bots. But even the bot-written posts are ultimately the result of people pulling the strings, more...