2981 matches found
Social Engineering to Disable iMessage Protections
I am always interested in new phishing tricks, and watching them spread across the ecosystem. A few days ago I started getting phishing SMS messages with a new twist. They were standard messages about delayed packages or somesuch, with the goal of getting me to click on a link and entering some...
Friday Squid Blogging: Squid on Pizza
Pizza Hut in Taiwan has a history of weird pizzas, including a "2022 scalloped pizza with Oreos around the edge, and deep-fried chicken and calamari studded throughout the middle." Blog moderation policy...
Friday Squid Blogging: Squid-Inspired Needle Technology
Interesting research: Using jet propulsion inspired by squid, researchers demonstrate a microjet system that delivers medications directly into tissues, matching the effectiveness of traditional needles. Blog moderation policy...
NSO Group Spies on People on Behalf of Governments
The Israeli company NSO Group sells Pegasus spyware to countries around the world including countries like Saudi Arabia, UAE, India, Mexico, Morocco and Rwanda. We assumed that those countries use the spyware themselves. Now we've learned that that's not true: that NSO Group employees operate the...
The Scale of Geoblocking by Nation
Interesting analysis: We introduce and explore a little-known threat to digital equality and freedomwebsites geoblocking users in response to political risks from sanctions. U.S. policy prioritizes internet freedom and access to information in repressive regimes. Clarifying distinctions between...
Mapping License Plate Scanners in the US
DeFlock is a crowd-sourced project to map license plate scanners. It only records the fixed scanners, of course. The mobile scanners on cars are not mapped...
Friday Squid Blogging: Squid-A-Rama in Des Moines
Squid-A-Rama will be in Des Moines at the end of the month. Visitors will be able to dissect squid, explore fascinating facts about the species, and witness a live squid release conducted by local divers. How are they doing a live squid release? Simple: this is Des Moines, Washington; not Des...
IoT Devices in Password-Spraying Botnet
Microsoft is warning Azure cloud users that a Chinese controlled botnet is engaging in "highly evasive" password spraying. Not sure about the "highly evasive" part; the techniques seem basically what you get in a distributed password-guessing attack: "Any threat actor using the CovertNetwork-1658...
Indian Fishermen Are Catching Less Squid
Fishermen in Tamil Nadu are reporting smaller catches of squid. Blog moderation policy...
Evaluating the Effectiveness of Reward Modeling of Generative AI Systems
New research evaluating the effectiveness of reward modeling during Reinforcement Learning from Human Feedback RLHF: "SEAL: Systematic Error Analysis for Value ALignment." The paper introduces quantitative metrics for evaluating the effectiveness of modeling and aligning human values: Abstract:...
Friday Squid Blogging: Self-Healing Materials from Squid Teeth
Making self-healing materials based on the teeth in squid suckers. Blog moderation policy...
Criminal Gang Physically Assaulting People for Their Cryptocurrency
This is pretty horrific: …a group of men behind a violent crime spree designed to compel victims to hand over access to their cryptocurrency savings. That announcement and the criminal complaint laying out charges against St. Felix focused largely on a single theft of cryptocurrency from an elder...
Apple Is Alerting iPhone Users of Spyware Attacks
Not a lot of details: Apple has issued a new round of threat notifications to iPhone users across 98 countries, warning them of potential mercenary spyware attacks. Its the second such alert campaign from the company this year, following a similar notification sent to users in 92 nations in April...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the Dublin Tech Summit in Dublin, Ireland, June 15-16, 2022. The list is maintained on this page...
2017 Tesla Hack
Interesting story of a class break against the entire Tesla fleet...
Insider Attack on the Carnegie Library
Greg Priore, the person in charge of the rare book room at the Carnegie Library, stole from it for almost two decades before getting caught. Its a perennial problem: trusted insiders have to be trusted...
Seny Kamara on "Crypto for the People"
Seny Kamara gave an excellent keynote talk this year at the online CRYPTO Conference. He talked about solving real-world crypto problems for marginalized communities around the world, instead of crypto problems for governments and corporations. Well worth watching and listening to...
Friday Squid Blogging: Jurassic Fish Chokes on Squid
Here's a fossil of a 150-million year old fish that choked to death on a belemnite rostrum : the hard, internal shell of an extinct, squid-like animal. Original paper. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation...
A Taxonomy of Cognitive Security
Last week, I listened to a fascinating talk by K. Melton on cognitive security, cognitive hacking, and reality pentesting. The slides from the talk are here, but--even better--Menton has a long essay laying out the basic concepts and ideas. The whole thing is important and well worth reading, and...
Friday Squid Blogging: Bioluminescent Bacteria in Squid
The Hawaiian bobtail squid has bioluminescent bacteria...
Possible New Result in Quantum Factorization
I'm skeptical about--and not qualified to review--this new result in factorization with a quantum computer, but if it's true it's a theoretical improvement in the speed of factoring large numbers with a quantum computer...
Friday Squid Blogging: Squid Fishing Tips
This is a video of advice for squid fishing in Puget Sound. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...
Ireland Proposes Giving Police New Digital Surveillance Powers
This is coming: The Irish government is planning to bolster its police's ability to intercept communications, including encrypted messages, and provide a legal basis for spyware use...
AI-Powered Surveillance in Schools
It all sounds pretty dystopian: Inside a white stucco building in Southern California, video cameras compare faces of passersby against a facial recognition database. Behavioral analysis AI reviews the footage for signs of violent behavior. Behind a bathroom door, a smoke detector-shaped device...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the David R. Cheriton School of Computer Science in Waterloo, Ontario, Canada, on January 27, 2026, at 1:30 PM ET. I’m speaking at the Université de Montréal in Montreal, Quebec, Canada, on January 29, 2026, at 4:00...
Corrupting LLMs Through Weird Generalizations
Fascinating research: Weird Generalization and Inductive Backdoors: New Ways to Corrupt LLMs. Abstract LLMs are useful because they generalize so well. But can you have too much of a good thing? We show that a small amount of finetuning in narrow contexts can dramatically shift behavior outside...
Deliberate Internet Shutdowns
For two days in September, Afghanistan had no internet. No satellite failed; no cable was cut. This was a deliberate outage, mandated by the Taliban government. It followed a more localized shutdown two weeks prior, reportedly instituted "to prevent immoral activities." No additional explanation...
Against the Federal Moratorium on State-Level Regulation of AI
Cast your mind back to May of this year: Congress was in the throes of debate over the massive budget bill. Amidst the many seismic provisions, Senator Ted Cruz dropped a ticking time bomb of tech policy: a ten-year moratorium on the ability of states to regulate artificial intelligence. To many,...
Building Trustworthy AI Agents
The promise of personal AI assistants rests on a dangerous assumption: that we can trust systems we haven’t made trustworthy. We can’t. And today’s versions are failing us in predictable ways: pushing us to do things against our own best interests, gaslighting us with doubt about things we are or...
AIs Exploiting Smart Contracts
I have long maintained that smart contracts are a dumb idea: that a human process is actually a security feature. Here's some interesting research on training AIs to automatically exploit smart contracts: AI models are increasingly good at cyber tasks, as we've written about before. But what is t...
Banning VPNs
This is crazy. Lawmakers in several US states are contemplating banning VPNs, because…think of the children! As of this writing, Wisconsin lawmakers are escalating their war on privacy by targeting VPNs in the name of "protecting children" in A.B. 105/S.B. 130. It’s an age verification bill that...
Huawei and Chinese Surveillance
This quote is from House of Huawei: The Secret History of China 's Most Powerful Company. "Long before anyone had heard of Ren Zhengfei or Huawei, Wan Runnan had been China's star entrepreneur in the 1980s, with his company, the Stone Group, touted as "China's IBM." Wan had believed that economic...
On Hacking Back
Former DoJ attorney John Carlin writes about hackback, which he defines thus: "A hack back is a type of cyber response that incorporates a counterattack designed to proactively engage with, disable, or collect evidence about an attacker. Although hack backs can take on various forms, they are--b...
Faking Receipts with AI
Over the past few decades, it's become easier and easier to create fake receipts. Decades ago, it required special paper and printers--I remember a company in the UK advertising its services to people trying to cover up their affairs. Then, receipts became computerized, and faking them required...
Scientists Need a Positive Vision for AI
For many in the research community, it's gotten harder to be optimistic about the impacts of artificial intelligence. As authoritarianism is rising around the world, AI-generated "slop" is overwhelming legitimate media, while AI-generated deepfakes are spreading misinformation and parroting...
Cybercriminals Targeting Payroll Sites
Microsoft is warning of a scam involving online payroll systems. Criminals use social engineering to steal people's credentials, and then divert direct deposits into accounts that they control. Sometimes they do other things to make it harder for the victim to realize what is happening. I feel li...
Friday Squid Blogging: Giant Squid at the Smithsonian
I can't believe that I haven't yet posted this picture of a giant squid at the Smithsonian. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...
Signal’s Post-Quantum Cryptographic Implementation
Signal has just rolled out its quantum-safe cryptographic implementation. Ars Technica has a really good article with details: Ultimately, the architects settled on a creative solution. Rather than bolt KEM onto the existing double ratchet, they allowed it to remain more or less the same as it ha...
Friday Squid Blogging: “El Pulpo The Squid”
There is a new cigar named "El Pulpo The Squid." Yes, that means "The Octopus The Squid." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...
Cryptocurrency ATMs
CNN has a great piece about how cryptocurrency ATMs are used to scam people out of their money. The fees are usurious, and they're a common place for scammers to send victims to buy cryptocurrency for them. The companies behind the ATMs, at best, do not care about the harm they cause; the profits...
Apple’s New Memory Integrity Enforcement
Apple has introduced a new hardware/software security feature in the iPhone 17: "Memory Integrity Enforcement," targeting the memory safety vulnerabilities that spyware products like Pegasus tend to use to get unauthorized system access. From Wired: In recent years, a movement has been steadily...
Lawsuit About WhatsApp Security
Attaullah Baig, WhatsApp's former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission. The lawsuit, alleging violations of the whistleblower...
Friday Squid Blogging: Catching Humboldt Squid
First-person account of someone accidentally catching several Humboldt squid on a fishing line. No photos, though. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...
Encryption Backdoor in Military/Police Radios
I wrote about this in 2023. Here's the story: Three Dutch security analysts discovered the vulnerabilities--five in total--in a European radio standard called TETRA Terrestrial Trunked Radio, which is used in radios made by Motorola, Damm, Hytera, and others. The standard has been used in radio...
Poor Password Choices
Look at this: McDonald's chose the password "123456" for a major corporate system...
Friday Squid Blogging: Bobtail Squid
Nice short article on the bobtail squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...
The “Incriminating Video” Scam
A few years ago, scammers invented a new phishing email. They would claim to have hacked your computer, turned your webcam on, and videoed you watching porn or having sex. BuzzFeed has an article talking about a "shockingly realistic" variant, which includes photos of you and your house--more...
Spying on People Through Airportr Luggage Delivery Service
Airportr is a service that allows passengers to have their luggage picked up, checked, and delivered to their destinations. As you might expect, it's used by wealthy or important people. So if the company's website is insecure, you'd be able to spy on lots of wealthy or important people. And mayb...
Aeroflot Hacked
Looks serious...
Subliminal Learning in AIs
Today's freaky LLM behavior: We study subliminal learning, a surprising phenomenon where language models learn traits from model-generated data that is semantically unrelated to those traits. For example, a "student" model learns to prefer owls when trained on sequences of numbers generated by a...