2981 matches found
Friday Squid Blogging: Underwater Sculptures Use Squid Ink for Coloring
The Molinière Underwater Sculpture Park has pieces that are colored in part with squid ink. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the Dublin Tech Summit in Dublin, Ireland, June 15-16, 2022. The list is maintained on this page...
2017 Tesla Hack
Interesting story of a class break against the entire Tesla fleet...
Insider Attack on the Carnegie Library
Greg Priore, the person in charge of the rare book room at the Carnegie Library, stole from it for almost two decades before getting caught. Its a perennial problem: trusted insiders have to be trusted...
Friday Squid Blogging: Jurassic Fish Chokes on Squid
Here's a fossil of a 150-million year old fish that choked to death on a belemnite rostrum : the hard, internal shell of an extinct, squid-like animal. Original paper. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation...
A Taxonomy of Cognitive Security
Last week, I listened to a fascinating talk by K. Melton on cognitive security, cognitive hacking, and reality pentesting. The slides from the talk are here, but--even better--Menton has a long essay laying out the basic concepts and ideas. The whole thing is important and well worth reading, and...
Friday Squid Blogging: Bioluminescent Bacteria in Squid
The Hawaiian bobtail squid has bioluminescent bacteria...
Sen. Wyden Warns of Another Section 702 Abuse
Sen. Ron Wyden is warning us of an abuse of Section 702: Wyden took to the Senate floor to deliver a lengthy speech, ostensibly about the since approved with support of many Democrats nomination of Joshua Rudd to lead the NSA. Wyden was protesting that nomination, but in the context of Rudd being...
Possible New Result in Quantum Factorization
I'm skeptical about--and not qualified to review--this new result in factorization with a quantum computer, but if it's true it's a theoretical improvement in the speed of factoring large numbers with a quantum computer...
On Moltbook
The MIT Technology Review has a good article on Moltbook, the supposed AI-only social network: Many people have pointed out that a lot of the viral comments were in fact posted by people posing as bots. But even the bot-written posts are ultimately the result of people pulling the strings, more...
Friday Squid Blogging: Squid Fishing Tips
This is a video of advice for squid fishing in Puget Sound. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...
Ireland Proposes Giving Police New Digital Surveillance Powers
This is coming: The Irish government is planning to bolster its police's ability to intercept communications, including encrypted messages, and provide a legal basis for spyware use...
AI-Powered Surveillance in Schools
It all sounds pretty dystopian: Inside a white stucco building in Southern California, video cameras compare faces of passersby against a facial recognition database. Behavioral analysis AI reviews the footage for signs of violent behavior. Behind a bathroom door, a smoke detector-shaped device...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the David R. Cheriton School of Computer Science in Waterloo, Ontario, Canada, on January 27, 2026, at 1:30 PM ET. I’m speaking at the Université de Montréal in Montreal, Quebec, Canada, on January 29, 2026, at 4:00...
Corrupting LLMs Through Weird Generalizations
Fascinating research: Weird Generalization and Inductive Backdoors: New Ways to Corrupt LLMs. Abstract LLMs are useful because they generalize so well. But can you have too much of a good thing? We show that a small amount of finetuning in narrow contexts can dramatically shift behavior outside...
Deliberate Internet Shutdowns
For two days in September, Afghanistan had no internet. No satellite failed; no cable was cut. This was a deliberate outage, mandated by the Taliban government. It followed a more localized shutdown two weeks prior, reportedly instituted "to prevent immoral activities." No additional explanation...
Against the Federal Moratorium on State-Level Regulation of AI
Cast your mind back to May of this year: Congress was in the throes of debate over the massive budget bill. Amidst the many seismic provisions, Senator Ted Cruz dropped a ticking time bomb of tech policy: a ten-year moratorium on the ability of states to regulate artificial intelligence. To many,...
Building Trustworthy AI Agents
The promise of personal AI assistants rests on a dangerous assumption: that we can trust systems we haven’t made trustworthy. We can’t. And today’s versions are failing us in predictable ways: pushing us to do things against our own best interests, gaslighting us with doubt about things we are or...
AIs Exploiting Smart Contracts
I have long maintained that smart contracts are a dumb idea: that a human process is actually a security feature. Here's some interesting research on training AIs to automatically exploit smart contracts: AI models are increasingly good at cyber tasks, as we've written about before. But what is t...
Banning VPNs
This is crazy. Lawmakers in several US states are contemplating banning VPNs, because…think of the children! As of this writing, Wisconsin lawmakers are escalating their war on privacy by targeting VPNs in the name of "protecting children" in A.B. 105/S.B. 130. It’s an age verification bill that...
Huawei and Chinese Surveillance
This quote is from House of Huawei: The Secret History of China 's Most Powerful Company. "Long before anyone had heard of Ren Zhengfei or Huawei, Wan Runnan had been China's star entrepreneur in the 1980s, with his company, the Stone Group, touted as "China's IBM." Wan had believed that economic...
AI as Cyberattacker
From Anthropic: In mid-September 2025, we detected suspicious activity that later investigation determined to be a highly sophisticated espionage campaign. The attackers used AI’s “agentic” capabilities to an unprecedented degree--using AI not just as an advisor, but to execute the cyberattacks...
Scam USPS and E-Z Pass Texts and Websites
Google has filed a complaint in court that details the scam: In a complaint filed Wednesday, the tech giant accused "a cybercriminal group in China" of selling "phishing for dummies" kits. The kits help unsavvy fraudsters easily “execute a large-scale phishing campaign,” tricking hordes of...
New Attacks Against Secure Enclaves
Encryption can protect data at rest and data in transit, but does nothing for data in use. What we have are secure enclaves. I've written about this before: Almost all cloud services have to perform some computation on our data. Even the simplest storage provider has code to copy bytes from an...
Faking Receipts with AI
Over the past few decades, it's become easier and easier to create fake receipts. Decades ago, it required special paper and printers--I remember a company in the UK advertising its services to people trying to cover up their affairs. Then, receipts became computerized, and faking them required...
Scientists Need a Positive Vision for AI
For many in the research community, it's gotten harder to be optimistic about the impacts of artificial intelligence. As authoritarianism is rising around the world, AI-generated "slop" is overwhelming legitimate media, while AI-generated deepfakes are spreading misinformation and parroting...
Cybercriminals Targeting Payroll Sites
Microsoft is warning of a scam involving online payroll systems. Criminals use social engineering to steal people's credentials, and then divert direct deposits into accounts that they control. Sometimes they do other things to make it harder for the victim to realize what is happening. I feel li...
Friday Squid Blogging: Giant Squid at the Smithsonian
I can't believe that I haven't yet posted this picture of a giant squid at the Smithsonian. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...
Signal’s Post-Quantum Cryptographic Implementation
Signal has just rolled out its quantum-safe cryptographic implementation. Ars Technica has a really good article with details: Ultimately, the architects settled on a creative solution. Rather than bolt KEM onto the existing double ratchet, they allowed it to remain more or less the same as it ha...
Friday Squid Blogging: “El Pulpo The Squid”
There is a new cigar named "El Pulpo The Squid." Yes, that means "The Octopus The Squid." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...
Cryptocurrency ATMs
CNN has a great piece about how cryptocurrency ATMs are used to scam people out of their money. The fees are usurious, and they're a common place for scammers to send victims to buy cryptocurrency for them. The companies behind the ATMs, at best, do not care about the harm they cause; the profits...
Digital Threat Modeling Under Authoritarianism
Today's world requires us to make complex and nuanced decisions about our digital security. Evaluating when to use a secure messaging app like Signal or WhatsApp, which passwords to store on your smartphone, or what to share on social media requires us to assess risks and make judgments...
Apple’s New Memory Integrity Enforcement
Apple has introduced a new hardware/software security feature in the iPhone 17: "Memory Integrity Enforcement," targeting the memory safety vulnerabilities that spyware products like Pegasus tend to use to get unauthorized system access. From Wired: In recent years, a movement has been steadily...
Baggage Tag Scam
I just heard about this: There's a travel scam warning going around the internet right now: You should keep your baggage tags on your bags until you get home, then shred them, because scammers are using luggage tags to file fraudulent claims for missing baggage with the airline. First, the scam i...
Encryption Backdoor in Military/Police Radios
I wrote about this in 2023. Here's the story: Three Dutch security analysts discovered the vulnerabilities--five in total--in a European radio standard called TETRA Terrestrial Trunked Radio, which is used in radios made by Motorola, Damm, Hytera, and others. The standard has been used in radio...
I’m Spending the Year at the Munk School
This academic year, I am taking a sabbatical from the Kennedy School and Harvard University. It's not a real sabbatical--I'm just an adjunct--but it's the same idea. I will be spending the Fall 2025 and Spring 2026 semesters at the Munk School at the University of Toronto. I will be organizing a...
LLM Coding Integrity Breach
Here's an interesting story about a failure being introduced by LLM-written code. Specifically, the LLM was doing some code refactoring, and when it moved a chunk of code from one file to another it changed a "break" to a "continue." That turned an error logging statement into an infinite loop,...
Spying on People Through Airportr Luggage Delivery Service
Airportr is a service that allows passengers to have their luggage picked up, checked, and delivered to their destinations. As you might expect, it's used by wealthy or important people. So if the company's website is insecure, you'd be able to spy on lots of wealthy or important people. And mayb...
Cheating on Quantum Computing Benchmarks
Peter Gutmann and Stephan Neuhaus have a new paper--I think it's new, even though it has a March 2025 date--that makes the argument that we shouldn't trust any of the quantum factorization benchmarks, because everyone has been cooking the books: Similarly, quantum factorisation is performed using...
Subliminal Learning in AIs
Today's freaky LLM behavior: We study subliminal learning, a surprising phenomenon where language models learn traits from model-generated data that is semantically unrelated to those traits. For example, a "student" model learns to prefer owls when trained on sequences of numbers generated by a...
Squid Dominated the Oceans in the Late Cretaceous
New research: One reason the early years of squids has been such a mystery is because squids' lack of hard shells made their fossils hard to come by. Undeterred, the team instead focused on finding ancient squid beaks--hard mouthparts with high fossilization potential that could help the team...
Yet Another Strava Privacy Leak
This time it's the Swedish prime minister's bodyguards. Last year, it was the US Secret Service and Emmanuel Macron's bodyguards. in 2018, it was secret US military bases. This is ridiculous. Why do people continue to make their data public?...
Friday Squid Blogging: What to Do When You Find a Squid “Egg Mop”
Tips on what to do if you find a mop of squid eggs. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...
Self-Driving Car Video Footage
Two articles crossed my path recently. First, a discussion of all the video Waymo has from outside its cars: in this case related to the LA protests. Second, a discussion of all the video Tesla has from inside its cars. Lots of things are collecting lots of video of lots of other things. How and...
Ghostwriting Scam
The variations seem to be endless. Here's a fake ghostwriting scam that seems to be making boatloads of money. This is a big story about scams being run from Texas and Pakistan estimated to run into tens if not hundreds of millions of dollars, viciously defrauding Americans with false hopes of...
Report on the Malicious Uses of AI
OpenAI just published its annual report on malicious uses of AI. By using AI as a force multiplier for our expert investigative teams, in the three months since our last report we’ve been able to detect, disrupt and expose abusive activity including social engineering, cyber espionage, deceptive...
Privacy for Agentic AI
Sooner or later, it's going to happen. AI systems will start acting as agents, doing things on our behalf with some degree of autonomy. I think it's worth thinking about the security of that now, while its still a nascent idea. In 2019, I joined Inrupt, a company that is commercializing Tim...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the Rossfest Symposium in Cambridge, UK, on March 25, 2025. I'm speaking at the University of Toronto's Rotman School of Management in Toronto, Canada, on April 3, 2025. The list is maintained on this page...
Rayhunter: Device to Detect Cellular Surveillance
The EFF has created an open-source hardware tool to detect IMSI catchers: fake cell phone towers that are used for mass surveillance of an area. It runs on a $20 mobile hotspot...
UK Demanded Apple Add a Backdoor to iCloud
Last month, the UK government demanded that Apple weaken the security of iCloud for users worldwide. On Friday, Apple took steps to comply for users in the United Kingdom. But the British law is written in a way that requires Apple to give its government access to anyone, anywhere in the world. I...