
2959 matches found

Schneier on Security
added 2025/01/14 12:0 p.m., 8 views

The First Password on the Internet

It was created in 1973 by Peter Kirstein: So from the beginning I put password protection on my gateway. This had been done in such a way that even if UK users telephoned directly into the communications computer provided by Darpa in UCL, they would require a password. In fact this was the first...

7.5 AI score
Exploits: 0
Schneier on Security
added 2025/01/13 12:1 p.m., 6 views

Microsoft Takes Legal Action Against AI “Hacking as a Service” Scheme

Not sure this will matter in the end, but it's a positive move: Microsoft is accusing three individuals of running a "hacking-as-a-service" scheme that was designed to allow the creation of harmful and illicit content using the company's platform for AI-generated content. The foreign-based...

7.5 AI score
Exploits: 0
Schneier on Security
added 2025/01/10 10:6 p.m., 9 views

Friday Squid Blogging: Cotton-and-Squid-Bone Sponge

News: A sponge made of cotton and squid bone that has absorbed about 99.9% of microplastics in water samples in China could provide an elusive answer to ubiquitous microplastic pollution in water across the globe, a new report suggests. … The study tested the material in an irrigation ditch, a...

7.1 AI score
Exploits: 0
Schneier on Security
added 2025/01/10 4:27 p.m., 10 views

Apps That Are Spying on Your Location

404 Media and Wired are reporting on all the apps that are spying on your location, based on a hack of the location data company Gravy Analytics: The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like Candy Crush to dating ap...

7.3 AI score
Exploits: 0
Schneier on Security
added 2025/01/09 5:16 p.m., 11 views

Zero-Day Vulnerability in Ivanti VPN

It's being actively exploited...

7.3 AI score
Exploits: 0
Schneier on Security
added 2025/01/07 12:0 p.m., 6 views

US Treasury Department Sanctions Chinese Company Over Cyberattacks

From the Washington Post: The sanctions target Beijing Integrity Technology Group, which U.S. officials say employed workers responsible for the Flax Typhoon attacks which compromised devices including routers and internet-enabled cameras to infiltrate government and industrial targets in the...

7.5 AI score
Exploits: 0
Schneier on Security
added 2025/01/06 12:6 p.m., 10 views

Privacy of Photos.app’s Enhanced Visual Search

Initial speculation about a new Apple feature...

6.9 AI score
Exploits: 0
Schneier on Security
added 2025/01/03 10:4 p.m., 7 views

Friday Squid Blogging: Anniversary Post

I made my first squid post nineteen years ago this week. Between then and now, I posted something about squid every week with maybe only a few exceptions. There is a lot out there about squid, even more if you count the other meanings of the word. Blog moderation policy...

7.3 AI score
Exploits: 0
Schneier on Security
added 2025/01/03 2:46 p.m., 7 views

ShredOS

ShredOS is a stripped-down operating system designed to destroy data. GitHub page here...

7.3 AI score
Exploits: 0
Schneier on Security
added 2025/01/02 8:22 p.m., 6 views

Google Is Allowing Device Fingerprinting

Lukasz Olejnik writes about device fingerprinting, and why Google's policy change to allow it in 2025 is a major privacy setback. EDITED TO ADD 1/12: Slashdot thread...

7.2 AI score
Exploits: 0
Schneier on Security
added 2024/12/31 12:2 p.m., 7 views

Gift Card Fraud

It's becoming an organized crime tactic: Card draining is when criminals remove gift cards from a store display, open them in a separate location, and either record the card numbers and PINs or replace them with a new barcode. The crooks then repair the packaging, return to a store and place the...

7.2 AI score
Exploits: 0
Schneier on Security
added 2024/12/30 12:5 p.m., 7 views

Salt Typhoon’s Reach Continues to Grow

The US government has identified a ninth telecom that was successfully hacked by Salt Typhoon...

7.3 AI score
Exploits: 0
Schneier on Security
added 2024/12/27 12:3 p.m., 11 views

Casino Players Using Hidden Cameras for Cheating

The basic strategy is to place a device with a hidden camera in a position to capture normally hidden card values, which are interpreted by an accomplice off-site and fed back to the player via a hidden microphone. Miniaturization is making these devices harder to detect. Presumably AI will soon...

7.3 AI score
Exploits: 0
Schneier on Security
added 2024/12/27 10:6 a.m., 6 views

Friday Squid Blogging: Squid on Pizza

Pizza Hut in Taiwan has a history of weird pizzas, including a "2022 scalloped pizza with Oreos around the edge, and deep-fried chicken and calamari studded throughout the middle." Blog moderation policy...

7.3 AI score
Exploits: 0
Schneier on Security
added 2024/12/26 4:9 p.m., 9 views

Scams Based on Fake Google Emails

Scammers are hacking Google Forms to send email to victims that come from google.com. Brian Krebs reports on the effects. Boing Boing post...

7.2 AI score
Exploits: 0
Schneier on Security
added 2024/12/24 12:4 p.m., 9 views

Spyware Maker NSO Group Found Liable for Hacking WhatsApp

A judge has found that NSO Group, maker of the Pegasus spyware, has violated the US Computer Fraud and Abuse Act by hacking WhatsApp in order to spy on people using it. Jon Penney and I wrote a legal paper on the case...

7.2 AI score
Exploits: 0
Schneier on Security
added 2024/12/23 5:4 p.m., 7 views

Criminal Complaint against LockBit Ransomware Writer

The Justice Department has published the criminal complaint against Dmitry Khoroshev, for building and maintaining the LockBit ransomware...

7.4 AI score
Exploits: 0
Schneier on Security
added 2024/12/20 10:0 p.m., 7 views

Friday Squid Blogging: Squid Sticker

A sticker for your water bottle. Blog moderation policy...

7.3 AI score
Exploits: 0
Schneier on Security
added 2024/12/19 3:24 p.m., 12 views

Mailbox Insecurity

It turns out that all cluster mailboxes in the Denver area have the same master key. So if someone robs a postal carrier, they can open any mailbox. I get that a single master key makes the whole system easier, but it's very fragile security...

7.2 AI score
Exploits: 0
Schneier on Security
added 2024/12/18 4:40 p.m., 6 views

New Advances in the Understanding of Prime Numbers

Really interesting research into the structure of prime numbers. Not immediately related to the cryptanalysis of prime-number-based public-key algorithms, but every little bit matters...

7.3 AI score
Exploits: 0
Schneier on Security
added 2024/12/17 5:4 p.m., 11 views

Hacking Digital License Plates

Not everything needs to be digital and "smart." License plates, for example: Josep Rodriguez, a researcher at security firm IOActive, has revealed a technique to “jailbreak” digital license plates sold by Reviver, the leading vendor of those plates in the US with 65,000 plates already sold. By...

7.6 AI score
Exploits: 0
Schneier on Security
added 2024/12/16 12:6 p.m., 6 views

Short-Lived Certificates Coming to Let’s Encrypt

Starting next year: Our longstanding offering won't fundamentally change next year, but we are going to introduce a new offering that's a big shift from anything we've done before--short-lived certificates. Specifically, certificates with a lifetime of six days. This is a big upgrade for the...

7.2 AI score
Exploits: 0
Schneier on Security
added 2024/12/14 5:1 p.m., 8 views

Upcoming Speaking Events

This is a current list of where and when I am scheduled to speak: I'm speaking at a joint meeting of the Boston Chapter of the IEEE Computer Society and GBC/ACM, in Boston, Massachusetts, USA, at 7:00 PM ET on Thursday, January 9, 2025. The event will take place at the Massachusetts Institute of...

7.2 AI score
Exploits: 0
Schneier on Security
added 2024/12/13 10:5 p.m., 8 views

Friday Squid Blogging: Biology and Ecology of the Colossal Squid

Good survey paper. Blog moderation policy...

7.3 AI score
Exploits: 0
Schneier on Security
added 2024/12/13 4:33 p.m., 11 views

Ultralytics Supply-Chain Attack

Last week, we saw a supply-chain attack against the Ultralytics AI library on GitHub. A quick summary: On December 4, a malicious version 8.3.41 of the popular AI library ultralytics--which has almost 60 million downloads--was published to the Python Package Index PyPI package repository. The...

7.4 AI score
Exploits: 0
Schneier on Security
added 2024/12/11 12:2 p.m., 11 views

Jailbreaking LLM-Controlled Robots

Surprising no one, it's easy to trick an LLM-controlled robot into ignoring its safety instructions...

7.5 AI score
Exploits: 0
Schneier on Security
added 2024/12/10 12:6 p.m., 18 views

Full-Face Masks to Frustrate Identification

This is going to be interesting. It's a video of someone trying on a variety of printed full-face masks. They won't fool anyone for long, but will survive casual scrutiny. And they're cheap and easy to swap...

7.3 AI score
Exploits: 0
Schneier on Security
added 2024/12/09 12:1 p.m., 4 views

Trust Issues in AI

This essay was written with Nathan E. Sanders. It originally appeared as a response to Evgeny Morozov in Boston Review's forum, "The AI We Deserve." For a technology that seems startling in its modernity, AI sure has a long history. Google Translate, OpenAI chatbots, and Meta AI image generators...

7 AI score
Exploits: 0
Schneier on Security
added 2024/12/06 10:5 p.m., 9 views

Friday Squid Blogging: Safe Quick Undercarriage Immobilization Device

Fifteen years ago I blogged about a different SQUID. Here's an update: Fleeing drivers are a common problem for law enforcement. They just won’t stop unless persuaded--persuaded by bullets, barriers, spikes, or snares. Each option is risky business. Shooting up a fugitive’s car is one possibilit...

7.1 AI score
Exploits: 0
Schneier on Security
added 2024/12/06 12:9 p.m., 8 views

Detecting Pegasus Infections

This tool seems to do a pretty good job. The company's Mobile Threat Hunting feature uses a combination of malware signature-based detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify...

7.1 AI score
Exploits: 0
Schneier on Security
added 2024/12/04 12:9 p.m., 10 views

AI and the 2024 Elections

It's been the biggest year for elections in human history: 2024 is a "super-cycle" year in which 3.7 billion eligible voters in 72 countries had the chance to go to the polls. These are also the first AI elections, where many feared that deepfakes and artificial intelligence-generated misinformation...

6.9 AI score
Exploits: 0
Schneier on Security
added 2024/12/03 12:0 p.m., 11 views

Algorithms Are Coming for Democracy—but It’s Not All Bad

In 2025, AI is poised to change every aspect of democratic politics--but it won't necessarily be for the worse. India's prime minister, Narendra Modi, has used AI to translate his speeches for his multilingual electorate in real time, demonstrating how AI can help diverse democracies to be more...

7.1 AI score
Exploits: 0
Schneier on Security
added 2024/12/02 12:8 p.m., 9 views

Details about the iOS Inactivity Reboot Feature

I recently wrote about the new iOS feature that forces an iPhone to reboot after it's been inactive for a longish period of time. Here are the technical details, discovered through reverse engineering. The feature triggers after seventy-two hours of inactivity, even if it remains connected to Wi-...

6.9 AI score
Exploits: 0
Schneier on Security
added 2024/11/29 10:3 p.m., 6 views

Friday Squid Blogging: Squid-Inspired Needle Technology

Interesting research: Using jet propulsion inspired by squid, researchers demonstrate a microjet system that delivers medications directly into tissues, matching the effectiveness of traditional needles. Blog moderation policy...

7.3 AI score
Exploits: 0
Schneier on Security
added 2024/11/29 12:1 p.m., 10 views

Race Condition Attacks against LLMs

These are two attacks against the system components surrounding LLMs: We propose that LLM Flowbreaking, following jailbreaking and prompt injection, joins as the third on the growing list of LLM attack types. Flowbreaking is less about whether prompt or response guardrails can be bypassed, and mo...

7.2 AI score
Exploits: 0
Schneier on Security
added 2024/11/27 12:5 p.m., 6 views

NSO Group Spies on People on Behalf of Governments

The Israeli company NSO Group sells Pegasus spyware to countries around the world including countries like Saudi Arabia, UAE, India, Mexico, Morocco and Rwanda. We assumed that those countries use the spyware themselves. Now we've learned that that's not true: that NSO Group employees operate the...

7 AI score
Exploits: 0
Schneier on Security
added 2024/11/26 12:1 p.m., 8 views

What Graykey Can and Can’t Unlock

This is from 404 Media: The Graykey, a phone unlocking and forensics tool that is used by law enforcement around the world, is only able to retrieve partial data from all modern iPhones that run iOS 18 or iOS 18.0.1, which are two recently released versions of Apple's mobile operating system,...

6.7 AI score
Exploits: 0
Schneier on Security
added 2024/11/25 12:9 p.m., 11 views

Security Analysis of the MERGE Voting Protocol

Interesting analysis: An Internet Voting System Fatally Flawed in Creative New Ways. Abstract: The recently published "MERGE" protocol is designed to be used in the prototype CAC-vote system. The voting kiosk and protocol transmit votes over the internet and then transmit voter-verifiable paper...

7.2 AI score
Exploits: 0
Schneier on Security
added 2024/11/22 10:1 p.m., 8 views

Friday Squid Blogging: Transcriptome Analysis of the Indian Squid

Lots of details that are beyond me. Blog moderation policy...

7.3 AI score
Exploits: 0
Schneier on Security
added 2024/11/22 12:6 p.m., 5 views

The Scale of Geoblocking by Nation

Interesting analysis: We introduce and explore a little-known threat to digital equality and freedom--websites geoblocking users in response to political risks from sanctions. U.S. policy prioritizes internet freedom and access to information in repressive regimes. Clarifying distinctions between...

6.9 AI score
Exploits: 0
Schneier on Security
added 2024/11/21 12:3 p.m., 12 views

Secret Service Tracking People’s Locations without Warrant

This feels important: The Secret Service has used a technology called Locate X which uses location data harvested from ordinary apps installed on phones. Because users agreed to an opaque terms of service page, the Secret Service believes it doesn't need a warrant...

7.2 AI score
Exploits: 0
Schneier on Security
added 2024/11/20 4:22 p.m., 8 views

Steve Bellovin’s Retirement Talk

Steve Bellovin is retiring. Here's his retirement talk, reflecting on his career and what the cybersecurity field needs next...

7.4 AI score
Exploits: 0
Schneier on Security
added 2024/11/19 12:5 p.m., 7 views

Why Italy Sells So Much Spyware

Interesting analysis: Although much attention is given to sophisticated, zero-click spyware developed by companies like Israel’s NSO Group, the Italian spyware marketplace has been able to operate relatively under the radar by specializing in cheaper tools. According to an Italian Ministry of...

7.3 AI score
Exploits: 0
Schneier on Security
added 2024/11/18 3:49 p.m., 6 views

Most of 2023’s Top Exploited Vulnerabilities Were Zero-Days

Zero-day vulnerabilities are more commonly used, according to the Five Eyes: Key Findings In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023,...

7.5 AI score
Exploits: 0
Schneier on Security
added 2024/11/15 10:7 p.m., 8 views

Friday Squid Blogging: Female Gonatus Onyx Squid Carrying Her Eggs

Fantastic video of a female Gonatus onyx squid swimming while carrying her egg sac. An earlier related post. Blog moderation policy...

7.3 AI score
Exploits: 0
Schneier on Security
added 2024/11/15 12:5 p.m., 9 views

Good Essay on the History of Bad Password Policies

Stuart Schechter makes some good points on the history of bad password policies: Morris and Thompson's work brought much-needed data to highlight a problem that lots of people suspected was bad, but that had not been studied scientifically. Their work was a big step forward, if not for two mistak...

7.4 AI score
Exploits: 0
Schneier on Security
added 2024/11/14 12:5 p.m., 7 views

New iOS Security Feature Makes It Harder for Police to Unlock Seized Phones

Everybody is reporting about a new iPhone security feature with iOS 18: if the phone hasn't been used for a few days, it automatically goes into its "Before First Unlock" state and has to be rebooted. This is a really good security feature. But various police departments don't like it,...

7 AI score
Exploits: 0
Schneier on Security
added 2024/11/13 12:6 p.m., 4 views

Mapping License Plate Scanners in the US

DeFlock is a crowd-sourced project to map license plate scanners. It only records the fixed scanners, of course. The mobile scanners on cars are not mapped...

7.2 AI score
Exploits: 0
Schneier on Security
added 2024/11/12 12:5 p.m., 3 views

Criminals Exploiting FBI Emergency Data Requests

I've been writing about the problem with lawful-access backdoors in encryption for decades now: that as soon as you create a mechanism for law enforcement to bypass encryption, the bad guys will use it too. Turns out the same thing is true for non-technical backdoors: The advisory said that the...

7 AI score
Exploits: 0
Schneier on Security
added 2024/11/08 10:4 p.m., 5 views

Friday Squid Blogging: Squid-A-Rama in Des Moines

Squid-A-Rama will be in Des Moines at the end of the month. Visitors will be able to dissect squid, explore fascinating facts about the species, and witness a live squid release conducted by local divers. How are they doing a live squid release? Simple: this is Des Moines, Washington; not Des...

7 AI score
Exploits: 0
Total number of security vulnerabilities: 2959