Microsoft Is Adding New Cryptography Algorithms

Microsoft is updating SymCrypt, its core cryptographic library, with new quantum-secure algorithms. Microsofts details are here. From a news article: The first new algorithm Microsoft added to SymCrypt is called ML-KEM. Previously known as CRYSTALS-Kyber, ML-KEM is one of three post-quantum...

Evaluating the Effectiveness of Reward Modeling of Generative AI Systems

New research evaluating the effectiveness of reward modeling during Reinforcement Learning from Human Feedback RLHF: "SEAL: Systematic Error Analysis for Value ALignment." The paper introduces quantitative metrics for evaluating the effectiveness of modeling and aligning human values: Abstract:...

New Chrome Zero-Day

According to Microsoft researchers, North Korean hackers have been using a Chrome zero-day exploit to steal cryptocurrency...

Australia Threatens to Force Companies to Break Encryption

In 2018, Australia passed the Assistance and Access Act, which--among other things--gave the government the power to force companies to break their own encryption. The Assistance and Access Act includes key components that outline investigatory powers between government and industry. These...

Friday Squid Blogging: Live Video of Promachoteuthis Squid

The first live video of the Promachoteuthis squid, filmed at a newly discovered seamount off the coast of Chile. Blog moderation policy...

YubiKey Side-Channel Attack

There is a side-channel attack against YubiKey access tokens that allows someone to clone a device. Its a complicated attack, requiring the victims username and password, and physical access to their YubiKey--as well as some technical expertise and equipment. Still, nice piece of security analysi...

Long Analysis of the M-209

Really interesting analysis of the American M-209 encryption device and its security...

Security Researcher Sued for Disproving Government Statements

This story seems straightforward. A city is the victim of a ransomware attack. They repeatedly lie to the media about the severity of the breach. A security researcher repeatedly proves their statements to be lies. The city gets mad and sues the researcher. Lets hope the judge throws the case out...

List of Old NSA Training Videos

The NSAs "National Cryptographic School Television Catalogue" from 1991 lists about 600 COMSEC and SIGINT training videos. There are a bunch explaining the operations of various cryptographic equipment, and a few code words I have never heard of before...

SQL Injection Attack on Airport Security

Interesting vulnerability: …a special lane at airport security called Known Crewmember KCM. KCM is a TSA program that allows pilots and flight attendants to bypass security screening, even when flying on domestic personal trips. The KCM process is fairly simple: the employee uses the dedicated la...

Friday Squid Blogging: Economic Fallout from Falklands Halting Squid Fishing

Details. Blog moderation policy...

Adm. Grace Hopper’s 1982 NSA Lecture Has Been Published

The "long lost lecture" by Adm. Grace Hopper has been published by the NSA. Note that there are two parts. Its a wonderful talk: funny, engaging, wise, prescient. Remember that talk was given in 1982, less than a year before the ARPANET switched to TCP/IP and the internet went operational. She wa...

Matthew Green on Telegram’s Encryption

Matthew Green wrote a really good blog post on what Telegrams encryption is and is not. EDITED TO ADD 8/28: Another good explainer from Kaspersky...

The Present and Future of TV Surveillance

Ars Technica has a good article on whats happening in the world of television surveillance. More than even I realized...

US Federal Court Rules Against Geofence Warrants

This is a big deal. A US Appeals Court ruled that geofence warrants--these are general warrants demanding information about all people within a geographical boundary--are unconstitutional. The decision seems obvious to me, but you cant take anything for granted...

Friday Squid Blogging: Self-Healing Materials from Squid Teeth

Making self-healing materials based on the teeth in squid suckers. Blog moderation policy...

Take a Selfie Using a NY Surveillance Camera

This site will let you take a selfie with a New York City traffic surveillance camera. EDITED TO ADD: BoingBoing post...

Surveillance Watch

This is a fantastic project mapping the global surveillance industry...

Story of an Undercover CIA Agent who Penetrated Al Qaeda

Rolling Stone has a long investigative story non-paywalled version here about a CIA agent who spent years posing as an Islamic radical. Unrelated, but also in the "real life spies" file: a fake Sudanese diving resort run by Mossad...

Hacking Wireless Bicycle Shifters

This is yet another insecure Internet-of-things story, this one about wireless gear shifters for bicycles. These gear shifters are used in big-money professional bicycle races like the Tour de France, which provides an incentive to actually implement this attack. Research paper. Another news stor...

The State of Ransomware

Palo Alto Networks published its semi-annual report on ransomware. From the Executive Summary: Unit 42 monitors ransomware and extortion leak sites closely to keep tabs on threat activity. We reviewed compromise announcements from 53 dedicated leak sites in the first half of 2024 and found 1,762...

Friday Squid Blog: The Market for Squid Oil Is Growing

How did I not know before now that there was a market for squid oil? The squid oil market has experienced robust growth in recent years, expanding from $4.56 billion in 2023 to $4.94 billion in 2024 at a compound annual growth rate CAGR of 8.5%. The growth in the historic period can be attributed...

New Windows IPv6 Zero-Click Vulnerability

The press is reporting a critical Windows vulnerability affecting IPv6. As Microsoft explained in its Tuesday advisory, unauthenticated attackers can exploit the flaw remotely in low-complexity attacks by repeatedly sending IPv6 packets that include specially crafted packets. Microsoft also share...

NIST Releases First Post-Quantum Encryption Algorithms

From the Federal Register: After three rounds of evaluation and analysis, NIST selected four algorithms it will standardize as a result of the PQC Standardization Process. The public-key encapsulation mechanism selected was CRYSTALS-KYBER, along with three digital signature schemes:...

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: Im speaking at eCrime 2024 in Boston, Massachusetts, USA. The event runs from September 24 through 26, 2024, and my keynote is on the 24th. The list is maintained on this page...

Texas Sues GM for Collecting Driving Data without Consent

Texas is suing General Motors for collecting driver data without consent and then selling it to insurance companies: From CNN: In car models from 2015 and later, the Detroit-based car manufacturer allegedly used technology to "collect, record, analyze, and transmit highly detailed driving data...

On the Voynich Manuscript

Really interesting article on the ancient-manuscript scholars who are applying their techniques to the Voynich Manuscript. No one has been able to understand the writing yet, but there are some new understandings: Davis presented her findings at the medieval-studies conference and published them ...

Taxonomy of Generative AI Misuse

Interesting paper: "Generative AI Misuse: A Taxonomy of Tactics and Insights from Real-World Data”: Generative, multimodal artificial intelligence GenAI offers transformative potential across industries, but its misuse poses significant risks. Prior research has shed light on the potential of...

Friday Squid Blogging: SQUID Is a New Computational Tool for Analyzing Genomic AI

Yet another SQUID acronym: SQUID, short for Surrogate Quantitative Interpretability for Deepnets, is a computational tool created by Cold Spring Harbor Laboratory CSHL scientists. Its designed to help interpret how AI models analyze the genome. Compared with other analysis tools, SQUID is more...

People-Search Site Removal Services Largely Ineffective

Consumer Reports has a new study of people-search site removal services, concluding that they dont really work: As a whole, people-search removal services are largely ineffective. Private information about each participant on the people-search sites decreased after using the people-search removal...

Problems with Georgia’s Voter Registration Portal

Its possible to cancel other peoples voter registrations: On Friday, four days after Georgia Democrats began warning that bad actors could abuse the states new online portal for canceling voter registrations, the Secretary of States Office acknowledged to ProPublica that it had identified multipl...

On the Cyber Safety Review Board

When an airplane crashes, impartial investigatory bodies leap into action, empowered by law to unearth what happened and why. But there is no such empowered and impartial body to investigate CrowdStrikes faulty update that recently unfolded, ensnarling banks, airlines, and emergency services to t...

New Patent Application for Car-to-Car Surveillance

Ford has a new patent application for a system where cars monitor each others speeds, and then report then to some central authority. Slashdot thread...

Friday Squid Blogging: Treating Squid Parasites

A newly discovered parasite that attacks squid eggs has been treated. Blog moderation policy...

Leaked GitHub Python Token

Heres a disaster that didnt happen: Cybersecurity researchers from JFrog recently discovered a GitHub Personal Access Token in a public Docker container hosted on Docker Hub, which granted elevated access to the GitHub repositories of the Python language, Python Package Index PyPI, and the Python...

Education in Secure Software Development

The Linux Foundation and OpenSSF released a report on the state of education in secure software development. …many developers lack the essential knowledge and skills to effectively implement secure software development. Survey findings outlined in the report show nearly one-third of all...

Nearly 7% of Internet Traffic Is Malicious

Cloudflare reports on the state of applications security. It claims that 6.8% of Internet traffic is malicious. And that CVEs are exploited as quickly as 22 minutes after proof-of-concepts are published. News articles...

Providing Security Updates to Automobile Software

Auto manufacturers are just starting to realize the problems of supporting the software in older models: Today’s phones are able to receive updates six to eight years after their purchase date. Samsung and Google provide Android OS updates and security updates for seven years. Apple halts servici...

New Research in Detecting AI-Generated Videos

The latest in what will be a continuing arms race between creating and detecting videos: The new tool the research project is unleashing on deepfakes, called "MISLnet", evolved from years of data derived from detecting fake images and video with tools that spot changes made to digital video or...

Friday Squid Blogging: Sunscreen from Squid Pigments

Theyre better for the environment. Blog moderation policy...

Compromising the Secure Boot Process

This isnt good: On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised ...

The CrowdStrike Outage and Market-Driven Brittleness

Fridays massive internet outage, caused by a mid-sized tech company called CrowdStrike, disrupted major airlines, hospitals, and banks. Nearly 7,000 flights were canceled. It took down 911 systems and factories, courthouses, and television stations. Tallying the total cost will take time. The...

Data Wallets Using the Solid Protocol

I am the Chief of Security Architecture at Inrupt, Inc., the company that is commercializing Tim Berners-Lees Solid open W3C standard for distributed data ownership. This week, we announced a digital wallet based on the Solid architecture. Details are here, but basically a digital wallet is a...

Robot Dog Internet Jammer

Supposedly the DHS has these: The robot, called "NEO," is a modified version of the "Quadruped Unmanned Ground Vehicle" Q-UGV sold to law enforcement by a company called Ghost Robotics. Benjamine Huffman, the director of DHSs Federal Law Enforcement Training Centers FLETC, told police at the 2024...

2017 ODNI Memo on Kaspersky Labs

Its heavily redacted, but still interesting. Many more ODNI documents here...

Snake Mimics a Spider

This is a fantastic video. Its an Iranian spider-tailed horned viper Pseudocerastes urarachnoides. Its tail looks like a spider, which the snake uses to fool passing birds looking for a meal...

Friday Squid Blogging: Peru Trying to Protect its Squid Fisheries

Peru is trying to protect its territorial waters from Chinese squid-fishing boats. Blog moderation policy...

Brett Solomon on Digital Rights

Brett Solomon is retiring from AccessNow after fifteen years as its Executive Director. Hes written a blog post about what hes learned and what comes next...

Criminal Gang Physically Assaulting People for Their Cryptocurrency

This is pretty horrific: …a group of men behind a violent crime spree designed to compel victims to hand over access to their cryptocurrency savings. That announcement and the criminal complaint laying out charges against St. Felix focused largely on a single theft of cryptocurrency from an elder...

Cloudflare Reports that Almost 7% of All Internet Traffic Is Malicious

6.8%, to be precise. From ZDNet: However, Distributed Denial of Service DDoS attacks continue to be cybercriminals weapon of choice, making up over 37% of all mitigated traffic. The scale of these attacks is staggering. In the first quarter of 2024 alone, Cloudflare blocked 4.5 million unique DDo...