2979 matches found
Problems with Georgia’s Voter Registration Portal
Its possible to cancel other peoples voter registrations: On Friday, four days after Georgia Democrats began warning that bad actors could abuse the states new online portal for canceling voter registrations, the Secretary of States Office acknowledged to ProPublica that it had identified multipl...
On the Cyber Safety Review Board
When an airplane crashes, impartial investigatory bodies leap into action, empowered by law to unearth what happened and why. But there is no such empowered and impartial body to investigate CrowdStrikes faulty update that recently unfolded, ensnarling banks, airlines, and emergency services to t...
New Patent Application for Car-to-Car Surveillance
Ford has a new patent application for a system where cars monitor each others speeds, and then report then to some central authority. Slashdot thread...
Friday Squid Blogging: Treating Squid Parasites
A newly discovered parasite that attacks squid eggs has been treated. Blog moderation policy...
Leaked GitHub Python Token
Heres a disaster that didnt happen: Cybersecurity researchers from JFrog recently discovered a GitHub Personal Access Token in a public Docker container hosted on Docker Hub, which granted elevated access to the GitHub repositories of the Python language, Python Package Index PyPI, and the Python...
Education in Secure Software Development
The Linux Foundation and OpenSSF released a report on the state of education in secure software development. …many developers lack the essential knowledge and skills to effectively implement secure software development. Survey findings outlined in the report show nearly one-third of all...
Nearly 7% of Internet Traffic Is Malicious
Cloudflare reports on the state of applications security. It claims that 6.8% of Internet traffic is malicious. And that CVEs are exploited as quickly as 22 minutes after proof-of-concepts are published. News articles...
Providing Security Updates to Automobile Software
Auto manufacturers are just starting to realize the problems of supporting the software in older models: Today’s phones are able to receive updates six to eight years after their purchase date. Samsung and Google provide Android OS updates and security updates for seven years. Apple halts servici...
New Research in Detecting AI-Generated Videos
The latest in what will be a continuing arms race between creating and detecting videos: The new tool the research project is unleashing on deepfakes, called "MISLnet", evolved from years of data derived from detecting fake images and video with tools that spot changes made to digital video or...
Friday Squid Blogging: Sunscreen from Squid Pigments
Theyre better for the environment. Blog moderation policy...
Compromising the Secure Boot Process
This isnt good: On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised ...
The CrowdStrike Outage and Market-Driven Brittleness
Fridays massive internet outage, caused by a mid-sized tech company called CrowdStrike, disrupted major airlines, hospitals, and banks. Nearly 7,000 flights were canceled. It took down 911 systems and factories, courthouses, and television stations. Tallying the total cost will take time. The...
Data Wallets Using the Solid Protocol
I am the Chief of Security Architecture at Inrupt, Inc., the company that is commercializing Tim Berners-Lees Solid open W3C standard for distributed data ownership. This week, we announced a digital wallet based on the Solid architecture. Details are here, but basically a digital wallet is a...
Robot Dog Internet Jammer
Supposedly the DHS has these: The robot, called "NEO," is a modified version of the "Quadruped Unmanned Ground Vehicle" Q-UGV sold to law enforcement by a company called Ghost Robotics. Benjamine Huffman, the director of DHSs Federal Law Enforcement Training Centers FLETC, told police at the 2024...
2017 ODNI Memo on Kaspersky Labs
Its heavily redacted, but still interesting. Many more ODNI documents here...
Snake Mimics a Spider
This is a fantastic video. Its an Iranian spider-tailed horned viper Pseudocerastes urarachnoides. Its tail looks like a spider, which the snake uses to fool passing birds looking for a meal...
Friday Squid Blogging: Peru Trying to Protect its Squid Fisheries
Peru is trying to protect its territorial waters from Chinese squid-fishing boats. Blog moderation policy...
Brett Solomon on Digital Rights
Brett Solomon is retiring from AccessNow after fifteen years as its Executive Director. Hes written a blog post about what hes learned and what comes next...
Criminal Gang Physically Assaulting People for Their Cryptocurrency
This is pretty horrific: …a group of men behind a violent crime spree designed to compel victims to hand over access to their cryptocurrency savings. That announcement and the criminal complaint laying out charges against St. Felix focused largely on a single theft of cryptocurrency from an elder...
Cloudflare Reports that Almost 7% of All Internet Traffic Is Malicious
6.8%, to be precise. From ZDNet: However, Distributed Denial of Service DDoS attacks continue to be cybercriminals weapon of choice, making up over 37% of all mitigated traffic. The scale of these attacks is staggering. In the first quarter of 2024 alone, Cloudflare blocked 4.5 million unique DDo...
Hacking Scientific Citations
Some scholars are inflating their reference counts by sneaking them into metadata: Citations of scientific work abide by a standardized referencing system: Each reference explicitly mentions at least the title, authors names, publication year, journal or conference name, and page numbers of the...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Im speaking--along with John Bruce, the CEO and Co-founder of Inrupt--at the 18th Annual CDOIQ Symposium in Cambridge, Massachusetts, USA. The symposium runs from July 16 through 18, 2024, and my session is on Tuesday, July 16 at...
Friday Squid Blogging: 1994 Lair of Squid Game
I didnt know: In 1994, Hewlett-Packard released a miracle machine: the HP 200LX pocket-size PC. In the depths of the device, among the MS-DOS productivity apps built into its fixed memory, there lurked a first-person maze game called Lair of Squid. … In Lair of Squid, youre trapped in an underwat...
The NSA Has a Long-Lost Lecture by Adm. Grace Hopper
The NSA has a video recording of a 1982 lecture by Adm. Grace Hopper titled "Future Possibilities: Data, Hardware, Software, and People." The agency is so far refusing to release it. Basically, the recording is in an obscure video format. People at the NSA cant easily watch it, so they cant redac...
Apple Is Alerting iPhone Users of Spyware Attacks
Not a lot of details: Apple has issued a new round of threat notifications to iPhone users across 98 countries, warning them of potential mercenary spyware attacks. Its the second such alert campaign from the company this year, following a similar notification sent to users in 92 nations in April...
RADIUS Vulnerability
New attack against the RADIUS authentication protocol: The Blast-RADIUS attack allows a man-in-the-middle attacker between the RADIUS client and server to forge a valid protocol accept message in response to a failed authentication request. This forgery could give the attacker access to network...
Reverse-Engineering Ticketmaster’s Barcode System
Interesting: By reverse-engineering how Ticketmaster and AXS actually make their electronic tickets, scalpers have essentially figured out how to regenerate specific, genuine tickets that they have legally purchased from scratch onto infrastructure that they control. In doing so, they are removin...
On the CSRB’s Non-Investigation of the SolarWinds Attack
ProPublica has a long investigative article on how the Cyber Safety Review Board failed to investigate the SolarWinds attack, and specifically Microsofts culpability, even though they were directed by President Biden to do so...
Friday Squid Blogging: Newly Discovered Vampire Squid
A new vampire squid species was discovered in the South China Sea. Blog moderation policy...
New Open SSH Vulnerability
Its a serious one: The vulnerability, which is a signal handler race condition in OpenSSHs server sshd, allows unauthenticated remote code execution RCE as root on glibc-based Linux systems; that presents a significant security risk. This race condition affects sshd in its default configuration. ...
Upcoming Book on AI and Democracy
If youve been reading my blog, youve noticed that I have written a lot about AI and democracy, mostly with my co-author Nathan Sanders. I am pleased to announce that were writing a book on the topic. This isnt a book about deep fakes, or misinformation. This is a book about what happens when AI...
Public Surveillance of Bars
This article about an app that lets people remotely view bars to see if theyre crowded or not is filled with commentary--on both sides--about privacy and openness...
Model Extraction from Neural Networks
A new paper, "Polynomial Time Cryptanalytic Extraction of Neural Network Models," by Adi Shamir and others, uses ideas from differential cryptanalysis to extract the weights inside a neural network using specific queries and their results. This is much more theoretical than practical, but its a...
Friday Squid Blogging: New Squid Species
A new squid species--of the Gonatidae family--was discovered. The video shows her holding a brood of very large eggs. Research paper...
James Bamford on Section 702 Extension
Longtime NSA-watcher James Bamford has a long article on the reauthorization of Section 702 of the Foreign Intelligence Surveillance Act FISA...
Security Analysis of the EU’s Digital Wallet
A group of cryptographers have analyzed the eiDAS 2.0 regulation electronic identification and trust services that defines the new EU Digital Identity Wallet...
The US Is Banning Kaspersky
This move has been coming for a long time. The Biden administration on Thursday said it’s banning the company from selling its products to new US-based customers starting on July 20, with the company only allowed to provide software updates to existing customers through September 29. The ban--th...
Breaking the M-209
Interesting paper about a German cryptanalysis machine that helped break the US M-209 mechanical ciphering machine. The paper contains a good description of how the M-209 works...
Paul Nakasone Joins OpenAI’s Board of Directors
Former NSA Director Paul Nakasone has joined the board of OpenAI...
Friday Squid Blogging: Squid Nebula
Beautiful astronomical photo...
Ross Anderson’s Memorial Service
The memorial service for Ross Anderson will be held on Saturday, at 2:00 PM BST. People can attend remotely on Zoom. The passcode is "L3954FrrEF"...
Recovering Public Keys from Signatures
Interesting summary of various ways to derive the public key from digitally signed files. Normally, with a signature scheme, you have the public key and want to know whether a given signature is valid. But what if we instead have a message and a signature, assume the signature is valid, and want ...
New Blog Moderation Policy
There has been a lot of toxicity in the comments section of this blog. Recently, were having to delete more and more comments. Not just spam and off-topic comments, but also sniping and personal attacks. Its gotten so bad that I need to do something. My options are limited because Im just one...
The Hacking of Culture and the Creation of Socio-Technical Debt
Culture is increasingly mediated through algorithms. These algorithms have splintered the organization of culture, a result of states and tech companies vying for influence over mass audiences. One byproduct of this splintering is a shift from imperfect but broad cultural narratives to a...
Rethinking Democracy for the Age of AI
There is a lot written about technologys threats to democracy. Polarization. Artificial intelligence. The concentration of wealth and power. I have a more general story: The political and economic systems of governance that were created in the mid-18th century are poorly suited for the 21st...
Using LLMs to Exploit Vulnerabilities
Interesting research: "Teams of LLM Agents can Exploit Zero-Day Vulnerabilities." Abstract: LLM agents have become increasingly sophisticated, especially in the realm of cybersecurity. Researchers have shown that LLM agents can exploit real-world vulnerabilities when given a description of the...
Friday Squid Blogging: Squid Cartoon
Squid humor. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Im appearing on a panel on Society and Democracy at ACM Collective Intelligence in Boston, Massachusetts. The conference runs from June 26 through 29, 2024, and my panel is at 9:00 AM on Friday, June 28. Im speaking on "Reimagining...
Demo of AES GCM Misuse Problems
This is really neat demo of the security problems arising from reusing nonces with a symmetric cipher in GCM mode...
AI and the Indian Election
As India concluded the worlds largest election on June 5, 2024, with over 640 million votes counted, observers could assess how the various parties and factions used artificial intelligence technologies--and what lessons that holds for the rest of the world. The campaigns made extensive use of AI...