2979 matches found
Using AI for Political Polling
Public polling is a critical function of modern political campaigns and movements, but it isnt what it once was. Recent US election cycles have produced copious postmortems explaining both the successes and the flaws of public polling. There are two main reasons polling fails. First, nonresponse...
LLMs Acting Deceptively
New research: "Deception abilities emerged in large language models": Abstract: Large language models LLMs are currently at the forefront of intertwining AI systems with human communication and everyday life. Thus, aligning them with human values is of great importance. However, given the steady...
Exploiting Mistyped URLs
Interesting research: "Hyperlink Hijacking: Exploiting Erroneous URL Links to Phantom Domains": Abstract: Web users often follow hyperlinks hastily, expecting them to be correctly programmed. However, it is possible those links contain typos or other mistakes. By discovering active but erroneous...
Friday Squid Blogging: Squid Catch Quotas in Peru
Peru has set a lower squid quota for 2024. The article says "giant squid," but that seems wrong. We dont eat those. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Security and Human Behavior (SHB) 2024
This week, I hosted the seventeenth Workshop on Security and Human Behavior at the Harvard Kennedy School. This is the first workshop since our co-founder, Ross Anderson, died unexpectedly. SHB is a small, annual, invitational workshop of people studying various aspects of the human side of...
The Justice Department Took Down the 911 S5 Botnet
The US Justice Department has dismantled an enormous botnet: According to an indictment unsealed on May 24, from 2014 through July 2022, Wang and others are alleged to have created and disseminated malware to compromise and amass a network of millions of residential Windows computers worldwide...
Espionage with a Drone
The US is using a World War II law that bans aircraft photography of military installations to charge someone with doing the same thing with a drone...
Online Privacy and Overfishing
Microsoft recently caught state-backed hackers using its generative AI tools to help with their attacks. In the security community, the immediate questions werent about how hackers were using the tools that was utterly predictable, but about how Microsoft figured it out. The natural conclusion wa...
Breaking a Password Manager
Interesting story of breaking the security of the RoboForm password manager in order to recover a cryptocurrency wallet password. Grand and Bruno spent months reverse engineering the version of the RoboForm program that they thought Michael had used in 2013 and found that the pseudo-random number...
Seeing Like a Data Structure
Technology was once simply a tool--and a small one at that--used to amplify human intent and capacity. That was the story of the industrial revolution: we could control nature and build large, complex human societies, and the more we employed and mastered technology, the better things got. We don...
AI Will Increase the Quantity—and Quality—of Phishing Scams
A piece I coauthored with Fredrik Heiding and Arun Vishwanath in the Harvard Business Review: Summary. Gen AI tools are rapidly making these emails more advanced, harder to spot, and significantly more dangerous. Recent research showed that 60% of participants fell victim to artificial intelligen...
Friday Squid Blogging: Baby Colossal Squid
This video might be a juvenile colossal squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
How AI Will Change Democracy
I dont think its an exaggeration to predict that artificial intelligence will affect every aspect of our society. Not by doing new things. But mostly by doing things that are already being done by humans, perfectly competently. Replacing humans with AIs isnt necessarily interesting. But when an A...
Supply Chain Attack against Courtroom Software
No word on how this backdoor was installed: A software maker serving more than 10,000 courtrooms throughout the world hosted an application update containing a hidden backdoor that maintained persistent communication with a malicious website, researchers reported Thursday, in the latest episode o...
Privacy Implications of Tracking Wireless Access Points
Brian Krebs reports on research into geolocating routers: Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geolocate devices. Researchers from the University of...
Lattice-Based Cryptosystems and Quantum Cryptanalysis
Quantum computers are probably coming, though we dont know when--and when they arrive, they will, most likely, be able to break our standard public-key cryptography algorithms. In anticipation of this possibility, cryptographers have been working on quantum-resistant public-key algorithms. The...
Friday Squid Blogging: Dana Squid Attacking Camera
Fantastic footage of a Dana squid attacking a camera at a depth of about a kilometer. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
On the Zero-Day Market
New paper: "Zero Progress on Zero Days: How the Last Ten Years Created the Modern Spyware Market": Abstract: Spyware makes surveillance simple. The last ten years have seen a global market emerge for ready-made software that lets governments surveil their citizens and foreign adversaries alike an...
Personal AI Assistants and Privacy
Microsoft is trying to create a personal digital assistant: At a Build conference event on Monday, Microsoft revealed a new AI-powered feature called "Recall" for Copilot+ PCs that will allow Windows 11 users to search and retrieve their past activities on their PC. To make it work, Recall record...
Unredacting Pixelated Text
Experiments in unredacting text that has been pixelated...
Detecting Malicious Trackers
From Slashdot: Apple and Google have launched a new industry standard called "Detecting Unwanted Location Trackers" to combat the misuse of Bluetooth trackers for stalking. Starting Monday, iPhone and Android users will receive alerts when an unknown Bluetooth device is detected moving with them...
IBM Sells Cybersecurity Group
IBM is selling its QRadar product suite to Palo Alto Networks, for an undisclosed--but probably surprisingly small--sum. I have a personal connection to this. In 2016, IBM bought Resilient Systems, the startup I was a part of. It became part if IBMs cybersecurity offerings, mostly and weirdly...
Friday Squid Blogging: Emotional Support Squid
When asked what makes this an "emotional support squid" and not just another stuffed animal, its creator says: Theyre emotional support squid because theyre large, and cuddly, but also cheerfully bright and derpy. They make great neck pillows and you can fidget with the arms and tentacles for...
FBI Seizes BreachForums Website
The FBI has seized the BreachForums website, used by ransomware criminals to leak stolen corporate data. If law enforcement has gained access to the hacking forums backend data, as they claim, they would have email addresses, IP addresses, and private messages that could expose members and be use...
Zero-Trust DNS
Microsoft is working on a promising-looking protocol to lock down DNS. ZTDNS aims to solve this decades-old problem by integrating the Windows DNS engine with the Windows Filtering Platform--the core component of the Windows Firewall--directly into client devices. Jake Williams, VP of research an...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Im giving a webinar via Zoom on Wednesday, May 22, at 11:00 AM ET. The topic is "Should the USG Establish a Publicly Funded AI Option?" The list is maintained on this page...
Another Chrome Vulnerability
Google has patched another Chrome zero-day: On Thursday, Google said an anonymous source notified it of the vulnerability. The vulnerability carries a severity rating of 8.8 out of 10. In response, Google said, it would be releasing versions 124.0.6367.201/.202 for macOS and Windows and...
LLMs’ Data-Control Path Insecurity
Back in the 1960s, if you played a 2,600Hz tone into an AT&T pay phone, you could make calls without paying. A phone hacker named John Draper noticed that the plastic whistle that came free in a box of Captain Crunch cereal worked to make the right sound. That became his hacker name, and everyone...
Friday Squid Blogging: Squid Mating Strategies
Some squids are "consorts," others are "sneakers." The species is healthiest when individuals have different strategies randomly. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
New Attack Against Self-Driving Car AI
This is another attack that convinces the AI to ignore road signs: Due to the way CMOS cameras operate, rapidly changing light from fast flashing diodes can be used to vary the color. For example, the shade of red on a stop sign could look different on each line depending on the time between the...
How Criminals Are Using Generative AI
Theres a new report on how criminals are using generative AI tools: Key Takeaways: Adoption rates of AI technologies among criminals lag behind the rates of their industry counterparts because of the evolving nature of cybercrime. Compared to last year, criminals seem to have abandoned any attemp...
New Attack on VPNs
This attack has been feasible for over two decades: Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering. TunnelVision, ...
New Lawsuit Attempting to Make Adversarial Interoperability Legal
Lots of complicated details here: too many for me to summarize well. It involves an obscure Section 230 provision--and an even more obscure typo. Read this...
Friday Squid Blogging: Squid Purses
Squid-shaped purses for sale. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
My TED Talks
I have spoken at several TED conferences over the years. TEDxPSU 2010: "Reconceptualizing Security" TEDxCambridge 2013: "The Battle for Power on the Internet" TEDMed 2016: "Who Controls Your Medical Data?" Im putting this here because I want all three links in one place...
Rare Interviews with Enigma Cryptanalyst Marian Rejewski
The Polish Embassy has posted a series of short interview segments with Marian Rejewski, the first person to crack the Enigma. Details from his biography...
The UK Bans Default Passwords
The UK is the first country to ban default passwords on IoT devices. On Monday, the United Kingdom became the first country in the world to ban default guessable usernames and passwords from these IoT devices. Unique passwords installed by default are still permitted. The Product Security and...
AI Voice Scam
Scammers tricked a company into believing they were dealing with a BBC presenter. They faked her voice, and accepted money intended for her...
WhatsApp in India
Meta has threatened to pull WhatsApp out of India if the courts try to force it to break its end-to-end encryption...
Whale Song Code
During the Cold War, the US Navy tried to make a secret code out of whale song. The basic plan was to develop coded messages from recordings of whales, dolphins, sea lions, and seals. The submarine would broadcast the noises and a computer--the Combo Signal Recognizer CSR--would detect the specif...
Friday Squid Blogging: Searching for the Colossal Squid
A cruise ship is searching for the colossal squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Long Article on GM Spying on Its Cars’ Drivers
Kashmir Hill has a really good article on how GM tricked its drivers into letting it spy on them--and then sold that data to insurance companies...
The Rise of Large-Language-Model Optimization
The web has become so interwoven with everyday life that it is easy to forget what an extraordinary accomplishment and treasure it is. In just a few decades, much of human knowledge has been collectively written up and made available to anyone with an internet connection. But all of this is comin...
Dan Solove on Privacy Regulation
Law professor Dan Solove has a new article on privacy regulation. In his email to me, he writes: "I’ve been pondering privacy consent for more than a decade, and I think I finally made a breakthrough with this article." His mini-abstract: In this Article I argue that most of the time, privacy...
Microsoft and Security Incentives
Former senior White House cyber policy director A. J. Grotto talks about the economic incentives for companies to improve their security--in particular, Microsoft: Grotto told us Microsoft had to be "dragged kicking and screaming" to provide logging capabilities to the government by default, and...
Using Legitimate GitHub URLs for Malware
Interesting social-engineering attack vector: McAfee released a report on a new LUA malware loader distributed through what appeared to be a legitimate Microsoft GitHub repository for the "C++ Library Manager for Windows, Linux, and MacOS," known as vcpkg. The attacker is exploiting a property of...
Friday Squid Blogging: Squid Trackers
A new bioadhesive makes it easier to attach trackers to squid. Note: the article does not discuss squid privacy rights. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Other Attempts to Take Over Open Source Projects
After the XZ Utils discovery, people have been examining other open-source projects. Surprising no one, the incident is not unique: The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated...
Using AI-Generated Legislative Amendments as a Delaying Technique
Canadian legislators proposed 19,600 amendments--almost certainly AI-generated--to a bill in an attempt to delay its adoption. I wrote about many different legislative delaying tactics in A Hackers Mind, but this is a new one...
X.com Automatically Changing Link Text but Not URLs
Brian Krebs reported that X formerly known as Twitter started automatically changing twitter.com links to x.com links. The problem is: 1 it changed any domain name that ended with "twitter.com," and 2 it only changed the links appearance anchortext, not the underlying URL. So if you were a clever...