2979 matches found
New Lattice Cryptanalytic Technique
A new paper presents a polynomial-time quantum algorithm for solving certain hard lattice problems. This could be a big deal for post-quantum cryptographic algorithms, since many of them base their security on hard lattice problems. A few things to note. One, this paper has not yet been peer...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Im speaking twice at RSA Conference 2024 in San Francisco. Ill be on a panel on software liability on May 6, 2024 at 8:30 AM, and Im giving a keynote on AI and democracy on May 7, 2024 at 2:25 PM. The list is maintained on this pag...
Friday Squid Blogging: The Awfulness of Squid Fishing Boats
Its a pretty awful story. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Smuggling Gold by Disguising it as Machine Parts
Someone got caught trying to smuggle 322 pounds of gold thats about a quarter of a cubic foot out of Hong Kong. It was disguised as machine parts: On March 27, customs officials x-rayed two air compressors and discovered that they contained gold that had been "concealed in the integral parts" of...
Backdoor in XZ Utils That Almost Happened
Last week, the Internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention--but it should. There’s an important moral to the story of the attack and its discovery: The...
In Memoriam: Ross Anderson, 1956–2024
Last week, I posted a short memorial of Ross Anderson. The Communications of the ACM asked me to expand it. Heres the longer version. EDITED TO ADD 4/11: Two weeks before he passed away, Ross gave an 80-minute interview where he told his life story...
US Cyber Safety Review Board on the 2023 Microsoft Exchange Hack
The US Cyber Safety Review Board released a report on the summer 2023 hack of Microsoft Exchange by China. It was a serious attack by the Chinese government that accessed the emails of senior US government officials. From the executive summary: The Board finds that this intrusion was preventable...
Security Vulnerability of HTML Emails
This is a newly discovered email vulnerability: The email your manager received and forwarded to you was something completely innocent, such as a potential customer asking a few questions. All that email was supposed to achieve was being forwarded to you. However, the moment the email appeared in...
Friday Squid Blogging: SqUID Bots
Theyre AI warehouse robots. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Maybe the Phone System Surveillance Vulnerabilities Will Be Fixed
It seems that the FCC might be fixing the vulnerabilities in SS7 and the Diameter protocol: On March 27 the commission asked telecommunications providers to weigh in and detail what they are doing to prevent SS7 and Diameter vulnerabilities from being misused to track consumers locations. The FCC...
Surveillance by the New Microsoft Outlook App
The ProtonMail people are accusing Microsofts new Outlook for Windows app of conducting extensive surveillance on its users. It shares data with advertisers, a lot of data: The window informs users that Microsoft and those 801 third parties use their data for a number of purposes, including to:...
Class-Action Lawsuit against Google’s Incognito Mode
The lawsuit has been settled: Google has agreed to delete "billions of data records" the company collected while users browsed the web using Incognito mode, according to documents filed in federal court in San Francisco on Monday. The agreement, part of a settlement in a class action lawsuit file...
XZ Utils Backdoor
The cybersecurity world got really lucky last week. An intentionally placed backdoor in XZ Utils, an open-source compression utility, was pretty much accidentally discovered by a Microsoft engineer--weeks before it would have been incorporated into both Debian and Red Hat Linux. From ArsTehnica:...
Declassified NSA Newsletters
Through a 2010 FOIA request yes, it took that long, we have copies of the NSAs KRYPTOS Society Newsletter, "Tales of the Krypt," from 1994 to 2003. There are many interesting things in the 800 pages of newsletter. There are many redactions. And a 1994 review of Applied Cryptography by redacted:...
Magic Security Dust
Adam Shostack is selling magic security dust. Its about time someone is commercializing this essential technology...
Ross Anderson
Ross Anderson unexpectedly passed away Thursday night in, I believe, his home in Cambridge. I cant remember when I first met Ross. Of course it was before 2008, when we created the Security and Human Behavior workshop. It was well before 2001, when we created the Workshop on Economics and...
Friday Squid Blogging: The Geopolitics of Eating Squid
New York Times op-ed on the Chinese dominance of the squid industry: Chinas domination in seafood has raised deep concerns among American fishermen, policymakers and human rights activists. They warn that China is expanding its maritime reach in ways that are putting domestic fishermen around the...
Lessons from a Ransomware Attack against the British Library
You might think that libraries are kind of boring, but this self-analysis of a 2023 ransomware and extortion attack against the British Library is anything but...
Hardware Vulnerability in Apple’s M-Series Chips
Its yet another hardware side-channel attack: The threat resides in the chips’ data memory-dependent prefetcher, a hardware optimization that predicts the memory addresses of data that running code is likely to access in the near future. By loading the contents into the CPU cache before it’s...
Security Vulnerability in Saflok’s RFID-Based Keycard Locks
Its pretty devastating: Today, Ian Carroll, Lennert Wouters, and a team of other security researchers are revealing a hotel keycard hacking technique they call Unsaflok. The technique is a collection of security vulnerabilities that would allow a hacker to almost instantly open several models of...
On Secure Voting Systems
Andrew Appel shepherded a public comment--signed by twenty election cybersecurity experts, including myself--on best practices for ballot marking devices and vote tabulation. It was written for the Pennsylvania legislature, but its general in nature. From the executive summary: We believe that no...
AI and Trust
Watch the Video on YouTube.com A 15-minute talk by Bruce Schneier...
Licensing AI Engineers
The debate over professionalizing software engineers is decades old. The basic idea is that, like lawyers and architects, there should be some professional licensing requirement for software engineers. Heres a law journal article recommending the same idea for AI engineers. This Article proposes...
Friday Squid Blogging: New Species of Squid Discovered
A new species of squid was discovered, along with about a hundred other species. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Google Pays $10M in Bug Bounties in 2023
BleepingComputer has the details. Its $2M less than in 2022, but its still a lot. The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the programs launch in 2010 has reached $59 million. For Android, the worlds most popular and widely used mobile...
Public AI as an Alternative to Corporate AI
This mini-essay was my contribution to a round table on Power and Governance in the Age of AI. Its nothing I havent said here before, but for anyone who hasnt read my longer essays on the topic, its a shorter introduction. The increasingly centralized control of AI is an ominous sign. When tech...
Cheating Automatic Toll Booths by Obscuring License Plates
The Wall Street Journal is reporting on a variety of techniques drivers are using to obscure their license plates so that automatic readers cant identify them and charge tolls properly. Some drivers have power-washed paint off their plates or covered them with a range of household items such as...
AI and the Evolution of Social Media
Oh, how the mighty have fallen. A decade ago, social media was celebrated for sparking democratic uprisings in the Arab world and beyond. Now front pages are splashed with stories of social platforms’ role in misinformation, business conspiracy, malfeasance, and risks to mental health. In a 2022...
Drones and the US Air Force
Fascinating analysis of the use of drones on a modern battlefield--that is, Ukraine--and the inability of the US Air Force to react to this change. The F-35A certainly remains an important platform for high-intensity conventional warfare. But the Air Force is planning to buy 1,763 of the aircraft...
Friday Squid Blogging: Operation Squid
Operation Squid found 1.3 tons of cocaine hidden in frozen fish. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Improving C++
C++ guru Herb Sutter writes about how we can improve the programming language for better security. The immediate problem "is" that it’s Too Easy By Default™ to write security and safety vulnerabilities in C++ that would have been caught by stricter enforcement of known rules for type, bounds,...
Automakers Are Sharing Driver Data with Insurers without Consent
Kasmir Hill has the story: Modern cars are internet-enabled, allowing access to services like navigation, roadside assistance and car apps that drivers can connect to their vehicles to locate them or unlock them remotely. In recent years, automakers, including G.M., Honda, Kia and Hyundai, have...
Burglars Using Wi-Fi Jammers to Disable Security Cameras
The arms race continues, as burglars are learning how to use jammers to disable Wi-Fi security cameras...
Jailbreaking LLMs with ASCII Art
Researchers have demonstrated that putting words in ASCII art can cause LLMs--GPT-3.5, GPT-4, Gemini, Claude, and Llama2--to ignore their safety instructions. Research paper...
Using LLMs to Unredact Text
Initial results in using LLMs to unredact text based on the size of the individual-word redaction rectangles. This feels like something that a specialized ML system could be trained on...
Friday Squid Blogging: New Plant Looks Like a Squid
Newly discovered plant looks like a squid. And its super weird: The plant, which grows to 3 centimetres tall and 2 centimetres wide, emerges to the surface for as little as a week each year. It belongs to a group of plants known as fairy lanterns and has been given the scientific name...
Essays from the Second IWORD
The Ash Center has posted a series of twelve essays stemming from the Second Interdisciplinary Workshop on Reimagining Democracy IWORD 2023. Aviv Ovadya, Democracy as Approximation: A Primer for “AI for Democracy” Innovators Kathryn Peters, Permission and Participation Claudia Chwalisz, Moving...
A Taxonomy of Prompt Injection Attacks
Researchers ran a global prompt hacking competition, and have documented the results in a paper that both gives a lot of good examples and tries to organize a taxonomy of effective prompt injection strategies. It seems as if the most common successful strategy is the "compound instruction attack,...
How Public AI Can Strengthen Democracy
With the worlds focus turning to misinformation, manipulation, and outright propaganda ahead of the 2024 U.S. presidential election, we know that democracy has an AI problem. But were learning that AI has a democracy problem, too. Both challenges must be addressed for the sake of democratic...
Surveillance through Push Notifications
The Washington Post is reporting on the FBIs increasing use of push notification data--"push tokens"--to identify people. The police can request this data from companies like Apple and Google without a warrant. The investigative technique goes back years. Court orders that were issued in 2019 to...
The Insecurity of Video Doorbells
Consumer Reports has analyzed a bunch of popular Internet-connected video doorbells. Their security is terrible. First, these doorbells expose your home IP address and WiFi network name to the internet without encryption, potentially opening your home network to online criminals. … Anyone who can...
LLM Prompt Injection Worm
Researchers have demonstrated a worm that spreads through prompt injection. Details: In one instance, the researchers, acting as attackers, wrote an email including the adversarial text prompt, which "poisons" the database of an email assistant using retrieval-augmented generation RAG, a way for...
Friday Squid Blogging: New Extinct Species of Vampire Squid Discovered
Paleontologists have discovered a 183-million-year-old species of vampire squid. Prior research suggests that the vampyromorph lived in the shallows off an island that once existed in what is now the heart of the European mainland. The research team believes that the remarkable degree of...
NIST Cybersecurity Framework 2.0
NIST has released version 2.0 of the Cybersecurity Framework: The CSF 2.0, which supports implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It al...
How the “Frontier” Became the Slogan of Uncontrolled AI
Artificial intelligence AI has been billed as the next frontier of humanity: the newly available expanse whose exploration will drive the next era of growth, wealth, and human flourishing. Its a scary metaphor. Throughout American history, the drive for expansion and the very concept of terrain u...
A Cyber Insurance Backstop
In the first week of January, the pharmaceutical giant Merck quietly settled its years-long lawsuit over whether or not its property and casualty insurers would cover a $700 million claim filed after the devastating NotPetya cyberattack in 2017. The malware ultimately infected more than 40,000 of...
China Surveillance Company Hacked
Last week, someone posted something like 570 files, images and chat logs from a Chinese company called I-Soon. I-Soon sells hacking and espionage services to Chinese national and local government. Lots of details in the news articles. These arent details about the tools or techniques, more the...
Apple Announces Post-Quantum Encryption Algorithms for iMessage
Apple announced PQ3, its post-quantum encryption standard based on the Kyber secure key-encapsulation protocol, one of the post-quantum algorithms selected by NIST in 2022. Theres a lot of detail in the Apple blog post, and more in Douglas Stabilas security analysis. I am of two minds about this...
Friday Squid Blogging: Illex Squid and Climate Change
There are correlations between the populations of the Illex Argentines squid and water temperatures. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
AIs Hacking Websites
New research: LLM Agents can Autonomously Hack Websites Abstract: In recent years, large language models LLMs have become increasingly capable and can now interact with tools i.e., call functions, read documents, and recursively call themselves. As a result, these LLMs can now function autonomous...