2979 matches found
New Image/Video Prompt Injection Attacks
Simon Willison has been playing with the video processing capabilities of the new Gemini Pro 1.5 model from Google, and its really impressive. Which means a lot of scary new video prompt injection attacks. And remember, given the current state of technology, prompt injection attacks are impossibl...
Details of a Phone Scam
First-person account of someone who fell for a scam, that started as a fake Amazon service rep and ended with a fake CIA agent, and lost $50,000 cash. And this is not a naive or stupid person. The details are fascinating. And if you think it couldnt happen to you, think again. Given the right set...
Microsoft Is Spying on Users of Its AI Tools
Microsoft announced that it caught Chinese, Russian, and Iranian hackers using its AI tools--presumably coding tools--to improve their hacking abilities. From their report: In collaboration with OpenAI, we are sharing threat intelligence showing detected state affiliated adversaries--tracked as...
EU Court of Human Rights Rejects Encryption Backdoors
The European Court of Human Rights has ruled that breaking end-to-end encryption by adding backdoors violates human rights: Seemingly most critically, the Russian government told the ECHR that any intrusion on private lives resulting from decrypting messages was "necessary" to combat terrorism in...
Friday Squid Blogging: Vegan Squid-Ink Pasta
It uses black beans for color and seaweed for flavor. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
On the Insecurity of Software Bloat
Good essay on software bloat and the insecurities it causes. The world ships too much code, most of it by third parties, sometimes unintended, most of it uninspected. Because of this, there is a huge attack surface full of mediocre code. Efforts are ongoing to improve the quality of code itself,...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the Munich Security Conference MSC 2024 in Munich, Germany, on Friday, February 16, 2024. I’m giving a keynote on “AI and Trust” at Generative AI, Free Speech, & Public Discourse. The symposium will be held at...
Improving the Cryptanalysis of Lattice-Based Public-Key Algorithms
The winner of the Best Paper Award at Crypto this year was a significant improvement to lattice-based cryptanalysis. This is important, because a bunch of NISTs post-quantum options base their security on lattice problems. I worry about standardizing on post-quantum algorithms too quickly. We are...
A Hacker’s Mind is Out in Paperback
The paperback version of A Hackers Mind has just been published. Its the same book, only a cheaper format. But--and this is the real reason I am posting this--Amazon has significantly discounted the hardcover to $15 to get rid of its stock. This is much cheaper than I am selling it for, and cheap...
Molly White Reviews Blockchain Book
Molly White--of "Web3 is Going Just Great" fame--reviews Chris Dixons blockchain solutions book: Read Write Own: In fact, throughout the entire book, Dixon fails to identify a single blockchain project that has successfully provided a non-speculative service at any kind of scale. The closest he...
On Passkey Usability
Matt Burgess tries to only use passkeys. The results are mixed...
Friday Squid Blogging: A Penguin Named “Squid”
Amusing story about a penguin named "Squid." As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
No, Toothbrushes Were Not Used in a Massive DDoS Attack
The widely reported story last week that 1.5 million smart toothbrushes were hacked and used in a DDoS attack is false. Near as I can tell, a German reporter talking to someone at Fortinet got it wrong, and then everyone else ran with it without reading the German text. It was a hypothetical, whi...
On Software Liabilities
Over on Lawfare, Jim Dempsey published a really interesting proposal for software liability: "Standard for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor." Section 1 of this paper sets the stage by briefly describing the problem to be solved. Section ...
Teaching LLMs to Be Deceptive
Interesting research: "Sleeper Agents: Training Deceptive LLMs that Persist Through Safety Training": Abstract: Humans are capable of strategically deceptive behavior: behaving helpfully in most situations, but then behaving very differently in order to pursue alternative objectives when given th...
Documents about the NSA’s Banning of Furby Toys in the 1990s
Via a FOIA request, we have documents from the NSA about their banning of Furby toys. 404 Media has the story. EDITED TO ADD: The documents are now on Archive.org...
Deepfake Fraud
A deepfake video conference call--with everyone else on the call a fake--fooled a finance worker into sending $25M to the criminals account...
Friday Squid Blogging: Illex Squid in Argentina Waters
Argentina is reporting that there is a good population of illex squid in its waters ready for fishing, and is working to ensure that Chinese fishing boats dont take it all. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my bl...
David Kahn
David Kahn has died. His groundbreaking book, The Codebreakers was the first serious book I read about codebreaking, and one of the primary reasons I entered this field. He will be missed. EDITED TO ADD 2/4: Funeral website. EDITED TO ADD 2/10: New York Times obituary...
A Self-Enforcing Protocol to Solve Gerrymandering
In 2009, I wrote: There are several ways two people can divide a piece of cake in half. One way is to find someone impartial to do it for them. This works, but it requires another person. Another way is for one person to divide the piece, and the other person to complain to the police, a judge, o...
Facebook’s Extensive Surveillance Network
Consumer Reports is reporting that Facebook has built a massive surveillance network: Using a panel of 709 volunteers who shared archives of their Facebook data, Consumer Reports found that a total of 186,892 companies sent data about them to the social network. On average, each participant in th...
CFPB’s Proposed Data Rules
In October, the Consumer Financial Protection Bureau CFPB proposed a set of rules that if implemented would transform how financial institutions handle personal data about their customers. The rules put control of that data back in the hands of ordinary Americans, while at the same time undermini...
New Images of Colossus Released
GCHQ has released new images of the WWII Colossus code-breaking computer, celebrating the machines eightieth anniversary birthday?. News article...
NSA Buying Bulk Surveillance Data on Americans without a Warrant
It finally admitted to buying bulk data on Americans from data brokers, in response to a query by Senator Weyden. This is almost certainly illegal, although the NSA maintains that it is legal until its told otherwise. Some news articles...
Microsoft Executives Hacked
Microsoft is reporting that a Russian intelligence agency--the same one responsible for SolarWinds--accessed the email system of the companys executives. Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and ga...
Friday Squid Blogging: Footage of Black-Eyed Squid Brooding Her Eggs
Amazing footage of a black-eyed squid Gonatus onyx carrying thousands of eggs. They tend to hang out about 6,200 feet below sea level. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Chatbots and Human Conversation
For most of history, communicating with a computer has not been like communicating with a person. In their earliest years, computers required carefully constructed instructions, delivered through punch cards; then came a command-line interface, followed by menus and options and text boxes. If you...
Quantum Computing Skeptics
Interesting article. I am also skeptical that we are going to see useful quantum computers anytime soon. Since at least 2019, I have been saying that this is hard. And that we dont know if its "land a person on the surface of the moon" hard, or "land a person on the surface of the sun" hard. They...
Poisoning AI Models
New research into poisoning AI models: The researchers first trained the AI models using supervised learning and then used additional "safety training" methods, including more supervised learning, reinforcement learning, and adversarial training. After this, they checked if the AI still had hidde...
Side Channels Are Common
Really interesting research: "Lend Me Your Ear: Passive Remote Physical Side Channels on PCs." Abstract: We show that built-in sensors in commodity PCs, such as microphones, inadvertently capture electromagnetic side-channel leakage from ongoing computation. Moreover, this information is often...
AI Bots on X (Twitter)
You can find them by searching for OpenAI chatbot warning messages, like: "Im sorry, I cannot provide a response as it goes against OpenAIs use case policy." I hadnt thought about this before: identifying bots by searching for distinctive bot phrases...
Friday Squid Blogging: New Foods from Squid Fins
We only eat about half of a squid, ignoring the fins. A group of researchers is working to change that. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Zelle Is Using My Name and Voice without My Consent
Okay, so this is weird. Zelle has been using my name, and my voice, in audio podcast ads--without my permission. At least, I think it is without my permission. Its possible that I gave some sort of blanket permission when speaking at an event. Its not likely, but it is possible. I wrote to Zelle...
Speaking to the CIA’s Creative Writing Group
This is a fascinating story. Last spring, a friend of a friend visited my office and invited me to Langley to speak to Invisible Ink, the CIAs creative writing group. I asked Vivian not her real name what she wanted me to talk about. She said that the topic of the talk was entirely up to me. I...
Canadian Citizen Gets Phone Back from Police
After 175 million failed password guesses, a judge rules that the Canadian police must return a suspects phone. Judge Carter said the investigation can continue without the phones, and he noted that Ottawa police have made a formal request to obtain more data from Google. "This strikes me as a...
Code Written with AI Assistants Is Less Secure
Interesting research: "Do Users Write More Insecure Code with AI Assistants?": Abstract: We conduct the first large-scale user study examining how users interact with an AI Code assistant to solve a variety of security related tasks across different programming languages. Overall, we find that...
The Story of the Mirai Botnet
Over at Wired, Andy Greenberg has an excellent story about the creators of the 2016 Mirai botnet...
Voice Cloning with Very Short Samples
New research demonstrates voice cloning, in multiple languages, using samples ranging from one to twelve seconds. Research paper...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the International PolCampaigns Expo IPE24 in Cape Town, South Africa, January 25-26, 2024. The list is maintained on this page...
Friday Squid Blogging: Giant Squid from Newfoundland in the 1800s
Interesting article, with photographs. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
On IoT Devices and Software Liability
New law journal article: Smart Device Manufacturer Liability and Redress for Third-Party Cyberattack Victims Abstract: Smart devices are used to facilitate cyberattacks against both their users and third parties. While users are generally able to seek redress following a cyberattack via data...
Pharmacies Giving Patient Records to Police without Warrants
Add pharmacies to the list of industries that are giving private data to the police without a warrant...
Facial Scanning by Burger King in Brazil
In 2000, I wrote: "If McDonalds offered three free Big Macs for a DNA sample, there would be lines around the block." Burger King in Brazil is almost there, offering discounts in exchange for a facial scan. From a marketing video: "At the end of the year, its Friday every day, and the hangover...
PIN-Stealing Android Malware
This is an old piece of malware--the Chameleon Android banking Trojan--that now disables biometric authentication in order to steal the PIN: The second notable new feature is the ability to interrupt biometric operations on the device, like fingerprint and face unlock, by using the Accessibility...
Second Interdisciplinary Workshop on Reimagining Democracy
Last month, I convened the Second Interdisciplinary Workshop on Reimagining Democracy IWORD 2023 at the Harvard Kennedy School Ash Center. As with IWORD 2022, the goal was to bring together a diverse set of thinkers and practitioners to talk about how democracy might be reimagined for the...
Friday Squid Blogging—18th Anniversary Post: New Species of Pygmy Squid Discovered
Theyre Ryukyuan pygmy squid Idiosepius kijimuna and Hannans pygmy squid Kodama jujutsu. The second one represents an entire new genus. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. And, yes, this is the eighteenth anniversary of...
Improving Shor’s Algorithm
We dont have a useful quantum computer yet, but we do have quantum algorithms. Shors algorithm has the potential to factor large numbers faster than otherwise possible, which--if the run times are actually feasible--could break both the RSA and Diffie-Hellman public-key algorithms. Now, computer...
New iPhone Exploit Uses Four Zero-Days
Kaspersky researchers are detailing "an attack that over four years backdoored dozens if not thousands of iPhones, many of which belonged to employees of Moscow-based security firm Kaspersky." Its a zero-click exploit that makes use of four iPhone zero-days. The most intriguing new detail is the...
Facial Recognition Systems in the US
A helpful summary of which US retail stores are using facial recognition, thinking about using it, or currently not planning on using it. This, of course, can all change without notice. Three years ago, I wrote that campaigns to ban facial recognition are too narrow. The problem here is...
TikTok Editorial Analysis
TikTok seems to be skewing things in the interests of the Chinese Communist Party. This is a serious analysis, and the methodology looks sound. Conclusion: Substantial Differences in Hashtag Ratios Raise Concerns about TikToks Impartiality Given the research above, we assess a strong possibility...