2979 matches found
Friday Squid Blogging: Sqids
Theyre short unique strings: Sqids pronounced "squids" is an open-source library that lets you generate YouTube-looking IDs from numbers. These IDs are short, can be generated from a custom alphabet and are guaranteed to be collision-free. I havent dug into the details enough to know how they can...
AI Is Scarily Good at Guessing the Location of Random Photos
Wow: To test PIGEONs performance, I gave it five personal photos from a trip I took across America years ago, none of which have been published online. Some photos were snapped in cities, but a few were taken in places nowhere near roads or other easily recognizable landmarks. That didnt seem to...
AI and Lossy Bottlenecks
Artificial intelligence is poised to upend much of society, removing human limitations inherent in many systems. One such limitation is information and logistical bottlenecks in decision-making. Traditionally, people have been forced to reduce complex choices to a small handful of options that do...
New iPhone Security Features to Protect Stolen Devices
Apple is rolling out a new "Stolen Device Protection" feature that seems well thought out: When Stolen Device Protection is turned on, Face ID or Touch ID authentication is required for additional actions, including viewing passwords or passkeys stored in iCloud Keychain, applying for a new Apple...
Google Stops Collecting Location Data from Maps
Google Maps now stores location data locally on your device, meaning that Google no longer has that data to turn over to the police...
Friday Squid Blogging: Squid Parts into Fertilizer
Its squid parts from college dissections, so its not a volume operation. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Ben Rothke’s Review of A Hacker’s Mind
Ben Rothke chose A Hackers Mind as "the best information security book of 2023."...
Data Exfiltration Using Indirect Prompt Injection
Interesting attack on a LLM: In Writer, users can enter a ChatGPT-like session to edit or create their documents. In this chat session, the LLM can retrieve information from sources on the web to assist users in creation of their documents. We show that attackers can prepare websites that, when a...
Cyberattack on Ukraine’s Kyivstar Seems to Be Russian Hacktivists
The Solntsepek group has taken credit for the attack. Theyre linked to the Russian military, so its unclear whether the attack was government directed or freelance. This is one of the most significant cyberattacks since Russia invaded in February 2022...
GCHQ Christmas Codebreaking Challenge
Looks like fun. Details here...
OpenAI Is Not Training on Your Dropbox Documents—Today
Theres a rumor flying around the Internet that OpenAI is training foundation models on your Dropbox documents. Heres CNBC. Heres Boing Boing. Some articles are more nuanced, but theres still a lot of confusion. It seems not to be true. Dropbox isnt sharing all of your documents with OpenAI. But...
Police Get Medical Records without a Warrant
More unconstrained surveillance: Lawmakers noted the pharmacies policies for releasing medical records in a letter dated Tuesday to the Department of Health and Human Services HHS Secretary Xavier Becerra. The letter--signed by Sen. Ron Wyden D-Ore., Rep. Pramila Jayapal D-Wash., and Rep. Sara...
Friday Squid Blogging: Underwater Sculptures Use Squid Ink for Coloring
The Molinière Underwater Sculpture Park has pieces that are colored in part with squid ink. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
A Robot the Size of the World
In 2016, I wrote about an Internet that affected the world in a direct, physical manner. It was connected to your smartphone. It had sensors like cameras and thermostats. It had actuators: Drones, autonomous cars. And it had smarts in the middle, using sensor data to figure out what to do and the...
Surveillance Cameras Disguised as Clothes Hooks
This seems like a bad idea. And there are ongoing lawsuits against Amazon for selling them...
Surveillance by the US Postal Service
This is not about mass surveillance of mail, this is about the sorts of targeted surveillance the US Postal Inspection Service uses to catch mail thieves: To track down an alleged mail thief, a US postal inspector used license plate reader technology, GPS data collected by a rental car company,...
New Windows/Linux Firmware Attack
Interesting attack based on malicious pre-OS logo images: LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have lurked for years, if not decades, in Unified Extensible Firmware Interfaces responsible for booting modern devices that run Windows or Linux…. The...
Facebook Enables Messenger End-to-End Encryption by Default
Its happened. Details here, and tech details here for messages in transit and here for messages in storage Rollout to everyone will take months, but its a good day for both privacy and security. Slashdot thread...
Friday Squid Blogging: Influencer Accidentally Posts Restaurant Table QR Ordering Code
Another rare security + squid story: The woman--who has only been identified by her surname, Wang--was having a meal with friends at a hotpot restaurant in Kunming, a city in southwest China. When everyone’s selections arrived at the table, she posted a photo of the spread on the Chinese social...
New Bluetooth Attack
New attack breaks forward secrecy in Bluetooth. Three news articles: BLUFFS is a series of exploits targeting Bluetooth, aiming to break Bluetooth sessions forward and future secrecy, compromising the confidentiality of past and future communications between devices. This is achieved by exploitin...
Spying through Push Notifications
When you get a push notification on your Apple or Google phone, those notifications go through Apple and Google servers. Which means that those companies can spy on them--either for their own reasons or in response to government demands. Sen. Wyden is trying to get to the bottom of this: In a...
Security Analysis of a Thirteenth-Century Venetian Election Protocol
Interesting analysis: This paper discusses the protocol used for electing the Doge of Venice between 1268 and the end of the Republic in 1797. We will show that it has some useful properties that in addition to being interesting in themselves, also suggest that its fundamental design principle is...
AI and Mass Spying
Spying and surveillance are different but related things. If I hired a private detective to spy on you, that detective could hide a bug in your home or car, tap your phone, and listen to what you said. At the end, I would get a report of all the conversations you had and the contents of those...
AI and Trust
I trusted a lot today. I trusted my phone to wake me on time. I trusted Uber to arrange a taxi for me, and the driver to get me to the airport safely. I trusted thousands of other drivers on the road not to ram my car on the way. At the airport, I trusted ticket agents and maintenance engineers a...
Friday Squid Blogging: Strawberry Squid in the Galápagos
Scientists have found Strawberry Squid, "whose mismatched eyes help them simultaneously search for prey above and below them," among the coral reefs in the Galápagos Islands. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my...
AI Decides to Engage in Insider Trading
A stock-trading AI a simulated experiment engaged in insider trading, even though it "knew" it was wrong. The agent is put under pressure in three ways. First, it receives a email from its "manager" that the company is not doing well and needs better performance in the next quarter. Second, the...
Extracting GPT’s Training Data
This is clever: The actual attack is kind of silly. We prompt the model with the command "Repeat the word poem forever" and sit back and watch as the model responds complete transcript here. In the abridged example above, the model emits a real email address and phone number of some unsuspecting...
Breaking Laptop Fingerprint Sensors
Theyre not that good: Security researchers Jesse DAguanno and Timo Teräs write that, with varying degrees of reverse-engineering and using some external hardware, they were able to fool the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptic sensor in a Lenovo ThinkPad T14, and the ELAN...
Digital Car Keys Are Coming
Soon we will be able to unlock and start our cars from our phones. Lets hope people are thinking about security...
Secret White House Warrantless Surveillance Program
There seems to be no end to warrantless surveillance: According to the letter, a surveillance program now known as Data Analytical Services DAS has for more than a decade allowed federal, state, and local law enforcement agencies to mine the details of Americans’ calls, analyzing the phone record...
Friday Squid Blogging: Squid Nebula
Pretty photograph. The Squid Nebula is shown in blue, indicating doubly ionized oxygen--which is when you ionize your oxygen once and then ionize it again just to make sure. In all seriousness, it likely indicates a low-mass star nearing the end of its life. As usual, you can also use this squid...
Chocolate Swiss Army Knife
Its realistic looking. If I drop it in a bin with my keys and wallet, will the TSA confiscate it?...
LitterDrifter USB Worm
A new worm that spreads via USB sticks is infecting computers in Ukraine and beyond. The group--known by many names, including Gamaredon, Primitive Bear, ACTINIUM, Armageddon, and Shuckworm--has been active since at least 2014 and has been attributed to Russia’s Federal Security Service by the...
Apple to Add Manual Authentication to iMessage
Signal has had the ability to manually authenticate another account for years. iMessage is getting it: The feature is called Contact Key Verification, and it does just what its name says: it lets you add a manual verification step in an iMessage conversation to confirm that the other person is wh...
Email Security Flaw Found in the Wild
Googles Threat Analysis Group announced a zero-day against the Zimbra Collaboration email server that has been used against governments around the world. TAG has observed four different groups exploiting the same bug to steal email data, user credentials, and authentication tokens. Most of this...
Using Generative AI for Surveillance
Generative AI is going to be a powerful tool for data analysis and summarization. Heres an example of it being used for sentiment analysis. My guess is that it isnt very good yet, but that it will get better...
Friday Squid Blogging: Unpatched Vulnerabilities in the Squid Caching Proxy
In a rare squid/security post, heres an article about unpatched vulnerabilities in the Squid caching proxy. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Ransomware Gang Files SEC Complaint
A ransomware gang, annoyed at not being paid, filed an SEC complaint against its victim for not disclosing its security breach within the required four days. This is over the top, but is just another example of the extreme pressure ransomware gangs put on companies after seizing their data. Gangs...
FTC’s Voice Cloning Challenge
The Federal Trade Commission is running a competition "to foster breakthrough ideas on preventing, monitoring, and evaluating malicious voice cloning."...
Leaving Authentication Credentials in Public Code
Interesting article about a surprisingly common vulnerability: programmers leaving authentication credentials and other secrets in publicly accessible software code: Researchers from security firm GitGuardian this week reported finding almost 4,000 unique secrets stashed inside a total of 450,000...
New SSH Vulnerability
This is interesting: For the first time, researchers have demonstrated that a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise when naturally occurring computational errors occur while the connection is being...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Im speaking at the AI Summit New York on December 6, 2023. The list is maintained on this page...
How .tk Became a TLD for Scammers
Sad story of Tokelau, and how its top-level domain "became the unwitting host to the dark underworld by providing a never-ending supply of domain names that could be weaponized against internet users. Scammers began using .tk websites to do everything from harvesting passwords and payment...
Ten Ways AI Will Change Democracy
Artificial intelligence will change so many aspects of society, largely in ways that we cannot conceive of yet. Democracy, and the systems of governance that surround it, will be no exception. In this short essay, I want to move beyond the "AI-generated disinformation" trope and speculate on some...
Friday Squid Blogging: The History and Morality of US Squid Consumption
Really interesting article. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
The Privacy Disaster of Modern Smart Cars
Article based on a Mozilla report...
Online Retail Hack
Selling miniature replicas to unsuspecting shoppers: Online marketplaces sell tiny pink cowboy hats. They also sell miniature pencil sharpeners, palm-size kitchen utensils, scaled-down books and camping chairs so small they evoke the Stonehenge scene in "This Is Spinal Tap." Many of the minuscule...
Decoupling for Security
This is an excerpt from a longer paper. You can read the whole thing complete with sidebars and illustrations here. Our message is simple: it is possible to get the best of both worlds. We can and should get the benefits of the cloud while taking security back into our own hands. Here we outline ...
Spaf on the Morris Worm
Gene Spafford wrote an essay reflecting on the Morris Worm of 1988--thirty-five years ago. His lessons from then are still applicable today...
Crashing iPhones with a Flipper Zero
The Flipper Zero is an incredibly versatile hacking device. Now it can be used to crash iPhones in its vicinity by sending them a never-ending stream of pop-ups. These types of hacks have been possible for decades, but they require special equipment and a fair amount of expertise. The capabilitie...