2979 matches found
Belgian Tax Hack
Heres a fascinating tax hack from Belgium listen to the details here, episode 484 of "No Such Thing as a Fish," at 28:00. Basically, its about a music festival on the border between Belgium and Holland. The stage was in Holland, but the crowd was in Belgium. When the copyright collector came...
Class-Action Lawsuit for Scraping Data without Permission
I have mixed feelings about this class-action lawsuit against OpenAI and Microsoft, claiming that it "scraped 300 billion words from the internet" without either registering as a data broker or obtaining consent. On the one hand, I want this to be a protected fair use of public data. On the other...
The Password Game
Amusing parody of password rules. BoingBoing: For example, at a certain level, your password must include todays Wordle answer. And then theres rule 27: "At least 50% of your password must be in the Wingdings font." EDITED TO ADD 7/13: Here are all the rules...
Self-Driving Cars Are Surveillance Cameras on Wheels
Police are already using self-driving car footage as video evidence: While security cameras are commonplace in American cities, self-driving cars represent a new level of access for law enforcement and a new method for encroachment on privacy, advocates say. Crisscrossing the city on their...
Friday Squid Blogging: See-Through Squid
Doryteuthis opalescens is known as the market squid, and was critical in the recent squid RNA research. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
The US Is Spying on the UN Secretary General
The Washington Post is reporting that the US is spying on the UN Secretary General. The reports on Guterres appear to contain the secretary generals personal conversations with aides regarding diplomatic encounters. They indicate that the United States relied on spying powers granted under the...
Redacting Documents with a Black Sharpie Doesn’t Work
We have learned this lesson again: As part of the FTC v. Microsoft hearing, Sony supplied a document from PlayStation chief Jim Ryan that includes redacted details on the margins Sony shares with publishers, its Call of Duty revenues, and even the cost of developing some of its games. It looks li...
Stalkerware Vendor Hacked
The stalkerware company LetMeSpy has been hacked: TechCrunch reviewed the leaked data, which included years of victims call logs and text messages dating back to 2013. The database we reviewed contained current records on at least 13,000 compromised devices, though some of the devices shared litt...
Typing Incriminating Evidence in the Memo Field
Dont do it: Recently, the manager of the Harvard Med School morgue was accused of stealing and selling human body parts. Cedric Lodge and his wife Denise were among a half-dozen people arrested for some pretty grotesque crimes. This part is also at least a little bit funny though: Over a three-ye...
Excel Data Forensics
In this detailed article about academic plagiarism are some interesting details about how to do data forensics on Excel files. It really needs the graphics to understand, so see the description at the link. And, yes, an author of a paper on dishonesty is being accused of dishonesty. Theres more...
Friday Squid Blogging: Giggling Squid
Giggling Squid is a Thai chain in the UK. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
UPS Data Harvested for SMS Phishing Attacks
I get UPS phishing spam on my phone all the time. I never click on it, because its so obviously spam. Turns out that hackers have been harvesting actual UPS delivery data from a Canadian tracking tool for its phishing SMSs...
AI as Sensemaking for Public Comments
Its become fashionable to think of artificial intelligence as an inherently dehumanizing technology, a ruthless force of automation that has unleashed legions of virtual skilled laborers in faceless form. But what if AI turns out to be the one tool able to identify what makes your ideas special,...
Ethical Problems in Computer Security
Tadayoshi Kohno, Yasemin Acar, and Wulf Loh wrote excellent paper on ethical thinking within the computer security community: "Ethical Frameworks and Computer Security Trolley Problems: Foundations for Conversation": Abstract: The computer security research community regularly tackles ethical...
Power LED Side-Channel Attack
This is a clever new side-channel attack: The first attack uses an Internet-connected surveillance camera to take a high-speed video of the power LED on a smart card reader--or of an attached peripheral device--during cryptographic operations. This technique allowed the researchers to pull a...
Friday Squid Blogging: Squid Can Edit Their RNA
This is just crazy: Scientists dont yet know for sure why octopuses, and other shell-less cephalopods including squid and cuttlefish, are such prolific editors. Researchers are debating whether this form of genetic editing gave cephalopods an evolutionary leg or tentacle up or whether the editing...
Security and Human Behavior (SHB) 2023
Im just back from the sixteenth Workshop on Security and Human Behavior, hosted by Alessandro Acquisti at Carnegie Mellon University in Pittsburgh. SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security, organized each year by Alessandro...
On the Need for an AI Public Option
Artificial intelligence will bring great benefits to all of humanity. But do we really want to entrust this revolutionary technology solely to a small group of US tech companies? Silicon Valley has produced no small number of moral disappointments. Google retired its "dont be evil" pledge before...
Identifying the Idaho Killer
The New York Times has a long article on the investigative techniques used to identify the person who stabbed and killed four University of Idaho students. Pay attention to the techniques: The case has shown the degree to which law enforcement investigators have come to rely on the digital...
AI-Generated Steganography
New research suggests that AIs can produce perfectly secure steganographic images: Abstract: Steganography is the practice of encoding secret information into innocuous content in such a manner that an adversarial third party would not realize that there is hidden meaning. While this problem has...
Friday Squid Blogging: Light-Emitting Squid
Its a Taningia danae: Their arms are lined with two rows of sharp retractable hooks. And, like most deep-sea squid, they are adorned with light organs called photophores. They have some on the underside of their mantle. There are more facing upward, near one of their eyes. But it’s the photophore...
Operation Triangulation: Zero-Click iPhone Malware
Kaspersky is reporting a zero-click iOS exploit in the wild: Mobile device backups contain a partial copy of the filesystem, including some of the user data and service databases. The timestamps of the files, folders and the database records allow to roughly reconstruct the events happening to th...
Paragon Solutions Spyware: Graphite
Paragon Solutions is yet another Israeli spyware company. Their product is called "Graphite," and is a lot like NSO Groups Pegasus. And Paragon is working with what seems to be US approval: American approval, even if indirect, has been at the heart of Paragons strategy. The company sought a list ...
How Attorneys Are Harming Cybersecurity Incident Response
New paper: "Lessons Lost: Incident Response in the Age of Cyber Insurance and Breach Attorneys": Abstract: Incident Response IR allows victim firms to detect, contain, and recover from security incidents. It should also help the wider community avoid similar attacks in the future. In pursuit of...
Snowden Ten Years Later
In 2013 and 2014, I wrote extensively about new revelations regarding NSA surveillance based on the documents provided by Edward Snowden. But I had a more personal involvement as well. I wrote the essay below in September 2013. The New Yorker agreed to publish it, but the Guardian asked me not to...
The Software-Defined Car
Developers are starting to talk about the software-defined car. For decades, features have accumulated like cruft in new vehicles: a box here to control the antilock brakes, a module there to run the cruise control radar, and so on. Now engineers and designers are rationalizing the way they go...
Friday Squid Blogging: Squid Chromolithographs
Beautiful illustrations. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. EDITED TO ADD 6/4: Slashdot thread...
Open-Source LLMs
In February, Meta released its large language model: LLaMA. Unlike OpenAI and its ChatGPT, Meta didnt just give the world a chat window to play with. Instead, it released the code into the open-source community, and shortly thereafter the model itself was leaked. Researchers and programmers...
On the Catastrophic Risk of AI
Earlier this week, I signed on to a short group statement, coordinated by the Center for AI Safety: Mitigating the risk of extinction from AI should be a global priority alongside other societal-scale risks such as pandemics and nuclear war. The press coverage has been extensive, and surprising t...
Chinese Hacking of US Critical Infrastructure
Everyone is writing about an interagency and international report on Chinese hacking of US critical infrastructure. Lots of interesting details about how the group, called Volt Typhoon, accesses target networks and evades detection...
Brute-Forcing a Fingerprint Reader
Its neither hard nor expensive: Unlike password authentication, which requires a direct match between what is inputted and whats stored in a database, fingerprint authentication determines a match using a reference threshold. As a result, a successful fingerprint brute-force attack requires only...
Friday Squid Blogging: Online Cephalopod Course
Atlas Obscura has a five-part online course on cephalopods, taught by squid biologist Dr. Sarah McAnulty. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Expeditionary Cyberspace Operations
Cyberspace operations now officially has a physical dimension, meaning that the United States has official military doctrine about cyberattacks that also involve an actual human gaining physical access to a piece of computing infrastructure. A revised version of Joint Publication 3-12 Cyberspace...
On the Poisoning of LLMs
Interesting essay on the poisoning of LLMs--ChatGPT in particular: Given that weve known about model poisoning for years, and given the strong incentives the black-hat SEO crowd has to manipulate results, its entirely possible that bad actors have been poisoning ChatGPT for months. We dont know...
Indiana, Iowa, and Tennessee Pass Comprehensive Privacy Laws
Its been a big month for US data privacy. Indiana, Iowa, and Tennessee all passed state privacy laws, bringing the total number of states with a privacy law up to eight. No private right of action in any of those, which means its up to the states to enforce the laws...
Credible Handwriting Machine
In case you dont have enough to worry about, someone has built a credible handwriting machine: This is still a work in progress, but the project seeks to solve one of the biggest problems with other homework machines, such as this one that I covered a few months ago after it blew up on social...
Google Is Not Deleting Old YouTube Videos
Google has backtracked on its plan to delete inactive YouTube videos--at least for now. Of course, it could change its mind anytime it wants. It would be nice if this would get people to think about the vulnerabilities inherent in letting a for-profit monopoly decide what of human creativity is...
Friday Squid Blogging: Peruvian Squid-Fishing Regulation Drives Chinese Fleets Away
A Peruvian oversight law has the opposite effect: Peru in 2020 began requiring any foreign fishing boat entering its ports to use a vessel monitoring system allowing its activities to be tracked in real time 24 hours a day. The equipment, which tracks a vessels geographic position and fishing...
Security Risks of New .zip and .mov Domains
Researchers are worried about Googles .zip and .mov domains, because they are confusing. Mistaking a URL for a filename could be a security vulnerability...
Microsoft Secure Boot Bug
Microsoft is currently patching a zero-day Secure-Boot bug. The BlackLotus bootkit is the first-known real-world malware that can bypass Secure Boot protections, allowing for the execution of malicious code before your PC begins loading Windows and its many security protections. Secure Boot has...
Micro-Star International Signing Key Stolen
Micro-Star International--aka MSI--had its UEFI signing key stolen last month. This raises the possibility that the leaked key could push out updates that would infect a computers most nether regions without triggering a warning. To make matters worse, Matrosov said, MSI doesnt have an automated...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at IT-S Now 2023 in Vienna, Austria, on June 2, 2023 at 8:30 AM CEST. The list is maintained on this page...
Friday Squid Blogging: Giant Squid Video
A video--authentic, not a deep fake--of a giant squid close to the surface. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Ted Chiang on the Risks of AI
Ted Chiang has an excellent essay in the New Yorker: "Will A.I. Become the New McKinsey?" The question we should be asking is: as A.I. becomes more powerful and flexible, is there any way to keep it from being another version of McKinsey? The question is worth considering across different meaning...
Building Trustworthy AI
We will all soon get into the habit of using AI tools for help with everyday problems and tasks. We should get in the habit of questioning the motives, incentives, and capabilities behind them, too. Imagine youre using an AI chatbot to plan a vacation. Did it suggest a particular resort because i...
FBI Disables Russian Malware
Reuters is reporting that the FBI "had identified and disabled malware wielded by Russias FSB security service against an undisclosed number of American computers, a move they hoped would deal a death blow to one of Russias leading cyber spying programs." The headline says that the FBI "sabotaged...
PIPEDREAM Malware against Industrial Control Systems
Another nation-state malware, Russian in origin: In the early stages of the war in Ukraine in 2022, PIPEDREAM, a known malware was quietly on the brink of wiping out a handful of critical U.S. electric and liquid natural gas sites. PIPEDREAM is an attack toolkit with unmatched and unprecedented...
AI Hacking Village at DEF CON This Year
At DEF CON this year, Anthropic, Google, Hugging Face, Microsoft, NVIDIA, OpenAI and Stability AI will all open up their models for attack. The DEF CON event will rely on an evaluation platform developed by Scale AI, a California company that produces training for AI applications. Participants wi...
Friday Squid Blogging: “Mediterranean Beef Squid” Hoax
The viral video of the "Mediterranean beef squid"is a hoax. Its not even a deep fake; its a plastic toy. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Large Language Models and Elections
Earlier this week, the Republican National Committee released a video that it claims was "built entirely with AI imagery." The content of the ad isnt especially novel--a dystopian vision of America under a second term with President Joe Biden--but the deliberate emphasis on the technology used to...