2979 matches found
Friday Squid Blogging: When the Octopus and Squid Lost Their Shells
Cephalopod ancestors once had shells. When did they lose them? With the molecular clock technique, which allowed him to use DNA to map out the evolutionary history of the cephalopods, he found that today's cuttlefish, squids and octopuses began to appear 160 to 100 million years ago, during the...
Clickable Endnotes to Click Here to Kill Everybody
In Click Here to Kill Everybody, I promised clickable endnotes. They're finally available...
Presidential Candidate Andrew Yang Has Quantum Encryption Policy
At least one presidential candidate has a policy about quantum computing and encryption. It has two basic planks. One: fund quantum-resistant encryption standards. Note: NIST is already doing this. Two, fund quantum computing. Unlike many far more pressing computer security problems, the market...
Resetting Your GE Smart Light Bulb
If you need to reset the software in your GE smart light bulb -- firmware version 2.8 or later -- just follow these easy instructions: Start with your bulb off for at least 5 seconds. 1. Turn on for 8 seconds 2. Turn off for 2 seconds 3. Turn on for 8 seconds 4. Turn off for 2 seconds 5. Turn on...
Details of the Cloud Hopper Attacks
Reuters has a long article on the Chinese government APT attack called Cloud Hopper. It was much bigger than originally reported. The hacking campaign, known as "Cloud Hopper," was the subject of a U.S. indictment in December that accused two Chinese nationals of identity theft and fraud...
Cell Networks Hacked by (Probable) Nation-State Attackers
A sophisticated attacker has successfuly infiltrated cell providers to collect information on specific users: The hackers have systematically broken in to more than 10 cell networks around the world to date over the past seven years to obtain massive amounts of call records -- including times and...
Cardiac Biometric
MIT Technology Review is reporting about an infrared laser device that can identify people by their unique cardiac signature at a distance: A new device, developed for the Pentagon after US Special Forces requested it, can identify people without seeing their face: instead it detects their unique...
Ransomware Recovery Firms Who Secretly Pay Hackers
ProPublica is reporting on companies that pretend to recover data locked up by ransomware, but just secretly pay the hackers and then mark up the cost to the victims...
Friday Squid Blogging: Squid Cars
Jalopnik asks the important question: "If squids ruled the earth, what would their cars be like?" As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Applied Cryptography is Banned in Oregon Prisons
My Applied Cryptography is on a list of books banned in Oregon prisons. It's not me -- and it's not cryptography -- it's that the prisons ban books that teach people to code. The subtitle is "Algorithms, Protocols, and Source Code in C" -- and that's the reason. My more recent Cryptography...
Research on Human Honesty
New research from Science: "Civic honesty around the globe": Abstract: Civic honesty is essential to social capital and economic development, but is often in conflict with material self-interest. We examine the trade-off between honesty and self-interest using field experiments in 355 cities...
US Journalist Detained When Returning to US
Pretty horrible story of a US journalist who had his computer and phone searched at the border when returning to the US from Mexico. After I gave him the password to my iPhone, Moncivias spent three hours reviewing hundreds of photos and videos and emails and calls and texts, including encrypted...
Digital License Plates
They're a thing: Developers say digital plates utilize "advanced telematics" -- to collect tolls, pay for parking and send out Amber Alerts when a child is abducted. They also help recover stolen vehicles by changing the display to read "Stolen," thereby alerting everyone within eyeshot. This mak...
Google Releases Basic Homomorphic Encryption Tool
Google has released an open-source cryptographic tool: Private Join and Compute. From a Wired article: Private Join and Compute uses a 1970s methodology known as "commutative encryption" to allow data in the data sets to be encrypted with multiple keys, without it mattering which order the keys a...
Yubico Security Keys with a Crypto Flaw
Wow, is this an embarrassing bug: Yubico is recalling a line of security keys used by the U.S. government due to a firmware flaw. The company issued a security advisory today that warned of an issue in YubiKey FIPS Series devices with firmware versions 4.4.2 and 4.4.4 that reduced the randomness ...
Friday Squid Blogging: Fantastic Video of a Juvenile Giant Squid
It's amazing: Then, about 20 hours into the recording from the Medusa's fifth deployment, Dr. Robinson saw the sharp points of tentacles sneaking into the camera's view. "My heart felt like exploding," he said on Thursday, over a shaky phone connection from the ship's bridge. At first, the animal...
I'm Leaving IBM
Today is my last day at IBM. If you've been following along, IBM bought my startup Resilient Systems in Spring 2016. Since then, I have been with IBM, holding the nicely ambiguous title of "Special Advisor." As of the end of the month, I will be back on my own. I will continue to write and speak,...
Cellebrite Claims It Can Unlock Any iPhone
The digital forensics company Cellebrite now claims it can unlock any iPhone. I dithered before blogging this, not wanting to give the company more publicity. But I decided that everyone who wants to know already knows, and that Apple already knows. It's all of us that need to know...
Spanish Soccer League App Spies on Fans
The Spanish Soccer League's smartphone app spies on fans in order to find bars that are illegally streaming its games. The app listens with the microphone for the broadcasts, and then uses geolocation to figure out where the phone is. The Spanish data protection agency has ordered the league to...
MongoDB Offers Field Level Encryption
MongoDB now has the ability to encrypt data by field: MongoDB calls the new feature Field Level Encryption. It works kind of like end-to-end encrypted messaging, which scrambles data as it moves across the internet, revealing it only to the sender and the recipient. In such a "client-side"...
Person in Latex Mask Impersonated French Minister
Forget deep fakes. Someone wearing a latex mask fooled people on video calls for a period of two years, successfully scamming 80 million euros from rich French citizens...
Florida City Pays Ransomware
Learning from the huge expenses Atlanta and Baltimore incurred by refusing to pay ransomware, the Florida City of Riveria Beach decided to pay up. The ransom amount of almost $600,000 is a lot, but much cheaper than the alternative...
iPhone Apps Surreptitiously Communicated with Unknown Servers
Long news article alternate source on iPhone privacy, specifically the enormous amount of data your apps are collecting without your knowledge. A lot of this happens in the middle of the night, when you're probably not otherwise using your phone: IPhone apps I discovered tracking me by passing...
Election Security
Stanford University's Cyber Policy Center has published a long report on the security of US elections. Summary: it's not good...
Friday Squid Blogging: Squid Tea Bags
It's pu'er tea -- from Japan. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Backdoor Built into Android Firmware
In 2017, some Android phones came with a backdoor pre-installed: Criminals in 2017 managed to get an advanced backdoor preinstalled on Android devices before they left the factories of manufacturers, Google researchers confirmed on Thursday. Triada first came to light in 2016 in articles publishe...
Fake News and Pandemics
When the next pandemic strikes, we'll be fighting it on two fronts. The first is the one you immediately think about: understanding the disease, researching a cure and inoculating the population. The second is new, and one you might not have thought much about: fighting the deluge of rumors,...
How Apple's "Find My" Feature Works
Matthew Green intelligently speculates about how Apple's new "Find My" feature works. If you haven't already been inspired by the description above, let me phrase the question you ought to be asking: how is this system going to avoid being a massive privacy nightmare? Let me count the concerns: I...
Hacking Hardware Security Modules
Security researchers Gabriel Campana and Jean-Baptiste Bédrune are giving a hardware security module HSM talk at BlackHat in August: This highly technical presentation targets an HSM manufactured by a vendor whose solutions are usually found in major banks and large cloud service providers. It wi...
Risks of Password Managers
Stuart Schechter writes about the security risks of using a password manager. It's a good piece, and nicely discusses the trade-offs around password managers: which one to choose, which passwords to store in it, and so on. My own Password Safe is mentioned. My particular choices about security an...
Maciej Cegłowski on Privacy in the Information Age
Maciej Cegłowski has a really good essay explaining how to think about privacy today: For the purposes of this essay, I'll call it "ambient privacy" -- the understanding that there is value in having our everyday interactions with one another remain outside the reach of monitoring, and that the...
Data, Surveillance, and the AI Arms Race
According to foreign policy experts and the defense establishment, the United States is caught in an artificial intelligence arms race with China -- one with serious implications for national security. The conventional version of this story suggests that the United States is at a disadvantage...
Friday Squid Blogging: Climate Change Could be Good for Squid
Basically, they thrive in a high CO2 environment, because it doesn't bother them and makes their prey weaker. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm speaking on "Securing a World of Physically Capable Computers" at Oxford University on Monday, June 17, 2019. The list is maintained on this page...
Computers and Video Surveillance
It used to be that surveillance cameras were passive. Maybe they just recorded, and no one looked at the video unless they needed to. Maybe a bored guard watched a dozen different screens, scanning for something interesting. In either case, the video was only stored for a few days because storage...
Video Surveillance by Computer
The ACLU's Jay Stanley has just published a fantastic report: "The Dawn of Robot Surveillance" blog post here Basically, it lays out a future of ubiquitous video cameras watched by increasingly sophisticated video analytics software, and discusses the potential harms to society. I'm not going to...
Report on the Stalkerware Industry
Citizen Lab just published an excellent report on the stalkerware industry. Boing Boing post...
Rock-Paper-Scissors Robot
How in the world did I not know about this for three years? Researchers at the University of Tokyo have developed a robot that always wins at rock-paper-scissors. It watches the human player's hand, figures out which finger position the human is about to deploy, and reacts quickly enough to alway...
Workshop on the Economics of Information Security
Last week, I hosted the eighteenth Workshop on the Economics of Information Security at Harvard. Ross Anderson liveblogged the talks...
Employment Scam
Interesting story of an old-school remote-deposit capture fraud scam, wrapped up in a fake employment scam. Slashdot thread...
Friday Squid Blogging: Possible New Squid Species
NOAA video. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
iOS Shortcut for Recording the Police
"Hey Siri; I'm getting pulled over" can be a shortcut: Once the shortcut is installed and configured, you just have to say, for example, "Hey Siri, I'm getting pulled over." Then the program pauses music you may be playing, turns down the brightness on the iPhone, and turns on "do not disturb"...
Security and Human Behavior (SHB) 2019
Today is the second day of the twelfth Workshop on Security and Human Behavior, which I am hosting at Harvard University. SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security, organized each year by Alessandro Acquisti, Ross Anderson, and...
Chinese Military Wants to Develop Custom OS
Citing security concerns, the Chinese military wants to replace Windows with its own custom operating system: Thanks to the Snowden, Shadow Brokers, and Vault7 leaks, Beijing officials are well aware of the US' hefty arsenal of hacking tools, available for anything from smart TVs to Linux servers...
Lessons Learned Trying to Secure Congressional Campaigns
Really interesting first-hand experience from Maciej Cegłowski...
The Cost of Cybercrime
Really interesting paper calculating the worldwide cost of cybercrime: Abstract: In 2012 we presented the first systematic study of the costs of cybercrime. In this paper,we report what has changed in the seven years since. The period has seen major platform evolution, with the mobile phone...
The Importance of Protecting Cybersecurity Whistleblowers
Interesting essay arguing that we need better legislation to protect cybersecurity whistleblowers. Congress should act to protect cybersecurity whistleblowers because information security has never been so important, or so challenging. In the wake of a barrage of shocking revelations about data...
The Human Cost of Cyberattacks
The International Committee of the Red Cross has just published a report: "The Potential Human Cost of Cyber-Operations." It's the result of an "ICRC Expert Meeting" from last year, but was published this week. Here's a shorter blog post if you don't want to read the whole thing. And commentary b...
Friday Squid Blogging: Hundred-Million-Year-Old Squid Relative Found in Amber
This is a really interesting find. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Fraudulent Academic Papers
The term "fake news" has lost much of its meaning, but it describes a real and dangerous Internet trend. Because it's hard for many people to differentiate a real news site from a fraudulent one, they can be hoodwinked by fictitious news stories pretending to be real. The result is that otherwise...