Hacking Trains

Seems like an old system system that predates any care about security: The flaw has to do with the protocol used in a train system known as the End-of-Train and Head-of-Train. A Flashing Rear End Device FRED, also known as an End-of-Train EOT device, is attached to the back of a train and sends...

Report from the Cambridge Cybercrime Conference

The Cambridge Cybercrime Conference was held on 23 June. Summaries of the presentations are here...

Squid Dominated the Oceans in the Late Cretaceous

New research: One reason the early years of squids has been such a mystery is because squids' lack of hard shells made their fossils hard to come by. Undeterred, the team instead focused on finding ancient squid beaks--hard mouthparts with high fossilization potential that could help the team...

Tradecraft in the Information Age

Long article on the difficulty impossibility? of human spying in the age of ubiquitous digital surveillance...

Using Signal Groups for Activism

Good tutorial by Micah Lee. It includes some nonobvious use cases...

Yet Another Strava Privacy Leak

This time it's the Swedish prime minister's bodyguards. Last year, it was the US Secret Service and Emmanuel Macron's bodyguards. in 2018, it was secret US military bases. This is ridiculous. Why do people continue to make their data public?...

Hiding Prompt Injections in Academic Papers

Academic papers were found to contain hidden instructions to LLMs: It discovered such prompts in 17 articles, whose lead authors are affiliated with 14 institutions including Japan's Waseda University, South Korea's KAIST, China's Peking University and the National University of Singapore, as wel...

Friday Squid Blogging: How Squid Skin Distorts Light

New research. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...

Surveillance Used by a Drug Cartel

Once you build a surveillance system, you can't control who will use it: A hacker working for the Sinaloa drug cartel was able to obtain an FBI official’s phone records and use Mexico City’s surveillance cameras to help track and kill the agency’s informants in 2018, according to a new US justice...

Ubuntu Disables Spectre/Meltdown Protections

A whole class of speculative execution attacks against CPUs were published in 2018. They seemed pretty catastrophic at the time. But the fixes were as well. Speculative execution was a way to speed up CPUs, and removing those enhancements resulted in significant performance drops. Now, people are...

Iranian Blackout Affected Misinformation Campaigns

Dozens of accounts on X that promoted Scottish independence went dark during an internet blackout in Iran. Well, that's one way to identify fake accounts and misinformation campaigns...

How Cybersecurity Fears Affect Confidence in Voting Systems

American democracy runs on trust, and that trust is cracking. Nearly half of Americans, both Democrats and Republicans, question whether elections are conducted fairly. Some voters accept election results only when their side wins. The problem isn't just political polarization--it's a creeping...

Friday Squid Blogging: What to Do When You Find a Squid “Egg Mop”

Tips on what to do if you find a mop of squid eggs. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...

The Age of Integrity

We need to talk about data integrity. Narrowly, the term refers to ensuring that data isn’t tampered with, either in transit or in storage. Manipulating account balances in bank databases, removing entries from criminal records, and murder by removing notations about allergies from medical record...

White House Bans WhatsApp

Reuters is reporting that the White House has banned WhatsApp on all employee devices: The notice said the "Office of Cybersecurity has deemed WhatsApp a high risk to users due to the lack of transparency in how it protects user data, absence of stored data encryption, and potential security risk...

What LLMs Know About Their Users

Simon Willison talks about ChatGPT's new memory dossier feature. In his explanation, he illustrates how much the LLM--and the company--knows about its users. It's a big quote, but I want you to read it all. Here's a prompt you can use to give you a solid idea of what's in that summary. I first sa...

Here’s a Subliminal Channel You Haven’t Considered Before

Scientists can manipulate air bubbles trapped in ice to encode messages...

Largest DDoS Attack to Date

It was a recently unimaginable 7.3 Tbps: The vast majority of the attack was delivered in the form of User Datagram Protocol packets. Legitimate UDP-based transmissions are used in especially time-sensitive communications, such as those for video playback, gaming applications, and DNS lookups. It...

Friday Squid Blogging: Gonate Squid Video

This is the first ever video of the Antarctic Gonate Squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered...

Surveillance in the US

Good article from 404 Media on the cozy surveillance relationship between local Oregon police and ICE: In the email thread, crime analysts from several local police departments and the FBI introduced themselves to each other and made lists of surveillance tools and tactics they have access to and...

Self-Driving Car Video Footage

Two articles crossed my path recently. First, a discussion of all the video Waymo has from outside its cars: in this case related to the LA protests. Second, a discussion of all the video Tesla has from inside its cars. Lots of things are collecting lots of video of lots of other things. How and...

Ghostwriting Scam

The variations seem to be endless. Here's a fake ghostwriting scam that seems to be making boatloads of money. This is a big story about scams being run from Texas and Pakistan estimated to run into tens if not hundreds of millions of dollars, viciously defrauding Americans with false hopes of...

Where AI Provides Value

If you've worried that AI might take your job, deprive you of your livelihood, or maybe even replace your role in society, it probably feels good to see the latest AI tools fail spectacularly. If AI recommends glue as a pizza topping, then you're safe for another day. But the fact remains that AI...

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: I'm speaking at the International Conference on Digital Trust, AI and the Future in Edinburgh, Scotland on Tuesday, June 24 at 4:00 PM. The list is maintained on this page...

Friday Squid Blogging: Stubby Squid

Video of the stubby squid Rossia pacifica from offshore Vancouver Island. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered...

Paragon Spyware Used to Spy on European Journalists

Paragon is an Israeli spyware company, increasingly in the news now that NSO Group seems to be waning. "Graphite" is the name of its product. Citizen Lab caught it spying on multiple European journalists with a zero-click iOS exploit: On April 29, 2025, a select group of iOS users were notified b...

Airlines Secretly Selling Passenger Data to the Government

This is news: A data broker owned by the country's major airlines, including Delta, American Airlines, and United, collected U.S. travellers' domestic flight records, sold access to them to Customs and Border Protection CBP, and then as part of the contract told CBP to not reveal where the data...

New Way to Covertly Track Android Users

Researchers have discovered a new way to covertly track Android users. Both Meta and Yandex were using it, but have suddenly stopped now that they have been caught. The details are interesting, and worth reading in detail: Tracking code that Meta and Russia-based Yandex embed into millions of...

Friday Squid Blogging: Squid Run in Southern New England

Southern New England is having the best squid run in years. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered...

Hearing on the Federal Government and AI

On Thursday I testified before the House Committee on Oversight and Government Reform at a hearing titled "The Federal Government in the Age of Artificial Intelligence." The other speakers mostly talked about how cool AI was--and sometimes about how cool their own company was--but I was asked by...

Report on the Malicious Uses of AI

OpenAI just published its annual report on malicious uses of AI. By using AI as a force multiplier for our expert investigative teams, in the three months since our last report we’ve been able to detect, disrupt and expose abusive activity including social engineering, cyber espionage, deceptive...

The Ramifications of Ukraine’s Drone Attack

You can read the details of Operation Spiderweb elsewhere. What interests me are the implications for future warfare: If the Ukrainians could sneak drones so close to major air bases in a police state such as Russia, what is to prevent the Chinese from doing the same with U.S. air bases? Or the...

New Linux Vulnerabilities

They're interesting: Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to access sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux...

Australia Requires Ransomware Victims to Declare Payments

A new Australian law requires larger companies to declare any ransomware payments they have made...

Why Take9 Won’t Improve Cybersecurity

There's a new cybersecurity awareness campaign: Take9. The idea is that people--you, me, everyone--should just pause for nine seconds and think more about the link they are planning to click on, the file they are planning to download, or whatever it is they are planning to share. There's a...

Friday Squid Blogging: NGC 1068 Is the “Squid Galaxy”

I hadn't known that the NGC 1068 galaxy is nicknamed the "Squid Galaxy." It is, and it's spewing neutrinos without the usual accompanying gamma rays. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered...

Surveillance Via Smart Toothbrush

The only links are from The Daily Mail and The Mirror, but a marital affair was discovered because the cheater was recorded using his smart toothbrush at home when he was supposed to be at work...

Location Tracking App for Foreigners in Moscow

Russia is proposing a rule that all foreigners in Moscow install a tracking app on their phones. Using a mobile application that all foreigners will have to install on their smartphones, the Russian state will receive the following information: Residence location Fingerprint Face photograph...

Chinese-Owned VPNs

One one my biggest worries about VPNs is the amount of trust users need to place in them, and how opaque most of them are about who owns them and what sorts of data they retain. A new study found that many commercials VPNS are often surreptitiously owned by Chinese companies. It would be hard for...

Friday Squid Blogging: US Naval Ship Attacked by Squid in 1978

Interesting story: USS Stein was underway when her anti-submarine sonar gear suddenly stopped working. On returning to port and putting the ship in a drydock, engineers observed many deep scratches in the sonar dome's rubber "NOFOUL" coating. In some areas, the coating was described as being...

Signal Blocks Windows Recall

This article gives a good rundown of the security risks of Windows Recall, and the repurposed copyright protection took that Signal used to block the AI feature from scraping Signal data...

The Voter Experience

Technology and innovation have transformed every part of society, including our electoral experiences. Campaigns are spending and doing more than at any other time in history. Ever-growing war chests fuel billions of voter contacts every cycle. Campaigns now have better ways of scaling outreach...

More AIs Are Taking Polls and Surveys

I already knew about the declining response rate for polls and surveys. The percentage of AI bots that respond to surveys is also increasing. Solutions are hard: 1. Make surveys less boring. We need to move past bland, grid-filled surveys and start designing experiences people actually want to...

DoorDash Hack

A DoorDash driver stole over $2.5 million over several months: The driver, Sayee Chaitainya Reddy Devagiri, placed expensive orders from a fraudulent customer account in the DoorDash app. Then, using DoorDash employee credentials, he manually assigned the orders to driver accounts he and the othe...

The NSA’s “Fifty Years of Mathematical Cryptanalysis (1937–1987)”

In response to a FOIA request, the NSA released "Fifty Years of Mathematical Cryptanalysis 1937-1987," by Glenn F. Stahly, with a lot of redactions. Weirdly, this is the second time the NSA has declassified the document. John Young got a copy in 2019. This one has a few less redactions. And nothi...

Friday Squid Blogging: Pet Squid Simulation

From Hackaday.com, this is a neural network simulation of a pet squid. Autonomous Behavior: The squid moves autonomously, making decisions based on his current state hunger, sleepiness, etc.. Implements a vision cone for food detection, simulating realistic foraging behavior. Neural network can...

Communications Backdoor in Chinese Power Inverters

This is a weird story: U.S. energy officials are reassessing the risk posed by Chinese-made devices that play a critical role in renewable energy infrastructure after unexplained communication equipment was found inside some of them, two people familiar with the matter said. … Over the past nine...

AI-Generated Law

On April 14, Dubai's ruler, Sheikh Mohammed bin Rashid Al Maktoum, announced that the United Arab Emirates would begin using artificial intelligence to help write its laws. A new Regulatory Intelligence Office would use the technology to "regularly suggest updates" to the law and "accelerate the...

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: I'm speaking remotely at the Sektor 3.0 Festival in Warsaw, Poland, May 21-22, 2025. The list is maintained on this page...

Google’s Advanced Protection Now on Android

Google has extended its Advanced Protection features to Android devices. It's not for everybody, but something to be considered by high-risk users. Wired article, behind a paywall...