2959 matches found

Schneier on Security
added 2025/05/13 11:7 a.m., 10 views

Court Rules Against NSO Group

The case is over: A jury has awarded WhatsApp $167 million in punitive damages in a case the company brought against Israel-based NSO Group for exploiting a software vulnerability that hijacked the phones of thousands of users. I'm sure it'll be appealed. Everything always is...

AI score: 7.3
Exploits: 0

Schneier on Security
added 2025/05/12 11:1 a.m., 11 views

Florida Backdoor Bill Fails

A Florida bill requiring encryption backdoors failed to pass...

AI score: 7.3
Exploits: 0

Schneier on Security
added 2025/05/09 9:5 p.m., 10 views

Friday Squid Blogging: Japanese Divers Video Giant Squid

The video is really amazing. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/05/07 11:3 a.m., 12 views

Chinese AI Submersible

A Chinese company has developed an AI-piloted submersible that can reach speeds "similar to a destroyer or a US Navy torpedo," dive "up to 60 metres underwater," and "remain static for more than a month, like the stealth capabilities of a nuclear submarine." In case you're worried about the...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/05/06 11:3 a.m., 8 views

Fake Student Fraud in Community Colleges

Reporting on the rise of fake students enrolling in community college courses: The bots' goal is to bilk state and federal financial aid money by enrolling in classes, and remaining enrolled in them, long enough for aid disbursements to go out. They often accomplish this by submitting AI-generate...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/05/05 4:2 p.m., 3 views

Another Move in the Deepfake Creation/Detection Arms Race

Deepfakes are now mimicking heartbeats. In a nutshell: Recent research reveals that high-quality deepfakes unintentionally retain the heartbeat patterns from their source videos, undermining traditional detection methods that relied on detecting subtle skin color changes linked to heartbeats. The...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/05/02 9:2 p.m., 6 views

Friday Squid Blogging: Pyjama Squid

The small pyjama squid Sepioloidea lineolata produces toxic slime, "a rare example of a poisonous predatory mollusc." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/05/02 6:4 p.m., 4 views

Privacy for Agentic AI

Sooner or later, it's going to happen. AI systems will start acting as agents, doing things on our behalf with some degree of autonomy. I think it's worth thinking about the security of that now, while it's still a nascent idea. In 2019, I joined Inrupt, a company that is commercializing Tim...

AI score: 6.8
Exploits: 0

Schneier on Security
added 2025/05/02 11:3 a.m., 7 views

NCSC Guidance on “Advanced Cryptography”

The UK's National Cyber Security Centre just released its white paper on "Advanced Cryptography," which it defines as "cryptographic techniques for processing encrypted data, providing enhanced functionality over and above that provided by traditional cryptography." It includes things like...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/05/01 4:2 p.m., 5 views

US as a Surveillance State

Two essays were just published on DOGE's data collection and aggregation, and how it ends with a modern surveillance state. It's good to see this finally being talked about. EDITED TO ADD 5/3: Here's a free link to that first essay...

AI score: 7.3
Exploits: 0

Schneier on Security
added 2025/04/30 11:12 a.m., 7 views

WhatsApp Case Against NSO Group Progressing

Meta is suing NSO Group, basically claiming that the latter hacks WhatsApp and not just WhatsApp users. We have a procedural ruling: Under the order, NSO Group is prohibited from presenting evidence about its customers' identities, implying the targeted WhatsApp users are suspected or actual...

AI score: 7.3
Exploits: 0

Schneier on Security
added 2025/04/29 11:3 a.m., 9 views

Applying Security Engineering to Prompt Injection Security

This seems like an important advance in LLM security against prompt injection: Google DeepMind has unveiled CaMeL (CApabilities for MachinE Learning), a new approach to stopping prompt-injection attacks that abandons the failed strategy of having AI models police themselves. Instead, CaMeL treats...

AI score: 7.4
Exploits: 0

Schneier on Security
added 2025/04/28 6:17 p.m., 15 views

Windscribe Acquitted on Charges of Not Collecting Users’ Data

The company doesn't keep logs, so couldn't turn over data: Windscribe, a globally used privacy-first VPN service, announced today that its founder, Yegor Sak, has been fully acquitted by a court in Athens, Greece, following a two-year legal battle in which Sak was personally charged in connection...

AI score: 7
Exploits: 0

Schneier on Security
added 2025/04/25 9:8 p.m., 8 views

Friday Squid Blogging: Squid Facts on Your Phone

Text "SQUID" to 1-833-SCI-TEXT for daily squid facts. The website has merch. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered...

AI score: 7.3
Exploits: 0

Schneier on Security
added 2025/04/25 11:7 a.m., 8 views

Cryptocurrency Thefts Get Physical

Long story of a $250 million cryptocurrency theft that, in a complicated chain of events, resulted in a pretty brutal kidnapping...

AI score: 7.3
Exploits: 0

Schneier on Security
added 2025/04/24 7:35 p.m., 11 views

New Linux Rootkit

Interesting: The company has released a working rootkit called "Curing" that uses io_uring, a feature built into the Linux kernel, to stealthily perform malicious activities without being caught by many of the detection solutions currently on the market. At the heart of the issue is the heavy...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/04/23 4:2 p.m., 12 views

Regulating AI Behavior with a Hypervisor

Interesting research: "Guillotine: Hypervisors for Isolating Malicious AIs." Abstract: As AI models become more embedded in critical sectors like finance, healthcare, and the military, their inscrutable behavior poses ever-greater risks to society. To mitigate this risk, we propose Guillotine, a...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/04/22 4:3 p.m., 9 views

Android Improves Its Security

Android phones will soon reboot themselves after sitting idle for three days. iPhones have had this feature for a while; it's nice to see Google add it to their phones...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/04/18 9:2 p.m., 13 views

Friday Squid Blogging: Live Colossal Squid Filmed

A live colossal squid was filmed for the first time in the ocean. It's only a juvenile: a foot long. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/04/17 4:38 p.m., 9 views

Age Verification Using Facial Scans

Discord is testing the feature: "We're currently running tests in select regions to age-gate access to certain spaces or user settings," a spokesperson for Discord said in a statement. "The information shared to power the age verification method is only used for the one-time age verification...

AI score: 6.8
Exploits: 0

Schneier on Security
added 2025/04/16 3:19 p.m., 16 views

CVE Program Almost Unfunded

Mitre's CVE program--which provides common naming and other informational resources about cybersecurity vulnerabilities--was about to be cancelled, as the US Department of Homeland Security failed to renew the contract. It was funded for eleven more months at the last minute. This is a big deal...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/04/15 4:2 p.m., 9 views

Slopsquatting

As AI coding assistants invent nonexistent software libraries to download and use, enterprising attackers create and upload libraries with those names--laced with malware, of course. EDITED TO ADD 1/22: Research paper. Slashdot thread...

AI score: 7.4
Exploits: 0

Schneier on Security
added 2025/04/14 4:4 p.m., 6 views

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: I'm giving an online talk on AI and trust for the Weizenbaum Institute on April 24, 2025 at 2:00 PM CEST (8:00 AM ET). The list is maintained on this page...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/04/14 11:8 a.m., 6 views

China Sort of Admits to Being Behind Volt Typhoon

The Wall Street Journal has the story: Chinese officials acknowledged in a secret December meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers ar...

AI score: 7.3
Exploits: 0

Schneier on Security
added 2025/04/11 11:6 a.m., 6 views

Friday Squid Blogging: Squid and Efficient Solar Tech

Researchers are trying to use squid color-changing biochemistry for solar tech. This appears to be new and related research to a 2019 squid post. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered...

AI score: 7.3
Exploits: 0

Schneier on Security
added 2025/04/11 11:4 a.m., 8 views

AI Vulnerability Finding

Microsoft is reporting that its AI systems are able to find new vulnerabilities in source code: Microsoft discovered eleven vulnerabilities in GRUB2, including integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison. Additionally, 9 buffer...

AI score: 8.5
Exploits: 0

Schneier on Security
added 2025/04/11 12:35 a.m., 2 views

Reimagining Democracy

Imagine that all of us--all of society--have landed on some alien planet and need to form a government: clean slate. We do not have any legacy systems from the United States or any other country. We do not have any special or unique interests to perturb our thinking. How would we govern ourselves...

AI score: 6.8
Exploits: 0

Schneier on Security
added 2025/04/09 11:2 a.m., 14 views

How to Leak to a Journalist

Nieman Lab has some good advice on how to leak a story to a journalist...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/04/08 11:8 a.m., 14 views

Arguing Against CALEA

At a Congressional hearing earlier this week, Matt Blaze made the point that CALEA, the 1994 law that forces telecoms to make phone calls wiretappable, is outdated in today's threat environment and should be rethought: In other words, while the legally-mandated CALEA capability requirements have...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/04/07 11:3 a.m., 8 views

DIRNSA Fired

In "Secrets and Lies" (2000), I wrote: It is poor civic hygiene to install technologies that could someday facilitate a police state. It's something a bunch of us were saying at the time, in reference to the vast NSA's surveillance capabilities. I have been thinking of that quote a lot as I read ne...

AI score: 7.1
Exploits: 0

Schneier on Security
added 2025/04/04 9:3 p.m., 9 views

Friday Squid Blogging: Two-Man Giant Squid

The Brooklyn indie art-punk group, Two-Man Giant Squid, just released a new album. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/04/04 11:2 a.m., 8 views

Troy Hunt Gets Phished

In case you need proof that anyone, even someone who does cybersecurity for a living, can fall for a phishing attack, Troy Hunt has a long, iterative story on his webpage about how he got phished. Worth reading. EDITED TO ADD 4/14: Commentary from Adam Shostack and Cory Doctorow...

AI score: 7.3
Exploits: 0

Schneier on Security
added 2025/04/03 11:5 a.m., 11 views

Web 3.0 Requires Data Integrity

If you've ever taken a computer security class, you've probably learned about the three legs of computer security--confidentiality, integrity, and availability--known as the CIA triad. When we talk about a system being secure, that's what we're referring to. All are important, but to different...

AI score: 6.8
Exploits: 0

Schneier on Security
added 2025/04/02 11:4 a.m., 13 views

Rational Astrologies and Security

John Kelsey and I wrote a short paper for the Rossfest Festschrift: "Rational Astrologies and Security": There is another non-security way that designers can spend their security budget: on making their own lives easier. Many of these fall into the category of what has been called rational...

AI score: 6.9
Exploits: 0

Schneier on Security
added 2025/04/01 11:1 a.m., 10 views

Cell Phone OPSEC for Border Crossings

I have heard stories of more aggressive interrogation of electronic devices at US border crossings. I know a lot about securing computers, but very little about securing phones. Are there easy ways to delete data--files, photos, etc.--on phones so it can't be recovered? Does resetting a phone to...

AI score: 7.5
Exploits: 0

Schneier on Security
added 2025/03/31 11:4 a.m., 11 views

The Signal Chat Leak and the NSA

US National Security Advisor Mike Waltz, who started the now-infamous group chat coordinating a US attack against the Yemen-based Houthis on March 15, is seemingly now suggesting that the secure messaging service Signal has security vulnerabilities. "I didn't see this loser in the group," Waltz...

AI score: 7.5
Exploits: 0

Schneier on Security
added 2025/03/28 9:4 p.m., 11 views

Friday Squid Blogging: Squid Werewolf Hacking Group

In another rare squid/cybersecurity intersection, APT37 is also known as "Squid Werewolf." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/03/28 11:1 a.m., 13 views

AIs as Trusted Third Parties

This is a truly fascinating paper: "Trusted Machine Learning Models Unlock Private Inference for Problems Currently Infeasible with Cryptography." The basic idea is that AIs can act as trusted third parties: Abstract: We often interact with untrusted parties. Prioritization of privacy can limit t...

AI score: 7.1
Exploits: 0

Schneier on Security
added 2025/03/27 11:0 a.m., 8 views

A Taxonomy of Adversarial Machine Learning Attacks and Mitigations

NIST just released a comprehensive taxonomy of adversarial machine learning attacks and countermeasures...

AI score: 7.3
Exploits: 0

Schneier on Security
added 2025/03/26 11:7 a.m., 8 views

AI Data Poisoning

Cloudflare has a new feature--available to free users as well--that uses AI to generate random pages to feed to AI web crawlers: Instead of simply blocking bots, Cloudflare's new system lures them into a "maze" of realistic-looking but irrelevant pages, wasting the crawler's computing resources...

AI score: 6.9
Exploits: 0

Schneier on Security
added 2025/03/25 11:5 a.m., 11 views

Report on Paragon Spyware

Citizen Lab has a new report on Paragon's spyware: Key Findings: Introducing Paragon Solutions. Paragon Solutions was founded in Israel in 2019 and sells spyware called Graphite. The company differentiates itself by claiming it has safeguards to prevent the kinds of spyware abuses that NSO Group...

AI score: 6.5
Exploits: 0

Schneier on Security
added 2025/03/24 10:38 a.m., 14 views

More Countries are Demanding Backdoors to Encrypted Apps

Last month, I wrote about the UK forcing Apple to break its Advanced Data Protection encryption in iCloud. More recently, both Sweden and France are contemplating mandating backdoors. Both initiatives are attempting to scare people into supporting backdoors, which are--of course--terrible ide...

AI score: 6.8
Exploits: 0

Schneier on Security
added 2025/03/21 8:30 p.m., 10 views

Friday Squid Blogging: A New Explanation of Squid Camouflage

New research: An associate professor of chemistry and chemical biology at Northeastern University, Deravi’s recently published paper in the Journal of Materials Chemistry C sheds new light on how squid use organs that essentially function as organic solar cells to help power their camouflage...

AI score: 7.3
Exploits: 0

Schneier on Security
added 2025/03/21 6:26 p.m., 11 views

My Writings Are in the LibGen AI Training Corpus

The Atlantic has a search tool that allows you to search for specific works in the "LibGen" database of copyrighted works that Meta used to train its AI models. The rest of the article is behind a paywall, but not the search tool. It’s impossible to know exactly which parts of LibGen Meta used to...

AI score: 7.3
Exploits: 0

Schneier on Security
added 2025/03/21 11:47 a.m., 10 views

NCSC Releases Post-Quantum Cryptography Timeline

The UK's National Computer Security Center (part of GCHQ) released a timeline--also see their blog post--for migration to quantum-computer-resistant cryptography. It even made The Guardian...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/03/20 3:14 p.m., 6 views

Critical GitHub Attack

This is serious: A sophisticated cascading supply chain attack has compromised multiple GitHub Actions, exposing critical CI/CD secrets across tens of thousands of repositories. The attack, which originally targeted the widely used “tj-actions/changed-files” utility, is now believed to have...

AI score: 7.3
Exploits: 0

Schneier on Security
added 2025/03/18 11:10 a.m., 5 views

Is Security Human Factors Research Skewed Towards Western Ideas and Habits?

Really interesting research: "How WEIRD is Usable Privacy and Security Research?" by Ayako A. Hasegawa, Daisuke Inoue, and Mitsuaki Akiyama: Abstract: In human factor fields such as human-computer interaction (HCI) and psychology, researchers have been concerned that participants mostly come from...

AI score: 7.4
Exploits: 0

Schneier on Security
added 2025/03/17 3:9 p.m., 11 views

Improvements in Brute Force Attacks

New paper: "GPU Assisted Brute Force Cryptanalysis of GPRS, GSM, RFID, and TETRA: Brute Force Cryptanalysis of KASUMI, SPECK, and TEA3." Abstract: Key lengths in symmetric cryptography are determined with respect to the brute force attacks with current technology. While nowadays at least 128-bit...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/03/14 9:3 p.m., 12 views

Friday Squid Blogging: SQUID Band

A bagpipe and drum band: SQUID transforms traditional Bagpipe and Drum Band entertainment into a multi-sensory rush of excitement, featuring high energy bagpipes, pop music influences and visually stunning percussion! As usual, you can also use this squid post to talk about the security stories i...

AI score: 7.2
Exploits: 0

Schneier on Security
added 2025/03/14 4:3 p.m., 5 views

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: I’m speaking at the Rossfest Symposium in Cambridge, UK, on March 25, 2025. I'm speaking at the University of Toronto's Rotman School of Management in Toronto, Canada, on April 3, 2025. The list is maintained on this page...

AI score: 7.2
Exploits: 0

Total number of security vulnerabilities: 2959