New Attacks Against Secure Enclaves Encryption can protect data at rest and data in transit, but does nothing for data in use. What we have are secure enclaves. I've written about this before: Almost all cloud services have to perform some computation on our data. Even the simplest storage…

Friday Squid Blogging: Squid Game: The Challenge, Season Two The second season of the Netflix reality competition show Squid Game: The Challenge has dropped. (Too many links to pick a few -- search for it.) As usual, you can also use this squid post to talk about the security stories in the news…

Faking Receipts with AI Over the past few decades, it's become easier and easier to create fake receipts. Decades ago, it required special paper and printers -- I remember a company in the UK advertising its services to people trying to cover up their affairs. Then, receipts became computerized,…

Rigged Poker Games The Department of Justice has indicted thirty-one people over the high-tech rigging of high-stakes poker games. In a typical legitimate poker game, a dealer uses a shuffling machine to shuffle the cards randomly before dealing them to all the players in a particular order. As…

Scientists Need a Positive Vision for AI For many in the research community, it's gotten harder to be optimistic about the impacts of artificial intelligence. As authoritarianism is rising around the world, AI-generated "slop" is overwhelming legitimate media, while AI-generated deepfakes are…

Cybercriminals Targeting Payroll Sites Microsoft is warning of a scam involving online payroll systems. Criminals use social engineering to steal people's credentials, and then divert direct deposits into accounts that they control. Sometimes they do other things to make it harder for the victim…

AI Summarization Optimization These days, the most important meeting attendee isn’t a person: It’s the AI notetaker. This system assigns action items and determines the importance of what is said. If it becomes necessary to revisit the facts of the meeting, its summary is treated as impartial…

Friday Squid Blogging: Giant Squid at the Smithsonian I can't believe that I haven't yet posted this picture of a giant squid at the Smithsonian. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy.

Will AI Strengthen or Undermine Democracy? Listen to the Audio on NextBigIdeaClub.com Below, co-authors Bruce Schneier and Nathan E. Sanders share five key insights from their new book, Rewiring Democracy: How AI Will Transform Our Politics, Government, and Citizenship. What's the big idea? AI can…

The AI-Designed Bioweapon Arms Race Interesting article about the arms race between AI systems that invent/design new biological pathogens, and AI systems that detect them before they're created: The team started with a basic test: use AI tools to design variants of the toxin ricin, then test them…

Signal’s Post-Quantum Cryptographic Implementation Signal has just rolled out its quantum-safe cryptographic implementation. Ars Technica has a really good article with details: Ultimately, the architects settled on a creative solution. Rather than bolt KEM onto the existing double ratchet, they…

Social Engineering People’s Credit Card Details Good Wall Street Journal article on criminal gangs that scam people out of their credit card information: Your highway toll payment is now past due, one text warns. You have U.S. Postal Service fees to pay, another threatens. You owe the New York…

Louvre Jewel Heist I assume I don't have to explain last week's Louvre jewel heist. I love a good caper, and have (like many others) eagerly followed the details. An electric ladder to a second-floor window, an angle grinder to get into the room and the display cases, security guards there more to…

First Wap: A Surveillance Computer You’ve Never Heard Of Mother Jones has a long article on surveillance arms manufacturers, their wares, and how they avoid export control laws: Operating from their base in Jakarta, where permissive export laws have allowed their surveillance business to flourish,…

Friday Squid Blogging: “El Pulpo The Squid” There is a new cigar named "El Pulpo The Squid." Yes, that means "The Octopus The Squid." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy.

Part Four of The Kryptos Sculpture Two people found the solution. They used the power of research, not cryptanalysis, finding clues amongst the Sanborn papers at the Smithsonian's Archives of American Art. This comes as an awkward time, as Sanborn is auctioning off the solution. There were legal…

Serious F5 Breach This is bad: F5, a Seattle-based maker of networking software, disclosed the breach on Wednesday. F5 said a "sophisticated" threat group working for an undisclosed nation-state government had surreptitiously and persistently dwelled in its network over a "long-term." Security…

Failures in Face Recognition Interesting article on people with nonstandard faces and how facial recognition systems fail for them. Some of those living with facial differences tell WIRED they have undergone multiple surgeries and experienced stigma for their entire lives, which is now being…

A Cybersecurity Merit Badge Scouting America (formerly known as Boy Scouts) has a new badge in cybersecurity. There's an image in the article; it looks good. I want one.

Agentic AI’s OODA Loop Problem The OODA loop—for observe, orient, decide, act—is a framework to understand decision-making in adversarial situations. We apply the same framework to artificial intelligence agents, who have to make their decisions with untrustworthy observations and orientation. To…

Friday Squid Blogging: Squid Inks Philippines Fisherman Good video. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy.

A Surprising Amount of Satellite Traffic Is Unencrypted Here's the summary: We pointed a commercial-off-the-shelf satellite dish at the sky and carried out the most comprehensive public study to date of geostationary satellite communication. A shockingly large amount of sensitive traffic is being…

Cryptocurrency ATMs CNN has a great piece about how cryptocurrency ATMs are used to scam people out of their money. The fees are usurious, and they're a common place for scammers to send victims to buy cryptocurrency for them. The companies behind the ATMs, at best, do not care about the harm they…

Apple’s Bug Bounty Program Apple is now offering a $2M bounty for a zero-click exploit. According to the Apple website: Today we’re announcing the next major chapter for Apple Security Bounty, featuring the industry’s highest rewards, expanded research categories, and a flag system for researchers…

Upcoming Speaking Engagements This is a current list of where and when I am scheduled to speak: I and Nathan E. Sanders will be giving a book talk on Rewiring Democracy at the Harvard Kennedy School’s Ash Center in Cambridge, Massachusetts, USA, on October 22, 2025 at noon ET. I and Nathan E.…

The Trump Administration’s Increased Use of Social Media Surveillance This chilling paragraph is in a comprehensive Brookings report about the use of tech to deport people from the US: The administration has also adapted its methods of social media surveillance. Though agencies like the State…

Rewiring Democracy is Coming Soon My latest book, Rewiring Democracy: How AI Will Transform Our Politics, Government, and Citizenship, will be published in just over a week. No reviews yet, but can read chapters 12 and

AI and the Future of American Politics Two years ago, Americans anxious about the forthcoming 2024 presidential election were considering the malevolent force of an election influencer: artificial intelligence. Over the past several years, we have seen plenty of warning signs from elections…

Friday Squid Blogging: Sperm Whale Eating a Giant Squid Video. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy.

Autonomous AI Hacking and the Future of Cybersecurity AI agents are now hacking computers. They're getting better at all phases of cyberattacks, faster than most of us expected. They can chain together different aspects of a cyber operation, and hack autonomously, at computer speeds and scale.…

Flok License Plate Surveillance The company Flok is surveilling us as we drive: A retired veteran named Lee Schmidt wanted to know how often Norfolk, Virginia's 176 Flock Safety automated license-plate-reader cameras were tracking him. The answer, according to a U.S. District Court lawsuit filed…

AI-Enabled Influence Operation Against Iran Citizen Lab has uncovered a coordinated AI-enabled influence operation against the Iranian government, probably conducted by Israel. Key Findings A coordinated network of more than 50 inauthentic X profiles is conducting an AI-enabled influence…

AI in the 2026 Midterm Elections We are nearly one year out from the 2026 midterm elections, and it's far too early to predict the outcomes. But it's a safe bet that artificial intelligence technologies will once again be a major storyline. The widespread fear that AI would be used to manipulate…

Friday Squid Blogging: Squid Overfishing in the Southwest Atlantic Article. Report.

Daniel Miessler on the AI Attack/Defense Balance His conclusion: Context wins Basically whoever can see the most about the target, and can hold that picture in their mind the best, will be best at finding the vulnerabilities the fastest and taking advantage of them. Or, as the defender, applying…

Use of Generative AI in Scams New report: "Scam GPT: GenAI and the Automation of Fraud." This primer maps what we currently know about generative AI’s role in scams, the communities most at risk, and the broader economic and cultural shifts that are making people more willing to take risks, more…

Details of a Scam Longtime Crypto-Gram readers know that I collect personal experiences of people being scammed. Here's an almost: Then he added, "Here at Chase, we'll never ask for your personal information or passwords." On the contrary, he gave me more information -- two "cancellation codes"…

Abusing Notion’s AI Agent for Data Theft Notion just released version 3.0, complete with AI agents. Because the system contains Simon Willson's lethal trifecta, it's vulnerable to data theft though prompt injection. First, the trifecta: The lethal trifecta of capabilities is: Access to your…

Friday Squid Blogging: Jigging for Squid A nice story.

Digital Threat Modeling Under Authoritarianism Today's world requires us to make complex and nuanced decisions about our digital security. Evaluating when to use a secure messaging app like Signal or WhatsApp, which passwords to store on your smartphone, or what to share on social media requires…

Malicious-Looking URL Creation Service This site turns your URL into something sketchy-looking. For example, www.schneier.com becomes Found on Boing Boing.

US Disrupts Massive Cell Phone Array in New York This is a weird story: The US Secret Service disrupted a network of telecommunications devices that could have shut down cellular systems as leaders gather for the United Nations General Assembly in New York City. The agency said on Tuesday that…

Apple’s New Memory Integrity Enforcement Apple has introduced a new hardware/software security feature in the iPhone 17: "Memory Integrity Enforcement," targeting the memory safety vulnerabilities that spyware products like Pegasus tend to use to get unauthorized system access. From Wired: In…

Details About Chinese Surveillance and Propaganda Companies Details from leaked documents: While people often look at China’s Great Firewall as a single, all-powerful government system unique to China, the actual process of developing and maintaining it works the same way as surveillance…

Friday Squid Blogging: Giant Squid vs. Blue Whale A comparison aimed at kids.

Surveying the Global Spyware Market The Atlantic Council has published its second annual report: "Mythical Beasts: Diving into the depths of the global spyware market." Too much good detail to summarize, but here are two items: First, the authors found that the number of US-based investors in…

Time-of-Check Time-of-Use Attacks Against LLMs This is a nice piece of research: "Mind the Gap: Time-of-Check to Time-of-Use Vulnerabilities in LLM-Enabled Agents".: Abstract: Large Language Model (LLM)-enabled agents are rapidly emerging across a wide range of applications, but their deployment…

Hacking Electronic Safes Vulnerabilities in electronic safes that use Securam Prologic locks: While both their techniques represent glaring security vulnerabilities, Omo says it's the one that exploits a feature intended as a legitimate unlock method for locksmiths that's the more widespread and…

Microsoft Still Uses RC4 Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft over its continued use of the RC4 encryption algorithm. The letter talks about a hacker technique called Kerberoasting, that exploits the Kerberos authentication system.

Lawsuit About WhatsApp Security Attaullah Baig, WhatsApp's former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission. The lawsuit, alleging…