Friday Squid Blogging: Regulating Squid Fishing in the South Pacific The South Pacific Regional Fisheries Management Organization (SPRFMO) needs to regulate squid fishing in the South Pacific. As usual, you can also use this squid post to talk about the security stories in the news that I haven't…

CISA Security Leak Crazy story: Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems.…

macOS Kernel Memory Corruption Exploit A group used Anthropic's Mythos AI model to help find a kernel memory corruption vulnerability and exploit on Apple's M5. News article.

On AI Security Good report: Executive Summary: Let's say you wanted to make sure that your AI is secure. Can you just maximize the security and privacy benchmark and call it a day? Nope, because benchmarks don't actually work for measuring AI capabilities (even when they are NOT emergent systemic…

Laurie Anderson Is Quoting Me Not by name, but Laurie Anderson quotes me in one of the tracks of her new album: My favorite quote is from a cryptologist who said "If you think technology will solve your problems, you don't understand technology and you don't understand your problems." Also in…

Zero-Day Exploit Against Windows BitLocker It's nasty, but it requires physical access to the computer: The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments of BitLocker, the…

Friday Squid Blogging: Bigfin Squid Article about the bigfin squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy.

Bypassing On-Camera Age-Verification Checks Some AI-based video age-verification checks can be fooled with a fake mustache.

Upcoming Speaking Engagements This is a current list of where and when I am scheduled to speak: I’m giving a virtual talk on “The Security of Trust in the Age of AI,” hosted by the Financial Women’s Association of New York, at 6:00 PM ET on May 21, 2026. I’m speaking at the Potsdam Conference on…

How Dangerous Is Anthropic’s Mythos AI? Last month, Anthropic made a remarkable announcement about its new model, Claude Mythos Preview: it was so good at finding security vulnerabilities in software that the company would not release it to the general public. Instead, it would only be available…

OpenAI’s GPT-5.5 is as Good as Mythos at Finding Security Vulnerabilities The UK's AI Security Institute evaluated GPT-5.5's ability to find security vulnerabilities, and found that it is comparable to Claude Mythos. Note that the OpenAI model is generally available. Here is the Institute's…

Copy.Fail Linux Vulnerability This is the worst Linux vulnerability in years. TL;DR copy.fail is a Linux kernel local privilege escalation, not a browser or clipboard attack. Disclosed by Theori on 29 April 2026 with a working PoC. It abuses the kernel crypto API (AF_ALG sockets) plus splice() to…

LLMs and Text-in-Text Steganography Turns out that LLMs are really good at hiding text messages in other text messages.

Friday Squid Blogging: Giant Squid Live in the Waters of Western Australia Evidence of them has been found by analyzing DNA in the seawater. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy.

Insider Betting on Polymarket Insider trading is rife on Polymarket: Analysis by the Anti-Corruption Data Collective, a non-profit research and advocacy group, found that long-shot bets -- ­defined as wagers of $2,500 or more at odds of 35 percent or less -- ­on the platform had an average win…

Smart Glasses for the Authorities ICE is developing its own version of smart glasses, with facial recognition tied to various databases.

Rowhammer Attack Against NVIDIA Chips A new rowhammer attack gives complete control of NVIDIA CPUs. On Thursday, two research teams, working independently of each other, demonstrated attacks against two cards from Nvidia’s Ampere generation that take GPU rowhammering into new -- ­and potentially…

DarkSword Malware DarkSword is a sophisticated piece of malware -- probably government designed -- that targets iOS. Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks…

Hacking Polymarket Polymarket is a platform where people can bet on real-world events, political and otherwise. Leaving the ethical considerations of this aside (for one, it facilitates assassination), one of the issues with making this work is the verification of these real-world events.…

A Ransomware Negotiator Was Working for a Ransomware Gang Someone pleaded guilty to secretly working for a ransomware gang as he negotiated ransomware payments for clients.

Fast16 Malware Researchers have reverse-engineered a piece of malware named Fast16. It's almost certainly state-sponsored, probably US in origin, and was deployed against Iran years before Stuxnet: "...the Fast16 malware was designed to carry out the most subtle form of sabotage ever seen in an…

Claude Mythos Has Found 271 Zero-Days in Firefox That's a lot. No, it's an extraordinary number: Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser. We wrote previously about our collaboration…

What Anthropic’s Mythos Means for the Future of Cybersecurity Two weeks ago, Anthropic announced that its new model, Claude Mythos Preview, can autonomously find and weaponize software vulnerabilities, turning them into working exploits without expert guidance. These were vulnerabilities in key…

Medieval Encrypted Letter Decoded Sent by a Spanish diplomat. Apparently people have been working on it since it was rediscovered in 1860.

Friday Squid Blogging: How Squid Survived Extinction Events Science news: Scientists have finally cracked a long-standing mystery about squid and cuttlefish evolution by analyzing newly sequenced genomes alongside global datasets. The research reveals that these bizarre, intelligent creatures…

Hiding Bluetooth Trackers in Mail It was used to track a Dutch naval ship: Dutch journalist Just Vervaart, working for regional media network Omroep Gelderland, followed the directions posted on the Dutch government website and mailed a postcard with a hidden tracker inside. Because of this, they…

FBI Extracts Deleted Signal Messages from iPhone Notification Database 404 Media reports (alternate site): The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s…

ICE Uses Graphite Spyware ICE has admitted that it uses spyware from the Israeli company Graphite.

Mexican Surveillance Company Grupo Seguritech is a Mexican surveillance company that is expanding into the US.

Is “Satoshi Nakamoto” Really Adam Back? The New York Times has a long article where the author lays out an impressive array of circumstantial evidence that the inventor of Bitcoin is the cypherpunk Adam Back. I don't know. The article is convincing, but it's written to be convincing. I can't…

Friday Squid Blogging: New Giant Squid Video Pretty fantastic video from Japan of a giant squid eating another squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy.

Mythos and Cybersecurity

Defense in Depth, Medieval Style This article on the walls of Constantinople is fascinating. The system comprised four defensive lines arranged in formidable layers: The brick-lined ditch, divided by bulkheads and often flooded, 15­20 meters wide and up to 7 meters deep. A low breastwork, about 2…

Upcoming Speaking Engagements This is a current list of where and when I am scheduled to speak: I’m speaking at DemocracyXChange 2026 in Toronto, Ontario, Canada, on April 18, 2026. I’m speaking at the SANS AI Cybersecurity Summit 2026 in Arlington, Virginia, USA, at 9:40 AM ET on April 20, 2026.…

How Hackers Are Thinking About AI Interesting paper: "What hackers talk about when they talk about AI: Early-stage diffusion of a cybercrime innovation." Abstract: The rapid expansion of artificial intelligence (AI) is raising concerns about its potential to transform cybercrime. Beyond empowering…

On Anthropic’s Mythos Preview and Project Glasswing The cybersecurity industry is obsessing over Anthropic's new model, Claude Mythos Preview, and its effects on cybersecurity. Anthropic said that it is not releasing it to the general public because of its cyberattack capabilities, and has…

AI Chatbots and Trust All the leading AI chatbots are sycophantic, and that's a problem: Participants rated sycophantic AI responses as more trustworthy than balanced ones. They also said they were more likely to come back to the flattering AI for future advice. And critically ­ they couldn't tell…

Friday Squid Blogging: Squid Overfishing in the South Pacific Regulation is hard: The South Pacific Regional Fisheries Management Organization (SPRFMO) oversees fishing across roughly 59 million square kilometers (22 million square miles) of the South Pacific high seas, trying to impose order on a…

Sen. Sanders Talks to Claude About AI and Privacy Claude is actually pretty good on the issues.

On Microsoft’s Lousy Cloud Security ProPublica has a scoop: In late 2024, the federal government's cybersecurity evaluators rendered a troubling verdict on one of Microsoft's biggest cloud computing offerings. The tech giant's "lack of proper detailed security documentation" left reviewers with a…

Python Supply-Chain Compromise This is news: A malicious supply chain compromise has been identified in the Python Package Index package litellm version 1.82.8. The published wheel contains a malicious .pth file (litellm_init.pth, 34,628 bytes) which is automatically executed by the Python…

Cybersecurity in the Age of Instant Software AI is rapidly changing how software is written, deployed, and used. Trends point to a future where AIs can write custom software quickly and easily: “instant software.” Taken to an extreme, it might become easier for a user to have an AI write an…

Hong Kong Police Can Force You to Reveal Your Encryption Keys According to a new law, the Hong Kong police can demand that you reveal the encryption keys protecting your computer, phone, hard drives, etc. -- even if you are just transiting the airport. In a security alert dated March 26, the U.S.…

New Mexico’s Meta Ruling and Encryption Mike Masnick points out that the recent New Mexico court ruling against Meta has some bad implications for end-to-end encryption, and security in general: If the "design choices create liability" framework seems worrying in the abstract, the New Mexico case…

Google Wants to Transition to Post-Quantum Cryptography by 2029 Google says that it will fully transition to post-quantum cryptography by 2029. I think this is a good move, not because I think we will have a useful quantum computer anywhere near that year, but because crypto-agility is always a…

Friday Squid Blogging: Jurassic Fish Chokes on Squid Here's a fossil of a 150-million year old fish that choked to death on a belemnite rostrum: the hard, internal shell of an extinct, squid-like animal. Original paper. As usual, you can also use this squid post to talk about the security stories…

Company that Secretly Records and Publishes Zoom Meetings WebinarTV searches the internet for public Zoom invites, joins the meetings, secretly records them, and publishes (alternate link) the recordings. It doesn't use the Zoom record feature, so Zoom can't do anything about it.

US Bans All Foreign-Made Consumer Routers This is for new routers; you don't have to throw away your existing ones: The Executive Branch determination noted that foreign-produced routers (1) introduce "a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and…

Possible US Government iPhone Hacking Tool Leaked Wired writes (alternate source): Security researchers at Google on Tuesday released a report describing what they're calling "Coruna," a highly sophisticated iPhone hacking toolkit that includes five complete hacking techniques capable of bypassing…

Is “Hackback” Official US Cybersecurity Strategy? The 2026 US "Cyber Strategy for America" document is mostly the same thing we've seen out of the White House for over a decade, but with a more aggressive tone. But one sentence stood out: "We will unleash the private sector by creating incentives…