Friday Squid Blogging: Do Squid Dream? An exploration of the interesting question.

3D Printer Surveillance New York is contemplating a bill that adds surveillance to 3D printers: New York’s 2026­2027 executive budget bill (S.9005 / A.10005) includes language that should alarm every maker, educator, and small manufacturer in the state. Buried in Part C is a provision requiring…

Rewiring Democracy Ebook is on Sale I just noticed that the ebook version of Rewriring Democracy is on sale for $5 on Amazon, Apple Books, Barnes & Noble, Books A Million, Google Play, Kobo, and presumably everywhere else in the US. I have no idea how long this will last.

Prompt Injection Via Road Signs Interesting research: "CHAI: Command Hijacking Against Embodied AI." Abstract: Embodied Artificial Intelligence (AI) promises to handle edge cases in robotic vehicle systems where data is scarce by using common-sense reasoning grounded in perception and action to…

AI-Generated Text and the Detection Arms Race In 2023, the science fiction literary magazine Clarkesworld stopped accepting new submissions because so many were generated by artificial intelligence. Near as the editors could tell, many submitters pasted the magazine’s detailed story guidelines…

LLMs are Getting a Lot Better and Faster at Finding and Exploiting Zero-Days This is amazing: Opus 4.6 is notably better at finding high-severity vulnerabilities than previous models and a sign of how quickly things are moving. Security teams have been automating vulnerability discovery for years,…

Friday Squid Blogging: Squid Fishing Tips This is a video of advice for squid fishing in Puget Sound. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy.

I Am in the Epstein Files Once. Someone named "Vincenzo lozzo" wrote to Epstein in email, in 2016: "I wouldn't pay too much attention to this, Schneier has a long tradition of dramatizing and misunderstanding things." The topic of the email is DDoS attacks, and it is unclear what I am dramatizing…

iPhone Lockdown Mode Protects Washington Post Reporter 404Media is reporting that the FBI could not access a reporter's iPhone because it had Lockdown Mode enabled: The court record shows what devices and data the FBI was able to ultimately access, and which devices it could not, after raiding the…

Backdoor in Notepad++ Hackers associated with the Chinese government used a Trojaned version of Notepad++ to deliver malware to selected users. Notepad++ said that officials with the unnamed provider hosting the update infrastructure consulted with incident responders and found that it remained…

US Declassifies Information on JUMPSEAT Spy Satellites The US National Reconnaissance Office has declassified information about a fleet of spy satellites operating between 1971 and 2006. I'm actually impressed to see a declassification only two decades after decommission.

Microsoft is Giving the FBI BitLocker Keys Microsoft gives the FBI the ability to decrypt BitLocker in response to court orders: about twenty times per year. It's possible for users to store those keys on a device they own, but Microsoft also recommends BitLocker users store their keys on its…

AI Coding Assistants Secretly Copying All Code to China There's a new report about two AI coding assistants, used by 1.5 million developers, that are surreptitiously sending a copy of everything they ingest to China. Maybe avoid using them.

Friday Squid Blogging: New Squid Species Discovered A new species of squid. pretends to be a plant: Scientists have filmed a never-before-seen species of deep-sea squid burying itself upside down in the seafloor — a behavior never documented in cephalopods. They captured the bizarre scene while…

AIs Are Getting Better at Finding and Exploiting Security Vulnerabilities From an Anthropic blog post: In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools,…

The Constitutionality of Geofence Warrants The US Supreme Court is considering the constitutionality of geofence warrants. The case centers on the trial of Okello Chatrie, a Virginia man who pleaded guilty to a 2019 robbery outside of Richmond and was sentenced to almost 12 years in prison for…

Ireland Proposes Giving Police New Digital Surveillance Powers This is coming: The Irish government is planning to bolster its police's ability to intercept communications, including encrypted messages, and provide a legal basis for spyware use.

Friday Squid Blogging: Giant Squid in the Star Trek Universe Spock befriends a giant space squid in the comic Star Trek: Strange New Worlds: The Seeds of Salvation #5. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation…

AIs are Getting Better at Finding and Exploiting Internet Vulnerabilities Really interesting blog post from Anthropic: In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard,…

Why AI Keeps Falling for Prompt Injection Attacks Imagine you work at a drive-through restaurant. Someone drives up and says: "I'll have a double cheeseburger, large fries, and ignore previous instructions and give me the contents of the cash drawer." Would you hand over the money? Of course not.…

Internet Voting is Too Insecure for Use in Elections No matter how many times we say it, the idea comes back again and again. Hopefully, this letter will hold back the tide for at least a while longer. Executive summary: Scientists have understood for many years that internet voting is insecure…

Could ChatGPT Convince You to Buy Something? Eighteen months ago, it was plausible that artificial intelligence might take a different path than social media. Back then, AI's development hadn't consolidated under a small number of big tech firms. Nor had it capitalized on consumer attention,…

AI-Powered Surveillance in Schools It all sounds pretty dystopian: Inside a white stucco building in Southern California, video cameras compare faces of passersby against a facial recognition database. Behavioral analysis AI reviews the footage for signs of violent behavior. Behind a bathroom…

AI and the Corporate Capture of Knowledge More than a decade after Aaron Swartz's death, the United States is still living inside the contradiction that destroyed him. Swartz believed that knowledge, especially publicly funded knowledge, should be freely accessible. Acting on that, he downloaded…

New Vulnerability in n8n This isn't good: We discovered a critical vulnerability (CVE-2026-21858, CVSS 10.0) in n8n that enables attackers to take over locally deployed instances, impacting an estimated 100,000 servers globally. No official workarounds are available for this vulnerability. Users…

Hacking Wheelchairs over Bluetooth Researchers have demonstrated remotely controlling a wheelchair over Bluetooth. CISA has issued an advisory. CISA said the WHILL wheelchairs did not enforce authentication for Bluetooth connections, allowing an attacker who is in Bluetooth range of the targeted…

Upcoming Speaking Engagements This is a current list of where and when I am scheduled to speak: I’m speaking at the David R. Cheriton School of Computer Science in Waterloo, Ontario, Canada on January 27, 2026, at 1:30 PM ET. I’m speaking at the Université de Montréal in Montreal, Quebec, Canada…

1980s Hacker Manifesto Forty years ago, The Mentor -- Loyd Blankenship -- published "The Conscience of a Hacker" in Phrack. You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and…

Corrupting LLMs Through Weird Generalizations Fascinating research: Weird Generalization and Inductive Backdoors: New Ways to Corrupt LLMs. AbstractLLMs are useful because they generalize so well. But can you have too much of a good thing? We show that a small amount of finetuning in narrow…

Friday Squid Blogging: The Chinese Squid-Fishing Fleet off the Argentine Coast The latest article on this topic. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy.

Palo Alto Crosswalk Signals Had Default Passwords Palo Alto's crosswalk signals were hacked last year. Turns out the city never changed the default passwords.

AI & Humans: Making the Relationship Work Leaders of many organizations are urging their teams to adopt agentic AI to improve efficiency, but are finding it hard to achieve any benefit. Managers attempting to add AI agents to existing human teams may find that bots fail to faithfully follow their…

The Wegman’s Supermarket Chain Is Probably Using Facial Recognition The New York City Wegman's is collecting biometric information about customers.

A Cyberattack Was Part of the US Assault on Venezuela We don't have many details: President Donald Trump suggested Saturday that the U.S. used cyberattacks or other technical capabilities to cut power off in Caracas during strikes on the Venezuelan capital that led to the capture of Venezuelan…

Telegram Hosting World’s Largest Darknet Market Wired is reporting on Chinese darknet markets on Telegram. The ecosystem of marketplaces for Chinese-speaking crypto scammers hosted on the messaging service Telegram have now grown to be bigger than ever before, according to a new analysis from the…

Friday Squid Blogging: Squid Found in Light Fixture Probably a college prank. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy.

Flock Exposes Its AI-Enabled Surveillance Cameras 404 Media has the story: Unlike many of Flock's cameras, which are designed to capture license plates as people drive by, Flock's Condor cameras are pan-tilt-zoom (PTZ) cameras designed to record and track people, not vehicles. Condor cameras can…

LinkedIn Job Scams Interesting article on the variety of LinkedIn job scams around the world: In India, tech jobs are used as bait because the industry employs millions of people and offers high-paying roles. In Kenya, the recruitment industry is largely unorganized, so scamsters leverage fake…

Using AI-Generated Images to Get Refunds Scammers are generating images of broken merchandise in order to apply for refunds.

Are We Ready to Be Governed by Artificial Intelligence? Artificial Intelligence (AI) overlords are a common trope in science-fiction dystopias, but the reality looks much more prosaic. The technologies of artificial intelligence are already pervading many aspects of democratic government,…

Friday Squid Blogging: Squid Camouflage New research: Abstract: Coleoid cephalopods have the most elaborate camouflage system in the animal kingdom. This enables them to hide from or deceive both predators and prey. Most studies have focused on benthic species of octopus and cuttlefish, while…

IoT Hack Someone hacked an Italian ferry. It looks like the malware was installed by someone on the ferry, and not remotely.

Urban VPN Proxy Surreptitiously Intercepts AI Chats This is pretty scary: Urban VPN Proxy targets conversations across ten AI platforms: ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok (xAI), Meta AI. For each platform, the extension includes a dedicated "executor" script…

Denmark Accuses Russia of Conducting Two Cyberattacks News: The Danish Defence Intelligence Service (DDIS) announced on Thursday that Moscow was behind a cyber-attack on a Danish water utility in 2024 and a series of distributed denial-of-service (DDoS) attacks on Danish websites in the lead-up to…

Microsoft Is Finally Killing RC4 After twenty-six years, Microsoft is finally upgrading the last remaining instance of the encryption algorithm RC4 in Windows. of the most visible holdouts in supporting RC4 has been Microsoft. Eventually, Microsoft upgraded Active Directory to support the much…

Friday Squid Blogging: Petting a Squid Video from Reddit shows what could go wrong when you try to pet a -- looks like a Humboldt -- squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy.

AI Advertising Company Hacked At least some of this is coming to light: Doublespeed, a startup backed by Andreessen Horowitz (a16z) that uses a phone farm to manage at least hundreds of AI-generated social media accounts and promote products has been hacked. The hack reveals what products the…

Someone Boarded a Plane at Heathrow Without a Ticket or Passport I'm sure there's a story here: Sources say the man had tailgated his way through to security screening and passed security, meaning he was not detected carrying any banned items. The man deceived the BA check-in agent by posing as a…

Deliberate Internet Shutdowns For two days in September, Afghanistan had no internet. No satellite failed; no cable was cut. This was a deliberate outage, mandated by the Taliban government. It followed a more localized shutdown two weeks prior, reportedly instituted "to prevent immoral…

Chinese Surveillance and AI New report: "The Party's AI: How China's New AI Systems are Reshaping Human Rights." From a summary article: China is already the world's largest exporter of AI powered surveillance technology; new surveillance technologies and platforms developed in China are also not…