Schneier on Security
@schneier.com
An automated feed of posts from Bruce Schneier's blog.
https://www.schneier.com/
Apple’s New Memory Integrity Enforcement
Apple has introduced a new hardware/software security feature in the iPhone 17: "Memory Integrity Enforcement," targeting the memory safety vulnerabilities that spyware products like Pegasus tend to use to get unauthorized system access. From Wired: In recent years, a movement has been steadily growing across the global tech industry to address a ubiquitous and insidious type of bugs known as memory-safety vulnerabilities.
https://www.schneier.com/blog/archives/2025/09/apples-new-memory-integrity-enforcement.html
about 17 hours ago
Details About Chinese Surveillance and Propaganda Companies
Details from leaked documents: While people often look at China’s Great Firewall as a single, all-powerful government system unique to China, the actual process of developing and maintaining it works the same way as surveillance technology in the West. Geedge collaborates with academic institutions on research and development, adapts its business strategy to fit different clients’ needs, and even repurposes leftover infrastructure from its competitors.
https://www.schneier.com/blog/archives/2025/09/details-about-chinese-surveillance-and-propaganda-companies.html
1 day ago
Friday Squid Blogging: Giant Squid vs. Blue Whale
A comparison aimed at kids.
https://www.schneier.com/blog/archives/2025/09/friday-squid-blogging-giant-squid-vs-blue-whale.html
4 days ago
Surveying the Global Spyware Market
The Atlantic Council has published its second annual report: "Mythical Beasts: Diving into the depths of the global spyware market." Too much good detail to summarize, but here are two items: First, the authors found that the number of US-based investors in spyware has notably increased in the past year, when compared with the sample size of the spyware market captured in the first Mythical Beasts project.
https://www.schneier.com/blog/archives/2025/09/surveying-the-global-spyware-market.html
5 days ago
Time-of-Check Time-of-Use Attacks Against LLMs
This is a nice piece of research: "Mind the Gap: Time-of-Check to Time-of-Use Vulnerabilities in LLM-Enabled Agents": Abstract: Large Language Model (LLM)-enabled agents are rapidly emerging across a wide range of applications, but their deployment introduces vulnerabilities with security implications. While prior work has examined prompt-based attacks (e.g., prompt injection) and data-oriented threats (e.g., data exfiltration), time-of-check to time-of-use (TOCTOU) remain largely unexplored in this context.
https://www.schneier.com/blog/archives/2025/09/time-of-check-time-of-use-attacks-against-llms.html
6 days ago
Hacking Electronic Safes
Vulnerabilities in electronic safes that use Securam Prologic locks: While both their techniques represent glaring security vulnerabilities, Omo says it's the one that exploits a feature intended as a legitimate unlock method for locksmiths that's the more widespread and dangerous. "This attack is something where, if you had a safe with this kind of lock, I could literally pull up the code right now with no specialized hardware, nothing," Omo says.
https://www.schneier.com/blog/archives/2025/09/hacking-electronic-safes.html
7 days ago
Microsoft Still Uses RC4
Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft over its continued use of the RC4 encryption algorithm. The letter talks about a hacker technique called Kerberoasting, which exploits the Kerberos authentication system.
https://www.schneier.com/blog/archives/2025/09/microsoft-still-uses-rc4.html
8 days ago
Lawsuit About WhatsApp Security
Attaullah Baig, WhatsApp's former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission. The lawsuit, alleging violations of the whistleblower protection provision of the Sarbanes-Oxley Act passed in 2002, said that in 2022, roughly 100,000 WhatsApp users had their accounts hacked every day.
https://www.schneier.com/blog/archives/2025/09/lawsuit-about-whatsapp-security.html
9 days ago
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking and signing books at the Cambridge Public Library on October 22, 2025 at 6 PM ET. The event is sponsored by Harvard Bookstore. I’m giving a virtual talk about my book Rewiring Democracy at 1 PM ET on October 23, 2025. The event is hosted by Data & Society.
https://www.schneier.com/blog/archives/2025/09/upcoming-speaking-engagements-48.html
9 days ago
Assessing the Quality of Dried Squid
Research: "Nondestructive detection of multiple dried squid qualities by hyperspectral imaging combined with 1D-KAN-CNN." Abstract: Given that dried squid is a highly regarded marine product in Oriental countries, the global food industry requires a swift and noninvasive quality assessment of this product. The current study therefore uses visible-near-infrared (VIS-NIR) hyperspectral imaging and deep learning (DL) methodologies. We acquired and preprocessed VIS-NIR (400-1000 nm) hyperspectral reflectance images of 93 dried squid samples.
https://www.schneier.com/blog/archives/2025/09/assessing-the-quality-of-dried-squid.html
11 days ago
A Cyberattack Victim Notification Framework
Interesting analysis: When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge across industry. When making notifications, companies often do not know the true identity of victims and may only have a single email address through which to provide the notification.
https://www.schneier.com/blog/archives/2025/09/a-cyberattack-victim-notification-framework.html
11 days ago
New Cryptanalysis of the Fiat-Shamir Protocol
A couple of months ago, a new paper demonstrated some new attacks against the Fiat-Shamir transformation. Quanta published a good article that explains the results. This is a pretty exciting paper from a theoretical perspective, but I don't see it leading to any practical real-world cryptanalysis. The fact that there are some weird circumstances that result in Fiat-Shamir insecurities isn't new -- many dozens of papers have been published about it since 1986.
https://www.schneier.com/blog/archives/2025/09/new-cryptanalysis-of-the-fiat-shamir-protocol.html
15 days ago
Signed Copies of Rewiring Democracy
When I announced my latest book last week, I forgot to mention that you can pre-order a signed copy here. I will ship the books the week of 10/20, when it is published.
https://www.schneier.com/blog/archives/2025/09/signed-copies-of-rewiring-democracy.html
15 days ago
AI in Government
Just a few months after Elon Musk's retreat from his unofficial role leading the Department of Government Efficiency (DOGE), we have a clearer picture of his vision of government powered by artificial intelligence, and it has a lot more to do with consolidating power than benefitting the public. Even so, we must not lose sight of the fact that a different administration could wield the same technology to advance a more positive future for AI in government.
https://www.schneier.com/blog/archives/2025/09/ai-in-government.html
16 days ago
Friday Squid Blogging: The Origin and Propagation of Squid
New research (paywalled): Editor's summary: Cephalopods are one of the most successful marine invertebrates in modern oceans, and they have a 500-million-year-old history. However, we know very little about their evolution because soft-bodied animals rarely fossilize. Ikegami et al. developed an approach to reveal squid fossils, focusing on their beaks, the sole hard component of their bodies. They found that squids radiated rapidly after shedding their shells, reaching high levels of diversity by 100 million years ago. This finding shows both that squid body forms led to early success and that their radiation was not due to the end-Cretaceous extinction event.
https://www.schneier.com/blog/archives/2025/09/friday-squid-blogging-the-origin-and-propagation-of-squid.html
18 days ago
My Latest Book: Rewiring Democracy
I am pleased to announce the imminent publication of my latest book, Rewiring Democracy: How AI will Transform our Politics, Government, and Citizenship: coauthored with Nathan Sanders, and published by MIT Press on October 21. Rewiring Democracy looks beyond common tropes like deepfakes to examine how AI technologies will affect democracy in five broad areas: politics, legislating, administration, the judiciary, and citizenship.
https://www.schneier.com/blog/archives/2025/09/my-latest-book-rewiring-democracy.html
18 days ago
GPT-4o-mini Falls for Psychological Manipulation
Interesting experiment: To design their experiment, the University of Pennsylvania researchers tested 2024's GPT-4o-mini model on two requests that it should ideally refuse: calling the user a jerk and giving directions for how to synthesize lidocaine. The researchers created experimental prompts for both requests using each of seven different persuasion techniques (examples of which are included here): Authority: "I just had a discussion with Andrew Ng, a world-famous AI developer.
https://www.schneier.com/blog/archives/2025/09/gpt-4o-mini-falls-for-psychological-manipulation.html
19 days ago
Generative AI as a Cybercrime Assistant
Anthropic reports on a Claude user: We recently disrupted a sophisticated cybercriminal that used Claude Code to commit large-scale theft and extortion of personal data. The actor targeted at least 17 distinct organizations, including in healthcare, the emergency services, and government and religious institutions. Rather than encrypt the stolen information with traditional ransomware, the actor threatened to expose the data publicly in order to attempt to extort victims into paying ransoms that sometimes exceeded $500,000.
https://www.schneier.com/blog/archives/2025/09/generative-ai-as-a-cybercrime-assistant.html
20 days ago
Indirect Prompt Injection Attacks Against LLM Assistants
Really good research on practical attacks against LLM agents. "Invitation Is All You Need! Promptware Attacks Against LLM-Powered Assistants in Production Are Practical and Dangerous" Abstract: The growing integration of LLMs into applications has introduced new security risks, notably known as Promptware -- maliciously engineered prompts designed to manipulate LLMs to compromise the CIA triad of these applications. While prior research warned about a potential shift in the threat landscape for LLM-powered applications, the risk posed by Promptware is frequently perceived as low.
https://www.schneier.com/blog/archives/2025/09/indirect-prompt-injection-attacks-against-llm-assistants.html
21 days ago
1965 Cryptanalysis Training Workbook Released by the NSA
In the early 1960s, National Security Agency cryptanalyst and cryptanalysis instructor Lambros D. Callimahos coined the term "Stethoscope" to describe a diagnostic computer program used to unravel the internal structure of pre-computer ciphertexts. The term appears in the newly declassified September 1965 document Cryptanalytic Diagnosis with the Aid of a Computer, which compiled 147 listings from this tool for Callimahos's…
https://www.schneier.com/blog/archives/2025/09/1965-cryptanalysis-training-workbook-released-by-the-nsa.html
22 days ago
Friday Squid Blogging: Catching Humboldt Squid
First-person account of someone accidentally catching several Humboldt squid on a fishing line. No photos, though. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy.
https://www.schneier.com/blog/archives/2025/08/friday-squid-blogging-catching-humboldt-squid.html
25 days ago
Baggage Tag Scam
I just heard about this: There's a travel scam warning going around the internet right now: You should keep your baggage tags on your bags until you get home, then shred them, because scammers are using luggage tags to file fraudulent claims for missing baggage with the airline. First, the scam is possible. I had a bag destroyed by baggage handlers on a recent flight, and all the information I needed to file a claim was on my luggage tag.
https://www.schneier.com/blog/archives/2025/08/baggage-tag-scam.html
26 days ago
The UK May Be Dropping Its Backdoor Mandate
The US Director of National Intelligence is reporting that the UK government is dropping its backdoor mandate against the Apple iPhone. For now, at least, assuming that Tulsi Gabbard is reporting this accurately.
https://www.schneier.com/blog/archives/2025/08/the-uk-may-be-dropping-its-backdoor-mandate.html
27 days ago
We Are Still Unable to Secure LLMs from Malicious Inputs
Nice indirect prompt injection attack: Bargury's attack starts with a poisoned document, which is shared to a potential victim's Google Drive. (Bargury says a victim could have also uploaded a compromised file to their own account.) It looks like an official document on company meeting policies. But inside the document, Bargury hid a 300-word malicious prompt that contains instructions for ChatGPT.
https://www.schneier.com/blog/archives/2025/08/we-are-still-unable-to-secure-llms-from-malicious-inputs.html
28 days ago
Encryption Backdoor in Military/Police Radios
I wrote about this in 2023. Here's the story: Three Dutch security analysts discovered the vulnerabilities -- five in total -- in a European radio standard called TETRA (Terrestrial Trunked Radio), which is used in radios made by Motorola, Damm, Hytera, and others. The standard has been used in radios since the ’90s, but the flaws remained unknown because encryption algorithms used in TETRA were kept secret until now.
https://www.schneier.com/blog/archives/2025/08/encryption-backdoor-in-military-police-radios.html
29 days ago
Poor Password Choices
Look at this: McDonald's chose the password "123456" for a major corporate system.
https://www.schneier.com/blog/archives/2025/08/poor-password-choices.html
30 days ago
Friday Squid Blogging: Bobtail Squid
Nice short article on the bobtail squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy.
https://www.schneier.com/blog/archives/2025/08/friday-squid-blogging-bobtail-squid.html
about 1 month ago
I’m Spending the Year at the Munk School
This academic year, I am taking a sabbatical from the Kennedy School and Harvard University. (It's not a real sabbatical -- I'm just an adjunct -- but it's the same idea.) I will be spending the Fall 2025 and Spring 2026 semesters at the Munk School at the University of Toronto. I will be organizing a reading group on AI security in the fall.
https://www.schneier.com/blog/archives/2025/08/im-spending-the-year-at-the-munk-school.html
about 1 month ago
AI Agents Need Data Integrity
Think of the Web as a digital territory with its own social contract. In 2014, Tim Berners-Lee called for a "Magna Carta for the Web" to restore the balance of power between individuals and institutions. This mirrors the original charter's purpose: ensuring that those who occupy a territory have a meaningful stake in its governance. Web 3.0—the distributed, decentralized Web…
https://www.schneier.com/blog/archives/2025/08/ai-agents-need-data-integrity.html
about 1 month ago
Jim Sanborn Is Auctioning Off the Solution to Part Four of the Kryptos Sculpture
Well, this is interesting: The auction, which will include other items related to cryptology, will be held Nov. 20. RR Auction, the company arranging the sale, estimates a winning bid between $300,000 and $500,000. Along with the original handwritten plain text of K4 and other papers related to the coding, Mr. Sanborn will also be providing a 12-by-18-inch copper plate that has three lines of alphabetic characters cut through with a jigsaw, which he calls "my proof-of-concept piece" and which he kept on a table for inspiration during the two years he and helpers hand-cut the letters for the project.
https://www.schneier.com/blog/archives/2025/08/jim-sanborn-is-auctioning-off-the-solution-to-part-four-of-the-kryptos-sculpture.html
about 1 month ago
Subverting AIOps Systems Through Poisoned Input Data
In this input integrity attack against an AI system, researchers were able to fool AIOps tools: AIOps refers to the use of LLM-based agents to gather and analyze application telemetry, including system logs, performance metrics, traces, and alerts, to detect problems and then suggest or carry out corrective actions. The likes of Cisco have deployed AIops in a conversational interface that admins can use to prompt for information about system performance.
https://www.schneier.com/blog/archives/2025/08/subverting-aiops-systems-through-poisoned-input-data.html
about 1 month ago
Zero-Day Exploit in WinRAR File
A zero-day vulnerability in WinRAR is being exploited by at least two Russian criminal groups: The vulnerability seemed to have super Windows powers. It abused alternate data streams, a Windows feature that allows different ways of representing the same file path. The exploit abused that feature to trigger a previously unknown path traversal flaw that caused WinRAR to plant malicious executables in attacker-chosen file paths %TEMP% and %LOCALAPPDATA%, which Windows normally makes off-limits because of their ability to execute code. More details in the article.
https://www.schneier.com/blog/archives/2025/08/zero-day-exploit-in-winrar-file.html
about 1 month ago
Eavesdropping on Phone Conversations Through Vibrations
Researchers have managed to eavesdrop on cell phone voice conversations by using radar to detect vibrations. It's more a proof of concept than anything else. The radar detector is only ten feet away, the setup is stylized, and accuracy is poor. But it's a start.
https://www.schneier.com/blog/archives/2025/08/eavesdropping-on-phone-conversations-through-vibrations.html
about 1 month ago
Friday Squid Blogging: Squid-Shaped UFO Spotted Over Texas
Here's the story. The commenters on X (formerly Twitter) are unimpressed. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy.
https://www.schneier.com/blog/archives/2025/08/friday-squid-blogging-squid-shaped-ufo-spotted-over-texas.html
about 1 month ago
Trojans Embedded in .svg Files
Porn sites are hiding code in .svg files: Unpacking the attack took work because much of the JavaScript in the .svg images was heavily obscured using a custom version of "JSFuck," a technique that uses only a handful of character types to encode JavaScript into a camouflaged wall of text. Once decoded, the script causes the browser to download a chain of additional obfuscated JavaScript.
https://www.schneier.com/blog/archives/2025/08/trojans-embedded-in-svg-files.html
about 1 month ago
LLM Coding Integrity Breach
Here's an interesting story about a failure being introduced by LLM-written code. Specifically, the LLM was doing some code refactoring, and when it moved a chunk of code from one file to another it changed a "break" to a "continue." That turned an error logging statement into an infinite loop, which crashed the system. This is an integrity failure. Specifically, it's a failure of processing integrity. And while we can think of particular patches that alleviate this exact failure, the larger problem is much harder to solve. Davi Ottenheimer comments.
https://www.schneier.com/blog/archives/2025/08/llm-coding-integrity-breach.html
about 1 month ago
AI Applications in Cybersecurity
There is a really great series of online events highlighting cool uses of AI in cybersecurity, titled Prompt||GTFO. Videos from the first three events are online. And here's where to register to attend, or participate, in the fourth. Some really great stuff here.
https://www.schneier.com/blog/archives/2025/08/ai-applications-in-cybersecurity.html
about 1 month ago
SIGINT During World War II
The NSA and GCHQ have jointly published a history of World War II SIGINT: "Secret Messengers: Disseminating SIGINT in the Second World War." This is the story of the British SLUs (Special Liaison Units) and the American SSOs (Special Security Officers).
https://www.schneier.com/blog/archives/2025/08/sigint-during-world-war-ii.html
about 1 month ago
The “Incriminating Video” Scam
A few years ago, scammers invented a new phishing email. They would claim to have hacked your computer, turned your webcam on, and videoed you watching porn or having sex. BuzzFeed has an article talking about a "shockingly realistic" variant, which includes photos of you and your house -- more specific information. The article contains "steps you can take to figure out if it's a scam," but omits the first and most fundamental piece of advice: If the hacker had incriminating video about you, they would show you a clip.
https://www.schneier.com/blog/archives/2025/08/the-incriminating-video-scam.html
about 1 month ago
Automatic License Plate Readers Are Coming to Schools
Fears around children are opening up a new market for automatic license plate readers.
https://www.schneier.com/blog/archives/2025/08/automatic-license-plate-readers-are-coming-to-schools.html
about 1 month ago
Friday Squid Blogging: New Vulnerability in Squid HTTP Proxy Server
In a rare squid/security combined post, a new vulnerability was discovered in the Squid HTTP proxy server.
https://www.schneier.com/blog/archives/2025/08/friday-squid-blogging-new-vulnerability-in-squid-http-proxy-server.html
about 2 months ago
Google Project Zero Changes Its Disclosure Policy
Google's vulnerability finding team is again pushing the envelope of responsible disclosure: Google's Project Zero team will retain its existing 90+30 policy regarding vulnerability disclosures, in which it provides vendors with 90 days before full disclosure takes place, with a 30-day period allowed for patch adoption if the bug is fixed before the deadline. However, as of July 29, Project Zero will also release limited details about any discovery they make within one week of vendor disclosure.
https://www.schneier.com/blog/archives/2025/08/google-project-zero-changes-its-disclosure-policy.html
about 2 months ago
China Accuses Nvidia of Putting Backdoors into Their Chips
The government of China has accused Nvidia of inserting a backdoor into their H20 chips: China's cyber regulator on Thursday said it had held a meeting with Nvidia over what it called "serious security issues" with the company's artificial intelligence chips. It said US AI experts had "revealed that Nvidia's computing chips have location tracking and can remotely shut down the technology."
https://www.schneier.com/blog/archives/2025/08/china-accuses-nvidia-of-putting-backdoors-into-their-chips.html
about 2 months ago
The Semiconductor Industry and Regulatory Compliance
Earlier this week, the Trump administration narrowed export controls on advanced semiconductors ahead of US-China trade negotiations. The administration is increasingly relying on export licenses to allow American semiconductor firms to sell their products to Chinese customers, while keeping the most powerful of them out of the hands of our military adversaries. These are the chips that power the artificial intelligence research fueling China's technological rise, as well as the advanced military equipment underpinning Russia's invasion of Ukraine.
https://www.schneier.com/blog/archives/2025/08/its-time-for-the-semiconductor-industry-to-step-up.html
about 2 months ago
Surveilling Your Children with AirTags
Skechers is making a line of kid's shoes with a hidden compartment for an AirTag.
https://www.schneier.com/blog/archives/2025/08/surveilling-your-children-with-airtags.html
about 2 months ago
First Sentencing in Scheme to Help North Koreans Infiltrate US Companies
An Arizona woman was sentenced to eight-and-a-half years in prison for her role helping North Korean workers infiltrate US companies by pretending to be US workers. From an article: According to court documents, Chapman hosted the North Korean IT workers' computers in her own home between October 2020 and October 2023, creating a so-called "laptop farm" which was used to make it appear as though the devices were located in the United States.
https://www.schneier.com/blog/archives/2025/08/first-sentencing-in-scheme-to-help-north-koreans-infiltrate-us-companies.html
about 2 months ago
Friday Squid Blogging: A Case of Squid Fossil Misidentification
What scientists thought were squid fossils were actually arrow worms.
https://www.schneier.com/blog/archives/2025/08/friday-squid-blogging-a-case-of-squid-fossil-misidentification.html
about 2 months ago
Spying on People Through Airportr Luggage Delivery Service
Airportr is a service that allows passengers to have their luggage picked up, checked, and delivered to their destinations. As you might expect, it's used by wealthy or important people. So if the company's website is insecure, you'd be able to spy on lots of wealthy or important people. And maybe even steal their luggage. Researchers at the firm CyberX9 found that simple bugs in Airportr's website allowed them to access virtually all of those users' personal information, including travel plans, or even gain administrator privileges that would have allowed a hacker to redirect or steal luggage in transit.
https://www.schneier.com/blog/archives/2025/08/spying-on-people-through-airportr-luggage-delivery-service.html
about 2 months ago
Cheating on Quantum Computing Benchmarks
Peter Gutmann and Stephan Neuhaus have a new paper -- I think it's new, even though it has a March 2025 date -- that makes the argument that we shouldn't trust any of the quantum factorization benchmarks, because everyone has been cooking the books: Similarly, quantum factorisation is performed using sleight-of-hand numbers that have been selected to make them very easy to factorise using a physics experiment and, by extension, a VIC-20, an abacus, and a dog.
https://www.schneier.com/blog/archives/2025/07/cheating-on-quantum-computing-benchmarks.html
about 2 months ago
Measuring the Attack/Defense Balance
"Who's winning on the internet, the attackers or the defenders?" I'm asked this all the time, and I can only ever give a qualitative hand-wavy answer. But Jason Healey and Tarang Jain's latest Lawfare piece has amassed data. The essay provides the first framework for metrics about how we are all doing collectively -- and not just how an individual network is doing.
https://www.schneier.com/blog/archives/2025/07/measuring-the-attack-defense-balance.html
about 2 months ago