Collaborate Disseminate
Article about the bigfin squid.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Blog moderation policy.
Continue reading Friday Squid Blogging: Bigfin Squid
Some AI-based video age-verification checks can be fooled with a fake mustache.
Continue reading Bypassing On-Camera Age-Verification Checks
This is a current list of where and when I am scheduled to speak:
Last month, Anthropic made a remarkable announcement about its new model, Claude Mythos Preview: it was so good at finding security vulnerabilities in software that the company would not release it to the general public. Instead, it would only be available to a select group of companies to scan and fix their own software.
The announcement requires context—but it contained an essential truth.
While Anthropic’s model is really good at finding software vulnerabilities, so are other models. The UK’s AI Security Institute found that OpenAI’s GPT-5.5, already generally available, is comparable in capability. The company Aisle …
The UK’s AI Security Institute evaluated GPT-5.5’s ability to find security vulnerabilities, and found that it is comparable to Claude Mythos. Note that the OpenAI model is generally available.
Here is the Institute’s evaluation of My… Continue reading OpenAI’s GPT-5.5 is as Good as Mythos at Finding Security Vulnerabilities
This is the worst Linux vulnerability in years.
TL;DR
- copy.fail is a Linux kernel local privilege escalation, not a browser or clipboard attack. Disclosed by Theori on 29 April 2026 with a working PoC.
- It abuses the kernel crypto API (AF_ALG sockets) plus splice() to write four bytes at a time straight into the page cache of a file the attacker does not own.
- The exploit works unmodified across Ubuntu, RHEL, Debian, SUSE, Amazon Linux, Fedora and most others. No race condition, no per-distro offsets.
- The file on disk is never modified. AIDE, Tripwire and checksum-based monitoring see nothing.
…
Turns out that LLMs are really good at hiding text messages in other text messages.
Continue reading LLMs and Text-in-Text Steganography
Evidence of them has been found by analyzing DNA in the seawater.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Blog moderation policy.
Continue reading Friday Squid Blogging: Giant Squid Live in the Waters of Western Australia
Insider trading is rife on Polymarket:
Analysis by the Anti-Corruption Data Collective, a non-profit research and advocacy group, found that long-shot bets—defined as wagers of $2,500 or more at odds of 35 percent or less—on the platform had an average win rate of around 52 percent in markets on military and defense actions.
That compares with a win rate of 25 percent across all politics-focused markets and just 14 percent for all markets on the platform as a whole.
It is absolutely insane that this is legal. We already know how insider betting warps sports. Insider betting warping politics—and military actions—is orders of magnitude worse…
ICE is developing its own version of smart glasses, with facial recognition tied to various databases.
Continue reading Smart Glasses for the Authorities