Collaborate Disseminate
A new bioadhesive makes it easier to attach trackers to squid.
Note: the article does not discuss squid privacy rights.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posti… Continue reading Friday Squid Blogging: Squid Trackers
After the XZ Utils discovery, people have been examining other open-source projects. Surprising no one, the incident is not unique:
The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor…
Continue reading Other Attempts to Take Over Open Source Projects
Canadian legislators proposed 19,600 amendments—almost certainly AI-generated—to a bill in an attempt to delay its adoption.
I wrote about many different legislative delaying tactics in A Hacker’s Mind, but this is a new one.
Continue reading Using AI-Generated Legislative Amendments as a Delaying Technique
Brian Krebs reported that X (formerly known as Twitter) started automatically changing twitter.com links to x.com links. The problem is: (1) it changed any domain name that ended with “twitter.com,” and (2) it only changed the link’s … Continue reading X.com Automatically Changing Link Text but Not URLs
A new paper presents a polynomial-time quantum algorithm for solving certain hard lattice problems. This could be a big deal for post-quantum cryptographic algorithms, since many of them base their security on hard lattice problems.
A few things to note. One, this paper has not yet been peer reviewed. As this comment points out: “We had already some cases where efficient quantum algorithms for lattice problems were discovered, but they turned out not being correct or only worked for simple special cases.” I expect we’ll learn more about this particular algorithm with time. And, like many of these algorithms, there will be improvements down the road…
This is a current list of where and when I am scheduled to speak:
I’m speaking twice at RSA Conference 2024 in San Francisco. I’ll be on a panel on software liability on May 6, 2024 at 8:30 AM, and I’m giving a keynote on AI and demo… Continue reading Upcoming Speaking Engagements
It’s a pretty awful story.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
Continue reading Friday Squid Blogging: The Awfulness of Squid Fishing Boats
Last week, the Internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention—but it should. There’s an important moral to the story of the attack and its discovery: The security of the global Internet depends on countless obscure pieces of software written and maintained by even more obscure unpaid, distractible, and sometimes vulnerable volunteers. It’s an untenable situation, and one that is being exploited by malicious actors. Yet precious little is being done to remedy it…
Last week, I posted a short memorial of Ross Anderson. The Communications of the ACM asked me to expand it. Here’s the longer version.
EDITED TO ADD (4/11): Two weeks before he passed away, Ross gave an 80-minute interview where he told his life … Continue reading In Memoriam: Ross Anderson, 1956–2024
The US Cyber Safety Review Board released a report on the summer 2023 hack of Microsoft Exchange by China. It was a serious attack by the Chinese government that accessed the emails of senior US government officials.
From the executive summary:
The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations. The Board reaches this conclusion based on:…
Continue reading US Cyber Safety Review Board on the 2023 Microsoft Exchange Hack