Blogroll

DARPA is launching a program aimed at vulnerability discovery via human-assisted AI. The new DARPA program is called CHESS (Computers and Humans Exploring Software Security), and they're holding a proposers day in a week and a half. This is the kind of thing that can dramatically change the offense/defense balance.... Bruce Schneier

This vulnerability is a result of an interaction between two different ways of handling e-mail addresses. Gmail ignores dots in addresses, so bruce.schneier@gmail.com is the same as bruceschneier@gmail.com is the same as b.r.u.c.e.schneier@gmail.com. (Note: I do not own any of those email addresses -- if they're even valid.) Netflix doesn't ignore dots, so those are all unique e-mail addresses and... Bruce Schneier

This is interesting. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.... Bruce Schneier

This is a really interesting research result. This paper proves that two parties can create a secure communications channel using a communications system with a backdoor. It's a theoretical result, so it doesn't talk about how easy that channel is to create. And the assumptions on the adversary are pretty reasonable: that each party can create his own randomness, and... Bruce Schneier

The US Consumer Product Safety Commission is holding hearings on IoT risks: The U.S. Consumer Product Safety Commission (CPSC, Commission, or we) will conduct a public hearing to receive information from all interested parties about potential safety issues and hazards associated with internet-connected consumer products. The information received from the public hearing will be used to inform future Commission risk... Bruce Schneier

Interesting history.... Bruce Schneier

Rising sea temperatures is causing market squid to move north into Alaskan waters. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.... Bruce Schneier

It's routine for US police to unlock iPhones with the fingerprints of dead people. It seems only to work with recently dead people.... Bruce Schneier

In the wake of the Cambridge Analytica scandal, news articles and commentators have focused on what Facebook knows about us. A lot, it turns out. It collects data from our posts, our likes, our photos, things we type and delete without posting, and things we do while not on Facebook and even when we're offline. It buys data about us... Bruce Schneier

When Spectre and Meltdown were first announced earlier this year, pretty much everyone predicted that there would be many more attacks targeting branch prediction in microprocessors. Here's another one: In the new attack, an attacker primes the PHT and running branch instructions so that the PHT will always assume a particular branch is taken or not taken. The victim code... Bruce Schneier

Researchers have exploited a flaw in the cryptocurrency Monero to break the anonymity of transactions. Research paper. BoingBoing post.... Bruce Schneier

Ross Anderson has a really interesting paper on tracing stolen bitcoin. From a blog post: Previous attempts to track tainted coins had used either the "poison" or the "haircut" method. Suppose I open a new address and pay into it three stolen bitcoin followed by seven freshly-mined ones. Then under poison, the output is ten stolen bitcoin, while under haircut... Bruce Schneier

Yet another development in the arms race between facial recognition systems and facial-recognition-system foolers. BoingBoing post.... Bruce Schneier

Interesting research into undetectably adding backdoors into computer chips during manufacture: "Stealthy dopant-level hardware Trojans: extended version," also available here: Abstract: In recent years, hardware Trojans have drawn the attention of governments and industry as well as the scientific community. One of the main concerns is that integrated circuits, e.g., for military or critical-infrastructure applications, could be maliciously manipulated during... Bruce Schneier

An interesting hunting strategy: Off of northern Spain, giant squid often feed on schools of fish called blue whiting. The schools swim 400 meters or less below the surface, while the squid prefer to hang out around a mile deep. The squid must ascend to hunt, probably seizing fish from below with their tentacles, then descend again. In this scenario,... Bruce Schneier

Zeynep Tufekci is particularly cogent about Facebook and Cambridge Analytica. Several news outlets asked me to write about this issue. I didn't, because 1) my book manuscript is due on Monday (finally!), and 2) I knew Zeynep would say what I would say, only better.... Bruce Schneier

Some details about the iPhone unlocker from the US company Greyshift, with photos. Little is known about Grayshift or its sales model at this point. We don't know whether sales are limited to US law enforcement, or if it is also selling in other parts of the world. Regardless of that, it's highly likely that these devices will ultimately end... Bruce Schneier

Interesting analysis and speculation.... Bruce Schneier

Interesting paper "A first look at browser-based cryptojacking": Abstract: In this paper, we examine the recent trend towards in-browser mining of cryptocurrencies; in particular, the mining of Monero through Coinhive and similar code-bases. In this model, a user visiting a website will download a JavaScript code that executes client-side in her browser, mines a cryptocurrency, typically without her consent or... Bruce Schneier

A good warning, delivered in classic Dan Geer style.... Bruce Schneier