Schneier on Security

  1. Friday Squid Blogging: Squid Camouflage

    New research:

    Abstract: Coleoid cephalopods have the most elaborate camouflage system in the animal kingdom. This enables them to hide from or deceive both predators and prey. Most studies have focused on benthic species of octopus and cuttlefish, while studies on squid focused mainly on the chromatophore system for communication. Camouflage adaptations to the substrate while moving has been recently described in the semi-pelagic oval squid (Sepioteuthis lessoniana). Our current study focuses on the same squid’s complex camouflage to substrate in a stationary, motionless position. We observed disruptive, uniform, and mottled chromatic body patterns, and we identified a threshold of contrast between dark and light chromatic components that simplifies the identification of disruptive chromatic body pattern. We found that arm postural components are related to the squid position in the environment, either sitting directly on the substrate or hovering just few centimeters above the substrate. Several of these context-dependent body patterns have not yet been observed in...

  2. IoT Hack

    Someone hacked an Italian ferry.

    It looks like the malware was installed by someone on the ferry, and not remotely.

  3. Urban VPN Proxy Surreptitiously Intercepts AI Chats

    This is pretty scary:

    Urban VPN Proxy targets conversations across ten AI platforms: ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok (xAI), Meta AI.

    For each platform, the extension includes a dedicated “executor” script designed to intercept and capture conversations. The harvesting is enabled by default through hardcoded flags in the extension’s configuration.

    There is no user-facing toggle to disable this. The only way to stop the data collection is to uninstall the extension entirely.

    […]

    The data collection operates independently of the VPN functionality. Whether the VPN is connected or not, the harvesting runs continuously in the background...

  4. Denmark Accuses Russia of Conducting Two Cyberattacks

    News:

    The Danish Defence Intelligence Service (DDIS) announced on Thursday that Moscow was behind a cyber-attack on a Danish water utility in 2024 and a series of distributed denial-of-service (DDoS) attacks on Danish websites in the lead-up to the municipal and regional council elections in November.

    The first, it said, was carried out by the pro-Russian group known as Z-Pentest and the second by NoName057(16), which has links to the Russian state.

    Slashdot thread.

  5. Microsoft Is Finally Killing RC4

    After twenty-six years, Microsoft is finally upgrading the last remaining instance of the encryption algorithm RC4 in Windows.

    of the most visible holdouts in supporting RC4 has been Microsoft. Eventually, Microsoft upgraded Active Directory to support the much more secure AES encryption standard. But by default, Windows servers have continued to respond to RC4-based authentication requests and return an RC4-based response. The RC4 fallback has been a favorite weakness hackers have exploited to compromise enterprise networks. Use of RC4 played a...

  6. Friday Squid Blogging: Petting a Squid

    Video from Reddit shows what could go wrong when you try to pet a—looks like a Humboldt—squid.

    As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

    Blog moderation policy.

  7. AI Advertising Company Hacked

    At least some of this is coming to light:

    Doublespeed, a startup backed by Andreessen Horowitz (a16z) that uses a phone farm to manage at least hundreds of AI-generated social media accounts and promote products has been hacked. The hack reveals what products the AI-generated accounts are promoting, often without the required disclosure that these are advertisements, and allowed the hacker to take control of more than 1,000 smartphones that power the company.

    The hacker, who asked for anonymity because he feared retaliation from the company, said he reported the vulnerability to Doublespeed on October 31. At the time of writing, the hacker said he still has access to the company’s backend, including the phone farm itself....

  8. Someone Boarded a Plane at Heathrow Without a Ticket or Passport

    I’m sure there’s a story here:

    Sources say the man had tailgated his way through to security screening and passed security, meaning he was not detected carrying any banned items.

    The man deceived the BA check-in agent by posing as a family member who had their passports and boarding passes inspected in the usual way.

  9. Deliberate Internet Shutdowns

    For two days in September, Afghanistan had no internet. No satellite failed; no cable was cut. This was a deliberate outage, mandated by the Taliban government. It followed a more localized shutdown two weeks prior, reportedly instituted “to prevent immoral activities.” No additional explanation was given. The timing couldn’t have been worse: communities still reeling from a major earthquake lost emergency communications, flights were grounded, and banking was interrupted. Afghanistan’s blackout is part of a wider pattern. Just since the end of September, there were also major nationwide internet shutdowns in...

  10. Chinese Surveillance and AI

    New report: “The Party’s AI: How China’s New AI Systems are Reshaping Human Rights.” From a summary article:

    China is already the world’s largest exporter of AI powered surveillance technology; new surveillance technologies and platforms developed in China are also not likely to simply stay there. By exposing the full scope of China’s AI driven control apparatus, this report presents clear, evidence based insights for policymakers, civil society, the media and technology companies seeking to counter the rise of AI enabled repression and human rights violations, and China’s growing efforts to project that repression beyond its borders...