Encryption can protect data at rest and data in transit, but does nothing for data in use. What we have are secure enclaves. I've written about this before: Almost all cloud services have to perform some computation on our data. Even the simplest storage provider has code to copy bytes from an internal storage system and deliver them to the user.

The second season of the Netflix reality competition show Squid Game: The Challenge has dropped. (Too many links to pick a few -- search for it.) As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy.

Over the past few decades, it's become easier and easier to create fake receipts. Decades ago, it required special paper and printers -- I remember a company in the UK advertising its services to people trying to cover up their affairs. Then, receipts became computerized, and faking them required some artistic skills to make the page look realistic. Now, AI can…

The Department of Justice has indicted thirty-one people over the high-tech rigging of high-stakes poker games. In a typical legitimate poker game, a dealer uses a shuffling machine to shuffle the cards randomly before dealing them to all the players in a particular order. As set forth in the indictment, the rigged games used altered shuffling machines that contained hidden technology allowing the machines to read all the cards in the deck.

For many in the research community, it's gotten harder to be optimistic about the impacts of artificial intelligence. As authoritarianism is rising around the world, AI-generated "slop" is overwhelming legitimate media, while AI-generated deepfakes are spreading misinformation and parroting extremist messages. AI is making warfare more precise and deadly amidst intransigent conflicts. AI companies are exploiting people in the global South who work as data labelers, and profiting from content creators worldwide by using their work without license or compensation.

Microsoft is warning of a scam involving online payroll systems. Criminals use social engineering to steal people's credentials, and then divert direct deposits into accounts that they control. Sometimes they do other things to make it harder for the victim to realize what is happening. I feel like this kind of thing is happening everywhere, with everything. As we move more of our personal and professional lives online, we enable criminals to subvert the very systems we rely on.

These days, the most important meeting attendee isn’t a person: It’s the AI notetaker. This system assigns action items and determines the importance of what is said. If it becomes necessary to revisit the facts of the meeting, its summary is treated as impartial evidence. But clever meeting attendees can manipulate this system’s record by speaking more to what the underlying AI weights for summarization and importance than to their colleagues.

I can't believe that I haven't yet posted this picture of a giant squid at the Smithsonian. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy.

Listen to the Audio on NextBigIdeaClub.com Below, co-authors Bruce Schneier and Nathan E. Sanders share five key insights from their new book, Rewiring Democracy: How AI Will Transform Our Politics, Government, and Citizenship. What's the big idea? AI can be used both for and against the public interest within democracies. It is already being used in the governing of nations around the world, and there is no escaping its continued use in the future by leaders, policy makers, and legal enforcers.

Interesting article about the arms race between AI systems that invent/design new biological pathogens, and AI systems that detect them before they're created: The team started with a basic test: use AI tools to design variants of the toxin ricin, then test them against the software that is used to screen DNA orders. The results of the test suggested there was a risk of dangerous protein variants slipping past existing screening software, so the situation was treated like the equivalent of a zero-day vulnerability.

Signal has just rolled out its quantum-safe cryptographic implementation. Ars Technica has a really good article with details: Ultimately, the architects settled on a creative solution. Rather than bolt KEM onto the existing double ratchet, they allowed it to remain more or less the same as it had been. Then they used the new quantum-safe ratchet to implement a parallel secure messaging system.

Good Wall Street Journal article on criminal gangs that scam people out of their credit card information: Your highway toll payment is now past due, one text warns. You have U.S. Postal Service fees to pay, another threatens. You owe the New York City Department of Finance for unpaid traffic violations. The texts are ploys to get unsuspecting victims to fork over their credit-card details.

I assume I don't have to explain last week's Louvre jewel heist. I love a good caper, and have (like many others) eagerly followed the details. An electric ladder to a second-floor window, an angle grinder to get into the room and the display cases, security guards there more to protect patrons than valuables -- seven minutes, in and out.

Mother Jones has a long article on surveillance arms manufacturers, their wares, and how they avoid export control laws: Operating from their base in Jakarta, where permissive export laws have allowed their surveillance business to flourish, First Wap's European founders and executives have quietly built a phone-tracking empire, with a footprint extending from the Vatican to the Middle East to Silicon Valley.

There is a new cigar named "El Pulpo The Squid." Yes, that means "The Octopus The Squid." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy.

Two people found the solution. They used the power of research, not cryptanalysis, finding clues amongst the Sanborn papers at the Smithsonian's Archives of American Art. This comes as an awkward time, as Sanborn is auctioning off the solution. There were legal threats -- I don't understand their basis -- and the solvers are not publishing their solution.

This is bad: F5, a Seattle-based maker of networking software, disclosed the breach on Wednesday. F5 said a "sophisticated" threat group working for an undisclosed nation-state government had surreptitiously and persistently dwelled in its network over a "long-term." Security researchers who have responded to similar intrusions in the past took the language to mean the hackers were inside the F5 network…

Interesting article on people with nonstandard faces and how facial recognition systems fail for them. Some of those living with facial differences tell WIRED they have undergone multiple surgeries and experienced stigma for their entire lives, which is now being echoed by the technology they are forced to interact with. They say they haven't been able to access public services due to facial verification services failing, while others have struggled to access financial services.

Scouting America (formerly known as Boy Scouts) has a new badge in cybersecurity. There's an image in the article; it looks good. I want one.

The OODA loop—for observe, orient, decide, act—is a framework to understand decision-making in adversarial situations. We apply the same framework to artificial intelligence agents, who have to make their decisions with untrustworthy observations and orientation. To solve this problem, we need new systems of input, processing, and output integrity. Many decades ago, U.S. Air Force Colonel John Boyd introduced the concept of the "OODA loop," for Observe, Orient, Decide, and Act.

Good video. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy.

Here's the summary: We pointed a commercial-off-the-shelf satellite dish at the sky and carried out the most comprehensive public study to date of geostationary satellite communication. A shockingly large amount of sensitive traffic is being broadcast unencrypted, including critical infrastructure, internal corporate and government communications, private citizens' voice calls and SMS, and consumer Internet traffic from in-flight wifi and mobile networks.

CNN has a great piece about how cryptocurrency ATMs are used to scam people out of their money. The fees are usurious, and they're a common place for scammers to send victims to buy cryptocurrency for them. The companies behind the ATMs, at best, do not care about the harm they cause; the profits are just too good.

Apple is now offering a $2M bounty for a zero-click exploit. According to the Apple website: Today we’re announcing the next major chapter for Apple Security Bounty, featuring the industry’s highest rewards, expanded research categories, and a flag system for researchers to objectively demonstrate vulnerabilities and obtain accelerated awards. We’re doubling our top award to $2 million for exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks.

This is a current list of where and when I am scheduled to speak: I and Nathan E. Sanders will be giving a book talk on Rewiring Democracy at the Harvard Kennedy School’s Ash Center in Cambridge, Massachusetts, USA, on October 22, 2025 at noon ET. I and Nathan E. Sanders will be speaking and signing books at the Cambridge Public Library…