Popular:
Virtualization DNS security formal verification reachability analysis compiler errors macro conflict web extension development framework Bitmap Graphics API inconsistencies All Tags

Why the Take9 Cybersecurity Campaign is Doomed to Fail

2025-05-30

The new Take9 cybersecurity awareness campaign encourages pausing for nine seconds before clicking links or downloading files. However, this article argues it's ineffective. The nine-second pause is unrealistic in daily life, similar past campaigns have failed, and it wrongly blames users, ignoring systemic design flaws. A successful campaign would guide users through a two-step process: triggering suspicion and then directing their attention to what to look for and how to evaluate it. Simply pausing isn't enough; cognitive scaffolding and system designs accounting for dynamic interactions are necessary. The author concludes that fixing the system, not the user, is key.

Read more
(www.schneier.com)
Tech user education

Cell Phone OPSEC at Borders: Data Deletion and Recovery

2025-04-05

Concerns are rising about stricter electronic device checks at US borders. The author asks about securely deleting data (files, photos) from phones to prevent recovery. Does a factory reset truly erase data, or is it recoverable? This question hinges on whether the reset removes the encryption key or just the access password. The article stresses the growing need for enhanced phone security globally, given increasing risks for those opposing state power.

Read more
(www.schneier.com)
Misc phone security border security

Passwordless Two-Person Authentication

2025-02-14

A simple and clever method for two-person remote authentication has emerged! Two individuals use a shared device to generate time-based one-time passcodes (TOTP) QR codes. Each person scans their respective code into a mobile authenticator app (like Authy or Google Authenticator). Later, during a phone or video call, one person simply asks the other for the 6-digit TOTP code to verify identity, effectively preventing digital impersonation. No complex passwords required – secure and convenient!

Read more
(www.schneier.com)
Tech security protocol

DOGE: An Unprecedented National Cyberattack

2025-02-13

A department called "DOGE" has gained unauthorized access to critical US government systems, including the Treasury Department, USAID, and the Office of Personnel Management. They obtained sensitive data, including trillions in federal payments, classified information, and personal data of millions of federal employees. This wasn't a sophisticated external hack, but an internal breach, unprecedented in its audacity and impact. While some access has been blocked, copied data and potential vulnerabilities remain. The situation poses a grave national security threat, demanding immediate action to restore system integrity and security protocols before irreversible damage occurs.

Read more
(www.schneier.com)
Tech

Massive Supply Chain Attack: Malware Delivered via Abandoned Amazon S3 Buckets

2025-02-12

Researchers registered roughly 150 abandoned Amazon S3 buckets for around $400, finding they contained software libraries still in use. These buckets received eight million requests in two months, highlighting a massive vulnerability. An attacker could easily inject malware into these libraries, spreading it widely through software updates – a SolarWinds-style attack on a much larger scale. The abandonment of these buckets leaves developers unable to automatically patch vulnerabilities, giving attackers control over updates and hindering vendor identification of affected software. This underscores the critical flaws in software supply chain security; fixing it will be both difficult and expensive.

Read more
(www.schneier.com)
Tech software supply chain S3 security

AI Mistakes: Unlike Human Errors, Harder to Predict

2025-01-23

Unlike human errors, Large Language Model (LLM) mistakes are random, unclustered, and made with high confidence. This article explores the unique characteristics of LLM errors and proposes two strategies: engineering more human-like LLMs and building new error-correction systems. Current research focuses on techniques like reinforcement learning with human feedback and methods like repeated questioning to improve AI reliability. While some quirks of LLMs mirror human behavior, their frequency and severity far exceed human error rates, demanding cautious use of AI decision-making systems and confining their application to suitable domains.

Read more
(www.schneier.com)
AI AI errors