The next three in this series on online events highlighting interesting uses of
AI in cybersecurity are online: #4, #5, and #6. Well worth watching.
Scouting America (formerly known as Boy Scouts) has a new badge in
cybersecurity. There’s an image in the article; it looks good.
I want one.
This academic year, I am taking a sabbatical from the Kennedy School and Harvard
University. (It’s not a real sabbatical—I’m just an adjunct—but it’s the same
idea.) I will be spending the Fall 2025 and Spring 2026 semesters at the Munk
School at the University of Toronto.
I will be organizing a reading group on AI security in the fall. I will be
teaching my cybersecurity policy class in the Spring. I will be working with
Citizen Lab, the Law School, and the Schwartz Reisman Institute. And I will be
enjoying all the multicultural offerings of Toronto...
There is a really great series of online events highlighting cool uses of AI in
cybersecurity, titled Prompt||GTFO. Videos from the first three events are
online. And here’s where to register to attend, or participate, in the fourth.
Some really great stuff here.
Reuters is reporting that the White House has banned WhatsApp on all employee
devices:
> The notice said the “Office of Cybersecurity has deemed WhatsApp a high risk
> to users due to the lack of transparency in how it protects user data, absence
> of stored data encryption, and potential security risks involved with its
> use.”
TechCrunch has more commentary, but no more information.
Google has extended its Advanced Protection features to Android devices. It’s
not for everybody, but something to be considered by high-risk users.
Wired article, behind a paywall.
Android phones will soon reboot themselves after sitting idle for three days.
iPhones have had this feature for a while; it’s nice to see Google add it to
their phones.
Mitre’s CVE program—which provides common naming and other informational
resources about cybersecurity vulnerabilities—was about to be cancelled, as the
US Department of Homeland Security failed to renew the contract. It was funded
for eleven more months at the last minute.
This is a big deal. The CVE program is one of those pieces of common
infrastructure that everyone benefits from. Losing it will bring us back to a
world where there’s no single way to talk about vulnerabilities. It’s kind of
crazy to think that the US government might damage its own security in this
way—but I suppose no crazier than any of the other ways the US is working
against its own interests right now...
At a Congressional hearing earlier this week, Matt Blaze made the point that
CALEA, the 1994 law that forces telecoms to make phone calls wiretappable, is
outdated in today’s threat environment and should be rethought:
> In other words, while the legally-mandated CALEA capability requirements have
> changed little over the last three decades, the infrastructure that must
> implement and protect it has changed radically. This has greatly expanded the
> “attack surface” that must be defended to prevent unauthorized wiretaps,
> especially at scale. The job of the illegal eavesdropper has gotten
> significantly easier, with many more options and opportunities for them to
> exploit. Compromising our telecommunications infrastructure is now little
> different from performing any other kind of computer intrusion or data breach,
> a well-known and endemic cybersecurity problem. To put it bluntly, something
> like Salt Typhoon was inevitable, and will likely happen again unless
> significant changes are made...
John Kelsey and I wrote a short paper for the Rossfest Festschrift: “Rational
Astrologies and Security”:
> There is another non-security way that designers can spend their security
> budget: on making their own lives easier. Many of these fall into the category
> of what has been called rational astrology. First identified by Randy Steve
> Waldman [Wal12], the term refers to something people treat as though it works,
> generally for social or institutional reasons, even when there’s little
> evidence that it works—and sometimes despite substantial evidence that it
> does not...