惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
W
WeLiveSecurity
O
OpenAI News
N
News and Events Feed by Topic
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Webroot Blog
Webroot Blog
Google Online Security Blog
Google Online Security Blog
云风的 BLOG
云风的 BLOG
N
News | PayPal Newsroom
H
Hacker News: Front Page
博客园_首页
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
The Last Watchdog
The Last Watchdog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
H
Heimdal Security Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
S
Schneier on Security
宝玉的分享
宝玉的分享
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Y
Y Combinator Blog
Cyberwarzone
Cyberwarzone
Microsoft Security Blog
Microsoft Security Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
GbyAI
GbyAI
Cloudbric
Cloudbric
TaoSecurity Blog
TaoSecurity Blog
人人都是产品经理
人人都是产品经理
P
Palo Alto Networks Blog
M
MIT News - Artificial intelligence
G
GRAHAM CLULEY
C
Check Point Blog
Apple Machine Learning Research
Apple Machine Learning Research
Last Week in AI
Last Week in AI
T
Troy Hunt's Blog
L
Lohrmann on Cybersecurity
www.infosecurity-magazine.com
www.infosecurity-magazine.com
P
Proofpoint News Feed
Blog — PlanetScale
Blog — PlanetScale
量子位
博客园 - 聂微东
S
Securelist
博客园 - 三生石上(FineUI控件)
F
Full Disclosure
G
Google Developers Blog
L
LINUX DO - 热门话题
P
Proofpoint News Feed
AI
AI
PCI Perspectives
PCI Perspectives

Schneier on Security

Protecting Privacy in an AI Era - Schneier on Security A Video Screen That Is Also a Camera - Schneier on Security Upcoming Speaking Engagements - Schneier on Security Vulnerability in FIFA's Network - Schneier on Security AI Data Centers and the Concentration of Wealth - Schneier on Security Friday Squid Blogging: "Squidbleed" Vulnerability - Schneier on Security AI Surveillance and Social Progress - Schneier on Security The Language of AI Could Change How Humans Speak - Schneier on Security Cybersecurity and the Gap Between Skill and Ability - Schneier on Security Google Is Suing Chinese Scammers Who Are Using Gemini - Schneier on Security France to Stop Certifying Non-Quantum-Safe Encryption - Schneier on Security Flock Cameras Can Surveil Cars Without License Plates - Schneier on Security Cybersecurity Mission Creep in the US - Schneier on Security Papa Johns Surveillance-Based Advertising - Schneier on Security The Realities of AI Video Surveillance - Schneier on Security Factoring RSA Keys with Many Zeros - Schneier on Security Robot Police Officers - Schneier on Security The Chinese Control the Majority of Argentina's Squid Fleet - Schneier on Security Meta Is Testing Facial Recognition for Police and Military - Schneier on Security One Million Passports Leaked Online - Schneier on Security AI and Liability - Schneier on Security Interesting Paper Exploring Prompt Injection - Schneier on Security Embedding Forbidden Text in Spyware to Discourage AI Analysis - Schneier on Security Anthropic's Fable 5 Model Jailbroken Within Days - Schneier on Security Professional Athletes and Wearables - Schneier on Security Friday Squid Blogging: Victims of Unregulated Squid Fishing - Schneier on Security Anthropic's Fable and the State of AI - Schneier on Security Embedding Forbidden Text in Spyware to Discourage AI Analysis - Schneier on Security AI Use by the US Government - Schneier on Security Flock Cameras Are Being Used for Stalking - Schneier on Security The FCC Wants to Eliminate Burner Phones - Schneier on Security Upcoming Speaking Engagements - Schneier on Security Friday Squid Blogging: Squid-Inspired Fluid Pump Bernie Sanders’ AI Sovereign Wealth Fund Plan Enhanced License Plate Tracking NSO Group Hacking WhatsApp Despite Court Order GPS As a Key Distribution Platform - Schneier on Security Critical Zcash Vulnerability Found and Fixed Anthropic’s Project Glasswing Update AI Worm - Schneier on Security Hacking Meta's AI Chatbot - Schneier on Security AI Used to Decrypt Medieval Ciphers The Intersection of Encryption and AI Microsoft Threatening Security Researcher Vulnerability Disclosure in the Age of AI Friday Squid Blogging: Another Squid Chilling Effects FBI’s 2025 Internet Crime Report Identifying People Using Wi-Fi Routers Friday Squid Blogging: Regulating Squid Fishing in the South Pacific CISA Security Leak macOS Kernel Memory Corruption Exploit On AI Security Laurie Anderson Is Quoting Me Zero-Day Exploit Against Windows BitLocker Friday Squid Blogging: Bigfin Squid OpenAI’s GPT-5.5 is as Good as Mythos at Finding Security Vulnerabilities Copy.Fail Linux Vulnerability LLMs and Text-in-Text Steganography Friday Squid Blogging: Giant Squid Live in the Waters of Western Australia Insider Betting on Polymarket Smart Glasses for the Authorities Rowhammer Attack Against NVIDIA Chips DarkSword Malware Hacking Polymarket A Ransomware Negotiator Was Working for a Ransomware Gang Fast16 Malware Claude Mythos Has Found 271 Zero-Days in Firefox What Anthropic’s Mythos Means for the Future of Cybersecurity Medieval Encrypted Letter Decoded Friday Squid Blogging: How Squid Survived Extinction Events Hiding Bluetooth Trackers in Mail FBI Extracts Deleted Signal Messages from iPhone Notification Database ICE Uses Graphite Spyware - Schneier on Security Mexican Surveillance Company - Schneier on Security Is “Satoshi Nakamoto” Really Adam Back? Friday Squid Blogging: New Giant Squid Video Mythos and Cybersecurity Human Trust of AI Agents Defense in Depth, Medieval Style
Bypassing On-Camera Age-Verification Checks
Bruce Schneier · 2026-05-15 · via Schneier on Security

Comments

K.S May 15, 2026 8:49 AM

The primary purpose of these checks is not age verification; they are intended to de-anonymize critics and enable governments to deny access to online platforms with a convenient pretext. Canada attempted de-banking protesters, but that was eventually ruled illegal. As such, complete failure to keep minors out of adult space is not at all surprising, as this is not the ultimate goal.

Clive Robinson May 15, 2026 11:15 AM

@ ALL,

This is not the “first step”…

It requires Client Side Scanning that will be AI augmented and a way to make Zero Knowledge Proofs better.

Last summer this paper was posted,

https://eprint.iacr.org/2025/1296

Gödel in Cryptography: Effectively Zero-Knowledge Proofs for NP with No Interaction, No Setup, and Perfect Soundness

Rahul Ilango, Massachusetts Institute of Technology.

A zero-knowledge proof demonstrates that a fact (like that a Sudoku puzzle has a solution) is true while, counterintuitively, revealing nothing else (like what the solution actually is). This remarkable guarantee is extremely useful in cryptographic applications, but it comes at a cost. A classical impossibility result by Goldreich and Oren [J. Cryptol. ’94] shows that zero-knowledge proofs must necessarily sacrifice basic properties of traditional mathematical proofs — namely perfect soundness (that no proof of a false statement exists) and non-interactivity (that a proof can be transmitted in a single message).

Contrary to this impossibility, we show that zero-knowledge with perfect soundness and no interaction is effectively possible. We do so by defining and constructing a powerful new relaxation of zero-knowledge. Intuitively, while the classical zero-knowledge definition requires that an object called a simulator actually exists, our new definition only requires that one cannot rule out that a simulator exists (in a particular logical sense). Using this, we show that **every falsifiable security property of (classical) zero-knowledge can be achieved with no interaction, no setup, and perfect soundness.** This enables us to remove interaction and setup from (classical) zero-knowledge in essentially all of its applications in the literature, at the relatively mild cost that such applications now have security that is “game-based” instead of “simulation-based.”“

Note what the title and abstract say with regards,

1, No Interaction
2, No Setup
3, Perfect Soundness

Three of the basic four[1] failings of current Zero Knowledge Proofs (it implicitly removes the fourth as well).

This has all sorts of benefits for those in an authoritative position with regards the likes of “age proof” etc.

I was wondering why what was published a year ago was suddenly getting interest in less technical and more mainstream reporting,

https://www.schneier.com/blog/archives/2026/05/friday-squid-blogging-giant-squid-live-in-the-waters-of-western-australia.html/#comment-454439

[1] The fourth failing often gets missed when talking about current Zero Knowledge Proofs which is the generation of randomness by the querying system. If the queries made are not random but predictable it opens up a number of security issues in current Zero Knowledge Proofs.

can you imagine what it's like??? May 15, 2026 11:46 AM

@ white goose,

“Someone you work with will get it first. And you’ll hold out for a while, the way you did with the smartphone. But eventually, you won’t,” said Phoenix, dressed in all black with a tiny mic attached to his ear. “The advantages of integration will be hard to compete with.”

The masses will adopt it as they creep it in through soap operas, popular geek shows, and more.

sweet tasty brain drippings May 15, 2026 11:54 AM

Hacking Hard Drive Firmware

https://hackaday.com/2026/05/15/hacking-hard-drive-firmware/

You probably flash new firmware on a variety of devices regularly, even though that’s rare for non-technical types. But what about your hard drive firmware? Most of us don’t want to touch our operating drives, so unless you are dealing with surplus drives or have a special project in mind, you may not think much about the firmware running your spinning rust storage. [I Code 4 Coffee] uses hard drives in an unusual way to exploit Xbox 360s, and wound up reverse engineering some drive firmware with an eye to making changes.

The analysis started with three hard drives and an SSD. Looking for people who’ve done similar work wasn’t as productive as you might think. There isn’t much call for modifying hard drive firmware, and what data there is can be outdated.

One thing that was available was firmware dumps taken with a PC-3000 data recovery tool. What follows is a deep dive down the hard drive rabbit hole. There are backdoor vendor commands and connections to the diagnostic RS-232 port on some drives. You can find the technical artifacts on GitHub.

We learned a few things, and we bet you will too. Another way to get into the hard drive’s firmware is via JTAG.

lurker May 15, 2026 3:00 PM

@sweet tasty

Peter Norton knew a lot about hard drive drivers for Macintosh, until Symantic bought him out with an NDA and dumped his product.

Nitram May 15, 2026 4:04 PM

@lurker

…until Symantic bought him out with an NDA and dumped his product.

They sure did! IMO, Symantec corresponds to “how to destroy fantastic software”.

Clive Robinson May 15, 2026 4:44 PM

@ sweet tasty, lurker,

With regards “spining rust” the microcontrollers can be quite problematic.

Some time ago I had reason to get “down and dirty” with an IDE hard drive and I was actually quite shocked by what I found…

Lets just say the total compute power was probably more than the motherboard CPU.

I discouvered that the microcontroller chip had three ARM CPU’s with a big chunk of shared memory.

The code written into it you could get access to via the J-Tag but it was somewhat difficult to get your head around. As in some respects it appeared it had been deliberately written to use “race conditions” as a part of it’s functioning.

Eventually I found that there were calls that were “high level function” for assembler code, but effectively low level for the motherboard OS Drivers.

Whilst I tracked things down on the hardware I had, the same model number drive but with a different manufacturing date had the equivalent of “start from scratch” new assembler and interface routines. The only thing that remained more or less the same was the “IDE interface standard” high level hooks. All the “factory level stuff” had changed in some way.

So my advice,

“Get a long pole with a sharp point at one end and ‘poke it with care'”.

Otherwise the ride could be more than wild…

Jon May 15, 2026 10:54 PM

@ Clive Robinson

There’s a legend about an engineer who discovered that by far the fastest CPU for running his simulations was the controlling processor for the office laser printer. So he wrote up a quick script to offload the processing there – only to be later informed that while his simulations were running, nobody in the office could print!

After some application priorities were re-ordered, all was well: Just an example of how much processing power there can be in otherwise innocuous accessories.

J.

Rontea May 16, 2026 9:54 AM

As with all security measures, the question isn’t whether you can make it difficult for honest users — it’s whether the system can withstand the creativity of attackers. Right now, the attackers are 12 years old with a makeup pencil, and they’re winning.

ResistDigital_ID_Save_Open_Source May 18, 2026 1:10 PM

Great work on bypassing illegitimate deanonymisation checks (popularly marketed as age verification)… well done to those who discovered it, careers in security research lie ahead of them and hopefully they’ll never be tempted to work for the “dark side” and use their skills for evil (for example taking 30 pieces of silver to cruel-ly patch this wonderful security hole they heroically exploited). … Now has anyone got an idea for a method (hopefully one which can never be patched against) to bypass the “hardware attestation” recapthca which Google is now working on, for which the only allowed (hence the need for a bypass) way to pass it is to own an Android or Apple Big-tech own-nothing-be-happy-serfdom phone? Like how can we cheat the new captcha when using nothing but a Linux desktop (emulated androids or apple lviing inside a VM would be acceptable solutions if they can convincingly fake what real androids and apples would do) or a GrapheneOS phone (preferable solutions would use either or, Linux PC or GrapheneOS phone, not both).

(Somehow the link to the GrapheneOS discussion about this stopepd my comment appearing)

ResearcherZero May 19, 2026 12:59 AM

You can format the partition in SPI for Intel ME amd AMD PSP to remove these on many motherboards. Intel ME amd AMD PSP run at Ring -3 below the operating system and for remote access will run network traffic using the same IP as host, bypassing all of the systems security. The default credentials for Intel ME amd AMD PSP are pretty rubbish too.

To do this it does require the right connectors and cables, plus a little know how, but it did work with many older boards. The only bug was some systems needed a reboot (warm boot) after power-on (cold boot) to load.

https://hardenedlinux.github.io/firmware/2016/11/17/neutralize_ME_firmware_on_sandybridge_and_ivybridge.html

Atom Feed Subscribe to comments on this entry

Sidebar photo of Bruce Schneier by Joe MacInnis.