New Policy

Oct. 11th, 2025 11:26 am
james_davis_nicoll: (Default)
[personal profile] james_davis_nicoll
Asking politely has failed for 20 years. Therefore, comments with naked urls will be deleted, as they break Recent Comments. To post links, follow the advice below.

james_davis_nicoll: (Default)
[personal profile] james_davis_nicoll


13 works new to me. Four fantasy, two horror, one non-fiction, one thriller, and five SF, of which at least three are series.

Books Received, October 4 to October 10


Poll #33712 Books Received, October 4 to October 10
Open to: Registered Users, detailed results viewable to: All, participants: 34


Which of these look interesting?


The Seed of Destruction by Rick Campbell (July 2026)
0 (0.0%)

Uncivil Guard by Foster Chamberlin (November 2025)
6 (17.6%)

Crawlspace by Adam Christopher (March 2026)
4 (11.8%)

The Girl With a Thousand Faces by Sunyi Dean (May 2026)
11 (32.4%)

Your Behavior Will Be Monitored by Justin Feinstein (April 2026)
4 (11.8%)

Blood Bound by Ellis Hunter (April 2026)
0 (0.0%)

Sublimation by Isabel J. Kim (June 2026)
11 (32.4%)

Wolf Worm by T. Kingfisher (March 2026)
17 (50.0%)

Year’s Best Canadian Fantasy and Science Fiction: Volume Three edited by Stephen Kotowych (October 2025)
12 (35.3%)

Rabbit Test and Other Stories by Samantha Mills (April 2026)
11 (32.4%)

The Body by Bethany C. Morrow (February 2026)
3 (8.8%)

I’ll Watch Your Baby by Neena Viel (May 2026)
4 (11.8%)

Nowhere Burning by Catriona Ward (July 2026)
6 (17.6%)

Some other option
0 (0.0%)

Cats!
24 (70.6%)

Bonus Baseball

Oct. 10th, 2025 11:52 pm
billroper: (Default)
[personal profile] billroper
I turned on the Tigers / Mariners game in the fifth inning, figuring it was about halfway through.

The game is now going to the 15th inning. Wow!
[syndicated profile] bruce_schneier_feed

Posted by Bruce Schneier

AI agents are now hacking computers. They’re getting better at all phases of cyberattacks, faster than most of us expected. They can chain together different aspects of a cyber operation, and hack autonomously, at computer speeds and scale. This is going to change everything.

Over the summer, hackers proved the concept, industry institutionalized it, and criminals operationalized it. In June, AI company XBOW took the top spot on HackerOne’s US leaderboard after submitting over 1,000 new vulnerabilities in just a few months. In August, the seven teams competing in DARPA’s AI Cyber Challenge collectively found 54 new vulnerabilities in a target system, in four hours (of compute). Also in August, Google announced that its Big Sleep AI found dozens of new vulnerabilities in open-source projects.

It gets worse. In July Ukraine’s CERT discovered a piece of Russian malware that used an LLM to automate the cyberattack process, generating both system reconnaissance and data theft commands in real-time. In August, Anthropic reported that they disrupted a threat actor that used Claude, Anthropic’s AI model, to automate the entire cyberattack process. It was an impressive use of the AI, which performed network reconnaissance, penetrated networks, and harvested victims’ credentials. The AI was able to figure out which data to steal, how much money to extort out of the victims, and how to best write extortion emails.

Another hacker used Claude to create and market his own ransomware, complete with “advanced evasion capabilities, encryption, and anti-recovery mechanisms.” And in September, Checkpoint reported on hackers using HexStrike-AI to create autonomous agents that can scan, exploit, and persist inside target networks. Also in September, a research team showed how they can quickly and easily reproduce hundreds of vulnerabilities from public information. These tools are increasingly free for anyone to use. Villager, a recently released AI pentesting tool from Chinese company Cyberspike, uses the Deepseek model to completely automate attack chains.

This is all well beyond AI’s capabilities in 2016, at DARPA’s Cyber Grand Challenge. The annual Chinese AI hacking challenge, Robot Hacking Games, might be on this level, but little is known outside of China.

Tipping point on the horizon

AI agents now rival and sometimes surpass even elite human hackers in sophistication. They automate operations at machine speed and global scale. The scope of their capabilities allows these AI agents to completely automate a criminal’s command to maximize profit, or structure advanced attacks to a government’s precise specifications, such as to avoid detection.

In this future, attack capabilities could accelerate beyond our individual and collective capability to handle. We have long taken it for granted that we have time to patch systems after vulnerabilities become known, or that withholding vulnerability details prevents attackers from exploiting them. This is no longer the case.

The cyberattack/cyberdefense balance has long skewed towards the attackers; these developments threaten to tip the scales completely. We’re potentially looking at a singularity event for cyber attackers. Key parts of the attack chain are becoming automated and integrated: persistence, obfuscation, command-and-control, and endpoint evasion. Vulnerability research could potentially be carried out during operations instead of months in advance.

The most skilled will likely retain an edge for now. But AI agents don’t have to be better at a human task in order to be useful. They just have to excel in one of four dimensions: speed, scale, scope, or sophistication. But there is every indication that they will eventually excel at all four. By reducing the skill, cost, and time required to find and exploit flaws, AI can turn rare expertise into commodity capabilities and give average criminals an outsized advantage.

The AI-assisted evolution of cyberdefense

AI technologies can benefit defenders as well. We don’t know how the different technologies of cyber-offense and cyber-defense will be amenable to AI enhancement, but we can extrapolate a possible series of overlapping developments.

Phase One: The Transformation of the Vulnerability Researcher. AI-based hacking benefits defenders as well as attackers. In this scenario, AI empowers defenders to do more. It simplifies capabilities, providing far more people the ability to perform previously complex tasks, and empowers researchers previously busy with these tasks to accelerate or move beyond them, freeing time to work on problems that require human creativity. History suggests a pattern. Reverse engineering was a laborious manual process until tools such as IDA Pro made the capability available to many. AI vulnerability discovery could follow a similar trajectory, evolving through scriptable interfaces, automated workflows, and automated research before reaching broad accessibility.

Phase Two: The Emergence of VulnOps. Between research breakthroughs and enterprise adoption, a new discipline might emerge: VulnOps. Large research teams are already building operational pipelines around their tooling. Their evolution could mirror how DevOps professionalized software delivery. In this scenario, specialized research tools become developer products. These products may emerge as a SaaS platform, or some internal operational framework, or something entirely different. Think of it as AI-assisted vulnerability research available to everyone, at scale, repeatable, and integrated into enterprise operations.

Phase Three: The Disruption of the Enterprise Software Model. If enterprises adopt AI-powered security the way they adopted continuous integration/continuous delivery (CI/CD), several paths open up. AI vulnerability discovery could become a built-in stage in delivery pipelines. We can envision a world where AI vulnerability discovery becomes an integral part of the software development process, where vulnerabilities are automatically patched even before reaching production—a shift we might call continuous discovery/continuous repair (CD/CR). Third-party risk management (TPRM) offers a natural adoption route, lower-risk vendor testing, integration into procurement and certification gates, and a proving ground before wider rollout.

Phase Four: The Self-Healing Network. If organizations can independently discover and patch vulnerabilities in running software, they will not have to wait for vendors to issue fixes. Building in-house research teams is costly, but AI agents could perform such discovery and generate patches for many kinds of code, including third-party and vendor products. Organizations may develop independent capabilities that create and deploy third-party patches on vendor timelines, extending the current trend of independent open-source patching. This would increase security, but having customers patch software without vendor approval raises questions about patch correctness, compatibility, liability, right-to-repair, and long-term vendor relationships.

These are all speculations. Maybe AI-enhanced cyberattacks won’t evolve the ways we fear. Maybe AI-enhanced cyberdefense will give us capabilities we can’t yet anticipate. What will surprise us most might not be the paths we can see, but the ones we can’t imagine yet.

This essay was written with Heather Adkins and Gadi Evron, and originally appeared in CSO.

Cubs Win!

Oct. 9th, 2025 11:37 pm
billroper: (Default)
[personal profile] billroper
The Cubs won and have tied up the series with the Brewers. The Saturday game in Milwaukee will determine the winner.

This is better than I expected.

The Cool War by Frederik Pohl

Oct. 9th, 2025 08:50 am
james_davis_nicoll: (Default)
[personal profile] james_davis_nicoll


A hapless minister is drafted into international intrigue.

The Cool War by Frederik Pohl

Update

Oct. 9th, 2025 01:15 am
oyceter: teruterubouzu default icon (Default)
[personal profile] oyceter
Thank you to everyone for your kind thoughts, sharing experiences with international medical situations, and translation help! The hospital says CB can be discharged this weekend, yay! His facial paralysis has gotten a little worse in the past few days, though the doctors say this can happen. Right now we're trying to figure out how to get him home. Our travel insurance seemed like they might help, but now it sounds like nothing is covered, and the other private air ambulance service wants him to have a hospital bed ready back in California, but that is also proving difficult to get. From what the doctor said yesterday, he is probably okay to fly commercially but would need a medical escort, so we are figuring out how to get that arranged. Fingers crossed...

Cubs Win!

Oct. 8th, 2025 10:33 pm
billroper: (Default)
[personal profile] billroper
The Cubs beat the Brewers tonight by a final of 4-3 so they survive for another day.

They scored four in the first, chasing the Brewers' starting pitcher, Quinn Priester, who had been quite good for them, but not tonight. The offense then pretty much went to sleep for the rest of the game, leaving the pitching staff to nurse what started as a 4-1 lead to the end of the game.

Remarkably, this trick worked.

Tomorrow's game is a night game, so I am hoping that the remote parking lot is open. :)

Candy Considerations

Oct. 8th, 2025 09:11 pm
[syndicated profile] sumana_feed

Posted by Sumana Harihareswara

This past weekend in New York City, the weather's oscillated in and out of crispness, sun and breeze cordially nudging each other out of the way. Talking with a newer volunteer at the outreach table …
mrissa: (Default)
[personal profile] mrissa
 New story! What a Big Heart You Have is out in Kaleidotrope. The more I thought about the Red Riding Hood story, the more I thought that the grandmother/granddaughter relationship was pretty sketched-in...and it's been one of the most important ones in my life. Hope you enjoy.

Bundle of Holding: Mystery Flesh Pit

Oct. 8th, 2025 02:15 pm
james_davis_nicoll: (Default)
[personal profile] james_davis_nicoll


Welcome, visitor, to Mystery Flesh Pit National Park: The RPG, the Cypher System tabletop roleplaying game rulebook from Ganza Gaming about the Permian Basin Superorganism.

Bundle of Holding: Mystery Flesh Pit

Flock License Plate Surveillance

Oct. 8th, 2025 04:10 pm
[syndicated profile] bruce_schneier_feed

Posted by Bruce Schneier

The company Flock is surveilling us as we drive:

A retired veteran named Lee Schmidt wanted to know how often Norfolk, Virginia’s 176 Flock Safety automated license-plate-reader cameras were tracking him. The answer, according to a U.S. District Court lawsuit filed in September, was more than four times a day, or 526 times from mid-February to early July. No, there’s no warrant out for Schmidt’s arrest, nor is there a warrant for Schmidt’s co-plaintiff, Crystal Arrington, whom the system tagged 849 times in roughly the same period.

You might think this sounds like it violates the Fourth Amendment, which protects American citizens from unreasonable searches and seizures without probable cause. Well, so does the American Civil Liberties Union. Norfolk, Virginia Judge Jamilah LeCruise also agrees, and in 2024 she ruled that plate-reader data obtained without a search warrant couldn’t be used against a defendant in a robbery case.

Off to the Playoffs

Oct. 7th, 2025 09:51 pm
billroper: (Default)
[personal profile] billroper
After having managed to miss all three of the Wild Card games that the Cubs played at home due to work, I am (as the song says) "taking the afternoon off" tomorrow to go to game 3 of the NLDS tomorrow. The weather is going to be seasonally chilly from the look of things and I am trying to decide how much coat I need to wear.

The Cubs are currently trailing the Brewers 0-2 in the five-game series, so it will be win tomorrow or stay home. (I'd say "go home", but the Cubs *are* at home, so...)

We'll see how it goes.
james_davis_nicoll: (Default)
[personal profile] james_davis_nicoll


Union technocrats had a plan for Gehenna, a plan that failed to take into account local conditions.

Forty Thousand in Gehenna by C J Cherryh

Page generated Oct. 11th, 2025 09:50 pm