Bypassing On-Camera Age-Verification Checks
Some AI-based video age-verification checks can be fooled with a fake mustache.
Clive Robinson • May 15, 2026 11:15 AM
@ ALL,
This is not the “first step”…
It requires Client Side Scanning that will be AI augmented and a way to make Zero Knowledge Proofs better.
Last summer this paper was posted,
https://eprint.iacr.org/2025/1296
Gödel in Cryptography: Effectively Zero-Knowledge Proofs for NP with No Interaction, No Setup, and Perfect Soundness
Rahul Ilango, Massachusetts Institute of Technology.
“A zero-knowledge proof demonstrates that a fact (like that a Sudoku puzzle has a solution) is true while, counterintuitively, revealing nothing else (like what the solution actually is). This remarkable guarantee is extremely useful in cryptographic applications, but it comes at a cost. A classical impossibility result by Goldreich and Oren [J. Cryptol. ’94] shows that zero-knowledge proofs must necessarily sacrifice basic properties of traditional mathematical proofs — namely perfect soundness (that no proof of a false statement exists) and non-interactivity (that a proof can be transmitted in a single message).
Contrary to this impossibility, we show that zero-knowledge with perfect soundness and no interaction is effectively possible. We do so by defining and constructing a powerful new relaxation of zero-knowledge. Intuitively, while the classical zero-knowledge definition requires that an object called a simulator actually exists, our new definition only requires that one cannot rule out that a simulator exists (in a particular logical sense). Using this, we show that **every falsifiable security property of (classical) zero-knowledge can be achieved with no interaction, no setup, and perfect soundness.** This enables us to remove interaction and setup from (classical) zero-knowledge in essentially all of its applications in the literature, at the relatively mild cost that such applications now have security that is “game-based” instead of “simulation-based.””
Note what the title and abstract say with regards,
1, No Interaction
2, No Setup
3, Perfect Soundness
Three of the basic four[1] failings of current Zero Knowledge Proofs (it implicitly removes the fourth as well).
This has all sorts of benefits for those in an authoritative position with regards the likes of “age proof” etc.
I was wondering why what was published a year ago was suddenly getting interest in less technical and more mainstream reporting,
[1] The fourth failing often gets missed when talking about current Zero Knowledge Proofs which is the generation of randomness by the querying system. If the queries made are not random but predictable it opens up a number of security issues in current Zero Knowledge Proofs.
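As an added illustration of footnote [1] (not part of the comment above or of the cited paper): in a Schnorr-style interactive proof of knowledge, chosen here as a stand-in for an interactive zero-knowledge proof, a verifier whose challenges are predictable accepts a prover who does not know the secret, while a verifier drawing challenges from a CSPRNG does not. The toy group parameters, the function names and the counter-based verifier are all constructed for this example.

```python
import secrets

# Toy Schnorr group, constructed for illustration (far too small for real use).
P, Q, G = 2039, 1019, 4        # P = 2Q + 1; G generates the subgroup of order Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret in 1..Q-1
    return x, pow(G, x, P)                    # (secret x, public y = g^x)

def verify(y, t, c, s):
    """Verifier's check on a transcript (t, c, s): g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def counter_challenges():
    """Weak verifier: the challenge is a counter, so the next one is predictable."""
    n = 0
    while True:
        n += 1
        yield n % Q

def csprng_challenges():
    """Corrected verifier: every challenge is drawn fresh from a CSPRNG."""
    while True:
        yield secrets.randbelow(Q)

def honest_rounds(x, y, challenges, trials=200):
    """Prover who knows x: commit t = g^r, receive c, answer s = r + c*x."""
    ok = 0
    for _ in range(trials):
        r = secrets.randbelow(Q)
        t = pow(G, r, P)
        c = next(challenges)
        ok += verify(y, t, c, (r + c * x) % Q)
    return ok

def rounds_without_secret(y, challenges, trials=200):
    """Prover who knows only y: predicts the next challenge as last + 1,
    fixes the response s first and back-computes a matching commitment t."""
    ok, last = 0, 0
    for _ in range(trials):
        guess = (last + 1) % Q
        s = secrets.randbelow(Q)
        t = (pow(G, s, P) * pow(y, -guess, P)) % P   # t = g^s * y^(-guess)
        c = next(challenges)                 # real challenge, after t is sent
        ok += verify(y, t, c, s)
        last = c
    return ok

if __name__ == "__main__":
    x, y = keygen()
    print("honest prover, CSPRNG verifier :", honest_rounds(x, y, csprng_challenges()))
    print("no secret, counter verifier    :", rounds_without_secret(y, counter_challenges()))
    print("no secret, CSPRNG verifier     :", rounds_without_secret(y, csprng_challenges()))
```

With unpredictable challenges the prover without the secret passes a round only when its guess happens to match, about once in Q tries, which is why the challenge space in a real deployment is made very large.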
green goose • May 15, 2026 11:16 AM
can’t you simply use this site?
https://thispersondoesnotexist.com/
that should fool them
can you imagine what it's like??? • May 15, 2026 11:46 AM
@ white goose,
“Someone you work with will get it first. And you’ll hold out for a while, the way you did with the smartphone. But eventually, you won’t,” said Phoenix, dressed in all black with a tiny mic attached to his ear. “The advantages of integration will be hard to compete with.”
The masses will adopt it as they creep it in through soap operas, popular geek shows, and more.
sweet tasty brain drippings • May 15, 2026 11:54 AM
Hacking Hard Drive Firmware
https://hackaday.com/2026/05/15/hacking-hard-drive-firmware/
You probably flash new firmware on a variety of devices regularly, even though that’s rare for non-technical types. But what about your hard drive firmware? Most of us don’t want to touch our operating drives, so unless you are dealing with surplus drives or have a special project in mind, you may not think much about the firmware running your spinning rust storage. [I Code 4 Coffee] uses hard drives in an unusual way to exploit Xbox 360s, and wound up reverse engineering some drive firmware with an eye to making changes.
The analysis started with three hard drives and an SSD. Looking for people who’ve done similar work wasn’t as productive as you might think. There isn’t much call for modifying hard drive firmware, and what data there is can be outdated.
One thing that was available was firmware dumps taken with a PC-3000 data recovery tool. What follows is a deep dive down the hard drive rabbit hole. There are backdoor vendor commands and connections to the diagnostic RS-232 port on some drives. You can find the technical artifacts on GitHub.
We learned a few things, and we bet you will too. Another way to get into the hard drive’s firmware is via JTAG.
lurker • May 15, 2026 3:00 PM
@sweet tasty
Peter Norton knew a lot about hard drive drivers for Macintosh, until Symantec bought him out with an NDA and dumped his product.
Nitram • May 15, 2026 4:04 PM
@lurker
…until Symantec bought him out with an NDA and dumped his product.
They sure did! IMO, Symantec corresponds to “how to destroy fantastic software”.
Clive Robinson • May 15, 2026 4:44 PM
@ sweet tasty, lurker,
With regards “spinning rust” the microcontrollers can be quite problematic.
Some time ago I had reason to get “down and dirty” with an IDE hard drive and I was actually quite shocked by what I found…
Let’s just say the total compute power was probably more than the motherboard CPU.
I discovered that the microcontroller chip had three ARM CPUs with a big chunk of shared memory.
The code written into it you could get access to via the JTAG but it was somewhat difficult to get your head around. As in some respects it appeared it had been deliberately written to use “race conditions” as a part of its functioning.
Eventually I found that there were calls that were “high level function” for assembler code, but effectively low level for the motherboard OS Drivers.
Whilst I tracked things down on the hardware I had, the same model number drive but with a different manufacturing date had the equivalent of “start from scratch” new assembler and interface routines. The only thing that remained more or less the same was the “IDE interface standard” high level hooks. All the “factory level stuff” had changed in some way.
So my advice,
“Get a long pole with a sharp point at one end and ‘poke it with care’”.
Otherwise the ride could be more than wild…
Jon • May 15, 2026 10:54 PM
@ Clive Robinson
There’s a legend about an engineer who discovered that by far the fastest CPU for running his simulations was the controlling processor for the office laser printer. So he wrote up a quick script to offload the processing there – only to be later informed that while his simulations were running, nobody in the office could print!
After some application priorities were re-ordered, all was well: Just an example of how much processing power there can be in otherwise innocuous accessories.
J.
Rontea • May 16, 2026 9:54 AM
As with all security measures, the question isn’t whether you can make it difficult for honest users — it’s whether the system can withstand the creativity of attackers. Right now, the attackers are 12 years old with a makeup pencil, and they’re winning.
ResistDigital_ID_Save_Open_Source • May 18, 2026 1:10 PM
Great work on bypassing illegitimate deanonymisation checks (popularly marketed as age verification)… well done to those who discovered it, careers in security research lie ahead of them and hopefully they’ll never be tempted to work for the “dark side” and use their skills for evil (for example taking 30 pieces of silver to cruelly patch this wonderful security hole they heroically exploited). … Now has anyone got an idea for a method (hopefully one which can never be patched against) to bypass the “hardware attestation” reCAPTCHA which Google is now working on, for which the only allowed (hence the need for a bypass) way to pass it is to own an Android or Apple Big-tech own-nothing-be-happy-serfdom phone? Like how can we cheat the new captcha when using nothing but a Linux desktop (emulated androids or apple living inside a VM would be acceptable solutions if they can convincingly fake what real androids and apples would do) or a GrapheneOS phone (preferable solutions would use either or, Linux PC or GrapheneOS phone, not both).
(Somehow the link to the GrapheneOS discussion about this stopped my comment appearing)
ResearcherZero • May 19, 2026 12:59 AM
You can format the partition in SPI for Intel ME and AMD PSP to remove these on many motherboards. Intel ME and AMD PSP run at Ring -3 below the operating system and for remote access will run network traffic using the same IP as host, bypassing all of the system’s security. The default credentials for Intel ME and AMD PSP are pretty rubbish too.
To do this it does require the right connectors and cables, plus a little know-how, but it did work with many older boards. The only bug was some systems needed a reboot (warm boot) after power-on (cold boot) to load.
K.S • May 15, 2026 8:49 AM
The primary purpose of these checks is not age verification; they are intended to de-anonymize critics and enable governments to deny access to online platforms with a convenient pretext. Canada attempted de-banking protesters, but that was eventually ruled illegal. As such, complete failure to keep minors out of adult space is not at all surprising, as this is not the ultimate goal.