Forum: Too Lazy BBS

Who's Online

System Info

Sysop:	Amessyroom
Location:	Fayetteville, NC
Users:	24
Nodes:	6 (0 / 6)
Uptime:	09:13:55
Calls:	600
Files:	1,157
Messages:	137,705

CRYPTO-GRAM, August 15, 2025

From Bruce Schneier@schneier@schneier.com to cryptogram@toolazy.synchro.net on Fri Aug 15 13:36:15 2025

This is a multi-part message in MIME format

--_----------=_MCPart_1857184867
Content-Type: text/plain; charset="utf-8"; format="fixed" Content-Transfer-Encoding: quoted-printable

** CRYPTO-GRAM
AUGUST 15=2C 2025
------------------------------------------------------------

by Bruce Schneier
Fellow and Lecturer=2C Harvard Kennedy School
schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries=2C analyses=2C insights=2C a=
nd commentaries on security: computer and otherwise.

For back issues=2C or to subscribe=2C visit Crypto-Gram's web page [https= ://www.schneier.com/crypto-gram/].

Read this issue on the web [https://www.schneier.com/crypto-gram/archives= /2025/0815.html]

These same essays and news items appear in the Schneier on Security [http= s://www.schneier.com/] blog=2C along with a lively and intelligent comment=
section. An RSS feed is available.

** *** ***** ******* *********** *************

** IN THIS ISSUE:
------------------------------------------------------------

1. Report from the Cambridge Cybercrime Conference
2. Hacking Trains
3. Security Vulnerabilities in ICEBlock
4. New Mobile Phone Forensics Tool
5. Another Supply Chain Vulnerability
6. "Encryption Backdoors and the Fourth Amendment"
7. Google Sues the Badbox Botnet Operators
8. How the Solid Protocol Restores Digital Agency
9. Subliminal Learning in AIs
10. Microsoft SharePoint Zero-Day
11. That Time Tom Lehrer Pranked the NSA
12. Aeroflot Hacked
13. Measuring the Attack/Defense Balance
14. Cheating on Quantum Computing Benchmarks
15. Spying on People Through Airportr Luggage Delivery Service
16. First Sentencing in Scheme to Help North Koreans Infiltrate US Co= mpanies
17. Surveilling Your Children with AirTags
18. The Semiconductor Industry and Regulatory Compliance
19. China Accuses Nvidia of Putting Backdoors into Their Chips
20. Google Project Zero Changes Its Disclosure Policy
21. Automatic License Plate Readers Are Coming to Schools
22. The "Incriminating Video" Scam
23. SIGINT During World War II
24. AI Applications in Cybersecurity
25. LLM Coding Integrity Breach

** *** ***** ******* *********** *************

** REPORT FROM THE CAMBRIDGE CYBERCRIME CONFERENCE ------------------------------------------------------------

[2025.07.14] [https://www.schneier.com/blog/archives/2025/07/report-from= -the-cambridge-cybercrime-conference.html] The Cambridge Cybercrime Confer= ence [https://www.cambridgecybercrime.uk/conference2025.html] was held on=
23 June. Summaries of the presentations are here [https://www.lightbluet= ouchpaper.org/2025/06/25/cambridge-cybercrime-conference-2025-liveblog/].

** *** ***** ******* *********** *************

** HACKING TRAINS
------------------------------------------------------------

[2025.07.16] [https://www.schneier.com/blog/archives/2025/07/hacking-tra= ins.html] Seems like an old system system [https://gizmodo.com/hackers-ca= n-tamper-with-train-breaks-using-just-a-radio-feds-warn-2000629522] that p= redates any care about security:

The flaw has to do with the protocol used in a train system known as the=

End-of-Train and Head-of-Train. A Flashing Rear End Device (FRED)=2C also=
known as an End-of-Train (EOT) device=2C is attached to the back of a tra=
in and sends data via radio signals to a corresponding device in the locom= otive called the Head-of-Train (HOT). Commands can also be sent to the FRE=
D to apply the brakes at the rear of the train.

These devices were first installed in the 1980s as a replacement for cab=

oose cars=2C and unfortunately=2C they lack encryption and authentication=
protocols. Instead=2C the current system uses data packets sent between t=
he front and back of a train that include a simple BCH checksum to detect=
errors or interference. But now=2C the CISA is warning that someone using=
a software-defined radio could potentially send fake data packets and int= erfere with train operations.

** *** ***** ******* *********** *************

** SECURITY VULNERABILITIES IN ICEBLOCK ------------------------------------------------------------

[2025.07.17] [https://www.schneier.com/blog/archives/2025/07/security-vu= lnerabilities-in-iceblock.html] The ICEBlock tool has vulnerabilities [ht= tps://www.theverge.com/cyber-security/707116/iceblock-data-privacy-securit= y-android-version]:

The developer of ICEBlock=2C an iOS app for anonymously reporting sighti=

ngs of US Immigration and Customs Enforcement (ICE) officials=2C promises=
that it =E2=80=9Censures user privacy by storing no personal data.=E2=80=
=9D But that claim has come under scrutiny. ICEBlock creator Joshua Aaron=
has been accused of making false promises regarding user anonymity and pr= ivacy=2C being =E2=80=9Cmisguided=E2=80=9D about the privacy offered by iO= S=2C and of being an Apple fanboy. The issue isn=E2=80=99t what ICEBlock s= tores. It=E2=80=99s about what it could accidentally reveal through its ti=
ght integration with iOS.

** *** ***** ******* *********** *************

** NEW MOBILE PHONE FORENSICS TOOL ------------------------------------------------------------

[2025.07.18] [https://www.schneier.com/blog/archives/2025/07/new-mobile-= phone-forensics-tool.html] The Chinese have a new tool called Massistant [= https://www.lookout.com/threat-intelligence/article/massistant-chinese-mo= bile-forensics].

* Massistant is the presumed successor to Chinese forensics tool=2C=

=E2=80=9CMFSocket=E2=80=9D=2C reported in 2019 and attributed to publicly=
traded cybersecurity company=2C Meiya Pico.

* The forensics tool works in tandem with a corresponding desktop s=

oftware.

* Massistant gains access to device GPS location data=2C SMS messag=

es=2C images=2C audio=2C contacts and phone services.

* Meiya Pico maintains partnerships with domestic and international=

law enforcement partners=2C both as a surveillance hardware and software=
provider=2C as well as through training programs for law enforcement pers= onnel.

From a news article [https://techcrunch.com/2025/07/16/chinese-authoritie= s-are-using-a-new-tool-to-hack-seized-phones-and-extract-data/]:

The good news=2C per Balaam=2C is that Massistant leaves evidence of its=

compromise on the seized device=2C meaning users can potentially identify=
and delete the malware=2C either because the hacking tool appears as an a= pp=2C or can be found and deleted using more sophisticated tools such as t=
he Android Debug Bridge [https://developer.android.com/tools/adb]=2C a co= mmand line tool that lets a user connect to a device through their compute=
r.

The bad news is that at the time of installing Massistant=2C the damage=

is done=2C and authorities already have the person=E2=80=99s data.

Slashdot thread [https://yro.slashdot.org/story/25/07/16/2042245/chinese-= authorities-are-using-a-new-tool-to-hack-seized-phones-and-extract-data].

** *** ***** ******* *********** *************

** ANOTHER SUPPLY CHAIN VULNERABILITY ------------------------------------------------------------

[2025.07.21] [https://www.schneier.com/blog/archives/2025/07/another-sup= ply-chain-vulnerability.html] ProPublica is reporting [https://www.propub= lica.org/article/microsoft-digital-escorts-pentagon-defense-department-chi= na-hackers]:

Microsoft is using engineers in China to help maintain the Defense Depar=

tment=E2=80=99s computer systems -- with minimal supervision by U.S. perso= nnel -- leaving some of the nation=E2=80=99s most sensitive data vulnerabl=
e to hacking from its leading cyber adversary=2C a ProPublica investigatio=
n has found.

The arrangement=2C which was critical to Microsoft winning the federal g=

overnment=E2=80=99s cloud computing business a decade ago=2C relies on U.S=
=2E citizens with security clearances to oversee the work and serve as a bar= rier against espionage and sabotage.

But these workers=2C known as =E2=80=9Cdigital escorts=2C=E2=80=9D often=

lack the technical expertise to police foreign engineers with far more ad= vanced skills=2C ProPublica found. Some are former military personnel with=
little coding experience who are paid barely more than minimum wage for t=
he work.

This sounds bad=2C but it=E2=80=99s the way the digital world works. Every= thing we do is international=2C deeply international. Making anything US-o=
nly is hard=2C and often infeasible.

EDITED TO ADD: Microsoft has stopped [https://www.reuters.com/world/us/mi= crosoft-stop-using-engineers-china-tech-support-us-military-hegseth-orders= -2025-07-18/] the practice.

** *** ***** ******* *********** *************

** "ENCRYPTION BACKDOORS AND THE FOURTH AMENDMENT" ------------------------------------------------------------

[2025.07.22] [https://www.schneier.com/blog/archives/2025/07/encryption-= backdoors-and-the-fourth-amendment.html] Law journal article [https://sch= olarship.law.marquette.edu/mulr/vol108/iss2/5/] that looks at the Dual_EC_= PRNG backdoor [https://www.schneier.com/blog/archives/2007/11/the_strange= _sto.html] from a US constitutional perspective:

Abstract: The National Security Agency (NSA) reportedly paid and pressur=

ed technology companies to trick their customers into using vulnerable enc= ryption products. This Article examines whether any of three theories remo=
ved the Fourth Amendment=E2=80=99s requirement that this be reasonable. Th=
e first is that a challenge to the encryption backdoor might fail for want=
of a search or seizure. The Article rejects this both because the Amendme=
nt reaches some vulnerabilities apart from the searches and seizures they=
enable and because the creation of this vulnerability was itself a search=
or seizure. The second is that the role of the technology companies might=
have brought this backdoor within the private-search doctrine. The Articl=
e criticizes the doctrine particularly its origins in Burdeau v. McDowella=
nd argues that if it ever should apply=2C it should not here. The last is=
that the customers might have waived their Fourth Amendment rights under=
the third-party doctrine. The Article rejects this both because the custo= mers were not on notice of the backdoor and because historical understandi=
ngs of the Amendment would not have tolerated it. The Article concludes th=
at none of these theories removed the Amendment=E2=80=99s reasonableness r= equirement.

** *** ***** ******* *********** *************

** GOOGLE SUES THE BADBOX BOTNET OPERATORS ------------------------------------------------------------

[2025.07.23] [https://www.schneier.com/blog/archives/2025/07/google-sues= -the-badbox-botnet-operators.html] It will be interesting to watch what wi=
ll come of this private lawsuit [https://www.securityweek.com/google-sues= -operators-of-10-million-device-badbox-2-0-botnet/]:

Google on Thursday announced filing a lawsuit against the operators of t=

he Badbox 2.0 botnet=2C which has ensnared more than 10 million devices ru= nning Android open source software.

These devices lack Google=E2=80=99s security protections=2C and the perp=

etrators pre-installed the Badbox 2.0 malware on them=2C to create a backd=
oor and abuse them for large-scale fraud and other illicit schemes.

This reminds me of Meta=E2=80=99s lawauit against Pegasus over its hack-fo= r-hire software (which I wrote about here [https://www.schneier.com/wp-co= ntent/uploads/2022/03/Platforms-Encryption-and-the-CFAA-1.pdf].) It=E2=80=
=99s a private company stepping into a regulatory void left by governments=
=2E

Slashdot thread [https://yro.slashdot.org/story/25/07/18/2212220/google-s= ues-operators-of-10-million-device-badbox-20-botnet].

** *** ***** ******* *********** *************

** HOW THE SOLID PROTOCOL RESTORES DIGITAL AGENCY ------------------------------------------------------------

[2025.07.24] [https://www.schneier.com/blog/archives/2025/07/how-solid-p= rotocol-restores-digital-agency.html] The current state of digital identit=
y is a mess. Your personal information is scattered across hundreds of loc= ations: social media companies=2C IoT companies=2C government agencies=2C=
websites you have accounts on=2C and data brokers you=E2=80=99ve never he=
ard of. These entities collect=2C store=2C and trade your data=2C often wi= thout your knowledge or consent. It=E2=80=99s both redundant and inconsist= ent. You have hundreds=2C maybe thousands=2C of fragmented digital profile=
s that often contain contradictory or logically impossible information. Ea=
ch serves its own purpose=2C yet there is no central override and control=
to serve you -- as the identity owner.

We=E2=80=99re used to the massive security failures resulting from all of=
this data under the control of so many different entities. Years of priva=
cy breaches have resulted in a multitude of laws -- in US states=2C in the=
EU=2C elsewhere -- and calls for even more stringent protections. But whi=
le these laws attempt to protect data confidentiality=2C there is nothing=
to protect data integrity.

In this context=2C data integrity refers to its accuracy=2C consistency=2C=
and reliability...throughout its lifecycle. It means ensuring that data i=
s not only accurately recorded but also remains logically consistent acros=
s systems=2C is up-to-date=2C and can be verified as authentic. When data=
lacks integrity=2C it can contain contradictions=2C errors=2C or outdated=
information -- problems that can have serious real-world consequences.

Without data integrity=2C someone could classify you as a teenager while s= imultaneously attributing to you three teenage children: a biological impo= ssibility. What=E2=80=99s worse=2C you have no visibility into the data pr= ofiles assigned to your identity=2C no mechanism to correct errors=2C and=
no authoritative way to update your information across all platforms wher=
e it resides.

Integrity breaches don=E2=80=99t get the same attention that confidentiali=
ty breaches do=2C but the picture isn=E2=80=99t pretty. A 2017 write-up in=
_The Atlantic_ found error rates exceeding 50% [https://www.theatlantic.= com/technology/archive/2017/06/online-data-brokers/529281/] in some catego= ries of personal information. A 2019 audit of data brokers found at least=
40% of data broker sourced user attributes are =E2=80=9Cnot at all [http= s://www.lix.polytechnique.fr/~goga/papers/databrokers-measurement_finalCam= eraReady.pdf]=E2=80=9D accurate. In 2022=2C the Consumer Financial Protect=
ion Bureau documented [https://web.archive.org/web/20250228230511/https:/= /www.consumerfinance.gov/about-us/newsroom/cfpb-takes-action-to-address-ju= nk-data-in-credit-reports/] thousands [https://web.archive.org/web/202502= 21180714/https://files.consumerfinance.gov/f/documents/cfpb_fair-credit-re= porting-facially-false-data_advisory-opinion_2022-10.pdf] of cases where c= onsumers were denied housing=2C employment=2C or financial services based=
on logically impossible data combinations in their profiles. Similarly=2C=
the National Consumer Law Center report called =E2=80=9CDigital Denials [= https://www.nclc.org/wp-content/uploads/2023/09/202309_Report_Digital-Den= ials.pdf]=E2=80=9D showed inaccuracies in tenant screening data that block=
ed people from housing.

And integrity breaches can have significant effects on our lives. In one 2=
024 British case=2C two companies blamed each other [https://www.theguard= ian.com/money/2024/oct/14/they-are-ruining-my-life-how-the-shadowy-world-o= f-debt-collection-can-wreck-your-finances] for the faulty debt information=
that caused catastrophic financial consequences for an innocent victim. B= reonna Taylor was killed in 2020 [https://www.congress.gov/117/meeting/ho= use/111301/documents/HHRG-117-JU08-20210311-SD011.pdf] during a police rai=
d on her apartment in Louisville=2C Kentucky=2C when officers executed a=
=E2=80=9Cno-knock=E2=80=9D warrant on the wrong house based on bad data.=
They had faulty intelligence connecting her address to a suspect who actu= ally lived elsewhere.

In some instances=2C we have rights to view our data=2C and in others=2C r= ights to correct it=2C but these sorts of solutions have only limited valu=
e. When journalist Julia Angwin attempted to correct her information acros=
s major data brokers for her book _Dragnet Nation_ [https://juliaangwin.c= om/books/]_=2C_ she found that even after submitting corrections through o= fficial channels=2C a significant number of errors reappeared within six m= onths.

In some instances=2C we have the right to delete our data=2C but -- again=
-- this only has limited value. Some data processing is legally required=
=2C and some is necessary for services we truly want and need.

Our focus needs to shift from the binary choice of either concealing our d=
ata entirely or surrendering all control over it. Instead=2C we need solut= ions that prioritize integrity in ways that balance privacy with the benef=
its of data sharing.

It=E2=80=99s not as if we haven=E2=80=99t made progress in better ways to=
manage online identity. Over the years=2C numerous trustworthy systems ha=
ve been developed that could solve many of these problems. For example=2C=
imagine digital verification that works like a locked mobile phone -- it=
works when you=E2=80=99re the one who can unlock and use it=2C but not if=
someone else grabs it from you. Or consider a storage device that holds a=
ll your credentials=2C like your driver=E2=80=99s license=2C professional=
certifications=2C and healthcare information=2C and lets you selectively=
share one without giving away everything at once. Imagine being able to s= hare just a single cell in a table or a specific field in a file. These te= chnologies already exist=2C and they could let you securely prove specific=
facts about yourself without surrendering control of your whole identity.=
This isn=E2=80=99t just theoretically better than traditional usernames a=
nd passwords; the technologies represent a fundamental shift in how we thi=
nk about digital trust and verification.

Standards to do all these things emerged during the Web 2.0 era. We mostly=
haven=E2=80=99t used them because platform companies have been more inter= ested in building barriers around user data and identity. They=E2=80=99ve=
used control of user identity as a key to market dominance and monetizati=
on. They=E2=80=99ve treated data as a corporate asset=2C and resisted open=
standards that would democratize data ownership and access. Closed=2C pro= prietary systems have better served their purposes.

There is another way. The Solid protocol=2C invented by Sir Tim Berners-Le= e=2C represents a radical reimagining of how data operates online. Solid s= tands for =E2=80=9CSOcial LInked Data.=E2=80=9D At its core=2C it decouple=
s data from applications by storing personal information in user-controlle=
d =E2=80=9Cdata wallets=E2=80=9D: secure=2C personal data stores that user=
s can host anywhere they choose. Applications can access specific data wit=
hin these wallets=2C but users maintain ownership and control.

Solid is more than distributed data storage. This architecture inverts the=
current data ownership model. Instead of companies owning user data=2C us=
ers maintain a single source of truth for their personal information. It i= ntegrates and extends all those established identity standards and technol= ogies mentioned earlier=2C and forms a comprehensive stack that places per= sonal identity at the architectural center.

This identity-first paradigm means that every digital interaction begins w=
ith the authenticated individual who maintains control over their data. Ap= plications become interchangeable views into user-owned data=2C rather tha=
n data silos themselves. This enables unprecedented interoperability=2C as=
services can securely access precisely the information they need while re= specting user-defined boundaries.

Solid ensures that user intentions are transparently expressed and reliabl=
y enforced across the entire ecosystem. Instead of each application implem= enting its own custom authorization logic and access controls=2C Solid est= ablishes a standardized declarative approach where permissions are explici=
tly defined through control lists or policies attached to resources. Users=
can specify who has access to what data with granular precision=2C using=
simple statements like =E2=80=9CAlice can read this document=E2=80=9D or=
=E2=80=9CBob can write to this folder.=E2=80=9D These permission rules re= main consistent=2C regardless of which application is accessing the data=
=2C eliminating the fragmentation and unpredictability of traditional auth= orization systems.

This architectural shift decouples applications from data infrastructure.=
Unlike Web 2.0 platforms like Facebook=2C which require massive back-end=
systems to store=2C process=2C and monetize user data=2C Solid applicatio=
ns can be lightweight and focused solely on functionality. Developers no l= onger need to build and maintain extensive data storage systems=2C surveil= lance infrastructure=2C or analytics pipelines. Instead=2C they can build=
specialized tools that request access to specific data in users=E2=80=99=
wallets=2C with the heavy lifting of data storage and access control hand=
led by the protocol itself.

Let=E2=80=99s take healthcare as an example. The current system forces pat= ients to spread pieces of their medical history across countless proprieta=
ry databases controlled by insurance companies=2C hospital networks=2C and=
electronic health record vendors. Patients frustratingly become a patchwo=
rk rather than a person=2C because they often can=E2=80=99t access their o=
wn complete medical history=2C let alone correct mistakes. Meanwhile=2C th=
ose third-party databases suffer regular breaches. The Solid protocol enab=
les a fundamentally different approach. Patients maintain their own compre= hensive medical record=2C with data cryptographically signed by trusted pr= oviders=2C in their own data wallet. When visiting a new healthcare provid= er=2C patients can arrive with their complete=2C verifiable medical histor=
y rather than starting from zero or waiting for bureaucratic record transf= ers.

When a patient needs to see a specialist=2C they can grant temporary=2C sp= ecific access to relevant portions of their medical history. For example=
=2C a patient referred to a cardiologist could share only cardiac-related=
records and essential background information. Or=2C on the flip side=2C t=
he patient can share new and rich sources of related data to the specialis= t=2C like health and nutrition data. The specialist=2C in turn=2C can add=
their findings and treatment recommendations directly to the patient=E2= =80=99s wallet=2C with a cryptographic signature verifying medical credent= ials. This process eliminates dangerous information gaps while ensuring th=
at patients maintain an appropriate role in who sees what about them and w=
hy.

When a patient -- doctor relationship ends=2C the patient retains all reco=
rds generated during that relationship -- unlike today=E2=80=99s system wh=
ere changing providers often means losing access to one=E2=80=99s historic=
al records. The departing doctor=E2=80=99s signed contributions remain ver= ifiable parts of the medical history=2C but they no longer have direct acc=
ess to the patient=E2=80=99s wallet without explicit permission.

For insurance claims=2C patients can provide temporary=2C auditable access=
to specific information needed for processing -- no more and no less. Ins= urance companies receive verified data directly relevant to claims but sho=
uld not be expected to have uncontrolled hidden comprehensive profiles or=
retain information longer than safe under privacy regulations. This appro=
ach dramatically reduces unauthorized data use=2C risk of breaches (privac=
y and integrity)=2C and administrative costs.

Perhaps most transformatively=2C this architecture enables patients to sel= ectively participate in medical research while maintaining privacy. They c= ould contribute anonymized or personalized data to studies matching their=
interests or conditions=2C with granular control over what information is=
shared and for how long. Researchers could gain access to larger=2C more=
diverse datasets while participants would maintain control over their inf= ormation -- creating a proper ethical model for advancing medical knowledg=
e.

The implications extend far beyond healthcare. In financial services=2C cu= stomers could maintain verified transaction histories and creditworthiness=
credentials independently of credit bureaus. In education=2C students cou=
ld collect verified credentials and portfolios that they truly own rather=
than relying on institutions=E2=80=99 siloed records. In employment=2C wo= rkers could maintain portable professional histories with verified credent= ials from past employers. In each case=2C Solid enables individuals to be=
the masters of their own data while allowing verification and selective s= haring.

The economics of Web 2.0 pushed us toward centralized platforms and survei= llance capitalism=2C but there has always been a better way. Solid brings=
different pieces together into a cohesive whole that enables the identity= -first architecture we should have had all along. The protocol doesn=E2=80= =99t just solve technical problems; it corrects the fundamental misalignme=
nt of incentives that has made the modern web increasingly hostile to both=
users and developers.

As we look to a future of increased digitization across all sectors of soc= iety=2C the need for this architectural shift becomes even more apparent.=
Individuals should be able to maintain and present their own verified dig= ital identity and history=2C rather than being at the mercy of siloed inst= itutional databases. The Solid protocol makes this future technically poss= ible.

_This essay was written with Davi Ottenheimer=2C and originally appeared o=
n The Inrupt Blog [https://www.inrupt.com/blog/return-to-identity-first-a= rchitecture-how-solid-protocol-restores-digital-agency]._

** *** ***** ******* *********** *************

** SUBLIMINAL LEARNING IN AIS ------------------------------------------------------------

[2025.07.25] [https://www.schneier.com/blog/archives/2025/07/subliminal-= learning-in-ais.html] Today=E2=80=99s freaky LLM behavior [https://alignm= ent.anthropic.com/2025/subliminal-learning/]:

We study subliminal learning=2C a surprising phenomenon where language m=

odels learn traits from model-generated data that is semantically unrelate=
d to those traits. For example=2C a =E2=80=9Cstudent=E2=80=9D model learns=
to prefer owls when trained on sequences of numbers generated by a =E2=80= =9Cteacher=E2=80=9D model that prefers owls. This same phenomenon can tran= smit misalignment through data that appears completely benign. This effect=
only occurs when the teacher and student share the same base model.

Interesting security implications.

I am more convinced than ever that we need serious research into AI integr=
ity [https://www.schneier.com/essays/archives/2025/06/the-age-of-integrit= y.html] if we are ever going to have trustworthy AI [https://www.schneier= =2Ecom/essays/archives/2025/06/ai-and-trust-2.html].

** *** ***** ******* *********** *************

** MICROSOFT SHAREPOINT ZERO-DAY ------------------------------------------------------------

[2025.07.28] [https://www.schneier.com/blog/archives/2025/07/microsoft-s= harepoint-zero-day.html] Chinese hackers are exploiting a high-severity vu= lnerability in Microsoft SharePoint to steal data [https://arstechnica.co= m/security/2025/07/sharepoint-vulnerability-with-9-8-severity-rating-is-un= der-exploit-across-the-globe/] worldwide:

The vulnerability=2C tracked as CVE-2025-53770=2C carries a severity rat=

ing of 9.8 out of a possible 10. It gives unauthenticated remote access to=
SharePoint Servers exposed to the Internet. Starting Friday=2C researcher=
s began warning of active exploitation of the vulnerability=2C which affec=
ts SharePoint Servers that infrastructure customers run in-house. Microsof= t=E2=80=99s cloud-hosted SharePoint Online and Microsoft 365 are not affec= ted.

Here=E2=80=99s [https://msrc.microsoft.com/blog/2025/07/customer-guidance= -for-sharepoint-vulnerability-cve-2025-53770/] Microsoft on patching instr= uctions. Patching isn=E2=80=99t enough=2C as attackers have used the vulne= rability to steal authentication credentials. It=E2=80=99s an absolute mes=
s. CISA has more information [https://www.cisa.gov/news-events/alerts/202= 5/07/20/update-microsoft-releases-guidance-exploitation-sharepoint-vulnera= bilities]. Also [https://unit42.paloaltonetworks.com/microsoft-sharepoint= -cve-2025-49704-cve-2025-49706-cve-2025-53770/] these [https://www.akamai= =2Ecom/blog/security-research/sharepoint-vulnerability-rce-active-exploitati= on-detections-mitigations] four [https://www.wired.com/story/microsoft-sh= arepoint-hack-china-end-of-life-updates/] links [https://thehackernews.co= m/2025/07/hackers-exploit-sharepoint-zero-day.html]. Two Slashdot [https:= //it.slashdot.org/story/25/07/21/1523207/microsoft-releases-emergency-patc= hes-for-actively-exploited-sharepoint-zero-days] threads [https://news.sl= ashdot.org/story/25/07/23/1652240/us-nuclear-weapons-agency-among-400-orga= nizations-breached-by-chinese-hackers].

This is an unfolding security mess=2C and quite the hacking coup.

** *** ***** ******* *********** *************

** THAT TIME TOM LEHRER PRANKED THE NSA ------------------------------------------------------------

[2025.07.28] [https://www.schneier.com/blog/archives/2025/07/that-time-t= om-lehrer-pranked-the-nsa.html] Bluesky thread [https://bsky.app/profile/= opalescentopal.bsky.social/post/3luxxx27nos23]. Here=E2=80=99s the paper [= https://media.defense.gov/2021/Jul/14/2002762807/-1/-1/0/GAMBLERS-RUIN.PD= F/GAMBLERS-RUIN.PDF]=2C from 1957. Note reference 3.

** *** ***** ******* *********** *************

** AEROFLOT HACKED
------------------------------------------------------------

[2025.07.29] [https://www.schneier.com/blog/archives/2025/07/aeroflot-ha= cked.html] Looks [https://www.reuters.com/en/pro-ukrainian-hackers-claim-= massive-cyberattack-russias-aeroflot-2025-07-28/] serious [https://www.th= eguardian.com/business/2025/jul/28/russia-aeroflot-cancels-flights-pro-ukr= aine-hackers-cyber-attack].

** *** ***** ******* *********** *************

** MEASURING THE ATTACK/DEFENSE BALANCE ------------------------------------------------------------

[2025.07.30] [https://www.schneier.com/blog/archives/2025/07/measuring-t= he-attack-defense-balance.html] =E2=80=9CWho=E2=80=99s winning on the inte= rnet=2C the attackers or the defenders?=E2=80=9D

I=E2=80=99m asked this all the time=2C and I can only ever give a qualitat=
ive hand-wavy answer. But Jason Healey and Tarang Jain=E2=80=99s latest L= awfare piece has amassed data [https://www.lawfaremedia.org/article/are-c= yber-defenders-winning].

The essay provides the first framework for metrics about how we are all do=
ing collectively -- and not just how an individual network is doing. Heale=
y wrote to me in email:

The work rests on three key insights: (1) defenders need a framework (ba=

sed in threat=2C vulnerability=2C and consequence) to categorize the flood=
of potentially relevant security metrics; (2) trends are what matter=2C n=
ot specifics; and (3) to start=2C we should avoid getting bogged down in c= ollecting data and just use what=E2=80=99s already being reported by amazi=
ng teams at Verizon=2C Cyentia=2C Mandiant=2C IBM=2C FBI=2C and so many ot= hers.

The surprising conclusion: there=E2=80=99s a long way to go=2C but we=E2=

=80=99re doing better than we think. There are substantial improvements ac= ross threat operations=2C threat ecosystem and organizations=2C and softwa=
re vulnerabilities. Unfortunately=2C we=E2=80=99re still not seeing increa=
ses in consequence. And since cost imposition is leading to a survival-of-= the-fittest contest=2C we=E2=80=99re stuck with perhaps fewer but fiercer=
predators.

And this is just the start. From the report:

Our project is proceeding in three phases -- the initial framework prese=

nted here is only phase one. In phase two=2C the goal is to create a more=
complete catalog of indicators across threat=2C vulnerability=2C and cons= equence; encourage cybersecurity companies (and others with data) to repor=
t defensibility-relevant statistics in time-series=2C mapped to the catalo=
g; and drive improved analysis and reporting.

This is really good=2C and important=2C work.

** *** ***** ******* *********** *************

** CHEATING ON QUANTUM COMPUTING BENCHMARKS ------------------------------------------------------------

[2025.07.31] [https://www.schneier.com/blog/archives/2025/07/cheating-on= -quantum-computing-benchmarks.html] Peter Gutmann and Stephan Neuhaus have=
a new paper [https://eprint.iacr.org/2025/1237.pdf] -- I think it=E2=80=
=99s new=2C even though it has a March 2025 date -- that makes the argumen=
t that we shouldn=E2=80=99t trust any of the quantum factorization benchm= arks=2C because everyone has been cooking the books:

Similarly=2C quantum factorisation is performed using sleight-of-hand nu=

mbers that have been selected to make them very easy to factorise using a=
physics experiment and=2C by extension=2C a VIC-20=2C an abacus=2C and a=
dog. A standard technique is to ensure that the factors differ by only a=
few bits that can then be found using a simple search-based approach that=
has nothing to do with factorisation.... Note that such a value would nev=
er be encountered in the real world since the RSA key generation process t= ypically requires that |p-q| > 100 or more bits [9]. As one analysis puts=
it=2C =E2=80=9CInstead of waiting for the hardware to improve by yet furt=
her orders of magnitude=2C researchers began inventing better and better t= ricks for factoring numbers by exploiting their hidden structure=E2=80=9D=
[10].

A second technique used in quantum factorisation is to use preprocessing=

on a computer to transform the value being factorised into an entirely di= fferent form or even a different problem to solve which is then amenable t=
o being solved via a physics experiment...

Lots more in the paper=2C which is titled =E2=80=9CReplication of Quantum=
Factorisation Records with an 8-bit Home Computer=2C an Abacus=2C and a D= og.=E2=80=9D He points out the largest number that has been factored legit= imately by a quantum computer is 35.

I hadn=E2=80=99t known these details=2C but I=E2=80=99m not surprised. I h=
ave [https://www.schneier.com/essays/archives/2018/09/cryptography_after_= t.html] long [https://www.schneier.com/blog/archives/2019/10/factoring_20= 48.html] said [https://www.schneier.com/blog/archives/2024/01/quantum-com= puting-skeptics.html] that the engineering problems between now and a usef= ul=2C working quantum computer are hard. And by =E2=80=9Chard=2C=E2=80=9D=
we don=E2=80=99t know if it=E2=80=99s =E2=80=9Cland a person on the surfa=
ce of the moon=E2=80=9D hard=2C or =E2=80=9Cland a person on the surface o=
f the sun=E2=80=9D hard. They=E2=80=99re both hard=2C but very different.=
And we=E2=80=99re going to hit those engineering problems one by one=2C a=
s we continue to develop the technology. While I don=E2=80=99t think quant=
um computing is =E2=80=9Csurface of the sun=E2=80=9D hard=2C I don=E2=80=
=99t expect them to be factoring RSA moduli anytime soon. And -- even ther=
e -- I expect lots of engineering challenges in making Shor=E2=80=99s Algo= rithm work on an actual quantum computer with large numbers.

** *** ***** ******* *********** *************

** SPYING ON PEOPLE THROUGH AIRPORTR LUGGAGE DELIVERY SERVICE ------------------------------------------------------------

[2025.08.01] [https://www.schneier.com/blog/archives/2025/08/spying-on-p= eople-through-airportr-luggage-delivery-service.html] Airportr is a servic=
e that allows passengers to have their luggage picked up=2C checked=2C and=
delivered to their destinations. As you might expect=2C it=E2=80=99s use=
d by wealthy or important people. So if the company=E2=80=99s website is i= nsecure [https://www.wired.com/story/luggage-service-web-bugs-exposed-tra= vel-plans-users-diplomats-airportr/]=2C you=E2=80=99d be able to spy on lo=
ts of wealthy or important people. And maybe even steal their luggage.

Researchers at the firm CyberX9 found that simple bugs in Airportr=E2=80=

=99s website allowed them to access virtually all of those users=E2=80=99=
personal information=2C including travel plans=2C or even gain administra=
tor privileges that would have allowed a hacker to redirect or steal lugga=
ge in transit. Among even the small sample of user data that the researche=
rs reviewed and shared with WIRED they found what appear to be the persona=
l information and travel records of multiple government officials and dipl= omats from the UK=2C Switzerland=2C and the US.

=E2=80=9CAnyone would have been able to gain or might have gained absolu=

te super-admin access to all the operations and data of this company=2C=E2= =80=9D says Himanshu Pathak=2C CyberX9=E2=80=99s founder and CEO. =E2=80= =9CThe vulnerabilities resulted in complete confidential private informati=
on exposure of all airline customers in all countries who used the service=
of this company=2C including full control over all the bookings and bagga=
ge. Because once you are the super-admin of their most sensitive systems=
=2C you have have [sic] the ability to do anything.=E2=80=9D

** *** ***** ******* *********** *************

** FIRST SENTENCING IN SCHEME TO HELP NORTH KOREANS INFILTRATE US COMPANIE=
S
------------------------------------------------------------

[2025.08.04] [https://www.schneier.com/blog/archives/2025/08/first-sente= ncing-in-scheme-to-help-north-koreans-infiltrate-us-companies.html] An Ari= zona woman was sentenced [https://www.justice.gov/opa/pr/arizona-woman-se= ntenced-17m-information-technology-worker-fraud-scheme-generated-revenue]=
to eight-and-a-half years in prison for her role helping North Korean wor= kers infiltrate US companies by pretending to be US workers.

From an article [https://www.bleepingcomputer.com/news/security/us-woman-= sentenced-to-8-years-in-prison-for-running-laptop-farm-helping-north-korea= ns-infiltrate-300-firms/]:

According to court documents [https://www.justice.gov/usao-dc/media/135=

2191/dl]=2C Chapman hosted the North Korean IT workers=E2=80=99 computers=
in her own home between October 2020 and October 2023=2C creating a so-ca= lled =E2=80=9Claptop farm=E2=80=9D which was used to make it appear as tho=
ugh the devices were located in the United States.

The North Koreans were hired as remote software and application develope=

rs with multiple Fortune 500 companies=2C including an aerospace and defen=
se company=2C a major television network=2C a Silicon Valley technology co= mpany=2C and a high-profile company.

As a result of this scheme=2C they collected over $17 million in illicit=

revenue paid for their work=2C which was shared with Chapman=2C who proce= ssed their paychecks through her financial accounts.

=E2=80=9CChapman operated a =E2=80=98laptop farm=E2=80=99 where she rece=

ived and hosted computers from the U.S. companies her home=2C so that the=
companies would believe the workers were in the United States=2C=E2=80=9D=
the Justice Department said [https://www.justice.gov/usao-dc/pr/arizona-= woman-sentenced-17m-it-worker-fraud-scheme-illegally-generated-revenue-nor=
th] on Thursday.

=E2=80=9CChapman also shipped 49 laptops and other devices supplied by U=

=2ES. companies to locations overseas=2C including multiple shipments to a c= ity in China on the border with North Korea. More than 90 laptops were sei=
zed from Chapman=E2=80=99s home following the execution of a search warran=
t in October 2023.=E2=80=9D

** *** ***** ******* *********** *************

** SURVEILLING YOUR CHILDREN WITH AIRTAGS ------------------------------------------------------------

[2025.08.05] [https://www.schneier.com/blog/archives/2025/08/surveilling= -your-children-with-airtags.html] Skechers is making a line of kid=E2=80=
=99s shoes with a hidden compartment [https://techcrunch.com/2025/07/30/s= kechers-is-making-kids-shoes-with-a-hidden-airtag-compartment/] for an Air= Tag.

** *** ***** ******* *********** *************

** THE SEMICONDUCTOR INDUSTRY AND REGULATORY COMPLIANCE ------------------------------------------------------------

[2025.08.06] [https://www.schneier.com/blog/archives/2025/08/its-time-fo= r-the-semiconductor-industry-to-step-up.html] Earlier this week=2C the Tru=
mp administration [https://www.ft.com/content/a13ba438-3b43-46dd-b332-4b8= 1b3644da0] narrowed export controls [https://nationalinterest.org/blog/te= chland/export-controls-arent-enough-to-beat-chinas-ai] on advanced semicon= ductors ahead of US-China trade negotiations. The administration is increa= singly relying on export licenses to allow American semiconductor firms to=
sell their products to Chinese customers=2C while keeping the most powerf=
ul of them out of the hands of our military adversaries. These are the chi=
ps that power the artificial intelligence research fueling China=E2=80=99s=
technological rise=2C as well as the advanced military equipment underpin= ning Russia=E2=80=99s invasion of Ukraine.

The US government relies on private-sector firms to implement those export=
controls [https://nationalinterest.org/blog/techland/digital-borders-bid= en-administrations-final-ai-rule-214416]. It=E2=80=99s not working. US-man= ufactured semiconductors have been found in Russian weapons [https://www.= hsgac.senate.gov/wp-content/uploads/09.10.2024-Majority-Staff-Report-The-U= =2ES.-Technology-Fueling-Russias-War-in-Ukraine.pdf]. And China is skirting=
American export controls [https://www.wsj.com/tech/the-underground-netwo= rk-sneaking-nvidia-chips-into-china-f733aaa6] to accelerate AI research an=
d development=2C with the explicit goal of enhancing its military capabili= ties [https://media.defense.gov/2024/Dec/18/2003615520/-1/-1/0/MILITARY-A= ND-SECURITY-DEVELOPMENTS-INVOLVING-THE-PEOPLES-REPUBLIC-OF-CHINA-2024.PDF]=
=2E

American semiconductor firms are unwilling or unable to restrict the flow=
of semiconductors. Instead of investing in effective compliance mechanism= s=2C these firms have consistently prioritized their bottom lines -- a rat= ional decision=2C given the fundamentally risky nature of the semiconducto=
r industry.

We can=E2=80=99t afford to wait for semiconductor firms to catch up gradua= lly. To create a robust regulatory environment in the semiconductor indust= ry=2C both the US government and chip companies must take clear and decisi=
ve actions today and consistently over time.

Consider the financial services industry [https://nationalinterest.org/fe= ature/how-capital-markets-can-revive-the-defense-industrial-base]. Those c= ompanies are also heavily regulated=2C implementing US government regulati=
ons ranging from international sanctions to anti-money laundering. For dec= ades=2C these companies have invested heavily in compliance technology. La=
rge banks maintain teams of compliance employees=2C often numbering in the=
thousands [https://www.reuters.com/business/finance/key-citis-regulatory= -woes-staff-need-skills-enhancement-2024-10-15/].

The companies understand that by entering the financial services industry=
=2C they assume the responsibility [https://news.bloomberglaw.com/mergers= -and-acquisitions/matt-levines-money-stuff-td-was-convenient-for-criminals=
] to verify their customers=E2=80=99 identities and activities=2C refuse s= ervices to those engaged in criminal activity=2C and report certain activi= ties to the authorities. They take these obligations seriously [https://w= ww.bruegel.org/system/files/2024-05/WP%2010%202024_1.pdf] because they kno=
w they will face massive fines when they fail. Across the financial sector=
=2C the Securities and Exchange Commission imposed a whopping $6.4 billion=
in penalties [https://www.sec.gov/newsroom/press-releases/2022-206] in 2=
022. For example=2C TD Bank recently paid almost $2 billion in penalties [= https://www.justice.gov/opa/pr/td-bank-pleads-guilty-bank-secrecy-act-and= -money-laundering-conspiracy-violations-18b] because of its ineffective an= ti-money laundering efforts

An executive order [https://www.federalregister.gov/documents/2025/01/15/= 2025-00636/framework-for-artificial-intelligence-diffusion] issued earlier=
this year applied a similar regulatory model to potential =E2=80=9Cknow y=
our customer=E2=80=9D obligations for certain cloud service providers.

If Trump=E2=80=99s new license-focused export controls are to be effective=
=2C the administration must increase the penalties for noncompliance. The=
Commerce Department=E2=80=99s Bureau of Industry and Security (BIS) needs=
to more aggressively enforce its regulations by sharply increasing penalt=
ies for export control violations.

BIS has been working to improve enforcement=2C as evidenced by this week= =E2=80=99s news of a $95 million penalty [https://www.bis.gov/press-relea= se/cadence-design-systems-pay-95-million-penalty-bis-unauthorized-exports-= chinese-entities-tied-development] against Cadence Design Systems for viol= ating export controls on its chip design technology. Unfortunately=2C BIS=
lacks the people=2C technology=2C and funding [https://www.hsgac.senate.= gov/wp-content/uploads/The-U.S.-Technology-Fueling-Russias-War-in-Ukraine-= Examing-BISs-Enforcement-of-Semiconductor-Export-Controls.pdf] to enforce=
these controls across the board.

The Trump administration should also use its bully pulpit=2C publicly nami=
ng companies that break the rules and encouraging American firms and consu= mers to do business elsewhere. Regulatory threats and bad publicity are th=
e only ways to force the semiconductor industry to take export control reg= ulations seriously and invest in compliance.

With those threats in place=2C American semiconductor firms must accept th=
eir obligation to comply with regulations and cooperate. They need to inve=
st in strengthening their compliance teams and conduct proactive audits of=
their subsidiaries=2C their customers=2C and their customers=E2=80=99 cus= tomers.

Firms should elevate risk and compliance voices onto their executive leade= rship teams=2C similar to the chief risk officer role found in banks. Seni=
or leaders need to devote their time to regular progress reviews focused o=
n meaningful=2C proactive compliance with export controls and other critic=
al regulations=2C thereby leading their organizations to make compliance a=
priority.

As the world becomes increasingly dangerous and America=E2=80=99s adversar=
ies become more emboldened=2C we need to maintain stronger control over ou=
r supply of critical semiconductors. If Russia and China are allowed unfet= tered access to advanced American chips for their AI efforts [https://nat= ionalinterest.org/blog/techland/jd-vance-unveils-americas-ai-doctrine] and=
military equipment=2C we risk losing the military advantage and our abili=
ty to deter conflicts worldwide. The geopolitical importance of semiconduc= tors will only increase as the world becomes more dangerous and more relia=
nt on advanced technologies -- American security depends on limiting their=
flow.

_This essay was written with Andrew Kidd and Celine Lee=2C and originally=
appeared in The National Interest [https://nationalinterest.org/blog/tec= hland/its-time-for-the-semiconductor-industry-to-step-up]._

** *** ***** ******* *********** *************

** CHINA ACCUSES NVIDIA OF PUTTING BACKDOORS INTO THEIR CHIPS ------------------------------------------------------------

[2025.08.07] [https://www.schneier.com/blog/archives/2025/08/china-accus= es-nvidia-of-putting-backdoors-into-their-chips.html] The government of Ch=
ina has accused Nvidia of inserting a backdoor [https://arstechnica.com/g= adgets/2025/07/china-claims-nvidia-built-backdoor-into-h20-chip-designed-f= or-chinese-market/] into their H20 chips:

China=E2=80=99s cyber regulator on Thursday said it had held a meeting w=

ith Nvidia over what it called =E2=80=9Cserious security issues=E2=80=9D w=
ith the company=E2=80=99s artificial intelligence chips. It said US AI exp= erts had =E2=80=9Crevealed that Nvidia=E2=80=99s computing chips have loca= tion tracking and can remotely shut down the technology.=E2=80=9D

** *** ***** ******* *********** *************

** GOOGLE PROJECT ZERO CHANGES ITS DISCLOSURE POLICY ------------------------------------------------------------

[2025.08.08] [https://www.schneier.com/blog/archives/2025/08/google-proj= ect-zero-changes-its-disclosure-policy.html] Google=E2=80=99s vulnerabilit=
y finding team is again pushing the envelope [https://www.infosecurity-ma= gazine.com/news/google-report-new-vulnerabilities/] of responsible disclos= ure:

Google=E2=80=99s Project Zero team will retain its existing 90+30 policy=

regarding vulnerability disclosures=2C in which it provides vendors with=
90 days before full disclosure takes place=2C with a 30-day period allowe=
d for patch adoption if the bug is fixed before the deadline.

However=2C as of July 29=2C Project Zero will also release limited detai=

ls about any discovery they make within one week of vendor disclosure. Thi=
s information will encompass:

* The vendor or open-source project that received the report
* The affected product
* The date the report was filed and when the 90-day disclosure dead=

line expires

I have mixed feelings about this. On the one hand=2C I like that it puts m=
ore pressure on vendors to patch quickly. On the other hand=2C if no indic= ation is provided regarding how severe a vulnerability is=2C it could easi=
ly cause unnecessary panic.

The problem is that Google is not a neutral vulnerability hunting party. T=
o the extent that it finds=2C publishes=2C and reduces confidence in compe= titors=E2=80=99 products=2C Google benefits as a company.

** *** ***** ******* *********** *************

** AUTOMATIC LICENSE PLATE READERS ARE COMING TO SCHOOLS ------------------------------------------------------------

[2025.08.11] [https://www.schneier.com/blog/archives/2025/08/automatic-l= icense-plate-readers-are-coming-to-schools.html] Fears around children is=
opening up a new market [https://therecord.media/flock-safety-raptor-tec= hnologies-schools-surveillance] for automatic license place readers.

** *** ***** ******* *********** *************

** THE "INCRIMINATING VIDEO" SCAM ------------------------------------------------------------

[2025.08.12] [https://www.schneier.com/blog/archives/2025/08/the-incrimi= nating-video-scam.html] A few years ago=2C scammers invented a new phishin=
g email. They would claim to have hacked your computer=2C turned your webc=
am on=2C and videoed you watching porn or having sex. BuzzFeed has an arti=
cle [https://www.buzzfeed.com/poojashah1/new-email-scam-house-address-sc]=
talking about a =E2=80=9Cshockingly realistic=E2=80=9D variant=2C which i= ncludes photos of you and your house -- more specific information.

The article contains =E2=80=9Csteps you can take to figure out if it=E2=80= =99s a scam=2C=E2=80=9D but omits the first and most fundamental piece of=
advice: If the hacker had incriminating video about you=2C they would sho=
w you a clip. Just a taste=2C not the worst bits so you had to worry about=
how bad it could be=2C but something. If the hacker doesn=E2=80=99t show=
you any video=2C they don=E2=80=99t have any video. Everything else is wi= ndow dressing.

I remember when this scam was first invented. I calmed several people who=
were legitimately worried with that one fact.

** *** ***** ******* *********** *************

** SIGINT DURING WORLD WAR II ------------------------------------------------------------

[2025.08.13] [https://www.schneier.com/blog/archives/2025/08/sigint-duri= ng-world-war-ii.html] The NSA and GCHQ have jointly published a history of=
World War II SIGINT: =E2=80=9CSecret Messengers: Disseminating SIGINT in=
the Second World War [https://media.defense.gov/2025/Jul/25/2003761271/-= 1/-1/0/SECRET_MESSENGERS.PDF].=E2=80=9D This is the story of the British S=
LUs (Special Liaison Units) and the American SSOs (Special Security Office= rs).

** *** ***** ******* *********** *************

** AI APPLICATIONS IN CYBERSECURITY ------------------------------------------------------------

[2025.08.13] [https://www.schneier.com/blog/archives/2025/08/ai-applicat= ions-in-cybersecurity.html] There is a really great series of online event=
s highlighting cool uses of AI in cybersecurity=2C titled Prompt||GTFO. Vi= deos from the first [https://www.youtube.com/playlist?list=3DPLXz1MhBqAGJ= x3HHWtw-qIhHH7JvGpcimw] three [https://www.youtube.com/playlist?list=3DPL= Xz1MhBqAGJwNk8RkjfJ03G8E1N3OAKtV] events [https://www.youtube.com/playlis= t?list=3DPLXz1MhBqAGJzZBwp9ivB58N4XZtcBkbpP] are online. And here=E2=80=99=
s [https://forms.gle/5Q4EbV3FGUhKrUFJA] where to register to attend=2C or=
participate=2C in the fourth.

Some really great stuff here.

** *** ***** ******* *********** *************

** LLM CODING INTEGRITY BREACH ------------------------------------------------------------

[2025.08.14] [https://www.schneier.com/blog/archives/2025/08/llm-coding-= integrity-breach.html] Here=E2=80=99s [https://sketch.dev/blog/our-first-= outage-from-llm-written-code] an interesting story about a failure being i= ntroduced by LLM-written code. Specifically=2C the LLM was doing some code=
refactoring=2C and when it moved a chunk of code from one file to another=
it changed a =E2=80=9Cbreak=E2=80=9D to a =E2=80=9Ccontinue.=E2=80=9D Tha=
t turned an error logging statement into an infinite loop=2C which crashed=
the system.

This is an integrity failure [https://www.computer.org/csdl/magazine/sp/2= 025/03/11038984/27COaJtjDOM]. Specifically=2C it=E2=80=99s a failure of pr= ocessing integrity. And while we can think of particular patches that alle= viate this exact failure=2C the larger problem is much harder to solve.

Davi Ottenheimer comments [https://www.flyingpenguin.com/?p=3D71603].

** *** ***** ******* *********** *************

Since 1998=2C CRYPTO-GRAM has been a free monthly newsletter providing sum= maries=2C analyses=2C insights=2C and commentaries on security technology.=
To subscribe=2C or to read back issues=2C see Crypto-Gram's web page [ht= tps://www.schneier.com/crypto-gram/].

You can also read these articles on my blog=2C Schneier on Security [http= s://www.schneier.com].

Please feel free to forward CRYPTO-GRAM=2C in whole or in part=2C to colle= agues and friends who will find it valuable. Permission is also granted to=
reprint CRYPTO-GRAM=2C as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist=2C cal=
led a security guru by the _Economist_. He is the author of over one dozen=
books -- including his latest=2C _A Hacker=E2=80=99s Mind_ [https://www.= schneier.com/books/a-hackers-mind/] -- as well as hundreds of articles=2C=
essays=2C and academic papers. His newsletter and blog are read by over 2= 50=2C000 people. Schneier is a fellow at the Berkman Klein Center for Inte= rnet & Society at Harvard University; a Lecturer in Public Policy at the H= arvard Kennedy School; a board member of the Electronic Frontier Foundatio= n=2C AccessNow=2C and the Tor Project; and an Advisory Board Member of the=
Electronic Privacy Information Center and VerifiedVoting.org. He is the C= hief of Security Architecture at Inrupt=2C Inc.

Copyright (c) 2025 by Bruce Schneier.

** *** ***** ******* *********** *************

Mailing list hosting graciously provided by MailChimp [https://mailchimp.= com/]. Sent without web bugs or link tracking.

This email was sent to: cryptogram@toolazy.synchro.net

_You are receiving this email because you subscribed to the Crypto-Gram ne= wsletter._

Unsubscribe from this list: https://schneier.us18.list-manage.com/unsubscr= ibe?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&t=3Db&e=3D70f249ec14&c=3D7= 9ea0a4e97

Update subscription preferences: https://schneier.us18.list-manage.com/pro= file?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&e=3D70f249ec14&c=3D79ea0a= 4e97

Bruce Schneier
Harvard Kennedy School
1 Brattle Square
Cambridge=2C MA 02138
USA
--_----------=_MCPart_1857184867
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html><html lang=3D"en"><head><meta charset=3D"UTF-8"><title>Cryp= to-Gram=2C August 15=2C 2025</title></head><body>
<div class=3D"preview-text" style=3D"display:none !important;mso-hide:all;= font-size:1px;line-height:1px;max-height:0px;max-width:0px;opacity:0;overf= low:hidden;">A monthly newsletter about cybersecurity and related topics.<= /div>
<h1 style=3D"font-size:140%">Crypto-Gram 
August 15=2C=
2025</h1>

by Bruce Schneier
 Fellow and Lecturer=2C Harvard Kennedy School
 schneier@schneier.com
 <a href=3D"https://www.schneier.com">https://www.schneier.com</a>

A free monthly newsletter providing summaries=2C analyses=2C insights=
=2C and commentaries on security: computer and otherwise.

For back issues=2C or to subscribe=2C visit <a href=3D"https://www.schn= eier.com/crypto-gram/">Crypto-Gram's web page</a>.

<a href=3D"https://www.schneier.com/crypto-gram/archives/2025/0815.html= ">Read this issue on the web</a>

These same essays and news items appear in the <a href=3D"https://www.s= chneier.com/">Schneier on Security</a> blog=2C along with a lively and int= elligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"toc"><a name=3D"toc">I=
n this issue:</a></h2>

If these links don't work in your email client=2C try <a href=3D"ht= tps://www.schneier.com/crypto-gram/archives/2025/0815.html">reading this i= ssue of Crypto-Gram on the web.</a>

<li><a href=3D"#cg1">Report from the Cambridge Cybercrime Conference</a></=

<li><a href=3D"#cg2">Hacking Trains</a></li>
<li><a href=3D"#cg3">Security Vulnerabilities in ICEBlock</a></li>
<li><a href=3D"#cg4">New Mobile Phone Forensics Tool</a></li>
<li><a href=3D"#cg5">Another Supply Chain Vulnerability</a></li>
<li><a href=3D"#cg6">"Encryption Backdoors and the Fourth Amendment"</a></=

<li><a href=3D"#cg7">Google Sues the Badbox Botnet Operators</a></li>
<li><a href=3D"#cg8">How the Solid Protocol Restores Digital Agency</a></l=

<li><a href=3D"#cg9">Subliminal Learning in AIs</a></li>
<li><a href=3D"#cg10">Microsoft SharePoint Zero-Day</a></li>
<li><a href=3D"#cg11">That Time Tom Lehrer Pranked the NSA</a></li>
<li><a href=3D"#cg12">Aeroflot Hacked</a></li>
<li><a href=3D"#cg13">Measuring the Attack/Defense Balance</a></li>
<li><a href=3D"#cg14">Cheating on Quantum Computing Benchmarks</a></li>
<li><a href=3D"#cg15">Spying on People Through Airportr Luggage Delivery S= ervice</a></li>
<li><a href=3D"#cg16">First Sentencing in Scheme to Help North Koreans Inf= iltrate US Companies</a></li>
<li><a href=3D"#cg17">Surveilling Your Children with AirTags</a></li>
<li><a href=3D"#cg18">The Semiconductor Industry and Regulatory Compliance= </a></li>
<li><a href=3D"#cg19">China Accuses Nvidia of Putting Backdoors into Their=
Chips</a></li>
<li><a href=3D"#cg20">Google Project Zero Changes Its Disclosure Policy</a= ></li>
<li><a href=3D"#cg21">Automatic License Plate Readers Are Coming to School= s</a></li>
<li><a href=3D"#cg22">The "Incriminating Video" Scam</a></li>
<li><a href=3D"#cg23">SIGINT During World War II</a></li>
<li><a href=3D"#cg24">AI Applications in Cybersecurity</a></li>
<li><a href=3D"#cg25">LLM Coding Integrity Breach</a></li>
</ol>

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg1"><a name=3D"cg1">R= eport from the Cambridge Cybercrime Conference</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/07/report-from-t= he-cambridge-cybercrime-conference.html">[2025.07.14]</a=

The <a href=3D"https://www.cambridgecybercrime.uk/conference2025.html">C=

ambridge Cybercrime Conference</a> was held on 23 June. Summaries of the p= resentations are <a href=3D"https://www.lightbluetouchpaper.org/2025/06/25= /cambridge-cybercrime-conference-2025-liveblog/">here</a>.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg2"><a name=3D"cg2">H= acking Trains</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/07/hacking-train= s.html">[2025.07.16]</a> Seems like an old system <a hre= f=3D"https://gizmodo.com/hackers-can-tamper-with-train-breaks-using-just-a= -radio-feds-warn-2000629522">system</a> that predates any care about secur= ity:

<blockquote>The flaw has to do with the protocol used in a train system=
known as the End-of-Train and Head-of-Train. A Flashing Rear End Device (= FRED)=2C also known as an End-of-Train (EOT) device=2C is attached to the=
back of a train and sends data via radio signals to a corresponding devic=
e in the locomotive called the Head-of-Train (HOT). Commands can also be s=
ent to the FRED to apply the brakes at the rear of the train.

These devices were first installed in the 1980s as a replacement for ca= boose cars=2C and unfortunately=2C they lack encryption and authentication=
protocols. Instead=2C the current system uses data packets sent between t=
he front and back of a train that include a simple BCH checksum to detect=
errors or interference. But now=2C the CISA is warning that someone using=
a software-defined radio could potentially send fake data packets and int= erfere with train operations.</blockquote>

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg3"><a name=3D"cg3">S= ecurity Vulnerabilities in ICEBlock</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/07/security-vuln= erabilities-in-iceblock.html">[2025.07.17]</a> The ICEBl=
ock tool has <a href=3D"https://www.theverge.com/cyber-security/707116/ice= block-data-privacy-security-android-version">vulnerabilities</a>:

<blockquote>The developer of ICEBlock=2C an iOS app for anonymously rep= orting sightings of US Immigration and Customs Enforcement (ICE) officials=
=2C promises that it =E2=80=9Censures user privacy by storing no personal=
data.=E2=80=9D But that claim has come under scrutiny. ICEBlock creator J= oshua Aaron has been accused of making false promises regarding user anony= mity and privacy=2C being =E2=80=9Cmisguided=E2=80=9D about the privacy of= fered by iOS=2C and of being an Apple fanboy. The issue isn=E2=80=99t what=
ICEBlock stores. It=E2=80=99s about what it could accidentally reveal thr= ough its tight integration with iOS.</blockquote>

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg4"><a name=3D"cg4">N=
ew Mobile Phone Forensics Tool</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/07/new-mobile-ph= one-forensics-tool.html">[2025.07.18]</a> The Chinese ha=
ve a new tool called <a href=3D"https://www.lookout.com/threat-intelligenc= e/article/massistant-chinese-mobile-forensics">Massistant</a>.

<blockquote>

<li>Massistant is the presumed successor to Chinese forensics tool=2C=
=E2=80=9CMFSocket=E2=80=9D=2C reported in 2019 and attributed to publicly=
traded cybersecurity company=2C Meiya Pico.</li>

<li>The forensics tool works in tandem with a corresponding desktop so= ftware.</li>

<li>Massistant gains access to device GPS location data=2C SMS message= s=2C images=2C audio=2C contacts and phone services.</li>

<li>Meiya Pico maintains partnerships with domestic and international=
law enforcement partners=2C both as a surveillance hardware and software=
provider=2C as well as through training programs for law enforcement pers= onnel.</li>
</ul>
</blockquote>

From a <a href=3D"https://techcrunch.com/2025/07/16/chinese-authorities= -are-using-a-new-tool-to-hack-seized-phones-and-extract-data/">news articl= e</a>:

<blockquote>The good news=2C per Balaam=2C is that Massistant leaves ev= idence of its compromise on the seized device=2C meaning users can potenti= ally identify and delete the malware=2C either because the hacking tool ap= pears as an app=2C or can be found and deleted using more sophisticated to=
ols such as the <a href=3D"https://developer.android.com/tools/adb">Androi=
d Debug Bridge</a>=2C a command line tool that lets a user connect to a de= vice through their computer.

The bad news is that at the time of installing Massistant=2C the damage=
is done=2C and authorities already have the person=E2=80=99s data.</b= lockquote>

Slashdot <a href=3D"https://yro.slashdot.org/story/25/07/16/2042245/chi= nese-authorities-are-using-a-new-tool-to-hack-seized-phones-and-extract-da= ta">thread</a>.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg5"><a name=3D"cg5">A= nother Supply Chain Vulnerability</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/07/another-suppl= y-chain-vulnerability.html">[2025.07.21]</a> ProPublica=
is <a href=3D"https://www.propublica.org/article/microsoft-digital-escort= s-pentagon-defense-department-china-hackers">reporting</a>:

<blockquote>Microsoft is using engineers in China to help maintain the=
Defense Department=E2=80=99s computer systems -- with minimal supervision=
by U.S. personnel -- leaving some of the nation=E2=80=99s most sensitive=
data vulnerable to hacking from its leading cyber adversary=2C a ProPubli=
ca investigation has found.

The arrangement=2C which was critical to Microsoft winning the federal=
government=E2=80=99s cloud computing business a decade ago=2C relies on U= =2ES. citizens with security clearances to oversee the work and serve as a b= arrier against espionage and sabotage.

But these workers=2C known as =E2=80=9Cdigital escorts=2C=E2=80=9D ofte=
n lack the technical expertise to police foreign engineers with far more a= dvanced skills=2C ProPublica found. Some are former military personnel wit=
h little coding experience who are paid barely more than minimum wage for=
the work.</blockquote>

This sounds bad=2C but it=E2=80=99s the way the digital world works. Ev= erything we do is international=2C deeply international. Making anything U= S-only is hard=2C and often infeasible.

EDITED TO ADD: Microsoft has <a href=3D"https://www.reuters.com/world/u= s/microsoft-stop-using-engineers-china-tech-support-us-military-hegseth-or= ders-2025-07-18/">stopped</a> the practice.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg6"><a name=3D"cg6">"= Encryption Backdoors and the Fourth Amendment"</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/07/encryption-ba= ckdoors-and-the-fourth-amendment.html">[2025.07.22]</a>=
Law journal <a href=3D"https://scholarship.law.marquette.edu/mulr/vol108/= iss2/5/">article</a> that looks at the <a href=3D"https://www.schneier.com= /blog/archives/2007/11/the_strange_sto.html">Dual_EC_PRNG backdoor</a> fro=
m a US constitutional perspective:

<blockquote>Abstract: The National Security Agency (NSA) reporte=
dly paid and pressured technology companies to trick their customers into=
using vulnerable encryption products. This Article examines whether any o=
f three theories removed the Fourth Amendment=E2=80=99s requirement that t=
his be reasonable. The first is that a challenge to the encryption backdoo=
r might fail for want of a search or seizure. The Article rejects this bot=
h because the Amendment reaches some vulnerabilities apart from the search=
es and seizures they enable and because the creation of this vulnerability=
was itself a search or seizure. The second is that the role of the techno= logy companies might have brought this backdoor within the private-search=
doctrine. The Article criticizes the doctrine particularly its origins in=
Burdeau v. McDowelland argues that if it ever should apply=2C it should n=
ot here. The last is that the customers might have waived their Fourth Ame= ndment rights under the third-party doctrine. The Article rejects this bot=
h because the customers were not on notice of the backdoor and because his= torical understandings of the Amendment would not have tolerated it. The A= rticle concludes that none of these theories removed the Amendment=E2=80=
=99s reasonableness requirement.</blockquote>

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg7"><a name=3D"cg7">G= oogle Sues the Badbox Botnet Operators</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/07/google-sues-t= he-badbox-botnet-operators.html">[2025.07.23]</a> It wil=
l be interesting to watch what will come of this <a href=3D"https://www.se= curityweek.com/google-sues-operators-of-10-million-device-badbox-2-0-botne= t/">private lawsuit</a>:

<blockquote>Google on Thursday announced filing a lawsuit against the o= perators of the Badbox 2.0 botnet=2C which has ensnared more than 10 milli=
on devices running Android open source software.

These devices lack Google=E2=80=99s security protections=2C and the per= petrators pre-installed the Badbox 2.0 malware on them=2C to create a back= door and abuse them for large-scale fraud and other illicit schemes.</= blockquote>

This reminds me of Meta=E2=80=99s lawauit against Pegasus over its hack= -for-hire software (which I wrote about <a href=3D"https://www.schneier.co= m/wp-content/uploads/2022/03/Platforms-Encryption-and-the-CFAA-1.pdf">here= </a>.) It=E2=80=99s a private company stepping into a regulatory void left=
by governments.

Slashdot <a href=3D"https://yro.slashdot.org/story/25/07/18/2212220/goo= gle-sues-operators-of-10-million-device-badbox-20-botnet">thread</a>.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg8"><a name=3D"cg8">H=
ow the Solid Protocol Restores Digital Agency</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/07/how-solid-pro= tocol-restores-digital-agency.html">[2025.07.24]</a> The=
current state of digital identity is a mess. Your personal information is=
scattered across hundreds of locations: social media companies=2C IoT com= panies=2C government agencies=2C websites you have accounts on=2C and data=
brokers you=E2=80=99ve never heard of. These entities collect=2C store=2C=
and trade your data=2C often without your knowledge or consent. It=E2=80=
=99s both redundant and inconsistent. You have hundreds=2C maybe thousands=
=2C of fragmented digital profiles that often contain contradictory or log= ically impossible information. Each serves its own purpose=2C yet there is=
no central override and control to serve you -- as the identity owner.</p=

We=E2=80=99re used to the massive security failures resulting from all=
of this data under the control of so many different entities. Years of pr= ivacy breaches have resulted in a multitude of laws -- in US states=2C in=
the EU=2C elsewhere -- and calls for even more stringent protections. But=
while these laws attempt to protect data confidentiality=2C there is noth=
ing to protect data integrity.

In this context=2C data integrity refers to its accuracy=2C consistency=
=2C and reliability...throughout its lifecycle. It means ensuring that dat=
a is not only accurately recorded but also remains logically consistent ac= ross systems=2C is up-to-date=2C and can be verified as authentic. When da=
ta lacks integrity=2C it can contain contradictions=2C errors=2C or outdat=
ed information -- problems that can have serious real-world consequences.<=

Without data integrity=2C someone could classify you as a teenager whil=
e simultaneously attributing to you three teenage children: a biological i= mpossibility. What=E2=80=99s worse=2C you have no visibility into the data=
profiles assigned to your identity=2C no mechanism to correct errors=2C a=
nd no authoritative way to update your information across all platforms wh=
ere it resides.

Integrity breaches don=E2=80=99t get the same attention that confidenti= ality breaches do=2C but the picture isn=E2=80=99t pretty. A 2017 write-up=
in The Atlantic found error rates <a href=3D"https://www.theatla= ntic.com/technology/archive/2017/06/online-data-brokers/529281/">exceeding=
50%</a> in some categories of personal information. A 2019 audit of data=
brokers found at least 40% of data broker sourced user attributes are =E2= =80=9C<a href=3D"https://www.lix.polytechnique.fr/~goga/papers/databrokers= -measurement_finalCameraReady.pdf">not at all</a>=E2=80=9D accurate. In 20= 22=2C the Consumer Financial Protection Bureau <a href=3D"https://web.arch= ive.org/web/20250228230511/https://www.consumerfinance.gov/about-us/newsro= om/cfpb-takes-action-to-address-junk-data-in-credit-reports/">documented</=

<a href=3D"https://web.archive.org/web/20250221180714/https://files.con=

sumerfinance.gov/f/documents/cfpb_fair-credit-reporting-facially-false-dat= a_advisory-opinion_2022-10.pdf">thousands</a> of cases where consumers wer=
e denied housing=2C employment=2C or financial services based on logically=
impossible data combinations in their profiles. Similarly=2C the National=
Consumer Law Center report called =E2=80=9C<a href=3D"https://www.nclc.or= g/wp-content/uploads/2023/09/202309_Report_Digital-Denials.pdf">Digital De= nials</a>=E2=80=9D showed inaccuracies in tenant screening data that block=
ed people from housing.

And integrity breaches can have significant effects on our lives. In on=
e 2024 British case=2C two companies <a href=3D"https://www.theguardian.co= m/money/2024/oct/14/they-are-ruining-my-life-how-the-shadowy-world-of-debt= -collection-can-wreck-your-finances">blamed each other</a> for the faulty=
debt information that caused catastrophic financial consequences for an i= nnocent victim. <a href=3D"https://www.congress.gov/117/meeting/house/1113= 01/documents/HHRG-117-JU08-20210311-SD011.pdf">Breonna Taylor was killed i=
n 2020</a> during a police raid on her apartment in Louisville=2C Kentucky=
=2C when officers executed a =E2=80=9Cno-knock=E2=80=9D warrant on the wro=
ng house based on bad data. They had faulty intelligence connecting her ad= dress to a suspect who actually lived elsewhere.

In some instances=2C we have rights to view our data=2C and in others=
=2C rights to correct it=2C but these sorts of solutions have only limited=
value. When journalist Julia Angwin attempted to correct her information=
across major data brokers for her book <a href=3D"https://juliaangwin.com= /books/">Dragnet Nation</a>=2C she found that even after=
submitting corrections through official channels=2C a significant number=
of errors reappeared within six months.

In some instances=2C we have the right to delete our data=2C but -- aga=
in -- this only has limited value. Some data processing is legally require= d=2C and some is necessary for services we truly want and need.

Our focus needs to shift from the binary choice of either concealing ou=
r data entirely or surrendering all control over it. Instead=2C we need so= lutions that prioritize integrity in ways that balance privacy with the be= nefits of data sharing.

It=E2=80=99s not as if we haven=E2=80=99t made progress in better ways=
to manage online identity. Over the years=2C numerous trustworthy systems=
have been developed that could solve many of these problems. For example=
=2C imagine digital verification that works like a locked mobile phone --=
it works when you=E2=80=99re the one who can unlock and use it=2C but not=
if someone else grabs it from you. Or consider a storage device that hold=
s all your credentials=2C like your driver=E2=80=99s license=2C profession=
al certifications=2C and healthcare information=2C and lets you selectivel=
y share one without giving away everything at once. Imagine being able to=
share just a single cell in a table or a specific field in a file. These=
technologies already exist=2C and they could let you securely prove speci=
fic facts about yourself without surrendering control of your whole identi=
ty. This isn=E2=80=99t just theoretically better than traditional username=
s and passwords; the technologies represent a fundamental shift in how we=
think about digital trust and verification.

Standards to do all these things emerged during the Web 2.0 era. We mos=
tly haven=E2=80=99t used them because platform companies have been more in= terested in building barriers around user data and identity. They=E2=80=99=
ve used control of user identity as a key to market dominance and monetiza= tion. They=E2=80=99ve treated data as a corporate asset=2C and resisted op=
en standards that would democratize data ownership and access. Closed=2C p= roprietary systems have better served their purposes.

There is another way. The Solid protocol=2C invented by Sir Tim Berners= -Lee=2C represents a radical reimagining of how data operates online. Soli=
d stands for =E2=80=9CSOcial LInked Data.=E2=80=9D At its core=2C it decou= ples data from applications by storing personal information in user-contro= lled =E2=80=9Cdata wallets=E2=80=9D: secure=2C personal data stores that u= sers can host anywhere they choose. Applications can access specific data=
within these wallets=2C but users maintain ownership and control.

Solid is more than distributed data storage. This architecture inverts=
the current data ownership model. Instead of companies owning user data=
=2C users maintain a single source of truth for their personal information=
=2E It integrates and extends all those established identity standards and t= echnologies mentioned earlier=2C and forms a comprehensive stack that plac=
es personal identity at the architectural center.

This identity-first paradigm means that every digital interaction begin=
s with the authenticated individual who maintains control over their data.=
Applications become interchangeable views into user-owned data=2C rather=
than data silos themselves. This enables unprecedented interoperability=
=2C as services can securely access precisely the information they need wh=
ile respecting user-defined boundaries.

Solid ensures that user intentions are transparently expressed and reli= ably enforced across the entire ecosystem. Instead of each application imp= lementing its own custom authorization logic and access controls=2C Solid=
establishes a standardized declarative approach where permissions are exp= licitly defined through control lists or policies attached to resources. U= sers can specify who has access to what data with granular precision=2C us=
ing simple statements like =E2=80=9CAlice can read this document=E2=80=9D=
or =E2=80=9CBob can write to this folder.=E2=80=9D These permission rules=
remain consistent=2C regardless of which application is accessing the dat= a=2C eliminating the fragmentation and unpredictability of traditional aut= horization systems.

This architectural shift decouples applications from data infrastructur=
e. Unlike Web 2.0 platforms like Facebook=2C which require massive back-en=
d systems to store=2C process=2C and monetize user data=2C Solid applicati=
ons can be lightweight and focused solely on functionality. Developers no=
longer need to build and maintain extensive data storage systems=2C surve= illance infrastructure=2C or analytics pipelines. Instead=2C they can buil=
d specialized tools that request access to specific data in users=E2=80=99=
wallets=2C with the heavy lifting of data storage and access control hand=
led by the protocol itself.

Let=E2=80=99s take healthcare as an example. The current system forces=
patients to spread pieces of their medical history across countless propr= ietary databases controlled by insurance companies=2C hospital networks=2C=
and electronic health record vendors. Patients frustratingly become a pat= chwork rather than a person=2C because they often can=E2=80=99t access the=
ir own complete medical history=2C let alone correct mistakes. Meanwhile=
=2C those third-party databases suffer regular breaches. The Solid protoco=
l enables a fundamentally different approach. Patients maintain their own=
comprehensive medical record=2C with data cryptographically signed by tru= sted providers=2C in their own data wallet. When visiting a new healthcare=
provider=2C patients can arrive with their complete=2C verifiable medical=
history rather than starting from zero or waiting for bureaucratic record=
transfers.

When a patient needs to see a specialist=2C they can grant temporary=2C=
specific access to relevant portions of their medical history. For exampl= e=2C a patient referred to a cardiologist could share only cardiac-related=
records and essential background information. Or=2C on the flip side=2C t=
he patient can share new and rich sources of related data to the specialis= t=2C like health and nutrition data. The specialist=2C in turn=2C can add=
their findings and treatment recommendations directly to the patient=E2= =80=99s wallet=2C with a cryptographic signature verifying medical credent= ials. This process eliminates dangerous information gaps while ensuring th=
at patients maintain an appropriate role in who sees what about them and w= hy.

When a patient -- doctor relationship ends=2C the patient retains all r= ecords generated during that relationship -- unlike today=E2=80=99s system=
where changing providers often means losing access to one=E2=80=99s histo= rical records. The departing doctor=E2=80=99s signed contributions remain=
verifiable parts of the medical history=2C but they no longer have direct=
access to the patient=E2=80=99s wallet without explicit permission.

For insurance claims=2C patients can provide temporary=2C auditable acc=
ess to specific information needed for processing -- no more and no less.=
Insurance companies receive verified data directly relevant to claims but=
should not be expected to have uncontrolled hidden comprehensive profiles=
or retain information longer than safe under privacy regulations. This ap= proach dramatically reduces unauthorized data use=2C risk of breaches (pri= vacy and integrity)=2C and administrative costs.

Perhaps most transformatively=2C this architecture enables patients to=
selectively participate in medical research while maintaining privacy. Th=
ey could contribute anonymized or personalized data to studies matching th=
eir interests or conditions=2C with granular control over what information=
is shared and for how long. Researchers could gain access to larger=2C mo=
re diverse datasets while participants would maintain control over their i= nformation -- creating a proper ethical model for advancing medical knowle= dge.

The implications extend far beyond healthcare. In financial services=2C=
customers could maintain verified transaction histories and creditworthin=
ess credentials independently of credit bureaus. In education=2C students=
could collect verified credentials and portfolios that they truly own rat=
her than relying on institutions=E2=80=99 siloed records. In employment=2C=
workers could maintain portable professional histories with verified cred= entials from past employers. In each case=2C Solid enables individuals to=
be the masters of their own data while allowing verification and selectiv=
e sharing.

The economics of Web 2.0 pushed us toward centralized platforms and sur= veillance capitalism=2C but there has always been a better way. Solid brin=
gs different pieces together into a cohesive whole that enables the identi= ty-first architecture we should have had all along. The protocol doesn=E2= =80=99t just solve technical problems; it corrects the fundamental misalig= nment of incentives that has made the modern web increasingly hostile to b=
oth users and developers.

As we look to a future of increased digitization across all sectors of=
society=2C the need for this architectural shift becomes even more appare=
nt. Individuals should be able to maintain and present their own verified=
digital identity and history=2C rather than being at the mercy of siloed=
institutional databases. The Solid protocol makes this future technically=
possible.

This essay was written with Davi Ottenheimer=2C and originally appe= ared on <a href=3D"https://www.inrupt.com/blog/return-to-identity-first-ar= chitecture-how-solid-protocol-restores-digital-agency">The Inrupt Blog</a>= =2E

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg9"><a name=3D"cg9">S= ubliminal Learning in AIs</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/07/subliminal-le= arning-in-ais.html">[2025.07.25]</a> Today=E2=80=99s fre=
aky <a href=3D"https://alignment.anthropic.com/2025/subliminal-learning/">=
LLM behavior</a>:

<blockquote>We study subliminal learning=2C a surprising phenomenon whe=
re language models learn traits from model-generated data that is semantic= ally unrelated to those traits. For example=2C a =E2=80=9Cstudent=E2=80=9D=
model learns to prefer owls when trained on sequences of numbers generate=
d by a =E2=80=9Cteacher=E2=80=9D model that prefers owls. This same phenom= enon can transmit misalignment through data that appears completely benign=
=2E This effect only occurs when the teacher and student share the same base=
model.</blockquote>

Interesting security implications.

I am more convinced than ever that we need serious research into <a hre= f=3D"https://www.schneier.com/essays/archives/2025/06/the-age-of-integrity= =2Ehtml">AI integrity</a> if we are ever going to have <a href=3D"https://ww= w.schneier.com/essays/archives/2025/06/ai-and-trust-2.html">trustworthy AI= </a>.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg10"><a name=3D"cg10"= >Microsoft SharePoint Zero-Day</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/07/microsoft-sha= repoint-zero-day.html">[2025.07.28]</a> Chinese hackers=
are exploiting a high-severity vulnerability in Microsoft SharePoint to <=
a href=3D"https://arstechnica.com/security/2025/07/sharepoint-vulnerabilit= y-with-9-8-severity-rating-is-under-exploit-across-the-globe/">steal data<=

worldwide:

<blockquote>The vulnerability=2C tracked as CVE-2025-53770=2C carries a=
severity rating of 9.8 out of a possible 10. It gives unauthenticated rem=
ote access to SharePoint Servers exposed to the Internet. Starting Friday=
=2C researchers began warning of active exploitation of the vulnerability=
=2C which affects SharePoint Servers that infrastructure customers run in-= house. Microsoft=E2=80=99s cloud-hosted SharePoint Online and Microsoft 36=
5 are not affected.</blockquote>

<a href=3D"https://msrc.microsoft.com/blog/2025/07/customer-guidance-fo= r-sharepoint-vulnerability-cve-2025-53770/">Here=E2=80=99s</a> Microsoft o=
n patching instructions. Patching isn=E2=80=99t enough=2C as attackers hav=
e used the vulnerability to steal authentication credentials. It=E2=80=99s=
an absolute mess. CISA has <a href=3D"https://www.cisa.gov/news-events/al= erts/2025/07/20/update-microsoft-releases-guidance-exploitation-sharepoint= -vulnerabilities">more information</a>. <a href=3D"https://unit42.paloalto= networks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-5= 3770/">Also</a> <a href=3D"https://www.akamai.com/blog/security-research/s= harepoint-vulnerability-rce-active-exploitation-detections-mitigations">th= ese</a> <a href=3D"https://www.wired.com/story/microsoft-sharepoint-hack-c= hina-end-of-life-updates/">four</a> <a href=3D"https://thehackernews.com/2= 025/07/hackers-exploit-sharepoint-zero-day.html">links</a>. Two <a href=3D= "https://it.slashdot.org/story/25/07/21/1523207/microsoft-releases-emergen= cy-patches-for-actively-exploited-sharepoint-zero-days">Slashdot</a> <a hr= ef=3D"https://news.slashdot.org/story/25/07/23/1652240/us-nuclear-weapons-= agency-among-400-organizations-breached-by-chinese-hackers">threads</a>.</=

This is an unfolding security mess=2C and quite the hacking coup.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg11"><a name=3D"cg11"= >That Time Tom Lehrer Pranked the NSA</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/07/that-time-tom= -lehrer-pranked-the-nsa.html">[2025.07.28]</a> Bluesky <=
a href=3D"https://bsky.app/profile/opalescentopal.bsky.social/post/3luxxx2= 7nos23">thread</a>. Here=E2=80=99s the <a href=3D"https://media.defense.go= v/2021/Jul/14/2002762807/-1/-1/0/GAMBLERS-RUIN.PDF/GAMBLERS-RUIN.PDF">pape= r</a>=2C from 1957. Note reference 3.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg12"><a name=3D"cg12"= >Aeroflot Hacked</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/07/aeroflot-hack= ed.html">[2025.07.29]</a> <a href=3D"https://www.reuters= =2Ecom/en/pro-ukrainian-hackers-claim-massive-cyberattack-russias-aeroflot-2= 025-07-28/">Looks</a> <a href=3D"https://www.theguardian.com/business/2025= /jul/28/russia-aeroflot-cancels-flights-pro-ukraine-hackers-cyber-attack">= serious</a>.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg13"><a name=3D"cg13"= >Measuring the Attack/Defense Balance</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/07/measuring-the= -attack-defense-balance.html">[2025.07.30]</a> =E2=80=9C= Who=E2=80=99s winning on the internet=2C the attackers or the defenders?= =E2=80=9D

I=E2=80=99m asked this all the time=2C and I can only ever give a quali= tative hand-wavy answer. But Jason Healey and Tarang Jain=E2=80=99s lates=
t Lawfare piece has <a href=3D"https://www.lawfaremedia.org/article/are-cy= ber-defenders-winning">amassed data</a>.

The essay provides the first framework for metrics about how we are all=
doing collectively -- and not just how an individual network is doing. He= aley wrote to me in email:

<blockquote>The work rests on three key insights: (1) defenders need a=
framework (based in threat=2C vulnerability=2C and consequence) to catego= rize the flood of potentially relevant security metrics; (2) trends are wh=
at matter=2C not specifics; and (3) to start=2C we should avoid getting bo= gged down in collecting data and just use what=E2=80=99s already being rep= orted by amazing teams at Verizon=2C Cyentia=2C Mandiant=2C IBM=2C FBI=2C=
and so many others.

The surprising conclusion: there=E2=80=99s a long way to go=2C but we= =E2=80=99re doing better than we think. There are substantial improvements=
across threat operations=2C threat ecosystem and organizations=2C and sof= tware vulnerabilities. Unfortunately=2C we=E2=80=99re still not seeing inc= reases in consequence. And since cost imposition is leading to a survival-= of-the-fittest contest=2C we=E2=80=99re stuck with perhaps fewer but fierc=
er predators.</blockquote>

And this is just the start. From the report:

<blockquote>Our project is proceeding in three phases -- the initial fr= amework presented here is only phase one. In phase two=2C the goal is to c= reate a more complete catalog of indicators across threat=2C vulnerability=
=2C and consequence; encourage cybersecurity companies (and others with da=
ta) to report defensibility-relevant statistics in time-series=2C mapped t=
o the catalog; and drive improved analysis and reporting.</blockquote>

This is really good=2C and important=2C work.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg14"><a name=3D"cg14"= >Cheating on Quantum Computing Benchmarks</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/07/cheating-on-q= uantum-computing-benchmarks.html">[2025.07.31]</a> Peter=
Gutmann and Stephan Neuhaus have a <a href=3D"https://eprint.iacr.org/202= 5/1237.pdf">new paper</a> -- I think it=E2=80=99s new=2C even though it ha=
s a March 2025 date -- that makes the argument that we shouldn=E2=80=99t t= rust any of the quantum factorization benchmarks=2C because everyone has=
been cooking the books:

<blockquote>Similarly=2C quantum factorisation is performed using sleig= ht-of-hand numbers that have been selected to make them very easy to facto= rise using a physics experiment and=2C by extension=2C a VIC-20=2C an abac= us=2C and a dog. A standard technique is to ensure that the factors differ=
by only a few bits that can then be found using a simple search-based app= roach that has nothing to do with factorisation.... Note that such a value=
would never be encountered in the real world since the RSA key generation=
process typically requires that |p-q| > 100 or more bits [9]. As one ana= lysis puts it=2C =E2=80=9CInstead of waiting for the hardware to improve b=
y yet further orders of magnitude=2C researchers began inventing better an=
d better tricks for factoring numbers by exploiting their hidden structure= =E2=80=9D [10].

A second technique used in quantum factorisation is to use preprocessin=
g on a computer to transform the value being factorised into an entirely d= ifferent form or even a different problem to solve which is then amenable=
to being solved via a physics experiment...</blockquote>

Lots more in the paper=2C which is titled =E2=80=9CReplication of Quant=
um Factorisation Records with an 8-bit Home Computer=2C an Abacus=2C and a=
Dog.=E2=80=9D He points out the largest number that has been factored leg= itimately by a quantum computer is 35.

I hadn=E2=80=99t known these details=2C but I=E2=80=99m not surprised.=
I <a href=3D"https://www.schneier.com/essays/archives/2018/09/cryptograph= y_after_t.html">have</a> <a href=3D"https://www.schneier.com/blog/archives= /2019/10/factoring_2048.html">long</a> <a href=3D"https://www.schneier.com= /blog/archives/2024/01/quantum-computing-skeptics.html">said</a> that the=
engineering problems between now and a useful=2C working quantum computer=
are hard. And by =E2=80=9Chard=2C=E2=80=9D we don=E2=80=99t know if it=E2= =80=99s =E2=80=9Cland a person on the surface of the moon=E2=80=9D hard=2C=
or =E2=80=9Cland a person on the surface of the sun=E2=80=9D hard. They= =E2=80=99re both hard=2C but very different. And we=E2=80=99re going to hi=
t those engineering problems one by one=2C as we continue to develop the t= echnology. While I don=E2=80=99t think quantum computing is =E2=80=9Csurfa=
ce of the sun=E2=80=9D hard=2C I don=E2=80=99t expect them to be factoring=
RSA moduli anytime soon. And -- even there -- I expect lots of engineerin=
g challenges in making Shor=E2=80=99s Algorithm work on an actual quantum=
computer with large numbers.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg15"><a name=3D"cg15"= >Spying on People Through Airportr Luggage Delivery Service</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/08/spying-on-peo= ple-through-airportr-luggage-delivery-service.html">[2025.08.01]<= /strong></a> Airportr is a service that allows passengers to have their lu= ggage picked up=2C checked=2C and delivered to their destinations. As you=
might expect=2C it=E2=80=99s used by wealthy or important people. So if t=
he company=E2=80=99s website is <a href=3D"https://www.wired.com/story/lug= gage-service-web-bugs-exposed-travel-plans-users-diplomats-airportr/">inse= cure</a>=2C you=E2=80=99d be able to spy on lots of wealthy or important p= eople. And maybe even steal their luggage.

<blockquote>Researchers at the firm CyberX9 found that simple bugs in A= irportr=E2=80=99s website allowed them to access virtually all of those us= ers=E2=80=99 personal information=2C including travel plans=2C or even gai=
n administrator privileges that would have allowed a hacker to redirect or=
steal luggage in transit. Among even the small sample of user data that t=
he researchers reviewed and shared with WIRED they found what appear to be=
the personal information and travel records of multiple government offici=
als and diplomats from the UK=2C Switzerland=2C and the US.

=E2=80=9CAnyone would have been able to gain or might have gained absol=
ute super-admin access to all the operations and data of this company=2C= =E2=80=9D says Himanshu Pathak=2C CyberX9=E2=80=99s founder and CEO. =E2= =80=9CThe vulnerabilities resulted in complete confidential private inform= ation exposure of all airline customers in all countries who used the serv=
ice of this company=2C including full control over all the bookings and ba= ggage. Because once you are the super-admin of their most sensitive system= s=2C you have have [sic] the ability to do anything.=E2=80=9D</blockq= uote>

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg16"><a name=3D"cg16"= >First Sentencing in Scheme to Help North Koreans Infiltrate US Companies<= /a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/08/first-sentenc= ing-in-scheme-to-help-north-koreans-infiltrate-us-companies.html">= [2025.08.04]</a> An Arizona woman was <a href=3D"https://www.jus= tice.gov/opa/pr/arizona-woman-sentenced-17m-information-technology-worker-= fraud-scheme-generated-revenue">sentenced</a> to eight-and-a-half years in=
prison for her role helping North Korean workers infiltrate US companies=
by pretending to be US workers.

From an <a href=3D"https://www.bleepingcomputer.com/news/security/us-wo= man-sentenced-to-8-years-in-prison-for-running-laptop-farm-helping-north-k= oreans-infiltrate-300-firms/">article</a>:

<blockquote>According to <a href=3D"https://www.justice.gov/usao-dc/med= ia/1352191/dl">court documents</a>=2C Chapman hosted the North Korean IT w= orkers=E2=80=99 computers in her own home between October 2020 and October=
2023=2C creating a so-called =E2=80=9Claptop farm=E2=80=9D which was used=
to make it appear as though the devices were located in the United States= =2E

The North Koreans were hired as remote software and application develop=
ers with multiple Fortune 500 companies=2C including an aerospace and defe=
nse company=2C a major television network=2C a Silicon Valley technology c= ompany=2C and a high-profile company.

As a result of this scheme=2C they collected over $17 million in illici=
t revenue paid for their work=2C which was shared with Chapman=2C who proc= essed their paychecks through her financial accounts.

=E2=80=9CChapman operated a =E2=80=98laptop farm=E2=80=99 where she rec= eived and hosted computers from the U.S. companies her home=2C so that the=
companies would believe the workers were in the United States=2C=E2=80=9D=
the Justice Department <a href=3D"https://www.justice.gov/usao-dc/pr/ariz= ona-woman-sentenced-17m-it-worker-fraud-scheme-illegally-generated-revenue= -north">said</a> on Thursday.

=E2=80=9CChapman also shipped 49 laptops and other devices supplied by=
U.S. companies to locations overseas=2C including multiple shipments to a=
city in China on the border with North Korea. More than 90 laptops were s= eized from Chapman=E2=80=99s home following the execution of a search warr=
ant in October 2023.=E2=80=9D</blockquote>

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg17"><a name=3D"cg17"= >Surveilling Your Children with AirTags</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/08/surveilling-y= our-children-with-airtags.html">[2025.08.05]</a> Skecher=
s is making a line of kid=E2=80=99s shoes with a <a href=3D"https://techcr= unch.com/2025/07/30/skechers-is-making-kids-shoes-with-a-hidden-airtag-com= partment/">hidden compartment</a> for an AirTag.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg18"><a name=3D"cg18"= >The Semiconductor Industry and Regulatory Compliance</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/08/its-time-for-= the-semiconductor-industry-to-step-up.html">[2025.08.06]=
</a> Earlier this week=2C<a href=3D"https://www.ft.com/content/a13ba438-3b=
43-46dd-b332-4b81b3644da0"> the Trump administration</a> narrowed <a href= =3D"https://nationalinterest.org/blog/techland/export-controls-arent-enoug= h-to-beat-chinas-ai">export controls</a> on advanced semiconductors ahead=
of US-China trade negotiations. The administration is increasingly relyin=
g on export licenses to allow American semiconductor firms to sell their p= roducts to Chinese customers=2C while keeping the most powerful of them ou=
t of the hands of our military adversaries. These are the chips that power=
the artificial intelligence research fueling China=E2=80=99s technologica=
l rise=2C as well as the advanced military equipment underpinning Russia= =E2=80=99s invasion of Ukraine.

The US government relies on private-sector firms to implement those <a=
href=3D"https://nationalinterest.org/blog/techland/digital-borders-biden-= administrations-final-ai-rule-214416">export controls</a>. It=E2=80=99s no=
t working. US-manufactured semiconductors have been<a href=3D"https://www.= hsgac.senate.gov/wp-content/uploads/09.10.2024-Majority-Staff-Report-The-U= =2ES.-Technology-Fueling-Russias-War-in-Ukraine.pdf"> found in Russian weapo= ns</a>. And China is<a href=3D"https://www.wsj.com/tech/the-underground-ne= twork-sneaking-nvidia-chips-into-china-f733aaa6"> skirting American export=
controls</a> to accelerate AI research and development=2C with<a href=3D"= https://media.defense.gov/2024/Dec/18/2003615520/-1/-1/0/MILITARY-AND-SECU= RITY-DEVELOPMENTS-INVOLVING-THE-PEOPLES-REPUBLIC-OF-CHINA-2024.PDF"> the e= xplicit goal of enhancing its military capabilities</a>.

American semiconductor firms are unwilling or unable to restrict the fl=
ow of semiconductors. Instead of investing in effective compliance mechani= sms=2C these firms have consistently prioritized their bottom lines -- a r= ational decision=2C given the fundamentally risky nature of the semiconduc=
tor industry.

We can=E2=80=99t afford to wait for semiconductor firms to catch up gra= dually. To create a robust regulatory environment in the semiconductor ind= ustry=2C both the US government and chip companies must take clear and dec= isive actions today and consistently over time.

Consider the <a href=3D"https://nationalinterest.org/feature/how-capita= l-markets-can-revive-the-defense-industrial-base">financial services indus= try</a>. Those companies are also heavily regulated=2C implementing US gov= ernment regulations ranging from international sanctions to anti-money lau= ndering. For decades=2C these companies have invested heavily in complianc=
e technology. Large banks maintain teams of compliance employees=2C often<=
a href=3D"https://www.reuters.com/business/finance/key-citis-regulatory-wo= es-staff-need-skills-enhancement-2024-10-15/"> numbering in the thousands<= /a>.

The companies understand that by entering the financial services indust= ry=2C<a href=3D"https://news.bloomberglaw.com/mergers-and-acquisitions/mat= t-levines-money-stuff-td-was-convenient-for-criminals"> they assume the re= sponsibility</a> to verify their customers=E2=80=99 identities and activit= ies=2C refuse services to those engaged in criminal activity=2C and report=
certain activities to the authorities.<a href=3D"https://www.bruegel.org/= system/files/2024-05/WP%2010%202024_1.pdf"> They take these obligations se= riously</a> because they know they will face massive fines when they fail.=
Across the financial sector=2C the Securities and Exchange Commission imp= osed <a href=3D"https://www.sec.gov/newsroom/press-releases/2022-206">a wh= opping $6.4 billion in penalties</a> in 2022. For example=2C TD Bank recen=
tly paid almost <a href=3D"https://www.justice.gov/opa/pr/td-bank-pleads-g= uilty-bank-secrecy-act-and-money-laundering-conspiracy-violations-18b">$2=
billion in penalties</a> because of its ineffective anti-money laundering=
efforts

An<a href=3D"https://www.federalregister.gov/documents/2025/01/15/2025-= 00636/framework-for-artificial-intelligence-diffusion"> executive order</a=

issued earlier this year applied a similar regulatory model to potential=

=E2=80=9Cknow your customer=E2=80=9D obligations for certain cloud servic=
e providers.

If Trump=E2=80=99s new license-focused export controls are to be effect= ive=2C the administration must increase the penalties for noncompliance. T=
he Commerce Department=E2=80=99s Bureau of Industry and Security (BIS) nee=
ds to more aggressively enforce its regulations by sharply increasing pena= lties for export control violations.

BIS has been working to improve enforcement=2C as evidenced by this wee= k=E2=80=99s news of a<a href=3D"https://www.bis.gov/press-release/cadence-= design-systems-pay-95-million-penalty-bis-unauthorized-exports-chinese-ent= ities-tied-development"> $95 million penalty</a> against Cadence Design Sy= stems for violating export controls on its chip design technology. Unfortu= nately=2C BIS<a href=3D"https://www.hsgac.senate.gov/wp-content/uploads/Th= e-U.S.-Technology-Fueling-Russias-War-in-Ukraine-Examing-BISs-Enforcement-= of-Semiconductor-Export-Controls.pdf"> lacks the people=2C technology=2C a=
nd funding</a> to enforce these controls across the board.

The Trump administration should also use its bully pulpit=2C publicly n= aming companies that break the rules and encouraging American firms and co= nsumers to do business elsewhere. Regulatory threats and bad publicity are=
the only ways to force the semiconductor industry to take export control=
regulations seriously and invest in compliance.

With those threats in place=2C American semiconductor firms must accept=
their obligation to comply with regulations and cooperate. They need to i= nvest in strengthening their compliance teams and conduct proactive audits=
of their subsidiaries=2C their customers=2C and their customers=E2=80=99=
customers.

Firms should elevate risk and compliance voices onto their executive le= adership teams=2C similar to the chief risk officer role found in banks. S= enior leaders need to devote their time to regular progress reviews focuse=
d on meaningful=2C proactive compliance with export controls and other cri= tical regulations=2C thereby leading their organizations to make complianc=
e a priority.

As the world becomes increasingly dangerous and America=E2=80=99s adver= saries become more emboldened=2C we need to maintain stronger control over=
our supply of critical semiconductors. If Russia and China are allowed un= fettered access to advanced American chips for their <a href=3D"https://na= tionalinterest.org/blog/techland/jd-vance-unveils-americas-ai-doctrine">AI=
efforts</a> and military equipment=2C we risk losing the military advanta=
ge and our ability to deter conflicts worldwide. The geopolitical importan=
ce of semiconductors will only increase as the world becomes more dangerou=
s and more reliant on advanced technologies -- American security depends o=
n limiting their flow.

This essay was written with Andrew Kidd and Celine Lee=2C and origi= nally appeared in <a href=3D"https://nationalinterest.org/blog/techland/it= s-time-for-the-semiconductor-industry-to-step-up">The National Interest</a= >.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg19"><a name=3D"cg19"= >China Accuses Nvidia of Putting Backdoors into Their Chips</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/08/china-accuses= -nvidia-of-putting-backdoors-into-their-chips.html">[2025.08.07]<= /strong></a> The government of China has accused Nvidia of inserting a <a=
href=3D"https://arstechnica.com/gadgets/2025/07/china-claims-nvidia-built= -backdoor-into-h20-chip-designed-for-chinese-market/">backdoor</a> into th=
eir H20 chips:

<blockquote>China=E2=80=99s cyber regulator on Thursday said it had hel=
d a meeting with Nvidia over what it called =E2=80=9Cserious security issu= es=E2=80=9D with the company=E2=80=99s artificial intelligence chips. It s=
aid US AI experts had =E2=80=9Crevealed that Nvidia=E2=80=99s computing ch=
ips have location tracking and can remotely shut down the technology.=E2= =80=9D</blockquote>

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg20"><a name=3D"cg20"= >Google Project Zero Changes Its Disclosure Policy</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/08/google-projec= t-zero-changes-its-disclosure-policy.html">[2025.08.08]<=

Google=E2=80=99s vulnerability finding team is again <a href=3D"https:=

//www.infosecurity-magazine.com/news/google-report-new-vulnerabilities/">p= ushing the envelope</a> of responsible disclosure:

<blockquote>Google=E2=80=99s Project Zero team will retain its existing=
90+30 policy regarding vulnerability disclosures=2C in which it provides=
vendors with 90 days before full disclosure takes place=2C with a 30-day=
period allowed for patch adoption if the bug is fixed before the deadline= =2E

However=2C as of July 29=2C Project Zero will also release limited deta=
ils about any discovery they make within one week of vendor disclosure. Th=
is information will encompass:

<ul><li>The vendor or open-source project that received the report

</li><li>The affected product

</li><li>The date the report was filed and when the 90-day disclosure dead= line expires </li></ul></blockquote>

I have mixed feelings about this. On the one hand=2C I like that it put=
s more pressure on vendors to patch quickly. On the other hand=2C if no in= dication is provided regarding how severe a vulnerability is=2C it could e= asily cause unnecessary panic.

The problem is that Google is not a neutral vulnerability hunting party=
=2E To the extent that it finds=2C publishes=2C and reduces confidence in co= mpetitors=E2=80=99 products=2C Google benefits as a company.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg21"><a name=3D"cg21"= >Automatic License Plate Readers Are Coming to Schools</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/08/automatic-lic= ense-plate-readers-are-coming-to-schools.html">[2025.08.11]</stro= ng></a> Fears around children is opening up a <a href=3D"https://therecord= =2Emedia/flock-safety-raptor-technologies-schools-surveillance">new market</=

for automatic license place readers.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg22"><a name=3D"cg22"= >The "Incriminating Video" Scam</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/08/the-incrimina= ting-video-scam.html">[2025.08.12]</a> A few years ago=
=2C scammers invented a new phishing email. They would claim to have hacke=
d your computer=2C turned your webcam on=2C and videoed you watching porn=
or having sex. BuzzFeed has an <a href=3D"https://www.buzzfeed.com/poojas= hah1/new-email-scam-house-address-sc">article</a> talking about a =E2=80= =9Cshockingly realistic=E2=80=9D variant=2C which includes photos of you a=
nd your house -- more specific information.

The article contains =E2=80=9Csteps you can take to figure out if it=E2= =80=99s a scam=2C=E2=80=9D but omits the first and most fundamental piece=
of advice: If the hacker had incriminating video about you=2C they would=
show you a clip. Just a taste=2C not the worst bits so you had to worry a= bout how bad it could be=2C but something. If the hacker doesn=E2=80=99t s=
how you any video=2C they don=E2=80=99t have any video. Everything else is=
window dressing.

I remember when this scam was first invented. I calmed several people w=
ho were legitimately worried with that one fact.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg23"><a name=3D"cg23"= >SIGINT During World War II</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/08/sigint-during= -world-war-ii.html">[2025.08.13]</a> The NSA and GCHQ ha=
ve jointly published a history of World War II SIGINT: =E2=80=9C<a href=3D= "https://media.defense.gov/2025/Jul/25/2003761271/-1/-1/0/SECRET_MESSENGER= S.PDF">Secret Messengers: Disseminating SIGINT in the Second World War</a>= =2E=E2=80=9D This is the story of the British SLUs (Special Liaison Units) a= nd the American SSOs (Special Security Officers).

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg24"><a name=3D"cg24"=

AI Applications in Cybersecurity</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/08/ai-applicatio= ns-in-cybersecurity.html">[2025.08.13]</a> There is a re=
ally great series of online events highlighting cool uses of AI in cyberse= curity=2C titled Prompt||GTFO. Videos from the <a href=3D"https://www.yout= ube.com/playlist?list=3DPLXz1MhBqAGJx3HHWtw-qIhHH7JvGpcimw">first</a> <a h= ref=3D"https://www.youtube.com/playlist?list=3DPLXz1MhBqAGJwNk8RkjfJ03G8E1= N3OAKtV">three</a> <a href=3D"https://www.youtube.com/playlist?list=3DPLXz= 1MhBqAGJzZBwp9ivB58N4XZtcBkbpP">events</a> are online. And <a href=3D"http= s://forms.gle/5Q4EbV3FGUhKrUFJA">here=E2=80=99s</a> where to register to a= ttend=2C or participate=2C in the fourth.

Some really great stuff here.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg25"><a name=3D"cg25"= >LLM Coding Integrity Breach</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2025/08/llm-coding-in= tegrity-breach.html">[2025.08.14]</a> <a href=3D"https:/= /sketch.dev/blog/our-first-outage-from-llm-written-code">Here=E2=80=99s</a=

an interesting story about a failure being introduced by LLM-written cod=

e. Specifically=2C the LLM was doing some code refactoring=2C and when it=
moved a chunk of code from one file to another it changed a =E2=80=9Cbrea= k=E2=80=9D to a =E2=80=9Ccontinue.=E2=80=9D That turned an error logging s= tatement into an infinite loop=2C which crashed the system.

This is an <a href=3D"https://www.computer.org/csdl/magazine/sp/2025/03= /11038984/27COaJtjDOM">integrity failure</a>. Specifically=2C it=E2=80=99s=
a failure of processing integrity. And while we can think of particular p= atches that alleviate this exact failure=2C the larger problem is much har=
der to solve.

Davi Ottenheimer <a href=3D"https://www.flyingpenguin.com/?p=3D71603">c= omments</a>.

** *** ***** ******* *********** *************<=

Since 1998=2C CRYPTO-GRAM has been a free monthly newsletter providing=
summaries=2C analyses=2C insights=2C and commentaries on security technol= ogy. To subscribe=2C or to read back issues=2C see <a href=3D"https://www.= schneier.com/crypto-gram/">Crypto-Gram's web page</a>.

You can also read these articles on my blog=2C <a href=3D"https://www.s= chneier.com">Schneier on Security</a>.

Please feel free to forward CRYPTO-GRAM=2C in whole or in part=2C to co= lleagues and friends who will find it valuable. Permission is also granted=
to reprint CRYPTO-GRAM=2C as long as it is reprinted in its entirety.

Bruce Schneier is an internationally=
renowned security technologist=2C called a security guru by the <cite sty= le=3D"font-style:normal">Economist</cite>. He is the author of over one do=
zen books -- including his latest=2C <a href=3D"https://www.schneier.com/b= ooks/a-hackers-mind/"><cite style=3D"font-style:normal">A Hacker=E2=80=99s=
Mind</cite></a> -- as well as hundreds of articles=2C essays=2C and acade=
mic papers. His newsletter and blog are read by over 250=2C000 people. Sch= neier is a fellow at the Berkman Klein Center for Internet & Society at Ha= rvard University; a Lecturer in Public Policy at the Harvard Kennedy Schoo=
l; a board member of the Electronic Frontier Foundation=2C AccessNow=2C an=
d the Tor Project; and an Advisory Board Member of the Electronic Privacy=
Information Center and VerifiedVoting.org. He is the Chief of Security Ar= chitecture at Inrupt=2C Inc.

Copyright © 2025 by Bruce Schneier.

** *** ***** ******* *********** *************<=

Mailing list hosting graciously provided by <a href=3D"https://mailchim= p.com/">MailChimp</a>. Sent without web bugs or link tracking.
This email was sent to: cryptogram@toolazy.synchro.net
 You are receiving this email because you subscribed to the Crypto-= Gram newsletter.

<a style=3D"display:inline-block" href=3D"https://schneier.us18.list-ma= nage.com/unsubscribe?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&t=3Db&e= =3D70f249ec14&c=3D79ea0a4e97">unsubscribe from this list</a>  &nbs= p; <a style=3D"display:inline-block" href=3D"https://schneier.us18.li= st-manage.com/profile?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&e=3D70f249ec14&c=3D79ea0a4e97">update subscription preferences</a>
 Bruce Schneier · Harvard Kennedy School · 1 Brattle Squa=
re · Cambridge=2C MA 02138 · USA

</body></html>
--_----------=_MCPart_1857184867--

Who's Online

System Info

CRYPTO-GRAM, August 15, 2025