• CRYPTO-GRAM, November 15, 2024 Part 1

    From Sean Rima@618:500/14.1 to All on Fri Nov 15 16:13:34 2024


    Crypto-Gram November 15, 2024

    by Bruce Schneier Fellow and Lecturer, Harvard Kennedy School schneier@schneier.com https://www.schneier.com

    A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

    For back issues, or to subscribe, visit Crypto-Gram's web page.

    Read this issue on the web

    These same essays and news items appear in the Schneier on Security blog,
    along with a lively and intelligent comment section. An RSS feed is
    available.

    ** *** ***** ******* *********** ************* In this issue:

    If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.

    More Details on Israel Sabotaging Hezbollah Pagers and Walkie-Talkies
    Cheating at Conkers Justice Department Indicts Tech CEO for Falsifying
    Security Certifications AI and the SEC Whistleblower Program No, the
    Chinese Have Not Broken Modern Encryption Systems with a Quantum
    Computer Are Automatic License Plate Scanners Constitutional?
    Watermark for LLM-Generated Text Criminals Are Blowing up ATMs in
    Germany Law Enforcement Deanonymizes Tor Users Simson Garfinkel on
    Spooky Cryptographic Action at a Distance Tracking World Leaders Using
    Strava Roger Grimes on Prioritizing Cybersecurity Advice Sophos Versus
    the Chinese Hackers AIs Discovering Vulnerabilities IoT Devices in
    Password-Spraying Botnet Subverting LLM Coders Prompt Injection
    Defenses Against LLM Cyberattacks AI Industry is Trying to Subvert the
    Definition of “Open Source AI” Criminals Exploiting FBI Emergency Data
    Requests Mapping License Plate Scanners in the US New iOS Security
    Feature Makes It Harder for Police to Unlock Seized Phones

    ** *** ***** ******* *********** ************* More Details on Israel Sabotaging Hezbollah Pagers and Walkie-Talkies

    [2024.10.15] The Washington Post has a long and detailed story about the operation that’s well worth reading (alternate version here).

    The sales pitch came from a marketing official trusted by Hezbollah
    with links to Apollo. The marketing official, a woman whose identity
    and nationality officials declined to reveal, was a former Middle East
    sales representative for the Taiwanese firm who had established her own
    company and acquired a license to sell a line of pagers that bore the
    Apollo brand. Sometime in 2023, she offered Hezbollah a deal on one of
    the products her firm sold: the rugged and reliable AR924.

    “She was the one in touch with Hezbollah, and explained to them why the
    bigger pager with the larger battery was better than the original
    model,” said an Israeli official briefed on details of the operation.
    One of the main selling points about the AR924 was that it was
    “possible to charge with a cable. And the batteries were longer
    lasting,” the official said.

    As it turned out, the actual production of the devices was outsourced
    and the marketing official had no knowledge of the operation and was
    unaware that the pagers were physically assembled in Israel under
    Mossad oversight, officials said. Mossad’s pagers, each weighing less
    than three ounces, included a unique feature: a battery pack that
    concealed a tiny amount of a powerful explosive, according to the
    officials familiar with the plot.

    In a feat of engineering, the bomb component was so carefully hidden as
    to be virtually undetectable, even if the device was taken apart, the
    officials said. Israeli officials believe that Hezbollah did
    disassemble some of the pagers and may have even X-rayed them.

    Also invisible was Mossad’s remote access to the devices. An electronic
    signal from the intelligence service could trigger the explosion of
    thousands of the devices at once. But, to ensure maximum damage, the
    blast could also be triggered by a special two-step procedure required
    for viewing secure messages that had been encrypted.

    “You had to push two buttons to read the message,” an official said. In
    practice, that meant using both hands.

    Also read Bunnie Huang’s essay on what it means to live in a world where people can turn IoT devices into bombs. His conclusion:

    Not all things that could exist should exist, and some ideas are better
    left unimplemented. Technology alone has no ethics: the difference
    between a patch and an exploit is the method in which a technology is
    disclosed. Exploding batteries have probably been conceived of and
    tested by spy agencies around the world, but never deployed en masse
    because while it may achieve a tactical win, it is too easy for weaker
    adversaries to copy the idea and justify its re-deployment in an
    asymmetric and devastating retaliation.

    However, now that I’ve seen it executed, I am left with the terrifying
    realization that not only is it feasible, it’s relatively easy for any
    modestly-funded entity to implement. Not just our allies can do this --
    a wide cast of adversaries have this capability in their reach, from
    nation-states to cartels and gangs, to shady copycat battery factories
    just looking for a big payday (if chemical suppliers can moonlight in
    illicit drugs, what stops battery factories from dealing in bespoke
    munitions?). Bottom line is: we should approach the public policy
    debate around this assuming that someday, we could be victims of
    exploding batteries, too. Turning everyday objects into fragmentation
    grenades should be a crime, as it blurs the line between civilian and
    military technologies.

    I fear that if we do not universally and swiftly condemn the practice
    of turning everyday gadgets into bombs, we risk legitimizing a military
    technology that can literally bring the front line of every conflict
    into your pocket, purse or home.

    ** *** ***** ******* *********** ************* Cheating at Conkers

    [2024.10.16] The men’s world conkers champion is accused of cheating with a steel chestnut.

    ** *** ***** ******* *********** ************* Justice Department Indicts
    Tech CEO for Falsifying Security Certifications

    ---
    * Origin: High Portable Tosser at my node (618:500/14.1)