惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

酷 壳 – CoolShell
酷 壳 – CoolShell
aimingoo的专栏
aimingoo的专栏
Microsoft Security Blog
Microsoft Security Blog
NISL@THU
NISL@THU
T
Threatpost
T
The Exploit Database - CXSecurity.com
T
Threat Research - Cisco Blogs
S
Securelist
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
人人都是产品经理
人人都是产品经理
B
Blog RSS Feed
S
Secure Thoughts
MyScale Blog
MyScale Blog
O
OpenAI News
P
Palo Alto Networks Blog
美团技术团队
C
Cyber Attacks, Cyber Crime and Cyber Security
TaoSecurity Blog
TaoSecurity Blog
量子位
L
Lohrmann on Cybersecurity
G
GRAHAM CLULEY
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
T
Tailwind CSS Blog
Know Your Adversary
Know Your Adversary
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Simon Willison's Weblog
Simon Willison's Weblog
宝玉的分享
宝玉的分享
PCI Perspectives
PCI Perspectives
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
Cybersecurity and Infrastructure Security Agency CISA
T
Tenable Blog
I
InfoQ
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Microsoft Azure Blog
Microsoft Azure Blog
Recent Announcements
Recent Announcements
S
Security @ Cisco Blogs
S
Schneier on Security
B
Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
The Cloudflare Blog
AWS News Blog
AWS News Blog
IT之家
IT之家
V
Vulnerabilities – Threatpost
The Hacker News
The Hacker News
H
Heimdal Security Blog
I
Intezer
A
Arctic Wolf
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
H
Help Net Security
W
WeLiveSecurity

Schneier on Security

A Video Screen That Is Also a Camera - Schneier on Security Upcoming Speaking Engagements - Schneier on Security Vulnerability in FIFA's Network - Schneier on Security AI Data Centers and the Concentration of Wealth - Schneier on Security Friday Squid Blogging: "Squidbleed" Vulnerability - Schneier on Security AI Surveillance and Social Progress - Schneier on Security The Language of AI Could Change How Humans Speak - Schneier on Security Cybersecurity and the Gap Between Skill and Ability - Schneier on Security Google Is Suing Chinese Scammers Who Are Using Gemini - Schneier on Security France to Stop Certifying Non-Quantum-Safe Encryption - Schneier on Security Flock Cameras Can Surveil Cars Without License Plates - Schneier on Security Cybersecurity Mission Creep in the US - Schneier on Security Papa Johns Surveillance-Based Advertising - Schneier on Security The Realities of AI Video Surveillance - Schneier on Security Factoring RSA Keys with Many Zeros - Schneier on Security Robot Police Officers - Schneier on Security The Chinese Control the Majority of Argentina's Squid Fleet - Schneier on Security Meta Is Testing Facial Recognition for Police and Military - Schneier on Security One Million Passports Leaked Online - Schneier on Security AI and Liability - Schneier on Security Interesting Paper Exploring Prompt Injection - Schneier on Security Embedding Forbidden Text in Spyware to Discourage AI Analysis - Schneier on Security Anthropic's Fable 5 Model Jailbroken Within Days - Schneier on Security Professional Athletes and Wearables - Schneier on Security Friday Squid Blogging: Victims of Unregulated Squid Fishing - Schneier on Security Anthropic's Fable and the State of AI - Schneier on Security Embedding Forbidden Text in Spyware to Discourage AI Analysis - Schneier on Security AI Use by the US Government - Schneier on Security Flock Cameras Are Being Used for Stalking - Schneier on Security The FCC Wants to Eliminate Burner Phones - Schneier on Security Upcoming Speaking Engagements - Schneier on Security Friday Squid Blogging: Squid-Inspired Fluid Pump Bernie Sanders’ AI Sovereign Wealth Fund Plan Enhanced License Plate Tracking NSO Group Hacking WhatsApp Despite Court Order GPS As a Key Distribution Platform - Schneier on Security Critical Zcash Vulnerability Found and Fixed Anthropic’s Project Glasswing Update AI Worm - Schneier on Security Hacking Meta's AI Chatbot - Schneier on Security AI Used to Decrypt Medieval Ciphers The Intersection of Encryption and AI Microsoft Threatening Security Researcher Vulnerability Disclosure in the Age of AI Friday Squid Blogging: Another Squid Chilling Effects FBI’s 2025 Internet Crime Report Identifying People Using Wi-Fi Routers Friday Squid Blogging: Regulating Squid Fishing in the South Pacific CISA Security Leak macOS Kernel Memory Corruption Exploit On AI Security Laurie Anderson Is Quoting Me Zero-Day Exploit Against Windows BitLocker Friday Squid Blogging: Bigfin Squid Bypassing On-Camera Age-Verification Checks OpenAI’s GPT-5.5 is as Good as Mythos at Finding Security Vulnerabilities Copy.Fail Linux Vulnerability LLMs and Text-in-Text Steganography Friday Squid Blogging: Giant Squid Live in the Waters of Western Australia Insider Betting on Polymarket Smart Glasses for the Authorities Rowhammer Attack Against NVIDIA Chips DarkSword Malware Hacking Polymarket A Ransomware Negotiator Was Working for a Ransomware Gang Fast16 Malware Claude Mythos Has Found 271 Zero-Days in Firefox What Anthropic’s Mythos Means for the Future of Cybersecurity Medieval Encrypted Letter Decoded Friday Squid Blogging: How Squid Survived Extinction Events Hiding Bluetooth Trackers in Mail FBI Extracts Deleted Signal Messages from iPhone Notification Database Mexican Surveillance Company - Schneier on Security Is “Satoshi Nakamoto” Really Adam Back? Friday Squid Blogging: New Giant Squid Video Mythos and Cybersecurity Human Trust of AI Agents Defense in Depth, Medieval Style
ICE Uses Graphite Spyware - Schneier on Security
Bruce Schneier · 2026-04-22 · via Schneier on Security

Comments

Rontea April 22, 2026 9:20 AM

Surveillance technology like zero-click tools such as Graphite is moving faster than our laws.

Clive Robinson April 22, 2026 10:46 AM

@ Bruce, ALL,

You just know it’s a honking great pile of “horse apples” when you read,

“ICE’s Homeland Security Investigations (HSI) is using various tools as part of its mission to disrupt and dismantle foreign terrorist organizations, “particularly those involved in the trafficking of fentanyl.””

This linking “terrorist organizations” with “trafficking fentanyl” is just the new,

“Think of the children”

Nonsense to “knee jerk people into cognitive bias”.

When you realise this you start to think about what the real purpose is …

So leaving your smart phone / tablet at home, and taking the dumbest “oldies brick” instead makes a lot of sense.

Also get “encryption/decryption” of of your smart devices the move to “client side scanning” should tell you this is a very very bad idea.

As I keep mentioning you need to go “off comms device” via a properly gapped method…

Thus ensure that,

1, The attackers can not see the user interface in any way.
2, The “security end point” is well clear of the communications end point.
3, Traffic flow is fully segregated and mandated.

Further I advise the use of “deniable encryption” that is also proof to betrayal by the second party to any third party.

Sadly such systems need more KeyMat than total message lengths envisioned so you can get “Shannon Perfect Secrecy” as a base step.

K.S April 22, 2026 12:41 PM

@Clive Robinson

Your advice is incomprehensible to anyone that would benefit from it. That is, you are preaching to the choir instead of helping people.

Clive Robinson April 22, 2026 8:27 PM

@ K.S.

With regards,

“you are preaching to the choir instead of helping people.”

Actually not true.

I have repeatedly posted to this blog how to go about doing it with just a pencil paper and a match.

But how many times do you think I should keep on saying it and getting complaints for doing so?

Come on come up with a number so every one can have an argument about it with you, it is what you are obviously after.

To disrupt this blog and basically attack our host.

What makes you so petty? So small minded? And well need I go on about your clear failings?

Clive Robinson April 22, 2026 10:01 PM

@ Rontea,

With regards,

“Surveillance technology like zero-click tools such as Graphite is moving faster than our laws.”

It’s not just our “laws” / legislation / regulation, it’s actually a “mindset” that is at fault.

Every change in technology no matter how seemingly small is going to effect society to some extent.

Whilst the technology is usually “agnostic to use” the ideas in the “directing mind” that puts the technology into play, how and to what extent are very much the opposite.

That is we have to act first as observers and think through as many of the pro points and con points as possible and importantly who benefits from them either way and how.

We also have to realise that sometimes the intent will find an outlet.

If you have a gun you can shoot, if you have a knife you can stab, if you have a bat you can bash, if you have something toxic you can poison and so on.

The intent is to harm/kill another individual the means does not matter only the desired outcome of the directing mind. To stop the crime you have to stop the mind.

Preventing access to a tool will not stop a mind, just make the intent marginally more difficult and actually considerably harder to prosecute in many cases.

But preventing access to a tool has downsides that can be rather more deadly in the long term.

In the UK politicians are trying to solve “knife crime” rather than the actual “crime”. So they want to ban knives in all shapes and forms.

Primarily knives are tools and are used in all sorts of trades, activities, and every day living. Not least of which being that knives save more lives than they take… though you rarely get to hear about “saved” rather than “taken”.

This highly biased reporting is due to the Press and the old “If it bleeds it leads” titillating / gossip / vengeance / hate / racism etc nonsense they quite deliberately “stir up”[1]. Which as a result causes significant further harm.

I used to carry a “Swiss Army Knife” on the key ring I carried on my belt. All quite legal and it had enabled me to make many simple repairs and similar many times for many people, as well as saving my own life in an accident at least once. However under “political pressure” from knee jerk politicians the quite legal knife became a “Police Harassment Target” for not legal “Stop and searches”, along with on one occasion the unfounded accusation of “going equipped to commit a crime” which is a charge that requires absolutely no factual evidence what so ever just the highly biased “opinion”[2] of the police officer making it up…

[1] It appears that this is currently happening in a “Market Town” in the UK south south west of London in the County of Surrey called “Epsom”. Where there are “protests” happening over something Surrey Police are investigating that if “the alleged crime” happened, might have had a racial component, of a type that currently causes tensions to be inflamed in the UK. With the result that two protests have caused significant issues,

https://www.bbc.co.uk/news/articles/clyxp4q5k93o

The reasons the police have said little is due to the nature of the UK Judicial Process and laws protecting all those involved, which are explained in,

‘https://www.getsurrey.co.uk/news/surrey-news/epsom-rape-investigation-protests-what-33808683

Unfortunately some have chosen to “stir it up” for various reasons, with the result that “vigilante crime is rising up”…

[2] The crime pf “Going equipped” is an offence defined by section 25 of the Theft Act 1968 and can result in three years detention. And it has three components,

1, You were not at your home (or place of work).
2, You had a tool or other article in / under your possession.
3, That the tool –in the officers opinion– was intended for use in the course of a burglary or theft –that in the officers opinion– you might have been going to carry out.

Under UK law you as the defendant are not allowed to call the officer’s opinion/motives into question at trial (see “gateway proceedings” brought in by Tony Blair PM and his “flat mate” Lord Faulkner to “up the conviction rate and lower the cost of running UK courts). Starting with,

https://www.cps.gov.uk/prosecution-guidance/hearsay

lurker April 22, 2026 11:34 PM

@Clive Robinsson
“To stop the crime you have to stop the mind.”

Ah. it’s eugenics now is it?
Isn’t that what ICE is up to?

Weather April 23, 2026 3:33 AM

@All
Good advice i got told when young is, at a work place don’t talk about sex,religion and politics.

Cheers

Winter April 23, 2026 3:44 AM

@Clive

I have repeatedly posted to this blog how to go about doing it with just a pencil paper and a match.

Which would reduce the bandwidth of your communication to about 1 email per day (workdays), to send or receive. But only if that email was not too long. Unless, of course, you would use a computer to do the en/decoding.

I am reminded of the contest between the Post Office and the Grand Trunk Semaphore Company in Terry Pratchett’s Going Postal. Especially the part where the Grant Trunk Semaphore Company had to device a way to encode images.

Ismar April 23, 2026 5:37 AM

This is mostly about endpoint security and , as Clive already states, it can only be guarded against by separating security from communication endpoint. I thank Clive for this and his explanation of how this could be achieved but would like to see it all done in one place including how to build electronic parts and connect them to a phone if that is not too much to ask as often the proof is in the pudding.
Here is also a brief summary of how Graphite achieves his goals:

Graphite, developed by the Israeli firm Paragon Solutions, represents a shift in the spyware arms race. While many are familiar with NSO Group’s Pegasus, Graphite gained notoriety for its specialized focus on bypassing encryption not by “breaking” the math, but by compromising the endpoints and cloud ecosystems where that data eventually rests in the clear.
Here is a technical breakdown of the vectors Graphite uses to intercept supposedly secure communications.

1. Endpoint Compromise: The “Pre-Encryption” Hook

The most effective way to defeat End-to-End Encryption (E2EE) like that found in Signal, WhatsApp, or iMessage is to reside on the device itself. Graphite utilizes high-end exploits to gain root or kernel-level access.
* Memory Scraping: Once Graphite achieves privilege escalation, it can monitor the memory space of messaging applications. Because a message must be decrypted to be displayed on the screen, Graphite captures the plaintext directly from the device’s RAM.
* Keylogging & Screen Capture: By hooking into the OS input/output buffers, the spyware logs keystrokes before they are encrypted and takes periodic screenshots of the “decrypted” chat interface.
* API Hooking: It intercepts the calls between the application and the operating system. When an app requests the “Send” function, Graphite captures the payload before the E2EE protocol wraps it in a secure layer.

2. Cloud Integration & The Microsoft Graph API

The name “Graphite” is widely believed to be a nod to its specialized ability to exploit the Microsoft Graph API. This is a significant differentiator from other spyware.
* OAuth Token Theft: Instead of just stealing passwords, Graphite focuses on harvesting authentication tokens. These tokens allow the spyware to impersonate the user to cloud services (Microsoft 365, OneDrive, Google Drive) without triggering Multi-Factor Authentication (MFA) prompts.
* Backdoor to Backups: Many E2EE apps offer “Cloud Backup” features. While the transmission is secure, the backups themselves are often stored in the cloud with keys managed by the provider (or the user’s account). By leveraging the Microsoft Graph API, Graphite can silently exfiltrate these backup databases and decrypt them offline using stolen keys or by exploiting configuration weaknesses.

3. Vulnerability Research and Zero-Clicks

Graphite relies on a chain of vulnerabilities to install itself without user interaction (Zero-Click).

Stage
Action
Technical Vector

Ingress
Silent Delivery
Often delivered via “invisible” SMS (Silent SMS) or protocol flaws in system services like iMessage (IMTranscoderAgent) or WhatsApp’s VoIP stack.

Exploitation
Sandbox Escape
Uses a “0-day” exploit to break out of the application sandbox and reach the OS kernel.

Persistence
Living off the Land
Graphite often attempts to remain “volatile” (running only in memory) to avoid detection by file-system scanners, though it can establish persistence if the target device reboots.

4. Bypassing Modern Defenses

Graphite is designed to circumvent modern mobile security features such as BlastDoor (iOS) and Advanced Memory Protection (Android).
* Jailbreak-less Operation: Modern spyware rarely performs a full “jailbreak” in the traditional sense, as that is too noisy. Instead, it uses Privilege Escalation (Privesc) vulnerabilities to grant itself “System” or “Root” permissions while leaving the rest of the OS appearing “Genuine” to integrity checks.
* Traffic Obfuscation: Exfiltrated encrypted messages are rarely sent to a Command & Control (C2) server directly. Graphite often hides its data traffic within legitimate HTTPS requests to high-reputation domains (like Cloudflare or AWS frontends) to blend in with normal background noise.

Note on E2EE: It is critical to understand that Graphite does not find a mathematical flaw in the AES or Signal Protocol algorithms. It simply waits for the user to unlock the door (the device) and then walks in to read the mail on the desk.

How does the emergence of these “cloud-native” spyware capabilities change your view on the security of synchronized mobile ecosystems?

Clive Robinson April 23, 2026 5:45 AM

@ lurker,

With regards,

“Ah. it’s eugenics now is it?”

That was tried in both Europe and the US a century ago. And whilst next to nobody talks about it, history shows it was a compleat failure for fairly obvious reasons.

What has been found to work is simple but certain people in the US really don’t want is,

“Good open education from around age 2”

Under repeated testing it has been shown to reduce crime of all types as well as improving “health score” and other “life issues”. Thus over all effecting positively all the “life score measures” that were made, and thus increasing “Average longevity” (remember the US is just about the only place in the western world where average life span is decreasing markedly).

In the US in many places it is clear that certain political types want “Cast/Class based Education” because it makes exploiting the population oh so much easier when they’ve been badly educated.

Need I say as a policy this is not going to “Make America Great Again” for anyone because this century Sovereign GDP very much depends on the base education level of the population… Oh and Current AI based on LLM and ML Systems is not going to fix the GDP issue no matter how much Sam Altman and Co might claim otherwise.

Clive Robinson April 23, 2026 6:10 AM

@ Winter,

“Which would reduce the bandwidth of your communication to about 1 email per day (workdays), to send or receive.”

Yes paper, pencil and match are slow, but have two major advantages,

1, You can see the security in progress.
2, You can see the function in progress.

So as a method of “teaching understanding” it is a good way to go. Importantly it is also about “as simple a system as it gets” and is very very easy to implement in clear stages, so gives an easy build path that delivers quickly.

So even a moderate beginner at “embedded system” programming could code it up in even assembler. Or a school kid using a higher level scripting language for an Arduino Nano or similar very small “single board computer” that is down in the “pocket money” level of expense…

I’ve even coded it up in a day using Apple Basic (that was originally written up by Microsoft using only integers). Likewise BBC Basic both of which you can get easily “emulators for” or “modern” computer kits.

A “scout troop” used it in part for many of the science, technology, digital, and maker related badges from basic Scouts upto Explorer and leader training.

Clive Robinson April 23, 2026 6:39 AM

@ ALL,

ICE think the Glass-Hole look is cool…

I mentioned on the previous thread,

https://www.kenklippenstein.com/p/exclusive-ice-glasses

Exclusive: ICE Glasses

Homeland Security is making “smart glasses” to collect intelligence on Americans

The Department of Homeland Security is developing specialized smart glasses that will allow federal agents on American streets to automatically identify “illegal aliens” from a distance, budget documents reveal.

These new ICE Glasses, building on available glasses that allow video recording and heads-up data display, will be able to pulse vast federal holdings of biometric data — from facial recognition to walking gait — to identify people in real-time.

For those with short memories or of a tender age the very derogatory term “Glass-Hole” came about due to one of the Silicon Valley Mega Corps designing and selling “Smart Glasses” that could “spy as you go” and could give the wearer the equivalent of a private “heads up display” it was touted as “never forget a face” technology for “constipated manglement types”.

Other more useful uses were for engineers and similar working on complex machine maintenance / repair.

But the wearing of such glasses in public very quickly became a Social “No No” and would get you shunned even by geeky types.

The potential for abuse with such glasses is so immense it’s crossed over into “unimaginable horror” territory.

And realistically the level of abuse they can be used for today, are going to be as nothing within a very short period of them being put into general use. As the author of the article notes,

“Though Congress has been notified of the project, no members have said anything publicly, including Homeland Security Committee leaders Bennie Thompson, Rand Paul, Andrew Garbarino, and Gary Peters.

When that federal agent near an ICE protest in Maine said, “We have a nice little database,” he wasn’t kidding. The only joke here is Congress.”

Winter April 23, 2026 7:08 AM

@Clive

So even a moderate beginner at “embedded system” programming could code it up in even assembler.

I am as vain as the next programmer, but I have internalized the message to not write my own cryptographic code.[1]

Sorry, but I stick to that.

[1] I even failed to design an encryption scheme I couldn’t break. Go figure.

Clive Robinson April 23, 2026 12:23 PM

@ Winter,

With regards,

“I have internalized the message to not write my own cryptographic code.”

This is one of the pieces of advice I really hate… Because,

1, As a general observation nearly all code has exploitable instances, in fact it has lots as it gets more complex (once given as the 1 line in every 5 has a vulnerability metric).

It’s not a product of the programming language or the programmer (which is why “flame wars” are such a waste of time). It’s a product of a “non engineering approach” as forced by “management and marketing” due to their wanton inability to apply “engineering techniques”… So as we’ve seen “aircraft fall out if the sky, and people die”…

2, Like all skills it takes about 20,000 hours as an adult to learn to write secure code over and above the hours spent learning a generic programming language for “production” coding.

But… considerably less than half that when you start as a pre-teen in a structured way the hours fold almost invisibly into learning a generic programming language to write cleanly and competently…

Many don’t realise that the alleged famous quote of Edsger Dijkstra against BASIC of,

“It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration.”

Was just one of many he made against popular programming languages for production code at the time. For instance,

“The use of COBOL cripples the mind; its teaching should, therefore, be regarded as a criminal offense.”

And so on with many more…

The reality is that Edsger Dijkstra just hated programming languages because he hated production code programming that did anything that people would pay money for…

“Progress is possible only if we train ourselves to think about programs without thinking of them as pieces of executable code.”

Thus he was railing not so much against the resource limited programming languages of the time, but the “Methods of Mangle-ment and Mark-hitting” to get “code out the door that brings in income quickly”.

Hence,

“Don’t blame me for the fact that competent programming, as I view it as an intellectual possibility, will be too difficult for ‘the average programmer’.

Along with,

“Computer science is no more about computers than astronomy is about telescopes.”

And worse about OOP indicates that he was actually mostly uninterested in the use of computers for anything tangibly practical, as emphasized by his statement of,

You must not fall into the trap of rejecting a surgical technique because it is beyond the capabilities of the barber in his shop around the corner.”

Ivory towers are there for people to be shouty about others from…

The problem is the person shouting can be missing the mark by a long way.

Look at it another way,

How do you become expert enough to write secure code, if you don’t put in the time “on the job” to get the experience?

Weather April 23, 2026 12:46 PM

@All

Substitute box Otp [16][16]
Rotate password and Otp, wrap around by 16, minimum password size 16
Xor Otp by data
Copy ,paste to communications channel

The Otp box needs to be known by both people, and a good random number

lurker April 23, 2026 1:38 PM

@Ismar, ALL
re OAuth Token Theft

There’s a lot of stes nowadays telling me
“You can stay logged in on this ‘Trusted Device'”

Heck, I don’t trust my device, so why should they?

Weather April 23, 2026 4:53 PM

@All
1 bit of information has 3 values on entropy, 2 for 0,1 and 1 for placement.
If you have 2 bits, 4 values of 0,1 and a Msb and Lsb placement.

Rotate minimize the placement area.

Math functions like add,sub,mul etc have different placement components, what ive been working on ,are not fit for purpose.

A small device that plugs into a phone that transfer using usb file transfer, which then sents from phone.

The device after encryption has to delete the Otp, before copying to cell phone.

Each 256bits of data has to have unique Otp and not reused, and destroyed after.

It would be better to use a 256 byte password, to minimize leakage.

Sha, all ,is 32,64 bit, but the char range is 256bit. All hashs at present will suffer the same attack.

Zig lighter with ultrasound random generator to produce white noise, or a cd player, crack the cd after.

Cheers weather

lurker April 24, 2026 2:47 AM

@Ismar, ALL

Shoot the messenger:
Save that linked Gemini page as html.
Open it in a text editor.
All the useful stuff is encoded,
But there’s a load of plaintext garbage in there that tells me Gemini’s output is not segregated or sanitised …

Atom Feed Subscribe to comments on this entry

Leave a comment

Sidebar photo of Bruce Schneier by Joe MacInnis.