aws have allowed their surveillance business to flourish, First Wap?s European
founders and executives have quietly built a phone-tracking empire, with a
footprint extending from the Vatican to the Middle East to Silicon Valley.

It calls its proprietary system Altamides, which it describes in promotional
materials as ?a unified platform to covertly locate the whereabouts of single or
multiple suspects in real-time, to detect movement patterns, and to detect
whether suspects are in close vicinity with each other.?

Altamides leaves no trace on the phones it targets, unlike spyware such as
Pegasus. Nor does it require a target to click on a malicious link or show any
of the telltale signs (such as overheating or a short battery life) of remote
monitoring.

Its secret is shrewd use of the antiquated telecom language Signaling System No.
7, known as SS7, that phone carriers use to route calls and text messages. Any
entity with SS7 access can send queries requesting information about which cell
tower a phone subscriber is nearest to, an essential first step to sending a
text message or making a call to that subscriber. But First Wap?s technology
uses SS7 to zero in on phone numbers and trace the location of their users.

Much more in this Lighthouse Reports analysis.

** *** ***** ******* *********** *************

Louvre Jewel Heist

[2025.10.27] I assume I don?t have to explain last week?s Louvre jewel heist. I
love a good caper, and have (like many others) eagerly followed the details. An
electric ladder to a second-floor window, an angle grinder to get into the room
and the display cases, security guards there more to protect patrons than
valuables -- seven minutes, in and out.

There were security lapses:

The Louvre, it turns out -- at least certain nooks of the ancient former palace
-- is something like an anopticon: a place where no one is observed. The world
now knows what the four thieves (two burglars and two accomplices) realized as
recently as last week: The museum?s Apollo Gallery, which housed the stolen
items, was monitored by a single outdoor camera angled away from its only
exterior point of entry, a balcony. In other words, a free-roaming Roomba could
have provided the world?s most famous museum with more information about the
interior of this space. There is no surveillance footage of the break-in.

Professional jewelry thieves were not impressed with the four. Here?s Larry
Lawton:

?I robbed 25, 30 jewelry stores -- 20 million, 18 million, something like
that,? Mr. Lawton said. ?Did you know that I never dropped a ring or an earring,
no less, a crown worth 20 million??

He thinks that they had a co-conspirator on the inside.

Museums, especially smaller ones, are good targets for theft because they rarely
secure what they hold to its true value. They can?t; it would be prohibitively
expensive. This makes them an attractive target.

We might find out soon. It looks like some people have been arrested

Not being out of the country -- out of the EU -- by now was sloppy. Leaving DNA
evidence was sloppy. I can hope the criminals were sloppy enough not to have
disassembled the jewelry by now, but I doubt it. They were probably taken apart
within hours of the theft.

The whole thing is sad, really. Unlike stolen paintings, those jewels have no
value in their original form. They need to be taken apart and sold in pieces.
But then their value drops considerably -- so the end result is that most of the
worth of those items disappears. It would have been much better to pay the
thieves not to rob the Louvre.

** *** ***** ******* *********** *************

Social Engineering People?s Credit Card Details

[2025.10.28] Good Wall Street Journal article on criminal gangs that scam people
out of their credit card information:

Your highway toll payment is now past due, one text warns. You have U.S. Postal
Service fees to pay, another threatens. You owe the New York City Department of
Finance for unpaid traffic violations.

The texts are ploys to get unsuspecting victims to fork over their credit-card
details. The gangs behind the scams take advantage of this information to buy
iPhones, gift cards, clothing and cosmetics.

Criminal organizations operating out of China, which investigators blame for the
toll and postage messages, have used them to make more than $1 billion over the
last three years, according to the Department of Homeland Security.

[...]

Making the fraud possible: an ingenious trick allowing criminals to install
stolen card numbers in Google and Apple Wallets in Asia, then share the cards
with the people in the U.S. making purchases half a world away.

** *** ***** ******* *********** *************

Signal?s Post-Quantum Cryptographic Implementation

[2025.10.29] Signal has just rolled out its quantum-safe cryptographic
implementation.

Ars Technica has a really good article with details:

Ultimately, the architects settled on a creative solution. Rather than bolt KEM
onto the existing double ratchet, they allowed it to remain more or less the
same as it had been. Then they used the new quantum-safe ratchet to implement a
parallel secure messaging system.

Now, when the protocol encrypts a message, it sources encryption keys from both
the classic Double Ratchet and the new ratchet. It then mixes the two keys
together (using a cryptographic key derivation function) to get a new encryption
key that has all of the security of the classical Double Ratchet but now has
quantum security, too.

The Signal engineers have given this third ratchet the formal name: Sparse Post
Quantum Ratchet, or SPQR for short. The third ratchet was designed in
collaboration with PQShield, AIST, and New York University. The developers
presented the erasure-code-based chunking and the high-level Triple Ratchet
design at the Eurocrypt 2025 conference. At the Usenix 25 conference, they
discussed the six options they considered for adding quantum-safe forward
secrecy and post-compromise security and why SPQR and one other stood out.
Presentations at the NIST PQC Standardization Conference and the Cryptographic
Applications Workshop explain the details of chunking, the design challenges,
and how the protocol had to be adapted to use the standardized ML-KEM.

Jacomme further observed:

The final thing interesting for the triple ratchet is that it nicely combines
the best of both worlds. Between two users, you have a classical DH-based
ratchet going on one side, and fully independently, a KEM-based ratchet is going
on. Then, whenever you need to encrypt something, you get a key from both, and
mix it up to get the actual encryption key. So, even if one ratchet is fully
broken, be it because there is now a quantum computer, or because somebody
manages to break either elliptic curves or ML-KEM, or because the implementation
of one is flawed, or..., the Signal message will still be protected by the
second ratchet. In a sense, this update can be seen, of course simplifying, as
doubling the security of the ratchet part of Signal, and is a cool thing even
for people that don?t care about quantum computers.

Also read this p

--- BBBS/LiR v4.10 Toy-7
 * Origin: TCOB1: https/binkd/telnet binkd.rima.ie (618:500/1)