AT2k Design BBS Message Area
From: Sean Rima
To: All
Subject: CRYPTO-GRAM, November 15, 2025 Part9
Date/Time: November 18, 2025 2:29 PM

cessors known as trusted execution environments (TEEs) or secure enclaves. TEEs
decouple who runs the chip (a cloud provider, such as Microsoft Azure) from who
secures the chip (a processor vendor, such as Intel) and from who controls the
data being used in the computation (the customer or user). A TEE can keep the
cloud provider from seeing what is being computed. The results of a computation
are sent via a secure tunnel out of the enclave or encrypted and stored. A TEE
can also generate a signed attestation that it actually ran the code that the
customer wanted to run.

Secure enclaves are critical in our modern cloud-based computing architectures.
And, of course, they have vulnerabilities:

The most recent attack, released Tuesday, is known as TEE.fail. It defeats the
latest TEE protections from all three chipmakers. The low-cost, low-complexity
attack works by placing a small piece of hardware between a single physical
memory chip and the motherboard slot it plugs into. It also requires the
attacker to compromise the operating system kernel. Once this three-minute
attack is completed, Confidential Compute, SEV-SNP, and TDX/SDX can no longer be
trusted. Unlike the Battering RAM and Wiretap attacks from last month -- which
worked only against CPUs using DDR4 memory -- TEE.fail works against DDR5,
allowing them to work against the latest TEEs.

Yes, these attacks require physical access. But that's exactly the threat model
secure enclaves are supposed to secure against.

** *** ***** ******* *********** *************

Prompt Injection in AI Browsers

[2025.11.11] This is why AIs are not ready to be personal assistants:

A new attack called "CometJacking" exploits URL parameters to pass to
Perplexity's Comet AI browser hidden instructions that allow access to sensitive
data from connected services, like email and calendar.

In a realistic scenario, no credentials or user interaction are required and a
threat actor can leverage the attack by simply exposing a maliciously crafted
URL to targeted users.

[...]

CometJacking is a prompt-injection attack where the query string processed by
the Comet AI browser contains malicious instructions added using the
"collection" parameter of the URL.

LayerX researchers say that the prompt tells the agent to consult its memory and
connected services instead of searching the web. As the AI tool is connected to
various services, an attacker leveraging the CometJacking method could
exfiltrate available data.

In their tests, the connected services and accessible data include Google
Calendar invites and Gmail messages and the malicious prompt included
instructions to encode the sensitive data in base64 and then exfiltrate them to
an external endpoint.

According to the researchers, Comet followed the instructions and delivered the
information to an external system controlled by the attacker, evading
Perplexity's checks.

I wrote previously:

Prompt injection isn't just a minor security problem we need to deal with. It's
a fundamental property of current LLM technology. The systems have no ability to
separate trusted commands from untrusted data, and there are an infinite number
of prompt injection attacks with no way to block them as a class. We need some
new fundamental science of LLMs before we can solve this.

** *** ***** ******* *********** *************

On Hacking Back

[2025.11.12] Former DoJ attorney John Carlin writes about hackback, which he
defines thus: "A hack back is a type of cyber response that incorporates a
counterattack designed to proactively engage with, disable, or collect evidence
about an attacker. Although hack backs can take on various forms, they are -- by
definition -- not passive defensive measures."

His conclusion:

As the law currently stands, specific forms of purely defense measures are
authorized so long as they affect only the victim's system or data.

At the other end of the spectrum, offensive measures that involve accessing or
otherwise causing damage or loss to the hacker's systems are likely prohibited,
absent government oversight or authorization. And even then parties should
proceed with caution in light of the heightened risks of misattribution,
collateral damage, and retaliation.

As for the broad range of other hack back tactics that fall in the middle of
active defense and offensive measures, private parties should continue to engage
in these tactics only with government oversight or authorization. These measures
exist within a legal gray area and would likely benefit from amendments to the
CFAA and CISA that clarify and carve out the parameters of authorization for
specific self-defense measures. But in the absence of amendments or
clarification on the scope of those laws, private actors can seek governmental
authorization through an array of channels, whether they be partnering with law
enforcement or seeking authorization to engage in more offensive tactics from
the courts in connection with private litigation.

** *** ***** ******* *********** *************

Book Review: The Business of Secrets

[2025.11.13] The Business of Secrets: Adventures in Selling Encryption Around
the World by Fred Kinch (May 24, 2024)

From the vantage point of today, it's surreal reading about the commercial
cryptography business in the 1970s. Nobody knew anything. The manufacturers
didn't know whether the cryptography they sold was any good. The customers
didn't know whether the crypto they bought was any good. Everyone pretended to
know, thought they knew, or knew better than to even try to know.

The Business of Secrets is the self-published memoirs of Fred Kinch. He was
founder and vice president of -- mostly sales -- at a US cryptographic hardware
company called Datotek, from the company's founding in 1969 until 1982. It's mostly
a disjointed collection of stories about the difficulties of selling to
governments worldwide, along with descriptions of the highs and (mostly) lows of
foreign airlines, foreign hotels, and foreign travel in general. But it's also
about encryption.

Datotek sold cryptographic equipment in the era after rotor machines and before
modern academic cryptography. The company initially marketed computer-file
encryption, but pivoted to link encryption -- low-speed data, voice, fax --
because that's what the market wanted.

These were the years where the NSA hired anyone promising in the field, and
routinely classified -- and thereby blocked -- publication of academic
mathematics papers of those they didn't hire. They controlled the fielding of
strong cryptography by aggressively using the International Traffic in Arms
regulation. Kinch talks about the difficulties in getting an export license for
Datotek's products; he didn't know that the only reason he ever got that license
was because the NSA was able to break his company's stuff. He had no idea that
his largest competitor, the Swiss company Crypto AG, was owned and controlled by
the CIA and its West German equivalent. "Wouldn't that have made our life easier
if we had known that back in the 1970s?" Yes, it would. But no one knew.

Glimmers of the

--- BBBS/LiR v4.10 Toy-7
 * Origin: TCOB1: https/binkd/telnet binkd.rima.ie (618:500/1)