CRYPTO-GRAM, August 15, 2025 Part4
From
Sean Rima@21:1/229 to
All on Fri Aug 15 15:03:40 2025
rity implications.
I am more convinced than ever that we need serious research into AI integrity if we are ever going to have trustworthy AI.
** *** ***** ******* *********** *************
Microsoft SharePoint Zero-Day
[2025.07.28] Chinese hackers are exploiting a high-severity vulnerability in Microsoft SharePoint to steal data worldwide:
The vulnerability, tracked as CVE-2025-53770, carries a severity rating of 9.8 out of a possible 10. It gives unauthenticated remote access to SharePoint Servers exposed to the Internet. Starting Friday, researchers began warning of active exploitation of the vulnerability, which affects SharePoint Servers that infrastructure customers run in-house. Microsoft's cloud-hosted SharePoint Online and Microsoft 365 are not affected.
Here's Microsoft on patching instructions. Patching isn't enough, as attackers have used the vulnerability to steal authentication credentials. It's an absolute mess. CISA has more information. Also these four links. Two Slashdot threads.
This is an unfolding security mess, and quite the hacking coup.
** *** ***** ******* *********** *************
That Time Tom Lehrer Pranked the NSA
[2025.07.28] Bluesky thread. Here?s the paper, from 1957. Note reference 3.
** *** ***** ******* *********** *************
Aeroflot Hacked
[2025.07.29] Looks serious.
** *** ***** ******* *********** *************
Measuring the Attack/Defense Balance
[2025.07.30] "Who's winning on the internet, the attackers or the defenders?"
I'm asked this all the time, and I can only ever give a qualitative hand-wavy answer. But Jason Healey and Tarang Jain's latest Lawfare piece has amassed data.
The essay provides the first framework for metrics about how we are all doing collectively -- and not just how an individual network is doing. Healey wrote to me in email:
The work rests on three key insights: (1) defenders need a framework (based in threat, vulnerability, and consequence) to categorize the flood of potentially relevant security metrics; (2) trends are what matter, not specifics; and (3) to start, we should avoid getting bogged down in collecting data and just use what's already being reported by amazing teams at Verizon, Cyentia, Mandiant, IBM, FBI, and so many others.
The surprising conclusion: there's a long way to go, but we're doing better than we think. There are substantial improvements across threat operations, threat ecosystem and organizations, and software vulnerabilities. Unfortunately, we're still not seeing increases in consequence. And since cost imposition is leading to a survival-of-the-fittest contest, we're stuck with perhaps fewer but fiercer predators.
And this is just the start. From the report:
Our project is proceeding in three phases -- the initial framework presented here is only phase one. In phase two, the goal is to create a more complete catalog of indicators across threat, vulnerability, and consequence; encourage cybersecurity companies (and others with data) to report defensibility-relevant statistics in time-series, mapped to the catalog; and drive improved analysis and reporting.
This is really good, and important, work.
** *** ***** ******* *********** *************
Cheating on Quantum Computing Benchmarks
[2025.07.31] Peter Gutmann and Stephan Neuhaus have a new paper -- I think it's new, even though it has a March 2025 date -- that makes the argument that we shouldn't trust any of the quantum factorization benchmarks, because everyone has been cooking the books:
Similarly, quantum factorisation is performed using sleight-of-hand numbers that have been selected to make them very easy to factorise using a physics experiment and, by extension, a VIC-20, an abacus, and a dog. A standard technique is to ensure that the factors differ by only a few bits that can then be found using a simple search-based approach that has nothing to do with factorisation.... Note that such a value would never be encountered in the real world since the RSA key generation process typically requires that |p-q| > 100 or more bits [9]. As one analysis puts it, "Instead of waiting for the hardware to improve by yet further orders of magnitude, researchers began inventing better and better tricks for factoring numbers by exploiting their hidden structure" [10].
A second technique used in quantum factorisation is to use preprocessing on a computer to transform the value being factorised into an entirely different form or even a different problem to solve which is then amenable to being solved via a physics experiment...
Lots more in the paper, which is titled "Replication of Quantum Factorisation Records with an 8-bit Home Computer, an Abacus, and a Dog." He points out the largest number that has been factored legitimately by a quantum computer is 35.
I hadn't known these details, but I'm not surprised. I have long said that the engineering problems between now and a useful, working quantum computer are hard. And by "hard," we don't know if it's "land a person on the surface of the moon" hard, or "land a person on the surface of the sun" hard. They're both hard, but very different. And we're going to hit those engineering problems one by one, as we continue to develop the technology. While I don't think quantum computing is "surface of the sun" hard, I don't expect them to be factoring RSA moduli anytime soon. And -- even there -- I expect lots of engineering challenges in making Shor's Algorithm work on an actual quantum computer with large numbers.
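To make the quoted point concrete, here is an added example (not code from the paper or the newsletter) showing why a modulus whose factors differ by only a few bits is trivially factorable with a simple difference-of-squares search, and the corresponding key-generation check on |p-q| that real RSA implementations apply. The prime pairs are constructed for illustration, and the 100-bit floor is taken from the text.

```python
from math import isqrt


def fermat_factor(n: int, max_steps: int = 10_000):
    """Fermat's difference-of-squares search: n = a^2 - b^2 = (a-b)(a+b).

    Starting at a = ceil(sqrt(n)), the search needs roughly (q-p)^2 / (8*sqrt(n))
    steps, so a modulus whose factors differ in only a few bits falls out on the
    first iteration, while factors with a wide gap exhaust max_steps.
    Returns (p, q) on success, None otherwise.
    """
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def factor_gap_bits(p: int, q: int) -> int:
    """Bit length of |p - q|, the quantity the key-generation rule constrains."""
    return abs(p - q).bit_length()


def gap_is_acceptable(p: int, q: int, min_gap_bits: int = 100) -> bool:
    """Defender-side check on a candidate RSA prime pair: reject factors that
    are too close. The 100-bit floor follows the quoted text; FIPS 186-4 states
    the same rule as |p - q| > 2**(nlen//2 - 100) for an nlen-bit modulus."""
    return factor_gap_bits(p, q) > min_gap_bits


# Constructed demo values (not from the paper): two primes just above 10**6
# whose difference is 30 (a 5-bit number), the kind of "sleight-of-hand"
# modulus the benchmarks use, versus a pair with a wide gap for their size.
CLOSE_P, CLOSE_Q = 1_000_003, 1_000_033
WIDE_P, WIDE_Q = 65_537, 2_147_483_647

if __name__ == "__main__":
    print("close pair, gap bits:", factor_gap_bits(CLOSE_P, CLOSE_Q),
          "->", fermat_factor(CLOSE_P * CLOSE_Q))      # found in one step
    print("wide pair,  gap bits:", factor_gap_bits(WIDE_P, WIDE_Q),
          "->", fermat_factor(WIDE_P * WIDE_Q))        # None: search gives up
```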
** *** ***** ******* *********** *************
Spying on People Through Airportr Luggage Delivery Service
[2025.08.01] Airportr is a service that allows passengers to have their luggage picked up, checked, and delivered to their destinations. As you might expect, it's used by wealthy or important people. So if the company's website is insecure, you'd be able to spy on lots of wealthy or important people. And maybe even steal their luggage.
Researchers at the firm CyberX9 found that simple bugs in Airportr's website allowed them to access virtually all of those users' personal information, including travel plans, or even gain administrator privileges that would have allowed a hacker to redirect or steal luggage in transit. Among even the small sample of user data that the researchers reviewed and shared with WIRED they found what appear to be the personal information and travel records of multiple government officials and diplomats from the UK, Switzerland, and the US.
"Anyone would have been able to gain or might have gained absolute super-admin access to all the operations and data of this company," says Himanshu Pathak, CyberX9's founder and CEO. "The vulnerabilities resulted in complete confidential private information exposure of all airline customers in all countries who used the service of this company, including full control over all the bookings and baggage. Because once you are the super-admin of their most sensitive systems, you have have [sic] the ability to do anything."
** *** ***** ******* *********** **
--- BBBS/LiR v4.10 Toy-7
* Origin: TCOB1: https/binkd/telnet binkd.rima.ie (21:1/229)