CRYPTO-GRAM, August 15, 2025 Part6
From: Sean Rima@21:1/229 to All on Fri Aug 15 15:03:40 2025
Nvidia's computing chips have location tracking and can remotely shut down the technology."
** *** ***** ******* *********** *************
Google Project Zero Changes Its Disclosure Policy
[2025.08.08] Google's vulnerability finding team is again pushing the envelope of responsible disclosure:
Google?s Project Zero team will retain its existing 90+30 policy regarding vulnerability disclosures, in which it provides vendors with 90 days before full disclosure takes place, with a 30-day period allowed for patch adoption if the bug is fixed before the deadline.
However, as of July 29, Project Zero will also release limited details about any discovery they make within one week of vendor disclosure. This information will encompass:
The vendor or open-source project that received the report
The affected product
The date the report was filed and when the 90-day disclosure deadline expires
I have mixed feelings about this. On the one hand, I like that it puts more pressure on vendors to patch quickly. On the other hand, if no indication is provided regarding how severe a vulnerability is, it could easily cause unnecessary panic.
The problem is that Google is not a neutral vulnerability hunting party. To the extent that it finds, publishes, and reduces confidence in competitors' products, Google benefits as a company.
** *** ***** ******* *********** *************
Automatic License Plate Readers Are Coming to Schools
[2025.08.11] Fears around children are opening up a new market for automatic license plate readers.
** *** ***** ******* *********** *************
The "Incriminating Video" Scam
[2025.08.12] A few years ago, scammers invented a new phishing email. They would claim to have hacked your computer, turned your webcam on, and videoed you watching porn or having sex. BuzzFeed has an article talking about a "shockingly realistic" variant, which includes photos of you and your house -- more specific information.
The article contains "steps you can take to figure out if it's a scam," but omits the first and most fundamental piece of advice: If the hacker had incriminating video about you, they would show you a clip. Just a taste, not the worst bits, so you had to worry about how bad it could be, but something. If the hacker doesn't show you any video, they don't have any video. Everything else is window dressing.
I remember when this scam was first invented. I calmed several people who were legitimately worried with that one fact.
** *** ***** ******* *********** *************
SIGINT During World War II
[2025.08.13] The NSA and GCHQ have jointly published a history of World War II SIGINT: "Secret Messengers: Disseminating SIGINT in the Second World War." This is the story of the British SLUs (Special Liaison Units) and the American SSOs (Special Security Officers).
** *** ***** ******* *********** *************
AI Applications in Cybersecurity
[2025.08.13] There is a really great series of online events highlighting cool uses of AI in cybersecurity, titled Prompt||GTFO. Videos from the first three events are online. And here's where to register to attend, or participate in, the fourth.
Some really great stuff here.
** *** ***** ******* *********** *************
LLM Coding Integrity Breach
[2025.08.14] Here's an interesting story about a failure being introduced by LLM-written code. Specifically, the LLM was doing some code refactoring, and when it moved a chunk of code from one file to another it changed a "break" to a "continue." That turned an error logging statement into an infinite loop, which crashed the system.
This is an integrity failure. Specifically, it's a failure of processing integrity. And while we can think of particular patches that alleviate this exact failure, the larger problem is much harder to solve.
Davi Ottenheimer comments.
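As an added illustration (not code from the story above, and not from any project the newsletter mentions), here is a constructed Python version of the failure and one of the "particular patches" it invites. The queue-draining loop leaves a failed item at the head of the queue; with a "break" the error is logged once and the batch is abandoned, but with a "continue" the same item fails on every pass and the loop never ends. The second half is a small AST check that compares the before and after source of a refactor and flags any change in the number of break/continue/return statements per function, which is the kind of mechanical review a supposedly behaviour-preserving refactor should pass. The queue, handler, source strings, and the max_steps guard are all assumptions made for the example.

```python
"""Added example (not the code from the story the newsletter discusses):
a break-to-continue swap turning an error-logging branch into an unbounded
loop, plus an AST check that flags such control-flow changes in a refactor.
The queue, handler, and source strings below are constructed."""
import ast
from typing import Callable, Dict, List, Tuple


class StepBudgetExceeded(RuntimeError):
    """Guard added for the demo so the bad variant returns instead of hanging."""


def drain(queue: List[str], handle: Callable[[str], None], log: List[str],
          stop_on_error: bool, max_steps: int = 50) -> int:
    """Process items from the head of the queue until it is empty.

    A failed item is not consumed, so it stays at the head. stop_on_error=True
    logs and breaks (original behaviour); stop_on_error=False logs and
    continues (refactored behaviour), so the same item fails on every pass
    and the loop never terminates by itself. Returns the iteration count.
    """
    steps = 0
    while queue:
        steps += 1
        if steps > max_steps:
            raise StepBudgetExceeded(f"still looping after {max_steps} iterations")
        item = queue[0]
        try:
            handle(item)
        except ValueError as exc:
            log.append(f"error processing {item!r}: {exc}")
            if stop_on_error:
                break       # original: abandon the batch after logging once
            continue        # refactored: back to the top with the same item
        queue.pop(0)        # consume the item only after it succeeded
    return steps


def compare_behaviours(max_steps: int = 50) -> Dict[str, dict]:
    """Run both variants on the same constructed queue and report the outcome."""
    def handle(item: str) -> None:
        if item == "bad":                      # constructed poison record
            raise ValueError("malformed record")

    results = {}
    for label, stop in (("break", True), ("continue", False)):
        queue, log = ["a", "bad", "c"], []
        try:
            steps, terminated = drain(queue, handle, log, stop, max_steps), True
        except StepBudgetExceeded:
            steps, terminated = max_steps, False
        results[label] = {"terminated": terminated, "steps": steps,
                          "errors_logged": len(log), "left": list(queue)}
    return results


# Constructed before/after sources of a "behaviour-preserving" refactor.
BEFORE = """
def drain(queue, handle, log):
    while queue:
        item = queue[0]
        try:
            handle(item)
        except ValueError as exc:
            log.append("error: %s" % exc)
            break
        queue.pop(0)
"""
AFTER = BEFORE.replace("            break\n", "            continue\n")

_KEYWORDS = ("break", "continue", "return")


def control_flow_signature(src: str) -> Dict[str, Dict[str, int]]:
    """Count break/continue/return nodes inside each top-level function."""
    sig: Dict[str, Dict[str, int]] = {}
    for node in ast.parse(src).body:
        if isinstance(node, ast.FunctionDef):
            counts = dict.fromkeys(_KEYWORDS, 0)
            for sub in ast.walk(node):
                if isinstance(sub, ast.Break):
                    counts["break"] += 1
                elif isinstance(sub, ast.Continue):
                    counts["continue"] += 1
                elif isinstance(sub, ast.Return):
                    counts["return"] += 1
            sig[node.name] = counts
    return sig


def control_flow_changes(before: str, after: str) -> List[Tuple[str, str, int, int]]:
    """Return (function, keyword, before_count, after_count) for every change
    in loop/exit control flow. A refactor claiming to preserve behaviour
    should yield an empty list; anything else gets a human review."""
    old, new = control_flow_signature(before), control_flow_signature(after)
    empty = dict.fromkeys(_KEYWORDS, 0)
    changes = []
    for name in sorted(set(old) | set(new)):
        o, n = old.get(name, empty), new.get(name, empty)
        changes.extend((name, kw, o[kw], n[kw]) for kw in _KEYWORDS if o[kw] != n[kw])
    return changes


if __name__ == "__main__":
    print(compare_behaviours())
    print(control_flow_changes(BEFORE, AFTER))
```

The AST check only catches the narrow class of defect in this story; it says nothing about the many other ways a refactor can silently change semantics, which is the harder problem the commentary points at.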
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security technology. To subscribe, or to read back issues, see Crypto-Gram's web page.
You can also read these articles on my blog, Schneier on Security.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
Bruce Schneier is an internationally renowned security technologist, called a security guru by the Economist. He is the author of over one dozen books -- including his latest, A Hacker's Mind -- as well as hundreds of articles, essays, and academic papers. His newsletter and blog are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org. He is the Chief of Security Architecture at Inrupt, Inc.
Copyright © 2025 by Bruce Schneier.
--- BBBS/LiR v4.10 Toy-7
* Origin: TCOB1: https/binkd/telnet binkd.rima.ie (21:1/229)