cessors known as trusted execution environments (TEEs) or secure enclaves. TEEs decouple who runs the chip (a cloud provider, such as Microsoft Azure) from who secures the chip (a processor vendor, such as Intel) and from who controls the data being used in the computation (the customer or user). A TEE can keep the cloud provider from seeing what is being computed. The results of a computation are sent via a secure tunnel out of the enclave or encrypted and stored. A TEE can also generate a signed attestation that it actually ran the code that the customer wanted to run.

Secure enclaves are critical in our modern cloud-based computing architectures. And, of course, they have vulnerabilities:

The most recent attack, released Tuesday, is known as TEE.fail. It defeats the latest TEE protections from all three chipmakers. The low-cost, low-complexity attack works by placing a small piece of hardware between a single physical memory chip and the motherboard slot it plugs into. It also requires the attacker to compromise the operating system kernel. Once this three-minute attack is completed, Confidential Compute, SEV-SNP, and TDX/SDX can no longer be trusted. Unlike the Battering RAM and Wiretap attacks from last month -- which worked only against CPUs using DDR4 memory -- TEE.fail works against DDR5, allowing them to work against the latest TEEs.

Yes, these attacks require physical access. But that?s exactly the threat model secure enclaves are supposed to secure against.

** *** ***** ******* *********** *************

Prompt Injection in AI Browsers

[2025.11.11] This is why AIs are not ready to be personal assistants:

A new attack called ?CometJacking? exploits URL parameters to pass to Perplexity?s Comet AI browser hidden instructions that allow access to sensitive data from connected services, like email and calendar.

In a realistic scenario, no credentials or user interaction are required and a threat actor can leverage the attack by simply exposing a maliciously crafted URL to targeted users.

[...]

CometJacking is a prompt-injection attack where the query string processed by the Comet AI browser contains malicious instructions added using the
?collection? parameter of the URL.

LayerX researchers say that the prompt tells the agent to consult its memory and connected services instead of searching the web. As the AI tool is connected to various services, an attacker leveraging the CometJacking method could exfiltrate available data.

In their tests, the connected services and accessible data include Google Calendar invites and Gmail messages and the malicious prompt included instructions to encode the sensitive data in base64 and then exfiltrate them to an external endpoint.

According to the researchers, Comet followed the instructions and delivered the information to an external system controlled by the attacker, evading Perplexity?s checks.

I wrote previously:

Prompt injection isn?t just a minor security problem we need to deal with. It?s a fundamental property of current LLM technology. The systems have no ability to separate trusted commands from untrusted data, and there are an infinite number of prompt injection attacks with no way to block them as a class. We need some new fundamental science of LLMs before we can solve this.

** *** ***** ******* *********** *************

On Hacking Back

[2025.11.12] Former DoJ attorney John Carlin writes about hackback, which he defines thus: ?A hack back is a type of cyber response that incorporates a counterattack designed to proactively engage with, disable, or collect evidence about an attacker. Although hack backs can take on various forms, they are -- by definition -- not passive defensive measures.?

His conclusion:

As the law currently stands, specific forms of purely defense measures are authorized so long as they affect only the victim?s system or data.

At the other end of the spectrum, offensive measures that involve accessing or otherwise causing damage or loss to the hacker?s systems are likely prohibited, absent government oversight or authorization. And even then parties should proceed with caution in light of the heightened risks of misattribution, collateral damage, and retaliation.

As for the broad range of other hack back tactics that fall in the middle of active defense and offensive measures, private parties should continue to engage in these tactics only with government oversight or authorization. These measures exist within a legal gray area and would likely benefit from amendments to the CFAA and CISA that clarify and carve out the parameters of authorization for specific self-defense measures. But in the absence of amendments or clarification on the scope of those laws, private actors can seek governmental authorization through an array of channels, whether they be partnering with law enforcement or seeking authorization to engage in more offensive tactics from the courts in connection with private litigation.

** *** ***** ******* *********** *************

Book Review: The Business of Secrets

[2025.11.13] The Business of Secrets: Adventures in Selling Encryption Around the World by Fred Kinch (May 24, 2024)

From the vantage point of today, it?s surreal reading about the commercial cryptography business in the 1970s. Nobody knew anything. The manufacturers didn?t know whether the cryptography they sold was any good. The customers didn?t know whether the crypto they bought was any good. Everyone pretended to know, thought they knew, or knew better than to even try to know.

The Business of Secrets is the self-published memoirs of Fred Kinch. He was founder and vice president of -- mostly sales -- at a US cryptographic hardware company called Datotek, from company?s founding in 1969 until 1982. It?s mostly a disjointed collection of stories about the difficulties of selling to governments worldwide, along with descriptions of the highs and (mostly) lows of foreign airlines, foreign hotels, and foreign travel in general. But it?s also about encryption.

Datotek sold cryptographic equipment in the era after rotor machines and before modern academic cryptography. The company initially marketed computer-file encryption, but pivoted to link encryption -- low-speed data, voice, fax -- because that?s what the market wanted.

These were the years where the NSA hired anyone promising in the field, and routinely classified -- and thereby blocked -- publication of academic mathematics papers of those they didn?t hire. They controlled the fielding of strong cryptography by aggressively using the International Traffic in Arms regulation. Kinch talks about the difficulties in getting an expert license for Datotek?s products; he didn?t know that the only reason he ever got that license was because the NSA was able to break his company?s stuff. He had no idea that his largest competitor, the Swiss company Crypto AG, was owned and controlled by the CIA and its West German equivalent. ?Wouldn?t that have made our life easier if we had known that back in the 1970s?? Yes, it would. But no one knew.

Glimmers of the

--- BBBS/LiR v4.10 Toy-7
* Origin: TCOB1: https/binkd/telnet binkd.rima.ie (21:1/229)