Cell Phone Security and Heads of State

Earlier this week, the New York Times reported that the Russians and the Chinese were eavesdropping on President Donald Trump’s personal cell phone and using the information gleaned to better influence his behavior. This should surprise no one. Security experts have been talking about the potential security vulnerabilities in Trump’s cell phone use since he became president. And President Barack Obama bristled at—but acquiesced to—the security rules prohibiting him from using a “regular” cell phone throughout his presidency.

Three broader questions obviously emerge from the story. Who else is listening in on Trump’s cell phone calls? What about the cell phones of other world leaders and senior government officials? And—most personal of all—what about my cell phone calls?

There are two basic places to eavesdrop on pretty much any communications system: at the end points and during transmission. This means that a cell phone attacker can either compromise one of the two phones or eavesdrop on the cellular network. Both approaches have their benefits and drawbacks. The NSA seems to prefer bulk eavesdropping on the planet’s major communications links and then picking out individuals of interest. In 2016, WikiLeaks published a series of classified documents listing “target selectors”: phone numbers the NSA searches for and records. These included senior government officials of Germany—among them Chancellor Angela Merkel—France, Japan, and other countries.

Other countries don’t have the same worldwide reach that the NSA has, and must use other methods to intercept cell phone calls. We don’t know details of which countries do what, but we know a lot about the vulnerabilities. Insecurities in the phone network itself are so easily exploited that 60 Minutes eavesdropped on a US congressman’s phone live on camera in 2016. Back in 2005, unknown attackers targeted the cell phones of many Greek politicians by hacking the country’s phone network and turning on an already-installed eavesdropping capability. The NSA even implanted eavesdropping capabilities in networking equipment destined for the Syrian Telephone Company.

Alternatively, an attacker could intercept the radio signals between a cell phone and a tower. Encryption ranges from very weak to possibly strong, depending on which flavor the system uses. Don’t think the attacker has to put his eavesdropping antenna on the White House lawn; the Russian Embassy is close enough.

The other way to eavesdrop on a cell phone is by hacking the phone itself. This is the technique favored by countries with less sophisticated intelligence capabilities. In 2017, the public-interest forensics group Citizen Lab uncovered an extensive eavesdropping campaign against Mexican lawyers, journalists, and opposition politicians—presumably run by the government. Just last month, the same group found eavesdropping capabilities in products from the Israeli cyberweapons manufacturer NSO Group operating in Algeria, Bangladesh, Greece, India, Kazakhstan, Latvia, South Africa—45 countries in all.

These attacks generally involve downloading malware onto a smartphone that then records calls, text messages, and other user activities, and forwards them to some central controller. Here, it matters which phone is being targeted. iPhones are harder to hack, which is reflected in the prices companies pay for new exploit capabilities. In 2016, the vulnerability broker Zerodium offered $1.5 million for an unknown iOS exploit and only $200K for a similar Android exploit. Earlier this year, a new Dubai start-up announced even higher prices. These vulnerabilities are resold to governments and cyberweapons manufacturers.

Some of the price difference is due to the ways the two operating systems are designed and used. Apple has much more control over the software on an iPhone than Google does on an Android phone. Also, Android phones are generally designed, built, and sold by third parties, which means they are much less likely to get timely security updates. This is changing. Google now has its own phone—Pixel—that gets security updates quickly and regularly, and Google is now trying to pressure Android-phone manufacturers to update their phones more regularly. (President Trump reportedly uses an iPhone.)

Another way to hack a cell phone is to install a backdoor during the design process. This is a real fear; earlier this year, US intelligence officials warned that phones made by the Chinese companies ZTE and Huawei might be compromised by that government, and the Pentagon ordered stores on military bases to stop selling them. This is why China’s recommendation that if Trump wanted security, he should use a Huawei phone, was an amusing bit of trolling.

Given the wealth of insecurities and the array of eavesdropping techniques, it’s safe to say that lots of countries are spying on the phones of both foreign officials and their own citizens. Many of these techniques are within the capabilities of criminal groups, terrorist organizations, and hackers. If I were guessing, I’d say that the major international powers like China and Russia are using the more passive interception techniques to spy on Trump, and that the smaller countries are too scared of getting caught to try to plant malware on his phone.

It’s safe to say that President Trump is not the only one being targeted; so are members of Congress, judges, and other senior officials—especially because no one is trying to tell any of them to stop using their cell phones (although cell phones still are not allowed on either the House or the Senate floor).

As for the rest of us, it depends on how interesting we are. It’s easy to imagine a criminal group eavesdropping on a CEO’s phone to gain an advantage in the stock market, or a country doing the same thing for an advantage in a trade negotiation. We’ve seen governments use these tools against dissidents, reporters, and other political enemies. The Chinese and Russian governments are already targeting the US power grid; it makes sense for them to target the phones of those in charge of that grid.

Unfortunately, there’s not much you can do to improve the security of your cell phone. Unlike computer networks, for which you can buy antivirus software, network firewalls, and the like, your phone is largely controlled by others. You’re at the mercy of the company that makes your phone, the company that provides your cellular service, and the communications protocols developed when none of this was a problem. If one of those companies doesn’t want to bother with security, you’re vulnerable.

This is why the current debate about phone privacy, with the FBI on one side wanting the ability to eavesdrop on communications and unlock devices, and users on the other side wanting secure devices, is so important. Yes, there are security benefits to the FBI being able to use this information to help solve crimes, but there are far greater benefits to the phones and networks being so secure that all the potential eavesdroppers—including the FBI—can’t access them. We can give law enforcement other forensics tools, but we must keep foreign governments, criminal groups, terrorists, and everyone else out of everyone’s phones. The president may be taking heat for his love of his insecure phone, but each of us is using just as insecure a phone. And for a surprising number of us, making those phones more private is a matter of national security.

This essay previously appeared in the Atlantic.

EDITED TO ADD: Steven Bellovin and Susan Landau have a good essay on the same topic, as does Wired. Slashdot post.

Posted on October 30, 2018 at 6:38 AM29 Comments


Phaete October 30, 2018 7:04 AM

The old problem of security versus ease of use.
A problem since the first door lock was invented.

M Welinder October 30, 2018 7:36 AM

You seem to imply that a higher price for an iphone 0-day means the iphone is better secured.

That is not a valid deduction.

What it means is that the value of breaking into an iphone is higher. That could be because fewer people can do it, but it could equally well be because the amount of money that can be fraudulently extracted from iphone users is higher. Or that the number of phones you reach with one exploit is higher because there is less fragmentation in the iphone world.

uh, Mike October 30, 2018 9:48 AM

President Trump is so predictable, you don’t need his cellphone to influence his behavior. Just don’t expect him to be rational.

Jeffrey Friedl October 30, 2018 10:07 AM

About the NYT article, I can understand how they assume that the President’s calls are being eavesdropped on, but it’s presented as if it’s a known, established fact that it has and continues to be ocurreing. Is it?

echo October 30, 2018 10:50 AM


This is why the current debate about phone privacy, with the FBI on one side wanting the ability to eavesdrop on communications and unlock devices, and users on the other side wanting secure devices, is so important. Yes, there are security benefits to the FBI being able to use this information to help solve crimes, but there are far greater benefits to the phones and networks being so secure that all the potential eavesdroppers — including the FBI — can’t access them. We can give law enforcement other forensics tools, but we must keep foreign governments, criminal groups, terrorists, and everyone else out of everyone’s phones. The president may be taking heat for his love of his insecure phone, but each of us is using just as insecure a phone. And for a surprising number of us, making those phones more private is a matter of national security.

I like the shift of emphasis from a top down hierarchial view and acknowledging that a flatter and more interconnected hierarchial arrangement is another perhaps more valid way of viewing security.

On the issue of “going dark” it has been a longstanding problem that both state and private organisations can be opaque both to regulators and the public. In some sectors most notably those affecting vulnerable people and discrimination some are especially opaque and very resistant to enquiry. It bothers me how thinsg are tilted in favour of organisations and away from civic society. This has always been a tug of war. I wonder if somewhere in the “going dark” argument whether the issue of “equity” can be leveraged to make things fair. Stronger protections which create positive obligations can work if adequately policed. The issue which I’m poorly articulating is that a good civic society should be seen as a helpful partner in building a better soiety rather than indirectly as a potential enemy which the advocates of “going dark” seem to forget.

vas pup October 30, 2018 11:44 AM

The bigger danger for head of state is coming out of GPS function of the phone. President of rebel Chechnya Dudayev was killed by precision air strike when using his satellite phone many years ago. Pablo Escobar was pinpointed by usage of his satellite phones as well. Now, when you have weaponized drones + intercepted precise GPS location of the phone (even is looks like for you not on, but actually function activated without your knowledge) head of state/CEO/other VIPs or just cheating spouse could become easy target – just observation. Recently President of Venezuela Maduro was lucky when attacked by drones. I suggest he should not use any smart phone devices as precaution against future attacks.
Conclusion: physical security jeopardized as well as information security when using those phones.

Clive Robinson October 30, 2018 12:11 PM

@ Bruce,

Back in 2005, unknown attackers targeted the cell phones of many Greek politicians by hacking the country’s phone network and turning on an already-installed eavesdropping capability.

That’s not quite what the Greek authorities think, they issued various pieces of information about a man and his wife that worked for the CIA[1] liasing for the NSA. Due to over confidence etc they were tied by several different chains of evidence to the “burner phones” used to monitor the politicians calls.

As you will find on Wikipedia and other places,

    As a result of the investigation, Greek authorities have issued an arrest warrant for a certain William George Basil, a NSA operative from a Greek immigrant background.

Some say CIA some NSA if you read James Bamford’s piece for the Intercept[1] you will see how the confussion arose.

Based on the information and evidence available, the case against Bill Basil is way way stronger than it is for those “hacking” indictments the US DoJ keep issuing for Chinese and Russian citizens.

@ ALL,

As for the rest of us, it depends on how interesting we are.

It’s not just “interesting” but “convenient” you need to consider as well…

You can go through considerable history of “wrongfull convictions” and nearly all boil down to lazy, incompetent, or malicious police behaviour.

Put simply the authorities start with no suspects that they have any evidence for, just a list of “likely candidates” based on statistics, experience, MO and hunches. In essence the closer you are to the crime, the victim, or the scene of the crime the more likely it is that you were involved.

As people get struck off the list due to having a reasonable alibi etc those lower down the list become more interesting. However there are limits on what resources the police have. Thus the more serious the crime the more the police will work their way down the list. At some point they will either stop investigating or they will find somebody without an alibi or who the police believe did it. At this point the investigation changes from eliminating people to trying to build a case against an individual etc. The further they go with building a case the more and more reluctant they are to drop the individual from their enquiries and go back to the list. Thus a cognative bias builds up where circumstantial evidence is given more weight than it deserves, and this can easily spiral to the point where contradictory evidence is ignored or even hidden.

The problem is a phone can put you close to the scene of the crime at the time. Thus the suspect list can get built out by including everyone who’s phone was communicating with cell masts adjacent to the crime scene…

There is nothing an innocent person can do about being in an area where a crime is being committed, it’s just the luck of the draw, much like being at home when a “robocaller” dials your landline as you are eating a meal.

But your phone can “place you at the scene” supposadly therefore you must have seen something etc. Even if you have not, you are going to look guilty thus be “convenient”…

Also the chances are better than you think that you can be linked to a victim… All of a sudden you might be rising up the list to being the police favourite…

Every day even creatures of habit to the point of OCD and beyond do things differently than they do on other days, mostly they are unworthy of comment. But that does not stop someone who is looking for something deciding it is suspicious behaviour. Cognative bias by the investigator just makes it that way, and so the process goes on.

Which is why sometimes innocent people that were just “convenient” end up in jail despite the fact they were innocent, honest and truthful… It’s why there is fairly solid advice that talking to the police is not a good idea at any time as you have nothing to gain and everything to loose…

[1] The James Bamford story for the Intercept is fairly easy to find on the Internet along with the man’s photo,


Vadim October 30, 2018 12:21 PM

I wonder if the dilemma between security versus law enforcement access could be solved with Shamir secret sharing.
I mean to distribute the parts of secret phone key between N other phone so that M less than N parts are needed to restore the key.

The Manufacturer will have have to maintain the list of N IMEI’s for each phone of course….

VRK October 30, 2018 12:53 PM

That is a key point @echo;

Whether “user / supplier / government rights equity” can ever reliably pivot on policing supplied by those most biased… is already a no go, as I see it.

Being that “helpful partner” is more likely to mean a choke hold, where we regulate the blood flow based on performance?

Instead, presently, I think your idea means getting a handle on these grotesque endpoint issues, taking security right out of the reach of human control, possibly by exploiting inaccessibly intimate, yet non-invasive, but massively mutating factors, who (or which) are captive at those endpoints. Some hook that no one can pull out of Mr. Fishy’s mouth in trade for a case of beer.

Which is precisely what got CSIS so cranky lately, it seems: (if a target is inconveniently hard, smash it with a very large rock, repeatedly, for years after it turns to powder).

NotAiPhoneFan October 30, 2018 6:03 PM

“Unlike computer networks, for which you can buy antivirus software, network firewalls, and the like, your phone is largely controlled by others.”
In android, you have option to install third-party antivirus and firewall, but in iOS I am yet to find a functional version of each. So, considering that, I don’t know how we can say androids are more vulnerable than iOS devices.

Sancho_P October 30, 2018 6:32 PM

Hilarious story, but very sad from a different point of view:
Donald Trump, winner of a democratic presidential election, therefore clearly the finest politician in the whole US of A, the most brilliant in big money, lobbying, conspiracy and bribery, actually the chief commander of this exceptional, world leading nation in economy, technology, liberty, and more, his highness,
is suspected to be dumb on the iPhone?
Suspected not to play the flute according to his (personal) agenda?
¿ Are_you_kidding ?

He is extremely suspicious, he knows about phone vulnerabilities, he knows about all kind of possible leaks, be it technical or human.

Oh boy.
No doubt he will have his second term, not only because the now headless Democrats eventually have forgotten what they are supposed to do (to foster an opponent, hint hint).

No, it is simply because in the US politics (and the here cited media) there is no one as clever as the croc.

The technical part is obvious:
We don’t know how to make general communication secure.

Sancho_P October 30, 2018 6:35 PM

@vas pub, re GPS function of a phone

In this particular case, wouldn’t some consider that fact as an advantage?

echo October 30, 2018 7:22 PM


This is the kind of thing I have been trying to articulate when discussing instititional issues and statistics and outcomes. You may love the example I am saving for a squid topic of a lawyers this week who made every mistake in the book before I walked in the door.

@VRK, @Clive

Yes, there is a problem with “investigations” and “but fors” with certain types of boneheaded organsations. They can turn into a vicious self-reinforcing loop. This can expand too as each “inadequate” organisation “passes the buck” to the point where there is “no effective remedy” or “fair hearing” and each reinforces the other to the point where “access to justice is possible only in theory”. It can take time for the truth to leak out directly or indirectly, and even then relatively low ranking staff in the same organisations who have no connection with the original case can still prejudge a case before reviewing the evidence or giving a hearing.

While the case I want to bring is fairly straightforward in practice it’s complex and difficult due to a number of reasons any expert in the field will be familiar with. At the extreme end of the spectrum it includes allegations against establishment figures and the police of corporate manslaughter and perverting the course of justice and fraud. These last three allegations have all been the attention of mostly unremarked media coverage or which I have given examples on this blog as they arose. It maybe that I am seeing things but there is sufficient evidence and official published reports and “community intelligence” which suggests something is awry enough to deserve a preliminary investigation at the very least.

I don’t believe I have been hacked although it did cross my mind. I believe it’s just a very long run of bad luck and coincidence caused by improperly resourced lazy organisations and individuals.

I’m fairly confident I have the science and law on my side but this is getting off topic.

Connie October 30, 2018 7:43 PM



blockquote>The old problem of security versus ease of use.



That’s an oversimplification at best. Proper security engineering, combined with good user interface design, can produce very secure systems that are still usable. The catch is that it’s not cheap. People rarely use formal verification, or even thorough code reviews; hell, nobody will even pay for ECC RAM, so you can probably still attack VMs by waiting for a target’s phone to get hot (cf. Sudhakar+Appel 2003).

(The iPhone is a good example of a usable and reasonably secure system, though obviously not secure enough for some users or for Apple to feel safe in opening it up.)

But, I’m pretty sure SS7 isn’t insecure for ease of use. Maybe for ease of development, i.e., because nobody was willing to pay to do better (plus people still had the idea of a “trusted network” in mind). GSM’s A5/2 cipher was broken not for ease of use, but because of the USA’s boneheaded crypto policy—keep that in mind when the FBI whines we’re “going dark”. A5/1 was arguably broken by politics, specifically the closed nature of the standards group that proposed it (it’s similarly been said that the IEEE paywall contributes to wifi insecurity). Buffer overflows are never added for ease of use; that’s sloppy coding with poor review. Probably most of the exploits on the market have little relation to ease of use.

jdgalt October 30, 2018 8:21 PM

The biggest security risk I’m concerned about with my cell phone is that both of the major phone operating system publishers made their fortunes reselling data gathered unnoticeably from the users of their products. What we need is an open-source phone operating system we can use to get out from under both Apple and Google.

echo October 30, 2018 8:31 PM


I agree that design and verification areissues. I completely agree with the idea that instititional paywalls are a barrier to informed discussion and in some cases believe this is deliberately so to enhance “guild status”. IEEE is by no means the worst. The so-called establishment professions are worse by orders of magnitude.

Z.Lozinski October 31, 2018 7:07 AM


But, I’m pretty sure SS7 isn’t insecure for ease of use. Maybe for ease of development, i.e., because nobody was willing to pay to do better (plus people still had the idea of a “trusted network” in mind).

If you think SS7 was designed for ease of development, then you’ve never had the pleasure of implementing or testing it! The design of MTP-2 pretty much mandates a mixed hardware/software implementation. The higher layers are not so bad. Remember SS7 was designed in the late 1970s to fix the blue-box vulnerabilities re-discovered and exploited multiple times in the 1960s. At that time, countries only had one network. The conceptual model is that the telephone exchange / central office acts as a firewall between the insure world of pulse and tone dialling and the secure world of SS7.

Going back to the topic of secure phones for heads of state. About 12-14 years ago, the team that implemented one of the secure GSM handsets (GSMK) gave technical presentations at Fifth HOPE and Hope Number Six on what was required to secure the underlying platform they were using for the first version of the Cryptophone secure handset. They had to strip modules out of the kernel to avoid exploits. Reported on this very blog:


With modern smartphones, if the vendor hasn’t thought this through at design time, and paid careful attention during implementation and test, it is probably beyond most countries abilities to secure their head of government’s smartphone. (Exceptions for the Usual Suspects, but that is 10 countries at most).

Jack October 31, 2018 7:53 AM

What evidence exists that mobile-phone “on-air” encryption is secure ?
In my (western) country you can not get a license to operate as a telephone-company if you do not provide LEA access to listening in on and record calls .

Z.Lozinski October 31, 2018 10:44 AM


Remember that Lawful Intercept is performed within the mobile core network, not on the air interface. LI is nothing new: I have the (British) GPO manual from 1937 that describes how it was implemented back then.

As regards the security of the air-interface, the 4G standards give operators a choice of four encryption algorithms, with 128 bit key values: no-encryption, SNOW (University of Lund, Sweden), AES-128 (NIST, University of Louvain) and ZUC (China Academy of Sciences). The operator chooses which algorithm to use, which may be a requirement of the license or regulator. So, what is the strength of a 128 bit symmetric key algorithm, and what confidence do you have in the selected algorithms? Brute force attacks on 128 bit algorithms will not work. For 4G, the algorithms are all published, and have been evaluated by the international community, which is an improvement over 2G and 3G where the algorithms were confidential.

The on-going debate is about the vulnerability of mobile devices to IMSI catchers (which are fake base stations) since there is no 2-way authentication. This potentially exposes the IMSI, and allows the mobile device to be tracked. There is pretty much nothing you can do to prevent this other than turning the phone off.

There is a summary of the security issues with 4G mobile by the US NIST, here:


Skizzo October 31, 2018 2:23 PM

Regarding ZTE and Huawei, is there concrete proof any of their devices have been compromised? The same kind of proof many are asking for with regards SuperMicro?

And as to the selling of exploits…how do those deals go down? I mean, any NDA can be broken, but we’re talking about the dark, seedy underground hacking scene here. How could you prove that the next hacker who exposes the same exploit you just paid $1.5M for, a week after you acquired it, didn’t discover it on his own, especially if he’s ‘anonymous’? Seems like a risky investment…

Clive Robinson November 1, 2018 5:24 AM

@ Skizzo,

Regarding ZTE and Huawei, is there concrete proof any of their devices have been compromised? The same kind of proof many are asking for with regards SuperMicro?

I don’t know about ZTE but Huawei have gone quite a distance to allay any suspicion they are doing so. In fact way more so than any other major telco company that I’m aware of. They have setup the “Huawei Cyber Security Evaluation Centre” (HCSEC) with the UK Government via an interface with GCHQ’s commercial interface organisation which was at the time CESG but is now “The National Cyber Security Centre” (NCSC).

Which is why quite a few “industry insiders” think the US behaviour is entirely political in nature (which it is). Initially for “trade protection reasons” (supposadly Huawei stoll US IP) but later as a “big scary monster” political fabrication, and back to trade protection again as apparently they have knocked Apple back into second place on the smart phone front…

The reality is if China realy wanted to backdoor technology they have more than sufficient research brains in mathmatics and the like to be the equall of both GCHQ and the NSA in making mathmatical and logical trap doors in algorithms etc.

Depending on how paranoid you want to make your thinking processes, you could make argument that the current Chinese APT “hacking” that gets caught is just a “cover” to protect other more secret methods. That is much as the British did during WWII with Ultra to protect the Enigma breaking secret.

The fun of such thinking is “How far down the rabbit hole do you want to go?”, I’m betting not as far as some IC and SigInt entities have already sailed through at a vast rate of knots, leaving much devistation and destruction in their wake.

It’s part of the “We are the Good Guys” thinking which uses the excuse of “The Greater Good” to excuse doing “bad things”. Because the axiom of their thinking is, “We are the Good Guys” thus as “They are the Bad Guys” they must by definition “Be worse a lot lot worse than we are”. Thus whizz down the spiral you go trying to play catchup with your worst nightmares.

That’s not to say someone might not actually be further down the spiral… Look at the history of MAD, the ultimate conclusion of which is a “Doomsday Device” of such magnitude it will asuradly annihilate everybody… Well we now know that Russian scientists actually went ahead and designed not just the “Tsar Bomb” but actually proposed putting them or larger devices into a ship that would sail in fairly shallow seas with all sorts of automatic triggers such that it would go off if Russia was attacked. In what for many politicos must have been a rare moment of sanity the then Russian leader decided that such power was too much and too dangerous and stopped the idea dead.

Hence people play “Hunt da Wabbit” in what to humans appears a never ending spirall… Some days it supprises me we are still here 😉

[1] https://www.theguardian.com/technology/2016/aug/07/china-huwaei-cell-uk-national-security-cyber-surveillance-hacking

[2] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/525761/huawei_cyber_security_evaluation_centre_oversight_board_2nd_annual_report_2016.pdf

Givon Zirkind November 1, 2018 6:30 AM

Careful now. Suggesting Venezuelan President should ditch his cell to avoid assassination attempts could earn your cellphone’s place on “We Have To Listen To This Subversive Guy” list. 🙂

itsjustobvious November 2, 2018 7:06 AM

I looked through the responses for the obvious reason that president Trump does not use a secure phone, which of course would be issued by one of the three letter agencies with which he currently has an ongoing quarrel. It’s plain that the president fears for the “lawful interception” of his communications if he in practice relies on a TLA supplied phone.

He seems to be saying that he’d rather take his chances with Apple. He does get advice from tech savvy people, while it’s somewhat obvious he himself may not be in that group of people. It’s not known whether or not he uses an over-the-top protocol of encryption to encapsulate the likely-to-be vulnerable protocols that are the main protocols of the phone system. If he has such advisors as I imagine, they could implement out-of-band OTT methods for him.

Given that he seems to fear being under an investigation, it’s really doubtful he’d want the investigators to supply his phone. Seems really simple to me.

bbhack November 7, 2018 1:11 AM


That level of snark, analysis, humor, subversiveness, subterfuge, and self awareness is not allowed around here. #OrangeManBad

But you are exactly right. It’s great to be underestimated – the more the better.

Cincinnatus_SPQR November 8, 2018 7:30 AM

Using a cellular telephone is the same as running around naked in front a supercomputer with five thousand cameras and antennae sucking in and processing your data in all its ugliness and glory. The question is: who is processing your data, why?

An old-school phone is much less fun to exploit, and it has much less information.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.