ICE Uses Graphite Spyware
ICE has admitted that it uses spyware from the Israeli company Graphite.
Rontea • April 22, 2026 9:20 AM
Surveillance technology like zero-click tools such as Graphite is moving faster than our laws.
Clive Robinson • April 22, 2026 10:46 AM
@ Bruce, ALL,
You just know it’s a honking great pile of “horse apples” when you read,
“ICE’s Homeland Security Investigations (HSI) is using various tools as part of its mission to disrupt and dismantle foreign terrorist organizations, “particularly those involved in the trafficking of fentanyl.””
This linking “terrorist organizations” with “trafficking fentanyl” is just the new,
“Think of the children”
Nonsense to “knee jerk people into cognitive bias”.
When you realise this you start to think about what the real purpose is …
So leaving your smart phone / tablet at home, and taking the dumbest “oldies brick” instead makes a lot of sense.
Also get “encryption/decryption” off of your smart devices; the move to “client side scanning” should tell you this is a very very bad idea.
As I keep mentioning you need to go “off comms device” via a properly gapped method…
Thus ensure that,
1, The attackers can not see the user interface in any way.
2, The “security end point” is well clear of the communications end point.
3, Traffic flow is fully segregated and mandated.
Further I advise the use of “deniable encryption” that is also proof to betrayal by the second party to any third party.
Sadly such systems need more KeyMat than total message lengths envisioned so you can get “Shannon Perfect Secrecy” as a base step.
K.S • April 22, 2026 12:41 PM
@Clive Robinson
Your advice is incomprehensible to anyone that would benefit from it. That is, you are preaching to the choir instead of helping people.
Clive Robinson • April 22, 2026 8:27 PM
@ K.S.
With regards,
“you are preaching to the choir instead of helping people.”
Actually not true.
I have repeatedly posted to this blog how to go about doing it with just a pencil paper and a match.
But how many times do you think I should keep on saying it and getting complaints for doing so?
Come on come up with a number so every one can have an argument about it with you, it is what you are obviously after.
To disrupt this blog and basically attack our host.
What makes you so petty? So small minded? And well need I go on about your clear failings?
Clive Robinson • April 22, 2026 10:01 PM
@ Rontea,
With regards,
“Surveillance technology like zero-click tools such as Graphite is moving faster than our laws.”
It’s not just our “laws” / legislation / regulation, it’s actually a “mindset” that is at fault.
Every change in technology no matter how seemingly small is going to affect society to some extent.
Whilst the technology is usually “agnostic to use” the ideas in the “directing mind” that puts the technology into play, how and to what extent are very much the opposite.
That is we have to act first as observers and think through as many of the pro points and con points as possible and importantly who benefits from them either way and how.
We also have to realise that sometimes the intent will find an outlet.
If you have a gun you can shoot, if you have a knife you can stab, if you have a bat you can bash, if you have something toxic you can poison and so on.
The intent is to harm/kill another individual the means does not matter only the desired outcome of the directing mind. To stop the crime you have to stop the mind.
Preventing access to a tool will not stop a mind, just make the intent marginally more difficult and actually considerably harder to prosecute in many cases.
But preventing access to a tool has downsides that can be rather more deadly in the long term.
In the UK politicians are trying to solve “knife crime” rather than the actual “crime”. So they want to ban knives in all shapes and forms.
Primarily knives are tools and are used in all sorts of trades, activities, and every day living. Not least of which being that knives save more lives than they take… though you rarely get to hear about “saved” rather than “taken”.
This highly biased reporting is due to the Press and the old “If it bleeds it leads” titillating / gossip / vengeance / hate / racism etc nonsense they quite deliberately “stir up”[1]. Which as a result causes significant further harm.
I used to carry a “Swiss Army Knife” on the key ring I carried on my belt. All quite legal and it had enabled me to make many simple repairs and similar many times for many people, as well as saving my own life in an accident at least once. However under “political pressure” from knee jerk politicians the quite legal knife became a “Police Harassment Target” for not legal “Stop and searches”, along with on one occasion the unfounded accusation of “going equipped to commit a crime” which is a charge that requires absolutely no factual evidence whatsoever, just the highly biased “opinion”[2] of the police officer making it up…
[1] It appears that this is currently happening in a “Market Town” in the UK south south west of London in the County of Surrey called “Epsom”. Where there are “protests” happening over something Surrey Police are investigating that if “the alleged crime” happened, might have had a racial component, of a type that currently causes tensions to be inflamed in the UK. With the result that two protests have caused significant issues,
https://www.bbc.co.uk/news/articles/clyxp4q5k93o
The reasons the police have said little is due to the nature of the UK Judicial Process and laws protecting all those involved, which are explained in,
https://www.getsurrey.co.uk/news/surrey-news/epsom-rape-investigation-protests-what-33808683
Unfortunately some have chosen to “stir it up” for various reasons, with the result that “vigilante crime is rising up”…
[2] The crime of “Going equipped” is an offence defined by section 25 of the Theft Act 1968 and can result in three years detention. And it has three components,
1, You were not at your home (or place of work).
2, You had a tool or other article in / under your possession.
3, That the tool –in the officer’s opinion– was intended for use in the course of a burglary or theft –that in the officer’s opinion– you might have been going to carry out.
Under UK law you as the defendant are not allowed to call the officer’s opinion/motives into question at trial (see “gateway proceedings” brought in by Tony Blair PM and his “flat mate” Lord Faulkner to “up the conviction rate and lower the cost of running UK courts”). Starting with,
lurker • April 22, 2026 11:34 PM
@Clive Robinson
“To stop the crime you have to stop the mind.”
Ah. it’s eugenics now is it?
Isn’t that what ICE is up to?
Weather • April 23, 2026 3:33 AM
@All
Good advice I got told when young is, at a work place don’t talk about sex, religion and politics.
Cheers
Winter • April 23, 2026 3:44 AM
@Clive
“I have repeatedly posted to this blog how to go about doing it with just a pencil paper and a match.”
Which would reduce the bandwidth of your communication to about 1 email per day (workdays), to send or receive. But only if that email was not too long. Unless, of course, you would use a computer to do the en/decoding.
I am reminded of the contest between the Post Office and the Grand Trunk Semaphore Company in Terry Pratchett’s Going Postal. Especially the part where the Grand Trunk Semaphore Company had to devise a way to encode images.
Ismar • April 23, 2026 5:37 AM
This is mostly about endpoint security and, as Clive already states, it can only be guarded against by separating the security endpoint from the communication endpoint. I thank Clive for this and his explanation of how this could be achieved but would like to see it all done in one place, including how to build the electronic parts and connect them to a phone, if that is not too much to ask, as often the proof is in the pudding.
Here is also a brief summary of how Graphite achieves its goals:
Graphite, developed by the Israeli firm Paragon Solutions, represents a shift in the spyware arms race. While many are familiar with NSO Group’s Pegasus, Graphite gained notoriety for its specialized focus on bypassing encryption not by “breaking” the math, but by compromising the endpoints and cloud ecosystems where that data eventually rests in the clear.
Here is a technical breakdown of the vectors Graphite uses to intercept supposedly secure communications.
1. Endpoint Compromise: The “Pre-Encryption” Hook
The most effective way to defeat End-to-End Encryption (E2EE) like that found in Signal, WhatsApp, or iMessage is to reside on the device itself. Graphite utilizes high-end exploits to gain root or kernel-level access.
* Memory Scraping: Once Graphite achieves privilege escalation, it can monitor the memory space of messaging applications. Because a message must be decrypted to be displayed on the screen, Graphite captures the plaintext directly from the device’s RAM.
* Keylogging & Screen Capture: By hooking into the OS input/output buffers, the spyware logs keystrokes before they are encrypted and takes periodic screenshots of the “decrypted” chat interface.
* API Hooking: It intercepts the calls between the application and the operating system. When an app requests the “Send” function, Graphite captures the payload before the E2EE protocol wraps it in a secure layer.
2. Cloud Integration & The Microsoft Graph API
The name “Graphite” is widely believed to be a nod to its specialized ability to exploit the Microsoft Graph API. This is a significant differentiator from other spyware.
* OAuth Token Theft: Instead of just stealing passwords, Graphite focuses on harvesting authentication tokens. These tokens allow the spyware to impersonate the user to cloud services (Microsoft 365, OneDrive, Google Drive) without triggering Multi-Factor Authentication (MFA) prompts.
* Backdoor to Backups: Many E2EE apps offer “Cloud Backup” features. While the transmission is secure, the backups themselves are often stored in the cloud with keys managed by the provider (or the user’s account). By leveraging the Microsoft Graph API, Graphite can silently exfiltrate these backup databases and decrypt them offline using stolen keys or by exploiting configuration weaknesses.
3. Vulnerability Research and Zero-Clicks
Graphite relies on a chain of vulnerabilities to install itself without user interaction (Zero-Click).
Stage / Action / Technical Vector:
* Ingress / Silent Delivery: Often delivered via “invisible” SMS (Silent SMS) or protocol flaws in system services like iMessage (IMTranscoderAgent) or WhatsApp’s VoIP stack.
* Exploitation / Sandbox Escape: Uses a “0-day” exploit to break out of the application sandbox and reach the OS kernel.
* Persistence / Living off the Land: Graphite often attempts to remain “volatile” (running only in memory) to avoid detection by file-system scanners, though it can establish persistence if the target device reboots.
4. Bypassing Modern Defenses
Graphite is designed to circumvent modern mobile security features such as BlastDoor (iOS) and Advanced Memory Protection (Android).
* Jailbreak-less Operation: Modern spyware rarely performs a full “jailbreak” in the traditional sense, as that is too noisy. Instead, it uses Privilege Escalation (Privesc) vulnerabilities to grant itself “System” or “Root” permissions while leaving the rest of the OS appearing “Genuine” to integrity checks.
* Traffic Obfuscation: Exfiltrated encrypted messages are rarely sent to a Command & Control (C2) server directly. Graphite often hides its data traffic within legitimate HTTPS requests to high-reputation domains (like Cloudflare or AWS frontends) to blend in with normal background noise.
Note on E2EE: It is critical to understand that Graphite does not find a mathematical flaw in the AES or Signal Protocol algorithms. It simply waits for the user to unlock the door (the device) and then walks in to read the mail on the desk.
How does the emergence of these “cloud-native” spyware capabilities change your view on the security of synchronized mobile ecosystems?
Clive Robinson • April 23, 2026 5:45 AM
@ lurker,
With regards,
“Ah. it’s eugenics now is it?”
That was tried in both Europe and the US a century ago. And whilst next to nobody talks about it, history shows it was a complete failure for fairly obvious reasons.
What has been found to work is simple, but is something certain people in the US really don’t want,
“Good open education from around age 2”
Under repeated testing it has been shown to reduce crime of all types as well as improving “health score” and other “life issues”. Thus overall affecting positively all the “life score measures” that were made, and thus increasing “Average longevity” (remember the US is just about the only place in the western world where average life span is decreasing markedly).
In the US in many places it is clear that certain political types want “Caste/Class based Education” because it makes exploiting the population oh so much easier when they’ve been badly educated.
Need I say as a policy this is not going to “Make America Great Again” for anyone because this century Sovereign GDP very much depends on the base education level of the population… Oh and Current AI based on LLM and ML Systems is not going to fix the GDP issue no matter how much Sam Altman and Co might claim otherwise.
Clive Robinson • April 23, 2026 6:10 AM
@ Winter,
“Which would reduce the bandwidth of your communication to about 1 email per day (workdays), to send or receive.”
Yes paper, pencil and match are slow, but have two major advantages,
1, You can see the security in progress.
2, You can see the function in progress.
So as a method of “teaching understanding” it is a good way to go. Importantly it is also about “as simple a system as it gets” and is very very easy to implement in clear stages, so gives an easy build path that delivers quickly.
So even a moderate beginner at “embedded system” programming could code it up in even assembler. Or a school kid using a higher level scripting language for an Arduino Nano or similar very small “single board computer” that is down in the “pocket money” level of expense…
I’ve even coded it up in a day using Apple Basic (that was originally written up by Microsoft using only integers). Likewise BBC Basic both of which you can get easily “emulators for” or “modern” computer kits.
A “scout troop” used it in part for many of the science, technology, digital, and maker related badges from basic Scouts up to Explorer and leader training.
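The “pencil, paper and match” system Clive refers to above, and the key material (KeyMat) requirement he raised earlier in the thread (“such systems need more KeyMat than total message lengths envisioned”), are a one-time pad. The following is an added illustration written for this thread, not Clive’s own method or any project’s code: it assumes the pad bytes have already been shared out of band (the “gapped” part is out of scope here), consumes pad bytes strictly once and burns them after use (the “match”), refuses to send when the pad is exhausted, and shows the perfect-secrecy property behind the “deniable” point: for any claimed plaintext of the same length there exists a key that decrypts the ciphertext to it. The message strings and the random pad are constructed sample values.

```python
import os


class OneTimePad:
    """Pad bytes are consumed once, front to back, and overwritten after use."""

    def __init__(self, key_material: bytes):
        self._pad = bytearray(key_material)  # private copy so it can be burnt
        self._offset = 0

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def _take(self, n: int) -> bytes:
        # A message longer than the unused pad must be refused, never "stretched":
        # reusing pad bytes is exactly what destroys the perfect secrecy.
        if n > self.remaining:
            raise ValueError(f"pad exhausted: need {n} bytes, have {self.remaining}")
        start = self._offset
        segment = bytes(self._pad[start:start + n])
        self._pad[start:start + n] = b"\x00" * n  # burn the used segment
        self._offset += n
        return segment

    def encrypt(self, plaintext: bytes) -> bytes:
        key = self._take(len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, key))

    def decrypt(self, ciphertext: bytes) -> bytes:
        # XOR is its own inverse; the receiver's pad must be at the same offset.
        return self.encrypt(ciphertext)


def pad_needed(messages) -> int:
    """KeyMat required: at least the sum of all message lengths ever to be sent."""
    return sum(len(m) for m in messages)


def alternative_key(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """Shannon's point in one line: every same-length plaintext is equally consistent
    with the ciphertext, because key = ciphertext XOR plaintext always exists.
    A third party holding only the ciphertext therefore learns nothing about it."""
    if len(ciphertext) != len(claimed_plaintext):
        raise ValueError("ciphertext and claimed plaintext must have equal length")
    return bytes(c ^ p for c, p in zip(ciphertext, claimed_plaintext))


def demo():
    """Two parties with identical pads; the pad holds exactly enough for two messages."""
    messages = [b"meet at noon", b"bring the papers"]   # constructed sample traffic
    shared = os.urandom(pad_needed(messages))            # constructed sample pad
    alice, bob = OneTimePad(shared), OneTimePad(shared)
    round_trip_ok = all(bob.decrypt(alice.encrypt(m)) == m for m in messages)
    try:                                                 # a third message must fail
        alice.encrypt(b"one more")
        exhausted = False
    except ValueError:
        exhausted = True
    return round_trip_ok, exhausted


if __name__ == "__main__":
    print(demo())
```

The two things to take from it are the accounting (`pad_needed` must be computed before the pad is generated and shared, and the sender must refuse rather than wrap around when it runs out) and `alternative_key`, which is why a pad, unlike a password-derived key, gives the holder a cover key that decrypts the same traffic to an innocuous message.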
Clive Robinson • April 23, 2026 6:39 AM
@ ALL,
ICE think the Glass-Hole look is cool…
I mentioned on the previous thread,
https://www.kenklippenstein.com/p/exclusive-ice-glasses
Exclusive: ICE Glasses
Homeland Security is making “smart glasses” to collect intelligence on Americans
“The Department of Homeland Security is developing specialized smart glasses that will allow federal agents on American streets to automatically identify “illegal aliens” from a distance, budget documents reveal.
These new ICE Glasses, building on available glasses that allow video recording and heads-up data display, will be able to pulse vast federal holdings of biometric data — from facial recognition to walking gait — to identify people in real-time.”
For those with short memories or of a tender age the very derogatory term “Glass-Hole” came about due to one of the Silicon Valley Mega Corps designing and selling “Smart Glasses” that could “spy as you go” and could give the wearer the equivalent of a private “heads up display” it was touted as “never forget a face” technology for “constipated manglement types”.
Other more useful uses were for engineers and similar working on complex machine maintenance / repair.
But the wearing of such glasses in public very quickly became a Social “No No” and would get you shunned even by geeky types.
The potential for abuse with such glasses is so immense it’s crossed over into “unimaginable horror” territory.
And realistically the level of abuse they can be used for today, are going to be as nothing within a very short period of them being put into general use. As the author of the article notes,
“Though Congress has been notified of the project, no members have said anything publicly, including Homeland Security Committee leaders Bennie Thompson, Rand Paul, Andrew Garbarino, and Gary Peters.
When that federal agent near an ICE protest in Maine said, “We have a nice little database,” he wasn’t kidding. The only joke here is Congress.”
Winter • April 23, 2026 7:08 AM
@Clive
“So even a moderate beginner at “embedded system” programming could code it up in even assembler.”
I am as vain as the next programmer, but I have internalized the message to not write my own cryptographic code.[1]
Sorry, but I stick to that.
[1] I even failed to design an encryption scheme I couldn’t break. Go figure.
Clive Robinson • April 23, 2026 12:23 PM
@ Winter,
With regards,
“I have internalized the message to not write my own cryptographic code.”
This is one of the pieces of advice I really hate… Because,
1, As a general observation nearly all code has exploitable instances, in fact it has lots as it gets more complex (once given as the 1 line in every 5 has a vulnerability metric).
It’s not a product of the programming language or the programmer (which is why “flame wars” are such a waste of time). It’s a product of a “non engineering approach” as forced by “management and marketing” due to their wanton inability to apply “engineering techniques”… So as we’ve seen “aircraft fall out of the sky, and people die”…
2, Like all skills it takes about 20,000 hours as an adult to learn to write secure code over and above the hours spent learning a generic programming language for “production” coding.
But… considerably less than half that when you start as a pre-teen in a structured way the hours fold almost invisibly into learning a generic programming language to write cleanly and competently…
Many don’t realise that the alleged famous quote of Edsger Dijkstra against BASIC of,
“It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration.”
Was just one of many he made against popular programming languages for production code at the time. For instance,
“The use of COBOL cripples the mind; its teaching should, therefore, be regarded as a criminal offense.”
And so on with many more…
The reality is that Edsger Dijkstra just hated programming languages because he hated production code programming that did anything that people would pay money for…
“Progress is possible only if we train ourselves to think about programs without thinking of them as pieces of executable code.”
Thus he was railing not so much against the resource limited programming languages of the time, but the “Methods of Mangle-ment and Mark-hitting” to get “code out the door that brings in income quickly”.
Hence,
“Don’t blame me for the fact that competent programming, as I view it as an intellectual possibility, will be too difficult for ‘the average programmer’.”
Along with,
“Computer science is no more about computers than astronomy is about telescopes.”
And worse, what he said about OOP indicates that he was actually mostly uninterested in the use of computers for anything tangibly practical, as emphasized by his statement of,
“You must not fall into the trap of rejecting a surgical technique because it is beyond the capabilities of the barber in his shop around the corner.”
Ivory towers are there for people to be shouty about others from…
The problem is the person shouting can be missing the mark by a long way.
Look at it another way,
How do you become expert enough to write secure code, if you don’t put in the time “on the job” to get the experience?
Weather • April 23, 2026 12:46 PM
@All
Substitute box Otp [16][16]
Rotate password and Otp, wrap around by 16, minimum password size 16
Xor Otp by data
Copy, paste to communications channel
The Otp box needs to be known by both people, and a good random number
lurker • April 23, 2026 1:38 PM
@Ismar, ALL
re OAuth Token Theft
There’s a lot of sites nowadays telling me
“You can stay logged in on this ‘Trusted Device'”
Heck, I don’t trust my device, so why should they?
Weather • April 23, 2026 4:53 PM
@All
1 bit of information has 3 values on entropy, 2 for 0,1 and 1 for placement.
If you have 2 bits, 4 values of 0,1 and a Msb and Lsb placement.
Rotate minimize the placement area.
Math functions like add, sub, mul etc have different placement components; what I’ve been working on, they are not fit for purpose.
A small device that plugs into a phone that transfers using USB file transfer, which then sends from the phone.
The device after encryption has to delete the Otp, before copying to cell phone.
Each 256bits of data has to have unique Otp and not reused, and destroyed after.
It would be better to use a 256 byte password, to minimize leakage.
Sha, all, is 32,64 bit, but the char range is 256bit. All hashes at present will suffer the same attack.
Zig lighter with ultrasound random generator to produce white noise, or a cd player, crack the cd after.
Cheers weather
Ismar • April 24, 2026 12:02 AM
Here’s a link to instructions on how to make your own Graphite resistant setup (I tried posting instructions here directly but the auto moderator put them on hold)
lurker • April 24, 2026 2:47 AM
@Ismar, ALL
Shoot the messenger:
Save that linked Gemini page as html.
Open it in a text editor.
All the useful stuff is encoded,
But there’s a load of plaintext garbage in there that tells me Gemini’s output is not segregated or sanitised …
a twilight of ice circles his teeth • April 22, 2026 7:26 AM
Sousveillance
Learn it, live it, love it.