AT2k Design BBS Message Area

From: Sean Rima
To: All
Subject: CRYPTO-GRAM, September 15, 2025 Part8
Date: September 15, 2025 2:23 PM

at explains the results.

This is a pretty exciting paper from a theoretical perspective, but I don't see
it leading to any practical real-world cryptanalysis. The fact that there are
some weird circumstances that result in Fiat-Shamir insecurities isn't new --
many dozens of papers have been published about it since 1986. What this new
result does is extend this known problem to slightly less weird (but still
highly contrived) situations. But it's a completely different matter to extend
these sorts of attacks to "natural" situations.

What this result does, though, is make it impossible to provide general proofs
of security for Fiat-Shamir. It is the most interesting result in this research
area, and demonstrates that we are still far away from fully understanding what
is the exact security guarantee provided by the Fiat-Shamir transform.

** *** ***** ******* *********** *************

A Cyberattack Victim Notification Framework

[2025.09.12] Interesting analysis:

When cyber incidents occur, victims should be notified in a timely manner so
they have the opportunity to assess and remediate any harm. However, providing
notifications has proven a challenge across industry.

When making notifications, companies often do not know the true identity of
victims and may only have a single email address through which to provide the
notification. Victims often do not trust these notifications, as cyber criminals
often use the pretext of an account compromise as a phishing lure.

[...]

This report explores the challenges associated with developing the
native-notification concept and lays out a roadmap for overcoming them. It also
examines other opportunities for more narrow changes that could both increase
the likelihood that victims will both receive and trust notifications and be
able to access support resources.

The report concludes with three main recommendations for cloud service providers
(CSPs) and other stakeholders:

- Improve existing notification processes and develop best practices for
  industry.
- Support the development of "middleware" necessary to share notifications with
  victims privately, securely, and across multiple platforms including through
  native notifications.
- Improve support for victims following notification.

While further work remains to be done to develop and evaluate the CSRB's
proposed native notification capability, much progress can be made by
implementing better notification and support practices by cloud service
providers and other stakeholders in the near term.

** *** ***** ******* *********** *************

Upcoming Speaking Engagements

[2025.09.14] This is a current list of where and when I am scheduled to speak:

- I'm speaking and signing books at the Cambridge Public Library on October 22,
  2025 at 6 PM ET. The event is sponsored by Harvard Bookstore.
- I'm giving a virtual talk about my book Rewiring Democracy at 1 PM ET on
  October 23, 2025. The event is hosted by Data & Society. More details to come.
- I'm speaking at the World Forum for Democracy in Strasbourg, France,
  November 5-7, 2025.
- I'm speaking and signing books at the University of Toronto Bookstore in
  Toronto, Ontario, Canada on November 14, 2025. Details to come.
- I'm speaking with Crystal Lee at the MIT Museum in Cambridge, Massachusetts,
  USA, on December 1, 2025. Details to come.
- I'm speaking and signing books at the Chicago Public Library in Chicago,
  Illinois, USA, on February 5, 2025. Details to come.

The list is maintained on this page.

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security technology. To subscribe, or to
read back issues, see Crypto-Gram's web page.

You can also read these articles on my blog, Schneier on Security.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable. Permission is also granted to reprint
CRYPTO-GRAM, as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist, called a
security guru by the Economist. He is the author of over one dozen books --
including his latest, A Hacker's Mind -- as well as hundreds of articles,
essays, and academic papers. His newsletter and blog are read by over 250,000
people. Schneier is a fellow at the Berkman Klein Center for Internet & Society
at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy
School; a board member of the Electronic Frontier Foundation, AccessNow, and the
Tor Project; and an Advisory Board Member of the Electronic Privacy Information
Center and VerifiedVoting.org. He is the Chief of Security Architecture at
Inrupt, Inc.

Copyright (C) 2025 by Bruce Schneier.

** *** ***** ******* *********** *************

--- BBBS/LiR v4.10 Toy-7
 * Origin: TCOB1: https/binkd/telnet binkd.rima.ie (618:500/1)