The oldest known cephalopod—the ancestor of all modern octopuses, squid, cuttlefish and nautiluses—is 500 million years old.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
Clive Robinson • April 2, 2021 5:35 PM
@ name.withheld…,
Kind of a priori with apriori as proof. You cannot make this stuff up.
Apparently ackording to some, the fact nobody has found the rim of the earth kind of provrs that the earth is flat but repeats infinitely… Or some such.
Then of course is the problem of verticle shafts in the ground…
As most of us know gravity pulls a blumb-bob down verticly. So taking great care you sink a deep but uniformly narrow shaft down it. You do this twice and make them a hundred or so miles appart on the same line of latitude in the range where the sun can be verticly overhead above the shafts once or twice a year (astronomers have done this or the equivalent tower to make zenith telescopes[1] for a few hundred years up untill the 1980’s with standard mirrors and more recently with parabolic spun liquid-mirrors[2]).
You then link the shafts together electronically and measure the transits recording the times. Most college kids can work out the earth’s circumference with pencil, paper and calculator based on three successive days of taking readings.
But apparently with the earth being flat the sun circles above the Earth in a conic pattern or dome such…
It makes you wonder how Galileo felt effectively locked up for life after he upset the pope by measuring the orbits of planets with sufficient accuracy to indicate the universe did not spin around the earth.
Matrix • April 2, 2021 7:11 PM
Wonderful technique on sensing the matrix:
http s://blog.can.ac/2021/03/22/speculating-x86-64-isa-with-one-weird-trick/
Nice write up on fine grain measurements of code gravity. Of particular amusement is dodging Mr Smith interrupts (SMI and NMI),
a black cat glitch of the matrix itself 😛
Also wonderful seeing people teaching their jujitsu in the open without the security argument “I should not teach because someone ill intended may use it.”
Paraphrasing the Peoples Computer Company [1] MOTD:
Computers are mostly
Used against people instead of for people
used to control people instead to free them
Time to change all that
[1] http s://en.wikipedia.org/wiki/People%27s_Computer_Company
Jonathan • April 2, 2021 9:01 PM
Bruce, your RSS feed links to XML metadata. eg: /blog/archives/2021/04/friday-squid-blogging-500-million-year-old-cephalopod.html/feed/atom/
I’ve now got to earase the last two path components every time I click a link in my RSS reader.
name.withheld.for.obvious.reasons • April 2, 2021 9:30 PM
@ Clive
You’d mention the difficulty of having access to online data, here is a simple way to use curl to get back the results of a google search to stdout. (did not encapsulate the string, hope this works)
curl –raw –url ‘https://www.google.com/search?q=USENIX’ | more
Weather • April 2, 2021 11:09 PM
@name…
What about SSL?
name.withheld.for.obvious.reasons • April 3, 2021 2:31 AM
@ Weather
What about SSL?
Notices the URL/URI is consistent with an SSL/TLS connection. Any recent version of curl or lynx should suffice. I use such tools to touch sites that are questionable at best. Either one should have library support via openssl.
Of course it also means you either need to digest the stdout with a parser or analyzer/beautify application. I often use hexdump or xxd to process a file as opposed to have the terminal session interpret the stream. So paranoia requires that I redirect to a file and process it with hexdump/xxd or pipe from the network stream. Again, just depends on your paranoia level.
Oh, and it worked–was afraid the html parsing would be a problem and would have to resort to Insert code here.
Czerno • April 3, 2021 4:05 AM
@Name : Tried your query, no joy. Google doesn’t like it/me :=(
Response code = 403.
That’s an error.Your client does not have permission to get URL /search?q=USENIX from this server. (Client IP address: xxx.xxx.xxx.xxx)
Oh, well…
trish29 • April 3, 2021 6:05 AM
Hi, I know Bruce probably won’t read this comment/request so other readers’ help is appreciated too,
it’s been many years since this blog examined full disk encryption software (more than a decade ago!) and a lot has changed in regard, I was wondering if a new article is being considered which includes updated info relevant to this decade and Bruce’s personal suggestions, the article could take into account full disk encryption for pc’s and also mobile devices since the latters have seen a huge increase in usage from the last decade.
Czerno • April 3, 2021 7:06 AM
Former Pfizer VP and Chief Scientist, Dr. Mike Yeadon, to “American Frontline Doctors”:
‘Entirely possible this will be used for massive-scale depopulation’
hxxps://www.americasfrontlinedoctors.com/exclusive-former-pfizer-vp-to-aflds-entirely-possible-this-will-be-used-for-massive-scale-depopulation/
What to think of his long address to AFLDS ? Is Dr Yeadon just another mad conspirationist type, or else… ? Also, see the letter addressed by Pr. Montagnier, virologist and Nobel prize, to the president and to the medical authorities of the state of Israel urging them to stop injecting the mRNA vaccines. Is prof. Montagnier just becoming senile, or else… ? Are these so-called vaccines (which however unlike “real” vaccines do not provide long term if not life-long immunity) as dangerous as the cited scientists, and others, are saying ? Is the benefit/risk balance really leaning the side our governments along with big pharma want us to believe ?
In earnest looking forward to some serious discussion of arguments, non political : pro or con.
hold my beer • April 3, 2021 7:41 AM
AMD Zen 3 CPUs vulnerable to Spectre-like attacks via PSF feature
US chipmaker AMD advised customers last week to disable a new performance feature if they plan to use CPUs for sensitive operations, as this feature is vulnerable to Spectre-like side-channel attacks.
Called Predictive Store Forwarding (PSF), this feature was added to AMD CPUs part of the company’s Zen 3 core architecture, a processor series dedicated to gaming and high-performance computing, which launched in November 2020. (full article)
Winter • April 3, 2021 10:18 AM
@Clive
“You do this twice and make them a hundred or so miles appart on the same line of latitude in the range where the sun can be verticly overhead above the shafts once or twice a year ”
That was used by Eratosthenes in Alexandria already in 200BC to calculate the circumference of the earth very accurately.
https://www.businessinsider.com/how-greek-eratosthenes-calculated-earth-circumference-2016-6
The story of Columbus is almost universally recounted incorrectly. In Columbus’ time, it was already widely known that the earth was round. It was even known that India over the western route was much too far to sail. Everybody would starve long before reaching India.
However, Columbus convinced enough people that the earth was much smaller, and he would be able to reach India in time. As we all know, he almost starved to death before reaching the Caribbean.
And Creationism is a fundamentalistic religious movement to exterminate the scientific method. The aim is to give religious leaders the final say in all matters of fact.
@Clive
“As most of us know gravity pulls a blumb-bob down verticly”
Well, not quite vertically.
“Global Positioning System (GPS) receivers show that the marking strip for the prime meridian at Greenwich is not exactly at zero degrees, zero minutes, and zero seconds but at approximately 5.3 seconds of arc to the west of the meridian (meaning that the meridian appears to be 102.478 metres east)… The actual reason for the discrepancy is that the difference between precise GNSS coordinates and astronomically determined coordinates everywhere remains a localized gravity effect due to vertical deflection.”
Clive Robinson • April 3, 2021 11:15 AM
@ Winter,
That was used by Eratosthenes in Alexandria already in 200BC to calculate the circumference of the earth very accurately.
Yup, and as @name.withheld… Was pointing out with “Creative Design” mumbojumbo I was pointing out in return that it was not the only “science denying” belief system that defies simple logic and basic scientific methodology…
So “no rim found” is used to bolster another weird belief to deny what science has found more than credible for many years, centuries, and as you point out millennia, oh and has been confirmed by direct observation more than half a century ago. So they have to keep doubling down with another pile of mumbojumbo dumped on top of previous mumbojumbo. Eventually the pile gets to the point where it can not support it’s own weight thus it just makes a big mess to br cleared up.
One of the downsides of the Internet is cuckoos can tweet out to each other and flock together and bounce the crazy back and forth whilst adding to the pile in a desperate attempt to out do each other…
Weather • April 3, 2021 12:11 PM
@name….
I haven’t used curl in ages, but what I type of remembered you needed to supply certs, public private, could of easily changed.
I tried experiment making a web login bruteforcer, assuming most admins would setup username plus three passwords, not 1k user plus one password, I just found it hard to get working.
Thanks for the idea about tilting pages.
Who? • April 3, 2021 3:58 PM
Another minor leak of PII today… 533 million Facebook users’ personal data leaked online (for free).
Ismar • April 3, 2021 4:23 PM
Global silicon chip shortage hits supply of phones, TVs, cars and Australia’s NBN
SpaceLifeForm • April 3, 2021 4:55 PM
@ Weather, name.withheld.for.obvious.reasons
Speaking of HTML parsing…
https://www.paulosyibelo.com/2021/04/this-man-thought-opening-txt-file-is.html
So I will know when you opened the TXT file I sent you. Not only that, but apparently AutoMount uses the kernel to make TCP connections so even if you were using a proxy, it was leaking your real IP address. I found another browser trick that lets force-downloaded TXT files to be opened without user interaction or warning (since Gatekeeper doesn’t exist for TXT) leaking IP straight out of Tor browser.
SpaceLifeForm • April 3, 2021 5:11 PM
@ Clive, ALL, Moderator
Did y’all notice what you did not notice in past 24 hours compared to multiples of 7 days ago?
Weather • April 3, 2021 5:45 PM
@slf
From that link, there’s another to a window Rce ,it interesting you can sendMessage command to other programs.
Good find 🙂
name.withheld.for.obvious.reasons • April 3, 2021 6:51 PM
@ Czerno
Looks as though there is a malformed URL from the client side generating a permissions problem server side.
The command args are double dash – -; take from the example the order of the arguments and insure that you’ve encapsulated the string for the URL via the open single quote and close single quote. And, if you can run TCPDUMP or ETHEREAL at the same time to inspect what is actually being sent to the server could help.
The reason I use it is that it eliminates all HTML and script processing on the client, the same thing can be accomplished with WGET as well.
name.withheld.for.obvious.reasons • April 3, 2021 7:02 PM
@ SpaceLifeForm
Thanks for that tidbit, or is it tidnibble/tidbyte?
As a rule of thumb I never trust the magic number associated with either the files metadata (typically a header) or the file’s supposed extension. When masking an extension with either ascii/unicode control sequences or through the really fun directory filters found on windows and macOS, and extension name can be masked quite easily (like .desktop).
I always inspect a file prior to opening it. This is where hexdump comes in, passing the filename arg to the application and piping it through a paging program (more or less) and inspecting it is my general practice. Never assume any file from any one is what it proclaims to be…
Oh, and if you want to inspect the contents of a directory prior to it being interpreted by a shell, use the echo command;
echo /bin/*
This will expose any masked directory and file names. OS’s lately have moved to more insidious forms of filesystem enumeration. It is just crazy to allow vendors to play gotcha games with filesystem behavior. macOS has recently done this without explanation and a really dismissive “It doesn’t mean anything” kind of response. What BS.
name.withheld.for.obvious.reasons • April 3, 2021 7:32 PM
What does Christian Law say About Cryptography?
In the state assembly of West Virginia a bill that was passed out of the assembly concerning LBGTQ+ rights and sports participation. A member of the assembly, Roger Connelly, stood arguing in favor of the bill, asking to speak to the bill, “…it’s a verification of a law already on the books”, and then he continues; “King James version, Genesis, starting with verse twenty six…”
Wow, so law is biblical? The Bible is law? Or, is it just another idiot using their belief system to impose law on others? Being directed by the speaker, was asked to clarify and in response in a form of contestation consisted of, “My god does not make mistakes.”
Rational thought seems to be an impediment to much in the United States. Does God approve or disapprove of cryptographic methods and tools, does ITAR need to be restated? Don’t know, as I am outside this circle of elliptical (or is it conical) thinking.
Anders • April 3, 2021 7:40 PM
@SpaceLifeForm
TXT files should be opened with proper tools.
First in hex editor and then, for example, in
OS/2 TEDIT 😉
lurker • April 3, 2021 8:07 PM
@Who? Quote of the day from the story:
Individuals signing up to a reputable company like Facebook are trusting them […]
Reputable looks like a typo; without asking why should anyone trust…
Fed.up • April 3, 2021 8:43 PM
So FireEye issued its final report on Accellion 33 days ago and said that Kiteworks was safe. https://finance.yahoo.com/news/mandiant-issues-final-report-regarding-213000258.html
Harvard said the same thing in their report yesterday. They blamed this breach on customers who didn’t migrate to the cloud. https://www.thecrimson.com/article/2021/4/2/experts-explain-hbs-data-breach/
BUT Accellion advertised all of the Universities that were on the Accellion’s CLOUD Kiteworks – and they’ve all been breached too
https://www.accellion.com/sites/default/files/resources/ds_top-10-reasons-universities-select-kiteworks.pdf
So Stanford and Berkeley did you hire Mandiant to investigate your Accellion breaches too? If so, can you ask them who stole their Red Team tools, how did they notice they were stolen and was there insider involvement and if so from which country?
And if Universities aren’t smart enough to disallow vendors from publicizing their tech then how can anyone expect the enterprise to know any better?
Fed.up • April 3, 2021 8:59 PM
and in other news
The USA’s Department of Homeland Security announced a plan to solve the cybersecurity issues and widespread attacks. He is enlisting the Girl Scouts!
Whew! So relieved.
I always knew those cookies were magic.
https://www.govtech.com/security/DHS-Secretary-Outlines-60-Day-Cybersecurity-Recovery-Plan.html
Weather • April 3, 2021 9:02 PM
@all
The program was run with 32 bytes input, missed one byte out of 159/255 .
I’ve got some better HW it only take 20 hours for a run, new HW would drop that down to one or two.
Trying to fix some bugs with the graph parser.
JonKnowsNothing • April 3, 2021 9:12 PM
@name.withheld @all
re: religious legal codes
I’m sure the query was rhetorical but just in case it wasn’t.
There are many hundreds or perhaps thousands of religions, non-religions, ethical views and philosophies in current existence. Probably as many that are no longer in use.
A good number of them have lists, lists of stuff you should do and lists of stuff you should not do. The lists of “Do Not Do” may be interpreted as laws, with punishments, penalties and sanctions. Such rules have been in play for centuries and are still actively enforced by a particular group.
That these laws maybe conflicting, no longer logical, no longer practical and no longer ethical does not seem to impact those groups and should you try “To Exit Saudi Arabia as a Female without a Male Guardian”, you can find yourself in prison; not necessarily a nice one.
George Carlin had a very humorous routine about religious hats: some on, some off.
RL anecdote tl;dr
I had occasion to accompany a friend to a Lutheran Church. I had never visited one before and didn’t know much about the setup.
It was startlingly plain.
I asked my friend, if they were re-modeling the church? Were they waiting for the stain glass window installers? What about the statues? Were they in storage?
My friend is quite forgiving…
ht tps://en.wikipedia.org/wiki/George_Carlin
(url fractured to prevent autorun)
SpaceLifeForm • April 3, 2021 10:19 PM
@ name.withheld.for.obvious.reasons
Oh, and if you want to inspect the contents of a directory prior to it being interpreted by a shell, use the echo command;
echo /bin/*
I’d go with /bin/echo or /usr/bin/echo
echo may be a builtin in your shell.
SpaceLifeForm • April 3, 2021 11:42 PM
@ Who?, lurker
re FB dump
Very low percentage email addys, but lots of phone numbers
If you have questions, you can call Mark Zuckerberg. His number is in there.
hxtps://twitter.com/troyhunt/status/1378463581604220931
John Cochran • April 4, 2021 2:47 AM
@name.withheld….
Best question to ask “Intelligent Design” proponents.
“Why are you advocating a theory, that at its root, implies that the deity you worship is an idiot?”
Then proceed to point out various idiotic aspects of our existing “design”, such as:
1. Retinas having nerves and blood vessels on the surface exposed to light, leading to blind spot. Poor attachment, leading to retinal detachment. Point out that having nerves and blood vessels on rear surface is what the octopus uses.
2. The rather humorously routed left recurrent laryngeal nerve. Sucker goes down to take a loop around the aorta, then back up to the larynx.
Winter • April 4, 2021 3:36 AM
@John Cochran
“Best question to ask “Intelligent Design” proponents.”
If Creationism is true, God is a very cruel sadist:
I cannot persuade myself that a benificient &omnipotent God would have designedly created the Ichneumonidae with the express intent of their feeding within the living bodies of caterpillars, or that cats should play with mice.
https://dwindlinginunbelief.blogspot.com/2009/02/did-god-create-ichneumonideae.html
@spacelifeform
I’d go with /bin/echo or /usr/bin/echo
echo may be a builtin in your shell.
Even then, reading the actual directory data and expanding the * to a list of file names will be done by the shell.
So in terms of ‘security’ nothing is gained by using the echo executable.
Clive Robinson • April 4, 2021 4:31 AM
@ Matrix,
With respect to,
https://blog.can.ac/2021/03/22/speculating-x86-64-isa-with-one-weird-trick/
@SpaceLifeForm brought it up March 25, 2021 3:11 AM,
In part in response to a conversation we were having where I described part of the underlying problem on March 22, 2021 11:22 PM
In part it is as a direct result of the Marketing “Go faster Stripes” mentality that has come out of Intel for one reason or another for many decades.
As the article notes Intel have an overly rich CISC system at the CPU ISA level, but in reality dropped the internal CISC von Numann architecture for a RISC Harvard architecture a very long time ago.
Thus the reality is the actual core CPU of registers and ALU are but a tiny fraction of the design. With in effect multiple state machines surrounding the RISC Harvard core, with branch prediction and other logic using massive resources to get a few percent at best more performance.
So much so that some of the state machines are Turing Compleate by design, but others accidently so, due to the complexity of the interaction of the CPU addressing and physical addressing of system memory.
The “go faster stripes” mentality is what has given us the joys of those low level hardware faults like Meltdown and Spector that to solve require not just major changes in the low level “Register Transfer Language”(RTL) that underlies even the most basic of microcode, it more importantly takes ten’s of percents of ISA level performance away from the user.
But there is a more interesting effect which is in part why those high resolution timers exist…
The Ia32/64 architecture is not fully determanistic in performance due to two main areas,
1, Cache Memory control.
2, Branch prediction control.
For example, take two basic instructions that read from memory and put the result in their own register. It should not matter what order you perform them in the number of CPU cycles should be the same. But due to cache issues they may well not, that is just reversing their order in the code has side effects at the cache level.
But worse rather than read from a memory location if the instructions read from registers… The same issue arises this time with branch prediction…
So to get a real measure of code performance you actually have to profile it in the CPU with those timers…
It’s this second issue that is being used to instrument the CPU instruction decode state machines to find out which instructions are,
1, Valid but undocumented.
2, Invalid and treated as such.
3, Invalid but treated as valid.
So not all of those “undocumented instructions” are valid by design, some are artifacts of design changes and the like that have not been cleaned up properly.
Which leaves the interesting prospect of the “side effects” of that third set of instructions, those that are not just undocumented but invalid but are treated as valid, and can those side effects be vulnerabilities in potentia…
Personally I think they can, Meltdown and Specter were “The Xmas Gifts that just keep giving”, undocumented invalid instructions that get treated by the CPU as valid are potentially “The Bunny that keeps giving Easter Eggs with sharp teeth”. After all not all eggs give cute fluffy chicks, some hatch crocodiles with realy shap teeth, others give forth a nest of snakes…
But as I’ve repeatedly noted, there are many other nasties that exist below the CPU level in the computing stack”. We’ve known about some such as Direct Memory Access(DMA) unit issues since before the 8080 and other 8bit computers were affordable[1].
Likewise the issues that alow “reach around attacks” like RowHammer and similar to work at the high level software levels on the computing stack, but act on hardware way below the CPU level, that the underlying mechanisms have been known about from before the days of the 1802 processor back in the first half of the 1970’s…
And as I found out with the 1802 it was not just “cosmic radiation” that caused problems, you could also make active attacks using not just EM Carrier Wave(CW) signals but those that were effectively Amplitude Modulated(AM) by amongst other things Pulse Modulation such that you could reliably and repeatedly cause a change in behaviour of the CPU.
So I’m fully expecting quite a few more attacks at below not just the CPU ISA level, but at further down the computing stack. In almost all cases the attacks alone will only make very basic bit changes and the like. But as RowHammer was later to show, if you can change just one bit in the page table for the MMU functioning, then the kernel code becomes available to user level code. It’s why I call such very low level vectors “bubbling up attacks” because like bubbles in a glass of Champaign, they start from nothing with the most primitive of changes, and as they rise up expand into way way larger things, those bit flips become major security vulnerabilities.
Currently we have no commercial computing systems that can defend against bubbling up attacks, which is why they are going to become bigger and bigger news as people start to investigate below the CPU ISA level in the computing stack…
There are ways to design hardware to solve such attacks, but they only go a little bit down the computing stack, “So move not solve the issue”. I know of other ways (search this blog for C-v-P) but they are a major design change I can not see the likes of Intel wanting to develop.
[1] Back in the early 1980’s when I was doing my first serious computer design job using “bit slice processors” and the like, I had the job of making sure the very high speed DMA from I/O did not cause issues. It was as part of a disk array design that was not only patented, but working but being sold, that also did all the things and more, half a decade before the team at University of California, Berkeley claimed “RAID” in their paper published in 1988 as “A Case for Redundant Arrays of Inexpensive Disks (RAID)”. The annoying thing is that all though the patent was granted, we were later told that “it was to obvious an idea” thus we would loose if we chased royalties in the US or Far East through the courts.
Czerno • April 4, 2021 5:01 AM
@Name-Withheld :
I am reasonably familiar with curl and tried to ensure the command was correct (w/ doubles-dashes and ASCII single-quotes) that yielded back a ‘403 forbidden’ answer from Google, as reported. Google has many servers and content-delivery networks worldwide AIUI, maybe this is why the curl command gets thru some and not others ? I’ll try again some time, anyway it’s no big deal. Happy Easter !
Clive Robinson • April 4, 2021 6:10 AM
@ Fed.up,
I always knew those cookies were magic.
And all in 60 days, that must be one heck of a merit badge…
More seriously though STEM suffers from a lack of women, not because men are brighter, or any other nonsense like that, but because,
1, The money is not good.
2, STEM is made dull and uninteresting in education.
3, The HE environment is not welcoming.
4, The work environment is not welcoming.
Whilst STEM is starting to change, the fringe parts such as those to do with IT are not, in some cases they are getting worse.
Basically IT tends to attract “non nuero typical” minds as engineering in general still does, but IT rather more so on the higher level of the scale.
The prevelance of Non-NT in the general Western population is about four times that in men than it is in women. More so in those areas that ICTsec tends to cover.
For NT people especially “those who network” etc being in a crowd of Non-NT people can be way more than annoying it can be highly stressful.
Especially with a group of people who can do the seemingly impossible routienly, but trip up over simple social conventions. Like the linguistic convention of “Don’t you think it’s…” they will take it at the language level, not the social convention level and give you a yes or no answer, rather than see it as a hint or order to do something. The fact that quite a few Non-NT people “Can not make heads nor tails” of “raining cats and dogs” or similar with both confusing them straight off can bring those who are outwardly as opposed to inwardly focussed to a “screaching halt”.
Let’s just say that all social conventions are not generally a strong suit when it comes to Non-NT people, and that is problematic for many NT people not just those who are outwardly focused.
There is a fun but true story that has become apocryphal on the retelling, and I’ve actually worked at a place where something similar almost happened.
As many know the EU has become rather strong on environmental issues, especially the wastage of energy, the UK especially so. Thus you might have seen “motion sensor lighting” in toilets and corridors, closets or sometimes other areas including meeting rooms. Usually there is no “on/off” switch with such lighting, because “why have an off switch when it will turn off automatically?”…
But there are occasions when you need to force the lights on or force them off, meeting rooms being one where forcing the lights off is required, so that “Death by viewfoil” can be inflicted on meeting participants, after all you don’t want the lights to come on because you yawned do you 😉
Well the company I was working for two decades ago moved into a “new build” office block in Trendy Chiswick West London, and it had all sorts of features like a hydrolic lift system solar foil windows and many other green ticks on the environmentally friendly check list. Part of which was “motion sensor lighting” without off switches in meeting rooms…
However unlike the apocryphal story we got the problem fixed in a few days, and cracked a few jokes about being a tough stoney faced audiance as we all had to play a game of statues.
In the apocryphal story, a company elects not to fix the problem thus in presentations given by outsiders when they ask for the lights to be turned off they get told “If you stand very still the lights will go off in a minute”…
Usually the story teller means for you to think that “All the employees think it’s the way to do things, so are weird Non-NT types etc” (forgetting a more rational argument that “managment don’t want to spend the money” as it does not effect them 😉
But it’s stories like that which are the thin edge of a rather large wedge that puts people off of working in STEM for Tec, ICT, and Cybersecurity companies.
Who? • April 4, 2021 6:19 AM
@ lurker
In general “reputable company” is an oxymoron, not to say in those cases company means Google, Facebook, Twitter…
Etienne • April 4, 2021 6:25 AM
When considering patents, it is noteworthy that Curtis owned Wright, and Westinghouse owned Tesla.
Patents were a side business that kept corrupt politicians and lawyers employed.
Weather • April 4, 2021 6:51 AM
@Fa self name….
It can be good practice not to relie on the Path environment variable, weather from the program or shell.
Clive Robinson • April 4, 2021 7:16 AM
@ John Cochran, ALL,
Best question to ask “Intelligent Design” proponents.
I generaly find not talking to Creationists, Flatearthers, etc is the best thing to do unless I’m in a particulary sadistic mood (though Pastafarians are generally good for a laugh 😉
Parasites come in many flavours with interesting life cycles.
For instance those like tapeworms who need two sepeate hosts, where one host spiecies eats the other. Generally most people finding out about the parasites in swine/pork flesh puts them right off eating meat (untill they next smell bacon cooking and going crispy 😉
But that life cycle makes eveloutionary sense, much as fruit with seeds that need stomach acid to enable them to germinate.
But to me the mind blowing parasites are those that not only grow inside a host creature by consuming it they then turn the host into a slave zombie, and own it and drive it to it’s death. On this blog before @Bruce has brought up the subject of a mold that attacks ants, makes them climb up grass stems, thrn erupts from their heads. And I’ve mentioned the lava in snails that grows and gets fat off of the snail flesh, then works it’s way into the snails left eye stalk and starts to pulsate, as well as causing the snail to climb up a grass stalk etc, so a bird will see the pulsation and think it’s a juicy caterpillar and byte the snail and eat it or just the eye stalk. Strangely if it’s just the eye stalk the snail returns to it’s ordinary habits, and if it gets the same parasite again later, the new parasite crawls up the right eye stalk and the process is repeated…
Sometimes however the poor mollusc has more than one parasite at the same time,
https://m.youtube.com/watch?v=15WD1K-nGf4
And this is the jeweled wasp doing it’s thing to a roach with two jabs of a neuro toxin,
https://m.youtube.com/watch?v=-ySwuQhruBo
But there are worse out there including “toxo” that is believed to effect human brains,
https://m.youtube.com/watch?v=uvdiYg6ZN-U
Try discusing these with any strongly religious person will almost certainly make the queasy 😉
Oh and something everyone should remember,
“Man made God in his likeness, not the other way around, so what does that say about mankind?”
I think various observers in the US especially are waking up to this realisation.
Armies of the night -- Evil taking flight • April 4, 2021 9:31 AM
Crashing through the sky
Comes a fear full cry
Cobra! Cobra! Cobra! Cobra!
Armies of the night
Evil taking flight
Cobra! Cobra! Cobra! Cobra!
No where to run
No where to hide
Panic spreading far and wide
Who can turn the tide?
Clive Robinson • April 4, 2021 10:22 AM
@ Czerno, name.withheld, weather,
… that yielded back a ‘403 forbidden’ answer from Google, as reported. Google has many servers and content-delivery networks worldwide AIUI, maybe this is why the curl command gets thru some and not others ?
You are about on the money.
@ ALL,
Google have decided for their search engine to enforce the EU’s GDPR “their way” or more precisely “their way or no way”.
In essence you have to send back not just valid cookies saying you’ve groveled on your knees and sucumbed to their button, you also need to have both the right “post” and “get” tags in your request without which you get the 403.
From experiments, there is a way to get some very limited service from Google’s search engine, and that is by pretending to be a Chrome browser with a failed URL. You get a response because you’ve handed over their coin of profit “information” about what you were searching for.
Whilst other Google services still work without pressing their button, you have to know what combination of browser settings to use.
Which means that whilst curl works for very many services Google is working hard to stop you getting any kind of anonymous service, if they can force you otherwise without legal risk.
I’ve used curl, wget, lynx and one or two others in my time including netcat, Perl and telnet, the world has grown in the meantime and certain people are determined that their “might is right” and come what may they will have supremacy at no legal risk…
So the tool I’ve used of more recent times is Python, yes I know it’s half a DVD of interpreter and libraries but it’s quicker than edit-compile with C to test things out as a “RAD” method.
Though I kind of expect Python to go the way of Perl in the not to distant future it’s showing many of the signs and symptoms.
Oh with regards “echo ” or “echo ../“, yes it uses the shell to expand it to match all the file names. It’s kind of handy to use when you are in some kind of striped down system or the drive with ls and the like has not mounted. It’s realy usefull when you are developing embedded systems where you get init to just kick off the sh program.
rrd • April 4, 2021 11:53 AM
Long time no read nor respond. Good day to you all!
Quotes are from the addressed commenter, unless otherwise specified.
@ name.withheld…
Does God approve or disapprove of cryptographic methods and tools, does ITAR need to be restated?
God approves of loving one’s neighbor as our own selves. How we design and use our tools is bound by that law, as are all our attitudes and behaviors.
Specifically: is the crypto being used to harm others or protect them from harm? Is it a waste of the Earth’s resources or does it serve a humanwide benefit?
I don’t know the answer to these questions with respect to the specific situations you reference, but I sure do concur with your surmise that “Rational thought seems to be an impediment to much in the United States.” except that I would extend it to the entire Earth and all her societies.
@ John Cochran
Why are you advocating a theory, that at its root, implies that the deity you worship is an idiot?
Your examples do not leave me feeling like the design is lacking. The reasons for how we develop the way we do are certainly not understood, as we barely understand the physiology of our adult morphology — e.g. we just learned that the brain has a lymphatic system. Regardless, no one seems to be impeded by the structures you mentioned, e.g. the blind spot in one eye is not in the same perceptual location as the other once the two are combined.
@ Winter
If Creationism is true, God is a very cruel sadist: …
The mechanisms for keeping any one species from dominating (and thus destroying) its ecosystem are sublime. Such checks and balances exist within a perfection evolved over millions upon millions of years. Only human beings — in our wantonly selfish short-sightedness — are out of balance.
But our petulance and willful ignorance is now being dealt with in a likewise manner: COVID-19 and its rapidly mutating variants, which is no more cruel than the Allies utterly destroying Axis’s ability to rape and murder those whom they consider lesser than themselves.
When one fails to understand the bigger picture, one is left misunderstanding specific components of the design. That is always the case for those who think they already understand it all. No one ever does, not in this complicated and sublime Creation, and not in one lifetime.
@ Clive
[Side note: Anyone who believes in the science of the Big Bang is a “Creationist”, whether they admit it or not, for even if there are an endless series of crunches and bangs, no information within the system will survive the singularity between the pulses. That which is outside of Creation is beyond our comprehension, but not our recognition that It Is. And the beauty is that we have scientific proof, thanks to a couple of microwave satellite techs investigating noise in their system!]
The molds that attack ants (and moths and other insects) are of the genus cordyceps. They sure are creepy. A guy named Steve Backshall (noted adventurer and naturalist that has appeared on various BBC documentaries and a personal favorite of my kids) in the 3-part “Lost Land of the Tiger”, actually did a shot of what appeared to be nearly pure alcohol with a cordyceps-fruiting mealworm dropped in it. He was told by the fine folks in Bhutan that it was a traditional remedy. Up until then, I had only seen them in tropical zones.
“Man made God in his likeness, not the other way around, so what does that say about mankind?”
Many — if not most — human beings surely feebly and incorrectly project their own qualities upon the Divine Nature and otherwise limit Its Nature, but the reality is that we are no more capable of comprehending 1% of God’s Nature than our computers will ever be able to comprehend ourselves.
Our being being made in God’s likeness refers specifically to our Conscience/Spirit/Ruh that serves as the “Good Angel on our shoulder” to counteract the “Devil on the other”. The two polar opposite sources of thoughts, emotions, and instincts meet within us where we choose which stream to reject and which to incorporate into our worldview of ideals, attitudes and behaviors.
It is actually our duty to sincerely ask our Creator/Maintainer/Destroyer to take Its Spirit back to Itself within our lifetime so that we can cleanse and purify our soul of our propensities to channel the negative stream. That “Wish to reach God” begins the transmutation of the soul that — if followed to completion — results in our actually being transformed into a pure-hearted (and thus pure-actioned) human being. This is the entire length of the positive religious path, as mentioned in the two Beatitudes:
Blessed are the poor in Spirit, for theirs shall be the Kingdom of Heaven.
and
Blessed are the pure in heart, for they shall see God.
If one doesn’t make that first, essential prayer to be relieved of one’s Spirit, one cannot actually even begin to transform the vices in our soul’s heart into their corresponding virtues. A person that dies with their Spirit is thus not granted entrance into the Kingdom of Heaven. Such persons also lack moral insight and are the ones termed, “Having eyes that do not see, ears that do not hear, and hearts that do not understand.” They fall prey to their vices, such as hypocrisy, hatred, envy, oppression, meanness, rebellion (against love), rage, lying, and all the rest, as per their individual predilection, mood at the time, and situation.
Seeing the Godhead is the reward for and indication of having purified one’s heart of all potential to sin. Only such a one can rightfully claim to be a true Teacher of God. I am not such a one, but I can pass along the teachings as I understand them as I continue to fight against my own heart’s vices.
Peace be with you all.
Fed.up • April 4, 2021 2:26 PM
@Clive
Re: motion sensor lighting. I formerly lived in a LEED certified building that had motion censor lighting in the hallways and underground garage. Motion sensors often don’t pick up short people. It is one thing to have to wave my arms while running on a treadmill to make the gym’s lights go back on. But when your arms are full of packages and the lights won’t go on when you are walking in pitch black hallway or the underground garage, that was too much for me.
I am female. I’ve been in tech for 25 years. Various roles. I never studied STEM.
When I went into tech, there were a lot more women than there are today. Also a lot more African American and Latino back then too.
GW University has identified at least 15 different roles involved in Cybersecurity. https://www.cs.seas.gwu.edu/cybersecurity-roles-and-job-titles
There should be different curriculum for each of these domains.
I think Cyber isn’t drawing women because tech education focuses too heavily on math and is viewed solely as scientific, when it can be a very creative and analytical field. UI Design requires artistic capability plus observational and intuitive skills. I also think that men are more apt to take risks, whereas most women are naturally cautious. I have an uncanny ability to identify and avoid risk.
When a recruiter interviews someone for a job, they aren’t trained to focus on the specific soft skills or communication styles required for cybersecurity. I have only interviewed with one company, Amazon, that understood candidates have different communication styles and sometimes, especially in risk or cyber roles, communication is not as important as their capacity for analysis. The Girl Scouts cannot solve this crisis. But candidates on the autism spectrum can. Recruiters needs to be retrained. https://www.wired.com/2016/11/autistic-people-can-solve-cybersecurity-crisis/
I don’t think India’s Tech Universities put any emphasis on math. Perhaps some data science and neural programming requires math. I grasp algebra now only because I analyze and design software. Not everyone can learn by rote, especially those on the spectrum (likely me). We are about to see how true this is as a result of COVID. The USA’s public schools are no longer performing aptitude testing because Zoom has failed. Some kids in the US haven’t been to school in over a year (High School). But the HS students cameras are off during class and lots of teachers record their lessons. Kids sit in front of pre-recorded videos for much of the day, unable to ask questions or interact with their fellow students. I am so dismayed that the tech industry has ignored this. This was an opportunity for FB to prove their capacity for engagement, but they entirely ignored it as did Microsoft. Even so, both organizations have pretended for years to be involved in educational philanthropy.
I am self-taught and became a technical trainer early in my career because I understand that there’s different learning styles. The most successful tech CEO’s are dropouts and Google just started their own technical educational program which will replace tech college degrees in 6 months. I asked Google to design a Cyber program. But I suspect they are reticent to do so because they may have to divulge their exceptional techniques. https://grow.google/certificates/
We need to acknowledge that India produces students ready to join the workforce who are 3 years younger than Americans when they graduate HS.
MIT et al also need to stop saying that the Cloud is safer. I was a somewhat well known cloud (ASP) evangelist 20 years ago. But I predicted that it would take a long time to mature. The problem then was bandwidth and software was not designed to be hosted. Now security is the issue. Not all data belongs in the cloud. Regulated and highly confidential data certainly not. We need the universities to understand that most of all.
If the software vendors want to discontinue their on-prem versions of dominant software supporting regulated institutions, then they should be prosecuted under anti-trust (RICO) and deceptive trade practices. Vendors need to protect their customers and their roadmaps need to reflect their customer’s best interest, not just increased profitability. The cloud is solely about growing data. But that’s not in the best interest of government, business or consumers. The more data you have, the more data you have to protect and the harder it is to protect it.
Now top university students have had their personal data leaked and it will haunt students for life. The reason this happened ultimately is because universities do not have mature Cyber curriculum and as a result there is a lot of misconception in the work force that tech experience is UNnecessary in 5 of the Cybersecurity roles identified by GW University. Cybersecurity Risk Management in the USA is based upon the COSO Risk Framework (as is NIST). But the COSO Risk Framework was developed in the mid-80’s by the Treadway Commission as a result of the US S&L banking crisis. It was developed for financial risk. It has nothing to do with technology. The only reason that COSO is dominant today, is so that the public and private sector can use non-technical people to assess technology and cyber risk. CPA’s perform audits on technology in the USA too. With all due respect to highly educated CPA’s, I couldn’t audit financials, so why are they assessing technology?
THIS is the #1 reason for all of the cyber attacks in the USA. Software is implemented without anyone qualified in technology risk ever assessing it. Third party risk assessment is thought to be a non-technical checkbox activity performed by non-technical clerks. COSO is the “3 Lines of Defense”, but the 2nd and 3rd Line is non-technical and they are assessing and conceptualizing Cybersecurity risk. That is ludicrous. The Universities need to step up and say so.
We also need to stop pretending that data mining is about advertising. The largest merchants in the world do not use any data mining at all. It does not result in conversion (sale). Data sales are about creating inequality – redlining people and putting them into buckets that they will never get out of. It is the reason why people of color or older people cannot get a job today. It is just bias.
The US Senate just figured out that this is a National Security risk. They are selling our passwords too. 65% use the same password everywhere. A compromised consumer is a compromised employer. Consumers are the just the conduit. Two days ago the US Senate started issuing RFI’s but they aren’t asking social media who they sell to or what data they are selling. If Congress wanted to know what’s going on they’d be asking the right people, the right questions.
https://www.wyden.senate.gov/news/press-releases/wyden-bipartisan-senators-question-online-ad-exchanges-on-sharing-of-americans-data-with-foreign-companies
Internet Individual • April 4, 2021 4:42 PM
Can’t something be “round” AND “flat” at the same time? Like a paper plate? If the Earth were really sphere shaped, how come those living on the underside such as Australia, don’t simply fall into space? Magnetic boots? Gravity? A small black hole in the center of the earth? Think of sitting on a Merry-go-round and going full speed. You will fly off the spinning ride if you dont hold on to something. These “scientists” have it all backwards. I bet they would say if the earth stopped moving everyone would fly off into space. I once had an exchange student from Australia, he confirmed everything wasn’t upside down overthere. I think we can put this comnspiracy to bed!
Who? • April 4, 2021 5:32 PM
@ Internet Individual
Anyone knows Australia is “umop apisdn”. Perhaps Sir Isaac was right after all.
Who? • April 4, 2021 5:47 PM
Have we talked about this new TrickBot feature before? If true, I have missed it: TrickBot now has a UEFI bootkit feature (dubbed “TrickBoot”) to achieve persistent storage, or even bricking a target device.
It is certainly worrying.
Any way to check UEFI firmware for compromises? Preferably from some sort of bootable media, for those of us that do not use Windows, OS X or Linux. I have only read about UEFITool, but there must be more advanced tools these days. Something like the Kaspersky Rescue Disk targeting firmware would be great.
Weather • April 4, 2021 5:55 PM
@Fed.up
If you aren’t doing so well in life you can attract others like that, and the social situation is normally easy, if you are intelligent then you become more picky.
I’m assuming you are married and annoyed at the market, but just like a boys club, how many intelligent maybe good looking are going to go out with a work mate, which you normal go out with friends of friend or workmate or a shop you visit regular.
About your advance ment, ask @bruce to give my email address and I’ll send you a file that might help with the former.
name.withheld.for.obvious.reasons • April 4, 2021 5:57 PM
@ Clive
Well you certainly are a masochist, any one using netcat is also someone using telnet to view web pages :’)
I know there are people know there are people here that have done so, admitting to such is not a sign of weakness but that you have been touched. By what, I cannot say.
I’ve avoided python due to library and binary vulnerabilities, seems I am just slightly more paranoid than you are.
Good catch on the GDPR, hadn’t considered it and thus problem determination would be limited to server side interrogation.
@ JonKnowsNothing
I’m sure the query was rhetorical but just in case it wasn’t.
Yes, and no. I was being sarcastic, rhetorical, and dismissive all in one. No sense in betting around the burning bush on this one.
@ALL
Still puzzling over Apple’s decision to modify a good portion of behavior with respect to macOS, what is the most troubling is the attitude towards updates and marking the filesystem with factual data–chosing arbitrary timestamps for i-node entries is suggests something less than honest/trustworthy.
Who? • April 4, 2021 6:08 PM
Another question related to UEFI attacks… does malware like TrickBot needs to infect a computer to scan the UEFI firmware for vulnerabilities or can it be done remotely?
All my computers are fully upgraded (including firmware), and configured following the advice given by the National Security Agency, so UEFI (and BIOS on old systems) should not have IPv4/IPv6 stacks, nor remote boot capability (e.g. preboot execution environment) enabled either. Obviously some of those UEFI and BIOS systems stop receiving updates from the manufacturer long time ago.
Most of these systems are airgapped, but obviously I need a few connected to the Internet, protected only by 64-bit MIPS-based firewalls that, being honest, are aging a bit these days.
Who? • April 4, 2021 6:13 PM
@ name.withheld.for.obvious.reasons
netcat is a true swiss army knife for communications. nc(1) is very valuable opening connections, sending packets, listening to ports and, these days, it even supports IPv6.
As useful and valuable as kermit!
Weather • April 4, 2021 6:20 PM
@Who
You can load int d8 or int db to get window to access uefi, but blocking that interrupt in most case will stop it, or you could have a clean copies and reload it.
Cassandra • April 4, 2021 6:25 PM
@Internet Individual
I once had an exchange student from Australia, he confirmed everything wasn’t upside down overthere.
Actually, the student was wrong. There is at least one thing upside down from the point of view of people in Australia: the Moon.
If you ask people to draw the phases of the Earth’s moon, people in Europe will show a crescent moon to be tilted. People from equatorial regions, such as Singapore, will draw a crescent moon as an bowl/smile, and people in Australia will again show it to be tilted, but the pattern of craters will be depicted upside down compared to the moon visible to Europeans. This is an elegant demonstration that the people’s orientation with respect to the Moon’s orbit varies by latitude.
Given that it is the same Moon visible both to people in Europe and Australia, it is difficult to reconcile this behaviour with the Flat Earth hypothesis.
Cassandra
name.withheld.for.obvious.reasons • April 4, 2021 6:57 PM
Theocratic Hijacking of Secular Governance
The current schism in the GOP party is not necessarily a Trumpist party. It is the alignment of Theonomic-based anti-democratic party with interests in not just eliminating Constitutional law, but install the Law of the Kingdom of God. This movement began in the 1970’s and came to power in a big way under the G.W. Bush administration. It wasn’t until 2017 that the reins of power were put in the hands of the religious cabal with a hidden agenda.
If you didn’t read the statements made by W. Barr, posted to the website of the U.S. Department of Justice, you need to do so. His statements clearly associated the theocratic rule of the state as necessary to cure the ills of the U.S. and society. The talk given by Barr to the National Religious Broadcasters convention is Christian fascism in the clear.
If this party, what could be considered the former GOP, is allowed to continue to assert relevancy and hold on to positions within the secular government, the threat to the democratic republic will be significant. These are not good faith actors, their organizing thesis includes outright lies as it justifies the means. No discourse can be considered to be from a place of “co-existence”. Nearly every U.S. Senator, two hundred and fifty members of the House of Representatives, and a majority of state governments.
What happened, rising up through the Neo-liberal Republican Party, the Theonomic elements were slowly but surely allowed to sit next to the more secular classic economic libertarian members of the party. Now, the theocratic wing of the party has done a hostile takeover of the Republican Party. Trump was just the spearhead, a symbolic rallying point that has emboldened and enabled the more fascist wing to make great inroads to U.S. political spaces.
Now ask yourself, how did president 45 manage to garner 74+ million votes when the combined audience of right wing media is approximately 25 million. Consider the pulpits where many involved in this movement push QAnon type conspiracies to their flock.
Bloated Cow • April 4, 2021 7:09 PM
@Czerno
What I found interesting is that Moderna says:
we set out to create an mRNA technology platform that functions very much like an operating system on a computer. It is designed so that it can plug and play interchangeably with different programs. In our case, the “program” or “app” is our mRNA drug – the unique mRNA sequence that codes for a protein.
[Source: hxxps://www.modernatx.com/mrna-technology/mrna-platform-enabling-drug-discovery-development]
Hmmm. Has it been hacked? Will it need an update? Is there a backdoor?
Considering Moderna’s track record (no previous product brought to market since 2010*) you can bet that I will not willingly let someone inject that product into me.
*[Source: hxxps://www.cnn.com/2020/05/01/us/coronavirus-moderna-vaccine-invs/index.html]
And don’t get me started on the fines that Pfizer and Johnson & Johnson have had to pay related to bad products and practices.
I’m fortunate enough not to have any pre-existing conditions and actually feel safer facing exposure to COVID than being injected with an experimental genetic therapy.
lurker • April 4, 2021 7:34 PM
@Cassandra:
& left-handed too. When I face the sun, east is to my right. It takes a few weeks in the Nth hemisphere to overcome that habit.
SpaceLifeForm • April 4, 2021 7:54 PM
@ name.withheld.for.obvious.reasons, Clive
Speaking of USENIX, I recently stumbled upon the article I was looking for some time back. Clive, recall we were both looking for a specific article but neither of us could find it?
Well, this is the one I was looking for. Regarding Signing and Encryption issues.
It’s 20 years old, but I believe is very useful information.
https://www.usenix.org/legacy/event/usenix01/full_papers/davis/davis_html/
In this paper, we analyze the naïve Sign & Encrypt flaw,we review the defective sign/encrypt standards,and we describe a comprehensive set of simple repairs.The various repairs all have a common feature:when signing and encryption are combined,the inner crypto layer must somehow depend on the outer layer,so as to reveal any tampering with the outer layer.
Fed.up • April 4, 2021 9:06 PM
@wEATHER
Cyber is at an inflection point. Much like medicine around the turn of the last century there is the preponderance of snake oil salesmen in our field.
Because there are no legal measurements or licensure the field is rife with people who have no talent or morals. This will soon change.
Why did FireEye claim that Accellion was safe a month ago when it wasn’t? Probably for the same reason they said that 2019 Paige Thompson’s hack of Capital One didn’t result in theft of SSN’s or account numbers.
But Capital One just announced that the 2019 forensics performed by Mandiant was not accurate that SSN’s and account numbers were stolen. Why did they re-examine the data? Perhaps the events over the last 2 months gave them cause for concern. 2 days ago: https://www.bleepingcomputer.com/news/security/capital-one-notifies-more-clients-of-ssns-exposed-in-2019-data-breach/
I assume that identifying SSN’s and account numbers in that Capital One dump was as easy as finding Zuckerberg’s phone number yesterday. Why didn’t Mandiant identify it 2 years ago? This court ruling from last summer speaks about FireEye being an existing vendor in Capital One’s cyber tech stack when they were assigned to perform forensics after the attack. https://www.natlawreview.com/article/federal-court-finds-cybersecurity-forensic-report-not-privileged-under-attorney-work
Sensitive data like this is legally required to be encrypted and anonymized while at rest.
Breach disclosure laws need to change. Disclosure must include the list of vendors and MSPs involved in the tech stack breach, so that they can be driven out of business for repeat infractions if the Government is unwilling to protect us. Approaching cybersecurity solely as a technical solution has been ineffective. We need to focus on architecture and controls. I cannot blame corporations for unwillingness to invest in Cybersecurity when they don’t see the ROI.
From 2019 — no PII was stolen: https://www.securitymagazine.com/articles/90622-capital-one-announces-data-breach-affecting-100-million-customers
SpaceLifeForm • April 4, 2021 10:34 PM
@ Fed.up, Clive
Re Kiteworks
Excellent questions.
One thing I keep observing is constant talk about moving to cloud. Over and over. Everywhere it is possible for someone to mention moving to cloud, you will hear it.
I say avoid cloud. There have been so many problems with cloud for years now, that I’ve have lost track. Especially AWS and buckets magically becoming global readable.
The only way I would use cloud is for offsite storage, totally encrypted on my end, and even if I were to go that route, it would have to be redundantly stored on multiple cloud providers.
Higher level RAID.
Naimisha • April 4, 2021 11:29 PM
Key Security Considerations with Serverless:
Besides having decade-old injection-based vulnerabilities, OWASP related issues with applications, and over-privileged functional permission sets and roles, there are other sophisticated challenges that organizations face with serverless deployments. It profoundly requires a fundamental shift in how organizations look at application security.
With multiple serverless frameworks and deployment models available across cloud platforms, there are a plethora of configuration settings that allow subscribers to customize their environment to specific requirements. There have been multiple instances identified wherein, misconfigurations across cloud storage, web application firewall, network policies, segregation of trust zones, etc. are exploited to introduce vulnerabilities into the serverless ecosystem.
The key challenges which organizations face emerge due to decentralized view of serverless especially via deployment settings – per function-related permissions, lack of comprehensive secrets and key management lifecycle plan, and inadequate visibility due to lack of security events logging and monitoring.
Some of the other key challenges which we have remediated include:
Anonymous • April 4, 2021 11:51 PM
hi sorry my english.
all the new device need bluetooth headphone. no more 3.5mm allowed by gov? or every manufacturer just that stupid?
please help educate people how disable remote firmware update to headphones! can they infect other stuff themselves once infected?
i only know way: use only old devices, and go without tech forever if anything ever breaks or needs replaced for any reason.
Fed.up • April 5, 2021 12:07 AM
@SpaceLifeForm
Yes to RAID. And bravo to Spectra Logic for masterfully handling a recent ransomware attack. They did not communicate with the attackers or pay a ransom.
I also admire their disclosure about the importance of offsite tape.
Cloud may be appropriate for some data. It is especially useful for data residency and storing data in the country of origin. But we both agree that alleged misconfigured buckets likely aren’t misconfigured.
Some industries outgrow their data centers every 5 years. Cloud appeared as a savior for capacity on demand. But if data growth is the problem, more capacity is not the answer.
The solution to out-of-control data growth is controlling the growth. Cloud is also not appropriate for structured regulated data. Unstructured data requires more space for storage, so perhaps the answer is that software should be designed for structured data wherever possible. Lots of problems would be solved by structuring data, using data dictionaries and semantic interoperability. Because then tools could automate, monitor and audit PII encryption.
IBM Fellows speak about this topic and Parquet Modular Encryption: https://www.ibm.com/cloud/blog/structured-data-and-hybrid-clouds
It also seems to me to be the only way to comply with GDPR and CCPA data portability.
C 4 Cat • April 5, 2021 12:31 AM
@Internet Individual:
“Can’t something be “round” AND “flat” at the same time? Like a paper plate?”
You need to read again what was said,
“Apparently ackording to some, the fact nobody has found the rim of the earth kind of provrs that the earth is flat but repeats infinitely… Or some such.”
Now consider the fact that no matter how apparently infinite your “paper plate” is, we know the universe is finite. So it would still have a “rim” by definition (draw a circle on a 2D plane to see this). Whilst your circle does enclose area, it does not, nor can it enclose volume, thus it is not a 3D object.
I think you missed the point of the reply that was made to name.withheld.for.obvious.reasons, that is on examination the logic in the argument given is wrong.
That is it is like the “Every Cat has three tails argument”, which is,
P1, No cat has 2 tails.
P2, Every cat has one more tail than no cat.
C, Therefore, every cat has 3 tails.
The two premises P1, P2, sound correct. But the conclusion C is not what we observe, thus conflicts with our perceived reality. So our brain says “no way Jose” or similar and rightly so.
The argument actually exploits an oddness in the way we use language, and how we use it “casually” to discuss certain ideas. Specifically the ideas of an empty set we might otherwise call nothingness, absence, or emptiness.
In premise P1, “No-Cat” appears to refer to an absence of cats with two tails. Which as our observed reality tells us do not exist appears “logically correct”. Therefore it is apparently an “empty set”.
However in the second premise P2, the “casual” use of language deludes us into understanding ‘No-Cat’ as someting that is an existent thing. Rather than as someting that is a nonexistance or absence or of a thing. The phrasing misleads us into thinking that a No-Cat could conceivably be that elusive creature that has 2 tails thus the set is not empty.
So this misleads us into the conclusion that, if the No-Cat has 2 tails, and every cat has one more tail than No-Cat does, then every cat must logically have 3 tails…
Which is clearly a nonsense by our observed reality… It’s a similar sort of argument that is used by anyone who believes in deities, and amongst many other things infinate sized plates with no rim in a finite universe that as a consequence must have very strange properties (which observed reality shows are very obviously false).
Weather • April 5, 2021 12:50 AM
@Fed.up
If the server’s broken into groups with each different one with different security, laws, and someone to communication between client’s, it would be hard to get the fresinic information.
Large company normally don’t know what the left to right hand is doing.
US Freedom Fighter • April 5, 2021 1:29 AM
I just drone struck your village.
FAQ
What does this mean?
The amount of people (you) in your village and country has decreased by many.
Why did you do this?
There are several reasons I may deem a village to be unworthy of existence. These include, but are not limited to:
Harbouring of terrorists,
Possible ownership of chemical weapons,
The people were minorities.
Am I banned from life?
No – not yet. But you should refrain from committing crimes against the US in the future. Otherwise I will be forced to issue an additional drone strike, which may put your family and life privileges in jeopardy.
I don’t believe my village deserved a drone strike. Can you help rebuild it?
Sure, mistakes happen. But only in exceedingly rare circumstances will I undo a drone strike. If you would like to issue an appeal, tell the media what I got wrong. I tend to respond to the media within several minutes. Do note, however, that over 99.9% of drone strike appeals are rejected, and yours is likely no exception.
How can I prevent this from happening in the future?
Accept the drone strike and move on. But learn from this mistake: your behavior will not be tolerated by the free world. I will continue to issue drone strikes until you improve your conduct. Remember: life is privilege, not a right.
Sure, mistakes happen. But only in exceedingly rare circumstances will I undo a drone strike. If you would like to issue an appeal, tell the media what I got wrong. I tend to respond to the media within several minutes. Do note, however, that over 99.9% of drone strike appeals are rejected, and yours is likely no exception.
Winter • April 5, 2021 4:49 AM
@Cassandra
“There is at least one thing upside down from the point of view of people in Australia: the Moon.”
It is even simpler. Ask your Australian informer to find the pole star. Or to draw the constellations around the rotation point of the sky.
Flat Earthers insist the sky rotates around the Pole star. Which is evidently nonsense if you live South of the equator.
South of the equator you cannot see the Pole star nor the constellations around it, and the whole sky rotates around a different point in the South.
Trust Flat Earthers to produce convoluted models that explain nothing.
Who? • April 5, 2021 6:03 AM
@ Weather
Thanks a lot for the advice. I am not sure blocking two interrupts will do some good on a generic operating system; if true, OpenBSD should have these interrupts blocked right now.
As I understand it, we need local access ⸺even if just unprivileged⸺ to the computer whose UEFI firmware we want to compromise. It is good to know it requires triggering an interrupt, this attack cannot be done over the network.
Of course I have copies of all UEFI and traditional BIOS updates for these computers, stored offline on a write-protected USB drive. I get them as soon as they are released by the manufacturer, usually from two different repositories ⸺iff posible⸺ together a document detailing two different hashes for each one of those files, stored on a different drive.
Who? • April 5, 2021 6:11 AM
@ Weather
I understand a well-written UEFI malware will block firmware updates. Fortunately, most computers here have an emergency recovery system ⸺intended to be used after flashing a non-working firmware⸺ that should be enough to get around this locking mechanism.
Clive Robinson • April 5, 2021 7:07 AM
@ Who?
Have we talked about this new TrickBot feature before?
Not as part of “TrickBot” but as I’ve pointed out in the past, the fundamental reason it happens goes back more than four decades to the late 1970’s and the Apple ][ computer design. Basically the Open I/O model for hardware is the root of the problem and it’s not going to go away any time soon (if ever I hope).
The Apple ][ Open I/O model was so successful that the idea was adopted/stolen by the team that did the skunkworks stuff that gave IBM the PC in the 1980’s. Which as an unfortunate result made both Intel and Microsoft the nemeseses of the Western World, and with the advent of Flash ROM, more recently the joy of malware writers… (but it could have been worse).
Whilst just about any engineer that had designed a hardware card for an Apple ][ or IBM PC/clone pre PCI bus could not avoid noticing the glaring security hole it created, but it did not get spoken about very much because back then ROM’s were realy Read Only, and networks had not got even close to personal computers. In fact this glaring security hole only realy surfaced in the ICTsec mind around the time of BadBIOS[1] and a couple of years later Lenovo using it to deliberate backdoor the BIOS of consumer grade laptops[2] back in 2015.
The ICT industry had not just been in denial, it was actively policed by the “NIH naysayers” who vigoursly attacked people with an avalanch of “Not Possible” and “You don’t know what you are talking about” postings often under non attributable handles (you can still see some on the blog). Who mysteriously disappered when the case was proven and shown to go back to the Apple ][ in the 1970’s and it’s clear path still in Microsoft documentation to this day.
So 2013 to 2015 the message started getting through to people BUT… as is typical of the ICT industry and in particular ICTsec it’s almost be compleatly forgoton again[3]…
So I guess this addition to “TrickBot” is a good thing in that it’s acting as a “Wakeup Call” to maybe stop much of the ICT industry “SleepWalking into another Nightmare of it’s own making due to not studying it’s own history[3]…
The problem is actually in effect unsolvable in a truely “Open Specification” due to not being able to have a “root of trust” in the earliest part of the BOOT sequence. This is because of a “chicken and egg” situation which originally was not an issue due to actuall PROM and EPROM usage but fell compleatly appart security/backdoor wise with Battery Backed RAM and later Flash ROM came to be standard.
The problem is this,
When you design an Open I/O system you have no idea what new or inovative hardware will be thought up tomorrow let alone a year or two down the line. With all inovative hardware you need software such as device drivers to match it into the hardware I/O and then later OS systems. This software needs to be available very early in the BOOT proces in system memory otherwise the hardware can not be accessed. This is especially true for main secondary memory systems such as hard drives that contain the OS etc. So you can not read the OS drivers off of the hard drive because the computer does not have drivers in it’s system memory to access the hardware to read the hard drive. Therefore you need a leaver loader process to get basic drivers into system memory. But there is no way driver software can be built into the BIOS with Open I/O systems. So you need a mechanism where the driver code is put into system memory prior to actually being required for booting… This is done by putting what was immutable ROM on the I/O card holding the driver code, and have it appear at a fixed location in the system memory map. The BIOS then looks for the ROM on each card and moves it into a different area of System memory that is RAM, hooks it’s routiens into the Device/interupt tables etc, then switches the on card ROM out of system memory.
For this system to work though, both the BIOS and the OS need to respect and not overwrite the I/O Card code that has been loaded into System RAM. Thus any broken or malicious code makes if from the Card ROM all the way through the boot process and bringing up of the OS lurking in the background waiting to be used in some way…
It just so happens that with conventional ROM that stored both the BIOS and I/O card drivers they could not be –easily– overwritten, unlike the use of modern Flash ROM where it’s near enough childs play to do so unless you take precautions. So you now need a second mechanism that provides a “Root of Trust” (which is as bad an idea as “walled Gardens”). In effect the solution is “code signing” of the ROM code. Fine for the BIOS ROM but not for the I/O Card ROM in an “Open Specification”…
I won’t go into details there are other readers and occasional blog posters who are way way closer to knowing the intimate details of UEFI but in essence for use as a “root of trust” the code signing needs to be done via a chaining method not to disimilar to the PKI CA infrastructure, which is far from “Open” and would put way to much power in the hands of those that have already proved themselves to be compleatly untrustworthy (hence it’s a bad idea).
As I’ve noted many times this problem is not going to go away any time soon… Because who want’s to give Intel or Microsoft more “locked in” control of computing or for that matter Far East chip manufacturers that might be as in the US rather to close to their counties security services?
[1] BadBIOS from 2013, https://en.wikipedia.org/wiki/BadBIOS
[2] Lenovo UEFI backdoor from 2015, https://www.techworm.net/2015/08/lenovo-pcs-and-laptops-seem-to-have-a-bios-level-backdoor.html
[3] Yes I know I keep banging on about this ICT “not learning from history” even living history (which it mostly still is). But this TrickBot is just another example of “give it less than a decade and the attack will work again”… In this case it’s only been half a decade since the Lenovo BIOS back door hit the news big style, but it all appears to have been forgoton… In short Lessons are not being learnt and everyone feels the pain.
Anders • April 5, 2021 7:59 AM
@Who?
Yes, we talked about it.
hxxps://www.schneier.com/blog/archives/2020/12/friday-squid-blogging-bigfin-squid-found-in-australian-waters.html/#comment-360090
Wow • April 5, 2021 10:38 AM
After undue pressure from extended family I created a FB account a few years ago. I used a unique email that I used nowhere else. I never used a phone # nor my real name.
I found FB annoying so I deactivated it in 2018 until 2020 when COVID hit. Then I deactivated it again in Nov 2020.
‘Have I been pawned’ shows that my account was leaked 3x while it was deactivated. It shows that my passwords and location were leaked.
Since FB isn’t reporting a breach, to me it seems obvious that they sold passwords to someone who leaked it. But they are also selling deactivated accounts.
My account was never leaked while it was active. The only info leaked was my location and password. Strange, no?
It says that Canva and Houzz leaked my data, but I never used those services and again this email address was solely used for FB and I allowed no apps or 3rd party access. I never used the FB app either. FB had it’s own device and browser with a lot of security.
I’m smart enough to use a unique password on FB but how many people don’t?
When breaches blame phishing or brute force I laugh. Compromised credentials really means our passwords were sold. This is the Golden SAML root cause too. They can identify dozens of exploits in software under attack, but ultimately that’s all nonsense to obfuscate the fact that we’ve all been pawned.
Wow • April 5, 2021 11:07 AM
Part II about Facebook leak via Canva
I never heard of Canva. It seems to be an Australian based startup that purportedly originally served schools and helped them make yearbooks.
I doubt schools use it. But if they are focused on schools could this be the point of compromise for both the Kiteworks and rash of ransomware schools throughout the US?
They talk about being funded by Mr Tai and attending MaiTai in Hawaii:
https://www.dailymail.co.uk/news/article-9379243/Canva-founders-Melanie-Perkins-Cliff-Obrecht-one-Australias-richest-couples.html
MaiTai in Hawaii is a party thrown by Bill Tai.
Bill Tai is a data miner – google it
Canva admits to being breached in 2019. Their wikipedia says they let schools use their software for free.
I bet something else is going on. The owner of Canva are purportedly one of the richest couples in Australia.
In 2011 their timeline shows they met with one of Facebook’s chief of Engineering – Lars Rasmussen.
JonKnowsNothing • April 5, 2021 11:40 AM
@Wow @All
re: Leaking Data like a faucet
tl;dr: Ancient Times
In the olden times when computers were just a big pile of vacuum tubes, people actually got information delivered to their doorstep or physical mailbox on a daily basis. News papers came daily with Sunday’s version being the Must Have weekly recap of events and magazines filled the in between spaces. In some countries mail came 2 or 3 times a day, hand delivered to the front door and outgoing mail was collected at the same time.
Along with the Wanted-Stuff came a bunch of UnWanted-Stuff. Wanted-Stuff like grocery market weekly price changes were much reviewed by those who did not share upper-crust ignorance of what it costs to feed a family. The unwanted stuff clogged up the mailbox and garbage cans faster than a FatBerg.
The question was:
Answer:
Companies like Dun and Bradstreet garnered huge lists, public records like tax data, and the phone book. These companies had folks standing at the court houses waiting for micro-fiche updates or hand copying addresses from ledgers.
Researchers used “altered spellings” to track which groups sold their lists to other groups. They knew it had been sold when the altered address showed up on another piece of “junk mail”.
Radio Shack had a corporate policy of Not Selling ANY customer information. They got a lot of business. In those days you often had to provide an address to pay by bank check and knowing it wasn’t going to result in an onslaught of new junk mail was good for business.
That lasted until the company went insolvent. The data finally was sold. It was likely the most valuable asset the company still had at the time it collapsed.
Such data has been collected for a long time.
The velocity of data transfers is partially what drives concerns. It’s not one mangled address, it’s millions of mangled addresses. It’s not used to send you unwanted mailings, it’s used to for unwanted solicitation/subscription, illegal uses and out right theft of property both physical and intangible.
We tolerate it because we do not hold the collectors of this data accountable. Any legal recourse is blocked or nullified. These companies pay big money for such protection, and they get the benefits for the money they pay.
If they don’t get what they pay for, they change who they pay it to.
Everyone loves a paycheck.
===
ht tps://en.wikipedia.org/wiki/Fatberg
ht tps://en.wikipedia.org/wiki/Dun_%26_Bradstreet
ht tps://en.wikipedia.org/wiki/RadioShack
ht tps://en.wikipedia.org/wiki/RadioShack#2015:_Bankruptcy
The acquisition did not include rights to RadioShack’s intellectual property (such as its trademarks), rights to RadioShack’s franchised locations, and customer records, which were to be sold separately.[164][165][166][167]
RadioShack was criticized for including the personally identifying information of 67 million of its customers as part of its assets for sale during the proceedings, despite its long-standing policy and a promise to customers that data would never be sold for any reason at any time.[168] The Federal Trade Commission and the Attorneys General of 38 states fought against this proposal. The sale of this data was ultimately approved, albeit greatly reduced from what was initially proposed.
(url fractured to prevent autorun)
JonKnowsNothing • April 5, 2021 12:18 PM
@All
re: To STEM or Not to STEM…
There are many historical and cultural reasons “why” some people do not get involved in “harder studies”. It’s clear there is a problem, but it’s also clear the solution isn’t going to be forthcoming anytime soon. The entire model of education or what constitutes education is a huge stumbling block.
It is similar to the problem gamers have of “To Raid or Not to Raid”.
Raids are larger group game activities, 3,6,12,24+ size groups of players working as a team to overcome the challenges set by the developers. Generally the more people you need the harder the content: faster interactions, more difficulties, more obstructions and better loots.
It can be good fun. It can also be a nightmare.
Hardly a gamer exists, that has not had one or more not-just-bad but truly-horrible experiences while in such a group.
After a few of these interactions over a bunch of pixels on a screen, you can see the results when players ask for others to “join up”.
There are two general groups that coalesce: one is a continuing team that plays regularly together and the other are fill in groups called PUGS (Pick Up Group).
The players already in a standardized team, rarely need another player to join them. They set their own goals, agendas, timing, and techniques.
The players who are causal participants to such events, have to go through a “Vetting Routine” to be invited. It’s called Gear Score. If you have enough of the right gear, the right weapons, the right junk, the right combos you get an invite. If not… dead air.
After a few bad experiences, players go Annon(ymous) and no longer respond to requests for fill in openings.
STEM is like Raiding. If you are IN you are golden. If you are Not In, you will be humiliated, denigrated and not invited. After a bit, you realize it’s not worth the trouble to deal with people who’s objectives are so different from your own.
Such discussions happen regularly in games, between gamers, with developers. No universal answers have been found.
The very activities that make raiding interesting are the very same activities that make raiding not-interesting for a large group of players.
STEM suffers from the same dynamics.
JonKnowsNothing • April 5, 2021 12:29 PM
re: Bad STEM-Raids
This is a very old video of a “bad raid”. It’s very funny. It’s rude/bad language.
It’s a very common experience.
How can you fix it? I dunno but the raid leader doesn’t know either…
ymmv:
MOAR DOTS! Onyxia Wipe / May 4, 2014
(url fractured to prevent autorun)
Planned planned planned planned • April 5, 2021 12:56 PM
Damn auto-correct, planned.
Wow • April 5, 2021 1:41 PM
@JonKnowsNothing
RE: leaking US data overseas
The Senate is investigating and rightly considers it a National Security Risk https://www.morningstar.com/news/dow-jones/202104024966/us-senators-ask-digital-ad-auctioneers-to-name-foreign-clients-amid-national-security-concerns-update
One of the USA’s biggest school district was hit with ransomware last week. The demand was so high the district didn’t have enough money to pay. So they may lose a lot of historical information. But who cares?
I feel bad for anyone that graduated HS in that district and may now have difficulty applying for a job or college without transcripts.
This Bill Tai fella is into Bitcoin too. There are easy solutions to these ransomware attacks. Outlaw Bitcoin
Last week Congress held a hearing about outlawing social media for kids. Ask a teacher what they think about it.
https://www.govtech.com/policy/Child-Safety-May-Unite-Lawmakers-Fuel-Social-Media-Regulation.html
I don’t think asking a parent is useful because Millennial’s will not want to have kids given the pandemic and the potential for them being required at some point to teach and raise their kids themselves. No one will sign up for that.
swordface • April 5, 2021 3:13 PM
@ hold my beer | April 3, 2021 7:41 AM
AMD Zen 3 CPUs vulnerable to Spectre-like attacks via PSF feature
Well isn’t that nice. So after I refuse to buy from Intel because of their IME I can’t trust AMD?
SpaceLifeForm • April 5, 2021 4:03 PM
@ Weather, Clive
Holy PageFault Batman!
Looks like a great Honeypot tool.
Anonymous • April 5, 2021 4:08 PM
PLEASE HELP
I WAS TOLD TO READ THE RESEARCH GATE ARTICLE FOR MORE INFO ON WHY TOR WAS BEING BLOCKED: https://www.researchgate.net/publication/282612470_The_Dark_Web_Dilemma_Tor_Anonymity_and_Online_Policing
BUT THE ARTICLE BLOCKS TOR ALSO.
SO I TRIED TO ASK IN https://WIKIPEDIA.ORG/WIKI/RESEARCHGATE IF ANYBODY COULD TELL ME SOME WAY TO READ THE ARTICLE ABOUT WHY TOR WAS BANNED.
BUT FOR SOME REASON WIKIPEDIA DOESN’T JUST BAN TOR FROM EDITING ARTICLES; NOW, IT BLOCKS TOR FROM PUTTING ANY COMMENTS IN THE “TALK:” PAGE THAT DOESN’T EVEN SHOW UP IN THE ARTICLE ANYWAYS.
IS THERE ANY PLACE ON ENTIRE WIKIPEDIA WHERE A PERSON FROM A COUNTRY WITH REPRESSIVE FIREWALLS/ISPS/WHATEVER… CAN MAKE ANY COMMUNICATION WHATSOEVER? MAYBE AN OPTION TO SHOW COMMENTS (JUST IN “TALK:” PAGES) FROM TOR EXIT NODES, AND HAVE IT SET TO BLOCK THEM BY DEFAULT (EXACTLY WHAT IT EFFECTIVELY DOES NOW, BUT THIS WAY SOMEONE CAN OPT-OUT OF THE FILTER IF THEY DON’T MIND SEEING OFFENSIVE COMMENTS. EVEN IF IT WAS LIMITED TO ascii ONLY — NO PICTURES/AUDIO/VIDEO — IT WOULD STILL BENEFIT A GREAT DEAL OF PEOPLE ALL OVER THE WORLD.)
SINCERELY,
Weather • April 5, 2021 5:08 PM
@slf
Thanks slf ,that quite a powerful RE tool/idea 😉
vas pup • April 5, 2021 5:52 PM
The color red influences investor behavior, financial research reveals
https://www.sciencedaily.com/releases/2021/03/210331130907.htm
“Visual Finance: The Pervasive Effects of Red on Investor Behavior” reveals that using the color red to represent financial ===>data influences individuals’ risk preferences,
expectations of future stock returns and trading decisions. The effects are not present in people who are colorblind, and ===>they’re muted in China, where red represents prosperity. Other colors do not generate the same outcomes.”
“Our findings suggest the use of color deserves careful consideration when it’s to be used on financial platforms, such as brokerage websites or by retirement service providers,” Bazley said. “For instance, the use of color could lead to investors avoiding the platform or delaying important financial decisions, which could have deleterious long-term consequences.”
“In Western cultures, conditioning of red color and experiences start in early schooling as students receive feedback regarding academic errors in red,” Bazley said.
Red is associated with alarms and stop signs that convey danger and command enhanced attention. Other examples include when California issues a “Red Flag Warning” that signals imminent danger of extreme fire or when the American Heart Association uses red in its guidelines to indicate hypertensive crisis (a blood pressure reading higher than 180/120) that necessitates medical care. Over time, ===>repeated pairings of a color with negative stimuli can influence subsequent behavior.
So what is Bazley’s favorite financial term involving the color red?
“I appreciate the phrase ‘red herring,'” he said.
“In finance, it refers to a preliminary prospectus that a company uses when issuing securities to the public. It is an important document for potential investors, but
===>it tends to omit key pieces of information; hence, it usually has a red disclaimer on the front. I also find fish to be delicious.”
My nickel: red is color of blood, and it is signaling danger or/and injury. That is in the root how red is initially flag a danger in prehistoric folks. That not support the idea why red has other meaning in China.
SpaceLifeForm • April 5, 2021 6:28 PM
@ Clive, lurker, Anders, Wesley Parish
RAM Refresh. Recall your memory.
It was not that long ago, right?
The signal is the noise.
Then, compare.
A switch has silently been flipped in millions of instances of Google Chrome: those browsers will begin sorting their users into groups based on behavior, then sharing group labels with third-party trackers and advertisers around the web. A random set of users have been selected for the trial, and they can currently only opt out by disabling third-party cookies.
Clive Robinson • April 5, 2021 6:29 PM
@ Anders, Who?,
Yes, we talked about it.
It was for months ago almost to the day… which is interesting in of it’s self. That is why has it taken so long to become more recognised?
As I said above, it’s not something that is going to go away any time soon if at all, so it might be “slow burner syndrome” getting to the point “it has passing the exponential knee”.
As I said it’s a double whamy of “chicken and egg”. That is we need the non-lockedin “Open I/O Specification” but likewise we very much need a “Root of trust mechanism” and those two are currently very much at odds with each other.
In the past to change real “read only” ROM, PROM, EPROM and similar required either taking the chips out or changing pin/jumper setings on the motherboard. With the advent of the various “electrically erasable” EEPROM etc technologies, whilst “rework costs” in manufacture and subsequently have dropped dramatically, so has security dropped dramatically as well, and it is definitely “causation not correlation”. Flash ROM in particular is so ubiquitous very very few actially know where all of it is in a modern PC and even if they did there is nothing they can do to stop it being altered.
It’s this lack of knowledge, combined with lack of ability to stop BIOS and I/O ROM and that Flash –tucked away in nearly all SoC microcircuits– being changed, that has become a nasty problem that is only going to get worse by being ignored.
In theory there are “software locks” that can be used. But design experience has taught me that “software locks” are like verbal contracts “not worth the paper they are written on”.
It’s something I’ve been going on about since the last century with “Security Tokens”. These things need to be both mutable for manufactuer / maintenance “rework” but immutable at all other times. The only advantage with security tokens is that being “locked-in” to one hardware supplier is not realy much of an issue currently[1], so they could in theory use “code signing” as we currently have it. Except the history of “games consoles”, “TI Calculators” and “set-top boxes” tells us that given even quite short periods of time such protection methods being essentially software will get bypassed.
So it can be seen that even if we come up with a beter solution than “Code Signing” that we realy desperatly needed way more than a decade or so ago, there can not be a “one size fits all” solution.
But even with “physical interlocks” such as PCB jumpers, we still have another issue, which is the lack of sufficiently secure and usable “tamper evident” systems. Whilst our host @Bruce has a sticker on his laptop indicating it is effectively a weapon of destruction. I somehow do not think he follows the old military maxim of “Eating, sleeping, drinking, etc with his “personal weapon” at all times”.
Thus varieties of unatended “Evil Maid” attacks become an increasing reality, and effective and reliably secure tamper evident solutions are needed, which we just do not have. For instance quite a few clever people thought long and hard about securing drug test samples from athletes, but we have good reason to believe that various Russian entities know how to quickly and easily get around them. How, we do not know, but the betting is once it is known, it will be a simple and obvious defect exploit that was not considered during the design phase. Similarly as many Truck Drivers have found to their cost, “People Smugglers” have found ways around all the fancy security systems used on lorries, trucks and trailers.
Security except in a few cases is a hard problem, a very hard problem, and anyone saying otherwise is shall we say “lacking” in more ways than one. But designing an effective security system that retains all the advantages of an “Open I/O System” I suspect is going to be a considerably harder problem, for which we currently have no idea how to achieve, nor will we do so for some time to come.
[1] Actually not true, as they are becoming an identifier to “Single Sign On”(SSO) systems where the user has no control over the “service covered” database in the SSO servers. Thus the person who controls the SSO database is the person who realy does have “The Keys to the Kingdom”. It does not have to be that way you can develop SSO systems that work differently… But it’s shall we say “Not in the interests of the SSO service providers to do so.”
Weather • April 5, 2021 6:38 PM
@clive slf
If I was going to make malware, I would use Rop plus alignment, I would have three line patch to a program that would run a here and now copy ,and copy it to keneral32 encyted, then bounce to functions that have five push then pop ,then add to esp to then build up the stack.
If really paranoid illd workout how to continued normal program function.
Slf
What would that program rev.ng do if you write to cr1,forgot the bit, would there general hook give me write access ?)
SpaceLifeForm • April 5, 2021 6:52 PM
@ Clive, lurker, Anders, Wesley Parish, Who?
There is an interesting dynamic happening.
Blue Checks are showing up on Twitter that should have never been denied.
802.11bff • April 5, 2021 9:43 PM
Give a man a phish, he reaps for a day.
But teach him?
Best Friends FOREVERsion.
SpaceLifeForm • April 5, 2021 11:15 PM
@ Wow, ALL
I strongly recommend you do NOT attempt to see if you are in the FB dump.
It is likely that you will be giving up PII to see if your PII is out there.
Assume yes, but do not confirm.
Clive Robinson • April 6, 2021 2:35 AM
@ SpaceLifeForm, Weather, ALL,
Holy PageFault Batman!
It’s an interesting approach, and gives similar “debug power” that you used to get with Hardware In Circuit Emulators(ICE).
But no matter how good it’s never going to put a fine polishvon the turd that ABI’s and loaders are. Of which there are three main families *nix, Microsoft and CMU/Apple.
Looking back on *nix, I sometimes think it’s a miracle that programs get loaded at all in modern OS’s thanks to Intel[1] and Microsoft[4].
In theory making a code loader is simple you just design the compiler tool chain to respect page boundries and one or two other things including making them position neutral and get the process to build a map of segment usage space that gets passed back to the OS. The least amount of information being needrd is the execution start place[2] and an address to call upon exit.
Then Intel decided it would come up with an “all purpose valid for ever” loader specification (iBCS) for Unix… That not only can few understand most would not go near without “an extreamly long spoon”.
The problem with the system is it’s flexibility, brings with it undue complexity that makes many places to not just hide information (orphaned bytes) but create vulnerabilities with as well.
This mess ended up via Linux compatability as the ELF standard by default[3].
But what of Microsoft, well… It has had several ABI’s thus loaders over the years which has resulted in a similar mess to that of *nix, with similar problems and the current devils brew incarnation is called the Portable Executable(PE) format[4].
I won’t go into PE’s details because it’s even more tedious than ELF, likewise I won’t go into CMU/Apple Mach-O other than to say it is used by most systems based on the Mach kernel. Including NeXTSTEP, macOS, and iOS which all use the Mach-O ABI format for the usual native executables, libraries and object code.
Suffice it to say that the “PageBuster” folks are going to have fun on their hands eapecially as they move it across to Microsoft OS’s. But for those who also want to have more powerful debugging tools it’s going to be on the “santa list”. However there is a down side, it is also going to give less experienced “code obfuscators” a helping hand.
[1] https://en.m.wikipedia.org/wiki/Intel_Binary_Compatibility_Standard
[2] In the oldest and simplest environments like early CP/M it was “assumed” that syscalls were at fixed locations at the top of memory and the execution point to always be 0x0000. Later the need to make things more flexible gave rise to a shared block of data between the environment and the program so the execution point was moved up to 0x0100. But that low block of memory was found to be insufficient, which was why many programs started with a ‘jmp’ over a non executable block of argv/envp and one or two other bits and bobs, such as an address to put a 16bit int return code value at.
[3] The ELF ABI is a creature of it’s inheritance which shows. In some respects it’s simple but… It’s widely used on many architectures and systems but care needs to be taken. Because it was effectively the “default option at the time”. Which means it has been augmented a couple of times and no doubt will do again at some point in time (it covers 32 and 64 bit CPU’s but there are more than one type of “Strange Brew CPU” out there the most obvious being GPU’s, but those with FPGA’s for building hardware algorithms are comming along).
https://wiki.osdev.org/ELF_Tutorial
[4] Microsoft according to it’s almost monkey brain behaviour, has of course got it’s own loader ABI which arived via a similar path to ELF. Called Portable Executable(PE) it is still a multi-CPU format (due to Win CE). Unfortunately it’s the ABI chosen bu those who came up with UEFI which is problematical,
Winter • April 6, 2021 2:43 AM
@Jonknowsnothing
“There are many historical and cultural reasons “why” some people do not get involved in “harder studies”.”
A very simple reason is that you get but one chance. If you fail, you end up without a degree. No degree means much less income later. If you have been let to believe STEM is over your head, you will try some more in reach.
I have actually seen this type of doubt in high school kids, even those who did a STEM study anyway and finished with flying colors.
IT-Consultant • April 6, 2021 6:00 AM
@Winter
A very simple reason is that you get but one chance.
+1. There are often not much forgiveness and possibility to attempt again.
Anonymous • April 6, 2021 7:15 AM
Wow • April 5, 2021 1:41 PM
@JonKnowsNothing
RE: leaking US data overseas
The Senate is investigating and rightly considers it a National Security Risk https://www.morningstar.com/news/dow-jones/202104024966/us-senators-ask-digital-ad-auctioneers-to-name-foreign-clients-amid-national-security-concerns-update
One of the USA’s biggest school district was hit with ransomware last week. The demand was so high the district didn’t have enough money to pay. So they may lose a lot of historical information. But who cares?
I feel bad for anyone that graduated HS in that district and may now have difficulty applying for a job or college without transcripts.
This Bill Tai fella is into Bitcoin too. There are easy solutions to these ransomware attacks. Outlaw Bitcoin
Last week Congress held a hearing about outlawing social media for kids. Ask a teacher what they think about it.
https://www.govtech.com/policy/Child-Safety-May-Unite-Lawmakers-Fuel-Social-Media-Regulation.htmlI don’t think asking a parent is useful because Millennial’s will not want to have kids given the pandemic and the potential for them being required at some point to teach and raise their kids themselves. No one will sign up for that.
I agree! Ransomeware attacks are being done with anonymous currency, so let’s just ban all anonymous currency (cash/crypto/bartering/etc.)
Let’s ban cars too. They help bank robbers rob banks.
And remember, the CIA wants to blow up an airliner full of random innocent U.S. citizens, just to use an excuse to kill 1 bad guy. The moral here: it’s worth killing ~400 good guys to kill 1 bad guy?
Is it also worth giving up ~400 rights to save 1 life over the next century?
And remember, car pollution kills ~300,000 U.S. citizens every year. Ie we definitely need to ban those evil cars!
And ban cops too. They are the ones responsible for most shooting deaths, and most of them kill themselves in car accidents anyways. Better to do it before that happens, like a prophlyactic.
Anonymous • April 6, 2021 7:58 AM
One of the USA’s biggest school district was hit with ransomware last week. The demand was so high the district didn’t have enough money to pay. So they may lose a lot of historical information. But who cares?
One of USA’s biggest school district was hit with a stabbing last week (probably at least once a week, right?) The demand for increased on-campus security guards sauntering around with assault weapons resulted in a reduction in funding to libraries and information systems. But who cares?
The culprit executed themselves, so people need an effigy to attack. And the Constitution is a hip target for whatever reasons (not up to date.)
I feel bad for anyone that graduated HS in that district and may now have difficulty applying for a job or college without transcripts.
Wow • April 5, 2021 1:41 PM
@JonKnowsNothing
RE: leaking US data overseas
The Senate is investigating and rightly considers it a National Security Risk https://www.morningstar.com/news/dow-jones/202104024966/us-senators-ask-digital-ad-auctioneers-to-name-foreign-clients-amid-national-security-concerns-update
This Bill Tai fella is into Bitcoin too. There are easy solutions to these ransomware attacks. Outlaw Bitcoin
Last week Congress held a hearing about outlawing social media for kids. Ask a teacher what they think about it.
https://www.govtech.com/policy/Child-Safety-May-Unite-Lawmakers-Fuel-Social-Media-Regulation.html
I agree! Ransomeware attacks are being done with anonymous currency, so let’s just ban all anonymous currency (cash/crypto/bartering/etc.)
Let’s ban cars too. They help bank robbers rob banks. And vans help child abductors abduct children!
And remember, the CIA wants to blow up an airliner full of random innocent U.S. citizens, just to use an excuse to kill 1 bad guy. The moral here: it’s worth killing ~400 good guys to kill 1 bad guy?
Is it also worth giving up ~400 rights to save 1 life over the next century?
And remember, car pollution kills ~300,000 U.S. citizens every year. Ie we definitely need to ban those evil cars!
And ban cops too. They are the ones responsible for most shooting deaths, and most of them kill themselves in car accidents anyways. Better to do it before that happens, like a prophylactic.
Remember:
while (it != NULL) {
puts(‘if it takes even one bad driver off the road, it is worth it!’);
}
*”while” (instead of “if“) is apparently a feature, not a bug.
I don’t think asking a parent is useful because Millennial’s will not want to have kids given the pandemic and the potential for them being required at some point to teach and raise their kids themselves. No one will sign up for that.
I don’t think asking a parent is useful because they are the least likely to offer objective, actionable information about such emotionally charged topics.
If you wanted to reduce child mortality you would ask a statistician “For under $xx,xxx dollars, what are the most likely ways to reduce child mortality by %yy (or zzPerCapita or whatever metric.)
PS I’m not implying that you’re one of those people who are just looking for excuses to remove as much power as possible from individuals, centralize everything as much as possible, and give as much power as possible to a Federal government (people trying to make America emulate China/Russia/N. Korea/Venezuela/etc., in other words.) I know that is not your wish.
God bless.
Clive Robinson • April 6, 2021 8:01 AM
@ SpaceLifeForm,
Regards “All Floc’d up” by Google, a curious point from the EFF,
“Turning off third-party cookies is not a bad idea in general. After all, cookies are at the heart of the privacy problems that Google says it wants to address. But turning them off altogether is a crude countermeasure, and it breaks many conveniences (like single sign-on) that web users rely on.”
I’ve been saying turn cookies off for a very long time, likewise JavaScript. But I’ve also pointed out the “Arbiter In The Middle”(AITM) systems of which SSO are just one of hundreds are bad news in very many ways, for almost as long.
Which is why I’ve been trying to find a way to replace them with a new form of “rendezvous protocol” to replace the likes of “Forced DNS” and similar that Google has lumped on people for decades.
Just about every thing Google and it’s parent Alphabet do has a very solid heart of psychopathic evil in it. Mostly their behaviours are carefully planed and can be likened to the behaviours required by someone not only giving a Type I diabetic child a sugar laced Easter Egg transfered into the wrapping that says it’s sugar free, but also planning to avoid all consequences coming back on them should things be investigated.
Anonymous • April 6, 2021 8:02 AM
One of the USA’s biggest school district was hit with ransomware last week. The demand was so high the district didn’t have enough money to pay. So they may lose a lot of historical information. But who cares?
One of USA’s biggest school district was hit with a stabbing last week (probably at least once a week, right?) The demand for increased on-campus security guards sauntering around with assault weapons resulted in a reduction in funding to libraries and information systems. But who cares?
The culprit executed themselves, so people need an effigy to attack. And the Constitution is a hip target for whatever reasons (not up to date.)
I feel bad for anyone that graduated HS in that district and may now have difficulty applying for a job or college without transcripts.
Wow • April 5, 2021 1:41 PM
@JonKnowsNothing
RE: leaking US data overseas
The Senate is investigating and rightly considers it a National Security Risk https://www.morningstar.com/news/dow-jones/202104024966/us-senators-ask-digital-ad-auctioneers-to-name-foreign-clients-amid-national-security-concerns-update
This Bill Tai fella is into Bitcoin too. There are easy solutions to these ransomware attacks. Outlaw Bitcoin
Last week Congress held a hearing about outlawing social media for kids. Ask a teacher what they think about it.
https://www.govtech.com/policy/Child-Safety-May-Unite-Lawmakers-Fuel-Social-Media-Regulation.html
I agree! Ransomeware attacks are being done with anonymous currency, so let’s just ban all anonymous currency (cash/crypto/bartering/etc.)
Let’s ban cars too. They help bank robbers rob banks. And vans help child abductors abduct children!
And remember, the CIA wants to blow up an airliner full of random innocent U.S. citizens, just to use an excuse to kill 1 bad guy. The moral here: it’s worth killing ~400 good guys to kill 1 bad guy?
Is it also worth giving up ~400 rights to save 1 life over the next century?
And remember, car pollution kills ~300,000 U.S. citizens every year. Ie we definitely need to ban those evil cars!
And ban cops too. They are the ones responsible for most shooting deaths, and most of them kill themselves in car accidents anyways. Better to do it before that happens, like a prophylactic.
Remember:
while (it != NULL) {
puts(‘if it takes even one bad driver off the road, it is worth it!’);
}
*”while” (instead of “if“) is apparently a feature, not a bug.
I don’t think asking a parent is useful because Millennial’s will not want to have kids given the pandemic and the potential for them being required at some point to teach and raise their kids themselves. No one will sign up for that.
I don’t think asking a parent is useful because they are the least likely to offer objective, actionable information about such emotionally charged topics.
If you wanted to reduce child mortality you would ask a statistician “For under $xx,xxx dollars, what are the most likely ways to reduce child mortality by %yy (or zzPerCapita or whatever metric.)
PS I’m not implying that you’re one of those people who are just looking for excuses to remove as much power as possible from individuals, centralize everything as much as possible, and give as much power as possible to a Federal government (people trying to make America emulate China/Russia/N. Korea/Venezuela/etc., in other words.) I know that is not your wish.
God bless.
I’m sorry, the formatting looked fine in the Preview, but after clicking Submit it lumped all the individual blockquotes into one giant heap. I’m not sure why exactly yet.
Honeywell got hacked?
https://www.honeywell.com/us/en/press/2021/03/update-on-honeywell-it-system
SpaceLifeForm • April 6, 2021 3:17 PM
@ Clive, Wow, ALL
You can now check if you are in the FB dump via phone number.
I still recommend you not do so.
hxtps://www.troyhunt.com/the-facebook-phone-numbers-are-now-searchable-in-have-i-been-pwned/
Fed.up • April 6, 2021 4:00 PM
@N Honeywell sets the cyber standards by which all other companies can only hope to achieve.
I am buying the Honeywell noise cancelling Covid mask. Ingenious. The world is so much easier to deal with in silence.
https://www.cnet.com/health/xupermask-is-a-futuristic-face-mask-from-will-i-am-and-honeywell/
SpaceLifeForm • April 6, 2021 4:21 PM
@ JonKnowsNothing, MarkH, Clive
NCov2019 aerosols and ventilation.
Note: there is a very technical mathematical rabbit hole you can follow from this link.
Or, you just apply common sense and understand this.
JonKnowsNothing • April 6, 2021 4:51 PM
@SpaceLifeForm, MarkH, Clive, All
There is this report on B117 variant aerosolized particles in the environment. B117 doesn’t last any longer than the D614G COVID did in the environment.
Just like the Wuhan virus lineage, the B.1.1.7 virus lost 90 percent of its infectivity after about 6.2 hours in darkness. In simulated sunlight conditions, the two lost 90 percent of infectivity in about 11 minutes.
…
transmissible viruses are not spreading more easily because they linger longer in the air or can travel farther. Instead, the viruses are likely spreading more because they either produce more virus in people’s airways—meaning people are simply expelling more infectious virus at once or over time…
There is still the open question about how the virus was able to infect health workers in Australia that did not have any direct contact with the infected persons and were not on the same floor or in any other contact with other workers who got sick.
They shut down the hospital pending investigation. They expect the infection is an unknown fomite and/or from the ventilation system.
===
ht tps://arstechnica.com/science/2021/04/b-1-1-7-variant-is-not-better-at-surviving-in-air-than-other-coronaviruses/
ht tps://www.theguardian.com/australia-news/2021/apr/03/queensland-reports-one-new-case-of-locally-acquired-coronavirus
(url fractured to prevent autorun)
vas pup • April 6, 2021 5:17 PM
Russia May Have a Secret Main Battle Tank
https://finance.yahoo.com/news/russia-may-secret-main-battle-150700342.html
“But despite the lofty promises, the Armata project was mired in financial and technological difficulties that slowed development to a crawl. Today, the Russian Ground Forces have precisely zero Armata tanks, with serial deliveries now promised for later this year.
So what comes now? A Russian military blog recently uncovered another tank design that apparently lost out to the Armata in the late 2000s. The Burlak (seen in the Facebook post above), is an interesting compromise design that leverages Russia’s huge inventory of older tanks and existing tank technology to produce a vehicle that’s almost as good as the Armata.
The Burlak takes a new tank turret and puts in on a modified T-80 tank chassis. The turret’s hexagonal geometry is derived from the T-90A tank that’s currently in service, but lengthened considerably in the rear to accommodate a dual-feed auto loading system for the main gun. This would allow the 125-millimeter main gun, the same caliber as the Armata’s gun, to quickly load two types of ammunition.
The turret features additional armor plating on the front to both protect the smoke dischargers and add more armor to the turret’s frontal aspect in general. The Burlak would also have the same Afghanit active protection system fitted on the Armata, giving it protection against NATO anti-tank missiles and rockets.”
Clive Robinson • April 6, 2021 6:28 PM
@ Fed.up, ALL,
I am buying the Honeywell noise cancelling Covid mask. Ingenious. The world is so much easier to deal with in silence.
I note it’s in part “hard shell” that will,
1, Reduce ability of face recognition.
It also contains HEPR filters that will,
2, Reduce the effects of CS and other dibilitating agents used by Law enforcment.
Perhaps I should chat to Wil.I.am about designing RF proof jackets with micro fine woven copper or silver cloth lining, backed with Kevlar which will,
3, Stop hidden “nudy scanners” working.
4, Reduce the chance of your RFID cards being read.
5, Stop the average tasser shot dead in a short circuit.
Something tells me LEO’s are going to be getting quite twitchy about what COVID will do to reduce their technological lead.
Clive Robinson • April 6, 2021 7:13 PM
@ JonKnowsNothing, MarkH, SpaceLifeForm, ALL,
Re : Social distancing, masks, ventilation and viral load.
Whilst we can model the physics, of droplet drop fairly easily (variation of orbital mechanics in a regarding field).
Thus can model social distancing fairly easily, we still do not have a viral load model, which means we have a quite big assumption as to what is and is not a safe background level with time.
Masks are not mathematically modelable due to the variations in mask materials and construction. However we can say it’s safe to assume two things,
1, They do not stop viral particles, but they do reduce the size of any droplets down to the micron range.
2, They significantly reduce velocity, thus significantly reducing horizontal distance.
This is where aerodynamics start to come in. As particles get smaller nonlinear effects start to happen. Whilst larger droplets behave more like the “cannon balls” and smaller droplets like “feathers” of the “gravity experiment in air”, hydrodynamics kick in as the particles get smaller still thus can end up behaving like “smoke” suspended in a very complex way.
The result is whilst ventilation will suck small particles away, you want them to rise above people befor they get sucked horizontaly or when dropping thus having the equivalent of the velocity factor added back in which gives us the greater social distancing.
Unfortunately this brings both temprature and humidity into the calculations, making things even more complex.
I’ve tried modeling these things in the past using basic physics models, unfortunately as you start to add in other factors for reduced particle size and guestimates for viral load, the models start to develop issues in that they become overly sensitive to the input variations (ie chaotic).
Both aerodynamics and hydrodynamics get around these problems by assuning not particles but “working fluids” so are somewhat related to the ideas behind Brownian Motion. The problem with that is that it is way to much “steady state”. Which anyone who has watched at school the two glass bulb experiment where the bottom bulb is filled with water coloured with Potassium Permangenate a deep purple and the top clear water will have seen in the initial stages is most definately not steady state with complex vortex and circulation effects determining the actual movment of the potasium into the clear water.
Thus the sensible thing to do is not what the politicians want. Which is,
1, Maintain social distancing.
2, Mandate wearing of masks in all closed environments.
3, Mandate “correct” environmental control stratagies.
4, Mandate “correct” ventilation stratagies.
The third and fourth points need to be assessed on a case by case basis especially where “air reflow” or “heat exchangers” and other Air Conditioning is used (remember Legionnairs Disease?). Especially when people stay in that closed environment for more than a very short while.
This is definately a case of “More work needs to be done” otherwise people are going to needlessly be murdered on a political alter.
@name.withheld.for.obvious.reasons I often use hexdump or xxd to process a file Hey I do the same thing for files. I use 010 editor. It's scriptable and has file format plugins!!! keep doubling down with another pile o • April 6, 2021 9:50 PM
@Winter
Columbus convinced enough people that the earth was much smaller, and he would be able to reach India in time. As we all know, he almost starved to death before reaching the Caribbean.
Columbus took provisions on the Canary Islands. There are ledgers of them buying pigs and other livestock/ food. In spanish his name is Colon and as it turned out, he was pretty nasty.
Quid Pro Quo • April 6, 2021 10:41 PM
Special report: Microchip security continues to confound Pentagon
Congress and the Pentagon want to ensure that the chips, wherever they come from, are certified in tests to be trustworthy and reliable
IF there’s a Chinese backdoor, no amount of testing after the fact of manufacture can rule out the existence of the backdoor. There’s a heavy contingent in the United States of well-funded and highly organized “crime in blue” among law enforcement fraternal orders and police unions of officers who want a back door into all computer systems no matter what at all costs and will stop at nothing to ensure that they have the unlimited and unaudited access to everything they desire.
WE’re looking at this from the angle of vice, i.e., a certain “Las Vegas effect” (for lack of a better term) of overwhelming greed and desire giving way to compulsion on the part of unionized officers of the law. There’s too much lip from working cops on the beat to allow secure computing even for purposes financial accounting or business inventory control, let alone for personal use.
I had to post this to squid Friday. 🙂
SpaceLifeForm • April 7, 2021 1:46 AM
@ Rj
LOL. Very good.
I thought, wow, this would be worth printing out, but then I remembered I am out of ink.
So, to save some money, I’m thinking about spending the $50
hxtps://www.loosepartscomic.com/product-page/framed-personalized-loose-parts-cartoon
SpaceLifeForm • April 7, 2021 2:50 AM
@ Clive, ALL
Smaller, faster is not always better. Muon showers do exist.
In the olden daze, 128K of core memory in a box the size of a refrigerator was pretty stable.
Clive Robinson • April 7, 2021 5:10 AM
@ SpaceLifeForm, ALL,
Smaller, faster is not always better. Muon showers do exist.
It’s something I’ve known about since the 1970’s and “Rad Hardened” parts like the 1801 and 1802 CPU’s and memory chips.
The “smaller faster”aspect is why the RowHammer attack works on Dynamic Ram (DRAM). If you look up the fundamental way DRAM works you will find it’s not realy a digital circuit but an anolog circuit using capacitors as storage elements.
Oh Flash ROM also using an anolog effect that holds charge on a FET gate is also susceptible (as are other “erasable” ROM families).
No doubt someone will pop up going “That’s not true” as has happened before but discussions by CMOS semi manufacturers like Motorola, RCA, etc about the issues were happening publically in the early 1970’s in App Notes.
As for “gifts from out of space” some tend to follow certain paths, thus orientating chips can reduce but not stop the problem.
Oh and I’ve not read Slashdot in a long time they want both cookies and javascript and as I keep saying “I don’t do those”, nor am I going to.
Clive Robinson • April 7, 2021 5:38 AM
@ ALL,
If you also want to avoid “cookies and javascript” usage but find out a little more.
Strip the last part of the Slashdot link off and replace the hyphens with spaces and drop it as a search string in DuckDuck. You will find several links to the original story.
This one worked first time with both cookies and javascript turned off,
The reality of Slashdot is it’s a “cabbage reboiler site” and most of what gets put up on it comes from other sites, that are not so determined as Slashdot is to make your browsing process insecure.
My advice give Slashdot a big thumbs down and go elsewhere. Maybe if enough people say “Sayonara”[1] to them.
[1] Sayonara is often the first word non native Japanese speakers learn… Problem is it’s rarely used as it means rather more than the Western notion of a simple “goodbye” or just “bye” (many younger Japanese have taken “bye bye” as their own),
RealFakeNews • April 7, 2021 6:12 AM
@Clive Robinson:
That is true! 🙂
I was impressed how it (RowHammer) worked so reliably. I knew it was theoretically possible before then.
Fact isn’t always stranger than fiction. It just needs its simplicity to be demonstrated.
@All:
As an introvert, this whole lockdown business hasn’t been a problem. What is a problem are all the deniers that think it’s fake.
I’m not a vaccine denier, but in this specific instance I find myself questioning the motives of “vaccine for all” in conjunction with vaccine certificates to attend a large public gathering.
I don’t have the flu vaccine as I’m outside of any eligible demographic, so why it is necessary to have a vaccine for a disease that should be greatly reducing now the most at-risk have had it, doesn’t make much sense.
I had this back in late 2019, yet no-one around me apparently got it from me. I laid in bed for nearly two weeks straight, not least as to move so much as an arm would cause me to go dizzy. I passed out completely, twice, and had loss of taste and smell for around 4-5 days, that I’m aware of.
Looking back, I was perhaps a bit slow a month or two afterwards, but I otherwise felt (and feel) great.
A question I’m left asking myself is: given I had this so early (or at least before it was publicly acknowledged as a pandemic), I’m wondering what the true exposure rate to this virus has been, and why the desperate rush to vaccinate all, when a higher proportion of the population have likely already had it than we know?
name.withheld.for.obvious.reasons • April 7, 2021 11:55 AM
@ Clive
Another method that will for example put a sites top level pages up and as a cached copy, ie. you don’t directly touch the site is to send the domain from a search token:
site:schneier.com
This will return the site information but in a digest format. And, using curl, lynx, wget, or other command line tool it is easy to gather information and what might be useful to drill down into.
Wesley Parish • April 7, 2021 7:56 PM
@usual suspects
Happy happy joy joy!
Facebook Says It’s Your Fault That Hackers Got Half a Billion User Phone Numbers
https://www.vice.com/en/article/88awzp/facebook-says-its-your-fault-that-hackers-got-half-a-billion-user-phone-numbers
“This feature was designed to help people easily find their friends to connect with on our services using their contact lists,” Clark explains.
ergo …
“Effectively, the attacker created an address book with every phone number on the planet and then asked Facebook if his ’friends’ are on Facebook,” security expert Mikko Hypponen explained in a tweet.
but wait, there’s more …
But for users whose phone numbers were being traded freely online, possibly the most aggravating part of Clark’s post is when he puts the onus on users to protect the data that Facebook itself required users to hand over in the name of “security.”
You can’t make this up. And believe me, I’ve tried.
Clive Robinson • April 7, 2021 8:49 PM
@ Wesley Parish, ALL,
I just love the irony in the last paragraph of the Vice article,
“But maybe everyone whose number is listed in the leaked database should follow Facebook founder and CEO Mark Zuckerberg’s lead: Zuckerberg uses the highly secure messaging app Signal, which isn’t owned by Facebook.”
Somebody is not prepared to “Eat their own dog…”.
JonKnowsNothing • April 7, 2021 9:37 PM
@All
re: Salting the Algorithms
A group of gig economy workers have discovered that they can game that delivery payment system by Rejecting App Assignments.
The algorithm is based on the concept that if $X doesn’t tempt you, another will take it for $X+(n), and if repeated enough times the value of $X becomes large enough you can feed your family (after expenses).
They are also able to see the company hidden payouts by using an older version of the app in parallel with the new version.
iirc(badly) a good while back, self-publishers on Amazon got paid by the number of page-views. If someone downloaded their book and read 10 pages they got very little, if they read to the end of the book the author got full price.
The authors figured that if they moved the “end of book flag” to the front of the book, they got full value or they put the “table of contents” at the back of the book to trigger the same payout effect.
afaik, Amazon blocked both of these practices.
The gig economy cab system isn’t picking up although demand for rides is higher. Those that can afford to pay for the services and are still employed are finding there are not that many drivers still interested in taking the Better Employed to and from work, to their Better Housing and Better Health Care appointments and Better Restaurants.
Since there are fewer drivers, the piece rate prices for driving services has gone up.
In the World of Banking, the old double switch up redefinition commission payroll game is back as a portion of general compensation. This practice was supposed to be terminated but the terminator always returns for the next episode. The Bankers have renamed their offending practices but the calculations, thresholds and ceilings remain in place. Sales and Banking were supposed to divorce after the various debacles.
Breaking up is Hard to Do.
===
ht tps://en.wikipedia.org/wiki/Salting_the_earth
Salting the earth, or sowing with salt, is the ritual of spreading salt on conquered cities to symbolize a curse on their re-inhabitation
ht tps://www.theregister.com/2021/04/07/doordash_drivers_rebel/
DoorDash drivers are encouraging one another to turn down food delivery jobs below a minimum threshold of $7 in an attempt to game the company’s in-app payment algorithm.
…
Drivers have figured out that they can boost the base pay by driving down the desirability. If they repeatedly decline trips in their area, the desirability value of those journeys decreases, and in turn DoorDash will try to make up for it by increasing the base pay. The idea behind the drivers’ #DeclineNow campaign is that if enough of their fellow colleagues promise to reject low-paying jobs, all drivers will benefit, since the algorithm will compensate them better for their time. Every time they reject an order, it will be offered to someone else for more money, and after time, these jobs start to offer a more acceptable level of pay.
ht tps://arstechnica.com/tech-policy/2021/04/uber-and-lyft-struggle-with-driver-shortage-as-demand-soars/
Uber and Lyft are struggling to recruit enough drivers to meet their needs
…
Many people who were working as Uber or Lyft drivers in early 2020 have moved on to other jobs.
…
Uber says that as a result of driver shortages, drivers can make a lot more money now than they did before the pandemic. … ride-hailing companies are facing shortages [of drivers] across the country …
ht tps://www.theguardian.com/australia-news/2021/apr/07/worse-than-ever-australian-bank-culture-has-not-improved-since-royal-commission-staff-say
MSM report recap:
The Banking System in Australia was found to be use illegal methods of compensation for their employees based on “sales and up-selling” of banking products (2016). Similar Banking-Scams happened in the USA (robo-signing, auto-subscriptions and tampering with account balances).
The are still “doing it” using the NSA’s favorite tactic: rename the offending practice so it can continue under a new word-phrase.
In Australia the change is “explicit sales targets” to “balanced scorecards”.
Results are predicable.
(url fractured to prevent autorun)
SpaceLifeForm • April 7, 2021 9:40 PM
@ Wesley Parish, Clive
As I noted above, you can check if you are in the FB dump.
I am sure my phone number is in there even though I’ve never used FB.
Why? Because of contacts that have used FB in the past and they have bad opsec.
Now, consider the outer join of the FB dump and the Signal dump via phone number.
Wait for it.
Clive Robinson • April 7, 2021 9:40 PM
@ name.withheld…, ALL,
Another method that will for example put a sites top level pages up and as a cached copy, ie. you don’t directly touch the site is to send the domain from a search token
Mentioning the same process in the past to implement a “Command and Control” service for bot-nets and APT that could not got it’s head chopped off, got me into trouble 😉
The same trick can if you think about it be used as a way to enable exfiltration of data to a remote controler.
However there is an even better technique for the data exfiltration that works rather well but maintains the disconnect that keeps you secure from having the packets traced. I mentioned this could be done on this site years ago when I mentioned the “Command and Control” trick. But unlike the C&C trick I did not mention how to do it.
Interestingly, whilst some black hats have since used the C&C trick, nobody has yet mentioned finding the exfiltration trick in the wild.
I guess proving two things,
1, Hats of all shades of grey read this site.
2, Some are not smart enough to reason things out.
Now I don’t know if the second point is down to the Black Hats not using such a trick/method, or the White Hats not seeing it in use.
I’m increasingly of the opinion as I’ve mentioned before that it’s there not being enough smart White Hats, thus a lot of tricks/methods are being missed.
As I note occasionaly 😉
“Attribution is hard, very hard”
But consider this… It’s even harder when you are not seeing what is happening because you are not looking for various reasons (think back to Stuxnet and why it was found, and why that gave rise to the older Flame, Duqu, and Gauss[1]).
Even though the clues and proof of the existance of malware may be in many AV companies databases they do not see them for quite some time if at all. In part this is due to lack of resources but others have questioned if the AV companies have been paid/told to “look the other way” by Government entities.
What the total truth is realy does not matter, what is clear is there are not enough Smart White Hats to go around. A problem I don’t see resolving it’s self sny time soon no matter how many “Girl Scout Merit Badges” in InfoSec you create. There are way to many other hurdles that need to be removed, not least being “reward”. As an indepenfent researcher finding a good attack method or zero day causes a dilema. Many have reported vulnerabilities to organisations and been denied reward, and others have had lawyers start chasing them. They can however sell what they have found to vulnarability brokers etc, no fame but a better pay off than most if not all software company schemes.
As has been noted before “Altruism does not put bread on the table, nor roof over your head” and “Fame it can be very fleeting”, as for legal bills well they can bankrupt even the wealthiest of people…
Clive Robinson • April 7, 2021 9:59 PM
@ SpaceLifeForm, ALL,
Now, consider the outer join of the FB dump and the Signal dump via phone number.
I don’t need to I did that a long time ago when “phone number” on a “Smart Phone” became an authentication factor. I had the feeling that “I had swallowed a lead kipper”.
For those that want hard proof of what an impending disaster it is going to become, I suggest they look at that “Universal Identifier” the “social security number” and what followed when people decided very foolishly to use it as a “shared secret security identifier”…
So the question is,
Social Security number, Phone number, what’s the next “Shared Public identifier”, some idiot is going to use next for security?
SpaceLifeForm • April 7, 2021 10:26 PM
@ JonKnowsNothing, MarkH, Clive
I said a year ago, they were committing genocide and profiting while doing so.
hxtps://www.vanityfair.com/news/2021/04/why-the-us-still-cant-donate-covid-19-vaccines-to-countries-in-need
The contracts the Trump administration signed with the vaccine manufacturers prohibit the U.S. from sharing its surplus doses with the rest of the world. According to contract language Vanity Fair has obtained, the agreements with Pfizer, Moderna, AstraZeneca, and Janssen state: “The Government may not use, or authorize the use of, any products or materials provided under this Project Agreement, unless such use occurs in the United States” or U.S. territories.
The clauses in question are designed to ensure that the manufacturers retain liability protection, but they have had the effect of projecting the Trump administration’s America First agenda into the Biden era. “That is what has completely and totally prohibited the U.S. from donating or reselling, because it would be in breach of contract,” said a senior administration official involved in the global planning effort. “It is a complete and total ban. Those legal parameters must change before we do anything to help the rest of the world.”
Clive Robinson • April 7, 2021 10:34 PM
@ SpaceLifeForm, ALL,
You might be surprised just how many people do not watch UDP properly either or for that matter ICMP.
If you look up UDP[1], you discover some intetesting facts such as that the length and Checksum in the header are not realy used in the main.
Thus you can send a simple service that only uses a few bytes, a whopping great block of data… Often the service will process the first few bytes of data and ignore the rest, thus not send back ICMP errors.
Thus Firewalls at one point used to let huge amounts of data out without seeing it.
But even modern firewalls don’t check timing… Years ago I wrote a simple UDP program that appeared to send DNS requests to a server. What was important was that it actually sent them using a “Morse Code” tempo thus could be used as a “port knocker” to send text messages.
I later upgraded it to do rather more than just knock, it would strongly authenticate as well as prevent replay attacks (think encrypted time based one time token).
But as the old saying has it,
“There’s a lot more from where that came from.”
[1] https://www.geeksforgeeks.org/user-datagram-protocol-udp/
SpaceLifeForm • April 8, 2021 12:09 AM
@ Clive
ICMP Tunnels have not been reliable since y2k.
May work, may not. Lots of upstream routers that drop.
Weather • April 8, 2021 12:32 AM
@slf Clive
Self I think he was meaning sending a UDP packet with a wrong header or data length, normally the client would drop it, but routers might not as its not tcp.
Ask for more clarification 😉
lurker • April 8, 2021 1:14 AM
New Zealand prevents its own citizens returning from India. Other MSM reports suggest Brazil and USA are next in line.
Weather • April 8, 2021 1:16 AM
@Clive
How do you break out of a shell? Market none exist. Box not good 🙁
Nik • April 8, 2021 5:00 AM
@Clive
designing RF proof jackets with micro fine woven copper
Vollebak makes a copper jacket for $1100USD
With over 11 kilometres of copper in every jacket, the Full Metal Jacket is designed to help us pioneer the future of intelligent and disease resistant clothing.
I used to work for a company that made a cellphone acquisition device for LE…. They had also a faraday bag into which to put the phone – you need to isolate it. But you also need to see the screen and be able to press buttons. Not easy.
The added kicker was that the across from the company building was a celltower. The signal made it though EVERY prototype. Thus The Baghad a local ‘cell phone jammer’ inside the bag; not strong enough to jam things by itself but the combination proved very effective.
But not cost effective due to the many special ‘FIRMWARE adapters” that hook up to pads by the battery, allowing special access to the flash storage. And the need to develop software for all the phone models.
name.withheld.for.obvious.reasons • April 8, 2021 9:39 AM
@ Clive
I likely know that you know where I come from in regard to the InfoSec hat I wear and the sensibilities I ascribe to myself. Malice is nowhere in my vocubulary, I take seriously my research and analysis in the InfoSEC space. I too see it as you, not a lot of white hats with the skills to dabble in the dark arts and remain principaled. Not much I can add to your screed but nevertheless we do what we can–through the trials and tribulations of our time. I may have to write a few things down, less retrospective and more prescriptive…imagine you feel similarly. As a design engineer I can say that I do not have much to report that is positive. The practices and methods that give value to ones efforts appear to bring into question the objective. I wouldn’t be here if I didn’t think there was a possibility for improvement or constructive and valuable conveyance of thoughts and ideas.
Clive Robinson • April 8, 2021 10:48 AM
@ name.withheld…,
I likely know that you know where I come from in regard to the InfoSec hat I wear
There have been a few small pieces over the years, not enough to finish the jigsaw, but enough to see what the picture probably is, thus maybe find the box with the rest of the puzzle pieces.
Like you,
I wouldn’t be here if I didn’t think there was a possibility for improvement or constructive and valuable conveyance of thoughts and ideas.
Sadly as I get older, I see more and more that technology is used to abuse people in various ways, not least of which is the new “class distinctions” which indicate the level of privacy to which you have access.
I suspect that like me you fall below the “class” where privacy in effectively inate, thus have to work at getting what privacy you can by aquired skills not by fourtune or by inbred birth right. To quote the words of the song,
“It ain’t me, It ain’t me, I ain’t no senetors son”[1]
I am not fortunate, apart from an inheritance of part of the house I was born in, I’ve worked not just for what I have but the knowledge I’ve built up.
Whilst I’m not financially altruistic, I do give freely of what I know and where I can my time. The reason is the old saying,
“Give a man a fish and you feed him for a day, teach him to fish and he feeds himself for a lifetime”
Nobody was around to teach me to fish when I was orphaned, I had the pain of learning to fish the hard way. If I can cut the pain for someone else, then hopefully they will pass the knowledge on and there will be less pain in the world, and more knowledge, neither of which I think is a bad thing.
Other people I know disagree but then I don’t happen to think their morals, ethics or behaviours are good for society. As I’ve said rather more of more recently people have choices and thus the question of “Personal rights -v- Social Responsability” arises and much as many think they do not need the support of society as COVID has pointed out, they very much do. In short society is what floats everybodies boat and enables them to fish, so they can have a life where rights have meaning.
That view is not Socialist or Communist or any other of the purjatives some like to shout out when they feel the wrongness of their parasitic existence of self entitlement threatened. People should where they can chat to the grandparents or grandparents to learn about social responsability and the rewards of helping thy neighbour. After the war my parents barely survived, and it was the kindness of ordinary people in the US sending food parcels over to the UK that kept them alive, whilst the politicians just… Well people should look at the history shortly prior to the Marshal Plan, lets just say it might be informative.
[1] https://www.songfacts.com/facts/creedence-clearwater-revival/fortunate-son
Winter • April 8, 2021 10:49 AM
@nik
“They had also a faraday bag into which to put the phone – you need to isolate it. ”
I once wrapped my mobile in two layers of aluminum foil. Could not call it anymore. Not Military/007 Grade, but I suppose enough for me, if the need arrived.
SpaceLifeForm • April 8, 2021 3:52 PM
@ Weather, Clive
Sorry for the confusion. Clive mentioned ICMP, so I was just pointing out the ICMP Tunnel issue.
UDP Tunnels are workable. And, as DNS typically is over UDP, then exfiltration via DNS is a problem area that most orgs fail to inspect. It is, in fact, difficult to catch. Especially if some malware is only exfiltrating one bit per DNS UDP packet.
Some try, but then they also don’t want DoH around. DoH being DNS over HTTPS.
Ultimately, all of the comms are via IP, so instead of trying to do DPI on domain names (large space), a good outbound firewall design may entail allow lists of destination IP address. To catch exfiltration. Also, run your own DNS recursive resolver.
name.withheld.for.obvious.reasons • April 8, 2021 5:57 PM
To echo and acknowledge your sentiment; as the effects are within the human domain such that even a secular humanist can understand the ethical and MORAL implications.
Quite a few years ago when attending a city hall meeting wherein the license and utility easements were up for renewal, it was at that moment I understood the disengagement from civics and in society generally. In an affluent, Oxford-style university town, the residents were more concerned about the rate structures and access issues than anything to do with the cable company’s structural monopoly as a provider. Never mind that the cable company controlled the infrastructure that lay within the city streets or that their hands went right into the garage door openers of the city council. The winner take all non-provisional arrangement did not come into question, nor any influence asserted by the cable company that was raking in the bucks and how that might affect services.
The second lesson, every other city hall meeting was essentially crickets. Maybe a handful (an affluent town where people have the leisure time and financial wherewithal to attend) showed, at best, a dozen in a town with a population of roughly 40K. That resultant disaffection, less than 0.05% found their way to local civic engagement. Ironically, ask one of the residence who is the latest top dog on the TV show “American Idol” and they will tell you that they have invested more than just set top time; they’ve done research, spent additional money voting, and jabbering on about it incessantly to the point of…
I say all this to confirm your observations from within the not so lovely halls of the U.S.A. and can attest that the situation has not improved whatsoever. There is no civic mind, there is only the internal–well you know the rest. I feel like what Dr. Martin Luther King, Jr. said:
And I’ve seen the promised land. I may not get there with you…
but possibly in reverse.
Clive Robinson • April 8, 2021 6:21 PM
@ SpaceLifeForm, Weather,
Sorry for the confusion. Clive mentioned ICMP, so I was just pointing out the ICMP Tunnel issue.
My point was that too many organisations ignore both DNS outbound and ICMP outbound pacjets effectively alowing both to go without checking them in any way, as well as in effect ignoring inbound ICMP packets as well.
Yes ICMP gets dropped by some routers and it realy should not because it can cause problems when using tunneling protocols where say IPv6 gets tunneled across an Ipv4 network[1] or a full size packet tries to get tunneled into another packet something has to give be it TCP, UDP, or GRE, often ICMP is the only way a router can send back a message to the originating host to reduce the MTU.
The problem with ICMP is realy historical, and goes back several generations of routers and Hosts, when there were network attacks that could exploit these historic failings. These old attacks were used for creating a means of Denial of Service disruption / attack such as the ICMP flood attack, the ping of death attack, and the Smurf attack.
From memory the trick used the failing of the assumption of a “Network Address” as opposed to a “Host Address”. So if you pinged with a spoofed network address a reply would get sent to every host address in that network range. As ICMP is not a connection oriented protocol spoofing was relatively trivial.
But hosts should nolonger respond to network addresses and propperly set up routers should stop any spoofed packet leaving a network. But do neywork Admins do this? Well lets just say “it depends…”.
Needless to say I try and avoid getting my hands dirty at layer three and below with the Internet these days, life is to short and the pay not large enough… At one time I got so frustrated I had the notion of writing a book called something like “Shooting yourself in the pes with a network protocol whilst swinging from a network cable neck tie”. Apparently according to an editor I worked with at the time, the title was not snappy enough.
Mind you the world has turned for the worse… If you want a security nightmare to consider look up the “Seamoby” “Candidate Access Router Discovery”(CARD) protocol. Thankfully it is still in the experimental stages and the protocol is outlined by RFC 4065 and RFC 4066. Overly simplistically it’s a way for wirless networks to discover adjacent wireless networks by asking the mobile devices what they can hear at their current location… Or how to turn everything into a location beacon… I can see certain Google types getting all hot and enthusiastic over it as in theory it could unmask networks that do not broadcast their presence.
[1] IPv4 and IPv6 do not play nicely with each other when it comes to errors. ICMP thus comes in two flavours so far. For IPv4 it is defined in RFC 792, whilst an entirely separate ICMPv6, for IPv6 is defined by RFC 4443. Bridging ICMP error messages from tunnels can be a frustrating experience and some avoid it by in effect breaking other functionality like deliberately making the MTU short for all packets. Worse “Path Maximum Transmission Unit”(PMTU) works very differently on IPv4 where fragmentation signalling by routers is alowed to IPv6 where it is not and only Hosts get to play.
Wesley Parish • April 8, 2021 11:51 PM
Build it and he will come … or so one of the characters in Married With Children was told …
Hackers scraped data from 500 million LinkedIn users – about two-thirds of the platform’s userbase – and have posted it for sale online
https://www.businessinsider.com.au/linkedin-data-scraped-500-million-users-for-sale-online-2021-4?r=US&IR=T
Data from 500 million LinkedIn users has been scraped and is for sale online, according to a report from Cyber News. A LinkedIn spokesperson confirmed to Insider that there is a dataset of public information that was scraped from the platform.
just when you thought it was safe to go back into the … (censored)
Paul Prudhomme, an analyst at security intelligence company IntSights, told Insider that the exposed data is significant because bad actors could use it to attack companies through their employees’ information.
Invasion of the Body Snatchers, v2.0
Security researchers told Insider that hackers could use the exposed data to impersonate them or scam them into revealing sensitive login information.
It ain’t half hot, Mum …
SpaceLifeForm • April 9, 2021 12:04 AM
Unplugged. Impressive. I was never that good at Pong.
JonKnowsNothing • April 9, 2021 1:15 AM
@SpaceLifeForm
re: Impressive
I am rather surprised at this comment. It’s not quite like you.
Elon Musk is a creepy dude, maybe creepier than Peter Thiel. That he is permitted to run such experiments must the from same authority used by the dude that put large snakes on top of monkey enclosures to watch them cower – all for scientific research of course.
I am not impressed. I am appalled.
It ranks right up there with the MSM report about a MD? who developed a “pelvic pain simulator” to train others/men to have compassion about female pelvic pain diseases by re-producing genital pain.
The MD could have simply used a cattle prod. It’s what all torturers do and electric shock is a favorite technique.
Weather • April 9, 2021 1:44 AM
@Jon slf
I bet its a two way interface, I doubt they will stop at helping paralyzed people walk again.
Clive Robinson • April 9, 2021 3:04 AM
@ Weather, JonKnowsNothing, SpaceLifeForm, ALL,
I doubt they will stop at helping paralyzed people walk again.
Back in Summer 2000 I gave a presentation at a European Union funded Security and Crypto summer school at Uppsala University in Stockholm (a very delightfull city I full intend to revisit as and when travel by train across the EU is permitted again).
In my talk I made a comment in answer to a question, and my comment was considered more than a little contentious by some… What was it the objected to?
Well it was that I said I would retire on the day Bill Gates required a five pin DIN connector[1] in the back of my head…
In essence they thought brain-computer interfacing would not be possible in their life time, and that to do it would require experiments that would be illegal long before then…
Well I’m sure the monkey would rather not have a hole in it’s head, and that it should be illegal, but…
Also officially I won’t be due to retired untill the end of this decade, so it looks like I might just have to carry out my statment, even though it won’t be a five pin DIN connector by then.
[1] There are actually two “five pin DIN connectors” when it comes to PC’s the original about half an inch across used for both the keyboard and the mouse, and the later smaller “PS/2” connector that replaced it prior to USB taking over the job of UI device interfacing and doing it badly, hence some fun security faults.
Clive Robinson • April 9, 2021 3:18 AM
@ ALL,
Apparently yesterday evening WhatsApp, Instergram etc were down,
Did anybody notice?
I didn’t but then I don’t use them or other social media.
MarkH • April 9, 2021 3:21 AM
@Clive:
In my dotage, the bandwidth for PS2 HID connections is more than sufficient to monitor all of my brain activity.
Anything approaching USB would be overkill!
Winter • April 9, 2021 4:04 AM
@Clive
“Well it was that I said I would retire on the day Bill Gates required a five pin DIN connector[1] in the back of my head…”
No one will require it. Just as no one requires you to carry a tracking device, aka smartphone*. People do that voluntary. If you cannot participate in social life without a brain-computer connection, people will use them.
*In Marock, dissidents will be beaten up by the police if they do not carry a trackable phone. In China and other East Asian countries, life without a smartphone is “difficult”.
Clive Robinson • April 9, 2021 5:32 AM
@ MarkH,
Anything approaching USB would be overkill!
I know that feeling… Even though my body is back on Sun Synchronous London time, I still feel that the better bits of my brain are elsewhere…
@ Winter,
No one will require it. Just as no one requires you to carry a tracking device, aka smartphone
It depends on what you mean by require.
I’m fairly happy with the command line and find a Windows interface anoying other than I can get six terminal windows open on a single screen (and the version I use means I can atleast still use key strokes to change focus close etc and highlight text).
However people want beyond requirment “MS Office” whilst some will accept RTF files they moan about having to send such back. Others claim “It’s the standard” which of course it is not in the slightest.
Thus whilst my choice is not to have anything to do with MS products, I’m effectively “required to”. Thus whilst at one point MS Windows and Office were usable without a mouse, each iteration makes that less and less possible.
So if Microsoft finally ditch windows control by keyboard in favour of touch screens or a plug or equivalent in the back of my head, that is Microsoft enforcing a “requirment” on their users which in their turn they try and enforce as a requirment on me.
I’m “pro choice” for many reasons, not least of which is a mouse or similar is totally inappropriate in many environments such as “out side all weathers” through to full on MilSpec bomb proof systems where all pointing devices will fail unless they are as crude as the 70’s & 80’s “Space Invader” type coin slot Games machines that used upto a half inch stainless steel shaft through a rubber boot, a gear stick sized knob on top and an arangment of four ruggadised micro-switch sealed units bolted to a 1/8th inch steel plate that was held in place by heavy duty rubber shock studs. Whilst not quite bomb proof it was mainly enraged user proof, but at a price, thst it was no device of fine control. Basically giving just eight basic directions of movment, it was not realy that much better than the four basic “EDZS” or similar keypad movments such as vi’s “HJKL”. But… the last time I counted vi had between fourty and fourty five keyboard based cursor movments most of which can not be done by a mouse or other pointing device, without lots of menu clicking at best. The same applies to other editors and even WordPros, I still use WordStar and it’s keyboard short cuts (used in the Borland and other programing IDE’s) and someone I know who writes voluminous amounts uses Linux because they can still get their old copy of WordPerfect to run on it unlike MS Windows…
The lesson is most things that come out of marketing departments are both “lock-in” and “forced-upgrade” to ensure that the money flows in. They of course will deny that this is a “forced-requirment” but then Upton Sinclair made a pithy comment about such behaviours long before computers were based on microchips, in fact around the same time Alan Turing and Kurt Gödel were doing their thing…
Clive Robinson • April 9, 2021 8:28 AM
@ JonKnowsNothing, MarkH, SpaceLifeForm, Winter,
A little more on the rare type of blood cloting and COVID jabs.
Firstly it needs to be noted that these rare blood clots with low platelet counts have do occured in the population long peior to covid. Whilst no definitive causal relattionship has been found due to their rareity, they have been associated with women on hormone medications, that is the oral contraceprive and HRT.
Secondly and importabtly similar problems are starting to be seen in not just the AZ vaccine but the Pfizer mRNA jab as well.
If this turns out to be confirmed then there is the distinct possibility the same will be true for the Moderna mRNA jab as well. As for other vaccines well, they are in the main not being administered in Europe so we don’t have data. As for the US what data they do or do not have is publically unknown.
Denmark suspects the issue is to do with the vaccines been given incorrectly such that they go pertially or fully into a blood vessel. What the EMA and UK agencies think about this is again not public information, and it has not been mentioned in any official communications to the public.
As I’ve said before there are a whole list of problem areas to be considered and it may not be specific jabs, it could be due to life style or environmental issues along with administration issue.
The fact that it has been seen with two different jabs could suggest that it is possible it is the way the human immune system responds to not just COVID but the analogs used for immunization.
As most of these revolve around the spike protein which for all we know about it we know very little, it could be an artifact of the interaction. We do after all know that one of the causes of death in sever COVID is various forms of blood clotting.
At the moment due to the limited information we have is that there is an age related crossover point with comparative risk.
The younger you are the lower your risk of death from the original COVID strains, although newer strains appear to be shifting the risk down the age range. Thus the point where the risks are comparable have gone from being about late fourties early fifties with the older strains appears to have shifted down to the early to mid thirties in Brazil and it’s VoC’s. The Brazilian strains are becoming prevelant in Contenental Europe and America and due to foolish air travel and deficient testing are starting to turn up in other places.
What is not clear is why predominantly younger women not men are getting these rare low platlet counts and blood clots, and publically there appears to be no intention of investigating this (which would be stupid to negligent if the actual case).
EU countries appear to be going entirely their own way on things thus there is a veritable mish-mash of approaches.
My concern is the “Shelter under a tree in a storm effect”[1] without knowing how many jabs of each type have been given and the occurance and fatality ratios, just switching from the AZ vaccine to the Pfizer mRNA jab or again the moderna mRNA jab as political or marketing whim dictates may not stop the occurances or fatalities. Which is why getting to the bottom of it as early as possible should be a very high priority.
[1] The sheler under a tree effect, describes a certain type of not realy logical thinking. That is you are under a tree and at first you are dry, then you start to get wet, so you run to another tree expecting that it is going to still be dry under there…The reason this is not logical is the simple fact that both trees are in the same storm thus are getting about the same amount of rain per square footage of area as each other. So unless there is a marked difference in the trees and their foliage most likely they are saturated to the same extent. So running from one tree to another similar tress is unlikely to keep you any drier than the tree you start out under.
Weather • April 9, 2021 9:05 AM
@Clive
I’m surprised people aren’t worried about giving a injection of a new vaccine to all the world’s population 🙁
JonKnowsNothing • April 9, 2021 10:11 AM
@ Clive, MarkH, SpaceLifeForm, Winter, All
re: Low Platelet Counts and blot clots
There are a number of blood cancers that cause low platelet counts and a few that cause excessive platelet counts. These are often from changes, damage or DNA alterations that affect the bone marrow where blood cells are formed. Many of them are life-limiting.
Low platelets and blood clots are an “odd” combination.
The prevalence of younger women (under 60) may indicated estrogen or birth control in the affected population.
What some may not realize is that a good number of prostate cancers require men to take quantities of estrogen to reduce testosterone levels as some cancers react aggressively if even a small amount of testosterone is present. These aggressive cancers require 0 (zero) testosterone for treatment and men have to take estrogen in quantity to achieve that.
There are other reasons biological men might take estrogen too. As in the case of the Guardian Male Reporter who had a baby to renew estrogen treatment.
Long before the current OH?s about Oxford/AZ, I had heard “reliable” anecdotes of severe clot (stroke) within 5-10 days of vaccination, related to the mRNA vaccines (which is all we have in the USA).
ht tps://en.wikipedia.org/wiki/Platelet
ht tps://en.wikipedia.org/wiki/Thrombocytopenia
ht tps://en.wikipedia.org/wiki/Essential_thrombocythemia
ht tps://en.wikipedia.org/wiki/Thrombophilia
ht tps://en.wikipedia.org/wiki/Coagulation_disorder
ht tps://en.wikipedia.org/wiki/Myeloproliferative_neoplasms
(url fractured to prevent autorun)
Czerno • April 9, 2021 10:23 AM
@Clive, @JKN, @All : J&J vaccine accidents.
Being reported today (as seen on a French news website), several cases of vein thrombosis (blood clots) investigated in the US post Johnson & Johnson vaccine administration. They didn’t mention whether associated w/ low plaquettes (or I missed the mention if any).
Czerno • April 9, 2021 2:01 PM
Correcting my previous inaccurate post.
It’s the EMA : European medications agency which is making a statement about several cases of blood clots and, yes, with depleted plaquette counts in patients vaccinated in the US with J&J’s Janssen vaccine.
EMA says it’s going to investigate. AFAIK this vaccine has been approved for use but not yet deployed in countries of the European Community (nor the united Kingdom).
SpaceLifeForm • April 10, 2021 12:43 AM
@ JonKnowsNothing, Weather, Clive
Yes, it does seem cruel.
If you were paralyzed, and could only communicate via eye blink I think you would prefer to have a better bandwidth option.
Especially if you could interact with a computer.
The macaque named “Pager” is impressive. He knows how to play and get banana stuff.
He has trained the staff well.
JonKnowsNothing • April 10, 2021 2:52 AM
@ SpaceLifeForm, Weather, Clive
re: Yes, it does seem cruel.
If you were paralyzed, and could only communicate via eye blink I think you would prefer to have a better bandwidth option.
It is not that it “seems cruel”, it is so.
As far as the second part, be cognizant that there are a great many conditions that result in serious reduction of human normal abilities. Multiple Sclerosis is one, cancers, accidents and even falling off your horse can result in “life changing events”. The Austrian State of Victoria Premier recently had a serious fall down some stairs and barely escaped such a permanent change; how well he will recover is still part of the rehab: 18 minutes of walking so far.
Cruelty comes in many forms. You do not have to wield the scalpel, tie the restraints, do the injections and limit the life of another to be in partnership. Cheering it on, is just a bad.
Reams have been written about passive vs active participation.
Not long ago, in a pre-COVID conversation about change, I pointed out that we change all the time. We change our minds and our views and our decisions reflect our changes at that moment. Change happens, even slowly.
First you have to take stock of what you accept. It’s all up to you. No one can do it for you. Others may take advantage of you, but it’s up to you what you will accept or reject.
What was, does not have to be what is, or become what will be.
===
ht tps://www.theguardian.com/australia-news/2021/apr/05/victoria-premier-daniel-andrews-walking-18-minutes-a-day-as-he-recovers-from-serious-back-injury
(url fractured to prevent autorun)
Clive Robinson • April 10, 2021 2:54 AM
@ Weather,
I’m surprised people aren’t worried about giving a injection of a new vaccine to all the world’s population
The simple answer is many are, and for what they condider good reason.
Lets be honest and say certain politicians failed misserably to do their jobs, they listened to their self interested moneyed frienfs rather than scientists who had experience.
If you read back on this blog the first quater of 2020 as COVID-19 spread you will see that several of “The Usual Suspects” here expressed considerable concerns at what we could clearly see was going wrong and some on the face of it very stupid policies that have now killed hundreds of thousands if not millions of people well before their time. Whilst in the same time these same self interrsted moneyed have significantly profited by. Likewise the government treasuries.
Whilst many of the Government and lobyists claim none of this could be predicted especially the cyclical lock downs that are destroying the social infrastructure and likes of local shops thus variety of products available, it’s not true at all.
As far as I can tell the only thing not predicted by scientists and the usuall suspects here was the speed these vaccines became available…
Why? Well we assumed that normal safty precautions would be taken and thus the approvals process would be lengthy. Well it appears that the normal safety protocols are consodered by some to be unnecessary because of “emergancy circumstances”.
I’ve expressed concerns that a fundementally new technology that has been stuck in the lab not getting to the point of trials for three decades is suddenly the first approved, whilst other more traditional vaccines where the technologies are known quantaties risk wise have been “back burnered”. Thus the jab where there is absolutly no knowledge about longterm effects is now the leading jab and most expensive based on US Gov owned technology for which the royalties are flowing in. So I can understand peoples concern and some but not all of the conspiracy theories that have surfaced.
But the problem of comparative risk still applies. Western Politicians having turned an outbreak into a near global pandemic created a very high risk situation which was killing people at an alarming rate. This created a “technical need” because they would not alow an effective “social solution” thus they significantly changed the comparative risk.
However as seen with these rare blood clots that appear to be happening with different jab technologies there are almost always risks with technological solutions to evolutionary risks. All drugs have side effects that range from mild, through serious, to fatal, many of which if known can be mittigated often fairly easily (as it looks like these low platelet blood clots now can be even though the cause and any contributing factors are still unknown).
The real problem though is “evolution” between compeating species. SARS-CoV-2 is very unusual as beta corona viruses goes. Firstly it effects humans, secondly the infection to infectious time is so incredibaly short that people are sheding virus significantly and infecting others before they develop symptoms if at all. Thus the usual evolutionary preasure that makes the mutations less virulent with time is not happening and “Varients of Concern”(VoC) are poping up all over the place.
The UK was and still is one of the worst places for COVID when looked at in terms of infections per million thus has a high prevalence made worse by having a highly mobile population as well as a high influx of trade related people from all over the world mixing with the general population. Many of whom are asymptomatic thus we have two problems,
1, Inate super spreaders.
2, High rate of prevelence.
This in effect “cooks things on higher heat” and mutations from far and wide quickly find a home here and spread rapidly, pushing evolutionary effects. The only saving graces are we have a functioning health care system and we have a little under half the worlds genomic testing capability on hand.
Contrast with Brazil where things are somewhat different, whilst travel is less the political will is against doing anything to help healthcare or the population they have had several VoC’s arise and become the leading infectious strains. Strains that at the very least are more virulent, effect the younger population more critically, are more pathogenic and the vaccines are less effective against.
Thus we are in a race to get “jabs in arms before virus in lungs”, and we are not winning currently as the new infection waves are indicating.
Thus we need to take in the short term the evolutionary response of not “survival of the individual” but “survival of the species”. That is accept the risk of jabs over the risks of infection to stop the rise in prevelance of COVID thus deaths/injuries and most importantly prevelence linked mutation rates.
The thing is we are not talking about COVID deaths/injuries, especially the injuries like “long COVID” which way way out number the rate of blood clot events/deaths. That is due to the mainstream media hyping one over the other…
Clearly the risk perceptions of the general public are without doubt being manipulated, thus people are asking the wrong qurstions and making the wrong choices. Which gives the virus more opportunities to win the race and make the human race the loosers not just short term but long term.
Clive Robinson • April 10, 2021 3:34 AM
@ JonKnowsNothing, MarkH, SpaceLifeForm, Winter, Weather, ALL,
Low platelets and blood clots are an “odd” combination.
Yes and no.
Yes we are told one heck of a lot about platelets in blood cloting, in part because of their role in what gives rise to heart attacks and strokes that kill us via arterial disease.
But actually blood cloting is so important to us as a species to get us beyond our breeding point that through evolution we actually have a multiple set of “cloting paths”…
I’m not going to go into them, because as long term readers might remember, I’ve had lots and lots of issues with blood cloting and hemorrhaging over the past decade or so that have regularly put me in hospital with clots in the legs(DVT’s), lungs(PE’s), brain(CE’s, TIA’s/ministrokes), and to have blood transfusions. As a result I’ve looked into all sorts of things to do with blood and it’s clotting, and to be honest it’s a veritable warren and thus a rabit hole you do not want to go down, unless you are aiming to pick up a PhD along the way.
The upshot is I’m full of blood thiners and anti cloting drugs and any bleading I have to take seriously which has some definate downsides when one of my “hobbies” is not just cooking but the preperation and storage of food stuffs. Including the turning of carcasses into joints, chops, and cuts known as butchery but also the more interesting area of presserving meat called charcuterie. Needless to say all of which involves lots of very sharp knives and similar very close to both fingers and the hand but also the lower arm including the wrist where lots of blood vessels are just skin deep… As has been pointed out to me “an accident waiting to happen”, but what is life without enjoyment spiced with a little risk?
Clive Robinson • April 10, 2021 4:18 AM
@ Czerno, ALL,
[T]he EMA : European medications agency which is making a statement about several cases of blood clots and, yes, with depleted plaquette counts in patients vaccinated in the US with J&J’s Janssen vaccine.
So yet another entirely different type of vaccine with the same issue…
What do we know they have in common,
1, The way they are administered.
2, The area of the viral pathogen they are attacking.
In Denmark their health authority has raised the first as an area of concern. Whilst it might well be a part of the problem, it does not on it’s own explain the age and sex ratio differences (unless there are some anatomical differences in the deltoid musscle that are more prevelant in women under fifty).
There have been comments off and on about the nature of the viral spike and just how it interacts with the human body and what that might do to the immune system.
But it’s becoming clearer it’s not an individual immunizing agent and it’s totality of component parts that is the root cause. Thus not a question of “pick and chose your jab of choice” because the risk is apparently there with all of them…
The question raised in Denmark, is however very easily mitigated by “aspiration” which used to be a part of giving any injection, but this century has been less and less taught[1]. Put simply you jab the needle in and pull back a little on the syringe plunger, if the tip of the needle is in a blood vessel you will get very visable back flow, thus resiting the needle can be done very quickly and easily in just a few seconds, especially with modern hyper fine needles.
[1] The reason for teaching it was that some injections you do not want being a shock to the system. If you inject into a blood vessel then it will be all over the body and it’s internal organs very quickly in just a few minutes. Injecting into a muscle, tends to hold it in one place and let it release into the body at a much reduced rate thus longer period of time. Also with vaccines it causes the effects to be localised to the muscle as many have noted with flu jabs it’s their arm that hurts, long before the body gets the aches. But with “live virus” and now mRNA injections there is the question of which body cells get infected thus sacrificed muscle cells are localised and as some have noticed with their BCJ jabs the scaring resulting is localised as well. If blood cells get infected then things will not be localised.
SpaceLifeForm • April 10, 2021 4:19 PM
@ Czerno, Clive, ALL
It may make more sense that to avoid a bad jab into vein, is to take it into hip upper butt area.
name.withheld.for.obvious.reasons • April 12, 2021 4:15 AM
@ Clive
Social Security number, Phone number, what’s the next “Shared Public identifier”, some idiot is going to use next for security?
That’s easy, Red! No, Blue…ahhh
E-mail addresses.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
name.withheld.for.obvious.reasons • April 2, 2021 4:31 PM
1 Apr 2021 — Lack of Proof, is Proof!
On a religious broadcast network, NRB, a recent science segment covering topics of interest that might include, in this example biological functions of evolutionary adaptation, manages to refocus specific scientific theories as “intelligent design”. The idea that goose bumps were a hold over from a time when hominids had more hair. But the rewrite of the scientific postulate regarding the use of the hair to “signal” specific conditions associate with threats looks at new information about sub-dermial muscle tensioning that is part of a perfect design and not an affectation of homo habilis or other early bifurcation in human evolution and the loss of bodily hair.
The argument was literally that as science has yet to describe the idiosyncratic function in terms of evolutionary biology and that fact is indeed proof of the “perfect design”. In other words, lacking clarity respecting a scientific definition, then the creationist hypothesis stands and proves the concept of “perfect design”. Kind of a priori with apriori as proof. You cannot make this stuff up.