Friday Squid Blogging: COVID Relief Funds

A town in Japan built a giant squid statue with its COVID relief grant.

One local told the Chunichi Shimbun newspaper that while the statue may be effective in the long run, the money could have been used for “urgent support,” such as for medical staff and long-term care facilities.

But a spokesperson for the town told Fuji News Network that the statue would be a tourist attraction and part of a long term strategy to help promote Noto’s famous flying squid.

I am impressed by the town’s sense of priorities.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on May 7, 2021 at 4:13 PM | 84 Comments

Comments

Mr. Peed Off May 7, 2021 4:30 PM

It seems that in the United States, at least, app developers and advertisers who rely on targeted mobile advertising for revenue are seeing their worst fears realized: Analytics data published this week suggests that US users choose to opt out of tracking 96 percent of the time in the wake of iOS 14.5.

This new data comes from Verizon-owned Flurry Analytics, which claims to be used in more than one million mobile apps. Flurry says it will update the data daily so followers can see the trend as it progresses.

Based on the data from those one million apps, Flurry Analytics says US users agree to be tracked only four percent of the time. The global number is significantly higher at 12 percent, but that’s still below some advertising companies’ estimates.

https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-out-of-app-tracking-in-ios-14-5-analytics-find/

Ismar May 7, 2021 6:38 PM

https://wyss.harvard.edu/news/decoding-covid-19/

“Getting a complete picture of which genes, if any, affect human susceptibility to the new coronavirus will take a long time and the analysis of many thousands of people’s genomes. In the meantime, Wu and colleagues are getting a jump start by using an existing resource, the Personal Genome Project (PGP), and by looking at the edge cases, the extremes….

“We don’t necessarily need to do a deep dive on 7 billion people to help us predict who’s likelier to get sick or who’s asymptomatic but shouldn’t be exposed to other people because they’re still shedding virus,” he said.”

JonKnowsNothing May 7, 2021 7:47 PM

@All

MSM article: the stock price of Berkshire Hathaway A stock caused a buffer overrun on the Nasdaq Stock Exchange. Seems they use 32-bit unsigned integers and the price of the BRK shares exceeded the size and rolled over.

The report said they caught the error before anyone made a windfall. The report also indicated another stock exchange may have the same problem.

1 share BRK.A stock = $435,120.00 (£312,818.65)

Nasdaq multiplies the price of 1 share by 10,000 and stores it as a 32-bit unsigned integer, i.e. using 4 decimal places of precision.

BRK.A’s $435,120.0000 price would be stored as 4,351,200,000, which exceeds the 4,294,967,295 maximum, and would overflow… the value would wrap around from the maximum to zero, and in fact go past zero to 56,232,704, or $5,623.2704.

===

ht tps://www.theregister.com/2021/05/07/bug_warren_buffett_rollover/
(url fractured to prevent autorun)
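
The fixed-point wrap described in the comment above, as an added example that is not part of the original post or of any exchange's code. It assumes only what the comment states: price times 10,000 stored in an unsigned 32-bit field. The wrapping encoder reproduces the bug; the checked encoder is the bounds check that should have rejected the value, and `headroom` shows how close a price is to the field's ceiling.

```python
"""Fixed-point price stored as uint32 (price * 10_000): wrapping vs. checked.

Added illustration of the BRK.A / Nasdaq case; numbers and helpers are
assumptions for the example, not anyone's production code.
Pass prices as str or Decimal so the scaling is exact.
"""
from decimal import Decimal

SCALE = 10_000                               # four decimal places of precision
UINT32_MAX = 2**32 - 1                       # 4,294,967,295
MAX_PRICE = Decimal(UINT32_MAX) / SCALE      # 429496.7295, largest storable price


def _scaled(price) -> int:
    """price -> integer number of 1/10_000 dollar units."""
    return int(Decimal(price) * SCALE)


def encode_wrapping(price) -> int:
    """A careless uint32 store: the value silently wraps modulo 2**32."""
    return _scaled(price) & UINT32_MAX


def encode_checked(price) -> int:
    """Range-checked store: raise instead of wrapping."""
    scaled = _scaled(price)
    if scaled < 0:
        raise ValueError(f"negative price {price}")
    if scaled > UINT32_MAX:
        raise OverflowError(
            f"{price} scales to {scaled}, above uint32 max {UINT32_MAX} "
            f"(largest representable price is {MAX_PRICE})")
    return scaled


def decode(stored: int) -> Decimal:
    """Stored fixed-point integer back to a dollar price."""
    return Decimal(stored) / SCALE


def headroom(price) -> Decimal:
    """Dollars the price can still rise before the uint32 field wraps (negative once it has)."""
    return MAX_PRICE - Decimal(price)


if __name__ == "__main__":
    brk_a = "435120.00"
    wrapped = encode_wrapping(brk_a)
    print(f"BRK.A {brk_a} stored wrapping -> {wrapped} -> ${decode(wrapped)}")
    print(f"headroom at that price: {headroom(brk_a)}")
    try:
        encode_checked(brk_a)
    except OverflowError as err:
        print("checked store rejected it:", err)
```

Run it as a script and the wrapped value comes out as the 56,232,704 ($5,623.2704) quoted above; the point of the checked variant is that the field's ceiling ($429,496.7295) is a hard invariant worth asserting at every store, not something to discover from a wrong price on the tape.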

JonKnowsNothing May 8, 2021 12:01 AM

@SpaceLifeForm

re: Finding the extra bits Y2K style

Zho, I’ve been considering which kludge they will opt for, ’cause I doubt they will convert the entire database at NASDAQ to 64 bits over the weekend…

  • The flag it kludge / a flag to indicate that the calculations need to include some fudge factor
  • The auxiliary database kludge / a second database with both 32 and 64 bit fields where the programs will pick 1 of 2
  • The Block it and Lock it kludge / already used by the stock exchange
  • The Buy Another Software Kit kludge / new is always a better fix with more emojis
  • The Hire Big Guns Contractor kludge / show that we hire the Best (of what?)
  • The Get A Lawyer QUICK kludge / do not touch anything! It’s evidence!

Clive Robinson May 8, 2021 2:40 AM

@ SpaceLifeForm, JonKnowsNothing, ALL,

Y2k just did not register with some people.

Oh what a lovely “supply and demand” problem even if it is just “bits” or the lack there of in this case.

But it’s a more general problem that also happens in the real world as well…

When you have something that works to a function that monotonically rises with time, or in effect simply rises with time, it should be obvious that, over and over, there will be points when there will never be “enough” bits, or other things such as bank notes in a case of hyperinflation. Which is what all modern economic systems are when you look with an appropriate time scale.

I’ve mentioned this difference between “fiscal” and “real” wealth before.

So they go from 32bit ints to 64bit ints, eventually they will need 128bits and so on…

With hyperinflation they never have enough bank notes, which itself acts as a driver to the inflation. The solution is often to madly “over print them at night”…

In the UK the politicians want to get rid of “coins” because they are getting to the point they are worth more in scrap value than they are their face value…

Now ask yourself the question, what happens when a country has gone all “electronic transactions” and the reconciliation systems “run short on bits”?

There are known solutions to these problems that work, one such is the normalisation process of “floating point numbers” which we have actually done with currency over the years. We used to have lots of fractional coins like the half penny and so on down to about one hundredth of a penny and no high denomination coins above about 250 pennies. When it started to be a problem technology allowed for printed “promissory notes” that technically were not currency as they were not based on intrinsic metal worth. These then became bank notes. We actually see the same sort of thing starting with current “gold certificates” and yes it’s known there are more of them than there is gold in vaults, but people do not talk about it, especially the US Fed that in theory holds other countries’ gold…

The upshot is that in the past we had a range of coins based on a penny or equivalent which went up to 8bits and down by 7bits. Thus 16bits range was all that was required in most peoples everyday transactions for currency in the form of coinage.

If you think about it, today most of our daily transactions are still within that 14-16 bit range. That is, apart from the 99 cent gimmick, most things are effectively in multiples of ten cents or pennies. And very very few items you would buy with “cash in your pocket” cost more than the 1500 dollars/euros/pounds that 14 bits gives you, let alone the 6500 that 16 bits gives you.

As has been noted fairly frequently, the value of “real wealth” items in “real wealth coins” has not really changed much; that is, a house still costs about the same weight of gold as it did some years ago, likewise a hand tailored suit still costs about the same weight of silver. Even artisan bread etc.

What has changed is industrialisation has allowed manufactured goods to continuously drop in real cost. That is, I can now buy finished trousers for less than I can buy the same yardage of cloth they are made from… When you look at computers you see something as strange… For the past couple of decades computers, which are highly industrialised in their manufacture, have occupied the same fiscal price points 200/500/1000/1500 but each year what you get at that price point goes up by around 1.6 times (1.6^1.5 ~2 or double every 18 months). It’s even more odd with software which is just information and has no “physical worth”: it effectively goes up in power every year simply by adding a few new features to the old and “re-skinning the UI”; there are also one or two “lock-in features” added to ensure you keep buying. But even that does not make the revenues wanted… So now software has moved from the “leased model” to the “rent model” with the likes of “Online Office Applications”.

Thus getting back to currency, if we could find a way of making what we really need, which is that 16 bit range, move by an “inflation multiplier” then it would cover what we actually need out of the physical currency we carry in our pockets and use in our everyday lives…

Winter May 8, 2021 9:43 AM

@Uncle
“Meanwhile, as thing’s get worse, government gets bigger, along with big government spending, higher taxes, and it amazes me that people continue to support these con jobs in BOTH parties.”

What is strange?

In history, a smaller government has always been associated with a considerable decline in the health, security, and general wellbeing of the people, and a deteriorating infrastructure and economy.

The USA is a case in point, with declining life expectancy, collapsing bridges and health care, and so on.

It is then not a surprise that people everywhere want universal health care, good accessible education, and good public transport when you ask them directly.

What they often do not want is that other people have these things too, because they fall for all the divide and conquer propaganda. Or they simply fear more to pay for someone else’s troubles than they want help for themselves.

Winter May 8, 2021 12:37 PM

@brauala
“except now everyone take care of or else global pndemic.”

Indeed, in a pandemic, no one is safe until we are all safe. And I have not seen a solution to pandemics that does not include “One for All and All for One”

SpaceLifeForm May 8, 2021 2:59 PM

@ Peter

It’s deja vu all over again

Apparently, Colonial Pipeline hired Mandiant, and Mandiant has already ID-ed the attackers as a group named Darkside.

This should be a good wake-up call to everyone to keep their SCADA isolated from the internet.

Even if you want to run your SCADA using IP protocols, there must be a gap that is not routable IP. Preferably, a pair of non-IP bridge boxes. For example, crossing the gap via X.25 protocol or some type of pure serial protocol(s).

https://www.zdnet.com/article/dhs-says-ransomware-hit-us-gas-pipeline-operator/

[Note: link is from 2020-02-18]

Clive Robinson May 8, 2021 3:09 PM

@ JonKnowsNothing,

or cladding that catches fire and torches the rest of the building.

You’ve probably not heard but,

Another tower block in London clad with the same or similar panels as Grenfell Tower had a stairway fire yesterday morning and few heard the alarms that had been installed… Though residents were hurt, it appears they were lucky, it could have been a lot worse,

https://www.theguardian.com/uk-news/2021/may/07/fire-breaks-out-at-london-tower-block-with-grenfell-style-panels

@ ALL,

Oh, for those of the “international set” looking to tuck their ill-gotten or otherwise gains away in East London property developments, of which there are thousands of units currently for sale (which is not a good sign in itself): can I suggest you do your due diligence carefully, those “Grenfell panels” or similar are being used all over the place. Some are safer than others but none are really safe due to the chimney effect that can be created. Thus only by “on site inspection” during construction can you evaluate if they are safe-ish or not…

Oh and remember the probability of a fire at any given place increases approximately to the inverse square of the number of floors on it. So investing in high rises is not the best idea anyway, and that’s before an inexperienced architect or corner cutting contractor makes things a whole lot worse.

Remember metals oxidize, which also means they can burn as fuel under the right circumstances (thermite anyone?). As a very rough rule of thumb the less dense the metal structure the more likely it is to combust…

If you want to see how bad the chimney effect can be look up why “rocket stoves” are called that and why they are also considered by many to be low smoke producers with a very high conversion of fuel to thermal energy compared to other traditional wood burning stoves.

Clive Robinson May 8, 2021 3:31 PM

@ SpaceLifeForm, ALL,

This should be a good wake-up call to everyone to keep their SCADA isolated from the internet.

How long have we been saying that on this blog?

I know I’ve been saying it since the early 1990’s when bean counting managements first started putting such systems on the Internet, so they could save very large amounts of money by switching from “Manned on site” 24×365.25 to “On Call” at best 12 hours a day (some 16 hours, for five days a week and 24 hours a day for weekends and holidays). As well as “down manning” by having a small central office staff manage hundreds of sites…

Anonymous May 8, 2021 3:33 PM

if whatsapp in the security/privacy world was dead before, what is it now?
https://www.reddit.com/r/Android/comments/n79n5r/whatsapp_will_progressively_kill_features_until/

decomposed to the point that all the bacteria eating it have died too?

i wish someone found a way to completely shut down or break/dos whatsapp, so that people would stop getting a false sense of security from it)

it’s self-defense if the company/entity is actively attacking my human rights isn’t it?

Clive Robinson May 8, 2021 4:08 PM

@ Anonymous,

if whatsapp in the security/privacy world was dead before, what is it now?

I find it ironic that you link to a post on reddit, about those who run whatsapp trying to foist a new User Level Agreement on them.

Reddit, if you read it, has some very bad terms and conditions of its own that it tries to foist on people using the same techniques…

As for what is happening to WhatsApp, you need to ask what is driving it?

Personally I think you need to be looking above Level 8-9 (management) and off towards 11-12, regulators and politicians.

It’s fairly clear that those behind politicians are pushing for unlimited unwarranted data access on citizens, and the politicians appear to be quite happy going along for the ride. All whilst making faux protestations about the route, not the destination, which will be in effect a dictatorship in the US with a President with the same “divine right” powers as Kings of old had, and the religions once more in the ascendant. Which means that corporates will become the Barons of old, and the US Citizens “slaves” or actually worse “serfs” kept in penury as vassals not allowed to own assets etc.

Thus the owner of the systems that WhatsApp needs to function is merely asserting what they see as their rights (and legally they are correct). Nobody is currently legislating or regulating that you use WhatsApp or any other waste of resources Secure Messaging App. Just pick another one whilst you still can, because that freedom is likely to end in less than three years unless people fight for real security, not the joke security of the current apps.

Why do I say “joke” for security apps being secure in use? Please have a think about the actual reality of “the system” not “the App”… All the apps have the confidential user interface use the insecure OS and drivers on the device. Thus the “weakest link” applies and no matter how many clever crypto algorithms the App uses, any attacker will just do an “end run attack” via the OS etc to the user interface, thus completely circumventing any security in the App…

Thus anyone looking at secure messenger Apps as they currently are on Smart Devices is being sold a “crock of sh1t”, which is what makes those buying into those “secure phones” from EncroChat etc so ironic. You would have thought that should have been a “wake up call” but no, users are happy to sleepwalk into a total loss of privacy, and thus society as it currently exists.

It’s about time people actually woke up to that and started demanding actual secure systems not some smoke and mirrors illusion of security.

But hey, just keep dancing whilst the music plays and don’t think of the price the piper will extort at the end of the day.

lurker May 8, 2021 4:21 PM

@Clive, All

Thus only by “on site inspection” during construction can you evaluate if they are safe-ish or not…

[my added bold]
The same could be said for any or all of the stuff that we are told is necessary to support modern society; from cpu chips to gas pipes and electric cables. How to ensure stuff gets built to spec also requires building the spec right. Do we need more lawyers? Should specs not be written by anyone without adequate hands on practical experience?

How do you stop contractors pulling rebar out after inspection, before concrete is poured? How do you stop people chucking rockets into space that will fall on my house?

SpaceLifeForm May 8, 2021 5:12 PM

@ Clive, ALL

Hmm now this is not posting even though it claims it is a duplicate…

You forgot to wait 5 minutes and force refresh. Do not forget batcache.

When it says duplicate, it is there in the database. Just not visible.

Weather May 8, 2021 5:20 PM

@lurker
China’s government doesn’t give a hoot about their population, why wouldn’t you expect they will treat you the same or worse.

SpaceLifeForm May 8, 2021 5:23 PM

@ Gonzalez

Yes, threaded replies are possible, but there is little reason to do so here.

SpaceLifeForm May 8, 2021 5:54 PM

@ Clive, ALL

Clarification

When it says duplicate, it is there in the database. Just may not be visible.

It could depend upon how you refresh your browser tabs.

Wait 5 minutes. Force Refresh. By tab.

SpaceLifeForm May 8, 2021 7:17 PM

@ JonKnowsNothing, Clive, MarkH, Winter, All

It’s now been 48 hours since I got my J&J jab.

The first 24 hours: Felt very tired, with annoying mild headache that kept me awake, even though I wanted to get sleep. Tried to sleep, but could not. Had to take regular aspirin to get some sleep.

I could tell within 2 hours of jab, my immune system was on top of it. Finally, got some sleep. Nearly 12 hours. Woke up, felt better, but still not great. I’ll have some coffee. Better, but still tired.

Can not even find the jab spot on arm. Even pressing on my arm.

Now, at 48 hours, pretty much back to normal.

It was an interesting experience.

I started my search. Found pharmacy doing J&J. But, website not so great. They were doing noon to 6pm, in hour slots. But, click on timeslot, and it says, it’s full. I try others. Same. Well, I’m not playing whack-a-mole. If the timeslot is full, why can I click on it? And why can I not pick one 5 days later?

So, I am devious, because, of course.

I have my plan, that I was certain would work. And it was flawless. Cause I am devious.

So, I show up in last half-hour at the pharmacy.

“Sign, sign, everywhere a sign. Blockin’ out the scenery, breakin’ my mind. Do this, don’t do that, can’t you read the sign?”

I played dumb. The signs said “you must have an appointment” and “no walkins”

“Bwahaha, I said to myself. Watch me”

So, I ask: I hear you are doing J&J vaccine here?

Yes, we are.

Can I get it?

Did you register?

No.

Pharmacist hands me paperwork, asks for ID.

A bit later, I get the jab.

Tells me I have to hang around for 15 minutes. Yeah, I know this.

We actually had a great discussion about Covid-19 and stuff. I was probably his most informed patient in some time.

After 10 minutes, he tells me that I can go. Yeah, I knew I was not going to have an allergic reaction.

So, I thanked them, and said “have a good night”

They said: “thanks for coming in. We would have had to throw that dose away”

Be devious. Show up late.

Gonzalez May 8, 2021 7:23 PM

@SpaceLifeForm

Threaded replies allow you to collapse lengthy, uninteresting or irrelevant comments, and to keep digressions apart from the main conversation. It seems relatively simple to implement, and might improve the user experience.

Weather May 9, 2021 12:52 AM

Checking ‘ifconfig eth0’ to see if it is in half duplex mode, with an invisible cable splice tap on the cable.

ResearcherZero May 9, 2021 2:00 AM

@Clive Robinson

Exactly right, they are pushing for more and more access to data. Although the government often writes off intelligence collected with those powers as “conjecture”, and ignores very serious physical evidence collected meticulously over years (at quite serious personal risk to the people who collect it, and everyone else).

“ACIC observation shows there is no legitimate reason for a law-abiding member of the community to own or use an encrypted communications platform.”
hxxps://www.itnews.com.au/news/crims-using-encrypted-platforms-almost-exclusively-acic-claims-564255

Other warrants will allow for data “disruption”, including the ability to “add, copy, delete or alter data”, and network intelligence gathering.
hxxps://www.aph.gov.au/DocumentStore.ashx?id=0cfd0e34-ae76-42e4-9438-d8218c70b760&subId=706935

Twitter made a submission on the proposed further data collection powers…

“If the account takeover warrant is to be used to access an online account regardless of the location of the server, and executed without the knowledge of a service provider, or foreign official, then all due process requirement and safeguards that typically surround warrant processes have essentially been removed,”
hxxps://www.itnews.com.au/news/twitter-worried-by-secret-account-takeover-data-access-powers-561127

These kinds of powers are proposed as the Department of Public Prosecutions often fails to prosecute the serious and difficult cases (it takes time, and corruption, cough, cough), and fails to prosecute misuse and abuse of powers.

“Of the 1713 individual accesses to LBS by ACT Policing for that period, we were only able to provide assurance that nine were fully compliant with the Telecommunications (Interception and Access) Act.”
hxxps://www.ombudsman.gov.au/__data/assets/pdf_file/0021/112476/Report-into-the-AFPs-use-and-administration-of-telecommunications-data-powers.pdf

So you spend all that time collecting evidence against very dangerous people, which the government ignores, and then those people try and kill you. Meanwhile the prosecutors go after all the innocent and unlucky witnesses who might possibly endanger their extra pocket money.

After a few decades of ignoring continued warnings from signals and intelligence you get the following.

“SVR cyber operators appear to have reacted […] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders,”
hxxps://www.bleepingcomputer.com/news/security/russian-state-hackers-switch-targets-after-us-joint-advisories/

A bunch of alerts go out…

“These changes included the deployment of the open-source tool Sliver in an attempt to maintain their accesses.
hxxps://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf

Organisations are advised to follow the mitigation advice and guidance outlined, as well as the detection rules in the appendix in order to help protect against this activity.
hxxps://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors

Organisations should also follow the advice and guidance in the recently published NSA advisory
hxxps://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF

and the FBI and CISA alert, which detail further TTPs linked to SVR cyber actors.
hxxps://us-cert.cisa.gov/ncas/alerts/aa21-116a

Recent investigations have identified three new pieces of malware being used in late-stage activity by NOBELIUM.
hxxps://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

SUNSHUTTLE is a backdoor, written in GO, that reads an embedded or local configuration file, communicates with its C2 server over HTTPS and supports commands including remotely updating its configuration, file upload and download, and arbitrary command execution.
hxxps://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html

“OT operators and IT system administrators should ensure only the most imperative IT-OT connections are allowed, and that these are hardened to the greatest extent possible.”
hxxps://media.defense.gov/2021/Apr/29/2002630479/-1/-1/1/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF

The politicians contend that they passed some legislation (30 years after they were first asked, and it’s far from complete), and all the technical detail looks rather confusing, so it should be left to the largely
under resourced, untrained, unsupported, under funded and over stressed administrators.

Colonial is the largest refined products pipeline in the U.S. and transports approximately 45% of all fuel consumed by the East Coast. This fuel includes gasoline, diesel fuel, home heating oil, jet fuel and fuels for the U.S. military.
hxxps://www.colpipe.com/about-us/faqs

Similar to SPRITE SPIDER, CARBON SPIDER has gained access to ESXi servers using valid credentials. The adversary has typically accessed these systems via the vCenter web interface, using legitimate credentials, but has also logged in over SSH using the Plink utility to drop Darkside.
hxxps://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/

The malware named Tirion, which is thought to be developed to replace the Carbanak backdoor is the new loader tool of the Fin7 group.
hxxps://threatintel.blog/OPBlueRaven-Part1/

FIN7 typically employs spearphishing to gain a foothold into their target’s network and also reportedly abused the dynamic data exchange (DDE) feature in Windows and legitimate cloud-based services to deliver Carbanak.
hxxps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/carbanak-backdoor-s-source-code-leaked-what-this-means-for-enterprises

The adversary’s signature persistent access tools include the Sekur (aka Anunak) implant, which has been used since 2016, and the Harpy (aka Griffon) backdoor, which has been used from 2018 through 2020.
hxxps://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html

Recently, 64 bit variants of the backdoor have been discovered. We shared details about such variants in a recent blog post. Some of these variants are programmed to sleep until a configured activation date when they will become active.

InfoKube/Cubehost also runs an entire swath of Internet addresses managed by Petersburg Internet Network (PIN) Ltd., an ISP in Saint Petersburg, Russia that has a less-than-stellar reputation for online badness.
hxxps://krebsonsecurity.com/2016/07/carbanak-gang-tied-to-russian-security-firm/

“Hello, Carbanak!”
hxxps://videoshare.fireeye.com/watch/DdYPsctgEQQTK3yh971o8s

The following are the tactics and techniques that are employed by Carbanak
hxxps://attackevals.mitre-engenuity.org/enterprise/carbanak_fin7/#technique-scope

To maintain persistence, the groups create new services. They also add programs to a startup folder that can be referenced with a registry run key.
hxxps://www.trendmicro.com/en_us/research/21/d/carbanak-and-fin7-attack-techniques.html

They generate new keys for each campaign, but who knows it might work
hxxps://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/

And the agencies who don’t want to upset the politicians, again reiterate,

Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and Yttrium—continued targeting of U.S and foreign entities.
hxxps://us-cert.cisa.gov/ncas/current-activity/2021/04/26/fbi-dhs-cisa-joint-advisory-russian-foreign-intelligence-service

…and kindly ask, ‘can you please enable multi-factor authentication’ to make their job a little easier.

In one 2018 compromise of a large network, SVR cyber actors used password spraying to identify a weak password associated with an administrative account.
The organization unintentionally exempted the compromised administrator’s account from multi-factor authentication requirements.
hxxps://us-cert.cisa.gov/ncas/alerts/aa21-116a

Meanwhile a bunch of legislation still sits on desks, business still spends pennies on security and has a lax culture where all the same mistakes are repeated, and meanwhile the basic concepts have not been taught to students for the last three decades. And espionage, well that might as well not exist.

It’s OK says the politician, I use a pen (DOH)!

Personally I use encryption myself as I’m a little sick of being shot at and various other things I don’t enjoy, like funerals, considering the government does not provide any protection (or vaccines, if you are overseas) to the people who collect said intelligence (the stuff they ignore anyway). The cops, they love intelligence, as long as it is about meth heads other than themselves, leaking intelligence, the tools that collect it, bribes and not arresting non registered spies (no one arrests them).

Babuk hacks cops
hxxps://apnews.com/article/politics-district-of-columbia-police-russia-business-11a63398f9ce328d5c127b9a5e5f88c5

When I need the dog to go for a walk I say “Dog Go!”, but unfortunately it has not yet worked for the politicians, and if you get a good one, well there are a dozen who are compromised, but then Putin has Qanon, meth heads, anti-vaxx, incels, and people who burn down cell towers (which emit non-ionizing radiation, you know, the stuff that doesn’t kill you) to distract everyone.

If you can hear a ringing in your ears, that would be from three decades of everyone being played like a fiddle, or you have had your headphones up too loud.

This doesn’t happen to you when you walk under a 5G Cell Tower
hxxps://www.theguardian.com/world/2021/may/02/havana-syndrome-nsa-officer-microwave-attacks-since-90s

or this

report on microwave
hxxps://www.nap.edu/download/25889

link from
hxxps://www.nationalacademies.org/news/2020/12/new-report-assesses-illnesses-among-us-government-personnel-and-their-families-at-overseas-embassies

Clive Robinson May 9, 2021 7:09 AM

@ ALL,

What goes up often comes down

It would appear that the core 100ft/30m lift stage of China’s Long March 5B launched late last month has finally made its grand reentry at 2.24am GMT over the Arabian peninsula. Its arc was visible in the Middle East and it hit the surface somewhere near or on the Maldives in the Indian Ocean. Interestingly nobody is yet saying where, including NASA[1] or US Space Command[2].

When launched on the 29th, the rocket had the payload, core and boosters. The boosters dropped away as was expected and landed down range. The core continued and pushed the payload up, which reached stable orbit at a similar low height as the ISS (which is actually not a good orbit height).

However the core itself achieved orbital velocity and thus started to orbit the earth, and would still be up there if not for the effects of the atmosphere creating “drag”.

So around and around it went, and a bit like a roulette wheel nobody knew when the ball was going to drop…

Anyway, as far as we know the core weighed between 17 and 27 tons and due to the shallow entry much of it will have ablated due to atmospheric friction (ie hundreds of kWhs of energy). So how much actually made it down to the Earth’s surface will be debatable. Likewise how much entered water and how much hit dry land…

Anyway if you had a few bucks on when or where, time to check if you got lucky or unlucky.

[1] Nasa administrator Bill Nelson, a former astronaut and senator who has only been in position for just over a month said,

“It is clear that China is failing to meet responsible standards regarding their space debris,” and “It is critical that China and all spacefaring nations and commercial entities act responsibly and transparently in space to ensure the safety, stability, security, and long-term sustainability of outer space activities.”.

Something that may well come back to haunt him, as the ISS is quite literally falling apart currently, and at some point in the future somebody is going to have to decommission it, a big chunk of which will be “burn up de-orbit”…

[2] In a statement a US Space Command spokesperson said,

“The exact location of the impact and the span of debris, both of which are unknown at this time, will not be released by US Space Command.”

Which is kind of odd as they probably know very accurately.

Anders May 9, 2021 7:54 AM

@Clive @SpaceLifeForm @ALL

hxxps://www.reuters.com/world/uk/public-health-england-says-coronavirus-variant-b16172-is-variant-concern-2021-05-07/

hxxps://www.theguardian.com/world/2021/may/07/indian-covid-variant-is-variant-of-concern-says-public-health-england

Clive Robinson May 9, 2021 1:22 PM

@ Anders, JonKnowsNothing, MarkH, SpaceLifeForm, ALL,

With regards the three Indian related mutations of SARS-CoV-2.

They are decimating India by the hundreds of thousands a day.

With “official figures” showing,

1, 400,000 new cases a day.
2, 4,000 deaths a day.

You would think it was a cause of concern. But the real figures we know are way, way worse than that as the number of burials (Muslims) and cremations (Hindus) skyrocket and deaths in large numbers are happening whilst people are trying to get into hospital and are then ordered to take the corpse away without it being recorded.

People with any knowledge of what was happening said “stop the flights” well over a month ago and as usual were ignored by the UK Government, who later then had to do so.

They were warned about “flying through other nations”, in particular Turkey, as those taking bookings for flights saw many Indian/Asian travel agents booking flights to and from India and Pakistan that way to get around the travel ban.

Even when exposed these agents thought it a joke as they gleefully grabbed the extra commissions.

So now, only now, after the indications of easy mass infections and a death rate of at least 1% (official) and probably nearer 2-3% (excess deaths) and much bad publicity with these variants, with over fifty toe holds in UK populations where transmission is likely to be rife, do the politically motivated finally get around to “Stating the bl**dy obvious”, way too late and again way too little.

As I’ve mentioned before and most do not seem to consciously recognize,

“The mutation rate is proportional to the numbers who are currently infectious.”

India, whilst it does have fabulous wealth in places, is mainly “dirt poor”: those who do not work in that day do not eat that night. In cities most work places are cramped and so close quartered that infection is guaranteed to spread.

Estimates by some from excess deaths and known untreated fatality rates etc indicate that the real level of infection is over 25% of the at least 1.4 Billion “official” population (some say it is already the most populous nation on Earth beating China…).

Thus these three “known” variants are likely to have quite a few more joining them every day. Based on simple evolution we can expect these new variants that become noticed to be more infectious, and due to the unusual phases of the SARS-CoV-2 disease progression more likely to be lethal. As the level of vaccination in India is so low, it’s a matter of probability as to if new variants will be “vaccine escaping”; however it’s odds on that they will evolve down the age range when finding viable hosts.

Politicians may not like this information and the WHO and other politically controlled health agencies may try to pretend these things are not issues. But I suspect increasing numbers of the population are working out for themselves that those in charge are more interested in the health of those who make political donations and have well financed lobbyists than they are in the health of the citizens.

For instance in the UK you can not listen to a commercial radio station without hearing adverts for foreign holidays… It’s complete and utter madness…

Oddly though the “medical profession”, appearing so reticent of the UK Government, appears not to be so with India and the Modi Government. It’s very easy to find articles like,

https://www.republicworld.com/india-news/general-news/lancet-editorial-slams-modi-govt-on-indias-covid-crisis-stifling-criticism-inexcusable.html

Which quote an editorial from the prestigious UK medical journal “The Lancet”. Personally though I think their estimate of another 3/4 million dying in India over the next three months is probably going to be on the low side based on excess death information coming through.

However if other things mentioned are true then we can expect the “official” figures to be less than half that number, or even a lot lower as Modi holds more political rallies and allows more festivals and religious gatherings, but wants to remain apparently in “God like charge”…

Anders May 9, 2021 5:37 PM

@ALL

hxxps://www.reuters.com/business/energy/top-us-fuel-pipeline-operator-pushes-recover-cyberattack-2021-05-09/

Clive Robinson May 9, 2021 5:42 PM

@ Anders, JonKnowsNothing, MarkH, SpaceLifeForm, ALL,

Some of you are aware that since very early on, before this was a “pandemic”, I talked about ignoring official figures and looking at the “excess death” rates and comparing to those for the previous five years, including making allowances for like-for-like deaths. So as I indicated, in lockdown you would expect workplace and traffic accident fatalities to drop. Likewise with all but critical emergency surgery cancelled, the deaths from “medical procedures” to drop as well. All of which would bring up into the light the “hidden COVID deaths” that we know politicians were trying to hide.

Well doing that sort of thing is actually hard work, which is fine to keep you occupied when you have nothing else to do, but like many others I do have other things to do so stopped doing it.

Well I know some people carried on which is why I said in my above post,

“Estimates by some from excess deaths and known untreated fatality rates etc indicate that the real level of infection is over 25% of the at least 1.4 Billion “official” population”

Well that was four and a half hours ago; imagine my surprise to see this on a smart device belonging to someone else less than an hour ago,

https://m.youtube.com/watch?v=XRtRJLRRnpU

Looks like others are doing the same sort of thing with “excess death” information that I was over a year ago, only they publish nice printed reports…

I must warn people that watching the video report all the way through does make sobering watching.

Clive Robinson May 9, 2021 6:16 PM

@ Anders, SpaceLifeForm, ALL,

With regards the report on the pipeline being held for ransom.

The following struck my eye,

“As the FBI and other government agencies worked with private companies to respond, the cloud computing system the hackers used to collect the stolen data was taken offline Saturday, the person said.”

Proving I guess my point about “agnostic to use technology” in the hands of “Directing Minds”.

However the report also indirectly mentions an anomaly with the way the alledged attackers have behaved. Which raises two points,

1, Premature accreditation, especially in public can be quite embarrassing.

2, The accreditation could be wrong due to a “false flag” attack.

As has become a bit of a meme with “the usuall suspects” we can say that,

“Accreditation is hard, very hard.”

Especially when someone is intentionally trying to look like another group of attackers, to hide their own activities.

So we need to keep an open mind and ask the question,

“Was this actually a ransomware attack by the group accredited? Or was it by a different group? Or was the ransomware aspect merely a cover for a Level III attacker ‘sending a message’?”

There are four possibilities there and sorting out which is the correct one might, as with the Russian attack on the South Korean Olympic Games, take some months or more to sort out.

So keep an open mind, and sit back with a couple of bowls of popcorn and enjoy the show. Oh and if you live in the US just be thankful this attack did not happen at the same time the Texas grid went down.

Anders May 9, 2021 8:09 PM

@Clive @SpaceLifeForm @ALL

Regarding this “cloud computing system” – this is a much used tactic by govt adversaries; Cobalt Strike also supports this – Domain Fronting.

hxxps://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
hxxps://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/

Nothing new actually but makes attribution very hard.
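An added illustration of the defender’s side of the domain fronting technique Anders links to (editor’s example, not code from the FireEye or Cobalt Strike posts): fronting works because the outer TLS SNI names a high-reputation host while the inner HTTP Host header names the real backend, so a TLS-terminating proxy that logs both fields can alert on the mismatch. The log format, the hostnames and the “last two labels” organisation heuristic are all constructed assumptions of this example.

```python
"""Flag proxy log lines where the TLS SNI and the HTTP Host header disagree.

Added example; not code from the FireEye or Cobalt Strike posts linked above.
The Host header is only visible after TLS termination, so this check needs a
TLS-inspecting proxy (or CDN-side logs); with SNI alone nothing can be compared.
The log format and every hostname below are constructed for the illustration.
"""
import re
from dataclasses import dataclass

# Constructed log format: "<ts> <src> sni=<sni> host=<host> status=<code>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) sni=(?P<sni>\S*) host=(?P<host>\S*) status=(?P<status>\d+)$"
)

SAMPLE_LOG = """\
2021-05-09T20:01:11Z 10.0.0.5 sni=cdn.example-cdn.net host=cdn.example-cdn.net status=200
2021-05-09T20:01:12Z 10.0.0.5 sni=www.example-cdn.net host=update.example-cdn.net status=200
2021-05-09T20:01:13Z 10.0.0.7 sni=cdn.example-cdn.net host=abc123.example-tenant.net status=200
2021-05-09T20:01:14Z 10.0.0.9 sni= host=plain.example.org status=200
"""


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    sni: str
    host: str


def parse(log_text):
    """Parse the constructed log format; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["src"], m["sni"], m["host"]))
    return events


def registrable_domain(name):
    """Crude 'organisation' key: the last two labels.  Real code should use
    the Public Suffix List; this simplification is an assumption of the example."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def is_fronted(ev, allow_same_org=True):
    """True when SNI and Host name different organisations."""
    if not ev.sni or not ev.host:
        return False            # nothing to compare (no SNI, or no Host logged)
    if ev.sni.lower() == ev.host.lower():
        return False
    if allow_same_org and registrable_domain(ev.sni) == registrable_domain(ev.host):
        return False            # www vs. update of one org: common and benign
    return True


def find_fronting(log_text):
    return [ev for ev in parse(log_text) if is_fronted(ev)]


if __name__ == "__main__":
    for ev in find_fronting(SAMPLE_LOG):
        print(f"{ev.ts} {ev.src}: SNI {ev.sni} but Host {ev.host}")
```

On real CDN traffic a plain SNI/Host mismatch is noisy, because multi-tenant CDN hostnames legitimately differ from the SNI; in practice the check is paired with an allowlist of known CDN tenant patterns and treated as a hunting signal rather than a blocking rule.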

JonKnowsNothing May 9, 2021 9:28 PM

@SpaceLifeForm, Clive, MarkH, Winter, All

re: JJ COVID jab update

Some reactions to the COVID-19 jab are starting to appear among personal friends who got them.

As SpaceLifeForm indicated they also have had varying degrees of symptoms:

Felt very tired, with annoying mild headache that kept me awake, even though I wanted to get sleep. Tried to sleep, but could not. [SpaceLifeForm]

One has had a more severe experience. They had the vaccine nearly 7 days ago and on day 6 was no longer able to stand up.

Severe weakness in legs and no longer able to stand unassisted. Cannot walk without assistance and support.

Checked for stroke, heart problems, embolisms, aneurysms. Run through CAT, MRI, Ultrasound, Xrays. Full blood work ups, including some rarer ones.

Results: All Normal. Not Stroke, Not Heart, Not Anything.

There is no way to “prove it was the jab” but all other indicators are normal.

While attribution may not be possible, the physical problems are serious. Not being able to ambulate (walk) causes a cascade of medical/social changes.

It is hoped that the “extreme and profound fatigue” will abate over the next few days.

SpaceLifeForm May 10, 2021 12:55 AM

@ JonKnowsNothing, Clive, MarkH, Winter, All

For me, headache slowly fading. Still tired.

Here’s an interesting case, female, over 80. After 2nd jab (Moderna), at about 6-7 days later, lost feeling in toes. Scared to walk. Yep, you need your toes for balance, especially your pinky toes. Could walk with a walker. After two more weeks, walking fine without walker.

I suspect there is something going on with T-cell development and nervous system for some people, even if they are otherwise healthy.

So, hopefully, your friend will be up and about in a week.

Note: Person is on various meds, so that could be a factor also.

Clive Robinson May 10, 2021 1:26 AM

@ Anders,

With regards FireEye and,

“Domain fronting provides outbound network connections that are indistinguishable from legitimate requests for popular websites.”

If you look back on this blog, you will find I had described the technique of using Google about half a decade before FireEye published their paper. Basically the version I outlined in sufficient depth that people could implement it was very deliberately “inbound” not “outbound”, as I did not think it wise to give the “data exfiltration” idea a public airing. Thus it allowed for the control of a botnet via Google’s cache as the redirector and random blog sites “used just once” as the endpoints, that could not be taken down by the then favoured technique of decapitating the control head, and it did not require HTTPS, which was not as popular back then.

If you read the paper from the Privacy Enhancing Techniques Symposium(PETS) back in 2015 you will see they missed quite a few tricks with regards redirecting data streams,

http://www.icir.org/vern/papers/meek-PETS-2015.pdf

The problem with most redirectors set up on Amazon and the like is that real world financial transactions are involved, and these leave not just primary and secondary direct “data-trails” but “meta-data” and “meta-meta-data” trails that can be not just seen but followed with the right analysis. Which are almost as good as “boots on the ground HumInt” for attribution.

There are other ways to set up reflectors without the financial issues that can also have other advantages.

For a Level III attacker with access to the actual network that forms the Internet on which both clients and servers are just leaf nodes they can do some interesting tricks by putting in “Data-Tees” on routers to slurp up data into “collect it all” repositories. Well “Data-Tees” work just as well for others.

As a simple example assume I have gained control of a router between your site and Amazon. If I put a data-tee on it the traffic for Amazon still goes to Amazon as expected, but a copy also goes off to where ever the data tee sends it.

Thus having data just end up on drives at Amazon but not get “read” does not mean that the data has not been copied via a data-tee and stored safely by the attackers somewhere else to read at their leisure.

I’ve mentioned the use of such data-tees in the past as part of “false flag” operations. If you can get access to a computer inside the network of your “chosen fall guy” then all you have to do is add a network listener that redirects any incoming data to /dev/null or equivalent. This can be done with some simple form of “shell scripting” on most modern consumer OS’s. If you put a data-tee in the path then you get a copy of the data that you can selectively release, further incriminating your fall guy but without really releasing much that is harmful to the chosen target.

But the same technique works at leaf nodes: if you apparently hack into say a hotel network you can put a redirector into any one of several hundred places. If you make it “obvious” it’s a redirector apparently being used to cover tracks by sending the data back out again to your fall guy, you can also send it out via the WiFi on the redirector host to the boot of a car in the adjacent public car park…

These relatively simple tricks and many others are why I say “attribution is hard, very hard”.

SpaceLifeForm May 10, 2021 1:39 AM

@ Anders, Clive, ALL

Speaking of Just-in-Time, Supply Chains, and Texas…

https://zetter.substack.com/p/biden-declares-state-of-emergency

A source who works for a large midstream oil company that feeds fuel into Colonial’s pipeline told Zero Day that the control systems for his company’s tank farms connect directly to control systems at Colonial Pipeline and that as soon as they learned about the ransomware incident on Saturday, they disconnected those systems to prevent the ransomware from traveling to their systems from Colonial’s networks.

He told Zero Day that his company has had to scramble to figure out what to do with the oil and fuel they have sitting in tanks and that they have received no word from Colonial about when the pipeline will be back online.

“We had a big batch scheduled today [to go to Colonial],” he told Zero Day. Instead they have to figure out other storage options for the fuel or reduce capacity in the refineries feeding the tanks. They also have to keep the material in the tanks moving with mixers or it will “stratify and affect product quality,” he said.

His company was told that Colonial’s main pipelines would “not be fixed in 1-2 days, but won’t take six weeks.” He’s not sure why Colonial would provide such a wide-ranging time period but said it’s “very concerning for our interests.”

“We gotta find storage for refineries [and we] might run out [of storage] it takes too long. Then refineries [will have to] cut back. Problem escalates,” he said.

Winter May 10, 2021 9:34 AM

@David Perkins
“They have been approved for emergency use only. However you will face the effects of this untested biotech for the rest of your life, even if their approval were to be pulled. We’ve already seen this happen with Johnson and Johnson in Denmark.”

Then tell me what is wrong with these vaccines? What science tells us that these vaccines are dangerous, more dangerous than contracting COVID-19?

Hundreds of millions of people have already obtained a COVID vaccine, and they are still alive. There are side-effects, but they are less common and less severe than the side effects of not getting vaccinated, i.e., getting COVID-19. Hundreds of times more people die of COVID than of vaccine side-effects.

Until any of these anti-vaxxers can show the opposite, this is all just propagating conspiracy theories intended to kill people.

This is nothing better than claiming COVID-19 is caused by 5G towers.

@David Perkins
“How do you determine what’s likely?”

By observation. Calculating probabilities of, e.g., the chance of a furin cleavage site being inserted into a genome along with protease markers, is just guesswork.

It is like calculating the probability of observing a specific license plate on the road after you have observed it, without any other knowledge.

JonKnowsNothing May 10, 2021 10:55 AM

@All

re: When is Phishing Not Phunny?

MSM report about a “West Midlands Trains” company that sent an email to 2,500 of their workers

with a message saying its managing director, Julian Edwards, wanted to thank them for their hard work over the past year under Covid-19. The email said they would get a one-off payment as a thank you after “huge strain was placed upon a large number of our workforce”.

Except… there was no bonus and no thank you.

It was claimed that it was a “phishing test” designed to “teach their workers” not to click links.

So what they got when they clicked the link was a “You’re Pwned” message.

A West Midlands Trains spokesperson said: “We take cybersecurity very seriously. We run regular training and it’s important to test your resilience.

“The design of the email was just the sort of thing a criminal organisation would use – and thankfully it was an exercise without the consequences of a real attack.”

Tech companies have spent years teaching people to “Follow the Link”; it will be tech companies that have to remove “clickable” links, because they cannot control the link destinations.

===

ht tps://www.theguardian.com/uk-news/2021/may/10/train-firms-worker-bonus-email-is-actually-cyber-security-test

(url fractured to prevent autorun)

JonKnowsNothing May 10, 2021 11:22 AM

@SpaceLifeForm, Clive, MarkH, Winter, All

re: JJ COVID jab

fwiw: So far, I have had no side effects from the jab.

Reports are that these may happen anytime in the next 3-4 weeks.

Plus, we get to do this again in a few months; hope they don’t try to do Flu+COVID at the same time. The cross over side effects might really put a damper in uptake.

An interesting social change: many people want to keep their masks ON, even after they have been told they can take them off.

While Governments try to convince the population that COVID-19 is over, regardless of what they see and read about India, Nepal and other countries where dead bodies are now just dumped in the river, people are opting to keep masks for social reasons.

Those social reasons, might save a few lives when the limited effectiveness of the vaccines against the variants/reinfections becomes noticeable.

Variants carrying the P681R Membrane Fusion mutation which increases transmission, like the 3 India variants, are coming.

===

ht tps://www.theguardian.com/us-news/2021/may/10/the-people-who-want-to-keep-masking-its-like-an-invisibility-cloak

ht tps://www.theguardian.com/world/2021/may/10/india-dozens-of-suspected-covid-victims-wash-up-on-ganges-river-banks
(url fractured to prevent autorun)

Winter May 10, 2021 12:11 PM

@Richard
“Also stop curtailing the freedom of speech of other people here,”

This is Bruce Schneier’s blog and here his rules govern. His moderator has the right, and duty, to remove all comments that do not follow these rules. Other users can help the moderator to do her/his work. But it is Mr Schneier who decides, not you, not me.

The fact that you feel you have rights on other people’s property links you to the resident Troll that has expressed the same entitlement.

If you want to have Freedom of Speech, you have to set up your own website.

Winter May 10, 2021 12:15 PM

@Richard
“The term “anti-vaxx” is a false dichotomy and denies the reality that one can be “pro” some vaccines and “anti” others.”

Spreading disinformation and lies about vaccines is what characterizes anti-vaxxers. The disinformation and lies spread by the resident troll et al clearly designate them as anti-vaxxers. Disinformation and lies are easily recognized comparing it to published science.

There is no reason to assume the anti-vaxxers themselves believe these lies. Anti-vaxxers can be motivated by a strategic intent to harm and kill the receivers of the message. Which I believe is the case here.

Winter May 10, 2021 12:18 PM

@Richard
“Your innate immune system is usually able to better attack and kill on a broad scale as long as the viral load is low. ”

You obviously have no idea what the “innate immune system” is and how it interacts with the “acquired immune system”. Until you get your immunology correct, you will never be able to understand how, and why, these vaccines work.

You can start at wikipedia:
hxxps://en.wikipedia.org/wiki/Innate_immune_system

GRU May 10, 2021 12:21 PM

The BBC have done a really well researched 8 part podcast on the anti vax movement as part of their ongoing “trending” series to do with social media generally.

There’s some interesting stuff on the German Querdenken movement too, state actors, and the cult like psychology of those who have watched too many youtube videos and gone down the rabbit hole.

They also discuss the problem of social media enabling the spread of distortions and misinformation, sometimes with encrypted messaging ecosystems, such as with bundled, free Whatsapp use in Brazil in poorer socioeconomic groups.

The problem of coordinated trolling campaigns is also discussed.

You can download the audio too, if you don’t want to stream it.

hxxps://www.bbc.co.uk/programmes/w3ct2dmb

Winter May 10, 2021 12:24 PM

@Common Sense
“Obviously, it has to be identical in the key region where the spike binds the ACE2 receptor.”

You do not understand the principles behind vaccine design. There is no reason at all that the anti-bodies should target the active sites of the binding proteins. Any accessible site that is specific and stable enough will do. And only that part is necessary.

Also, although the spike protein might itself be unhealthy, it is not the reason SARS-2 kills people. People who are vaccinated are not killed except in very rare cases (1:200,000 and less). Meanwhile, 1:400 Americans have already died of COVID-19.

Winter May 10, 2021 12:28 PM

@Albert
“are still blueprints for the cells to start producing spike proteins which have known detrimental effects to the vascular system.”

And this holds for almost all vaccines. I have answered the nonsense about the spike proteins in vaccines above.

Winter May 10, 2021 12:48 PM

@GRU
“The problem of coordinated trolling campaigns is also discussed.”

We see this on this blog. Most of the anti-vaxxer and COVID-19 conspiracy comments are posted by a single agent under random handles, or as imposters.

This agent lies about everything and will insult and threaten other visitors and do everything to derail the blog and make comments unreadable. Typical anti-vaxxer conspiracy troll behavior.

But even any “genuine” anti-vaxxer posters cannot explain how they noticed a specialist security blog that addresses computer security and cryptography and only rarely follows the course of the pandemic. So we must ask, why are they coming here, posting on this blog?

Winter May 10, 2021 1:12 PM

@All

For those interested in the topic.

8 Common Online Trolling Tactics and how to handle them.

hxxps://samanthanorth.com/8-common-online-trolling-tactics-and-how-to-handle-them/

(URL fractured for your protection)

Winter May 10, 2021 1:20 PM

@All
What motivates online trolls?

See the study:
hxxps://spsp.org/news-center/blog/buckels-internet-trolls
(URL fractured for your protection)

TL;DR: Online trolls are generally sadists. They enjoy the suffering of others.

Clive Robinson May 10, 2021 5:47 PM

@ JonKnowsNothing, ALL,

An interesting social change: many people want to keep their masks ON, even after they have been told they can take them off.

Do you remember that terrible flu epidemic predicted for the 2019/2020 flu season in the Northern Hemisphere?

Likewise any flu in the 2020/2021 Northern Hemisphere flu season?

Some people have realised that the East Asian habit of the past decade or two of wearing masks in their Winter/Spring when respiratory diseases are prevalent is actually quite a good idea[1].

More importantly the previous “social shaming” of mask wearers by “Guard Labour” and others who are too stupid to consider the consequences of their “bullying behaviours” has been “kicked to the curbside” for now.

Thus for the sake of the health of the general civilian population the continued wearing of face masks should continue.

However expect “kick back” via FUD etc from “Guard Labour” such as LEOs and FBI etc and the other idiots that align with them such as the DoJ and members of both houses.

Without doubt the past two seasons have shown that the guard labour rising mantra of “You must be bare faced in public” is a significant health hazard that, based on the annual respiratory disease deaths in the years running up to 2019/2020, killed hundreds of thousands of people…

Of course there will be kick back, because a lot of people see “Facial Recognition Systems” as the new way to make a fortune etc, and they will have lobbyists trying to ensure they become part of the billionaire club of tax dollars. My advice would be track the lobbyists down and make them social pariahs in their communities and social groups. They clearly do it to others, so “what goes around…” etc. Once upon a time they used to use “Rough Music”, “tarring and feathering” and “run them out of town on a rail/pale”, sometimes even “branding” so others could see they were bad news. I suspect many are thinking it’s time for some good old community justice again… Such is what can be expected when the pendulum swings too far in the crooks’ favour.

[1] Not just “masks” but taking to heart “Hands, Face, Space, Ventilate” has without doubt reduced the non COVID respiratory disease deaths. Thus those who are a little thoughtful about their health rather than guzzling beer, puffing cancer sticks, and couch surfing with endless carb snacking, have decided they want to live longer and not go with the stupid mantra of “What does not kill you only makes you stronger”.

Winter May 11, 2021 5:57 AM

They found a bug in the Universal Turing Machine!

Intrinsic Propensity for Vulnerability in Computers? Arbitrary Code Execution in the Universal Turing Machine
hxxps://arxiv.org/abs/2105.02124

Yes, I was wondering too. But this is about the 1967 implementation of Marvin Minsky.

Jon May 11, 2021 9:56 AM

@ Winter

If you build a machine that will execute user input, you should expect that a user will input something you did not expect.

The solution is to use Harvard Architecture, not Von Neumann. Keep the program in a separate space than the inputs! Sharing memories is just asking for it! 😉

J.

xcv May 11, 2021 10:08 AM

@ Jon

The solution is to use Harvard Architecture, not Von Neumann. Keep the program in a separate space than the inputs! Sharing memories is just asking for it! 😉

There is something called W^X in the OpenBSD operating system which does implement some of the restrictions of a Harvard architecture.

On the other hand there are some programming languages such as Java or JavaScript that use a type of “JIT” or just-in-time compilation which do depend on the ability to directly execute code in readable and writable memory.

Clive Robinson May 11, 2021 10:45 AM

@ Jon,

The solution is to use Harvard Architecture, not Von Neumann. Keep the program in a separate space than the inputs! Sharing memories is just asking for it!

It’s an appealing hypothesis, only it fails because,

1, Memory holds “data”.
2, Data is defined by meta-data that is not stored in memory with the data.

This is a very, very fundamental security weakness below the CPU level in the computing stack.

To see why, in your Harvard architecture build an interpreter in the “code memory bank” that takes its instructions from the “data memory bank”… Thus the information in the “data memory bank” is seen as “code”.

Even if you do not deliberately build an interpreter in the code memory bank, in any moderately complex code there will be some form of decision logic that works on values held in the data memory bank, and that code can be perverted to become an interpreter (see the likes of BrainF*ck to see this).

Thus you have to write your code to never take different actions based on information in the data memory bank…

At first this might appear to be a pointless coding exercise. However think about Digital Signal Processing: this works this way, as do other data value independent filters.

Life as they say can be fun; programming can also be like certain types of music, so much nicer when you stop banging your head 😉
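Two small added demonstrations of the two halves of Clive’s point (editor’s example, not his code): first, a toy stack machine whose handlers live in an immutable “code bank” while its opcodes come from a separate “data bank”, showing that the Harvard split alone does not stop data from steering control flow; second, a byte comparison written the DSP way, doing the same work in the same order whatever the data holds, next to the usual early-exit version whose work depends on the input. The opcode set and sample programs are constructed for the illustration, and Python is used for readability rather than as a constant-time runtime.

```python
"""Data as code, and data-independent code (added example, not from the thread).

run_vm: the four handlers below are the fixed "code bank"; the program is a
bytes object standing in for the "data bank".  Nothing in the data bank is
ever executed directly, yet the data bank alone decides which handler runs.

compare_*: the early-exit comparison stops at the first differing byte, so the
amount of work (and time) reveals something about the data.  The
data-independent version always touches every byte and performs the same
operations; the only decision is made once, on the final accumulator.
"""

OP_PUSH, OP_ADD, OP_MUL, OP_HALT = 0, 1, 2, 3    # constructed opcode set


def _op_push(stack, data, pc):
    stack.append(data[pc + 1])          # immediate operand follows the opcode
    return pc + 2


def _op_add(stack, data, pc):
    b, a = stack.pop(), stack.pop()
    stack.append((a + b) & 0xFF)        # 8-bit arithmetic, like a tiny MCU
    return pc + 1


def _op_mul(stack, data, pc):
    b, a = stack.pop(), stack.pop()
    stack.append((a * b) & 0xFF)
    return pc + 1


def _op_halt(stack, data, pc):
    return None                         # None = stop


CODE_BANK = (_op_push, _op_add, _op_mul, _op_halt)   # immutable "program memory"


def run_vm(data_bank: bytes, max_steps: int = 1000):
    """Execute the data bank as a program; returns the top of stack at HALT."""
    stack, pc = [], 0
    for _ in range(max_steps):
        op = data_bank[pc]
        if op >= len(CODE_BANK):
            raise ValueError(f"invalid opcode {op} at offset {pc}")
        nxt = CODE_BANK[op](stack, data_bank, pc)   # data selects the code path
        if nxt is None:
            return stack[-1] if stack else None
        pc = nxt
    raise RuntimeError("step limit reached")


def compare_early_exit(a: bytes, b: bytes):
    """Typical comparison: returns (equal, bytes_examined); work depends on data."""
    steps = 0
    if len(a) != len(b):
        return False, steps
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def compare_data_independent(a: bytes, b: bytes):
    """DSP-style comparison: returns (equal, bytes_examined); always visits all."""
    steps = 0
    if len(a) != len(b):                # lengths are treated as public here
        return False, steps
    acc = 0
    for x, y in zip(a, b):
        steps += 1
        acc |= x ^ y                    # no branch inside the loop
    return acc == 0, steps


if __name__ == "__main__":
    prog = bytes([OP_PUSH, 2, OP_PUSH, 3, OP_ADD, OP_PUSH, 4, OP_MUL, OP_HALT])
    print("vm result:", run_vm(prog))                       # (2+3)*4 = 20
    print(compare_early_exit(b"secret", b"sXcret"))         # stops after 2 bytes
    print(compare_data_independent(b"secret", b"sXcret"))   # always 6 bytes
```

The VM is the point about interpreters: changing nine bytes of “data” changes what the machine computes, with W^X and a Harvard split both fully in place. The comparison is the point about data-independent code: in C or assembly this is how constant-time checks of MACs and password hashes are written, and it is why `hmac.compare_digest` exists in Python’s standard library.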

Winter May 11, 2021 11:43 AM

@Jon
“If you build a machine that will execute user input, you should expect that a user will input something you did not expect.”

The amazing thing here is that it is a very simple program from 1967 that implements a Universal Turing Machine. And for 50 years, there was a hidden bug in it that nobody noticed.

The bug got its own CVE

Clive Robinson May 11, 2021 5:48 PM

PUFs come to carbon one atom thick

One hardware security device that has only been around about a decade is the “Physically Unclonable Function” or PUF.

Originally portrayed as “frozen randomness that could not be duplicated” it can be used to provide what appears to be random bits, unique to each chip even though made with the same mask. Thus it could be used as an identifier or as a seed for crypto key generation, and quite a few other foundation level security functions.

In essence the tolerance in the manufacturing process of silicon chips could be harnessed constructively for high security processes.

Unfortunately there was a fly in the ointment, it was found that there was an underlying structure in silicon PUFs that certain AI statistical algorithms could detect thus silicon PUFs could be determined… Also others found ways of duplicating them.

Well enter Graphene a one atom thick layer of carbon atoms linked in ring format to produce a stable platform on which transistors can be formed. Thus so can PUFs which a team at Penn State University has done.

They believe this Graphene based PUF is not susceptible to the statistical attack…

If you have a subscription to Nature then you can read the paper at,

https://www.nature.com/articles/s41928-021-00569-x

Otherwise you can read a brief writeup at,

https://www.electronicsweekly.com/news/research-news/graphene-physically-unclonable-function-2021-05/
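An added simulation of how a PUF is actually used as a key source (editor’s example, not code from the Penn State team, the Nature paper or Electronics Weekly): because the response differs slightly between reads, the raw bits are never the key; instead a fuzzy extractor pairs the response with public helper data and an error-correcting code. The PUF here is a seeded random bit string with caller-chosen flips, the code is a 5-fold repetition code, and the statistical-structure weakness the comment discusses is not modelled; all of that is an assumption of this example.

```python
"""Simulated PUF enrollment and key reconstruction with a fuzzy extractor.

Added example, not from the linked paper.  Enrollment picks a random key,
encodes it with a repetition code and XORs the codeword with the PUF response;
the result is "helper data" that can be stored in the clear, since without the
response it is a codeword masked by unpredictable bits.  A later read XORed
with the helper data gives the codeword plus the read noise, which the decoder
removes as long as no group of REP bits has more than REP//2 flips.
"""
import hashlib
import random
import secrets

N_KEY_BITS = 128
REP = 5                                  # corrects up to 2 flips per group
N_RESPONSE_BITS = N_KEY_BITS * REP


class SimulatedPUF:
    """Stand-in for hardware: stable bits fixed at 'manufacture' (the seed),
    plus per-read bit flips representing read noise."""

    def __init__(self, seed: int):
        rng = random.Random(seed)
        self._stable = [rng.randrange(2) for _ in range(N_RESPONSE_BITS)]

    def read(self, flip_indices=()):
        """Response with the given positions flipped (deterministic noise)."""
        bits = list(self._stable)
        for i in flip_indices:
            bits[i] ^= 1
        return bits

    def read_noisy(self, rng, flip_prob=0.02):
        """Random read noise: each bit flips independently with flip_prob."""
        return [b ^ int(rng.random() < flip_prob) for b in self._stable]


def encode_repetition(bits):
    return [b for b in bits for _ in range(REP)]


def decode_repetition(codeword):
    """Majority vote inside each group of REP bits."""
    return [int(sum(codeword[i:i + REP]) * 2 > REP)
            for i in range(0, len(codeword), REP)]


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def enroll(puf, flip_indices=(), key_bits=None):
    """Return (key_bits, helper_data); helper_data may be stored publicly."""
    response = puf.read(flip_indices)
    key = (list(key_bits) if key_bits is not None
           else [secrets.randbelow(2) for _ in range(N_KEY_BITS)])
    helper = xor_bits(encode_repetition(key), response)
    return key, helper


def reconstruct(puf, helper, flip_indices=()):
    """Recover the key from a fresh (noisy) read plus the public helper data."""
    response = puf.read(flip_indices)
    return decode_repetition(xor_bits(helper, response))


def derive_key(bits):
    """Hash the corrected bits into a 256-bit key (the usual final step)."""
    packed = bytes(int("".join(map(str, bits[i:i + 8])), 2)
                   for i in range(0, len(bits), 8))
    return hashlib.sha256(packed).digest()


if __name__ == "__main__":
    puf = SimulatedPUF(seed=7)
    key, helper = enroll(puf)
    rng = random.Random(1)
    again = decode_repetition(xor_bits(helper, puf.read_noisy(rng)))
    print("recovered with random read noise:", again == key)
```

The repetition code is chosen for readability; real designs use BCH or similar codes with far better rate, and they also budget for the bits of key entropy the helper data leaks. Seen through this lens, the silicon PUF problem the comment describes is that a modellable response makes the “unpredictable mask” assumption false, which is exactly the property the graphene work claims to restore.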

Weather May 11, 2021 6:21 PM

@slf
Answer , use gravity constant, which can be updated over time.
I respect you but this shit has been going on for too long

Weather May 11, 2021 6:38 PM

Sh a Windows software that comes with corporate edition is being used to hack machines… It’s not like they are destructive zero days, they are doing what any teenager can do, so stop climbing, yes you food4hacks, more directed at your followers. Do you want a training course in bug hunting, or system admin?

SpaceLifeForm May 11, 2021 6:43 PM

@ Moderator

comment-377436 and comment-377437 are obvious fakes

Maybe not to an AI, but they are fake.

Weather May 11, 2021 6:52 PM

@all
“@ Moderator

comment-377436 and comment-377437 are obvious fakes

Maybe not to an AI, but they are fake.”
Can you describe the post, not everyone wants to connect their network to this site.

Anders May 11, 2021 8:30 PM

@ALL

I now post in right place

hxxps://www.theregister.com/2021/05/12/krack_hack_wifi/
hxxps://www.fragattacks.com/

Clive Robinson May 12, 2021 5:27 AM

@ Anders, ALL,

With regards , and,

“One design flaw is in the frame aggregation functionality, and another two are in the frame fragmentation functionality,” explains Vanhoef in his paper.

It kind of explains it all

“As you break’m and we remake’m the way we want”…

The number of times we’ve seen attacks where frag/defrag is the basic “class” of so many “instances” of vulnerability, should we really be surprised?

Kind of reinforces my point that the “industry” is “not learning from its living history”…

Clive Robinson May 12, 2021 5:37 AM

@ Ismar, ALL,

Software development in crisis

Thanks for the link, I got to listen to it late yesterday. Funny that the “E” word did not get mentioned until just gone fifty minutes in. But in essence it’s what it is actually all about.

Likewise the use of the analogy of a screw/fastening… If you look back far enough on this blog you will find I used “bolts” and “bricks” as analogies for exactly the same reasoning…

I guess I might snag a copy of the book as “the shops” are coming out of lockdown, as I’ve mentioned before I’ve had enough trouble with the crooks called Amazon to go down the “online purchase” of books again. I know some might think “scum” is too strong a word for the supposedly richest man in the world, but as the old saying has it,

“If the cap fits, wear it!”

And it sure fits in his case.

Clive Robinson May 12, 2021 5:44 AM

@ SpaceLifeForm,

Another one to add to your list of “Calamities that will happen care of AWS”,

hxxps://www.theregister.com/2021/05/12/nhs_scotland_aws_contract/

Clive Robinson May 12, 2021 6:53 AM

@ Bruce, ALL,

Another one to add to the list of,

“Oh dear my car CAN-Bus, surely Can’t be doing that?”

https://www.theregister.com/2021/05/11/black_hat_asia_car_hacking/

This time it enables you to not pay at a recharging station or worse, much worse, fritz with the voltages and charging currents. Which with lithium batteries really is not a good idea at all when you remember they have a “flame-buoyant” history of going up in smoke rather like a flare…

Clive Robinson May 13, 2021 2:33 AM

@ SpaceLifeForm,

The penultimate paragraph from the Forbes article,

“Taken together, then, quantum solutions can secure systems now and in the future against quantum computer attacks. It simply doesn’t make sense to spend billions on classical cyber protections that will be obsolete in 3-4 years as hackers inevitably find their way around those safeguards, instead of investing in quantum-based hack-proof protections that will last for decades.”

This is exactly the same “snake oil” the writers of all those “secure messaging apps” use to push their wares…

Either way you most definitely do not end up with a “Secure System” and it’s highly debatable if you even end up with a very limited subset of the communications that is secure…

When you look at the credits, you see the author of the article suffers from that mental myopia Upton Sinclair so succinctly described before electronic computers had even been thought of,

“It is difficult to get a man to understand something, when his salary depends on his not understanding it.”

Oh and if we actually follow his advice the systems will remain even more insecure than they currently are for the next half decade or so…

As for “quantum-based hack-proof protections that will last for decades” no they won’t be “hack-proof” and I very much doubt any practical system will be good for even half a decade. The reason,

Side Channel leakage

If you look at the original BB84 Quantum Key Distribution (QKD) system[1], Gilles Brassard said of the practical implementation that he did not need to know what the state of the system was, because he could hear what state the electromechanical polarizers were in… A very clear “side channel” that was “singing out loud” the very information the entire security of the system relied upon.

In fact theoretical attempts to remove side channel issues in QKD systems have the problem of “negative impact” on the practical systems, sometimes to the point they are not realistically usable[2].

But then again what is “realistically usable” with QKD? Firstly it’s very range restricted, thus you have to build “secure nodes” or repeaters every few tens of kilometers apart, which are not really secure, practical or cost effective. Secondly there is the issue of being “Point to Point” only, so for N parties you need N^2 dedicated links.

I could go on but those two fences are high enough that no matter how you flog this dead horse you are not going to get it to complete the course let alone be competitive. Because there are more cost effective systems you can build using HSMs that don’t need those “secure nodes” to give you range or switching and don’t need dedicated single fiber links.

[1] https://file.scirp.org/pdf/16-2.24.pdf

[2] https://www.nature.com/articles/srep05236.pdf

Hugh S. Banks May 13, 2021 5:52 AM

@ David S. Webb

Except that even in this descriptive case, no one uses that definition except either in error or intentionally to obfuscate. I think in this case MW’s editorial board knows this to be the case, and not merely an innocent example of definitions shifting. To give you a more concrete example, the term “assault weapon” has been broadly and unofficially used by the media and also government to define semi-automatics with cosmetic features of true assault rifles. MW could have chosen to define this term. They did not. Instead they chose to redefine a term already in long term use, and furthermore has never been defined in this way by governments , experts, manufacturers or users.

JonKnowsNothing May 13, 2021 5:34 PM

@All,

re: Mind directed writing

Wonderful story about how tech may help disabled persons to communicate using “mindwriting”.

[note: This is not Musk’s Monkey Pong.]

After 200 electrodes were implanted in the participant’s premotor cortex, they mapped neural activity to areas of “imagined letters”. This was then mapped, and activity in those areas was translated into a program that activated letters.

With the implants in the right place, the researchers asked the participant to imagine writing letters on a page and recorded the neural activity as he did so.

[Using a neural] implant, a paralyzed individual managed to type out roughly 90 characters per minute simply by imagining that he was writing those characters out by hand.

The man, known as T5, who is in his 60s and lost practically all movement below his neck after a spinal cord injury in 2007, was able to write 18 words a minute when connected to the system. On individual letters, his “mindwriting” was more than 94% accurate.

These parts should be noted:

  • imagine writing letters on a page
  • 60 yo

In the USA we no longer teach cursive writing, that’s the ability to write script. We only teach block letters primarily using a keyboard (no pen or pencil to hold).

A 60yo would know how to write cursive on paper, where a 20+yo might not know how.

===

ht tps://arstechnica.com/science/2021/05/neural-implant-lets-paralyzed-person-type-by-imagining-writing/

ht tps://www.theguardian.com/science/2021/may/12/paralysed-man-mindwriting-brain-computer-compose-sentences

ht tps://en.wikipedia.org/wiki/Cursive

  • Cursive (also known as script, among other names[a]) is any style of penmanship in which some characters are written joined together in a flowing manner, generally for the purpose of making writing faster, in contrast to block letters. Cursive handwriting is very functional, and is intended to be used in everyday writing.

ht tps://en.wikipedia.org/wiki/Block_letters

  • … the letters are individual glyphs, with no joining. In English-speaking countries, children are often first taught to write in block letters, and later may be taught cursive (joined) writing.
    On official forms, one is often asked to “please print”. This is because cursive handwriting is harder to read, and the glyphs are joined so they do not fit neatly into separate boxes.

ht tps://en.wikipedia.org/wiki/Pen

  • ballpoint, rollerball, fountain pen, felt-tip pen, marker, gel pen, stylus, dip pen (or nib pen), ink brush, quill, reed pen

(url fractured to prevent autorun)

JonKnowsNothing May 14, 2021 12:08 AM

@Clive, @All

re: USA claims 130+ affected by “microwave” weapon

Nothing particularly useful in the report of “we found more” except at the bottom of the article.

Cheryl Rofer, a former chemist at the Los Alamos National Laboratory, has questioned the study’s conclusions, and the claim by victims and some experts that some kind of microwave weapon developed by an adversary is responsible for Havana syndrome.

“The evidence for microwave effects of the type categorized as Havana syndrome is exceedingly weak,” Rofer wrote in Foreign Policy. “No proponent of the idea has outlined how the weapon would actually work. No evidence has been offered that such a weapon has been developed by any nation. Extraordinary claims require extraordinary evidence, and no evidence has been offered to support the existence of this mystery weapon.”

===

ht tps://www.theguardian.com/us-news/2021/may/13/havana-syndrome-brain-injury-130-incidents
(url fractured to prevent autorun)

Clive Robinson May 14, 2021 1:30 AM

@ JonKnowsNothing, ALL,

The so called “Havana Syndrome” is turning into one of those “problems”.

When only very few people were affected they could be written off as “crazy/deluded/hysterical”, but the numbers are growing and medical evidence is mounting.

If it were of “natural origin” normally epidemiological evidence would give up links that could be investigated. Likewise if accidental or of “manmade origin”.

About the only thing we know is that they are people known to work for the US Government, by direct official contact with foreign powers or who had their details “gathered” from the OPM incident or those related to them.

As far as I can ascertain, differential diagnosis points to some kind of “brain insult”; unfortunately, as the US NFL found, brain insults can happen and not be detectable in living humans (only at autopsy) due to the limitations of imaging and other diagnostic systems.

Thus whilst the increasing numbers very much suggest there should be evidence, if there is it has either not been seen, recognised, or acknowledged.

We can make hypotheses, and as long as they are within the bounds of the laws of physics and current technology they could well be valid. But we can not realistically test them, because such experiments would be highly unethical (which is not to say that someone has not done them elsewhere where ethics are not a consideration).

The question is thus “Where do we go from here?”…

Winter May 15, 2021 12:33 PM

@-
“Chad”

Which Chad. This Chad?

hxxps://imdb.com/title/tt10338160/
Score 2.5/10

JonKnowsNothing May 16, 2021 11:39 AM

@Winter @Reality @All

re: [using] megaphones to drown out other voices

RL anecdote tl;dr

There was a time when one could tell the outcome of any engineering meeting or design session by the decibel level of the exchanges.

  The one who shouted loudest won

Often, “being loud” is equated with “assertiveness” or having “knowledge” (aka being “right”).

It isn’t true of course, it was done primarily to get “other views” to back down; to not challenge the alpha in the room.

Perhaps this is no longer common, but the principle remains the same and a lot of engineering meetings ended up needing ear protection.

===

ht tps://www.theguardian.com/uk-news/2021/feb/05/handforth-parish-council-jackie-weaver-internet-star

ht tps://www.theguardian.com/culture/2021/feb/10/dont-cry-for-me-jackie-weaver-lloyd-webber-writes-tribute-to-zoom-legend

ht tps://www.theguardian.com/politics/2021/apr/29/two-handforth-parish-council-members-quit-after-viral-zoom-call
(url fractured to prevent autorun)
