Friday Squid Blogging: Nighttime Squid Fishing Seen from Space

Page 18 of this thesis explains that squid fishing is done at night, and the lighting is so bright shows up in the satellite surveys of planetary lighting. This video shows the phenomenon off the coast line of Argentina.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on April 5, 2013 at 4:08 PM • 32 Comments

Comments

Civil LibertarianApril 5, 2013 5:00 PM

The piece doesn't contain anything that Bruce hasn't already said repeatedly, but Mark Maiffret has an op-ed in The New York Times: Closing the Door on Hackers

The unspoken truth is that for the most part, large software companies are not motivated to make software secure. It’s a question of investment priorities: they care more about staying competitive with their products, and that means developing the latest features and functions that consumers and businesses are looking to buy. Security issues are often treated more as a marketing challenge than an engineering one.

Clive RobinsonApril 5, 2013 5:44 PM

@ Civil Libertarian,

Security issues are often treated more as a marketing challenge than an engineering one.

Which is another way of saying from an economic perspective for these organisations security is an "externalality".

Sadly this is nothing new, it does not matter how many dollars security saves a customer or other party, not one cent will be spent on it by the companies developers as long as senior managment see no profit in it.

It was this sort of thinking that gave rise to cars flipping over at 30MPH when cornering and others exploding in a fireball when rear end shunted etc etc, which gave rise to the "Lemon Laws" that flipped the externalality back into the company.

I know a lack of regulation is a "libertarian dream" but the real life waking nightmare of it is organisations externalising issues which is just one of those steps along the footpath that gives rise to "a race to the bottom".

A race to the bottom almost always destroys a viable market, by taking out profit for the seller and confidence for the buyer and others. Oddly "appropriate regulation" (history has shown us) actually makes the market more profitable and viable for both the seller and buyer as well as other third parties involved such as insurers...

The question then becomes "What is appropriate legislation?" and currently due to various peculiarities of "information markets" this is a very difficult question to answer.

paranoia destroys yaApril 5, 2013 5:50 PM

Is there a way to filter the search results on the site by date? Older stories tend to show up as at the top but may be outdated.

For example, I'm trying to fact check how prevalent or likely hacking via bluetooth is vs the warning a news story is making. If this is something to worry about in small towns or a medium sized city?

Civil LibertarianApril 5, 2013 7:33 PM

@ Clive Robinson

I agree entirely.

I fear that my moniker gave the wrong impression. It is intended to indicate my somewhat left-of-center devotion to bedrock civil liberties and human rights. It does not mean that I am a polite Libertarian. :-)

Clive RobinsonApril 6, 2013 4:41 PM

@ Massimiliano Lincetto,

Yes it's a bit silly of the French authorities, they could just have gone in and re-edited it etc etc which would have made the problem go away with little noise.

Now however their "National Security" actions have been heard outside of their jurisdiction, and the chances are likewise the offending pages have been cached outside their jurissdiction as well.

Which means there is a fair old chance that the information will re-surface again on a non French Wiki somewhere.

It would appear that one of the French Wikipedia Sysops has already re-iinstated the article (but with some changes) so the chances are the changes will highlight the parts the French authorities don't like, making the problem even worse.

I know France has a bad reputation about "due process" etc but the authorities should by now realise there is always going to be blowback when they do things in such a ham fisted manner against what is in effect a global volunteer network (think back to the sinking of the Rainbow Warrior).

BobbyApril 7, 2013 12:30 AM

Anonymous will supposedly attack the state of Israel starting tomorrow. can this be called a war or simply an attack? individuals, against state or rebels against state. cyber guerilla war.

Chris WApril 7, 2013 4:12 AM

@Bobby

No, just a hacker-vs-hacker slugfest, there will be opposing factions not agreeing with Anonymous. Even inside anonymous you'll find enough people disagreeing and not participating.
Using these kind of attacks to protest against Israels foreign/internal (lets not debate that) policies is pointless because there is too much politics involved. Anon should stick with the internet and free cyber-speech.

Still, could be interesting to watch what IZ hacker groups are gonna do. As I said, probably just a slugfest for a few days and then nothing.


Reminds me of 'Hacker', you know, with Acid & Zero duking it out remotely in the broadcast center control systems?

Clive RobinsonApril 7, 2013 5:23 AM

@ Ac2,

Interesting article on the Spamhaus DDOS attack

As one of those with interests involving the London INX all I can say is the effect of the attack was marginal at best, which is good news for users as it shows that packet storms of the deliberate type can be catered for.

But the article does provide an interesting read for those more concerned with Internnet Surveillance as it shows ways of moving traffic to and away from choke points that have been the natural home of the gatherers. That said there is not a lot of published info on Tier1 and Tier2 interconnects so finding where to put your nodes to excercise the desired low risk paths around potential surveillance points is going to be hard won knowledge.

Mind you the whole event does rise a question about resilience... Ask yourself if there are other infrastructures we absolutly rely on (power, water, roads etc) that are anything as close to resiliant or for that matter capable of reparing themselves so quickly...

Clive RobinsonApril 7, 2013 5:54 AM

@ Bobby,

Anonymous will supposedly attack the state of Israel starting tomorrow. can this be called a war or simply an attack?

It rather depends on who you ask.

If you belive the latest viewpoint published by NATO then they will in all probability be commiting an act of war for which a kinettic response is allowed...

However there have been howls of outrage over this interpretation in some quaters.

The real problem is we have still not come to terms with the fact that what appear as the normal laws of our physical world realy don't hold in the way we expect in the information world.

Specificaly "localisation" and cost of "force multipliers" and the consiquence of all out attack at exactly the same time all over the globe, all designed built and deployed by a single individual.

Politico's and the War Hawk types appear to want to do the wrong thing (fight back with guns blazing) rather than the rather more sensible "knock the bugs out", "restructure" and remove "dependance" in our existing systems. Which is oddly part of the comercial response to the STOPhaus attacks which certainly appeared to work well, fairly quietly and with out fuss or the bruharr yould expect of the saber rattlers in tax funded positions...

paranoia destroys yaApril 7, 2013 3:18 PM

Any updates on the FTC robocall challenge?
Up until at least Saturday, March 30, their website was saying the winners would be announced on April 16.
An email dated as April 1 at 5:00 moved it to 11:00 the next morning.
Technology is not perfect, the text from the streamed live video announcement was in ALL CAPS and spellcheck ironically changed the word lawbreakers to lawmakers.

Clive RobinsonApril 7, 2013 5:01 PM

@ paranoia destroys ya,

Any updates on the FTC robocall challenge?

Not unexpectedly it's all gone horibly wrong for Steve Bellovin and Co.

It would appear the two winning solutions are anything but viable solutions for various reasons and actually based on ideas belonging to other people (who have the right to patent etc).

So all the challenge has realy produced is controversy and embarrassment for the FTC.

In the meen time RoboCallers are moving from strength to strength.

The actual solution has been known for many many years I even wrote up a proposal to implement it and manufacture it back in 1992 when I was working in the Telcomms FMCE industry and I believe there are already patents to that effect.

Interestingly those who wrote a popular VoIP system have provided a working solution as well based on the same idea...

The real problem iis the supposed "legal RoboCallers" and here the FTC has obviously bowed to political pressure rather than allow all Robo Callers to be blocked at the recipients discretion.

FigureitoutApril 7, 2013 8:18 PM

@Bruce S. Re: Ocean hunts
--Since apparently, according to schneierFACTS.com, you can draw a perfect circle w/ an Etch-A-Sketch, so you've probably heard of "Bubble-Net Fishing" by sperm whales. Personally, was pretty blown away at the amount of thought that is necessary to carry out that technique; look into it if not, pretty neat.

signalsnatcherApril 7, 2013 10:03 PM

What this isn’t.

Learning remote http://www.jaycar.com.au/productView.asp?ID=LA8992
This has a broadband receiver and a digital recorder. Placed in ‘learn’ mode it records the trinary code signals from a car or garage remote operated nearby (

I first ran into these about ten years ago when a retirement village north of Sydney reported a number of thefts from residents’ garages. The local teenagers were using the learning remote to steal the garage door code and raid the garage.

As these began to be used for car theft, local automobile manufacturers shifted to ‘rolling block’ codes for keyless entry where the same code is never used consecutively.

What this might be

Keyless entry uses either radio signals (308 MHz in Australia – 315 or 433 elsewhere) or infra-red to send a sequence of binary or trinary bits.

It is not too difficult to build a brute-force device. If you let it run in a car park there will always be one or two hits if you let the device run for half an hour or so. Not much profit there, though. Maybe the car stereo, otherwise just small change. And this IS the sort of thing a bright kid could put together.

name.withheld.for.obvious.reasonsApril 8, 2013 6:25 AM

The permanent militarization of the United States federal government-coming
to a local government near you. Irrespective of the fact the United States
constitution, and the framers, never intended to have or maintain a standing
army-it's thought to be the tool of tyrants. It is also the reason for the
selective service draft, the maintenance of a standing army is less sustainable when only calling on citizens to serve and then return to their regular lives. A military career is an anathema to civil democratic societies...and the pentagon could give a crap.

Given just a half an hour, a gap analysis between the authority, and primarily, the authorizing law, and the exercise that is the United States government in action; one can only conclude that all is lost.

DoD has a plan in place, it is the overthrow of the civilian authority and
the realignment of the United States into an military hanta. It may not be
directly recognizable but it will be a real danger in the near future. After
the DoD has pressed the NDI to push the department of Commerce, and the
National Telecommunications and Information Administration (NTIA is probably already designated as a CIN) to deploy FirstNET then the DEXCOM
executive(s) will wield totalitarian level power. So the cyber security EO
doesn't really need a vehicle-it will be across budgets-and DoD has figured
out how to take taxpayers money (the FCC licensing fees). The NDI and the
rest of the cabal believe that the program pays for itself (they forget that
the taxpayer is the wallet of last resort). I am paraphrasing, but in essence this is in their documentation!!!

Their whole SAPCO governance structure is DoD's wet dream of managing
projects government wide-and it gets worse. DoD has compartmentalized the
strategy (thus the pentagon is employing terrorist tactics) that makes it nearly impossible to discern,, but all the glue is there...Look at the DoD's new management directives, the cyber security EO (and substitute companies with local governments). Just ;ook at what the republican party has done with the governors-when they speak I cannot tell them apart...and they tend to be the largest Fed whores.

SJApril 8, 2013 9:02 AM

@Ronnie, @signalsnatcher,

Wasn't there a reference to a different method more than a year ago?

The mechanism was thought to be some sort of jammer that keeps the car electronics from detecting whether or not the keyfob has left the car.

https://www.schneier.com/blog/archives/2010/10/electronic_car.html

The design in the auto-lock appears to be based on detecting whether the keyfob is outside the car after the doors are all closed. The fail-safe mode is to leave the vehicle unlocked if key detection fails on door-close.

Busy BeeApril 8, 2013 2:00 PM

Finnish prosecutors are trying to hold management accountable for covering up a security breach. They are actually seeking prison terms for the CEO of Fujitsu Finland and five other executives.

Clive RobinsonApril 9, 2013 1:58 AM

OFF Topic :

Even in the realms of Blue Sky Thinking this one comes in on the far far end of the "What the.... were they thinking?" scale.

The article subtitled,

Robots confused about what they encounter in the world of humans can now get help online

Describes a web based system called "Rapyuta" that has just gone online in Europe. Apparently,

The online "brain" describes objects robots have met and can also carry out complicated computation on behalf of a robot...

http://www.bbc.co.uk/news/technology-21714191

Rapyuta's creators hope it will make robots cheaper as,

... they wil not need all their processing power on-board.

Mohanarajah Gajamohan, the technical head of the project at the Swiss Federal Institute of Technology in Zurich has been quoted as saying the following,

The system could be particularly useful for drones, self-driving cars or other mobile robots who have to do a lot of number crunching just to get round

OK so what happens when your (less than) friendly drone cann't get through to it's online brain?

Likewise when your self-driving car cann't figure what to do about that Moose that just walked out in front of it?...

Clive RobinsonApril 9, 2013 2:30 AM

@

I fear that my moniker gave the wrong impression.

In this case your fears are groundless. I kind of work on a backwards version of the old rhyme,

Sticks and stones may break my bones but names will never harm me"

I kind of assume a name is no more or less than a label to try and uniquely identify an individual and read no more or less into it than that (as my own name had caused me problems at school due to both a manufacturer of Jam and another of soft drinks).

Sometimes others don't, many years ago whilst I was wearing the green I happened to come across another soldier who was born in late 1962 shortly after the film Dr No was released. His family name was Bond and they decided to give him the first name of James. Having personaly gone through a lot of name calling when I was at school I can only imagine the grief he must have had. Well as adults I'd got away from the "childish" behaviour, but unfortunatly he had not.

You may or may not know that on certain parades such as first muster and pay, when they call out your name rather just replying "Sir" you call out your "last three" as well. The last three being the last three digits of your Army Number (and yes it's true you don"t forget it). Well somebody in the army records dept must have had a slightly warped sense of humour because they gave him an Army Number ending in 007...

Needless to say he had quickly learnt to say "Zero Zero Seven Sir" rather than "Double Oh Seven Sir" but even so some first muster parades did have badly suppressed laughter etc.

Nick PApril 9, 2013 1:18 PM

@ Bruce Schneier

I never saw you post a blog article about this so I'll comment on it for now.

http://www.extremetech.com/mobile/138606-huawei-offers-access-to-source-code

It was an unsurprising turn of events given Microsoft had to do the same thing. Like I told Cryptophone people on this blog, sharing source code actually proves almost nothing about the product's real security to a third party.

1. Source is compiled to binary. This can mess up security properties (deliberately or accidentally) and obscure intentional modifications.

2. Source can be swapped out. You vet the supposed source of the product, then another source is used in actual product.

3. Hardware can have backdoors. It's a hardware company, so that's worth considering. And there are many "legit" features that can be made into backdoors. (e.g. management interfaces)

4. Developers can "accidentally" leave a coding (eg kernel sploit) or configuration error (eg hardcoded passwords) in that defeats security. That developers screw things like that up all the time gives deniability.

5. One day they'll get extra smart and use a covert channel that's not obvious, but leaks keys. Identifying and closing those is the subject of entire PhD theses. I'm sure the code cutters at Huawei did what they could about them. ;)

So, these companies saying they'll give a copy of source code aren't proving anything. It takes an extraordinary amount of extra effort by trusted third parties to ensure the code, binary, configuration and subtle interactions result in a secure system.

(Note: I didn't mention software updates and security "hotfixes" from the conspicuous vendor. Oh, I just did. Oops.)

FigureitoutApril 11, 2013 12:41 AM

@Clive Robinson Re: Bond, James Bond
--Quite the story :)
Having personaly gone through a lot of name calling when I was at school
--Me too, I didn't really care about that though. It's when I would move and have no friends, then making fun of me for stupid reasons like "my American accent" (in Europe), or not watching some stupid t.v. show. Well, some bullies finally hit my limit and I gave a few an uppercut to the stomach and they didn't even fight back. The more I think about it, that may be the source of my extreme anger for people that attack vulnerable or weaker people (ie, those w/ less security); and I don't have much qualms letting them see how it feels.

EdApril 11, 2013 12:19 PM

Nice that the disclosure is ahead of any accountability, not that it will matter or that anything will be done until the next 9/11, 9/12, 9/13...

It appears the attacker does not need to fly to exploit this series of vulnerabilities.

I for one vote for criminal murder one prosecutions if any one dies due to the flawed RFC's starting with the writers of the RFC's all the way up to the FAA and CEO's and tech engineers of the airlines.

RonnieApril 11, 2013 3:02 PM

@SJ
Thanks for finding that mention.

The design in the auto-lock appears to be based on detecting whether the keyfob is outside the car after the doors are all closed. The fail-safe mode is to leave the vehicle unlocked if key detection fails on door-close.

I wonder what happens if you send a lock signal with no keyfob present??
That would be too simple wouldn't it?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.