Friday Squid Blogging: Squid Ink Pasta

Squid ink pasta is not hard to make, and is a really good side for a wide variety of fish recipes.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.


Posted on January 8, 2016 at 4:05 PM • 281 Comments

Comments

CamiloJanuary 8, 2016 5:00 PM

Totally off the main narrative of your security posts, but this one made my day, thanks. Will be cooking some really delicious pasta this weekend. Have a nice one!

Milo M.January 8, 2016 7:03 PM

Classic social engineering:

http://www.bbc.com/news/business-35250678

If a stranger calls and tells you the big kahuna wants you to transfer funds, of course you should blindly obey.

"In the US, the FBI's internet crime centre or IC3 has been tracking 'business email compromise' scams, as it calls them, and reckons about 7,000 companies have been defrauded of more than $740m over the last two years.

The real figure is likely to be much higher though, given how reluctant many companies are to admit being defrauded in this way."

CorbinJanuary 8, 2016 7:36 PM

Schneier on Security coming soon to a "dark" web near you?

ProPublica Launches the Dark Web’s First Major News Site

"The so-called dark web, for all its notoriety as a haven for criminals and drug dealers, is slowly starting to look more and more like a more privacy-preserving mirror of the web as a whole. Now it’s gained one more upstanding member: the non-profit news organization ProPublica."

Milo M.January 8, 2016 7:36 PM

Hazards of recycling passwords:

http://m.cardinals.mlb.com/news/article/161363154/chris-correa-pleads-guilty-to-hacking-astros

"According to charging documents obtained by MLB.com, Correa breached the Astros' system multiple times from March 2013 through June 2014. That included accessing an email account belonging to an Astros employee who had previously worked for the Cardinals and who had turned in his laptop and passwords to Correa upon leaving to join the Astros in December 2011. Correa, using a similar password, later accessed that individual's Astros email account."

Good CitizenJanuary 8, 2016 8:00 PM

https://www.schneier.com/blog/archives/2016/01/replacing_judgm.html#comments
--------------------------------------------------------------------------------
Dear Citizen,

Your current citizen score is at 268 points, please consider taking appropriate measures to increase it above 288 points within the next month, since falling at any value lower than 258 points and or remaining at 268 points or below for a period of more than 4 months, is going to increase your income tax level by 2 points.
Your current status is: low performer, tax category 5.8

In case of there being any questions regarding our policies, please feel free to contact your respective IRS representative at any time.

Yours sincerely
IRS

--------------------------------------------------------------------------------

Dear Job seeker,

Thanks for your profound interest in our company in conjunction with the submitted letter of application.
The vacant position you applied to requires a citizen score of at least 418, preferably above, hence please consider improving your current score of 412.
We would consider ourselves happy to be joined by such a qualified individual, once the score has been reached please feel free to contact us again.

Yours sincerely,
Vice human resource manager, DuPont

--------------------------------------------------------------------------------

Dear felon,

Your citizen score remains at -88 points, as a result your current status remains at: a burden to society.
Please consider taking all appropriate measures to increase it to any value above -60 points within the next month, since falling to -100 points and or remaining at -88 points or below for a period of more than 4 years, is going to change your status to: a waste of resources, which will lead to your immediate extermination and transformation into soylent green to partially reallocate the invested resources.

The detention facility managers are happy to assist you in this fruitful endeavor.

Yours sincerely,
Vice facility staff manager, Joint Detention Center, Camp IV Delta

--------------------------------------------------------------------------------

Dear Citizen,

Congratulations, your current citizen score remained at or above 1000 points for the past two years up to the time this letter has been issued.
Yours current status is: high performer, tax exempt.
To further remain tax exempt, please consider taking appropriate measures for your citizen score to always remain at any value at or above 1000 points.

In case of there being any questions regarding our policies, please feel free to contact your respective IRS representative at any time.

Yours sincerely
IRS

--------------------------------------------------------------------------------

Dear Citizen,

Your current citizen score is at 568 points, you have travelled to two Middle Eastern countries within the past two months for not specified reasons, which leads to the following change of your status:
Former status: medium performer, tax category 6.8
Current status: low performer, tax category 4.0, Addition: potential security risk.
The above addition results in the deduction of 100 points from your citizen score for each consecutive month, starting immediately. To change this trend and stop the deduction, it is necessary for your score to remain at any value of 600 points or above for a period of 2 years since the time of your last departure. To completely delete the addition and regain the right to fly it is necessary to achieve a citizen score of 808 points or above.
As an additional note the IRS is going to contact you about your changed tax category soon.

In case of there being any questions regarding our policies, please feel free to contact your respective DHS representative at any time.

Yours sincerely
Department of Homeland Security

Postscript: If you see something, say something, as useful evidence adds 60 points to you citizen score.

--------------------------------------------------------------------------------

A world powered by >>replaced judgment with Algorithms

VedanterJanuary 8, 2016 8:25 PM

How about David Chaum's PrivaTegrity proposal? Wired had a fascinating article on that.

kompromatJanuary 8, 2016 9:09 PM

Privategrity will go nowhere because it doesn't meet the government's needs: CIA can't blackmail you if they can't control release of adverse information. The point of the backdoor is not to catch criminals, but to coerce them with the threat of exposure. Look at it this way. If pedophile knobgobbler Denny Hastert stays bought, CIA is not going to take the chance that nine sanctimonious foreigners might burn such a useful tool. Look at the lengths the government goes to protect its blackmail capacity. Brennan needs privategrity like he needs a hole in the head.

ThothJanuary 8, 2016 11:40 PM

@Vedanter, kompromat
You did not consider OS and hardware access. The nation states with more than enough resources and time could also do psy-ops to get their agents in. Nine admins is not a whole lot difficult to kidnap/control considering US ICs and Mossad have been conducting their operations on people and states for years and getting away with it. What can a nation do if US or Israel kidnaps a cutizen. US and Israel could simply wave their hands and say they don't have the people but in fact they could have locked their victims in their hidden bases.

"Three Rings for the Elven-kings under the sky,
Seven for the Dwarf-lords in their halls of stone,
Nine for Mortal Men doomed to die,
One for the Dark Lord on his dark throne
In the Land of Mordor where the Shadows lie.
One Ring to rule them all, One Ring to find them,
One Ring to bring them all and in the darkness bind them
In the Land of Mordor where the Shadows lie."

Now I wonder why the number nine is chosen for the amount of admins :) .

Keep Calm and Carry OnJanuary 9, 2016 1:33 AM

@ Corbin:

hXXp://www.propub3r6espa33w.onion/

"ProPublica Launches the Dark Web’s First Major News Site"

A good idea, but it still calls out to clearnet sites.

It does not appear to be 100% self contained. This is not something I would use.

TechnoSkepticalJanuary 9, 2016 6:56 AM

Bruce,

To avoid the dangers of cross-correlation of data you warn about in that podcast, the only way to win generally is not to play. Or majorly screw with each of their surveillance tools where possible as a means of resistance.

The 'Low Hanging Fruit':

1) Tracking of location data / SMS / eavesdropping? Don't use cell phones.
2) Social networking associations / feeds / profiling / manipulation? Don't use social networking.
3) Tracking of search history? Don't use Google, Yahoo etc. Use de-identified search engines e.g. Disconnect and co.
4) Tracking of browsing history? Using Tor in combination with VPNs.
5) Email content and meta-data? Use PGP, no subject headers & fake meta-data with time-syncing manipulation e.g. Whonix.
6) Privacy-invading proprietary software? Use open-source everything, especially operating systems.
7) Use of biometrics? Don't put anything personal into the public domain (although I note they can easily harvest that from occasional email attachments, unless PGP encrypted)

You are right - they won't stop using the tools, but people are not defenseless.

After developers pull their finger out and have most tech tools end-end encrypted by default, with data destroyed 5 mins after emails / messages are sent (and applying this to other digital trails as well) we will be in a much better place.

Further, once we have fully open-source hardware / firmware / CPUs and can avoid the collaborators like Intel, the golden age of surveillance will be well and truly over.

Ultimately, the government is the problem as you note re: secret rulings, courts etc. This is not democracy.

We need 'open-source government' where it is assumed all rulings, courts, discussions, decisions are public domain material, unless truly exceptional cases apply. Basically, the tables need to be turned on the current situation, where everything the totalitarians do is secret, and everything the public does is open to surveillance.

We also need prosecutions of the sociopaths breaching rules/laws with gay abandon and a return to representative democracy (if we ever had it). The elite corporate criminals, banksters and Pentagon simply run things right now and have done for many decades.

Finally, we need a 'personal data law' which stipulates that all data belongs to the USER, unless EXPLICIT consent is given by the user for a third-party to play with it. This law needs to be coupled with regulations that DATA MUST NOT BE KEPT IN PERPETUITY, unless exceptional circumstances apply. There is simply no reason for Google et al. to be keeping stuff forever.

Of course, none of this is necessary if Santa brings us just a few billionaires willing to put their stash into building a new Internet using experts from every major privacy-enhancing project out there (you included, your superior encryption algorithms could form part of the new standard)... but I won't hold my breath. ;-)

PS Does this ruin my future algorithmic-determined credit score? ha ha ha. Who gives a shit.

TechnoSkepticalJanuary 9, 2016 7:07 AM

Sorry, forgot to add:

8) Use cash whenever and where ever possible instead of credit cards, bpay, online purchases and the like. Including for transportation options (avoid electronic cards which are used by every form of Stasi to also track your movements)

Uh oh, credit score just went down another 50 points...

ianfJanuary 9, 2016 7:50 AM


OT: Clive James in one of his “Reports of his death:

[…] the email systems have no brains. On the other hand, they are frantically eager to help. Recently I was recommending the latest Andrew Marr novel to a friend, and I noticed, just before I clicked on the “Send” icon, that the machine had decided I must be talking about Andrew Marvell. The scope for confusion is already limitless.

So is the scope for abuse. I get regular online stink-bomb letters that accuse me of war crimes, racism, climate denial, elitism and sexism all at once. Letters like that must be exhausting to compose, especially when, as so often, the writer is illiterate. An abusive software package could make a fortune.

So here's your NEXT BIG IDEA. Get coding.

another citizenJanuary 9, 2016 9:34 AM

@Good Citizen

Check out Gary Shteyngart's fine (funny and sad) novel "Super Sad True Love Story," wherein everyone's financial and sexual ratings are publicly available, and continually updated, on phones and street displays.

kompromatJanuary 9, 2016 10:48 AM

@thoth,Thoth, v. true. When the UN was set up as a trusted public arbiter, the US just stuffed it with the biggest idiots they could find and cataloged all the skeletons in their closet. They would use the same approach with the nine nodes. CIA bought and blackmailed 535 touchy egomaniacs without breaking a sweat. Nine nodes, that's a joke.

Besides, nine nodes presumes that you can find nine incorruptible people who like to mix it up and do not give a shit. That describes... Alison Macrina, and there are not nine of her. CIA will hunt them down and keep them far from sensitive posts. Or kill them.

The only way out is non-hierarchical networks.

http://disco.ethz.ch/theses/ss05/freenet.pdf

And that paralyzes any kind of backdoor.

DanielJanuary 9, 2016 2:28 PM

@kompromat

Sure, Freenet is a good IDEA. Just like Qubes is a good IDEA. The problem for Freenet is that in order for it to work properly it needs a significant mass of users, something that in more than a decade of development it has never achieved. It has been easy for law enforcement to compromise enough computers so as to out various users over the years.

In the end, there is always a trade-off between security and convenience and the vast majority of users have--by their real world behavior--voted for convenience. If I won the current powerball lottery I'd give $100 million to Ian just for fun, to see what he and Matt could do if they had real funding for a change. But until such a generous benefactor appears on the scene, Freenet is only an quaint toy.

CzernoJanuary 9, 2016 4:29 PM

@Daniel, All - Freenet vs Tor :

Do you think it's a possibility that the reason Freenet is languishing
while Tor (relatively) thrives, is that the NSA/TLAs have free reach
over the latter (again, more or less) while being left in the "dark" by Freenet ?

If such were the case, they might wish to let Tor grow stronger, and even help it secretly, while ostensibly complaining they can't break it...

Does this scenario seem plausible, or more like one more absurd plot theory ?

AnuraJanuary 9, 2016 4:42 PM

@Czerno

I think it's because Tor is designed as a way to route TCP traffic to the existing internet anonymously, whereas Freenet is designed to be an alternative to the existing world wide web itself. It takes a lot less people to make Tor usable than it does to make Freenet usable.

tyrJanuary 9, 2016 6:38 PM


What a brave new world that has such people in it.

http://www.tomdispatch.com/

Alison Macrina is a good choice, Eben Moglen might be
a good second choice all we need is seven more. Clive
might be persuaded to take on the role of Sauron.

Maybe the surveillance is looking at the wrong places
if we really want general security. Instead of individuals
may it work better to surveill institutions and keep a
close eye on their policies and practices. Banks, courts,
schools, police forces things that effect everyone who
are now lacking the excruciating oversight applied to a
social media user.

DanielJanuary 9, 2016 7:42 PM

@Czerno

What Anura says has merit, that certainly is a factor. More broadly, though, it comes back to what I mean when I say that encryption itself has become a honeypot. By this I do not mean the math but rather the implementation. Whether it is Tor, or Freenet, or I2P all these are the functional equivalent of "home brew crypto". The home brew part isn't the math, the home brew part is the implementation. The reality is that Freenet, for example, has been mostly programmed by one person--toad (Matt). Tor has a very small group of core developers. That was OK back in 2005 when the NSA wasn't paying attention. But a decade on the NSA (as well as the CIA, FBI, DIA, etc etc) care a great deal and they have huge multi-billion dollar budgets. With all respect to Roger and his friends, they just can't compete.

You know, Tor right now has a fundraising pitch where if one donates a $100 one gets a tee-shirt that says, "THIS IS WHAT A TOR SUPPORTER LOOKS LIKE." If I had the skills I would Photoshop the image of Roger wearing one of those shirts to "PEDOPHILES TRUST THEIR LIVES TO ME." There is a real way in which Dread Private Roberts, Freedom Hosting, and all the rest are just the collateral damage in the war of Roger Dingledine's brain vs the NSA. Well, Roger and his pals are losing and taking major damage.

So until the asymmetry in resources is solved one doesn't need grand conspiracy theories to understand what is happening. Goliath is beating the shit out of Data. That's the reality.

CorbinJanuary 9, 2016 7:48 PM

@Keep Calm and Carry On

I was looking at it more from a "trend-towards" privacy perspective. To me, more major sites doing this will have positive implications going forward and will generally be a step in a beneficial direction for a variety of reasons beyond anonymity.

I have only a modest comprehension of the various Tor specific attack vectors, so I'll assume your concern with the calls out to clearnet sites is regarding traffic correlation attacks from a capable HSA. If so, I was wondering if you had seen this. Apparently, even if it's 100% self contained, hidden service users face a greater risk of targeted deanonymization than normal Tor users. If you had a some other attack in mind that takes advantage of calls out to the clearnet, I'd be interested in learning more about it if you'd care to explain.

...and I'll go ahead and understand your - "This is not something I would use." - to mean that you would not use it in a case where you felt the necessity to fully maximize your anonymity - because you're using (and posting comments to) this site which is completely on the clearnet. :)

ThothJanuary 9, 2016 7:58 PM

@Vedanter, kompromat, Anura, Czerno, Daniel, Clive Robinson
If you are to look from the bottom-up approach to inspect a network traffic (quote from @Clive Robinson), you have to look at the human and technical aspects.

The first thing to do is to look from the point of view of a prison warden or from the point of view of a network firewall (as though you are going to build a firewall).

We start to investigate network traffic as below:
1.) Packet shapes and sizes (including metadata, protocol flags and protocol ports)
2.) Frequency of data packets
3.) Simulation of natural human behaviours
4.) Point-to-Point vs. Broadcast/Mulitcast

The most tell tale sign of a protocol is it's obvious protocol flags, ports and leaking metadata. In order to remove traces of the use of a protocol, you can move in two directions namely removing flags by using some sort of cryptographic algorithm where parties send probabilistic messages that either decrypts and verifies (HMAC key) correctly or if does not, it gets dropped. If it verifies correctly, you decrypt and attempt to extract the encrypted flags and contents and try to make sense of it in a stateful endpoint environment. The other route is a mimicking or tunneling within legitimate common protocols (HTTPS, Bittorrent...etc...) and then apply the probabilistic crypto method on the tunneled message.

If you are to use your own ports and protocols, someone is going to come along and build some new rules to detect and deny your ports and protocol (especially relevant to open source projects). Thus, if you tunnel through a common protocol (better if it has an external layer of encryption), you can make most filtering engines think you are the "legitimate" protocol. Some might attempt to do some form of deep packet inspection but they would need to decrypt the external layer first.

To increase survivability of a secure messaging in a hostile environment, the common method used in high assurance platforms is to simply send messages at constant time and to send messages in batches at a fix length of message size (including padding the message block before encryption is applied). This in itself is a tell tale sign as well and a signature of a protocol (because the regularity of the packet itself is a protocol behaviour). The better option I think is make message chunks into smaller packets and to send random amount of messages in random chunk batches at random time.

The reason is to mimick how human interacts via web browsers and messaging in general. Most people access web pages at a normally unpredictable timing and most web pages are served at different sizes according to the HTTPS encryption (if it has been used) and the different web pages that has been accessed.

Messages travel between points. A Point-to-Point messaging is rather obvious in terms of metadata and an example is Tor where you send messages to 3 consecutive nodes one after the other. This would enable easier tracking of nodes. If a multicast/broadcast approach is used, you see messages traveling between multiple nodes and it happens much more randomly and harder to track.

HTTPS is a good example of a Point-to-Point messaging although you could turn it into a multicast HTTPS application, it is less common to see HTTPS doing broadcast/multicast than a Bittorrent protocol (although Bittorrent lacks effective encryption) which provides a more natural broadcast/multicast environment as Bittorrent is designed from the core to take messaging (file sharing) in a Peer-to-Peer method over multiple peers where you could more effectively implement multicast/broadcast.

Lastly, hopping and splitting messages across different protocol tunnels would also pose a surprise element and also increase a higher survivability rate as you can't block all ports and all protocols used for tunneling (SFTP, SSH, Gnutella...etc...).

yawnJanuary 9, 2016 9:31 PM

Calamari on Pasta Recipe
http://www.foodnetwork.com/recipes/calamari-on-pasta-recipe.html

Cut squid bodies in half lengthwise and then cut in half widthwise.
If the tentacles are large, cut them in half lengthwise. Set aside.

Heat olive oil in a large saute pan. Add garlic and shallot and
cook over medium-high heat for about 5 minutes. Add tomato sauce,
1/4 cup water and white wine. Cook sauce over high heat for 5
minutes, until it reduces and thickens. Season with salt and
pepper, to taste.

Add all but 1 tablespoon of the parsley to the tomato sauce,
lower heat, and simmer, uncovered, for about 15 minutes.

Meanwhile, bring a large pot of salted water to a boil, then
add linguini or spaghetti and cook until tender (time will
vary according to freshness of pasta, but it should take at
least 7 minutes). Drain well, shaking colander gently to
remove excess moisture.

Add calamari to tomato sauce, and cook for 3 to 5 minutes,
or until just cooked through. Taste for seasoning, and add
more salt and pepper, if desired. Add the drained pasta and
toss well. To serve, garnish with remaining parsley.

Home Cook Recipe: A viewer or guest of the show, who may
not be a professional cook, provided this recipe. The
Food Network Kitchen have not tested this recipe and
therefore cannot make representation as to the results.

Recipe courtesy of Lou Marcelli

L. W. SmileyJanuary 10, 2016 1:01 AM

Is Sean Penn in deep shit? NYT's article: Mexico: Drug Lord Located Thanks to Interview With Sean Penn:

http://www.nytimes.com/aponline/2016/01/10/world/americas/ap-lt-mexico-drug-lord.html

"In the [Rolling Stone] article, Penn describes the elaborate security measures he took ahead of the clandestine meeting. But apparently they were not enough."

...

RockBoxed my iPod Classic 7th gen with 500GB ssd and new battery. Installed PortableApps with amongst other programs foobar2000 with dvda, sacd, hdcd, Monkey's Audio components, and the rest of the audio codecs, thunderbird with enigmail and the PortableApps gpg plugin. I don't know if any of it can be trusted. Will probably install stand alone gpg (integrity verified) to a folder. Oh I've got LibreOffice and LibreCad, Audacity, ffmpeg with fraunhofer codecs compiled with MSYS, some burner program, Evince, pdftk, some file synchronizer, some duplicate file analyser, VLC player, FireFox, Chrome, HashCalc, winMD5sum, pwsafe, bleachbit,...

ianfJanuary 10, 2016 3:49 AM


Some articles from The Guardian that deserve ATTN!

I read all the small print on the internet and it made me want to die

    Alex Hern decided not to do anything for a week – unless he’d read all the terms and conditions first. Seven days and 146,000 words later, what did he learn?

Facebook accused of deliberately breaking some of its Android apps

    Social network ran experiment to see how long users would wait before giving up and going elsewhere, but people ‘never stopped coming back’

A very fine bromance: when ‘Bud’ Bill Clinton and his mate Tony Blair ran the world

    Transcripts of Bill Clinton and Tony Blair’s small talk reveal them as shrinks, negotiators and a couple of flirts.

The man who exposed the lie of the war on drugs

    Roberto Saviano already lives under armed guard after writing about the Neapolitan mafia. Now he is determined to uncover capitalism’s complicity with the narco-lords of South America

Asking Silicon Valley to 'disrupt' terrorists is tech talk for 'surveillance'

    […] disturbed about the lengths the government is going to pressure tech companies. There are so many shady things going on with this meeting it’s hard to know where to start. First, tech companies were reportedly lured into the meeting with the promise that it was going to be about how to prevent Isis from using social media to amplify its message (we’ll get to that later on), but then US officials pulled a “bait and switch” on the tech companies and cornered them into discussing encryption as well. FBI director Jim Comey’s “participation in the meeting was on the condition of encryption being on the agenda.” […]

ThothJanuary 10, 2016 4:26 AM

@L.W.Smiley
It is known that nation states uses military techniques and resources to track wanted civilians that includes bugging and backdooring computers. Open source does not equals safe. Even if you can inspect the C codes, the machine can be subverted to ensure he C codes don't execute as expected. Always use paper, pencil fire as your best friend. When going to a highly sensitive meeting, do not bring a cellphone or any electronic devices. Even voice recording devices can log locations. Instead of going to a place of meeting directly, lurking and erasing traces as much as possible by blending into the environment is very useful. Apparently not enough security thoughts when into that meeting.

CuriousJanuary 10, 2016 6:00 AM

An amusing comment in the comment field at TechDirt was made re. David Chaum's & PrivaTegrity's idea for a backdoor, in which "Nine Server Administrators" sort of sounds like "NSA". :)

ianfJanuary 10, 2016 6:41 AM


    [ ADMINISTRIVIA: Tried to post it but it was BLOCKED for reasons unknown… unfortunately, by the time the Moderator gets around to unblock it, it will probably become outdated, therefore am posting it anew. Apologies for any later doubles. ]

For Ed Snowden-watchers:

UNTIL MIDNIGHT GMT+1 OF TODAY, 10th january, your last chance for watching the short online interview with a waïfy "true-life Lisbeth Salander" TOR hacker/ developer Runa Sandvik recall how Ed once tried to promote the use of TOR among his Hawaii spook colleagues by gifting them the official TOR laptop stickers ;-))

FOR THE STATISTICALLY-MINDED: since I posted the link on 12 Dec last year, it has been invoked 77 times (goo•gl doesn't lie); of which:

22 from France +
20 from USA +
  6 each from Canada and Britain (=12) +
  4 from Germany +
  2 from The Netherlands +
  2 from Malaysia +
  1 each from Italy and India (=2)

= 64 unique accesses (of 77 total captured; 73 from this, and 4 from another blog where I posted it last week).

Some factoids: that means that the (77-64=) 13 additional "clicks" came from terminals that hid their geographical origin even from the merely collating goo•gl. Given American infestation of the Internet, we can assume that the lion part of these came from the USA. The unexpectedly high number of French readers can only be explained by someone here reposting the link to some vibrant mailing list that is popular with the French.

There are two other inexplicable "anomalies" that formerly could be seen in goo•gl's own analytical link-tracker:

– fairly early on, there was a "BB10" symbol among platforms… never seen it before, wonder what it might be; now presumably folded under Other

– for a time, the map signaled 1 click each from Norway, South Africa, and Sweden. I believe fellow commenter here Curious posts from Norway, so one of these could have been her/his. But then all 3 suddenly disappeared… I presume they are still counted in among the Unaccounted 13, but "somehow" ended up stripped off from the graphic (perhaps the backbone script doing that wasn't able to distinguish between original clicks in given geo fences, and such intended to be wholly invisible… your guess as to who/why is as good as mine.)

Clive RobinsonJanuary 10, 2016 7:30 AM

@ Curious,

With regards David Chaum's proposal, jokes asside, and the obvious issue that "the nine" would become vulnerable to all sorts of attack, the protocol appears to be susceptible to side channel / meta data attacks.

So my advice with regards it is currently "get yourself a very very long spoon, or not accept the diner date in Hades".

The important thing is no mater what backdoor you put in for Law Enforcment there are going to be non crypto ways around it. In the case of David Chaum's system it only takes a tiny change in the law and refusal by one of the nine would mean "a big chunk of time in prison" if they are lucky, considerably worse if they are not.

ter all the US Gov amongst others has shown no reluctance to either torture or have tortured people for no justifiable reason as well as detaining innocent people with out charge, as they have become a political embarrassment, then there is of course the arguments about standing that judges go along with for a quiet life...

As Bruce has noted Backdoors are a bad idea, I'd add that they are not just a bad idea but a very bad and very dangerous idea, from which no good will come.

JG4January 10, 2016 7:44 AM


As usual, love the discourse and banter. I would have posted the El Chapo/Sean Penn story if Smiley weren't quicker than me. I think that I picked it up at NakedCapitalism, as well as this one. One of my comments may have been censored last week. Can't recall if I've seen any formal guidelines, but it wouldn't be a bad idea to have a reference frame.

This looks interesting enough to post. I was slow to realize that the US military-industrial complex was started by George Washington. You can find the literature citation at Popehat. It wasn't the M-I complex itself that Eisenhower warned about, it was "unwarranted influence, sought or unsought." National security is a worthy goal and one that the US is not actually pursuing with vigor. The worthy goal has been perverted to privatized gains and socialized losses. The root causes are documented reasonably well in the book and movie, The Pentagon Wars.

This is an interesting read and interesting history. The quest for resilience in the event of nuclear war left an imprint on the infrastructure.

http://www.nextgov.com/big-data/2016/01/70-percent-global-internet-traffic-goes-through-northern-virginia/124976/
...
Before I knew northern Virginia as the heart of the Internet, I knew it as spook country—that is, home to a constellation of intelligence agencies and defense contractors. While I didn’t plan my itinerary around the military-industrial complex, its many outposts remained in the back of my mind and frequently on the horizon—and, at least once during the drive, I just stumbled upon them. After missing an exit in McLean, I made a U-turn in a generically designed but improbably well-guarded office-park entrance that I later found out was the headquarters of the Office of the Directorate for National Intelligence.
The fact that northern Virginia is home to major intelligence operations and to major nodes of network infrastructure isn’t exactly a sign of government conspiracy so much as a confluence of histories (best documented by Paul Ceruzzi in his criminally under-read history Internet Alley: High Technology In Tysons Corner, 1945-2005). To explain why a region surrounded mostly by farmland and a scattering of American Civil War monuments is a central point of Internet infrastructure, we have to go back to where a lot of significant moments in Internet history take place: the Cold War.

G0January 10, 2016 9:19 AM

Thank you Smiley, for that sublime quote. Penn's techno-babble is just so heart-rendingly poignant. Let's hope Grauman's Chinese Theatre gets a cement impression of the surprised look on his severed head.

veritasJanuary 10, 2016 9:56 AM

@Blindem
Can we now please drop this ridiculous pretense that somebody at Juniper accidentally put in this great backdoor for NSA but NSA didn't ever use it, instead somebody else did, cuz, you know, Oops?

Juniper Networks makes me think of Bill Cosby. Anyway they are now telling an another kind of story for the public.

All in an attempt to minimize the damage to their bottom line:

http://boingboing.net/2016/01/10/juniper-blinks-firewall-will.html

In the month since network security giant Juniper Networks was forced to admit that its products had NSA-linked backdoors, the company's tried a lot of different strategies: minimizing assurances, apologies, firmware updates -- everything, that is, except for removing th Dual_EC random number generator that is widely understood to have been compromised by the NSA.

Now, having exhausted all other potential strategies, Juniper has announced that it will retire Dual_EC

K15January 10, 2016 12:11 PM

Is EFF our #1 anti-dystopia org? Where is the discussion about what sorts of changes the advent of ultra-cheap satellites will wreak?

Little MouseJanuary 10, 2016 2:08 PM

Re: "NSA-linked backdoors"

Anyone who looks under the hood of today's hardware and software understands there is a lot of shady stuff going on, but you can't quite put your finger on it, so you don't mention it. I'm convinced a great deal of hardware and software has been co-opted by our Stasi-nazi like military and police organizations. Lately, SSL is looking more like Swiss cheese, in particular the ebb and flow of certificates. And, let's not even mention the OS elephant in the living room. Last but not least, why are those AV's and firewalls ALWAYS phoning home.....?

One of their problems is some of their MASS SURVEILLANCE stuff would be so shocking if the word got out, they keep it secret even from their litter mates, thus minimizing the possibility of acting on something good when it appears.

Clearly, our elected representatives in Washington have abandoned the common man and the Constitution in order to seek out the highest bribe and kookiest right wing sound bite.

It's clear to me the USA and many countries of the former liberal west are going headfirst towards an extreme right wing totalitarian dictatorship. The latest free ride the so called Oregon militia, who in other times would be labelled domestic terrorists, is clear proof. The USA isn't the only country looking for their Hitler look alike.

In the end it appears the promise of an internet taking us to a new level of freedom, liberty and prosperity instead is taking us straight to hell. Literally.

About the only thing we have going for us is they want SO MUCH they can't possibly digest it all. Everyday must look like the End of the World EOW for the thousands of collaborators fly specking our electronics.

Nick PJanuary 10, 2016 2:24 PM

@ Clive Robinson

re jeffries

That was funny stuff. The tagged filesystem is only one I'm unsure of. It seems superior and all. Yet, one of main reasons we've been using hierarchical filesystems is that they work predictably and efficiently. Rather straight-forward to code, too. He's talking security and integrating with 3rd parties plus some privileged, tagging store? That has unknown risk written all over it.

Should be able to implement his idea in the interim as a user-level application on top of a hierarchical filesystem. That's already done for most app that use tags with user content. Let's us re-use secure filesystem and networking designs. Then, can gradually integrate that stuff into it.

re formal methods

HN exploded on a C thread with 400 something comments lol. One tangent was on formal methods where I tried to add stuff on practical side. One guy got smart and tried to pull a Clive bringing physics into play. He slipped when he said nobody mathematically models the physics of stuff when verifyign systems. I shut him up with: "EAL7 data diodes with octocouplers and EMSEC do. Oh, snap, you didnt see that coming! :)." Haha, these kids...

re old things being new

Someone said it would be great if a language could have properties like Go and Rust-like safety (esp concurrency). I replied:

"Go is of Pascal tradition of simple, efficient programming languages. Rust has memory and concurrency safety. So GoRust would be...

Concurrent Pascal (1975) by Brinch Hansen http://brinch-hansen.net/papers/

...Concurrent Pascal used in Solo OS. It supported human review via readable syntax, type safety, safe ops on memory, and a concurrency system that caught race conditions at compile time. The runtime underlying the OS was about 4K with the OS itself concise enough to put in one PDF in source form. So, Hansen for the [1975] win in the GoRust competition?"

re new things

Meanwhile, I tried to read Rust's guide on its Ownership, Borrowing, and Lifetimes concepts with a massive headache resulting. I think I identified why it's hard for many programmers, though, as Rust design appears to reuse some old concepts in 100% counter-intuitive ways. I emailed an experience report to them and plan to work on that to see if there's an easier way to get it across. Then, I might try coding some stuff in it. :)

Clive RobinsonJanuary 10, 2016 2:31 PM

@ Nick P, Wael,

Beware the ides of Trumpeting.

Not as widely known as it should be, Japan has a housing problem, their population is aging but their birth rate is incredibly low. Appart from issues with how pensions medicare etc are to be funded there is the problem of "Vacant Property" that has little or no worth, as there are not the people to live in them.

At first sight this is a "Japan Only Problem" but it's not. It infact effects most Western Countries including the US.

Put simply the average birth rate in those who have lived in the West for more than four generations has diped to or below the expected death rate at birth. Thus it is only those who are living beyond their life expectancy at birth that are holding those populations at close to unity. The problem being that in effect their "economicaly productive life" is now at best one third of their total life expectancy.

Thus for Western Countries the only cause for population stability or expansion is "immigration". Thus Japan's issues with property will quickly become the Wests problem with property. Then of course there is the cost of medicare and pensions to resolve, some say that if there is no jobs/immigration to pay for it there will be significant issues within a decade...

Thus Trumpeting on about keeping imigrants out is in effect "slow suicide" for Western Nations.

Any way an article on Japan's housing with appropriate info relating to the US,


http://www.citylab.com/housing/2015/12/what-the-us-needs-to-know-about-japans-vacant-property-crisis/422349/

meJanuary 10, 2016 3:17 PM

@ Nick P

> HN exploded ...

I don't know why you waste your time over there. It is infested with JTRIG types and anything of concern to us is flagged out-of-existence, buried and left for dead.

@ All

https://cseweb.ucsd.edu/~hovav/dist/rwc16.pdf

The above RWC16 slides show conclusively that Juniper backdoored their firewall product in 2008. Why are they still in business?

FigureitoutJanuary 10, 2016 4:10 PM

ALL
--Hi, just uploaded version 1.0 of my project, "nRF_Detekt" to github. If you have a couple arduino's and nRF24L01+'s handy and a sensor (preferably w/ a relay (connect Normally Open (NO) to digital pin 7, and Common to GND for the state change to work, you may have to invert the logic too (change HIGH to LOW etc.)), check it out. It's a pretty fun project to hack on.

I haven't configured it yet completely, I'm debating whether to really remove the "autoack" features and stuff like that. There's like 10-15 config things to change. Definitely going to change the channel for instance.

Uses XTEA encryption for now, encrypts a microsecond sample and a "random" sample using timer jitter, so the encrypted output is pretty much not going to be the same (I think..). You have to supply the encryption function with 8 bytes, so I just am doing 2 unsigned longs (4 bytes each). I really wanted to encrypt a struct completely, but couldn't get that to work. It's going to be a little trickier than I thought to send out an IV separately, for instance. I'll probably contact RF24 library author for hints.

Writes to internal EEPROM. You need to use EEPROM example sketches to read it out, and to clear it; I may integrate some of that code into it for easier/quicker reading.

Any constructive feedback or even better new features to add appreciated! I'll link pictures and pinouts to github page to make it easier to setup eventually. I also want more encryption supported and some kind of spread spectrum implementation.

https://github.com/Int-Mosfet/nRF_Detekt

Clive RobinsonJanuary 10, 2016 5:52 PM

@ Me,

It is infested with JTRIG types and anything of concern to us is flagged out-of-existence, buried and left for dead.

The UK GCHQ Joint Threat Research Intelligence Group (JTRIG) has existed for a long time, they were certainly knocking about back in the early 1980's "doing Maggie Thatcher's biding" as were some other organisations (hunt out the history of the Miners Strike and some of the farcical things that went on).

It has been said that JTRIG were successful at manipulating the US Gov over the Falklands war (it's no secret that the US promised the Argentineans the Falklands in return for turning a blind eye to what the US were upto in Chile and back and forth across the border).

The problem for the US was that Maggie was in favour of what was going on in Chile rather than Argentina, and rather disdainful of what the US were upto. It was for some time testing "The Special Relationship" to almost breaking point (again it is no secret Maggie Thatcher despised some of the US political machinations which is why she got rid of the War Debt that the US had used as a blackmail weapon against UK technical and scientific interests).

Various historians say it was Maggie's "Charm Offensive with Ronnie" that won over America, however I doubt that, that alone would have succeeded. So there may be some truth to the JTRIG Falklands War stories (but as always take with a "Lotts Wife" sized grain of salt).

The thing is ever since Sefton Delmer[1] put his foot in it and moved over to do "Black Propaganda" in WWII there have been various groups doing this sort of thing. They obviously, as such groups do, make outrageous claims about their supposed successes, but you don't hear about their failures etc, nor do you get to see how they calculate the magnitude of their supposed successes.

Which is why I suspect that if audited correctly they would prove to be an expensive but ineffectual organisation.

As for where they appear, I would not assume that this site is unvisited by them or their counterparts, in fact I actually think it's quite likely they do.

The art of Black Propaganda is to "tell the truth" but from a particular perspective, then put a further slant on it with unverifiable opinion etc. So you might have a comment consisting of verifiable facts that are both easy and hard to verify and an opinion that is neither supportable by the surounding facts or verifiable in it's assertions.

If you look at some of the comments people make on various threads you can see this behaviour, sometimes well sometimes not. Which leaves the question of if it is organised or just individual agenders, and further if organised if it is State or party political, NGO, Commercial, etc. Some of it is so. obvious that it gets called out by other posters and even this sites owner and moderator.

[1] https://en.m.wikipedia.org/wiki/Sefton_Delmer

Nick PJanuary 10, 2016 5:55 PM

@ me

Actually, it's this blog that's been overrun by spam and nutball comments recently with liw signal in the noise. Most of that gets moderated out on HN. Might be why I see some old regulars from here posting. Rest range from dsvelopers to security folks to ASIC people to founders. Far as downvotes, my comments piss a lot of people off but get more upvotes than downvotes.

So your analysis is pretty backwards if you even did an analysis of comment quality on key topics.

Dirk PraetJanuary 10, 2016 6:50 PM

@ Figureitout

Absolutely awesome that you're starting to put things out. Keep up the good work, and have fun doing so!

ianfJanuary 10, 2016 10:28 PM


ADMINISTRIVIA @ Moderator

17 hours ago, I attempted to post a followup notice to an earlier postingFor Snowden-watchers” signaling last chance to watch a video in the next 12 hours, but had it blocked on first and subsequent attempts with this message:

Comment Blocked

Your comment was blocked from appearing on the site. This may have happened for one of the following reasons:

  • You posted without typing anything in the name field, or you simply typed "Anonymous." Please choose a name or handle to use on the blog and try again. Conversations among several people all called "Anonymous" get too confusing.
Inapplicable in this my case.

  • Your comment was a duplicate of another recent comment. If you double-posted accidentally, you don't need to do anything more -- the first copy of the comment will still be published.
Ditto.

  • You posted using the name of an administrative account, but the blog couldn't authenticate you. If you are an administrator, please log in and try again; otherwise, please choose a different name.
Inapplicable unless you've added an administrator with the handle 'ianf'

If none of these reasons apply, then your message was spam filtered and will be held for review by a human. We apologize for the inconvenience.
This review by a human done when exactly? My post contained 3 links, but no obvious (to me) keywords associated with spam. The last-chance reminder has expired 5 hours ago.


I'm baffled by what had happened. Please look into it now.

65535January 10, 2016 10:36 PM

@ L. W. Smiley

Emptywheel is leery of the Sean Penn story for a variety of reasons including Penn’s family having ties to the DEA.

Penn:

“I tell him, up front, that I had a family member who worked with the Drug Enforcement Agency…”

Emptywheel:

“Update: There’s something else stupid about assuming Rolling Stone let Chapo approve this.”

“He’s in prison! So either, they had the article ready to go, but held it until such a time he got caught (as if they knew he was about to be caught).” –emptywheel

Emptywheel hints that one Penn’s entourage had a cell phone that could be easily tracked giving the geo-location of Espinoza. There are other theories, such as during Espinoza back surgery where he was somehow bugged.

https://www.emptywheel.net/2016/01/10/sean-penn-intelligence-dangle/

See:

http://www.rollingstone.com/culture/features/el-chapo-speaks-20160109

and see NYT –pay walled:

http://www.nytimes.com/2016/01/10/world/americas/el-chapo-mexican-drug-lord-interview-with-sean-penn.html?_r=0


@ TechnoSkeptical

I agree with your numbered points.

The current http/https system has been compromised from the phone company, to trunk lines, to the Juniper routers, to individual endpoint devices [4G cellphones, iPads, servers, CDNs, Amazon/Azure to Windows 10].

Everybody with valuable information is at risk. Generally, there are no good solutions except some very good opsec, a mixture of, pgp, Tor, and owing your own servers –in your possession.

I believe there will have to be a show-down between the Supreme Court and the office of the President. Currently, the President has far too much power using Executive orders and hidden opinions. That must stop.

I say the IC community/President plays by the US Constitution or declares Martial Law.

BuckJanuary 10, 2016 10:59 PM

@ianf

Could you try to post it again now? Possibly there was just some temporary technical glitch involved, but your submissions seem to be getting through at the moment...

From my own personal experiences, the message you received does indeed happen when leaving the Name (required) field empty. (I, myself accidentally put my name in the E-mail Address input instead on at least one occasion... Oops! ;-)

On the other hand - when filtered due to spam-like-suspicion, my posts were immediately visible as usual, only to be removed a short time later (of course our gracious moderator was able to fix this in a reasonable enough timescale - although my message was not at all time-sensitive, and obviously your mileage may vary).

Seems you may have gotten your desired message across already well enough though. Unless nobody can see your ADMINISTRIVIA but me... (How would I know?)

WaelJanuary 10, 2016 11:21 PM

@ianf, @Buck,

I concur. Forgetting my name gave me similar errors.

although my message was not at all time-sensitive

Speak for yourself, chief. It almost killed me.

How would I know?

Umm, you're a psychic!

@ianf,

The "ADMINISTRIVIA" directive can confuse the best of filters. Too many caps can clog filters, see. If you reduce the caps it may clear up the pipes. Just sayin'

FigureitoutJanuary 10, 2016 11:32 PM

Dirk Praet
--Thanks much mate. Eagerly waiting anyone else's projects they're working on. I hope it can be used in criminal investigations for evidence gathering of break-ins. Going to make it as best as I can, then move on to a problem to some other things, one being filtering out malware from file transfer.

BuckJanuary 11, 2016 12:02 AM

@Wael

Ahh yes, I remember that well... In that instance, it was entirely due to my own lacksadaisical approach that apparently led you to nearly holding your breath for far too long! Which is always a possibility that should not be mistaken for unwarranted third-party censorship that could be misinterpreted as the same (unless of course, it is the same, and therefore 'I' am no longer 'me' ;-)

Which again reminds me of one of our other missing friends mentioned recently... I hope all is well in his/her neck of the woods!

ianfJanuary 11, 2016 12:09 AM


@ Buck

I am waiting to hear from the moderator… the link to the video in the post has expired, but there is still a statistical access breakdown segment there that might be of general interest. No point in attempting to repost & have it blocked anew (tried it 3-4 times yesterday, changing the content each time, but the robot would not be outwitted).


@ Wael… applicable here as well.

BuckJanuary 11, 2016 12:16 AM

Umm, you're a psychic!
Maybe I just have an atypical set of sensory perceptions and processing apparatus..? Funny related story though - I recently had a dream of certain online personas changing aliases after going through multiple possible permutations. Then a day or two later, it seemed to have come true! Probably just some form of confirmation bias, I assume - that sort of thing isn't really possible, is it!?

Nick PJanuary 11, 2016 12:21 AM

@ Wael

"I kind of fit the profile"

Profile is ambiguous there. You're seen with good-looking, adventurous women? You spit on foes wearing a huge grin like a camel? Or you're a harmless Muslim just passing through?

"But if I keep silent, Mr. Trump will have me wear a badge (read bullseye in open season) 24/7"

Oh, OK. That profile. Yeah, you people gotta call them out.

"A plane crash (non terrorist) with one hundred people dead will get more news coverage than several car accidents within the same day that cause a thousand dead."

Probably true. That's why I bring up white and black shootings, esp in large numbers. ;)

"Good advice to heed otherwise we may end up like our friend @name.withheld.for.obvious.reasons and catch a bad strain of Sniper's Measles 🔫"

Haha. Yeah, I watch out for that but my present situation might be worse. We'll see.

"The subject of books came up. How are you doing with your electronics book? 😎"

I've propped my laptop and other items up on top of it numerous times. It's been handy. Far as reading it, I told you I probably wouldn't even use it: just needed a reference to hand to others or (rare option) use myself. That's what I've used it for. I keep thinking I might be able to subset the knowledge in it for use in verification or cookbook-style development without really learning it. Maaaybbe... Concept came to my mind when it said ASIC's usually only use three components: transistors, diodes, and resistors. Seems like one could use optimization algorithms to evolve or stich together components out of those if the math were encoded in a scoring function. I know analog synthesis does stuff like that. My intuition says the damned DRC's and their implications would do me in even if half-assing analog didn't. Bahh!

Anyway, keeping my eyes open, I think I found something interesting. I previously posted Nangate's tech that claimed it was somewhere between standard cell and custom. I didn't really understand why, though, since it's just cell libraries. Recently, working Google-fu for new avenues, my brain eventually came up with idea of "transistor-level optimization" that turned out to be a thing that already exists. This paper seems to be basically what Nangate describes (if I'm right) and helps me understand it. They automatically create variants of cell libraries that are more suited to a given I.P. block, improving overall attributes. Have no clue how Nangate does it at 45nm or below but I bet moderately-skilled academics could duplicate this at 350nm-180nm w/ even OSS tools. Breathe new life into those nodes which already still have significant business. What you think?

Note: As I re-skim the paper, I see they did it in 350nm. Ok, that answers one part of my prediction in affirmative. Only 180nm is an open question & that's where much, inexpensive action is these days. Even new-ish fabs targeting that with updated materials.

Note 2: I have one from 2014 that IBM's currently using that might be better. Been working too much to have read it as it's one person's thesis or whatever. Pretty big. It does cover lots of interesting background info from my glance at it. Will post if anyone wants it.

WaelJanuary 11, 2016 1:11 AM

@Buck,

Maybe I just have an atypical set of sensory perceptions and processing apparatus..?

You come across that way.

I assume - that sort of thing isn't really possible, is it!?

Maybe it is. That's the Paranormal or Paraphysics, which science cannot explain[*]. I flapped my lips too much today about similar topics. I'll tell you a story another time[**].

[*] Which is evident from the prefix that means "beyond".
All those who believe in psychokinesis, raise my hand. -- Steven Wright

[**] More surreal than this one

CuriousJanuary 11, 2016 3:37 AM

"New Discovery Around Juniper Backdoor Raises More Questions About the Company"
http://www.wired.com/2016/01/new-discovery-around-juniper-backdoor-raises-more-questions-about-the-company/

I wish someone could explain to me why a 32bit nonce is so much more insecure than a 20bit nonce. They are pointing out that this 32bit nonce length was deemed optimal by NSA some years back.

"But a researcher discovered last month that Juniper made a grave error in how it implemented this. Willem Pinckaers, an independent security researcher in California, found a bug in Juniper’s software that actually caused it to ignore the ANSI algorithm altogether and only use that initial raw output from Dual_EC. Researchers have called it a “catastrophic failure” for Juniper and big win for the attackers who inserted the backdoor in Juniper’s software. It was this failure on Juniper’s part that allowed the attackers’ backdoor to work."

Gerard van VoorenJanuary 11, 2016 4:21 AM

@ Curious,

I wish someone could explain to me why a 32bit nonce is so much more insecure than a 20bit nonce. They are pointing out that this 32bit nonce length was deemed optimal by NSA some years back.

The nonce is 32 byte (= 256 bit), not 32 bit. A nonce is a key in a certain crypto protocol. It is quite possible that increasing key size to match it with the block size makes a particular encryption weaker.

Btw, off topic, the surname Pinckaers is quite funny in Dutch.

ModeratorJanuary 11, 2016 9:10 AM

@ianf: Your post is now published; it had been blocked by an anti-spam filter, now modified so as not to thwart you.

Please understand that the moderator tends to rest on Sundays. A problem that arises late Saturday may not attract human attention until Monday morning, EST.

meJanuary 11, 2016 9:45 AM

@ Curious

> I wish someone could explain ..

Juniper stuffed the nonce with the internal state of the RNG. Plus the next two numbers, for good measure. 20 to 32 increases the likelihood of Jail Time (TM) for someone. Oh, wake me up, I must be dreaming.

@ Nick P

I re-read what I said and stand by it. Aside from "shaping" any story that actually has some traction, there is a push to prevent incredibly newsworthy stories from receiving *any* comments at all. I've seen it time and time again -- totally predictable.

Nick PJanuary 11, 2016 10:37 AM

@ me

I understand. You all on the Russian version must be having trouble getting comments through on important, political topics. Whereas the rest of us are seeing 80-400 comments on heated topics in business, security, or politics on a small user-base where 1-3 comments isn't unusual for front page. On U.S. Hacker News, it's probably just lack of interest with moderation against off-topic or flame war stuff.

I know the situation might be different for you people over there, though. So, I only speak for U.S. version I've been using daily for months.

meJanuary 11, 2016 10:56 AM

@ Nick P

My sides are splitting! Very funny.

Are you also part of the team hiding the Wizard behind the curtain?

Nick PJanuary 11, 2016 11:26 AM

@ me

"Are you also part of the team hiding the Wizard behind the curtain?"

Nah, I was the bounty hunter trying to recover a family heirloom. Turns out, some psychotic bitch from Kansas dropped a house on a woman then stole her shoes. Some really hood shit. Forensic details here.

Anyway, I took the job for the family. They've been passing those slippers down for generations. Lots of grief loosing two things that matter in one week. Funny you mention the Wizard as he's already on the run from the police after his con was exposed. I'm trying to catch up to that scumbag before the cops do. If you see him, feel free to drop a GPG to my office. I'll split the bounty with you 95/5% if it leads to the slippers.

Clive RobinsonJanuary 11, 2016 11:39 AM

@ Curious,

I wish someone could explain to me why a 32bit nonce is so much more insecure than a 20bit nonce.

As the article says it's bytes and it's output from the Dual EC DRNG. Unfortunatly it in effect gets "passed through" to the network thus giving the attacker (NSA or whoever) an extra 12bytes or 96bits of the EC RNG output. As a very very crude aproximation the attack time halves with every bit so you reduce the work factor to crack the EC RNG from infeasable in any realistic time frame to doable in a few seconds.

I hope that helps.

meJanuary 11, 2016 11:46 AM

@ Nick P

> If you see him, feel free to drop a GPG to my office.

GPG? I'm too busy suffering these harsh Siberian winters! Then again, I could be pushing Juniper or Cavium to my non-existent clients. Add Broadcom to that list, if you please.

ianf—now with a dedicated anti-spam filterJanuary 11, 2016 12:09 PM


@ Moderator – what was it in my post that triggered the spam warning… was it my creative use of the bullet to prevent "goo•gl" from becoming a link?

    In hindsight, I should have used the ‍ insert method, i.e. the Unicode zero width joiner character that seems to prevent full or partial URL strings from becoming executable hyperlinks. Like this "http://goo‍.gl/" (with a visually suppressed ‍ in the middle).
PS. I am EXTREMELY envious of the yellow background in your pronunciations from the Ziggurat. In case you ever remake this blog, and offer unique distinct bg colors to selected posters, can I now prettyplease reserve the background signal hue
 
#ffccff
rgb(255, 204, 255)
hsl(300, 100%, 90%)
hsv(300, 20%, 100%)
exclusively for my own posts? Thanks much in advance.


@ Buck, Wael (Cc: Curious)

My Sunday Snowden-update post became unblocked 27 hours later, and reappeared in this thread in its original chronological order… 70 posts later, hence fairly deep in the 100 last comments thread, soon to fall out entirely. See it there: January 10, 2016 6:41 AM, only remember that the video link has by now gone stale (force majeure).

CallMeLateForSupperJanuary 11, 2016 12:16 PM

Even before I had finished reading the title of the linked article, a line from National Lampoon's "Deteriorata"[1] (1970's!) began playing in my mind's ear:
"Take heart in the bedeepening gloom
That your dog is finally getting enough cheese."[2]

ArsTechnica article:
"Finally, over-the-air software updates for your car are becoming a reality"

The decision to equip even the lowly family bus with essentially drive-by-wire technology is well underway across the indistry, with no prior debate. Done deal; move along; get over it. For our next act, we're delighted to announce that your secret dream of over-the-air firmware updates will soon be a reality. We use only the finest quality protocols and state-of-the-art encryption.
http://arstechnica.com/cars/2016/01/finally-over-the-air-software-updates-for-your-car-are-becoming-a-reality/

I have a really bad feeling about this; there are so many ways to get it wrong.


[1] "Deteriorata"
text: http://dmdb.org/lyrics/deteriorata.html
YouTube: https://www.youtube.com/watch?v=gFLvhKv-Lbo

[2] Likely inspired by a TV commercial of that time hawking cheesy-flavor, dog food. You work hard; give your dog the cheese she deserves! (groan)

MarkHJanuary 11, 2016 1:41 PM

.
YOUR ANTIVIRUS SOFTWARE MAY BE THE GREATEST SECURITY HAZARD IN YOUR COMPUTER

This really depressing Computerworld article explains in some detail how bad the security practices are among vendors of the major anti-virus packages.

Atrocious practices include:

• needless execution at the highest privilege level
• lack of code inspection/auditing
• failure to follow secure coding practices and/or use memory-safe programming languages
• loading updates with neither a TLS connection nor signatures to verify that the updates are valid

The article leaves the impression that if you are a well-resourced attacker, AV software is so vulnerable (and so powerful, once exploited), you'd be a fool to focus your attacks on anything else.

That being said, the consensus at the moment appears to be that AV attacks are sufficiently complex and valuable, that they are expected to be reserved for use against selected high-value targets.

But somehow, I don't feel reassured.

Nick PJanuary 11, 2016 2:16 PM

@ MarkH

In that case, the theory comes after all the evidence supporting it: AV has long been targeted by malware authors due to its poor quality. Also, most programs that need that much access to a system are already overprivileged. So, hitting them does an end-run around any privilege minimization done in other apps. Java was a prime example during most of 2000-2010. Now I'll skim the article to see what's new. ;)

re Gravity Zone and hypervisor-based scanning

While not new, it's good to see this in mainstream articles as it will be news to many that these are good ideas. Specifically, externalizing analysis from collection. That goes back to high assurance systems where they were instrumented to deliver audit data on all kinds of things but a less privileged process could analyze it. Given hackers target endpoints, it's actually best for security analysis and management to be on a different, hardened machine. A non-Windows machine, I'll add, given all the security tech available for Linux, BSD's, and RTOS's.

Far as hypervisor approach, Lynx already deployed that with one company. There's been a number of academic projects that did similar stuff for behavioral analysis or checking kernel integrity. So, this approach is being explored in a number of ways with some uptake in industry. It could eventually become a new buzzword feature among AV or network security peddlers. It's weaker, imho, than the other method because today's hypervisors are complex enough to have plenty of problems. Plus, HW is shared between security-critical code and compromised code, leading to sophisticated attack angles.

Privileged sensors sending audit data and/or receiving commands over a secure tunnel to external, hardened machine is probably best approach. Maybe there's a business opportunity here for a reader using simpler, hardened OS (or RTOS) on simpler, embedded boards. Could visually demonstrate all the risk eliminated by lack of complexity along with control-flow integrity or mandatory controls regular solutions couldn't have. This has already been done multiple times in high-assurance security but not for AV that I'm aware. So, a proven strategy plus an opportunity and even medium assurance is better than existing stuff. Should be cost competitive with low assurance vendors given what they charge.

meJanuary 11, 2016 3:03 PM

Antivirus is a joke. Anyone paying attention knows the various outfits employ WHITELISTS. Even F-Secure was not immune. So, if AV is your thing, choose your vendor wisely -- US Gov, Russian Gov or Chinese Gov. Seriously, weird organisms survive better in this harsh climate.

BuckJanuary 11, 2016 5:29 PM

@MarkH

• loading updates with neither a TLS connection nor signatures to verify that the updates are valid
Ouch! Well-resourced..? I would think this vector is easily accessible to anyone with a WiFi capable device and a copy of the metasploit framework...

Dirk PraetJanuary 11, 2016 7:13 PM

@ Nick P

In that case, the theory comes after all the evidence supporting it: AV has long been targeted by malware authors due to its poor quality.

Especially if you download an illegal copy from the Pirate Bay or other torrent sites. Almost all of these installers and key generators come with additional malware 8-)

65535January 12, 2016 1:02 AM

A small legal victory – finally.

"...In the opinion, Judge Kennedy notably tossed the CPD’s use of an oft-replicated template affidavit written by an FBI special agent who advocated withholding stringray documents. The judge dubbed it "the very type of affidavit that is insufficient to prove an exemption by clear and convincing evidence." Importantly, she also knocked down the police’s attempt to use a decades-old statute—known as a pen register or trap and trace order—that often provides the legal authorization for law enforcement’s use of the invasive surveillance devices… In fact, within the 19-page opinion Judge Kennedy seemed to specifically single out pen registers and trap and trace orders as two of the ongoing issues with the stingray era. In particular, she highlighted the fact that pen register-use pre-cellphone was not the same thing as when it gets applied to the more modern stingray…"

See:
http://arstechnica.com/tech-policy/2016/01/chicago-police-must-finally-produce-stingray-records-judge-orders/


WaelJanuary 12, 2016 3:54 AM

@Buck,

Which again reminds me of one of our other missing friends mentioned recently... I hope all is well in his/her neck of the woods!

I hope so too! All is fine unless his neck of the woods happens to be:
location.withheld.for.obvious.reason

Clive RobinsonJanuary 12, 2016 4:56 AM

@ Mark H,

This really depressing Computerworld article explains in some detail how bad the security practices are among vendors of the major anti-virus packages.

If only it were just "major anti-virus" vendors.

As I've pointed out in the past "code signing" says nothing about the quality of the code or of those that designed / developed / tested it. In fact it can be shown that the major benifit of it is actually DRM on non open platforms, of which games consoles have been the most obvious for the longest time, followed by the "walled gardens" of smart devices like phones and pads as pushed by Apple, Google and Micro$haft.

It is a battle we are losing and it will be slamed shut within a few years judging by what is in the TPP drafts.

With the advent of near compulsory 24H "fit-bit" wearing by employees of C Level execs looking for cheap medical insurance, I can see a time when the US Government gets mandatory access to the data.

Then as I've indicated in the past as part of faux "tax reduction" measures people will be very much increasingly "fined" in new and inventive ways by the Governmentoff of the back of such insurance systems. In the UK we have seen proposels for reduced "road fund" based on having your car "wired in", and thus as with tacho's speeding and other road offenses will be easier to "find and fine".

Thus with the likes of new and improved "Well-bits"(TM) a $100 fine and mandatory costs for the misdemeanor of, breaking wind, coughing, sneezing or even breathing to deeply etc in public places will not just occure to the money grubbers but be easy to implement by dictat.

It ceases to be mildly amusing and become the stuff of nightmares when you think about Smart Meters, IoT and Medical Implants...

As for privacy the only solution would ba a three step process, single sheets of paper on glass surfaces and soft pencils to do first stage encryption, then an "energy gapped" old PC to get it into "electronic form" and second stage encryption / normalisation / obsfication / stenography then transfer via some kind of one way process to the "Snoopernet", all whilst practicing solid OpSec to avoid IoT in your domestic appliances evesdropping and shoulder surfing 24x7.

That glowing red eye of HAL in 2001 lip reading Dave is where IoT is heading, unless we find ways to stop the Police/military Industrial Complex and their machianations. After all why have an expensive RoboCop when you can have a built in "White Good Spy".

Time to stock up on "old tech" whilst it's still yours to own and control. The fashion statment of "So last Century" might just apply to the new breed of "Wise Guys", not just those with a retro vibe.

Clive RobinsonJanuary 12, 2016 9:05 AM

More on Tor... and CMU

Some of you may know that back in December, Tor hired Shari Steele, who was for 15 years previously the EFF executive director. Shari is Tor employee number ten and has been interviewd by Arstechnica,

http://arstechnica.com/security/2016/01/going-forward-the-tor-project-wants-to-be-less-reliant-on-us-govt-funding/

The interview covers several things including Tor's desire to diversify it's funding, so that the development they can do is not constrained as much by Project Funding from the US Gov which effects what they can and can not do. It also covers the deliberate avoidance by CMU over it's FBI sponsored attack on Tor, and why CMU behaving in such a way has implications way way outside of Tor and right into the heart of day to day Comouter Security, especially on things like the rapidly declining trust in CERT.

On a point that's not mentioned in the article the FBI-CMU-Tor debacle also raises the question of "ethics". As some know all research carried out in Western Universities should be subject to scrutiny by an independant ethics committee (this is a legal requirment in some places). It is now abundently clear that CMU failed in this vital respect as at the very least it kept PII records that could be subpoenaed, and this has without doubt brought down 2nd and 4th amendment issues onto innocent heads, some of whom were carrying out legaly privileged activities.

Thus it should now be beholdent on all ethics committees especially those in CMU to ensure that all PII and Meta Data that can give rise to PII should be suitably anonymized at the point of instrumentation (sniffing) prior to it being put on any communications link, recorded, processed or collated in any way. And that if data and meta data that would give rise to PII can not be sufficiently anonymized then the research should not go ahead (this is the norm for the likes of human medical trials etc). Further all funding returned and any work carried out to that point should, if it would enable others to follow in the project foot steps sufficiently to replicate the PII revealing activitied should be made unavailable academically or legaly and these requirments made absolutly clear in any funding proposals.

Whilst it might sound draconian it is still more than possible to do research into information security that would reveal and allow PII threats to be identified and fixed by a variety of fairly well established techniques, not to disimilar from those used in malware research etc. That is there is very few cases where "live systems" need be instrumented in a way that allows PII recovery, and any such proposals should be deeply scrutinized by independent experts in advance of such work to ensure the ethical constraints are suitably built in.

WaelJanuary 12, 2016 9:34 AM

@ianf,

FOR THE STATISTICALLY-MINDED: since I posted the link on 12 Dec last year, it has been invoked 77 times (goo•gl doesn't lie);

Sounds tempting to try on links I share.

Clive RobinsonJanuary 12, 2016 10:30 AM

@ Figureitout,

YOu might find this of interest,

https://medium.com/@iMitwe/build-an-sms-center-with-python-kannel-and-a-gsm-modem-9c0d29560d82

BAsically it's a package that lets you use ZTE GSM dongles to send and receive SMS's from the likes of Raspberry Pi's.

With only a little work you could use it as a Mix-net like message network where encrypted traffic can be moved around in various ways. Importantly adding "store and forward" at random times and orders could be easily achived. More importantly though you could use it with old style Nokia phones that last a week or more on one battery charge you don't need to, you could just CLI in on a node and send fully encrypted to another node.

You might also find this FUSE article of interest,

http://engineering.facile.it/write-filesystem-fuse/

You and @Dirk Praet, @Nick P and others might also find this of interest,

https://torgeek.pw/how-to-access-the-darknet-the-safe-way/

It appears that the demise of Moore's has been over rated at least as far as Intel are concerned,

http://www.hpcwire.com/2016/01/11/moores-law-not-dead-and-intels-use-of-hpc-to-keep-it-that-way/

Mind you as I've indicated in the past the "more bang for your buck" is comming from "more cores" rather than significant improvments to individual cores, so my parallel predictions are still the way things are going. Which means programers are going to have to step upto that plate rather than throw the performance out the window.

@ Nick P,

One for your 70's Security Paper's archive if you've not already got it,

https://www.cs.virginia.edu/~evans/cs551/saltzer/

On another note it's three years today since Aaron Swartz met a very untimely end due to malicious behavior of Federal Prosecutors working on edicts passed down from the top of the executive. It appears that people are begining to pick up on the implications of that and the Ed Snowden revelations and similar and what it can mean for them at a personal level,

http://www.wsj.com/articles/car-insurers-find-tracking-devices-are-a-tough-sell-1452476714

(it's behind a paywall, but if you know some one who can cut n past to txt and share it, it reads OK).

It's not surprising when warnings given on this blog half a decade ago or so start getting more main stream,

http://motherboard.vice.com/en_ca/read/the-internet-of-things-that-talk-about-you-behind-your-back

As well as techno toys getting subverted for illicit use almost everywhere as fast as they get cheap / ubiquitous,

http://www.manchestereveningnews.co.uk/news/greater-manchester-news/ipod-skimming-device-cashpoint-scam-10692479

And on the EU -v- US issue it's not just "safe harbour" that's making waves,

http://venturebeat.com/2016/01/11/europe-fires-warning-shot-against-u-s-tech-companies-with-new-tax-ruling/

Nick PJanuary 12, 2016 10:51 AM

@ Clive Robinson

re first link

Nice article. What Peach's is doing immediately reminds me more of IRC than traditional, command lines. IRC was typically a graphical app or text emulation of one. Special functionality could be obtained with menus. However, it was normally typed with /command. There were few enough commands that people learned them easy enough. I remember having lots of fun with /me in particular. Everyone did. Not surprising the model comes back.

"The popular chatroom/collaboration software Slack uses slash commands similar to what its spiritual predecessor IRC used."

OK. So, they made the connetion too. ;)

"Now that computational power is available at a lower price than ever before, it’s possible to create pseudo-command-line systems with greater leeway for mistakes, and even the limited ability to “learn.” "

This is not only right but has been around. I don't have the link on me, right now. It was one guy writing in favor of eliminating command-based systems in exchange for what was essentially natural language processing that tried to understand what you were doing. The NLP was a subset of English words and constructions likely to be used. He deployed it in his application successfully back in the day.

So, before massive CPU power, this model was still available using NLP-style techniques.

"The experience is so important to some that for initiatives like Facebook’s M service, artificial intelligence is supplemented by the work of actual human beings on the other end."

I've long argued for this. Aside from expert systems, first time I saw potential for this was Programmer's Apprentice project back when I was studying AI. The idea was that programmers would still be in charge but not limited by mere text editors. They'd have a system that understood the languages, libraries, common idioms, etc looking over their shoulder. It would highlight stuff, help them refactor, suggest what they tried to type, do things like compilation in the background, etc. That project came and went. Yet, I believe you've heard of this sort of "AI" by a three, other letters. ;)

I look forward to seeing what Augmented Intelligence brings next.

"But if I were a venture capitalist I wouldn’t be asking them about how they plan to compete with News Feed — I’d be asking them how they plan to compete with M."

Good article with a bad ending. Most of these apps intend to get big then sell out. Peach *may* have to contend with M. More likely, they'll be gone long before M becomes a threat if they're well-managed.

Besides, only Bond dares compete with M and get away with it.

re second post

Oh, you bet I have the Saltzer and Shroeder paper. Far as Aaron Schwartz, I have mixed feelings about that one. I've been doing activism and pissing off governments long enough to know that the risks were clear up front and our elders taught us caution for a reason. I'll just quote commenter "raldi" in full in another discussion:

Some quotes from the official MIT report: http://swartz-report.mit.edu/docs/report-to-the-president.pd...

Typically, when an excessive use case is reported that is determined to originate from within MIT’s network, the Libraries report this to either the MIT Information Services and Technology (IS&T) network security team or MIT’s “Stopit” group, which deals with inappropriate behavior that occurs electronically. The Stopit group’s general response is to send the offender a warning email message. This is almost always all that is needed to get people’s attention and have them stop whatever it was they were doing that caused the problem.

[...]

This time, the requests and downloads stimulated a cascade of failures that brought down multiple JSTOR servers. Half the servers in one data center failed, and JSTOR engineers feared that the entire service might go down worldwide.

[...]

Also on October 12, the Director of the MIT Libraries reported to MIT’s Academic Council that a cyber-attack of the JSTOR database had caused a weekend shutdown of JSTOR to the entire campus.

Now take a look at the "MIT Hacker Ethic", particularly bulletpoint #2: http://hacks.mit.edu/misc/ethics.html

The few people brave enough to critique the Schwartz fanboys also showed he did a physical B&E and the sentencing was overstated. Most original, widely-shared reports I read in geek media didn't mention any of the above. That I just now found out about all this shows how distorted the situation was.

The truth is Schwartz, whatever his intentions, was acting very destructive and criminal in blatantly obvious ways. He got caught. People defending themselves escalated it to law enforcement. He was too mentally ill or cowardly to face the consequences. He killed himself.

That's not a fucking hero at all. Heroic are all the people fighting for civil liberties, privacy, ending corruption, etc taking risks and enduring the consequences *without* doing B&E's and taking down networks. I'll keep honoring them if they're unintentionally martyred doing a wise and productive thing. Personally, though, I don't think Schwartz deserves the support he's being given. It should go to his earlier, great work then shift to others like Tor project, Bruce, the Intercept... everyone *still living and fighting* for us without stupid or suicidal stuff.

And maybe his girlfriend/wife, too, who he left to deal with a huge mess alone. Let's not forget that...

re Europe tax ruling

Good that I can end on good news. Yeah, screw the multinationals skipping out on taxes. The real problem is in Ireland, though. I can't recall what their status is in E.U.. You think that, without Ireland's own support, the EU could do something similar for the Irish Double Dip? That could get back *billions*. It's why I have mixed feelings about this ruling as $765 million is a walk in the park compared to Irish dodges.

Church LadiesJanuary 12, 2016 3:56 PM

"acting very destructive and criminal"

Destructive, that we can talk about, but the term criminal is meaningless in a state that articulates as policy "to break all sorts of rules, to cheat." We now know that the rules this state will break include those on torture, war crimes, genocide, and aggression, the legal and moral bedrock of modern civilization. Under those circumstances it's silly to shake your finger at a human rights defender because he hasn't been enough of a boy scout. In the outside world where the rules are made, the rules say Swartz does not have to be 100% correct in his interpretation of our rights. He has to be nonviolent, that's all. Furthermore, when you consider that US rulebreaking is so systematic and widespread as to forfeit the sovereignty of the regime under the universally-accepted R2P principle, the rules provide for recourse to rebellion. That may take the form of civil resistance, in which citizens wilfully break laws to enforce peremptory norms under legal protections including necessity, lesser evil, inter alia, depending on municipal jurisdiction. You could look it up.

So in this very perplexing notion of yours, humans must comply with the rules of a criminal state? Fuck that. Before this mafiya state is reformed out of existence, it's going to claim a lot more victims. It is churlish of you to blame them.

Clive RobinsonJanuary 12, 2016 5:25 PM

Microsoft Windows Remote Desktop Protocol Security Bypass Vulnerability

On the day Bruce posts about Apple -v- Microsoft vulnerabilities last year...

Microsoft pop this one out,

https://technet.microsoft.com/library/security/MS16-007

Which is a fun start to the year...

It contains several major vulnerabilities but the one bypassing login security on the RDP for accounts without set passwords in Win10 is a real doozy, as it looks fairly simple to exploit.

Nick PJanuary 12, 2016 5:36 PM

@ Church Ladies

You're conflating what a democracy does defending itsslf afainst totalitarianism vs what one guy acting on his political beliefs does on the offense against corporations and universities. They're not the same thing. Americans are free to act pushing politicians to open-up stuff that's taxpayer funded, patented, copywritten, etc. They just dont give a damn or like the current system's benefits mostly.

Far as your arguments, let's test them in practice. So, a person who disagrees with you for political reasons should be allowed to:

1. Burglarize your house or datacentet.

2. Post your personal or business secrets online.

3. Take down our Internet connection or business services.

And not be charged with a crime for various justifications you give? Sounds like some rough anarchy to me. Also violates several rights in the Constitution.

WaelJanuary 12, 2016 6:23 PM

@Clive Robinson,

so you don't feel left out...

Thank you! I thought I got you upset somehow. You know, I just can't live with that ;) These links are spot on. If you remember, we discussed gravity modulation as a way to jump air-gapped devices! Didn't think it's possible, but that remains to be seen...

I'll read the docs and get back to you. Fascinating subject :)

Nick PJanuary 12, 2016 6:27 PM

@ Wael

Yeah. Gravity modulation, muons, neutrinos... people hear it here first as usual.

WaelJanuary 12, 2016 6:36 PM

@Nick P,

I was going to say the same thing, but one of the papers was published in 2006. It has happened here in the past, as you well know.

Nick PJanuary 12, 2016 6:54 PM

@ Wael

Damn. Well I can still hope the muon and neutrino side channels were mine first. Once detector prices come down a bit.

Clive RobinsonJanuary 12, 2016 7:41 PM

@ Nick P, Wael,

You two up for a side bet on "bragging points"?

As you probably know Pres Obama is giving his last "State of the Union" address in a short while.

Obviously he is going to mention terrorism and IS, but will he also mention technology and encryption?

And if he does which way he's going to push it?

Now a little bird has mentioned in my direction that the word is out that when Obama met with Silicon Valley tech last friday Comey pulled a switcheroo on the agender and banged on about encryption not how to deal with IS.

Unless the little bird who gave me the heads up is from the same nest as one Bruce has been listening to then other people are hearing a similar story that Comey is about to get some legislation that is leaning his way.

Do you think Obama is going to mention "a moving forward" on this?

WaelJanuary 12, 2016 7:57 PM

@Clive Robinson, @Nick P,

I wasn't even aware of the state of the Union speech. I'm not into politics that much. I better watch it then. You're on! I bet he will talk about quantum cryptography and Epileptic Curve Crapography (you know, export quality ECC stuff), too :)

Dirk PraetJanuary 12, 2016 8:31 PM

@ Clive, @ Wael

Re. Gravitational waves signal

Yesterday, I nearly fell out of my bed when I saw those tweets passing by on my iPad just when I was about to call it a night. Confirmation of the existance of gravitational waves could dramatically reshape our current understanding of the universe because they would allow us to detect and observe objects we now have no (direct) means of finding or studying. Most of the universe is "dark", as in not emitting (or absorbing) any light. Gravitational wave signals could provide an entirely new way of exploring those dark corners of the universe.

WaelJanuary 12, 2016 8:44 PM

@Dirk Praet, @Clive Robin, @Nick P,

I nearly fell out of my bed when

You almost fell because of a subtle gravitational compression wave.

Will be interesting to see how this turns out...

WaelJanuary 12, 2016 9:29 PM

@Clive Robinson,

I better watch it then.

Ho hum... 20 minutes was enough for me. I almost fell asleep, maybe a good thing :)

Church LadysJanuary 12, 2016 9:35 PM

@Nick. Knew you were going to do that. That's a deeply ingrained reflex in you: that laws are binding on humans - unless they work for the state. In this case, you tell us your state and its officials can blow off the law because it's a 'democracy' (yours is not; check it against the legal standards of ICCPR Article 25(b)) and it's defending itself against totalitarianism (Let's think about this a minute. Who are the totalitarians here? What exactly IS totalitarianism, if not state impunity for murder, torture, and aggression?)

Your 1-2-3 test is a forlorn strawman. The conflict in the particular case you brought up was between your common-law right to freedom of information [UDHR Articles 19 and 27(1)], and the engineering performance of some techno doodads run by JSTOR rentiers under a predatory corporate IT regime. You stretch that case grotesquely in who knows what directions and make obscure analogies between the unspecified result and three hypothetical derogations of an entirely different right, to privacy. Then you stick the whole mess in the blender and call it 'anarchy.' That's cop-level reasoning. You can do better than that, goddammit, programming demands logical consistency, and I know you can program.

Question is, What is it that keeps you from following your logical nose when statist orthodoxy is involved? Smells like immersive statist indoctrination. You hint darkly of high-stakes, desperate struggles with Da Man, but in specific matters of interest to the state you conform precisely to statist orthodoxy. If you thought about it for one second, the cognitive dissonance would pop your head like a zit.

Best of luck pissing off governments, but if you wish to be truly annoying to them (or, for that matter, to be credible as a shadowy cyber-freedom-fighter,) it would help to stop thinking like a brainwashed gumshoe G-man.

WaelJanuary 12, 2016 9:38 PM

@Nick P,

Breathe new life into those nodes which already still have significant business. What you think?

I think I'll wait until you read it and share your conclusion :)

WaelJanuary 12, 2016 9:49 PM

@Clive Robinson,

their population is aging but their birth rate is incredibly low.

Elementary, my dear Watson! A Japanese friend or two told me the Japanese body temperature is one degree less than normal. Japanese people are (consequently?) fond of hot springs and spend a lot of time there. May explain the low fertility rate...

FigureitoutJanuary 12, 2016 10:01 PM

Clive Robinson
--Thanks, read it a day or so ago. :p I like non or very small network projects for time-being that either require toolchain infections or physical interventions. FUSE was nice read too. And the torgeek article, I laughed when the bottom tells you to enable js to view some lovely discus comments. I'm about to setup one of my beaglebone's as a PC I'm just low on screens right now :P And get more accustomed to embedded linux. And get my Raspi finally setup w/ small touchscreen, probably as a VPN or firewall and just leave it. And school's gonna make me pretty quiet for awhile.

Anyway, did you look at my little project? How bad's the code? Saw a couple things already to change lol. Left it pretty small (~6.3K on a 32K chip) b/c I'd personally want a trimmed down version of a firmware I can customize myself. Got a few more tricks up my sleeve for it (and some I'm going to try, it's fun to see how right/wrong you are...). :p

means programers are going to have to step upto that plate
--Let's get the hardware first, eh? And make it clear to people that won't be forced to deal w/ this...exponential bugs and no existing tools to deal w/ it. I mean, let's see they're brains try to think how we're going to have to...

Nick PJanuary 12, 2016 10:35 PM

@ Church Ladys

"Knew you were going to do that. That's a deeply ingrained reflex in you: that laws are binding on humans - unless they work for the state."

You knew I was going to do it because you knew the implications of your claim. The dark implications that anyone could do whatever sabotage or damage they deemed necessary to achieve a remedy for what they believe is a rights violation. In this case, it was a particular, untested interpretation of a declaration from an organization that has many others that apply here, including intellectual property via WIPO. You ignored all local, federal, and international laws that citizens and countries approve of to base your whole claim on that one Article's interpretation. That's pretty sophist.

Let me take a look at those since they matter a lot to a few people here. Not me because nations (esp US) just seem to ignore them in favor of local laws. So, that's my focus. Let's look though. I stopped right at Article 8 where it indicates national tribunals are to happen for rights violations. In other words, you start in the legal system. So, you quote UDHR to support Swartz's attacks then ignore 3 articles that say he should go to court, one that says he shouldn't attack property, one that says he shouldn't interfere with others expression, and... lmao... one you cite which protects authors rights over their published work. The very set of laws he was breaking were established in the specific article you cite, international treaties from same organization, and most nation's laws. Interestingly, he used those laws himself in his own work.

Ok, the UDHR was fun. It condemns Swartz across the board even more than I did when I focused on a few things.

"You stretch that case grotesquely in who knows what directions and make obscure analogies between the unspecified result and three hypothetical derogations of an entirely different right, to privacy."

As outlined above, there's no stretch whatsoever except by Swartz. You implied that any perceived violation of any part of UDHR is justification for sabotage and theft aimed (in attacker's mind) at remedying it (against attacker's choice of target). Guess what? There's 300+ million people in my country with a lot of ideologies and perceptions about what constitutes harm or denial of their rights. Them doing what you suggest would be a free for all hitting everyone. Matter of fact, it used to be that way and much of our legal situation came from trying to restrain it due to all the damage. That's before I even consider all the friggin' guns.

"Question is, What is it that keeps you from following your logical nose when statist orthodoxy is involved?"

Private party repeatedly attacked private parties for personal reasons. The defenders initially gave a warning. Persistence of attacks and taking down targets service led them to notify the police. There's no orthodoxy, The Man, UN rights... just a ideological hacker using force to compel the release of a company's private property. You think it shouldn't be? We have politicians, courts, and so on for that if America gives a shit. Meanwhile, if someone persistently hacks my network and takes down service, I'd turn the data over to the FBI too given I might do time for retaliating personally. His target are scumbags but they were acting in self-defense.

Had he taken them to court and Feds came down on him to shut him up I'd have his back 100%. Even if he totally sabotaged JSTOR at that point. That's when 2nd Amendment authority applies: when other methods don't work due to pervasive corruption... aren't even allowed to. Yet, the citizens of this country support or don't fight copyright so the current system is legitimate even if fucked up. I'm all for encouraging academics to dodge paywalled publishing as a result. Meanwhile, disrupting those companies and their customers... which includes other students... is a crime that will probably be enforced by feds. He knew that, I knew that, everyone knew that, he didn't give a shit, said screw them, screw courts, screw business, screw democracy, did the damage, and his arrogance (and later cowardice) cost him his life. The [Too Predictable] End.

Meanwhile, the rest of us have shit to do to protect civil liberties. So I'm done with this thread as I have more of that to do. Gotta get back to my SW and HW stuff.

"Best of luck pissing off governments, but if you wish to be truly annoying to them (or, for that matter, to be credible as a shadowy cyber-freedom-fighter,)"

Are you famous? You got lots of money? Travel freely? Having little of that is how most know if they're credible: too much time working for public good and too little time on profitable endeavors. Or they get the shit taken away by a government that spites them. I'm pretty broke due to first reason with second one always hanging in there waiting to drop. Anyway, I plan to piss them off some more in the future. Just can't waste what might be my only shot. Getting closer to the holistic process from top all the way to transistors. Sending pieces to people who are builders regularly, too. I'm greatly weakened right now but still working on shit others apparently can't or won't. I'm doing my part.

Nick PJanuary 12, 2016 10:58 PM

@ Clive Robinson

He's a snake so I dare not even speculate. There's no way to know for sure. I'm not watching the scumbag talk, either. I'm going to read the bulletpoints and excerpts from groups with known bias after then watch video segments specific to those that I'm interested in. Same method I used when Bush was President. :)

@ Dirk

I've believed they might exist for a long time. Especially after Townsend Brown's experiments went dark upon military acquisition, early claims of industry, and how similar B2 was to its designs. Could be a bunch of hogwash they got sucked into. Might be an indication of something. Who knows.

@ Wael

"You almost fell because of a subtle gravitational compression wave."

It could happen to any mass that was... full of air. Lolol just kidding. Not Dirk. Some other people perhaps.

"I think I'll wait until you read it and share your conclusion :)"

Yeah, that will be a while. Requires specialist knowledge I don't have yet. There's a decent chance I'll acquire that eventually even if not the analog. Just because I love FPGA's too much and industry vastly under-utilizes them. Think Dave Chappelle voice in Black Bush skit: "Do you have any idea what... the FUCK... you can do with reconfigurable chips? RECONFIGURABLE!!!"

" Japanese people are (consequently?) fond of hot springs and spend a lot of time there. May explain the low fertility rate..."

If you're not kidding, then that's a great observation: sperm can't take heat hardly at all. Cooking the nads was proposed (and tested by Swedish researcher) for birth control. Doesn't even hurt after first minute or so: feels kinda good. Closest thing to empirical evidence (esp large sample) was a study on men who worked at blast furnaces who didn't have kids for something like a decade there. Many of them did only a few months after leaving. Seemed to imply the heat was doing it and effects were reversible with no problems with the kids. Also implies hot springs could be a problem for the Japs.

Of course, I just decided to have a casual look at the inhabitants of the country where the problems were. Whoa! I think I'm willing to make the necessary sacrifices. I'll take median pay, right to choose my own "clients," legal immunity, and free nutritional supplements (esp protein shakes). Given it's a numbers game, I know just the frat house where I could recruit some initial employees. I can't say what my methods are as locals tell me they give a competitive advantage. I'm just saying they won't be having a population problem for long. (extra, toothy grin)

Nick PJanuary 12, 2016 11:49 PM

@ Wael

If you mean this, then the two answers make OP look like he was doing a wild guess with his claim. I was also coming up dry on the other possibility. Both results unexpected.

Then there was this line:

"The results suggest that skin pressure by clothing could markedly suppress the nocturnal elevation of salivary melatonin, resulting in an increase of rectal temperature [2]."

Melatonin is part of sleep rhythms. So, a naive, lay interpretation of this result could be that putting on the right clothing leads to hot ass and no sleep. I haven't seen science this intuitive since Master's and Johnson.

tyrJanuary 13, 2016 12:30 AM


@Nick P.

Last time I looked the salivary glands were on one
end and rectal area on the other. How clothing makes
them come together sounds pretty questionable.

The horrible thing about Swartz was to believe that
he couldn't talk to his friends like Lessig because
the FBI said he couldn't. Like most genius level
folk he had a lot of flaws so he won't get a hero
statue, whether he deserved to be hounded to death
by the FBI for being smart is a different question.

The Rule of Law has to apply to everyone in society
or it just becomes worthless paper used to oppress
selected parts of society and that violates the so
called social contrct that makes humans get along
with each other.

Wael knows exactly what it means to be segregated
out for selective abuse as do a lot of others.

The idea that smart people are the new target is
one that people here should find quite troubling.

Clive RobinsonJanuary 13, 2016 2:52 AM

@ tyr,

How clothing makes them come together sounds pretty questionable.

There are oh so many ways... To answer that, but I think I might get banned if I did... Although Internet traffic type figures suggest there might be many "amateur researchers" looking at the issue but few of them get into physical research or publishing ;-)

@ Nick P,

I've not got any science papers, but I do remember a talk on evolution that looked at diferences in "native populations" who lived in differing environments. And there were plenty of interesting examples like Nepalese and their ability to exist at high altitude low oxygen environments due to differing blood. Chilean's and their square thigh bones giving better muscle anchoring. And native Australians who had slightly different eyes that could see a lot further, but also dropped their core body temprature by half a degree C when sleeping, thus could sleep outside more efficiently.

But the one that "blew my socks off" was in arctic canines where their leg blood vessels were different in that the veins and arteries were not just closer together but actually entwined, thus making an efficient heat exchanger.

So there are examples of different thermo regulation stratagies developing in issolated groups in response to environmental conditions they live in.

From other research there also appears to be other evolutionary effects in testicles in primates. The more monogamous the species the smaller the testicles are, suggesting that "flushing" is an effective evolutionary response.

So yes changes in social behaviour happening orders of magnitude faster than environmental movment might account for a lowering in the birth rate.

However, it's also known that in other societies which switch from agrarian low health care to industrial high health care, the fertility rate drops from an average of five children per couple to two or less. And that the age of child bearing changes from teens/twenties to thirties/fourties when fertility is naturally lower.

But even intelligence appears to effect fertility rates, there is an inverse relationship with standard IQ measures and fertility. The higher your IQ the less likely you are to have children and back in the mid 90's there was a study that showed above 130 the fertility rate is around 1.3 children per couple versus 2.7 at 110 rising to 6 below 90. Giving rise to the argument that "Intelligence was anti-Darwinian". Interestingly another study found that there was a socio economic status effect in the higher IQ fertility rates. The wealthier you are the more children you have and that these tend to be men having 4 or more children with two or more different women (the so called "breeders and squeezers" of "trophy wife" culture).

WaelJanuary 13, 2016 3:36 AM

@Clive Robinson, ...

I've not got any science papers, but I do remember a talk on evolution that looked at diferences in "native populations"

Boy oh boy! Evolution again? I'll help you out with the paper: This is the paper written by an early Scientist. Mua haha :)

But even intelligence appears to effect fertility rates, there is an inverse relationship with standard IQ measures and fertility. The higher your IQ the less likely you are to have children...

There is a German saying that supports your view! "Dumm ... Gut!"

Clive RobinsonJanuary 13, 2016 4:31 AM

@ Wael,

I'm aware of the German saying and three of it's "supposed" meanings (though just trying to pronounce it should give a base translation for those that speak English but not German).

The variety of meanings is typical of German sayings there is one that literally translates as "Warm Shower taker" which has a variety of meanings one of which would be the same as if you left Gut (good) off of the one you mention, or at it's mildest some one is a wimp, but could also cover the Japanese hot springs users...

However as far as expletives for expressing pain or frustration, in that neck sinue stretching teeth grinding way, Norway has a few that are hard to beat. They are actually quite mild in meaning kind of "oh drat" level but you can realy put your all into them and they sound realy emotive to someone who does not speak the language. The one slightly rude word that makes me smile is "Rumpentute" which most can guess refers to a horn like toot from the bottom. It's the sort of word you would expect a six year old to say and giggle over, but it realy resonates when arising volcanicly from the depths of the lungs of a man for whom wrestling grizzly bears would appear to be mild excercise.

CuriousJanuary 13, 2016 4:32 AM

Fortinet is a company that according to Wikipedia sells network security products, and a backdoor has been shown to exist. Though Fortinet don't want to call the use of hardcoded passwords a backdoor, but instead calls it "(...) rather a management authentication issue." in their statement.

Notice this detail: They obviously did not want to call this a "management authentication issue", but they would "rather" do so. This is I think a good example of this kind of ironic distancing bullshit I discussed previously some time ago.

"Et tu, Fortinet? Hard-coded password raises new backdoor eavesdropping fears"
http://arstechnica.com/security/2016/01/et-tu-fortinet-hard-coded-password-raises-new-backdoor-eavesdropping-fears/

"Brief Statement Regarding Issues Found with FortiOS"
http://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios

I am not the best to comment on such things, so I won't pretend to fully understand this, other than knowing that hardcoded passwords basically work like a backdoor.

Church LadiesJanuary 13, 2016 8:37 AM

Good for you, looking at some of the inherent tensions between the rights. Fact is, Swartz does not have to get it right when he tries to balance them. He can be totally wrong, he's still a rights defender just like you.

And here's your fundamental INGSOC popping up again. Rights defenders like Swartz have to play by the state's rigged rules. But your rulers do not, because... they're democracies fighting totalitarian enemies, or that's the way it is, or something. A related dishonest thing you do is take the question of resistance to this particular criminal state and distort it into "screw courts, screw business, screw democracy." We are not talking about courts or business in the abstract, or whatever it is you mean by democracy in your absolutist police state. We are talking about this particular criminal state and this judicial system, which is rotted through with law-enforcement impunity, coerced confessions, and prosecutorial misconduct.

meJanuary 13, 2016 8:58 AM

@ Curious

Did you notice the Fortinet founders also created NetScreen, the product later purchased by Juniper?

Now, where is my ten-foot pole?

CuriousJanuary 13, 2016 9:51 AM

@me

I saw that NetScreen was mentioned here or there the last few days, but I didn't quite understand the context.

WaelJanuary 13, 2016 10:08 AM

@tyr, @Nick P,

... knows exactly what it means to be segregated out for selective abuse as do a lot of others.

That's right! A long time ago, in an airport in Houston, Texas, I went along to give my brother and mother a ride. I went to the ticket counter with them so they check the luggage in. We were standing in line, and this well dressed man comes to me, introduced himself to me as a security person hired by the airline.

Security guy: I'm just randomly picking people for questioning because of security...
Me (thinking): Yea, right! I've got your random right here, pal! :)
Me (speaking): No problem, I understand. I really do!

Security guy: You're Muslim, right?
Me: Right

Security guy: Sunni, right?
Me: Right, but how can you tell?

Security guy: Sunnis are taller than Shiaas.
Me (thinking): I didn't know that, I know of counter examples. But who am I to say?
Me (speaking): Amazing.

Security guy: What do you think of Sadat?
Me: I don't know. Some like him, some despise him. Internally, I think he wasn't that popular, but externally he was viewed as a good president.

Security guy: Where do you work?
Me: I work at company X

Security guy: What do you do there?
Me (thinking): good question! I'll let you know when I know!
Me (speaking): I am an xyz

Security guy: Thanks for your time
Me (thinking): This guy is really good! Obviously very well trained. Worth every penny they spent on him! Polite, educated, very sharp.[1]
Me (speaking): No worries.

The security person went and whispered something in the flight agent's ear. I thought: that's just great. I'd better start searching for another flight. Or perhaps I should check how much money I have incase I need it for bail.

By that time, my mother and brother had reached the flight check-in agent. She told my mother: We're sorry, the plane is full and there is no spot for you and your son.
Me (thinking): Hmm, where did I screw up?

Flight agent: But we have a couple of spots in first class. We gave you a free upgrade.

My mother and brother were happy. Me, being a "security person" thought: sweet! Next time I'll act "suspicious", and when the security person asks me questions I'll be extra nice! Then I'll get my free upgrade :)

[1] That person knew how to extract the answers from me. He would talk casually about some topic, then he'll abruptly ask me the question he's interested in. The answer came out of my mouth involuntarily. This happened in the beginning until I realized and understood his technique. I wasn't trying to hide anything. I was just impressed with his skills. There aren't too many of these people around.

Other "incidents" don't end up this nice. But not too bad either.

Nick PJanuary 13, 2016 10:25 AM

@ tyr

"Last time I looked the salivary glands were on one
end and rectal area on the other. How clothing makes
them come together sounds pretty questionable."

The clothing makes her notice you. Salivating and hot rectums sometimes follow. Not always, but sometimes.

"The horrible thing about Swartz was to believe that
he couldn't talk to his friends like Lessig because
the FBI said he couldn't. Like most genius level
folk he had a lot of flaws so he won't get a hero
statue, whether he deserved to be hounded to death
by the FBI for being smart is a different question."

I agree. I've written here plenty of times about abusive prosecutors and how immunity incentivizes it. It was ridiculous. This is where I ask people to use some willpower and maturity. Lawyers will tell you that they play these games. If the lawyer is any good, then they'll say just don't talk to the Feds without a lawyer present and otherwise don't worry about it until court. They can talk all the shit they like but have to present it and win before it sticks.

"The Rule of Law has to apply to everyone in society
or it just becomes worthless paper used to oppress
selected parts of society and that violates the so
called social contrct that makes humans get along
with each other."

Not really. I agree and prefer it should apply to everyone. The conclusion doesn't naturally follow. Another application, common in democracies, is that it will apply for most people most of the time. Also doesn't need perfect consistency. Just enough that people have an idea of what will and won't be tolerated with what risk levels. Finally, it is *sort of* to make us get along but really, in light of First Amendment, more to protect us from damage from each other & government. It's risk reduction with some specific yes's and no's.

So, even if elitism exists, the law is still beneficial for overall stability and safety. I'd venture to say that elitism is a problem that goes back to the dawn of humanity where alpha males probably got special privilege. People should fight to reduce it but not worry if it's 100% eliminated. The main issue I'm seeing is how they usually have more resources than many others combined. Let capitalism run long enough means the amount of peasants it takes to counter even one elite only grows. No surprise it's such a big problem in Capitalist Country #1.

"Wael knows exactly what it means to be segregated
out for selective abuse as do a lot of others."

So do it. I grew up white in black dominated schools and areas. They controlled everything. Whites got to experience being singled out for 3-4 on 1 beatings, served after blacks at lunch on occasion, different punishments, exclusion from social benefits, stereotyping, laughter when applying for jobs, and other stuff. All the while we heard speeches about how bad blacks have it and that whites live the high life. I can't remember whether listening to hypocritical bullshit was worse than the other stuff or not. In any case, there are many people with "white privilege" that had no such thing, were the abused minorities, and some that carry the "white rage" from that.

I don't. There were too many good people there. I could see the dynamic & how problems condensed to a few. Many racists, deadbeats, and others formed in that environment, though. The environment is critical for a person to develop properly into a decent, productive human. People can be better than that but I think it should be our baseline. Hence, me fighting for liberties, against racism, etc across the board so hopefully one day stories like mine or Wael's will be historical stuff people gasp at.

Meanwhile, too much bullshit on all sides there to make meaningful progress. The whites won't acknowledge their pervasive racism is still in effect and what effects it has. The blacks won't acknowledge, to white outsiders anyway, that their culture and mindset is creating a huge chunk of their problems and inability to fight racism effectively. I call both out when I see the BS. I try to stay focused on data and methods that are hard to argue with.

"The idea that smart people are the new target is
one that people here should find quite troubling."

They're not a new target. Anyone who thought for themselves has always been a target given conformity is a pre-requisite of abusive, long-term power. Another thing I recall from school is how we had to learn mathematical methods and scientific theories long proven weak or untrue. We had to learn them *and apply them* to problems before the better stuff. Those of us who refused to learn bad techniques, going right to good ones, were punished for insubordination and with bad grades. So, as usual, the U.S. school system rewarded mindless, rote memorization and compliance with protocol while punishing creativity and learning genuine problem-solving.

Being smart has been a problem for a long time. Decades at least. I'm still debating with myself about whether I should teach the kids in our family to stand out or blend in. Not be stupid rather than be outwardly humble and normal, maybe a bit exceptional. Just keep really brainy stuff in their heads usually and only open with people that appreciate it. Not sure. Terrible country or world we're in where I actually have to factor this in to a child's chance at success and happiness. Meanwhile, we're encouraging them to be smart, fun, and tough. :)

@ Clive Robinson

"There are oh so many ways... To answer that, but I think I might get banned if I did... Although Internet traffic type figures suggest there might be many "amateur researchers" looking at the issue but few of them get into physical research or publishing ;-)"

He was thinking too much biology and too little Anatomy & Psychology. I mean, Anatomy and Physi... well, there should be a class on it. Haha. I see you have experience with the subject.

"Chilean's and their square thigh bones giving better muscle anchoring."

What the hell... I'll have to check that out some time.

"But the one that "blew my socks off" was in arctic canines where their leg blood vessels were different in that the veins and arteries were not just closer together but actually entwined, thus making an efficient heat exchanger"

That's pretty damned cool. Yeah, in animals, there's all kinds of things. How gecko's use quantum physics to stick to walls was probably first that truly blew my mind as I was older. Or was it that some creatures saw similar to Predator. I loved thermal after that.

Nah, what you need to look up is the darned saltwater croc's in I think Australia. They have so many tricks it's disturbing. Vaguely remembering two. Big one is they can actually adjust their body pressure and *reorganize internal organs* for different buoyancy and attack capabilities. I was like "wth!?" That would've been great when doing martial arts. Incoming strike to the liver? Nah you hit a rib. Haha.

"vSo yes changes in social behaviour happening orders of magnitude faster than environmental movment might account for a lowering in the birth rate."

Evolution in action, basically?

" the fertility rate drops from an average of five children per couple to two or less. And that the age of child bearing changes from teens/twenties to thirties/fourties when fertility is naturally lower."

That's a trip. Didn't know about that.

"The higher your IQ the less likely you are to have children and back in the mid 90's there was a study that showed above 130 the fertility rate is around 1.3 children per couple versus 2.7 at 110 rising to 6 below 90. "

I think the movie Idiocracy hit the nail on the head. The people of lesser intelligence do more than they think. They're more impulsive. They might also have more skill in social areas. So, they have more sex. Probably that simple.

The long-term effects are frightening given what current situation emerged from their political power and intellectual apathy. So, yes, evolution is sort of reversing to reduce capabilities when combined with human civilization at a certain level. I'm sure there's good research to be done there on that topic. People doing it won't be popular, though. Haha.

Nick PJanuary 13, 2016 10:37 AM

@ Wael

Saw your comment after I posted mine. Interesting story. You handled it well. Glad that one ended in First Class.

xyzJanuary 13, 2016 11:29 AM

@Clive Robinson

https://technet.microsoft.com/library/security/MS16-007

Which is a fun start to the year...

It contains several major vulnerabilities but the one bypassing login security on the RDP for accounts without set passwords in Win10 is a real doozy, as it looks fairly simple to exploit.

Thanks for highlighting this. I would probably have missed it otherwise.

It would not surprise me if this kind of bugs are an artifact of a more arrogant stance toward user privacy at Microsoft

meJanuary 13, 2016 1:54 PM

Did anyone spot the Microsoft CEO during CNNI's coverage of the State of the Union speech last night? He was sitting near the VP's wife and appeared to be enjoying himself. Another nail for their coffin.

ianfJanuary 13, 2016 2:24 PM


@ Clive RobinsonJanuary 10, 2016 2:31 PM

I don't know how to say it without sounding offensive, so please note that offense is not my intent. Long story short, statistics, esp. such pertaining to demography (of which neither of us is an expert), can be used to "prove" anything, make anything sound well-founded, without being either. Used by hubristic amateurs, such as the author of that article, they become junk science,

Which is the case with the How Japan's vacant property crisis will affect the US item that you deemed worthy to expand upon with own illogical musings. A sample:

Clive: […] “for Western Countries the only cause for population stability or expansion is "immigration". Thus Japan's issues with property will quickly become the Wests problem with property. Then of course there is the cost of medicare and pensions to resolve…

  1. by "population stability or expansion" you probably mean population growth rate, the proper demographic term—so why do you use, as does the author of that text, improper DIY descriptors? (FTR: "population stability [index]" can be used as an euphemism for "ecological stability," which, however, applies mainly to biological species' not going extinct—hardly a risk facing the Japanese).
  2. The logic bridge from that first above quoted sentence to the next is AWOL - but, please, do not prolong this thread by mansplaining to me HOW the West's (and Japan's) native below-replacement threshold TFR truly hangs together with Japan's alleged "issues with property" (that will in turn affect the West/ USA, etc).
  3. … all of which somehow being tied to, if not depending on, “cost of medicare and pensions” [you forgot Obamacare, but never mind].


Frankly, I've read that article several times now, and, besides getting irritated by the author's abuse of statistics, cherry-picking "scientific" terms to shore up his line of cul-de-sac thought, I still don't get how the alleged Japan's "vacant property crisis" will affect the Americans, the target group that he's trying to scare (BTW. SHAME ON THE 2ND BANANA BRITISH CHAUVINIST YOU FOR TRYING TO EXPAND THE SCOPE OF THE ALLEGEDLY AFFECTED TO ALL OF THE WEST!!!!!!!)

    Yes, I do know that Japan is heavily in debt, which makes the economists shiver with disgust, because it will soon need to "print money," and yet there's no chance in hell it will ever repay what it borrowed. (Perhaps it could offer homeless Americans free lifetime occupancy in the abandoned properties KIDDING!)
So, first, let me assure you: while there indeed are plenty of vacant houses in Japan, there is no crisis; even the author admits that it is being managed:
They’re not just going in and razing the properties […] They’re also turning these properties into municipal buildings and affordable housing.

Secondly and lastly: Japan is a advanced capitalistic market society. If the situation was as dire as he sounded, and you amplified, then the "market forces" would act, and there would be plenty of dirt cheap real estate deals to be had around Tokyo. That would then have evened out the cost of living in one of the more expensive metropoles in the world, make it more affordable for outsiders (Tokyo is not Detroit). Whereas that simply isn't happening.

    [As I said, I'm not an expert on either of this, merely competent enough to recognize bullshit when it hits the screen; also the guy who usually gets called in to explain to the public what the boffins themselves habitually are incapable of.]


[and now for something completely different]

[…] “Now a little bird has mentioned in my direction that the word is out that when Obama met with Silicon Valley tech last friday Comey pulled a switcheroo on the agender and banged on about encryption not how to deal with IS.

Time to retire this little bird, acquire a new, less gossipy one [conditional question mark]. Comey's coming[sic!] CA bait-and-switch tactic has been widely known ever since appearing in The Guardian's “Asking Silicon Valley to 'disrupt' terrorists is tech talk for 'surveillance',” and notified of by me here on Sunday, January 10, 2016 3:49 AM.

ianfJanuary 13, 2016 2:31 PM


@ Wael

"http://goo‍.gl/" sounds tempting to try on links I share.

It's the web analytic tool LITE for those of us who can't be bothered to rely on proper analytics frameworks with their immersive 100s bells and whistles. “bit‍.‍ly” has similar functionality, but it is managed by the NOC of the failed-state Libya.

Mind you, the evil google logs everything in your account name, and has of lately begun blocking URLs willy-nilly WITHOUT indicating the fact at creation time, only on the first access (when one is given the oppo to "request a review" of the robot decision).


@ January 12, 2016 9:49 PM

the Japanese body temperature is one degree less than normal. Japanese people are (consequently?) fond of hot springs and spend a lot of time there. May explain the low fertility rate...

The overall 1-[℉ or ℃?] lower body temperature of the Japanese (some say chiefly women) may be an urban legend with a grain of truth in it due to shared regional ethnic genetic makeup… the Japanese on the whole being more genetically homogenous than are other, over the ages "mongrelized" ethnic groups/ nations. BTW. I grew up with the figure of 36.6℃ as a normal body temperature, now I read online that the new normal (in the US?) is 37℃. The 0.4 difference would probably be more than a single ℉ degree.

Still, had you had abundant, clean, well-managed/ roofed hot springs around you, as are these in Japan, you'd have been fond of them too (compare it to the hot tubs in your Cauliflower County with by invitation only, restricted admission). However, all is not lost. The emphasized sentence earned you a place in my associative array of simplistic.theories.dept[0]. Can't promise it to you for ever, however; eventually you'll fall off the index, to be replaced by more worthy occupant-du-jour.

As for your explanations re: Japan's TFR - one word: desist (3 words).

WaelJanuary 13, 2016 3:25 PM

@ianf,

Can't promise it to you for ever, however; eventually you'll fall off the index, to be replaced by more worthy occupant-du-jour.

Change is not only inevitable; it's also essential.
-- Paraphrasing Frank Zappa, I think.

ianfJanuary 13, 2016 3:32 PM


Speaking of the NSA… while, thanks to Thomas Drake, Bill Binney, Edward Snowden and others we have "some hum" as to the extent of their spying, we do not really know how they go about it, how the decision of whom to investigate up close is reached, who to watch by other than purely mechanical means (=noise collection). It's all classified; so, unless Ed writes a tell-all book of by then outdated methods and once-decision trails, we'll never know that.

For that reason alone it pays to analyze how screenwriters, the very people employed to re-imagine reality, go about portraying it for the rest of us (besides, what other choices do we have?) Only, while there have been several, usually sensationalist and boom-boom! movies and TV-series about the FBI and the CIA, hitherto the NSA was at best alluded to, or present only in some peripheral capacity.

[SPOILERS AHEAD]

But there is one exception: the (April 2014) 5th season finale of "The Good Wife” series on CBS, esp. the concluding 18th episode named "All Tapped Out" (or #s05ep18 in hardcore TV-buffs parlance).

    For those not familiar with "TGW": it's a meandering story about the lawyer Alicia Florrick and her estranged, first disgraced and jailed, then exonerated and reinstated husband Peter, Governor of Illinois (only in America!). While full of clichés, it's not some run of the mill kludge, but an ambitious, high-stakes quality drama executively produced by Ridley and Tony Scott. The episode recap “TGW Looks for the Next Snowden and Outwits the NSA” summarizes it fairly well, but for one item of which more later.
Of course, it's still just a TV show, not some fly-on-the-wall documentary. But ever since I saw that particular episode, I've been wondering over the plausibility of its revenge on the NSA storyline.

    I know it's all conjured up, but would it really be that easy in the USA to, essentially, "polygraph-swat," and cast "mosque-connection suspicion" on an adversary, as depicted there? Perhaps those of you who've seen it, and/or now read the recap, could opine on how plausible it sounded.


Do observe: absent in the recap is a minor subthread from earlier in the season, of Alicia and Peter's teenage son Zach having for a while a Somali-recent immigrant study pal/GF in high school. I thought the inclusion of such a strange-plumage "bird" there was to underline the liberal openmindedness of the household, towards both Muslims and refugees(?). The GF soon was no mo, with plenty of girly heartbreak over the landline to Zach. Only some of these calls came from a cellphone (IMEI#?) that once called someone in Somalia or thereabouts – which OF COURSE triggered the NSA's interest in the nature of that particular handset's connection to (estranged from, but formerly still) the lawyer wife of the Governor, and started the eavesdropping of Alicia's phones at home and at work.

    It was only during a deposition of her law office's (still bound by secrecy) NSA-subcontractor client, that Alicia indirectly realized that the TLA must've been listening to her home phone. From which point she, and the likewise indirectly eavesdropped-on husband Governor, began to fight back.

Please read the recap, especially the 2 paragraphs near the end, that start with the words “On another screen, an NSA staffer is monitoring the call back from the senator,” to find out how the invigilation was stopped: by the Governor essentially blackmailing, threatening a NSA-connected Senator with doxxing of a business deal that they both knew to be corrupt: i.e. American mentality at work/ business as usual!

[The TGW series continue, but I haven't watched it since; am waiting for the reruns.]

BONUS: how CBS's graphic designer of fake terminal screenshots on “The Good Wife” imagines the "Three Hop Warrant" of the NSA.

Nick PJanuary 13, 2016 3:33 PM

@ me

"Did anyone spot the Microsoft CEO during CNNI's coverage of the State of the Union speech last night? He was sitting near the VP's wife and appeared to be enjoying himself. Another nail for their coffin."

Maybe he's just a player or good conversationalist who wouldn't pass up an attempt to chill next a VP's wife. I'd probably take the opportunity, too. Then try to prod her the whole event to have an honest moment in conversation. She might find a genuine person to to be a relief. Might even have insights on the dynamics of modern Washington.

Lot of different reasons to talk to someone so high up. Sheer curiosity would be a start for me as they live in a whole different world from the rest of us.

Note: Not to say MS CEO isn't a scumbag. Just not for this reason. ;)

meJanuary 13, 2016 5:11 PM

@ Nick P,

You don't consider his joyful presence as an overt sign he is cozy with the Executive? The same Executive that is using secret courts to *cough* "force" his company to do numerous things?

Nick PJanuary 13, 2016 5:43 PM

@ me

Oh yeah, I do. They're probably tight. I've just seen people present with world leaders or top politicos whose actions otherwise didn't support the domination of humanity. It can be cronies, business titans, celebrities, sometimes scientists. On occasion, politicians bring in people on opposite side just for image reasons. So, I was just saying that by itself it doesn't mean anything.

However, it *does* mean something when combined with context of Microsoft's monopolistic situation, government contracts, tight relationship with DOD, and constant inclusion of surveillance software. Context is critical: their context condemns them. ;)

Dirk PraetJanuary 13, 2016 7:33 PM

@ Nick P, @ Wael

"You almost fell because of a subtle gravitational compression wave."

LOL. But there's far more practical methods of using specific "waves" to have fun with people. Cheap devices like the Sonic Nausa generate acoustic sound waves that make people extremely nauseated. Ideal to totally sabotage a noisy party at your evil neighbour's place. It also has a big brother called the Sonic Assault to deal with bigger crowds.

But my all-time favorite prank involving sound to date remains a really mean sound engineer friend of mine who had discovered a frequency that kinda "unlocked" the anal sphincter muscles in people, making his victims in the recording studio soil themselves. It was nothing short of hilarious!

ianfJanuary 13, 2016 7:50 PM


@ WaelJanuary 13, 2016 10:08 AM

Interesting vintage airport-encounter story.

A long time ago, in an airport in Houston, Texas […] We were standing in line, and this well dressed man comes to me, introduced himself to me as a security person hired by the airline.

Judging by subsequent Anwar Sadat line of inquiry, that must've happened some time around 1981… were airline security personnel then even aware of there being two strains of Islam? And why would they care?

If it happened later (I'm guessing before 2001/9/11 though), when approximately.

Couple questions:

Did the well-dressed man [henceforth WDM] carry a badge, or present himself to you by voluntarily (and with respect) first showing you some ID? (What would have happened if you asked to first see some ID?)

Did WDM first or before approach any other passengers in your queue? (or after)

Was anyone in your party dressed in tribal/ traditionally Eastern clothes, or were you identified as "Sunni Muslim" purely by outer visage image? [If so, then Cesare Lombroso must be dancing Macarena in his grave].

What would have happened if you simply answered "No" to his ethnicity or religion question; refused to answer; or told him Cherokee Atheist?

WDM: Where do you work?
Wael: I work at company X

What if X was 72virgins.prepschool.org?


being a "security person" thought: sweet! Next time I'll act "suspicious", and when the security person asks me questions I'll be extra nice! Then I'll get my free upgrade :)

Well, did it ever pan out?


I realized and understood his technique. I wasn't trying to hide anything. I was just impressed with his skills. There aren't too many of these people around.

Socio-technique, the favorite discipline of the good-cop–bad-cop police interrogation tactics. What approximately did WDM hope to extract from you in the course of that brief encounter, was he simply checking if you'd start to sweat in the presence of "the law?"


Other "incidents" don't end up this nice. But not too bad either.

I was once present when another traveler [a mathematics lecturer from UofMich, Kalamazoo] had his Earth Shoe sandals destructively probed with a screwdriver by a suspicious "never seen shoes like this" Israeli screener. Afterwards I asked the guy why didn't he simply explain they were like Birkenstocks, only different. Never heard of Birkenstocks. Turned out Mr. Absentminded Professor had a leaflet about Earth Shoes in his luggage, but never thought of bringing it out either

Nick PJanuary 13, 2016 8:29 PM

@ Clive, Wael

Trying to help someone, I accidentally discovered a great paper by Cindy Gonzales on static analysis of programs to find error-propagation... errors. Recall many people getting blind-sided by the conference paper on using exception systems against programs as an attack vector. Error codes have shown to be easier to understand and get right. Yet, they're also easy to get wrong as they're pretty manual. So, a detailed approach to the topic spotting the types of propagation errors, heuristics for detection, and use on real-world projects was a great Ph.D. idea. Love seeing foundational or just major work in neglected topics.

Paper here.

WaelJanuary 13, 2016 8:51 PM

@ianf,

If it happened later (I'm guessing before 2001/9/11 though), when approximately.

I think it was in the late 90's. Likely before 9/11.

Did the well-dressed man [henceforth WDM] carry a badge...

I don't believe he showed a badge. He had some kind of ID around his neck.

Did WDM first or before approach any other passengers in your queue? (or after)

Not that I have seen.

Was anyone in your party dressed in tribal/ traditionally Eastern clothes, or were you identified as "Sunni Muslim" purely by outer visage image?

Nope. He heard us talk, I guess.

What would have happened if you simply answered "No" to his ethnicity or religion question; refused to answer; or told him Cherokee Atheist?

My mother would have missed the flight. Can't win that battle.

What if X was 72virgins.prepschool.org?

He'd probably have asked me for a box of Viagra™, but I'm not sure.

Well, did it ever pan out?

Nope!

What approximately did WDM hope to extract from you in the course of that brief encounter, was he simply checking if you'd start to sweat in the presence of "the law?"

Evaluating the risk I pose. He was far too sophisticated to just look for sweat beads on my forehead.

Now tell me something and be honest: you are a fan of James Bond movies, right?

WaelJanuary 13, 2016 9:17 PM

@Dirk Praet,

a frequency that kinda "unlocked" the anal sphincter muscles in people, making his victims in the recording studio soil themselves. It was nothing short of hilarious!

I heard of a military-grade US weapon version of this a few years ago. You remember the "shock and awe" big bombs? This one was called the 'shock and awe sh*t" weapon ;)

Nick PJanuary 13, 2016 10:23 PM

That was a good paper. Rational, consistent, avoided extending language, type checking, analysis of prior work... I liked C++'s exceptions when I learned them and expected rational justification but that was more than I expected. Now, let me share the two, brief posts that got me thinking on the topic again: pro-error-codes and pro-exception.

Joel is right in favor of error-codes. High-assurance systems taught us that all behavior, correct and failure modes, must be explicitly modeled and dealt with to ensure either correctness or fail-safe respectively. I didn't think of the analogy of goto before but it seems to fit. Very first case study in excellent book Release It! is how a whole airlines system was taken down by an uncaught exception a person didn't think of. More interesting was how hard it was to figure out where the problem was. That longjump-like property is exactly the problem Joel mentions. His point about multiple-return feature is spot on and his hack was similar to my attempt in C++. The points about macro's... *real* macros integrated into type-checking... also provides readable handling without goto properties. Finally, static analysis tools could ensure everything was checked.

Ned is right in favor of exception handling. It typically leads to more readable code. It doesn't require explicit handling of a specific code. It integrates with the languages that support it better. It *easily* gives more detail on the error type. Your linked paper adds how the error types can be organized and standardized with OOP, too. Shittier programmers can possibly build more error-resistant software with exceptions as well.

So, they both have good points. I'm thinking Joel is more in the right if we modify immediate, return-based handling with syntactic sugar and standardized way of handling it that makes readable code, allows people to explicitly see what's going on, forces cases to be handled with static checks, and allow's richer information if possible. Basically, reinventing exceptions without the problems of exceptions. Not sure at the moment exactly what that would look like outside of functions with two return values, one for errors, with the second one being an error handler defined in that same module. Might also have an exception-style way of passing the error up if it can't be locally handled given caller usually knows context better if it's on their end.

Nick PJanuary 13, 2016 11:14 PM

@ Wael

Thanks and that's what I proposed. ;) It's the specifics that are tricky. The PDF and articles showed there's a series of sub-problems to solve. The solution is heavily tied to the language's grammar and type-system. So, it might not be possible to recommend a specific model so much as a solution per context (i.e. language). I mean, one can do ideal languages and models for example or experiment.

Might be worth doing such an experiment with a Modula or Oberon due to their relative simplicity. That would make the parsing and transformation aspects easier.

ianfJanuary 14, 2016 9:39 AM


@ Dirk Praet

Cheap devices like the Sonic Nausea generate acoustic sound waves that make people extremely nauseated.

Are these subsonic, or ultrasound waves, inaudible to human (and most mammals?) ears, but somehow powerful enough [in a 9v battery!] to interfere with other biological organs of ours? Harmonic distortion which the organism attempts to combat by nausea? Tell me, I am missing something.

[ Interesting website all the same, seems like the USA shop front for an Israeli(?) spy-gear company. They don't seem to have an (official) outlet in Europe, or if they do, they aren't telling ].


@ Thoth

I've seen a number of such "falconry drones" that used a net to disable other drones, but this was the first such seemingly worthy of further development, not simply a proof of a concept. Plainly put, drones and nets do not mesh… the net being as much a threat to the attacker's (if unshielded) propellers, as to these of the target. So this one has to have some "ironclad" safeguards to always stay above and upwind of the target, and/or to cut the umbilical cord to the net once it has engaged…

Drone uses a net gun to capture another drone in mid-flight video.

PS. it's uncanny how in the written-1994/ staged-1996 “Cold Lazarus” TV theatre play, the then-dying playwright Dennis Potter, not known for his love of gadgetry, foresaw presence of hybridized "spy-falcons" in the future, essentially bio-drones, against which there would exist business defense weapons and tactics. He also imagined future Luddites' resistance movement called RON, short for Reality Or Nothing (as in against VR etc inroads in everyday, in his future by and large electronics-infested, life. Consider yourselves illuminated ;-)))

ianfJanuary 14, 2016 2:31 PM


@ Wael

Obviously, YMDV, but I was sort of surprised that, in a offhand confrontation with some self-designated authority figure, you did not inquire at the outset to what do you owe this pleasure of being singled out, and in what way could your standing in line be considered a risk factor ("to be evaluated"), but accepted a subservient position directly.

Perhaps your tactic was the suitable one at the moment, but either you are treated on a par with others, or you are The Other (remember Orwell's Animal Farm: all animals are equal, but some are more equal than others). By that I don't mean that you should have adopted some strident pose, but, since your usurper-interlocutor engaged with you in a gentle colloquial manner, you had all the right to respond in kind… one equal to another. He's interested in you, and you're interested in why you are of interest to him, you being the common denominator between the two of you—elementary my dear Waelson (yes, I am aware of my Monday morning quarterbacking).

    I've had my dealings with the police of various shapes, with mixed outcomes. Only I am convinced that, as "the law" builds up a (if unofficial) dossier on one, and at some point in the future puts one up to a scrutiny, they then note one's competence of being a hardass-nut to crack, so they think twice before bothering one again. Call it preventive self-profiling. Only once was I ever interrogated by police (upon a complaint of "having threatened elderly neighbour"), which ended up with the inspector practically begging to be forgiven for having called me in. After that, despite a few such scrapes (largely unavoidable in today's ego culture), I get to hear about them only via mandatory notices that a complaint so-and-so has been written off.

    BTW. this preventive "saber-tooth" tactic usable also in other conditions. Several years ago I heard a rumor of taking away my (formally illegal) storage shed in the backyard. Whereupon I wrote a 4 page memo to the board outlining why this would be a bad idea, and what I proposed instead. A shot across the bow. Never heard about it since; the shed, with all my bicycles in it, was less important than having to argue against me in court.


[…] He was far too sophisticated to just look for sweat beads on my forehead.

Yes, the hallmark of subtlety associated with U.S. airport security.


you are a fan of James Bond movies, right?

Nope. I like well-made movies and TV with realistic, yet unpredictable narrative arcs—and the Bond movies are the opposite of that. I've seen perhaps half of the 24 of them to date, none of the latter ones (waiting for them to appear on TV). The last thriller-y item that I remember truly lurving was the 1985 BBC Edge of Darkness (not the 2010 2hr compressed movie remake!). Also, ever since arrival of the streaming services, movies are shown in so short runs in the theaters, that it's easy to miss them altogether… after a while I stopped bothering. But here are some titles I've seen on telly that stuck in my mind:

Take This Waltz (2011)

The Broken Circle Breakdown (2012)

Flashbacks of a Fool (2008)

The Place Beyond The Pines (2013)

Broken (2012)

Mother and Child (2009)

tyrJanuary 14, 2016 3:59 PM


@Nick P.,Clive et al

One of the muddier areas in evolutionary process theory
is trying to separate out adaption (individual attempts
to modify self for the environmental conditions) and the
passing on of useful traits to subsequent generations.

I have a longer large intestine (used to extract more water
as a desert dweller) and a larger set of lungs (used to
extract more oxygen from thinner atmosphere) from living
at higher altitudes. Both of these are adaptions that my
body made to conditions. None of my children have these
traits, they may have the ability to do these adaptions
but without the environment they won't occur. Popular
conceptions of how this works are almost invariably wrong
from the desire to make it easier to discuss. You will
adapt or die (natural selection, or survival of the
fittest) but there is no teleology involved in it even
though most would wish for such divine reasons.

I've been reading Arendt on anti-semitisim and it strikes
me that the current political stinks mirror the past with
Islam being substituted for Jew in a repeat of the same
crap that wrecked the world in the 20th century. She has
contended that the victim is a convenient scapegoat for
what is wrong with the society and is being used to evade
coming to grips with the real problems while appearing to
"do something".

The purposeful methods of education used to segregate and
scapegoat those who might pose a problem to the mass and
their selected spot as a consumer dumbass product of the
school system means the gulf gets wider everyday between
thinkers and the general populace. This is not just some
isolated phenomena, all of society is being divided along
the same lines. We need to get over the idea that things
just happen without a reason and start paying attention to
the machinery of our institutions. The surveillance state
isn't a disconnected phenomena and it isn't overreach that
has it spying on consumer dumbass, that is being done for
a purpose. Some of the ugliest statistics you can find are
the decline of literacy in USA when we spend enough on the
school system to make a millionaire out of every child by
putting the same money into an investment fund for them.

If you love your children teach them how to read sounds,
teach them basic math skills, and teach them logical methods
of reasoning. Do not depend on a disinterested stranger with
no power to help them. Help them conform as a method of
getting along but do not think that conformity is an end in
itself worth pursuing.

Shite, another great grandpa polemic !! I keep hoping to do
this less.

I see the bombing of Syria has worked just like dynamite in
a manure pile. Now Isis /da'esh is scatterd all over the
world instead of being regionally contained.

Markus OttelaJanuary 14, 2016 6:31 PM

@ Nick P, Thoth, Figureitout, Clive Robinson

All features seem to be working now.

While it's not ready yet, daily revisions can be obtained from
https://www.cs.helsinki.fi/u/oottela/tfc-nacl/

If you want to try TFC simulated on *buntu/Mint run the setup.py and choose configuration 7.
To run the data diode simulator programs in local testing configuration, run something similar to

gnome-terminal --title='TxM' --geometry=100x35+0+630 -x sh -c "python /dir/Tx.py -d"
gnome-terminal --title='NH' --geometry=71x41+920+150 -x sh -c "python /dir/NH.py -d"
gnome-terminal --title='RxM' --geometry=100x20+0+0 -x sh -c "python /dir/Rx.py"
gnome-terminal --title='dd' --geometry=25x12+740+630 -x sh -c "python /dir/dd.py txnhlr"
gnome-terminal --title='dd' --geometry=25x12+740+425 -x sh -c "python /dir/dd.py nhrxlr"

As the GPG signing process makes DNSSec look easy, the installer won't be signed before I upload the source to GitHub. The key's expiring in April so I'll probably update it along the OpSec.

Dirk PraetJanuary 14, 2016 8:27 PM

@ ianf

Are these subsonic, or ultrasound waves, inaudible to human (and most mammals?)

The device uses a high frequency oscillator to produce ultrasonic electrical waves that are amplified by transistors and converted to sound waves by a high frequency responsive speaker powered by the 9 Volt battery. The more transistors, the merrier. The ultrasonic waves then travel through the ear canal and pass through a region very close to the human equilibrium. The waves are such a high frequency that they cause resonance in the ear canal and it begins to severely vibrate the equilibrium, causing the sediment-filled liquid to slosh around a bit. It is this that causes a feeling of disorientation and quickly makes the victim(s) feel the sudden urge to vomit. It also causes dizziness, temporary vision problems, and possible mental disorders after prolonged exposure.

The Broken Circle Breakdown

Aaaaargh! The horror!

WaelJanuary 15, 2016 12:57 AM

@ianf,

you did not inquire at the outset

I don't like headaches... Just get it done with.

By that I don't mean that you should have adopted some strident pose, but, since your usurper-interlocutor engaged with you in a gentle colloquial manner

I know people who got arrested for adopting this attitude.

Obviously, YMDV

Hard to say, since I don't know a thing about your milage! Try this next time you fly: take some baby powder with you and when you're going through the security line take some in your hand and blow it in the face of the security dude, then yell: anthrax, and run like hell. When they catch you, just be nice and you'll get your free upgrade. Give it a try, you thank me later! It works like a charm!

CuriousJanuary 15, 2016 6:26 AM

I am reading that France supposedly now is rejecting having backdoors "by design" in a headline, but I don't know, this "by design" sounds a bit like a useless qualifier, so in my head I would be inclined to think of such an expression as possibly being ironic distancing, some kind of possible boilerplate response for 'official policy' that ultimately doesn't quite have the same meaning as you think it does.

A more sensible response would be something like this: "France rejects having backdoors". Very simple, presumably being an unequivocal expression, and being very poignant. I am ofc concerned that a directive for implementing a backdoor nonetheless exist or would be something that could come about, becoming a mandate for implementing a backdoor retrospectively, even though you were given the impression of something the quite opposite. So what would "by design" mean? Presumably, a "design" can simply be corrupted so as to allow a backdoor, but I am no programmer/security researcher. I can't help but wonder if faulty coding might be a way to mandate backdoors in various applications.

CzernoJanuary 15, 2016 6:46 AM

@Curious : unfortunately the "no backdoors" stance is just that, French guvment PR.

Actually - voted last month - French law has authorised, formally, all kind of surrepticious access by several more or less secret investigative services (without a court order) for the sake of "anti-terror", in a very BROAD interpretation, and backdoors are PRESCRIBED
to be installed and activated by ISPs on authorities' request (again,
no judge involved).

There seems to be no ending to Big Brother's tightening its
grip over all aspects of our lives and secrets, all under
the pretense of struggling against a menace, elusive and
in large part the result of this same government's exterior politics.
I'm voluntarily suppressing political argument however, as we
know expressing political views and preferences isn't appropriate here.

ianfJanuary 15, 2016 7:14 AM


@ Curious

[…] “Presumably, a "design" can simply be corrupted so as to allow a backdoor… can't help but wonder if faulty coding might be a way to mandate backdoors in various applications.

You probably are reading too much from a single clause in a (by design ;-)) more terse than copy text headline. Also, for the sake of validation, you should have included the French original of it, to allow us to judge whether it's been simplified, twisted, or even wholly "lost in translation" (=not bad book by Eva Hoffman; also same-title film by Sofia Coppola, but there used as a metaphor for cultural alienation).

That said, buggy software can indeed be used as excuse for subsequently discovered backdoors. I wouldn't call them "mandated," though, for precisely the reasons of any future WHO–ME? deniability.

ianfJanuary 15, 2016 4:50 PM


@ Dirk Praet

[…] The [Sonic Nausea] waves are such a high frequency that they cause resonance in the ear canal and it begins to severely vibrate the equilibrium, causing the sediment-filled liquid to slosh around a bit.

100 kHz or (orders of magnitude) more? The device seems portable enough, so, were I to bring it to a Zoo, would the apes go ape?

The Broken Circle Breakdown

    Aaaaargh! The horror!

Whatever real or ironic horrors it may have evoked, surely this Didier's diatribe [alas in Flemish; couldn't find it with English subtitles] nullifies them all?

    [it's an emo-charged, spontaneous outburst of grief in the form of an attack on G.W. Bush’s religious zealotry with stopping stem cell research that might have led to a cure for the deceased wee daughter of now-grieving parents.]


@ Wael

I am fully aware that we're discussing theory, whereas you have to live to survive… the practice, so to speak, which differs from it.

I know people who got arrested for adopting this attitude.

You said your interlocutor striked you as quite sophisticated. Surely asking for credentials AND the MANDATE of non-uniformed personnel (an uniform being kind of automatic mandate, especially with an automatic rifle – ask Anders Behring Breivik) must be within rights of anyone being questioned, and a sophisticate should be able to recognize that himself being questioned first is more of a normal behavior, than accepting his authority on sight. Maybe not in the USA though.

I'd say that anyone randomly challenged at boarding time, and acting meek and not making waves would be more cause for suspicion, than a loudmouth (when once challenged why am I angry at being prodded, I blurted out "I've now been en route for 18 hours straight, am very tired, what did you expect?" Waved on). You think Mohammed Atta would have raised a stink if his box-cutter discovered and taken away from him? (I bet he practiced effective killing with a ballpoint pen as well). But I once protested loudly when a zealous screener wanted to confiscate my nail clippers that I keep in coins pocket—a supervisor came, I got to fly with it. Still there.


[…] Try this next time you fly: take some baby powder with you and when you're going through the security line […]

That's an unfair comparison… you're talking of offensive, aggravating behavior, I spoke of forms of don't-thread-on-me defensive stances.

ThothJanuary 15, 2016 5:25 PM

@all
re: London's Met Police spying with fake cell sites
Best to switch to wired encrypted communications if it is anything of importance than to use wireless channels. Using Bluetooth and WiFi mesh networks (and possibly using good old infra-red communications) would be useful in mitigating the current targetting of GSM networks.

Due to the fact that these SIGINT devices are built by military contractors (e.g. Harris, Thales ...) thus these devices are known to be using military grade FPGAs (e.g. Xilinx, Altera...) that controls software defined radio frequency which are currently tuned to GSM channels. It doesn't take much efforts to load programs on the fly into the SIGINT devices' FPGAs to prepare their software defined radio units to listen in on any other wireless communications and also to disrupt or spoof them.

The tactics used by the military to listen in on enemies and to spoof and disrupt enemy wireless communications are now deployed against civilians in a bid to militarize the "Law (less) Enforcement" by widely deploying and using military devices and tactics (e.g. military SIGINT tools as IMSI spoofing and disruption).

ianfJanuary 15, 2016 6:48 PM


Once we build, and deploy said IMSI catchers, what do we do with the results/ how do we identify the baddies that put them up in the first place, AND HOW DO WE SPANK THEM—if that'd be within the law?

ThothJanuary 15, 2016 11:33 PM

@ianf
Governments have highly robust secure channels to use exclusively and there is nothing we can do to them.

What we can do is educate on the insecurity of GSM channels and conduct further research.

What is left is to use other means of communications that produce lesser trails and signatures like wireless secure meshes that broadcast messages.

The Man in the Black JacketJanuary 16, 2016 1:15 AM

@Thoth, @IMSI Catchers, aka Stingrays, SDR, etc

Where is this week's Friday Squid? Regardless, this is a good conversation.

I think people do need to bear in mind these cops and feds are pretty dim witted, when you do the final calculus. Not that I am some Moriarity who would be advising criminals, or relishing outsmarting "them" -- any fool could wonder if I do not work for the good guys, if they exist, in government.

In the US, the twenty dollar rtl-sdr dongle won't do. You will have to get the bladerf, at best. The 300 hackrf can get you started, however, as it does cover the IMSI related bandwidths. But, you have to remember, it is the bandwidths not covered which can be critical. If you are bugged, long distance would be preferred, right?

Nowadays, you don't need triangulation. You have google heat map apis and a car. ;-)

Or, walking the dog. Like the song.

The good thing about the 20 dollar sdrs are, perhaps, you can run multiples at the same time... and so home in on certain frequencies. But, again, if you were a spy spying on you... would you want to have a system that requires close up contact for burst transmissions, or something permanent near the house... or something that can be heard from long away?


Speaking of stingrays, Cory Doctorow, who worked on systems that invented the modern internet of social media and distributed, open video sharing... as well as a top notch science fiction writer... and main powerhouse of EFF...

(Who has a bizarre penchant for social engineering topics, that is decidedly not 'in your face' mockery...)

Posted this, this week, on the evolution of the discovery of stingrays (zero relation to the recent Harris corporation 'ball busting' youtube post of who knows who):

http://boingboing.net/2016/01/14/how-an-obsessive-jailhouse-law.html


...

SDR has so changed things. I remember back in the day, when I was in the army, our radio boxes were huge. In the seventies, we had to do with enormous rooftop antennas. Nowadays, you go and plunk down thirty some odd bucks for a raspberry pi, and boom. Long wire and a can. Or hook up in the walls.

The Man in the Black JacketJanuary 16, 2016 1:35 AM

@ianf

Once we build, and deploy said IMSI catchers, what do we do with the results/ how do we identify the baddies that put them up in the first place, AND HOW DO WE SPANK THEM—if that'd be within the law?

Okay, word of advice. Cops are there to catch criminals. They are human beings. Unless you are engaged in criminal activity, they are not your adversary.

Spies are there to catch foreign spies. Including terrorists. That game has never changed, regardless of the change in terminology.

Nobody is scared of Joe Blow. Everyone is scared of Joe Blow Who Works For Foreign Nation X.

If you lust for spanking people, I suggest finding a boyfriend or girlfriend.

Cops and spies both, being human beings, look for adversaries. How to be an adversary? Ever hear of a cop stopping someone because they give them a challenging eye? It is in what you think, first.

Spies? Very different. They get up close and personal. They blend in or "die". But same mindset. They blend in with their thinking, first. And last.

But, your adversary there, at the level of thinking of them as your enemy, is the knuckle dragger. The "cointelpro" genius. Because "coin [telligence] pro [we are professional]" geniuses were knuckle dragging idiots who would probably still swear J Edgar Hoover was straight -- and his hacking of gays across government proved it. (!)

Genius, idiot. Really it is about what is in a person's heart. A genius doesn't go out into the yard and consider their own shit as food, as a dog does.

Seriously. "MKULTRA" -- same layer of "genius". They randomly spiked drinks across the country with bars and created monstrosities like the Boston gang leader - whatever his name was, Whitey something - and the unabomber.

Incredibly intelligent people. Who had to shit and fuck and worried a whole lot where their next meal was coming from and if they and their family had a roof over their house.

Do any of these sorts understand the technology they grossly overpay for?

Of course not.

But, do they zero in on people who openly express adversarial belief systems? That is about their only indicator they have...


The Man in the Black JacketJanuary 16, 2016 1:45 AM

@Tyr

I have a longer large intestine (used to extract more water as a desert dweller) and a larger set of lungs (used to extract more oxygen from thinner atmosphere) from living at higher altitudes. Both of these are adaptions that my body made to conditions. None of my children have these traits, they may have the ability to do these adaptions but without the environment they won't occur. Popular conceptions of how this works are almost invariably wrong from the desire to make it easier to discuss. You will adapt or die (natural selection, or survival of the fittest) but there is no teleology involved in it even though most would wish for such divine reasons.

MY GOD, man, are you using lynx as your browser?

You British have neither no sense of comedy -- nor of despair! Not anymore. That is for God's sake truth!

These things said, clearly, the human race was seeded by a hyper intelligent, morally, sexually, and physically superior race. This "evolution" nonsense will never stop, regardless of how we feed it. Because Mars Needs Women.

All that aside, revolution is the singular best course of action.

I am not talking violent revolution, but mental revoltion, as in ESP. Mind control over your adversaries.

Control their women, their men will follow.

Two words of advice.

ThothJanuary 16, 2016 1:59 AM

@The Man in the Black Jacket
This week's squid is likely late again. Our host probably is busy.

You propose using long range for the SDR emission of signals. Would that affect the quality of receiving signals on response to the sent signals. You need to be able to receive as well as send ? Maybe the transmission tower can be done far away while a passive listening receiver that somehow coordinates with the transmitter should be close up to get better quality signal interception ?

It would be nice if the Govt are actually going about helping the civilians and the spy agencies focus on collecting foreign intel and the police not absuing power but as we can see, it doesn't seem like the theory of people doing what they are suppose to do actually works. Hopefully things can change for the better... just hopefully...

ianfJanuary 16, 2016 2:00 AM


@ Thoth

What is left is to use other means of communications that produce lesser trails and signatures like wireless secure meshes that broadcast messages.

1. we can't fight everyday use of cell phones, the chattering public thinks the world of them, while the spooks find them just too alluring, irresistible to not abuse them (the last Ed Snowden's acute assessment).

2. [non-cell?] wireless secure (impromptu or ad-hoc) public spaces communication meshes require easy to acquire, turn-key solutions/gadgets, perhaps something akin to once emerging technology of "Gaydar" (before cell phones became ubiquitous there were at least two distinct matchbox-sized products that detected presence of like device in its vicinity, 20m radius?, and "peeped" Doppler-like the closer they got to one another). Of course, then came the cell phones, and the social apps that killed the gaydar star ;-))

[A rare sample of one such that was NOT a social network, did not require personal registration, only of interest to interact, was this: http://inneract.us/support/ alas no more in the App Store.]

I also recall a ballpoint pen with a built-in vibrating notifier of incoming cellphone msg over BT. The technology has advanced since, so one could probably fit quite a bit of RF functionality into such innocuous-looking devices.

As for what could we do about IMSI harvester cell sites… I was hoping for at least a suggestion along the lines of "once our app detects such in the vicinity, it broadcasts a warning to any other devices within some geo fence, of them being spied on here. So that they get offline, encrypt, etc." The receiving app then builds up a map of signal vacuuming-up unsafe areas, leading (perhaps, in time) to public illumination and protests.

    Did the Prime Minister know that, when she's merely walking from her car to the door, no less than 6 different snooping cell sites in that area poll her mobile phone and suck out her latest blood pressure, number of, and median length of her strides, call history, and other data that upon reflection hardly are critical for the defense of the realm?” ;-))


@ The Man in the Black Jacket (that you, Jeff?)

You assume that all the data-hoovering-up, masquerading as ordinary IMSI sites are those of the LEO/ TLAs. But what if they were set up by criminals? The technology has gotten sophisticated, but not outside the reach of those who know what they're after.

PS. if you're going to stick around for a while, you first need to develop brain muscles capable of weeding out metaphors from literals. Spanking the baddies was the former – look it up.

where's this week's squid?

It's cooking, in olive oil and with chili peppers (as per the latest, just-in Ætertelepathy® dispatch).

Clive RobinsonJanuary 16, 2016 2:30 AM

As somebody else has mentioned Cory Doctorow, I guess I should mention this article,

http://boingboing.net/2016/01/12/keep-your-scythe-the-real-gre.html

Whilst it is a kick out at the "lefty forward to the past through rose tinted glasses" idiots, it also highlights another more serious issue which is the elites "Politics of status". In the process it also gives a simple explanation of why the "Free Market" mantra is wrong, and how economists deliberately blinker themselves to promote the view their sponsors want to be highlighted.

At the very least it is an amusing read.

CuriousJanuary 16, 2016 4:41 AM

@ianf

To clarify. One can easily imagine how insincere and flawed a discussion about not having intentional backdoors becomes ("by design"), if one understand that focusing on the perceived benevolence on this idea of having an official policy that don't mandate backdoors by design, when instead the same state actor might "very well" allow for a covert policy that mandate having backdoors based on downgrading security or exploiting flaws in various ways.

To clarify further. So the issue I am having with this perceived greatness of "not having backdoors by design", would be about security products being released as functional, but that with a tweak (if possible) effectively being turned into backdoors. Then, this simple idea of not implementing a backdoor "by design" would be 'truthful' and 'deceiving' at the same time, depending on whether one think "by design" is about a state adhering to a strict moral principle of never allowing a backdoor to exist at all (no directive, no manipulation, no exploitation), or is simply understanding "design" as an euphemism for being a released final product, with the option of a state actor to alter the deal, do things in secret, and otherwise specialize exploitation, so it wouldn't qualify as general exploitation.

I also can't see how one could trust an official to control the actions of other state actors by decree, as if the mere announcement of a state policy simply meant that other officials working with "national security"/"national interests" would be coerced into abiding to perhaps lower level policy guidelines.

I've been wondering: I mentioned some time ago, that I envisioned this problem of USA possibly having some kind of martial law going on (I have no idea how to prove this), without the public being informed about it, as a means to give itself more powers than it would otherwise (a state no longer controlled by "democracy"/public officials). I can't help but wonder if UK and France are also playing with this idea of expanded state power. The main issue with this idea then, is that one couldn't trust public officials to be in control, as these expanded powers might simply be governed by a military (non civilian).

FigureitoutJanuary 16, 2016 6:57 AM

Markus Ottela
--Good to see the updated code. I generally like to run "on hardware" not emulated/simulated etc.

Clive RobinsonJanuary 16, 2016 5:41 PM

@ Nick P,

There is a github book and examples on "Scalable C" that might be of interest to you,

https://hintjens.gitbooks.io/scalable-c/content/preface.html

If it does work the way the author suggests, it might well "put new life in the old dog" ;-)

Even if not, it will give an insight into massively parallel issues ranging from multicore CPUs through Clusters and Wide Area Massively Distributed Systems (WAMDS).

Nick PJanuary 16, 2016 6:01 PM

@ Clive Robinson

Yeah, he's from iMatix where they do the DSL's that compile to C and maybe worked on ZeroMQ. I told him I looked forward to seeing how he did model-driven stuff for distributed C. Should be interesting.

Clive RobinsonJanuary 17, 2016 5:54 AM

Hotdesking gets junk imaging

If this were the first of April I would think it a badly done April Fools Joke...

Sadly it appears not,

http://www.theregister.co.uk/2016/01/15/put_your_private_parts_on_display_if_you_want_to_earn_a_living/

Put simply a battery operated imaging device [1] is put under the hot desk to view your groin to see if you are at the desk. It sends information off wirelessly to a central system where your groin image is logged in the cloud for cross refrencing by Human Resources or others with cloud access...

So if you are one of those "side saddle" or "stand up" workers, you will be regarded as "not playing" so your work record and ultimately pay could be adversly effected.

[1] http://www.occupeye.com/how-it-works/

ianfJanuary 17, 2016 7:27 AM


No squid this weekend, so am reheating last week's dish. Speaking of porn and one other popular OT topic here, this Carole Cadwalladr's review of expected-to-win-the-Oscars The Revenant tracks ISIS' propaganda roots back to Hollywood:

    […] “immersive” film-making at its finest. Though, arguably, not as immersive as putting a camera in a cage and then setting a man on fire. Have you seen that one? Where the man is burned alive? It’s not by González Iñárritu, but Isis. It wasn’t nominated for anything but the pain is even more real, more visceral, more – what was the word, thrilling? – than DiCaprio’s.

    But then, all of Isis’s video output is inspired by our own entertainments – in its subject matter, its soundtrack, its editing. Islamic State hasn’t invented new narrative tropes, it’s simply lifted them straight from Hollywood. All it’s done is to go one step further, trumped Hollywood at its own game. It has seen what we want, what we thrill to, and given it to us. If there were grizzly bears in the Syrian desert, there’s no doubt that they’d put one in a cage and let us see what it really looks like when one rips a man apart. […]
[No, I haven't seen it, nor do I intend to].

ianfJanuary 17, 2016 8:04 AM


Clive, this Hotdesking gets junk imaging can but be—advanced, but still—a hoax. For one, given British society's disgust of overt exploitation of sexuality, had such devices been deployed, the pervs responsible would now be helping the police with their enquiries prior to them appearing in the Old Bailey… didn't you hear of those caught photographing undies of women while riding the escalators on the Tube?

That said, I've read of a similar pack-of-cigarettes-size surreptitiously installed under desk sensor/ transceiver device, only that one was used to steal data from a bank terminal, and then remotely control the mouse and fill in form fields with digits representing money to be transferred from legit to a criminal's account (the remote controller sat across the road and observed the desk through analog binoculars). But a company-mandated crotch-watching #fuggedaboutit.

Clive RobinsonJanuary 17, 2016 1:56 PM

@ ianf,

...this Hotdesking gets junk imaging can but be—advanced, but still—a hoax. For one, given British society's disgust of overt exploitation of sexuality, had such devices been deployed...

Sadly if you read both links and follow the links off of them you will find that not only do the systems appear to exist, they were also deployed at another Newspapers offices, where the employees got a bit uptight about it.

Whilst I'm not ruling out either fake or over exaggeration there is sufficient independent points of refrence to say that the company apparently exists and these battery powered wireless motion / thermal systems likewise.

The $64,000 question is how low bandwidth this imaging is. If as it's claimed it's powered off of a couple of AA cells thats about 2200mA/hours at 3V with high quality dry cells, you'ld be hard pushed to get a week of continuous use out of it. Burglar alarm sensors tend to be 12V at 10-150mA depending on the sensor type, when they are battery powered wirless units they tend to only powerup for a couple of seconds every minute or so. Those IR "wildlife" cameras that record movment video to SD memory card often need their four or six AA batteries changing every night depending on activity. So you would expect something nearer an alarm system than a CCTV quality video system.

I'm also assuming that it does not radiate "non ionizing radiation" even though the company logo more than suggests it. Otherwise the Scum and other red tops would have "My nads were microwaved by HR" or equivalent stories hinting at sterilization and deformed baby risk, thus class action law suits and the potential cost to the nation of health care etc etc etc. As the Daily Fail website shows a bit of scurrilous fear mongering makes good click bate especially when mixed in with the latest fad diet and "thermacon defoliant" adverts, after all you have to be trimmed --not ripped-- in oh so many ways these days.

Sue Dough NymJanuary 17, 2016 5:55 PM

Gerhard Strasser: “We also have — and this I found surprising — a mention, and a rather serious one, in the Kama Sutra, in India, from about the 4th century. We actually have a reference in the 44th and 45th chapters that men and women should practice cryptography. …”

- How Encryption Technology Can Be Traced Back to the Kama Sutra (The Atlantic)

tyrJanuary 17, 2016 9:35 PM


The crotchshot desk app sounds almost like Concord
Californias Police Department toilet cam, a noble
surveillance idea that failed with a spectacular
lawsuit. In an attempt to appear non sexist they
put the cams in boys and girls restrooms. Girls
were not amused at all.

I read ianf as not wanting to see DeCaprio mauled
by a bear, but i'm sure that scene will have a big
fan audience among the (insert pejorative white
folk term for native people here).

I just consider it the "bet you wish you hadn't
left your .454 Casul behind when you went into the
woods" scene.

If someone hadn't posted a squid recipe Bruce would
have some left on Friday.

Clive RobinsonJanuary 18, 2016 12:38 AM

@ Sue Dough Nym,

How Encryption Technology Can Be Traced Back to the Kama Sutra

David Kahn wrote about this in his 1960's book "The Codebreakers".

From memory --if it's not failing me-- one cipher was based on phonetic variations in the words, the second cipher was a simple reciprocal substitution which was effectivly a simple reflector where you wrote down one line above another for the Key with half of the alphabet characters in the top line and the remaining half in the bottom and you simply swaped the verticle pair in use. Thus the same key was used for encryption or decryption without change in proceadure.

Like the later Enigma machine and it's wired reflector it solved one --human-- problem by creating a worse --technical-- problem. However the Kamasutra was written befor the Arab Scholar and mathmatician Alikindy --from where we get the word algebra-- so how to break such a cipher was possibly not known then, but the same was not true for the Enigma invented shortly prior to WWI...

Clive RobinsonJanuary 18, 2016 1:31 AM

When is a mic not a mic?

When it's some other transducer with sufficient bandwidth and sensitivity.

We have seen this with "crisp packets" and video cameras which is actually quite difficult.

But how about something closer to home, like the gravitometers in your mobile phone...

https://crypto.stanford.edu/gyrophone/

It's why you realy have to be carefull with the likes of the Jackpair kickstarter and other inline wired voice encryptors. Your smart phone might or might not disable it's inbuilt mic but those little gravity sensors to get the screen to rotate etc, nope they will be left on...

ianfJanuary 18, 2016 1:30 PM


@ Curious Re: to clarify, and to clarify further… I reacted to a purely linguistic aspect of your argument, the body of which I couldn't then, and still can not follow.


[…] “I envisioned the problem of USA possibly having some kind of martial law going on (I have no idea how to prove this), without the public being informed about it, as a means to give itself more powers than it would otherwise (a state no longer controlled by "democracy"/ public officials). I can't help but wonder if UK and France are also playing with this idea of expanded state power.

This unease of yours is very much warranted, and that by you detected state of state affairs' proper label is larval stage of corporativist fascism (different stages in different countries). Fascism, rule by threat of force and violence towards "the unruly," is not aliased to left-right-whatever ideology, and is very pliable depending on circumstances (the most Fascist country on Earth, North Korea, dresses itself up as a Workers' Paradise). Fascism is the logic progression of all, to begin with provincial, despots seeking to consolidate their power by whipping up populistic discontent among the masses.

    Fascism happens, when we're not looking out; or, to paraphrase John Lennon, when we're making other plans.

To learn more, I recommend Walter Laqueur's “Fascism: Past, Present, Future,” or, the 6hr with popcorn lite version, 2-part “1900” movie by Bernardo Bertolucci, the most concise, gripping novelistic depiction of its genesis that I know of.

tyrJanuary 18, 2016 4:43 PM


@Clive Robinson

Great paper on the gyro threat model. The better the
tech the worse the security problems from unintended
consequences. I particularly liked the part where a
multiple phone input makes the techniques even better.
Since most folk are surrounded by cell phoneys all
day long.

Joe KJanuary 18, 2016 7:32 PM

Clive RobinsonJanuary 19, 2016 8:12 AM

Why up the stack thinking fails

The "Stack Fallacy" might be called Duning-Kruger meets the Peter Principle.

That is going the next layer up looks easy to businesses but they usually fail miserably when they try,

http://techcrunch.com/2016/01/18/why-big-companies-keep-failing-the-stack-fallacy/

Whilst the "What not the how" problem explains part of it there is more to it than that.

Firstly people tend to forget that something like 98% of new technology startups fail, likewise 87% of new consumer products brought to market by established companies fail. And importantly in both cases nobody realy knows why they just guess at an idea and dress it up in words and dodgy market surveys.

Worse part of the reason new tech startups fail is they can not get market share within the Internet. Ordinary economics does not explain this very well but it can be seen that ignoring the "Distance Cost Metric" is a fundemental problem. In tangible goods markets it costs more to enlarge the area of your market coverage because of the shiping cost which is one aspect of the Distance Cost Metric (returns is another). Thus a startup can establish it's self using the same idea simply by being far enough away that it is less costly local to it's point of production. With the Internet the Distance Cost Metric is not only very small it's actually paid by the customer not the producer. Thus the intangible goods producer cost rises by customer volume not distance, which allows the economies of scale to apply very much more profitably than it does for tangible goods producers.

Various other effects can be seen from this, but the point is it gives rise to the idea that "In the Internet First to Market is Winner Takes All" and "In the Internet inncremental ideas cut no market share". All of which makes not just the prize high but the risk as well because "In the Internet it pays to own radical"...

CuriousJanuary 19, 2016 8:53 AM

Off topic:

Well crap. I can no longer view Youtube videos without being blocked by a popup message from Google, in which they basically want to force me to click "accept", something I won't do.

BoppingAroundJanuary 19, 2016 9:47 AM

Curious,
If you are willing to indulge into a little hassle, the youtube-dl script can download videos from YouTube and many other video/audio storages.

ianfJanuary 19, 2016 10:35 AM


@ Curious is blocked by a popup message from Google, in which they basically want to force him to click "accept", something he won't do.

What does that Accept-preceding text say? If that they've changed the EULA or ToS, you've probably agreed to it long time ago, and now are simply notified of changes (for which unilateral method there were provisions earlier) in the form of lawyerly again acceptance. If it was a notification of a cookie being placed, your resistance counts for nothing to them. On the other hand, viewing of YouTube clips is neither mandatory, nor critical for survival, so more power to you.

Clive RobinsonJanuary 19, 2016 11:38 AM

The Verge on the 5 Crypto lies

The verge has an article on what they see are the five lies of the current Crypto War.

Whilst they have the FBI side well plugged as well as the big conpanies handing over user data 99 times out of a hundred, they have got the crypto side only partly right,

http://www.theverge.com/2016/1/12/10749806/encryption-debate-fbi-terrorism-going-dark

What they have left out is the fundemental point that a user can still encrypt "off decice" and no amount of "on device" backdoors etc is going to solve that ever.

FUrther the mention David Chaum's Nine Person system without mentioning two very important things,

1, The system as described does not go about protecting meta data in anything like a sufficiently robust way.

2, And more importantly the XKCD "$5 wrench" attack on the nine system operators.

You would have to be mad to be one of the nine operators because you would be painting a big flashing target on your back for every spy, criminal, blackmailer and terrorist on the planet. The same for both your immediate family relatives and friends. You would all be watched by so many pairs of eyes there would be nowhere for you to scratch your backside let alone do anything else risky or otherwise, with all eyes looking for the slightest mistake they could take advantage of. It is for similar reasons the US President and many other heads of state and their families have the eye wateringly expensive security they do, which costs billions a year to put in place.

Nick PJanuary 19, 2016 3:47 PM

Waterfall development was slanderous strawman: the *real* recommendations were golden

Managing the development of large software systems (1970) Dr. Winston Royce

How did I never read this paper before now!? People have been bashing waterfall for a long time. If this paper originated it, then the resulting waterfalls say more about the readers and IT culture than the visionary that recommended a very, adaptive process. A convenient strawman as another commenter put it. A few points on the paper.

The author describes the software development as a creative process. Most managers and even many CompSci researchers thought it was mechanical with potential for automation and assembly-line type guidance. He wisely contradicts that in a way that I hope was to help us all out by putting reality in management reader's heads.

I used to think one person did waterfall followed by other models (eg Spiral) realizing initial work usually failed and is rewritten. Now I know it's the opposite: original author knew requirements or design would require rewrites. Even made new diagrams for it to replace the original, unrealistic one now called waterfall. Diagrams most of us never saw while unrealistic model was plastered everywhere. He underestimates how difficult coding part can be but his claims still proved out with methods like Cleanroom and Correct-by-Construction that kept coding structures simple. Almost all defects happened outside of coding and coding changes were straight-forward.

The documentation chapter is pure gold. Managing scope, preventing excuses during failures, ensuring everyone is on same page, rules to keep it consistent even by halting development, wisely noting maintenance/rework phase is horrible enough that docs are a necessity, and handing off system to cheaper, ops people. Those particularly stood the test of time.

In one section, he recommends implementing something to get the process started even if one doesn't know what they're doing. That's to avoid paralysis by analysis and give something tangible to start with. Ironically, "modern" and anti-waterfall methods recommend exactly that.

The simulation part is tripping some people up and a weird read. People take it too literally. What I'm seeing is a call for prototypes that explore some of the user interface, key calculations, structure, I/O, and other trouble spots. The stakeholders each review a bit of this to spot early requirements and design problems. The next section mentions feedback loops that do the same thing which collectively result in buy-in by those paying. Just shows he wisely considered a critical human factor that led to many project failures later on.

So, it was a short and delightful read whose advice should've led to many successful projects and hastened arrival of more Agile methods. Instead, people cherry-picked his points and even slandered him in a way in subsequent work. All kinds of disaster followed.

Least I know now that waterfall was only the intro to the real principles that were designed to prevent that and probably would have most of the time. So, props to Dr. Royce for being one of the giants whose shoulders we stand on trying to make IT great. Well, should've stood on for many. ;)

Note: Follow-up paper here that tries to track the development of iterative methods with some exploration of how his paper got twisted into the strawman crap everyone slams. Truly unfair. Haven't read the whole paper but the sections referencing Royce were good.

BoppingAroundJanuary 19, 2016 4:11 PM

Clive Robinson,
> What they have left out is the fundemental point that a user can still
> encrypt "off decice" and no amount of "on device" backdoors etc is going to
> solve that ever.

Perhaps TPTB are willing to tolerate that. Perhaps they know that only a
relatively tiny amount of users will go that far but the majority of the
systems will remain vulnerable.

That's assuming intentional calculation. If it's mere stupidity or omission,
this little hypothesis goes out the window.

Clive RobinsonJanuary 20, 2016 6:54 AM

@ Nick P,

Dr Royce is right about many things, I did not find out about him untill after I'd got the better part of a quater of a century of engineering under my belt.

In that time I found out for my self about programing and it's relationship to art (Donald Knuth has some choice things to say on that as well).

My viewpoint is that whilst there are parts of programing that are art and science, engineering was most definitely not part of it (I was an engineer that took up programing as a necessary evil ;-)

On studying a bit of history I realised that most programmers are actually very much the equivalent of Victorian "artisans" that would later with the help of the scientific method become engineers. The only reason the Smiths and wheelwrights became engineers was due to the carnage of boiler explosions and the outrage that gave rise to legislation and thus licensing, with formal rigours "technical training" not just informal and patchy "mentoring apprentices".

It's why I have found that those who have trained through the rigour of other engineering and science qualifications tend to make better programmers when it comes to interfacing with the real world not just users. They learned as past toolmakers did how to build tools to carry out other activities. Thus they hit the ground with running feet not theory on the psychology of user interfaces (yes I know people will take exception but hopefully they will think on it first).

It's taken years for formal methods and engineering design practices to creep in alongside "artisanal patterns" etc and for others to realise the benifits, and it will still be "pushing in" long after I'm gone unless Governments make legislation that requires the formal methodology.

As for documentation yeh... It's vital in oh so many ways. As I've mentioned befor I comment code very heavily. So much so that it's been pointed out a few times that I document twice and write code once. And yes it's true, you can read the way the program functions at the interface level in the sub header commentd or on the line by line level adjacent to the code, as well as read the code it's self. It's a habit I got into writing at the assembler level and below, because it sanity checks things and makes fault finding much less difficult.

Then there are "History Files" few people make them even when required to do so. Which is a shame because they are a gold mine of information both you and others can refer back to. Oh and on the personal not project level, both scientists and engineers keep log books / diaries of what they have done and why and experimental results. They get to do this because they get told "If it's not written down it never happened", but quickly find that it becomes a personal guide and refrence book. When you look around you will find productive programers keep diaries / log books as well as history files.

Also those fron non CompSci degrees tend to develop styles that Dr Royce wrote about they kind of found out the hard way that it works...

Clive RobinsonJanuary 20, 2016 7:12 AM

@ BoppingAround,

Perhaps they know that only a relatively tiny amount of users will go that far but the majority of the systems will remain vulnerable.

Which is I suspect the reason that "speaks volumes" about their intent.

Those that encode "off device" or use non electronic communications are the very people who have most to lose so take the time and effort. A percentage of those people are those the authorities should be investigating.

But no the authorities want to go for at best low hanging fruit criminals or worse the innocent to fill prisons profitably. Instead of catching the serious criminals, cranks and those with violent political intent, that they could do, the authorities would rather use them as a way to buid their empires with the help of the politicaly sensitive appropriations commitees. We see this with Comey and Co's FUD, lies and spin to feather their nests.

AnuraJanuary 20, 2016 3:29 PM

@x

Why download it? You can write a script to print it for you:

for i in range(74207281)
    sys.stdout.write(1)

ThothJanuary 20, 2016 8:07 PM

@Clive Robinson, Nick P, Wael, Figureitout, Markus Ottela, Bruce Schneier, Anura, Crypto et. al.

We thought US NSA backdoors and subvert crypto via the Dual_EC RNG and now British GCHQ also has it's own crypto standards subversion via the Mikey-Sakke phone crypto protocol.

How can we ever trust Government published standards ever again for non-domain engineers trying to build security into their systems to comply with security standards while harming their customers (intentionally or not).

I guess we should cast bigger doubts over Government published suggestions and deem it as "insecure and compromised until proven" just like any other security practices where doubt always comes before trust with the particular reason being the Governments now are taking very offensive stances and actions against privacy and security for civilian usage and deployment which makes it even more difficult to trust any national published standards and guidelines.

Do note that although the Govts would share the use of COTS products, they would have known the vulnerabilities (e.g. Dual_ED RNG backdoor, Mikey-Sakke, ECC crypto weaknesses) in these products and probably got it all fixed before they could be introduced into highly sensitive environments (e.g. customization of hardware and software of COTS product).

Links:
- http://arstechnica.com/tech-policy/2016/01/phone-crypto-scheme-facilitates-undetectable-mass-surveillance/
- https://www.benthamsgaze.org/2016/01/19/insecure-by-design-protocols-for-encrypted-phone-calls/
- https://www.benthamsgaze.org/wp-content/uploads/2016/01/white_paper-using_MIKEY-SAKKE.pdf

WaelJanuary 20, 2016 9:34 PM

@Thoth, ...

How can we ever trust Government published standards

Rule number 1: Trust no one; the truth is out there! [1]
Rule number 2: Verify using multiple references

Conjecture number 1: Don't attribute to malice what can be attributed to ignorance.

Governments are made up of people, just like you and me[2]. They also make mistakes because they aren't infallible, even if they recieve help from captured aliens with superior technology ;)

[1] The new X-Files is scheduled for this weekend. It's based on the Snowden leaks, and seven more "things". I wonder if they borrowed the idea from this blog.

[2] Although they lack the sense of humor. Or maybe they have a twisted sense of humor.

PS: I suggest, and I know it'll be ignored, that @Bruce sells some of the winning movie scripts to the X-Files script writers. Maybe he can even be a guest star. I just wonder what role would work for him :)

WaelJanuary 20, 2016 10:13 PM

@Nick P,

One can expect up to 100-percent overrun in schedule and/or cost

He's a bit optimistic. It can get a lot worse because there is no guarantee the second or third iterations aren't as bad as the first. But to be fair, he's applying this to a specific domain where the analysis step, as he claims, is done with relative ease after the first iteration. This may not work in modern rapid development environments where "agile" is the new fashion.

Nick PJanuary 20, 2016 10:16 PM

@ Wael

re "[1] The new X-Files is scheduled for this weekend. It's based on the Snowden leaks, and seven more "things". I wonder if they borrowed the idea from this blog."

Just watched the trailer. Nah. They used alien technology in the plot. This blog confirmed via leaks and posited many realistic schemes that were far scarier without using anything alien at all. Maybe the occasional computer, chemical, or organizational skills that are alien to most of the population. That's all.

" suggest, and I know it'll be ignored, that @Bruce sells some of the winning movie scripts to the X-Files script writers. Maybe he can even be a guest star. I just wonder what role would work for him :)"

Now that's a *great* idea. There's been lots of plots that would look good on TV. I'll nominate two of my own while we're at it. I think the pharma plot would scare the shit out of a subset of Fox's audience. They'd be pushing for a Online Pharmacy Administration or some other bullshit lacking creativity. ;)

re Royce's paper

I was wondering when you'd comment on that as I thought you'd enjoy it or at least have a comment. Not disappointed.

"He's a bit optimistic. It can get a lot worse because there is no guarantee the second or third iterations aren't as bad as the first."

True. His context, as second paper identified, is military contracting. His experience was mostly in the 1960's. He was already seeing need for iterative methods given problems of that time. Over time, we've only seen even more justification for the same.

Nick PJanuary 20, 2016 10:24 PM

@ All

How Sandstorm Works

This is interesting for a number of reasons. First, one author created Protocol Buffers and a capability version to replace it. Second, the vulnerability responses on that were excellent. Third, Mark Miller and Mark Stiegler of capability-security fame are, per the lead, "friends of the project and have provided review and advice."

Altogether, hitting more positive attributes in INFOSEC than I'm used to seeing. Worth looking into further. The lead gave me a page on their security showing it runs on Linux with seccomp and other practices to reduce risk. I critiqued that that's weak on endpoint side but might get further adoption and review going. I suggested they just stay away from anything that ties them too tightly to Linux so higher security practices or platforms can be used later.

I haven't really reviewed the offering itself as much as team and circumstance. I like the latter a lot so far. The former warrants further review just for that. Curious what you all thought of it vs the average cloud offering we see. Btw, this is a crowd-funded, OSS effort. I almost dismissed it as another VC-backed, cloud gamble when I first saw it.

WaelJanuary 20, 2016 10:35 PM

@Nick P,

I was wondering when you'd comment on that as I thought you'd enjoy it or at least have a comment.

It was on my list. I had slight previous exposure to similar "industries" with aircraft cabin control software. My neighbor at the time worked at one of "these places" and he "primed me" for an interview. Had to read about six sigma and stuff.

It's a good paper. Now I'm not an expert on the evolution of software development models, but this paper (book) seems to be a pioneering effort in that field. Water fall -> reiterative -> agile ...

They'd be pushing for a Online Pharmacy Administration...

Lol!

Clive RobinsonJanuary 20, 2016 10:39 PM

@ Thoth,

I saw the Bentham's Gaze article earlier this week, and have been thinking about it off and on.

Without doubt GCHQ were trying to pull the "finesse" wool over the commities eyes. I've seen those moves befor, although in the past it's usually been introduced as a "safety feature" which is harder to argue against than a "think of the children" argument. Likewise "committee stuffing" with "friendlies" to out talk if not out number dissenters (you see this in International Standards and UN sponsored meetings, where the likes of the FiveEyes representatives play "table tag").

The difference this time was the "covering lie of persuasion", I guess "safety" and "think of the children" have become a little over used, as "anti-whitecollar crime" is a new one, and has arrisen as an opportunity since the various "banking scandals" such as the LIBOR scandle etc.

I like the article because it's pitched at a level that is both technical but also graspable by those outside the field of expertise, and within C-Level exec cognition.

However as the article points out there is still the "meta-data" issue, in that the protocol makes no attempt to hide it in any way. Which in of it's self should have been a "big red flag" warning in this day and age [1].

The article does point out some of the less obvious side effects of this with the PGP-web of trust example. Though I'm quite certain TOFU as a replacment is not something most ordinary people can think through. Especialy if they can not grasp the importance of the "check words" to limit the MITM risk.

The comparison with the likes of Signal in the handy little table does highlight why this GCHQ protocol should be given "The Barge Pole Treatment".

[1] For those following along, the danger of "meta-data" in communications is the essence of "Trafic Analysis" which is the big "hot button issue" of "collect it all" "data mining". This enables an attacker to build organisational social data that can then be used on the human level to "social engineer" a desired objective such as finding hidden participants or placing of a spy, agent provocateur or other effective "insider" as an "agent of influance" etc.

FigureitoutJanuary 21, 2016 12:59 AM

Thoth
--You appear to still be going thru the shockwave of realizing every single electrical part you source could be maliciously tampered w/... You will not design a single thing of any worth whatsoever w/ that mindset. People looking for "perfection" will continue living in fantasy land, again not doing a damn thing besides talk talk talk...Embedded and below is where you'll find the most security, as that gets worse, so too does the ability to secure yourself digitally (imagine you ONLY had choice of backdoored Intel chips). It's just like how PC development has gone (unified BIOS lol, more like one hack to rule them all).

Microchip just bought out Atmel, this makes the job easier to force manufacturers to put in backdoors b/c investigators can't do their jobs otherwise. There's got to be a limit to all this surveillance b/c eventually it becomes just too worthless, it can mostly be automated, no need for humans really.

Clive RobinsonJanuary 21, 2016 4:42 AM

@ Figureitout, (Thoth),

You appear to still be going thru the shockwave of realizing every single electrical part you source could be maliciously tampered with.

It is not a "fun thing" to go through. But as you know you can get through it and come out the otherside. And according to the old "That which does not kill us makes us stronger" maxim, often with a better appreciation of how to go about things, without ending up "an off grid spoon whittler" [1].

For me it happened in a gentle way as I was doing "what if games" back in the early 80's and found things and experimented. Which led me to finding out independently about RF Falt Injection Attacks. And this led to reasoning out other attacks.

The important thing to note is that the further down the computing stack an attack happens, the harder it is to exploit reliably which is good news. As is that it requires considerable bandwidth and has little power available thus making it very short range in most cases. But the bad news is the lower an attack is the more devistating it can be as it's lower than most of the protection mechanisms.

You also will find out that to be effective the attack designers need to make various assumptions about how components are going to be used for their attacks to work. Which means several things which you can thus mitigate against.

Firstly you have to realise that for an attack to work, the mechanism has to have sufficient bandwidth and energy with an effective coupling or radiating mechanism to get the information modulated on it out of the conponent and the system it is part of.

The trend to SoC's with built in peripherals makes this easier for an attacker, as does hard pressed product engineers following "recommend designs" to save time when getting product out the door. Or as in some cases get the chip manufactures technical sales and support staff to "do the hardware design for them"...

Which means using older non SoC chips where you have a lot more "freedom of choice" in what you do gives you advantages over attackers. Also doing odd things like "bit banging" serial rather than using UARTs and using Manchester coding etc as well as filtering to close down energy transfer etc.

Things like inbuilt USB and radio's realy are very bad news and it's often cheaper to do a RED/BLACK design using a low cost micro to do the plaintext and crypto, then using one or more SoC's to do I/O processing thus seperating RED from BLACK traffic and strongly controlling the choke point between the two to prevent as much as possible side channel issues.

As a thought experiment an "In Line USB Encryptor" for serial comms that could be used as part of a secure data diode design. You would have two USB to serial converter chips that give you the four serial lines as the choke point interfaces. These connect via filters etc to a low end PIC chip or equivalent. This does the data and protocol encryption and control. It also has a "bit bang" port to do KeyMat and other control functions, optionally it could "off load" the crypto to a Smart Card. Depending on the level of security you want you could also "instrument" the serial choke points to check for errors etc. Obviously you use good EMC design practices as well as the filtering and shielding. Whilst not ending up with TEMPEST/EmSec kit (which is a controled technology in some places) you can end up with something that is similar but without the paper work.

You can improve the design by putting opto couplers in the serial lines and using independent power supplies for the USB to serial chips and get full Galvanic isolation. And if you want to go one step further use fiber optics and get the component parts inductively and capacitively isolated as well as acousticaly, mechanicaly, magnetically and thermally isolated.

Yes it's a lot of work but if your security needs require it, it's a lot less expense and trouble than alternative ways.

[1] It comes from a UK ISP advert from BT, which for some reason is becoming part of "Outh-speak" that teenagers grunt at each other from time to time, it appears to be the "new nerd" from what I can tell...

ThothJanuary 21, 2016 5:00 AM

@Figureitout
I think I have spoken about adapting to unfriendly environment and one of many past posts include a conversation with @Wael on obsfucating codes with compiler side randomness and some chip side randomness. I have also spoken about some levels of using SIM/Smartcards despite being backdoored for secure key storage (by splitting the keys) which leverages @Clive Robinson's Prison ideas in some sense. There are a couple more things which I have mentioned including Box-in-a-Box level crypto which intercepts user GUI inputs and encrypt/decrypt them (me discussing with @Clive Robsinson a few Fridays ago) and I have talked about using common protocol tunnels to do communications in an attempt to mask it's nature with a few people here.

Most of my assumptions and threat model are in the worst case scenario where you are given a commercially available chip and have to make do with it (exact scenario that me and most of you are in now) and perfection or idealism is something yummy but not very possible in the current climate as all of us know.

What I mentioned about in the Mikey-Sakke protocol that GCHQ released is a thought in the direction of "innocent" coders or product managers who would climb on-board unknowingly or knowingly into a flawed protocol and sell it to unsuspecting people while touting it's "virtues" as being FIPS certified, CAPS certified and so on...

For those of us engineers who have been on the field and sat through sales promotions by our sales and product managers and have to cringe at the hype and promise the sales and product guys bring to the table while you silently sit back and scratch your palms and bite your teeth during these meetings... you know what I mean...

What we predict for these new introduction of flawed protocols like the Mikey-Sakke and the Chaum's golden key protocol needing 9 "Ringwraith" admins is that these flaws would slowly poison the industry and also seep into our daily lives, find their ways into the default settings of your smartphones and wreck havoc. The continuous use of Dual_EC RNG by Juniper (if you remembered that the Dual_EC entered into the Juniper's RNG suite in 2009 despite a few years after the Dual_ED was discovered as a backdoor which is around 2007) is a recent and classical case of industry standards turning against those it is supposed to be protecting (all of us). The rampant use of standards certifications like FIPS, CAPS, CC EAL ...etc... during sales and marketing pitches ... ***CRINGE HARD*** ... Bad memories ...

Those certifications means very little and allowing flawed algorithms and protocols to get away and slip into the requirements of these standards certifications as pre-requisite criteria is a madness....

As for my practical work, I am still dabbling in smartcards and HSMs as usual and I wouldn't be releasing anything yet until I think it is good to go :) .

lunixJanuary 21, 2016 8:58 AM

Common Android and Linux Zero-Day Gives Attackers Root Access
http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/

According to the researchers that discovered this flaw, the zero-day is a local privilege escalation vulnerability in the Linux kernel that originates from a reference leak in the keyring utility.

The Linux keyring facility stores login information in an encrypted format, making it available for other applications and drivers when they need it.
The zero-day resides in the Linux keyring utility

As Perception Point developers explain, the keyring feature also gives applications the extra option of tinkering with cryptographic keys and even replacing them when needed.

This process can be hijacked, and an attacker taking advantage of this unnecessary feature can fool the keyring application into executing malicious code in the kernel.

Security researchers have informed the Linux team who will be deploying patches in the upcoming days. Proof-of-concept code is also available on GitHub:
https://gist.github.com/PerceptionPointTeam/18b1e86d1c0f8531ff8f

BuckJanuary 21, 2016 6:11 PM

Is it just me, or a blizzard over the beltway, or something else entirely..? Seems awfully quiet around here today!

WaelJanuary 21, 2016 6:26 PM

Because we've been waiting for you :)
Out with it @Buck: what would you like to talk about?

tyrJanuary 21, 2016 6:39 PM


@Buck

It's probably the stunned silence caused by MIKEY-SAKKEY.
As in " I hope I'm not really reading this right !!"


BuckJanuary 21, 2016 6:48 PM

@Wael

You told me that you'd tell a story even more surreal than this one... Is now another time?

@tyr

Bleh... same old same old!

WaelJanuary 21, 2016 7:57 PM

@Buck,

You told me that you'd tell a story even more surreal...

Right. Let me set the context first. You had a dream. We were also talking about evolution, science, and what we can sense with our five senses in a recent thread. This story is true. When I was in college around the third or fourth semester, my whole family went for a vacation to a different country. My father, mother, and siblings. As it happened I also moved at the same time and my phone number changed. Then I had a dream when I was in the dorm. My father came through the window and said something to me which I didn't remember. Then he started walking out of the window real fast, I tried to jump behind him to catch him and continue the conversation. He stopped me and said: not now, you can't come now.

I couldn't reach my parents for a month, and neither could they because my number had changed. Finally, through friends I was able to contact them by phone. Short story is my mother told me: you don't need to buy the texts that your father wanted you to get him (he had asked me for a couple of medical books.) I knew what happened and asked her did he die? She said yes, he died and already got buried. I asked her when did he die? The strange thing is he died the night I had the dream.

So there are things that science cannot explain, it would seem. That's of course if you give me the benefit of the doubt and believe my story.

Is now another time?

Now is another time, but not the time I had in mind. Was waiting to finish a book.

BuckJanuary 21, 2016 8:44 PM

@Wael

Wow! What a soul shattering story that is. My deepest condolences and greatest appreciations for you are well deserved indeed...

I'm sorry if you felt like I was rushing you, but that was not my intention. Let me know when you've finished that book, and thanks again for sharing!

WaelJanuary 21, 2016 9:09 PM

@Buck,

What a soul shattering story that is

Not at all. It's not like I'll live forever ;) it's just a matter of time. Speaking of which, this is the book that @tyr recommended - A world without time.... Full of information! Learned quite a bit from it, but I suspect it'll need a second pass. I'm about 60% done. Talks about Gödel, Einstein, Turing, Heisenburg, Alonzo Church, and a ton of other thinkers and their interactions with one another and their contributions to mathematics, philosophy and physics. The more I read it, the more I suspect @Clive Robinson read it :)

There are a lot of surprising information in it as well. Written by this dude... A knowledgable man!

BuckJanuary 21, 2016 9:31 PM

@Wael

True that! We do what we can while we have the 'time' ;-)

Thanks for the book rec too! I caught the hint when @tyr suggested it before, but it has not parlayed its way into my reading list as of yet... If too many more unreasonably trustworthy types keep pushing on, I suppose I'll have to clear up some space in my ledger for it :-P

FigureitoutJanuary 21, 2016 10:29 PM

Clive Robinson
--But the fault injection was realistically only happening within say a less than 6m circumference. Real fault injection w/ reliable results, not communicating w/ a "secret" RF api.

Using the "SoC" means avoiding all the stupid mistakes you'll make along the way, and yes having a deliverable much faster. So, that's a management decision, to hurry it up and push out something that, can still be better than in-house from scratch designs, but there's a lot of decisions you did not make and use a part you cannot 100% verify. Or design something from first principles, keep saying "it'll work" and trumping it up, and taking the blame for its failures. Management decision, but of course we'd all prefer option 2 if we could do it confidently.

Small SoC's reduce the damage an attacker can do (just split up your systems, then you need a lot of interfacing attacks and ever increasing risk of discovery) but having a working programmable&debugable chip right away is golden. Those tools are the real magic, make programming so much fun.

Seeing Microchip just swallow up Atmel all of a sudden, layoffs on the way, and reliable supply of parts is a real concern. And documentation, older parts, I come across a bunch in my little hoarding collection that bring up a bunch of chinese dead link crap. An IC could be an MCU, Op-amp, or just a simple shift register and you don't know the pinout, testing for it could kill it easy. If I'm crunched for time I'm not taking that risk. And humans can't homebrew this stuff anymore reliably, it's stupid, like doing a bunch of algebra when you have a programmable PC.

I have another simple project in mind (arduino again, I haven't seen what I'm thinking yet so I'll put it out there), I'll whip it up w/in the next year or 2 (school and work, and I have a GF now so my free time gets drained even more b/c I have to "social" and all that jazz).

I've done close to nil embedded USB work, but that's what I need, so nice not having a cludge of cables programming (that twist and break...*cringe*). I don't get why they have so many pins besides interfacing w/ lots of protocols.

BTW, thanks for not offering any feedback on my project, (I know you're reading this... :p) I'm calling you out again for not getting into the details (what's wrong, getting a little too tired and old for that? :p ) and saying obvious "blah blah" comments :p (getting pissed?--Good, tell me how the project sucks. :p ). I'm not doing memory management (which I'm looking into amongst other holes, probably going to place the variables in flash, and try to have them rewritten there instead of RAM), and I'm going to use all the security features I can squeeze out of libraries and hardware.

And thankfully I've learned quite a bit about how freaky "electrical isolation" issues can be w/ my work. If I can have boards made how I say w/ layout guy/gal they'll be mostly good. And operation needs to take place in external shields, it's just the prudent option anyway (like you can trust a chip w/ 28+ "antennas" these days...).

Thoth
--Yeah, sometimes it helps to talk it out w/ someone. Just get the "negative energy" out. Sh*t, looking at the archives w/ me is cringey as hell, it's a miracle I wasn't banned. But it really helped me mentally and some brave souls acted as "protection" watching over my networks and person when I felt like I was going to be assassinated etc...(the worst anxiety attack ever for me was when I thought someone placed a bomb under my car while I was running in a park (I was watching car whole time) and do the ignition bomb explosion...I don't like preparing myself for having my limbs blown apart.).

We simply can't trust these gov't-backed standards anymore, and if you can analyze it you need to clearly lay out your argument publicly so the most people can verify it (from low level circuit analysis up to algorithmic vigor).

WaelJanuary 22, 2016 1:40 AM

@Figureitout,

Yeah, sometimes it helps to talk it out w/ someone. Just get the "negative energy" out. Sh*t, looking at the archives w/ me is cringey as hell, it's a miracle I wasn't banned...

Yup, get that negative energy distributed among us. It's a miracle you weren't banned, true. I thought you were a gonner for sure. Good thing you are building things. I did look at your project and "code" :) it doesn't suck :)

I'll have to go back a year or so in time and look at some of the kits you shared, some were interesting enough to mock with. But time is limited, which beats the alternative of being unemployed.

ianfJanuary 22, 2016 2:55 AM


@ Wael,

as you're into such highfalutin, not to say obscure, esoterica as “The World Without Time,” I hesitate to point you to the Mother of All Otherworldly Learned Diatribes “Gödel, Escher, Bach: An Eternal Golden Braid” by Douglas R. Hofstadter (1995?), because, knowing by now your M.O., we'd be losing your enchanting company for long stretches of time while you lie on the floor in the fœtus position attempting to systematize and brain-file away all that new intel of How Things Work.

Clive RobinsonJanuary 22, 2016 3:19 AM

@ Figureitout,

But the fault injection was realistically only happening within say a less than 6m circumference.

It depends on what you are trying to do when you illuminate the target. If you are trying to extract information such as the so called "radar bugs" then yes the receiver has to be fairly close but the illuminating transmitter does not (think about Theramin's "Great Seal" bug). If you are looking to just disrupt operations with a CW signal then likewise your illuminating transmitter can be quite a long way away, you just up it's ERP such that you get the desired V/m field strength at the target. If your attack is more complex with the need to detect information to synchronize with the targets operation then you do get some range limits due to the round trip time from the detector to the modulation waveform generator through the modulator and transmitter and back to the target.

One advantage of modern SoCs and the PCB boards they are usually on is the "loop area" for an effective antenna is way way smaller than it was back in the 1980's so the susceptibility is a lot less. But the ft of the devices is much much higher so you can use much higher attack frequencies which are much more amenable to being "beam formed". But worse still the device operating voltage has dropped significantly so the devices are way more susceptible (about a tenth the power is needed by the attacker at the same range or giving a little over eight times the range at the same power).

So back in the 80's with CPU clock frequencies in the MF to low HF range, a VHF or low UHF attack frequency was fine. Now with CPU bus speeds being up in the upper UHF low Microwave you are looking at X-band and above attack frequencies with wavelengths in the low cm or high mm, which can easily pass through conventional ventilation slots and case gaps that work as "slot antennas". Which is what the UK Cambridge students did when they attacked the comercial TRNG and reduced it's entropy from 32bits to around 7bits with a microwave CW signal.

Thus in reality the range figures have gone up some for the bare electronics, but the case / shield design got a whole lot more exacting. From a defenders point of view things have got harder not better.

With regards looking at your project, like quite a few other things it's had to be put on hold. I was in an accident back in Sept which has caused me a few problems, which are slowly getting sorted out. But one that has hit me hard is the loss of sleep, and some days I'm like a zombie and concentration amongst other things goes right out the window (@Wael can tell you about sleep loss issues). I'm surprised that the "Clive Watchers" here had not noticed my lack of posting and scintillating whit ;-)

Mind you the whole blog appears to be suffering the "winter blues" currently as @Buck has noticed.

WaelJanuary 22, 2016 3:32 AM

@ianf,

I hesitate to point you to the Mother of All Otherworldly Learned Diatribes...

Oh no! By all means, point well taken. Will add it to the list, but not in the immediate future. I had more than enough of the Gödel dose. It's been three years already! It's pretty depressing. Every time I read a book I realize how much I don't know.

we'd be losing your enchanting company for long stretches of time

I wouldn't worry about that. I'm good at multi-tasking. Unlike other men who are single track minded :)

systematize and brain-file away all that new intel of How Things Work.

I know how things work. They don't work the way we want them to work :)

Clive RobinsonJanuary 22, 2016 3:47 AM

@ tyr,

It's probably the stunned silence caused by MIKEY-SAKKEY.

Yes it's about par for the corse.

Though it's interesting to see the excuse for the backdoor is nolonger "safety" or "think of the children" but "insider trading".

I guess it's the biggest indicator it's a "political snowing" by the IC as they Empire Build. That is they just find an excuse based around the latest "faux existential threat" that's causing politicos and their paymasters the most "knicker twisting".

There are times I would like to see the IC and LEO seniors peddling this crap to be strung up by their underware untill they dry up. They appear to be not cognizant of the real existential threat their behaviour is to society and what history teaches us the likely end result will be...

WaelJanuary 22, 2016 3:56 AM

@Clive Robinson, @Figureitout,

@... can tell you about sleep loss issues).

Yea! Insomnia is @Clive Robinson's harsh mistress; it's my sweetheart, sweetheart :)

I'm surprised that the "Clive Watchers" here had not noticed my lack of posting and scintillating whit ;-)

I noticed that. But you're an eccentric man, so it's expected :) I tried to hold the fort for you when you were "zombied out"...

Mind you the whole blog appears to be suffering the "winter blues" currently as @Buck has noticed.

Probably because people lost a lot of money in stocks. However, it's real easy to remedy! Just throw a controversial-subject cluster-bomb into the blog! That reminds me...

You still have some pending "action items" of unanswered questions, not least of which is this rotary engine. Now tell me, does this bad boy look like it came out of a mindless "nature" consisting of a random process + a deterministic "intelligent", forward looking selector. i.e. mutations + natural selection?

ianfJanuary 22, 2016 5:55 AM


@ Wael,

Mind you, the advantage of the Hofstadter book over other such weighty treatises is that it is multi-genre and multidimensional (Stephen Jay Gould would have called it instances of non-overlapping knowledge magisteria—not that I really grok WTF he'd have meant); pretty entertaining, and can be read non-sequentially in very much random fragmentary fashion without guilt that one has lost the context (which is a given!). It used to be my "loo lecture" until I realized that some visitors also sneaked a peak in it, and then spread rumors of having been fed something indigestible, like the spicy broccoli and quorn stew, my staple; them the woollies.

Friend of mine once read it on the subway, was asked by a fellow rider about one of the concepts there, which led to a memorable discussion. Some time after that he discovered (decided(?)) that his interlocutor was most probably Stephen Wolfram. It's that kind of book.

    Then again, anybody dealing with iconoclastic concepts of time had better first take time off [sic!] his busy schedule to peruse Martin Amis' novel Times's Arrow. All I can say is that there are whole echelons of historians, scholars with beards up the wazoo, who can not make up their minds is this novel is mere art or what… a feat hard to beat.
PS. haven't read the Forgotten Einstein, probably won't do, ever. Life is not long enough to read everything already piled up.

Nick PJanuary 22, 2016 11:29 AM

@ Wael

Damn. I was sure it was a family member. It's why I wasn't going to touch the topic for fear of kicking you back into depression if it was your kid or something. Least the rest of the family is OK and you're doing better.

" She said yes, he died and already got buried. I asked her when did he die? The strange thing is he died the night I had the dream. So there are things that science cannot explain, it would seem. "

You're drifting along to my side nicely. Might even have some of that universe-bending power in your blood, too. A little practice and we'll be Masters of the Universe. ;)

WaelJanuary 22, 2016 12:03 PM

@Nick P,

Damn. I was sure it was a family member.

No, that was a very long time ago, when I was still in my late teens!

universe-bending power in your blood...

We all do :)

Nick PJanuary 22, 2016 1:42 PM

@ Wael

You mentioned the soul-crushing experience like it was recent and disappeared for a while. The one I'm thinking of. I'm confused now.

@ All

A guy's fight with legacy, mostly-asynchronous systems led me to realize I had little in my collection on that except for many nice finds in async or GALS hardware. So, I did some research to see what past and cutting-edge methods exist for verifying asynchronous algorithms or communications. Turns out and surprisingly, it *seems* to mostly be a solved issue far as Comp Sci is concerned. They're just improving the methods. For developers, it's justs a matter now of structuring one's system/app to apply the techniques and/or merging the theoretical work into messy, industrial tools with the mismatches.

Anyway, I collected something like 10-20 papers on the subject plus two, free toolchains. I'll post them if anyone is interested. Then, I think I might have another go at trying to learn Rust's confusing-ass resource model using the latest beta of their guide.

WaelJanuary 22, 2016 1:49 PM

@Nick P,

Two different "events". The one I related is about "science" and it's limitations. It was't a "sole shattering" experience, although it can bring tears to a glass eye ;)

RolandJanuary 22, 2016 2:37 PM

Google paid Apple $1bn to be default iOS search engine
http://www.theguardian.com/technology/2016/jan/22/google-paid-apple-1bn-to-be-default-ios-search-engine

Lawsuit proceedings reveal Google paid handsomely to be default search option for iPhones and iPads and that Google’s total revenue from Android is just $31bn

On top of the $1bn payment, which had been reported as a rumour by TechCrunch in 2013 but not confirmed until now, Oracle’s lawyers also revealed that Apple and Google shared a portion of the revenue Google received from showing adverts to iOS users. According to Oracle, “at one point in time” that share was 34% – although it wasn’t clear who got the larger end of that deal.

Nick PJanuary 22, 2016 3:06 PM

@ Wael

"Two different "events". The one I related is about "science" and it's limitations. It was't a "sole shattering" experience, although it can bring tears to a glass eye ;)"

Thank Allah it was only that!

Clive RobinsonJanuary 22, 2016 5:47 PM

@ Wael,

Your eclectic tastes cover such things as the "Fermi paradox" sometimes called "WTF are the Aliens?" question...

Well you are probably aware of what some say about "life is to short" in the Goldilocks zone, unless you have a moon, and giant outer planets.

Well down in Auz at Parks they have another similar but different theory,

http://astronomy.com/news/2016/01/the-aliens-are-silent-because-they-are-extinct

Personaly I'm happy with the "hundred years of broadcast radio" theory. Which basicaly says that it takes a civilisation about a century to go through discovering, then exploiting radio first with high power broadcast systems with simple modulation systems that might be heard outside their solar system, to using complex modulation on low power personal systems that can not be detected at one astronomical unit from their planet let alone at the outer edges of their solar system or beyond their suns heliosphere.

A hundred years is but the blink of an eye when compared with how long the dinosaurs walked this Earth.

tyrJanuary 22, 2016 7:32 PM


@Nick P., et al

I did notice one glaring omission in the waterfall
paper. While he recommends lots of documentation
he failed to mention everybody in the project has
to have access to a copy and more importantly all
the copies have to be the same. There are few
things that compare to finding out multiple folk
are working off a different set of plans. The
hazard of big projects doing this is far too real
to leave things to chance.

He does seem to have nailed the programmer problem,
they assume that they know how to do what customers
want even though there is nothing in their experience
or background that gives them expertise in that area.

I recall one episode where sequential functions were
rewritten to be concurrent and released as an upgrade
without being documented as to the difference and in
violation of the government specifications for the
device. Nasty surprise all around.

BuckJanuary 22, 2016 7:40 PM

@Clive Robinson

I am a fan of the 100 years of radio theory. Seems like a good bit of wasted energy versus point-to-point mesh networking (unless our neighboring aliens really need Star Trek à la Galaxy Quest)... Although, depending on the frequency of Earth-like technological development, we still might expect to see that the universe is teeming with Voyager probes in the vast expanse!

FigureitoutJanuary 22, 2016 7:59 PM

Wael RE: my "code"
--Yeah lol, it's almost entirely "cut" besides implementing the crypto, which I haven't seen anywhere (my bare bones simple implementation), hence I state that I'm mostly modifying a "getting started" program. I was happy w/ how slim and easy to follow V1.0 was, but I'm going to be adding in more and more (some low power stuff, channel switching, little more crypto, configuring the chip, and a chat program w/ a yagi antenna attached; then I'll be moving on probably).

Get all the harder code (RF comms, transmitting data, etc., there's so much that can go wrong in RF) in place and now I can have fun w/ it doing easily added features that can be customized a million ways.

Regardless I want to know if anyone can remotely hack it as is right now (attacks on toolchain/flashing PC or physical attacks are bullsh*t lol). I've read a little about "anti-radar" which is concerning, of course the most obvious place to go after is the sensor, disable it, ideally temporarily, so attacker would go undetected by this.

Clive Robinson
--Yeah but, don't you have a lot of problems based on the RF characteristics of your target sites? Noise from other appliances? For instance, UV-window tint caused issues for us in the field. In the real world, not a lot of people shield, nor are buildings shielded, but RF labs, will have tons of shielding or their experiments will be corrupted.

I wish I could show you physically what's happening w/ one of our boards, you put it in debug mode, then shut it down, and try to program regularly another build and it gets locked up by some flipped bit. But if you mess around w/ the speed of the comms from programmer, you can eventually reflip this bit back and program it regular again. I don't believe it yet, that, that's what happening. I don't think it's RF. Is that an injection attack? Scares the living hell out of me that comms speed from a programmer could generate noise that flips a bit in the chip, getting in the memory of the chip. A realistic attack now, if one wanted to sabotage a company (say a competitor), is to infect PC's w/ some script that always sets that speed for the programmer, then they would think they have bricked boards...

With regards looking at your project, like quite a few other things it's had to be put on hold.
--Bah, excuses... :p Well, get well. It's not that much code eh? I tried making it as simple as possible, and it's Arduino! Have you caught wind of any attacks on nRF24 radios?

WaelJanuary 22, 2016 9:02 PM

@Clive Robinson,

This might be to eclectic even for your tastes,

You never know! Perhaps that's where we need to focus our attention for a solution to this problem. Fascinating... we never finished the discussion about my "nightmare" :)

BuckJanuary 22, 2016 10:00 PM

@Clive Robinson, @Wael, and tangentially @Nick P

Gotta love that time entanglement! ;-) The quantum violation of the pigeonhole principle was pretty wild too. Although, it makes perfect logical sense if we follow from the thought experiment of Schrödinger's cat... It's not so much about where the cat/pigeon was, is, or will be; but more about where/when/how the observation is made.

I suppose it lends some credence to my theory about everything being about the stories we tell... The narratives we weave lead to new questions begging to be answered, and those answers lead to ever more questions! I believe it was @tyr that posted a similar theory of 'dark reading' related not to quantum theory, but involving the research of literature.

Heck, maybe even my loony neuron-to-neuron idea will find some use! But, if I'm right, it will only be temporary. As we once thought that our community was like a farm (sow the seeds and reap the wheat), this thought gave way to the world as a steam engine or factory (all parts working together seamlessly without deviation). Now that we are transitioning from the 'universe is like a digital computer' to 'multiverses behave with peculiar quantum effects' -- I really wonder what's coming next!

WaelJanuary 22, 2016 10:37 PM

@Buck, @Clive Robinson, @Nick P,

Heck, maybe even my loony neuron-to-neuron idea [...] I really wonder what's coming next!

Brain neuron entanglement. That's the communication method of the future! It takes two to tango :)

BuckJanuary 22, 2016 11:07 PM

@Wael

It takes two to tango
Hmmm... A kind of "we think, therefore we are" type deal? I like it!

WaelJanuary 23, 2016 12:23 AM

@Buck,

"we think, therefore we are"

That's something @Nick P would appreciate. Something along the lines:

Roses are red violets are blue, I’m schizophrenic and so am I. :)

WaelJanuary 23, 2016 2:31 AM

@Buck,

Let me know when you've finished that book, and thanks again for sharing!

Finished.

@tyr,

Thanks for the recommendation. Great book. One of the best I read on the subject!

Nick PJanuary 23, 2016 9:07 PM

@ tyr

"While he recommends lots of documentation
he failed to mention everybody in the project has
to have access to a copy and more importantly all
the copies have to be the same. There are few
things that compare to finding out multiple folk
are working off a different set of plans. "

I went back to check on that and you're right: he ommitted that entirely. He does imply it a bit. I wonder if it was due to the fact that this predates the Internet, screencasts, etc. He came up with this with experience from pre-1970's tech. So, it's something missing but not necessarily wrong with his paper. It should be in any set of recommendations for robust software. So, he either didn't discover this or just didn't tell us clearly.

"they assume that they know how to do what customers
want even though there is nothing in their experience
or background that gives them expertise in that area."

I really like how you worded that. I've never seen it put that way. Maybe because it would offend them. It's true, though, as the customers have totally different perspectives, domain knowledge, etc. Not to mention they often represent a collection of users whose voices are never heard.

"I recall one episode where sequential functions were
rewritten to be concurrent... Nasty surprise all around."

I put the ... in there because those opening and conclusions go naturally together most of the time. :)

@ Buck @ all re quantum brain cells

Turns out that there's actually a Wikipedia article that sums up the various people and their claims. The one I was thinking about in the last discussion is probably Penrose and Hameroff because I remember the "microtubules" now that I see it. They thought they had quantum behavior. Most of their stuff was discredited. Others postulated a lot but nobody has evidence.

So far, the various functions of the brain often seem to map to certain regions. Artificial NN's based on visual processing cells even performs similarly to humans with abstractions showing in between layers and bogus data causing LSD-like visualizations. The mind seems to be the brain. The neural circuitry can do all kinds of stuff even with our pale knockoffs. As Clive and I have said before, the brain's neural net uses lots of feedback loops that many researchers' models avoid. Enough research into that might show us some results that make up for the gaps. Yet, the models of memory, visual processing, and so on give lots of credence that classical computing can cover most or all of what it does.

I'd love it to be some cool shit like quantum. Just doesn't look like it so far. There is something my hardware studies keep reinforcing into my head, though, that you might find equally interesting: the brain is analog. Not just technically but it resembles a massively-parallel, general-purpose analog computer. Now we have the end all argument to use against anyone who says only digital is good for general-purpose computing, precision math, compression, etc. We just say "My brain is analog and can do all of that."

So, like your interest in quantum, the fact that the brain is an analog or hybrid computer using neural networks reinforces my interest in both neural networks and general-purpose analog. I found a few links on the latter including an accelerator with 100x speedup. I speculated that a hybrid digital-analog implementation of deep learning would do a speed up, then found a startup doing it tight on details. The other speculation was that more research in to feedback models, analog implementations, and general-purpose analog might give us tools for understanding mind or implementing better ANN's.

Still looking forward to seeing if that proves out.

@ Wael

"That's something @Nick P would appreciate. Something along the lines: Roses are red violets are blue, I’m schizophrenic and so am I. :)"

I appreciate your comment about my highly-evolved ability to look at any problem from many, distinct perspectives that evolve my view over time. Indeed, any sufficiently-advanced, human capability will look to the uninitiated like magic. Or insanity. :P

@ Clive Robinson

Shit. I just saw your link that started this tangent. Here I was thinking Buck was just reviving his interest in showing his brain to be more quantum than D-Wave. Too tired to digest "time entanglement" right now haha so I'll get back on it next day.

BuckJanuary 23, 2016 11:00 PM

@Nick P

The one I was thinking about in the last discussion is probably Penrose and Hameroff because I remember the "microtubules" now that I see it. They thought they had quantum behavior.
Oh, their ideas have almost certainly influenced my trains of thought...
Most of their stuff was discredited. Others postulated a lot but nobody has evidence.
That doesn't bother me... Not at all! Even today, plenty of scientists believe in an outlandish theory that at one point there was nothing at all, and then suddenly, here is everything! Now, where have I heard that story before..?
So far, the various functions of the brain often seem to map to certain regions. Artificial NN's based on visual processing cells even performs similarly to humans
...
The mind seems to be the brain
Enough research into that might show us some results that make up for the gaps
...
I'd love it to be some cool shit like quantum. Just doesn't look like it so far.
Precisely my point! At this time, we more or (mostly) less understand how neural networks function. Which in turn makes it easier for us to draw upon a comfortable analogy as to how the mind really works. Though, as we continue to add more epicycles to our theory of consciousness, I am confident enough to predict that this house of cards will eventually collapse too.
Now we have the end all argument to use against anyone who says only digital is good for general-purpose computing, precision math, compression, etc. We just say "My brain is analog and can do all of that."
I really doubt you could plausibly make a strong claim for the analog brain given our current understanding of quantum physics, but I'd love to be proven wrong!

tyrJanuary 24, 2016 3:19 AM


@Nick P. et al,

Been a long time since I looked at Penrose, but I seem
to recall he wanted quantum microtubules to make up the
soul so as to place it out of reach of the neuroscience
folk.

Thats the basic trouble with speculations on the arcane
once you allow the material world access to it some wag
will come along and prove that it isn't mystical after
all. You see a lot of that kind of thing in philosophy.
Attempts to decide AI is impossible based on a flawed
set of premises. Chinese Room being a classic example, if
the neural modules of your brain work like that example
then it proves AI is quite reachable once complexity is
large enough. That doesn't make the modules digital as
except for the inhibitor functions most of it looks to
be quite analog. I recall one model that resembled a
rubber sheet pushed up by pins from below that let a
thoughtstream flow in the channels created. Switching
the pin substrate got you a different flow pattern.
That was pretty analog in my opinion. Trying to map
what acts like the pins didn't make much sense until
Rod Brooks started building his modular robotics and
showing by experiment how living things functioned.

Higher level education seems to be a process of building
the special function modules to hardwire a specific task.
i. e. No one is born with algebra ready to use, it takes
a bit of study and neural modifications to implant it.

The trouble with higher level physics is building the
Chinese Room to give you access to quantum level thought
turns out to be a chrome plated bitch to accomplish.

But your reach is supposed to exceed your grasp or we'd
all turn into angels and fly away.

Clive RobinsonJanuary 24, 2016 4:00 AM

@ Nick P,

Most of their stuff was discredited. Others postulated a lot but nobody has evidence.

Not exactly discredited nor is it the case that there is no evidence. Both are signs of a very new field of research moving from theoretical beginings.

There is growing evidence that biological mechanisms use mechanisms we can not explain except by quantum effects. So we now have the field of Quantum Biology, the problem is not that the processes may be quantum, but finding the process mechanisms [1] and finding out how they work which is the job of the experimental scientists.

And as you would expect in a new field of endevor there is a lot of whittling down of false starts / leads to do. You would not expect an original Peeler (Policeman) to be able to do what modern Crime Scenes Investigator teams can do, because you need to build up a body of knowledge, practices and tools.

Quantum Biology is becoming a recognised part of life, for instance plant photosynthesis can apparently reach 99% efficiency in energy conversion across a broad spectrum that can not be done in any other way based on our understandin of just a few years ago. And we are now begining to get to grips with the mechanisms.

Further there is the "mint / orange" issue with smell/taste, that likewise appears to be resolvable if the "nose" worked at the quantum level, with secondary arguments about other creatures being able to detect single molecules of odor compounds again requiring an efficiency that could not be obtained in simple chemical ways.

The main stumbling block appears to be "time" traditional understanding of biological mechanisms is that they are very very slow, and quantum systems very very fast. With the difference in some cases being in the order of 10^8, thus we are looking for efficient cascade effects. The problem there being that most macro biological systems are only moderately efficient in cascade --think light power to hay, to horse, to cart, to mechanical power-- thus we are likely to be looking at the molecular scale of things.

One of my local Universities (in guilford surrey) --more world famous for space payloads-- held a workshop on Quantum Biology a short while ago and have put some of the presentations up,

http://www.ias.surrey.ac.uk/workshops/quantumbiology/report.php/

You might recognize one or two of the faces of the presenters.

[1] @Wael, that efficient rotary engine that fascinates you in some cases uses a proton pump mechanism which pushes it into the growing Quantum Biology coverage.

Clive RobinsonJanuary 24, 2016 4:05 AM

Oh darn... it appears I left the forward slash out of the second block quote above... Ho hum it is Sunday morning prior to my first cup of the hot brownian motion generator ;-)

WaelJanuary 24, 2016 4:27 AM

@Clive Robinson,

that efficient rotary engine that fascinates you...

Oh, the engine is but one of a zillion things... Anyways, suppose I want to run my own computer simulations. I know how to model 'mutations'. How would you suggest we model 'natural selection'? I'm asking you because I value your cerebral quantum process ;)

Sometimes I think about evolution and the chicken and egg problem. Not so much which came first... that's quite obvious! I'm thinking about the first chick that hatched out of the egg, and who initialized (inspired, no offense) its behavior ;)

Oh darn... it appears I left the forward slash out of the second block quote above...

No, dear. It doesn't "appear"! You definitely botched that post up and forgot the freakin' slash. But no worries, please do enjoy your tea and crumpets -- your message still got through! @ianf with unorthodox formatting gave us enough training!

WaelJanuary 24, 2016 4:30 AM

@Nick P,

I appreciate your comment about my highly-evolved ability

You're quite welcome, sport(s)!

Clive RobinsonJanuary 24, 2016 6:44 AM

@ Wael,

How would you suggest we model 'natural selection'?

The answer is simple but brings up a new level of complexity that is far from simple (just like weather forcasting).

You model the dynamic environment and the pressures it creates for your chosen subjects.

The normal way to do such a model is to have a surface that you grid up you then make each cell in the grid dependent not only on the contents of the cell but it's neighbouring cells as well.

The problem is deciding in what order to update each cell, because any change in one cell is reflected back to it via it's neighbouring cells as well as the cells neighbouring those. That is every change ripples out as well as reflecting back.

If things are linear in behaviour then you can make assumptions based on what happened in the previous itteration and that can minimise the effects of ripples and reflections caused just by the selection order. But first you have to analyze the algorithm to see how it behaves.

You thus run the model a hundred or so times with small adjustments in the starting conditions and try to work out what is linear and what is not and how sensitive the outcome is to the changes. You then feed that knowledge back into your model and run it a hundred or so times again and try to isolate the non linear effects to see if they are chaotic or not. Where there is chaotic behaviour try and map out the cusps or tipping points.

That should enable you to get a feel of your model to see if it is realistic or not and what the dynamic behaviour is. Thus any computational short cuts you can take.

The most likely thing to come of it will be an interesting game for others to play. That appears to be the fate of most models since the original "game of life".

As for the cell algorithms you can use an energy transfer function based on the second law of thermodynamics. In effect you are looking for algorithms that are very local that take one of many coherent energy sources and as efficiently as possible builds coherent self replicating structures. Obviously as the environment changes then the most usefull energy source changes. Which means there is a trade off between becoming two focused on one energy source and becoming extinct as and when it does or being over general and thus not sufficiently efficient to survive. As an example it's advantageous to store energy but that takes volume and mass that effect your mobility thus making you an energy source to others. Thus you have to also decide on the trade off between survival of individuals and the species by balancing the replication rate with the mobility rate derived from energy storage to predation rate. Apex preditors effectivly don't get predated so favour the individual over the species and thus have low replication rates. Those towards the bottom of the pile have very high predation rates thus have high replication rates. Plant's and some animals try to cover both by also having self regeneration properties. Apples are of interest here they have rapid diversity on replication, thus when a breed of apple is found that has marketability growers replicate it by cutting and grafting and using the plants regenerative abilities to make new plants, with no diversity.

Now you can see why there is a fun game like element to such models.

WaelJanuary 24, 2016 12:21 PM

@Clive Robinson,

The answer is simple but brings up a new level of complexity that is far from simple (just like weather forcasting).

That may work for a first iteration 'model'. Assume everything is linear, ignore interdependencies and mutual interactions,... Still, I don't think we took everything into consideration: for example, what causes 'mutations', both intrinsic properties and 'extrinsic' ones such as gravity fluctuations, atmosphere variations over time, cosmic rays (DNA bit-flips.)...

There is undeniable evidence of some form of micro-evolution, but "bugs still remain bugs". We can model it more accurately with several systems in cascade (at least initially.): Random generator + environmental laws of physics, etc... + competition among species + desire to live and procreate. The last four systems simulate "natural selection", which is more of a "trial and error". Problem is: trial and error implies intelligence, so what we need to experiment with is showing the following:

Apparent intelligent design = random generation + trial and error

Still, without trial and error (some sort of intelligence that learns from previous wrong "guesses"), can we show the validity of the above equality? I'm not sure. I don't know if I'm willing to go through this exercise and end up with a "game" - unless it makes me rich... Maybe one of these days...

Can we apply the same principles to security and expect a "Secure. System" to evolve out of that process?

Clive RobinsonJanuary 24, 2016 2:11 PM

@ Wael,

That may work for a first iteration 'model'. Assume everything is linear, ignore interdependencies and mutual interactions,...

Err not quite the first iteration is is to find out if there are any "hidden" or unexpected effects.

Still, I don't think we took everything into consideration:

Actually we should taken very little into consideration with the first few iterations. The idea is to find the sensitivities and ensure that the way order we proccess the cells etc does not impact on the model to the point it starts to effect the results.

Problem is: trial and error implies intelligence,

No it does not, not in the slightest. Take the ability to grow, this is dependent on getting sufficient energy and not getting predated by other creatures, no intelligence required there. Likewise the ability to grow improves mating privalages, again no intelligence required there. After all how much intelligence does a microbe or weed need to be successful not just as an individual but as a species?

All that is required is the ability to feed and breed, with occasional mutations in individuals effecting feed / grow / breed abilities that get passed on down the generations.

Can we apply the same principles to security and expect a "Secure. System" to evolve out of that process?

Depends on what you mean by "Secure System" thus how you set the equivalent feed / grow / breed goals. Which might be your hardest problem to solve.

Clive RobinsonJanuary 24, 2016 3:08 PM

@ Wael, Nick P,

In a reply to you the otherday I mentioned the FPGA tone decoder experiment that in effect used a natural selection process.

Importantly I mentioned that altgough it worked and was very efficient nobody had a clue at the end of the experiment how the arangment of gates worked...

Well it appears that the same issue exists in Neural Network AI. In this article about it's origins,

http://business.financialpost.com/fp-tech-desk/how-the-artificial-intelligence-revolution-was-born-in-a-vancouver-hotel

You will find this little snippet,

    Terrifyingly, the people who build neural networks aren’t always sure exactly how this process works.

Which again raises the question about "design" via "intelligent design" and "natural selection". It would appear "natural selection" can easily produce designs that we "intelligent designing" humans can not currently fathom...

Clive RobinsonJanuary 24, 2016 3:36 PM

@ Wael, Nick P,

I know you guys just cannot get enough high quality reading material for free. So to stop you wasting money or twiddling your thumbs you might want to read this free eBook on Neural Network Design,

http://hagan.okstate.edu/NNDesign.pdf

It's just over a thousand eBook pages so should keep you quiet for a few weekends 0:)

Nick PJanuary 24, 2016 6:47 PM

@ Clive

re NN book

Yeah, I saw it on HN but my question went unanswered: does this provide material and techniques relevant to current deep learning techniques or just old stuff that built up to it? Maybe you know if you've been reading more papers on it than me. Saved it anyway just in case.

re article

I'll check it out and respond to it later.

@ Clive, Wael

A bit of synchronicity or serendipity going on here. I thought what you both were discussing would basically be described as verification and simulation of either cellular architectures or cellular automata. First one was giving me garbage given all the things called cellular, esp wireless research. The second one gave me unexpected tie-in to prior thread: quantum-dot cellular automata (QCA). I had heard of quantum dots but not that they were implementing logic gates in them.

Poster describing the basics and advertising a software for them

Design of a D Flip-Flop QCA cell

Efficient QCA adder cell

FPGA made out of quantum cells

Note: (BLEEP) YEAH! There was also a primitive, one or two instruction, CPU someone did. It barely useful. A FPGA at nanoscale? Sign me up when they're getting the volume discount. :)

Oh, back to verifying cell-based architectures. I don't have much to report due to short search and garbage messing it up. I'll get back to it later on. Meanwhile, I did find two verification strategies for them:

Regular model-checking and verification of cellular automata (2008)

Model-checking Omega Cellular Automata

I think there's also potential in applying hardware verification strategies to this problem as well. The most common model in standard cell that I've seen is called globally-asynchronous, locally-synchronous. Similar to CA's. The methods for verifying composition of those should apply to cell-based architectures. As a start rather than the whole answer. I have a few papers on verifying asynchronous systems, including GALS, if anyone wants them. Collected around half a dozen this month.

Nick PJanuary 24, 2016 7:43 PM

@ Clive

OK. Finished your article. Here I was thinking it was going to be long and detailed. Just a short tribute to the few researchers that persevered in their work until it got something done. Nice read.

What jumped out at you, incomprehensibility of their function, bothered me back when I first looked at them. Matter of fact, expert systems could at least explain their bad reasoning to help us see why they're wrong but ANN's were a pile of math functions self-organizing. How the hell would we even start understanding (a) why they worked at all or (b) why they weren't working in specific cases? That's still an open question and worth avoiding them for high assurance applications outside maybe a first stage w/ checks following.

What jumped out at me is why I've been reinvestigating them (and more analog) in the first place: "But Hinton said his faith never wavered for one simple reason: 'Because the brain must be doing it somehow.'”

Exactly. I keep thinking neural networks (or whatever they approximate) of brain style must be the best artificial intelligence tool because they're the only architecture that's resulted in general-purpose intelligence. That simple. Unbelievably simple. Yet, the argument didn't get anywhere with anyone. I mean, certainly explore alternatives for when we only have regular CPU's and such to work with. Or if we need more predictability.

Yet, brain architecture is where it's at for doing AGI. Much of it might not even be necessary for what we want given it regulates our bodies in precise detail. Brains for software systems that manage themselves or have simple interfaces might be pretty simple in the lower parts. The higher parts might even be reusable across applications if we can easily map what they do in original apps. Plenty of potential here. Hinton, LeCun and others were right to stick with it. Now they're getting handsomly rewarded too. :)

WaelJanuary 24, 2016 10:55 PM

@Clive Robinson, @Nick P,

It's just over a thousand eBook pages so should keep you quiet for a few weekends 0:)

A lot of the concepts and tools aren't new, so it may not keep us quiet that long. Thanks for the free book, though :)

WaelJanuary 24, 2016 11:01 PM

@Clive Robinson,

Which again raises the question about "design" via "intelligent design" and "natural selection". It would appear "natural selection" can easily produce designs that we "intelligent designing" humans can not currently fathom...

I'll need to sort out my thoughts on this one... Will take sometime as I don't have a clear definition in my mind what "natural selection" really is, at least from a 'simulation' perspective. One thing I can say: design, to me, implies a designer. I didn't distinguish between an 'intelligent design' and a 'design'. Maybe it's better to use 'intelligent design' to imply a designer, and 'design' to imply 'no designer' -- symantics stuff...

WaelJanuary 24, 2016 11:08 PM

@Nick P, @Clive Robinson,

I thought what you both were discussing would basically be described as verification and simulation of either cellular architectures or cellular automata.

The only exercise was to test the hypothesis that a clever design of a complex system (or ecosystem) can be produced through mimicking the theory of evolution postulates. I was stuck on how to implement the "natural selection" part (without intelligent 'logic'); meaning no 'if' or 'switch' statements, unless these statements represent known laws of 'nature'...

Clive RobinsonJanuary 25, 2016 2:26 AM

@ Nick P,

What jumped out at you?

The issue of "inexplicable results" or if you prefer "results pulled from a magicians hat".

As you note,

How the hell would we even start understanding (a) why they worked at all or (b) why they weren't working in specific cases? That's still an open question and worth avoiding them for high assurance applications outside maybe a first stage w/ checks following.

The problem is not just "high assurance" it's anything where there might be a legal liability.

As has been pointed out in the past one of the important reasons we don't have driverless cars is not that they are technicaly difficult, but the legal implications of a "directing mind" based on a thousand years of lawmaking.

Humans appear to have an inbuilt fear of the unknown, even when we in fact know it's safe (think darkness in a bedroom and the creak of heat loss in the building structure causing people to assume monsters / wild animals etc). Many have indicated it's the primative monkey brain warning us we are just about to get eaten if we don't "flee for the tree" and others have tried to explain it as "the intervention of God". The thing is though we don't understand it and it causes a hightened emotional response in nearly every one, especially when an immediate explanation of the noise is not apparent.

Such emotional responses often cause other behaviour such that people will point fingers and scream "burn the witch". Or in more modern parlance "sue for damages". The only defence to this is usually to show negligence by another or a highly improbable event that gets called "an act of God"...

Worse humans tend to "over trust" other humans. Accident statistics say that the major cause of accidents is not mechanical failure or design flaws but human operators (not being sufficiently trained, or over estimating their abilities). Faced with the facts it's amazing we actually get into vehicals in the first place...

Another human failing is to put desirable human characteristics onto animals and machines... Why we do it is way beyond rational logic. Thus you genuinely do get people who have vehicles in a poor state of repair beliving that their "good little car, would never hurt them".

Further is the unscientific arguing from effect to cause. When an improbable event happens people claim it as skill or lack of forsight depending on good or bad result. That is you "get a hole in one" you are a skillful golfer, you go for a walk with a girl on a sunny day the heavens open up she gets soaked it's your lack of forsight because "you talked her into it" or "you didn't bring her coat / umbrella" etc etc.

In short people do not behave rationaly even in normal circumstances, and will seek to blaim others when their irrational beliefs cause them or those close to them harm, and if they can not pin it on somebody then a deity will do, just as long as they don't have to take responsability.

Which gives rise to a problem, you have a device that people start to trust and it causes then harm, you know that there will be an accounting. You will have to argue that you are not just "not at fault" but also "not culpable" in any way... Which means even if you can demonstrate the operator was behaving in a way that was unwise, you have to show that you were in no way responsible for the unfortunate result they suffered. That is they expect the impossible for you to have 20-20 forsight.

Do you realy want to stand up and say "We do not know how this works, but it tested OK", you just know in advance that some shyster is going to claim it's your fault for not testing adequately or in this particular set of circumstances etc etc etc, it's why we call it a "loose loose situation".

But it also has another aspect, clearly the result of the mathmatical process is a usefull object, rather more complicated than a watch. How do you get around the "watchmaker argument" of "inteligent design"?

If you can not demonstrate "the how " of a usefull object, then in most peoples eyes you are not the designer. Therefore someone else inteligent "must have" designed it. But what if nobody can be shown to know "how" then a few people irrespective of what evidence you produce about the process will still look for inteligence not probability and thus see "the hand of God" or other "divine creator" such as "the work of the Devil".

Either way they are insisting in a belief of "intelligent design" not "directed probability". The problem with such reasoning is "who created the watchmaker", it's a "lesser flea" problem[1] which can have unfortunate results in those who chase after it[2].

Which has in turn another issue which is "not being able to know". Some people will not accept there are limits on what they can or should know. It's seen by some that they are somehow lessened by this that it robs them of destiny or power etc etc.

I'm known for saying that "There is no such thing as an accident, only lack of timely knowledge". People hear the first part and get upset, rather than think on what the second part means. We are seeing for real this issue with "Big Data" the assumption is "if we collect it all we know it all" therefore acts of terrorism can be stopped. They forget a few things,

1, Information is not knowledge.
2, You have to be able to turn information into knowledge.
3, It takes time to turn information into knowledge.
4, You have to be able to use the knowledge.

The last one on the list is the big problem. Prior to 9/11 it was known that a flight school had reported odd behaviour in some of the trainees. Prio to 9/11 the knowledge did not have context and thus made no real sense. However post 9/11 it was easy for "armchair quaterbacks" to go from effect back to cause and everybody pointed the finger at "Intelligence failures".

It appears not to matter how often you point this out for various reasons people don't want to take on board the idea that "not being able to know" or "imperfect future knowledge" is an intrinsic fact of life. Thus even in a "pre ordained universe" life is probabilistic and does not need "the hand of God" to throw the dice.

[1] From "Dogs have upon their backs fleas to bite them, upon these fleas are lesser fleas, and so ad infinitum".

[2] Serious contemplation of the infinite has given rise to the very real problems in the past, of mathmaticians becoming seriously unbalanced if not mad and dying much earlier than they should have done.

WaelJanuary 25, 2016 3:33 AM

@Clive Robinson, @Nick P,

Many have indicated it's the primative monkey brain warning us we are just about to get eaten if we don't "flee for the tree

And how would they know unless they have a primitive monkey brain themselves? Monkeys aren't scared of dark.

Further is the unscientific arguing from effect to cause.

What is scientific and what's not?

When an improbable event happens people claim it as skill or lack of forsight depending on good or bad result. That is you "get a hole in one" you are a skillful golfer,...

What about quantifying the improbability of the event, then accumulating the improbability of ten thousand more events? Your analogy should be something like: a lucky person keeps winning the lottery ticket every day all her life, and so do her kids and grand kids -- that's more like it. Then she is a lucky person ;)

Serious contemplation of the infinite has given rise to the very real problems in the past, of mathmaticians becoming seriously unbalanced if not mad and dying much earlier than they should have done.

Is it that those mathematicians possessed above normal mental capacity in certain areas that made them successful and also caused their mental deterioration later in life? John Forbes Nash Jr., Kurt Gödel, are only two of many examples. The same can be said about some famous philosophers. They say there is a fine line between genius and madness.

PS: you forgot the slash again on your post. Hmmm, do I need to prescribe the medicine for you too?

Nick PJanuary 25, 2016 11:02 AM

@ Wael

"I was stuck on how to implement the "natural selection" part (without intelligent 'logic'); meaning no 'if' or 'switch' statements, unless these statements represent known laws of 'nature'..."

It does. "If" change facilitates sex or survival, "then" you have more kids and change propagates. No laws of nature needed past reproduction. In digital evolution, one just creates a fitness function that scores the solutions then tweaks the number that go to cross-over or reproduction. Both use similar principles to drive increases of complexity from a simple, random start. While natural one is still debated, the digital one has consistently proven the principles to the point there's awards for human-level or greater achievement.

@ Clive

"The problem is not just "high assurance" it's anything where there might be a legal liability."

Yeah, I understated it...

"If you can not demonstrate "the how " of a usefull object, then in most peoples eyes you are not the designer. Therefore someone else inteligent "must have" designed it."

I've experienced this many times trying to explain evolutionary programming. They don't want to believe a good design can just emerge from chance processes nudged along by an evaluation function. I tell them: "I couldn't have designed the schedules or scheduling strategy. I have no clue how it works. I designed what bits represent them and the algorithm for saying how good it is. Evolution did the rest. I still don't know how it works but here's a schedule that meets all your requirements. Like all the others our blind schedule-maker evolved for us."

I think the word for how they look at it is surreal. ;)

"It appears not to matter how often you point this out for various reasons people don't want to take on board the idea that "not being able to know" or "imperfect future knowledge" is an intrinsic fact of life. "

Yep. Too true. It's why INFOSEC never became the simple, mathematical models they wanted it to be.

"Serious contemplation of the infinite has given rise to the very real problems in the past, of mathmaticians becoming seriously unbalanced if not mad and dying much earlier than they should have done."

I tried it a few times. Gave me a headache. Decided to stick with mental models instead. :)

@ Wael

"What is scientific and what's not?"

This is scientific. Specifics of how that's implemented are debatable. The results when applied as intended speak for themselves, though. We went from having mostly superstitions and guesses to a whole collection of knowledge that can be independently verified, revised, built on, and so on. The principles worked. So, they're a good foundation to build on.

"John Forbes Nash Jr., Kurt Gödel, are only two of many examples. The same can be said about some famous philosophers. They say there is a fine line between genius and madness. "

It's true. The ability to spot patterns can go either way. Extremes in one area ususally have extremes in other areas. All of Tesla's odd thoughts and behavior are good examples. So, we can't be sure if it was intrinsics of infinity doing them in or just how their own mind worked. I'm leaning toward the latter, too.

PS: The medicine doesn't work. I've been taking it daily long enough to know. I'd quit but I think it contains addictive compounds. Plus, I start having huge lapses in memory if I'm off it for longer than 48 hours.

@ Clive, Wael

Syncronicities piling up now. Quantum thing, then cellular topic, that leads back to quantum cells in ASIC's, and now an unlikely paper on HN about biological cells from CompSci angle. Maybe I need to go buy stock in a biology or quantum firm really quick. Whichever one I can find on Google maps with directions produced from that random CA rule. :)

Nick PJanuary 25, 2016 4:04 PM

@ All
(esp Wael, Clive)

Method that shows what signals in brain are analog or digital

BOOM! I knew it was a hybrid with significant reliance on analog components. Meanwhile, I found this very interesting chip from 2008 that tries to build an analog, neural architecture. Individual chips seem to go back to 1993 or so. However, these people throw an entire wafer at the problem without separating it! That's pretty wild. Their group page is here with another chip tuned to evolutionary stuff. Hard to tell at a glance if the architecture ever panned out for intended purpose but it's wafer integration and analog properties are likely worth remembering.

So, that's closer to cutting edge. Another is a startup that figured out how to use memristors to beat IBM's TrueNorth. Enough for them: what about small efforts? Best to go with something more digital on an older node. Found something for that, too, from 1999: Learning Processor. Basically a bunch of RISC cores like you'd expect but shows they can be pretty small. Their simulations showed 256, 8-bit cores at 100MHz were getting "2.4 giga connections per second" on a 0.6 micron node. Today, 0.35 is pretty cheap and 0.18 affordable. So, we'd do better today.

Dirk PraetJanuary 25, 2016 4:55 PM

@ Wael, @Clive

Which again raises the question about "design" via "intelligent design" and "natural selection". It would appear "natural selection" can easily produce designs that we "intelligent designing" humans can not currently fathom...

Isn't it rather the other way around, like in new and superior "designs" - or just those most fit to cope with and thrive in a specific environment - to prevail in "natural selection"? And why should it be a design, instead of just a random mutation on which natural selection than acts?

WaelJanuary 25, 2016 4:57 PM

@Nick P, @Clive Robinson, ...

I knew it was a hybrid with significant reliance on analog components...

Nice set of links! Fits nicely here. My suspicions were true. I'll add this to the unwrapped gift of a lifetime you gave me. Now if we can utilize this in developing "self healing" and "self protecting" systems, that posses "self awareness and conscious" + "desire to survive", then that would be a security paradigm that rocks.

WaelJanuary 25, 2016 6:13 PM

@Dirk Praet, @Clive Robinson, @Nick P,...

Isn't it rather the other way around, like in new and superior "designs" - or just those most fit to cope with and thrive in a specific environment - to prevail in "natural selection"?

I'm not sure I understand.

And why should it be a design, instead of just a random mutation on which natural selection than acts?

Short answer:
The same reason you look at an iPhone with its hardware, software, protocols, and it's AppleStore ecosystem, iTunes, etc, etc... When I ask you doesn't this look like it was designed by someone? The rhetorical answer I get is: Who designed Steve Jobs!

My intention isn't to "change your mind" -- I'm just trying (honestly) to simulate "natural selection" the way it's claimed to work. So I'm thinking of this model:

1 "Nature" has a lot of different shaped holes (to represent a view or a slice into the laws of physics and possibly the influence it has on random generation)

2 There is a random micro object generator, continuously generating objects.

3 Objects that fit in one of the holes survives, and goes on to the next level

4 Objects that don't fit are recycled into the elements

5 Each layer gets more complex, ...

6 In a lower layer (represents different laws or long periods of time), objects get combined together to form more complex objects that have to fit through layer-2 holes to go to the next step.

7 At some point, you reach a complex system that gives the "perception of intelligent design" to observes at the same level. These observers would "think" anything that reached their level is "intelligently" designed. Because the objects which went through all these layers seem to be "designed" for this environment.

That's what I was trying to model while avoiding any "intelligence" in the design (not hard for me to do) :)

Can we use this model to design systems? I think we can. I don't think it's efficient, but hey! It's less work for us :)

Clive RobinsonJanuary 25, 2016 6:31 PM

@ Wael,

One of the curious things about natural selection is the comparable results from issolated areas.

You are probably aware of the radiant principle where one species in a new environment with little or no competition will evolve into most environment niches.

Interestingly it has a convergent property. That is two very diferent base species will evolve into similar environmental niches. Interestingly they end up looking or behaving the same way.

The oddest is perhaps the Aye Aye, that is a lema that has filled the position taken by the woodpeckers. Although it looks nothing like a woodpecker it uses very similar behaviours, one of which is it nests...

The point being that it is a clear indicater that the environmental constraints produce similar solutions in different species, so acts as the selection process.

Clive RobinsonJanuary 25, 2016 7:30 PM

@ Wael,

So you are in effect using a sive / screen model as a fitness gate, and an initial random generator.

What I don't is how you intend to get further changes?

That is the usual way is to either,

1, Take two objects that have passed through the first screen and randomly select a combination of their parts.

2, Take a single object that has passed through the first screen and make a copy but randomly change one or more of it's parts.

You then take the whole lot and run through the second sieve / screen and repeate the excercise.

Importantly the second sieve / screen is it's self a mutation of the first sieve / screen but moving in a chosen direction to represent environmental change.

BuckJanuary 25, 2016 7:39 PM

E = nhv

BAM! Energy emissions are emitted only in discrete quantities, ergo the excitation states of neural activity (and every other physical process) is also necessarily non-continuous. Not to say that analog signals aren't a perfectly good model for a large number of situations (the resolution is like totally amazing)! Just like Newtonian mechanics are incredibly useful even today - it's a great model regardless of whether or not it accurately describes reality. Nevertheless, once one begins to take an ever closer look, the edge cases will undoubtedly get a little more fuzzy...

"If" change facilitates sex or survival, "then" you have more kids and change propagates. No laws of nature needed past reproduction.
Sex or survival? What weight for each rule is to be given to the fitness function? I have no doubt in my mind that the dinosaurs were well enough able to reproduce. Did they know the mass-extinction event was coming and give up hope? Did some of the extremely fit ones evolve into birds because they knew an asteroid/climate-shift/whatever was to be many generations later? Perhaps these questions don't matter to AI - it'll be so much smarter than us that it can easily avoid the 'heat death' of the universe - but I'm still rather fond of humans. :-\

Speaking of which, It's not yet clear to me that most humans have survival in mind. Sex, certainly! But how do you plan to account for the sexual selection of your genetic programs? For humans, it is most definitely culturally influenced... How would you know if/when your machines develop a sustainable culture? Does that even matter?

And a bonus quote from Max Planck himself:

A new scientific truth does not triumph by convincing its opponents and making them see the light, but rather because its opponents eventually die, and a new generation grows up that is familiar with it.
(Not that I entirely agree with this statement, but I do see some truths in it)

WaelJanuary 25, 2016 8:18 PM

@Clive Robinson,

What I don't is how you intend to get further changes?

Good question. In addition to what you listed, the following refinements are needed:

Laws of nature: Sieve; natural selection
Effects of environment: Shaper; adaptation (your Aye Aye example)
RNG: Mutations

RNG [produce object] ----(pass through)----> Sieve[select a fit object]
Shaper----(act on)---->(Fit object)----> iterate, repeat as necessary... For how long? I'll tell you when I go through a small illustrative calculation...

WaelJanuary 25, 2016 8:52 PM

@Buck,

I have no doubt in my mind that the dinosaurs were well enough able to reproduce.

But could you imagine a dinosaur talking to its kids about "birds and bees". The act lasted as long as a "good sneeze". Little wonder they got extinct!

And a bonus quote from Max Planck himself

I like that quote too.

BuckJanuary 25, 2016 9:06 PM

Add the fact that male and female genitals don't tend to persist in the fossil record, and the average paleontologist knows less about dinosaur sex than a second-grader knows about the human variety.
Sounds about right... ;-)

Clive RobinsonJanuary 26, 2016 12:39 AM

@ Buck,

But how do you plan to account for the sexual selection of your genetic programs?

It's a good question...

In nature humans are a bit of an oddity. In that dispite obvious visual differences we are nearly all sexually compatible for the purposes of breeding. That is we have not realy diversified in that respect.

However in "birds and bees" where the visual differences are to our eyes considerably less, most species are sufficiently diversified that they are not sexually compatible for breading.

If we move on to horses and donkeys obly limited cross breeding is possible and the offspring are usually sterile (I can not off of the top of my head remember the actual order of mating that works and does not, you'ld have to look it up but it's something like male horse + female donkey works whilst female horse + male donkey does not).

So as a first approximation you would have to have a compatability function that produces a probability of mating success, where the closer the "dna match" the higher the probability of success.

Likewise you will need a second function that confirs "mating privalages" on prefered charecteristics.

As has been noted by those working in the field the easiest change is size. In humans for instance diets low in protein tend to produce smaller size humans. However as shown by asian refugees in Canada within three generations of a higher protein diet size reverts to large. It was summed up as the "MacDonnald's children effect" by somebody in the medical proffession who noted, in return for the growth in size they get far worse growth in cardio vascular problems and shortening of life expectancy.

In more recent times science has started to focus in on epigenetics as heart disease and diabetic issues appear related to "what your grandfather ate"... Which is why contrary to what the governmental medical people chuck out, scientists know that there is not "one diet for mankind" but the likes of "racial diets" that suit the race you effectivly are.

This can be seen through food tolerance, the classic being alcohol sensitivity. In western culture the consumption of alcohol has been the norm for over four thousand years as it's safer to drink than poluted water. Thus those overly sensitive to it's effects have become rare. Not so in far Eastern culture where tea was the favourd safe drink, thus something like 50% of the population is overly sensitive. They have similarly different profiles with things like grains.

Modeling such things early on hopefully will not be necessary as alcohol was very rare in diets less than ten thousand years ago, tending to occure only by chance at certain times of the year and even then infrequently by quantity.

tyrJanuary 26, 2016 4:05 AM


@all


I seem to recall a cellular automata system that was very
simple (slightly above life game) that began to exhibit
purposeful behavior from the base ruleset. It wasn't in
the initial program but was an emergent behavior.

Once you allow for adaption (individual variability) selection
falls out naturally from the environmental impact. Most of
the adaptive mechanism is just quantum level jitter. The
radiation hell outside the magnetic envelope occasionally
gets through and no one is sure what the magnetic reversals
do yet. If the field collapses and reforms it could blast
everything on the planet with the solar wind.

All evidence points to a continuous nature with everything
connected except for arcane mathematical artifacting (using
math thinking to steer cognition) by assuming digital is
really discrete bits you can do a lot, but a quick fourier
decomposition of a square wave will show you the continuity
involved.

Planck is usually paraphrased as science advances one grave
at a time.

Godel was like Darwin, the pressures that led him into the
aberrant behaviours were the implications of their work if
exposed to the public and their peers. It is really hard to
overcome the thousands of years of foundational thinking
without having some qualms about how it will be received.

Most of the selection pressures on software have no real
analog in biological evolutionary terms. Mostly being due
to who can you get to front the money in the beginning and
how to get enough market share for some viability. None
of those have a thing to do with fitness or excellence of
the ideas. A perfect example of Sturgeons Law.

@Clive

The best reason to limit population is economic, China
took off like a rocket as soon as the one child per
family rippled through their economy. Its called cause
and effect but if your focus is on next quarter like
most of the politico loonband they aren't going to
notice.

Nick PJanuary 26, 2016 11:06 AM

@ Wael

You can't do it that way. We tried in automatic programming days. There's still people trying. The small, but active, community doing "program synthesis" is achieving nowhere near close to that in general.

The problem is that software doesn't have square holes. Software is more like a language that represents ideas. The method would still have a formal description like high-level programming or legalease English. The description would say what functions, with a focus on results, to perform on what data, input, or output. The interfaces and data would have to be annotated to show permissible values, even usage patterns (eg 90% read, 10% write). Then, algorithms that are heuristically-driven with GA's, stochastic optimization, whatever would iterate little solutions for each block and connect them.

Those prior models, ranges, etc are important, though. A given function might have any number of inputs, outputs, types for each, expected ranges. Those might be composed any number of ways. Saying it's a NP-Hard or NP-Complete problem, whichever, would not do it justice. So, it's just too open-ened to be done. Likely compromise is a method like mine above using FP or mathematical programming techniques w/ lots of pre-supplied functions already implemented.

Now, there is one area it worked: EDA. Binary logic has simple operators and rules. It's easy to mechanically produce one pile of Boolean equations from one or more other piles. RTL is a bunch of binary logic from what I can see. The systems that generate RTL from behavioral code and optimize RTL are doing what you describe. The algorithms they use to do that are published. Gave me hope that, if constrained properly, the regular programming could be done the same way.

Problem is that the real-world is more like analog: widely varying and irregular. That's still mostly custom. However, even analog got some automation via what amounts to templates that machines fill in. Testing and verification for AMS improved via methods similar to abstract interpretation. So, similar to my predictions for software and some hope. Will still be a creative, manual process.

BuckJanuary 26, 2016 6:00 PM

In nature humans are a bit of an oddity. In that dispite obvious visual differences we are nearly all sexually compatible for the purposes of breeding. That is we have not realy diversified in that respect.
Some studies supposedly point to evidence of pheromones which can influence humans to select mates for diversity of immune systems, though I don't know if this occurs in any other species or not. Viruses are also sometimes responsible for exchanging genetic material among their hosts. And cosmic bitflips may play a role as well... Interesting stuff to ponder on, but yes, I guess it isn't really all that relevant to genetic algorithms. If we could program an infinite time Turning machine, I suppose these selection mechanisms would eventually emerge from a very simple set of rules. Maybe something like: generate random numbers; find and minimize repeating patterns? But as we have no such machine to program, at least choosing the selection methods will still be a creative, manual process.
All evidence points to a continuous nature with everything connected except for arcane mathematical artifacting (using math thinking to steer cognition) by assuming digital is really discrete bits you can do a lot, but a quick fourier decomposition of a square wave will show you the continuity involved.
This seems rather backwards to me... The quantization of energy is a well observed physical phenomenon, but fourier decomposition is strictly a mathematical construction, no?

WaelJanuary 26, 2016 6:48 PM

@Buck,

but fourier decomposition is strictly a mathematical construction, no?

Correct! Although you can see the effect on an oscilloscope, including the Gibbs phenomena. Fourier series representation of a square wave is just a mathematical decomposition. A square wave is composed of an infinite series of single frequency sinosoidal waves (with the proper amplitude and phase.) That's one reason square wave generators produce a lot of broadband noise (too many frequency components.)

BuckJanuary 26, 2016 7:49 PM

generate random numbers; find and minimize repeating patterns?
You can tell I didn't think about that for very long! :-P

I was trying to come up with some simple rules that weren't too biased by human understanding of biology and intelligence. Ummmm, hello... Pattern recognition!?

Nevermind that! Something similar to Conway's game is definitely more appropriate there. It would still need that sieve though. Maybe a gravity-like rule that modifies the others depending on how many squares are in any particular region? An ever-expanding board size might lead to interesting results too... Hmmm, I'm sure these ideas have probably already been attempted. I'll have to look into it!

@Wael

Let me get back to you on that after I figure out whether the totality of all possible planck-times is a finite or infinite series?

tyrJanuary 26, 2016 8:56 PM


@Buck

Like I said the math assumptions you use tend to skew the
viewpoint you have on "reality", whatever that means in
your context.

Assuming discreteness leads you into Zenos paradox about
arrow flight. If the arrow flight is continuous Zeno gets
skewered when he tests his theory against reality. You
always need to check your basic ideas now and then since
that's where you can make some real progress in thinking.
Wandering along in the same rut is wasteful if you want
to get some interesting results.

I see a lot of people arguing with Darwin (who was wrong
in many areas) and thinking they are managing to disprove
evolutionary theory. What they don't see is that it has
moved a lot further since the 1840s. Somewhat like the
useless mathematical diversions of Boole have done.

You can go a long way thinking of atoms as pingpong balls.
A closer examination seems to show them as strange waves.
That is also useful but so far the attempts to go deeper
seem to be math constructs which may turn out to be of
some use once we get the tools to look deeper.

BuckJanuary 26, 2016 9:37 PM

the math assumptions you use tend to skew the viewpoint you have on "reality", whatever that means in your context
That makes perfect sense to me...
A closer examination seems to show them as strange waves
I have attempted (and apparently failed miserably) to avoid any direct discussion about wave mechanics thus far, but then, I don't really know very much about that strange stuff... However, I do know enough to confidently predict that the traditional understanding of our 'analog' world is on its way out within my or the next generations' lifespan.

Clive RobinsonJanuary 26, 2016 11:47 PM

@ Buck,

You can tell I didn't think about that for very long! :-P

Sometimes the simplest of things can prove to be the most complex, and complexity is something humans have problems with. Often to the point of saying they are beautiful or ugly.

Strange as it may seem, we realy do base our judgment on what looks beautiful. It helped Newton and others to unravel the mechanical world. It also alowed Maxwell to turn a nasty bunch of equations into the elegance that explained the electromagnetic world.

Then there is the quantum world, I will probably get flamed for saying it's equations are inelegant, thus probably not right... But elegance is a measure of fitness we humans naturaly use.

My mind keeps wandering back to the FPGA tone decoder, it worked, it was minimal, it was also ugly and nobody understood it...

So a question for you, let us assume that elegance is a fitness measure humans use, how would you code for it?

Secondly, just how many "right track" solutions were dropped early because they were not elegant?

Which leads me to think that the human requirment for elegant solutions may be limiting our horizons and that trying to use randomization and selection sieves may be a way past the limitations of elegance.

BuckJanuary 27, 2016 1:02 AM

@Clive Robinson

Ohhh, some questions? I love those!!

So a question for you, let us assume that elegance is a fitness measure humans use, how would you code for it?
I'm not too sure, but I'd suspect that my code would be incredibly biased by my own assumptions as a programmer. I don't know how to define elegance, although, pure-simplicity seems to have some sort of advantage going for it at this point...
Secondly, just how many "right track" solutions were dropped early because they were not elegant?
How would we ever know? Are those successful solutions in any way related to the number of "failed" solutions that were (not) elegant?

I'll go ahead and make a tangent leap now... I was recently (2 days ago) searching for a quantum-analogue of the FPGA tone decoder scenario, but this is what I stumbled upon this article instead (trigger warning: cites Penrose):

MENTAL DISORDERS AND FUNDAMENTAL SPACE TIME GEOMETRY AT PLANCK SCALE: A HYPOTHESIS

Since cytoskeleton is altered in mental
disorders we have earlier proposed that the mental disorders are associated with altered quantum computation. This may
lead to altered brain frequency which resonates with a world which has frequency different from that of the decohered
world. We further propose that the world which resonates with the brain of a patient with the mental disorder is stabilized
in the reference frame of the patient at the Planck scale. Further we discuss that there may be a thin line between epiphany
(and creativity in general) and hallucinations/delusions and we propose a physical explanation for it.

Sabertooth wireless penMarch 20, 2016 11:49 AM

Because the 1990s, U. S. cyber police force expressed concern regarding "going dark, " approximately defined as an incapability to gain access to encrypted communications or perhaps data even with a court order. Silicon Vly companies are rolling away encrypted products that enable users alone to gain access to their data, and in the wake of the Paris and San Bernardino, Calif., terrorist attacks, regulation enforcement officials argue that their fears are getting realized.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.