Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland

It's rare:

Fishermen caught a 19-foot-long giant squid off the coast of Ireland on Monday, only the fifth to be seen there since 1673.

Also the first in 22 years.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on May 19, 2017 at 4:12 PM • 167 Comments


Ben A. • May 19, 2017 4:16 PM

Virtual German Lorenz code machine implemented in the browser

You may need a big screen to see everything!

We Did It Again: Deleted Notes Extracted from iCloud

Apple have been caught lying again about the data they upload to iCloud.

"It mentions bookmarks but not browsing history; no information on storing call logs is provided; and it is said that deleted content is cleared. Oh, really? I’ve got some bad news for you: this is far from truth."

OpenVPN Audits Yield Mixed Bag

How did the WannaCry Ransomworm spread?

VMware Patches Multiple Security Issues in Workstation

New version is: 12.5.6

Google wants to share your photos with your nearest and not-dearest

Extending Microsoft Edge Bounty Program

Microsoft are extending the end date of the Edge on Windows Insider Preview (WIP) bounty program to June 30, 2017

Let them paste passwords

Phishing scum going legit to beat browser warnings

"...since the two browsers started to berate HTTP-only operations, phishing sites added an extra layer of credibility by adding HTTPS."

Chubby One • May 19, 2017 4:59 PM

The US Government is deploying more than 120 Stingrays to catch illegal immigrants

A new password checker has been released.

It is here:

Sadly, most of the advice they give is silly or plainly wrong. My favorite is their claim that using a number as the middle digit makes the password stronger. Oi vey.

Ergo Sum • May 19, 2017 5:09 PM

@ Anon from May 13, 2017 8:41 AM...

I found out that Micro$haft had a patch for XP at the same time as more modern OSs back in March.

But it was only available to those paying a king's ransom ($300/year according to some sources) to get the continued XP support.

Thanks for the clarification...

Ben A. • May 19, 2017 5:23 PM

@Chubby One

I tried two passwords and that meter reports them both as "strong" -


Lawrence D’Oliveiro • May 19, 2017 5:25 PM

I’m curious to know people’s opinions about this article describing a new system for emergency services to locate those who make 111 calls from mobile phones. It doesn’t require any special software installed on the phones, yet it seems able to get GPS-equivalent location accuracy. This level of accuracy is only available on Android phones, not Apple ones.

How would it work?

Ergo Sum • May 19, 2017 5:26 PM

@Ben A...

How did the WannaCry Ransomworm spread?

Quote from the Malwarebytes link:

Claims of WannaCry being distributed via email may have been an easy mistake to make.

It's nice to know that the security experts' knee-jerk reaction is to blame the end user... :) Like they had been doing since the beginning of time...

Thoth • May 19, 2017 6:46 PM


Google's Android Things (a.k.a Google Persistent Backdoor).

YouTube video (for those who hate their own privacy) on Google's promotion of Android Things (i.e. highly vulnerable and buggy monolithic kernel promoted as "Secure IoT" and on top of that uses ARM TZ for persistent hardware backed backdoors).

Better off running Zephyr microkernel on a non-ARM A series chip (i.e. STM32F Cortex M, Atmel SMART ARM Cortex M ...etc...) and forego the entire "hardware backed keystore" since technically what "hardware backed keystore" actually means is a bunch of OTP bits/fuses blown into the chip for its root key and you could actually do those as certain chips may have OTP bits storage areas.


ab praeceptis • May 19, 2017 8:30 PM


Two quick remarks.

zephyr? Really? I don't trust the linux foundation any further than I can throw a T-72 tank.

As for security I personally like to go the route of using an STM32 as main proc. and an additional ti 430 basically for security plus funny useful services. While the ti 430fr2 and siblings have got security quite well I trust neither of the two and use them merely for my own way to do things (the triangle, see below).
Of course both can be cracked, particularly by a resourceful opponent but then I can't build my own chips and have to choose from what's available.

Here's what I basically do: I set the STM32 to rdp1 and/but treat it as untrusted device. I use the 430 as poor man's secure chip (which it does way better than the stm32), close it completely down so as to refuse anything and everything (incl. new bootcode) and have it to hold part 1 material of a 2 part algorithm (the second being on the stm32). Additionally all sensitive operations are 2 part, too. As a free throw in I (usually) use the analog circuitry for TRNG generation.

The third part of my triangle is algorithmic. Cracking either one of the chips gives you nothing but a probably bricked chip. Another nice feature of the 430s is the cap lines which enable cheap and simple - and fingerprint or temperature pattern free! - code input by a human. All of that for less than two $ is not to complain about.

Side note: Pretty much all major chip companies nowadays offer (usually expensive) "security chips". I don't trust them. About the only real added value they offer is even better tamper resistance but that isn't worth much to me because an opponent able to crack the chips in my triangle is either in or very little below the league that also cracks "security chips". And with my own poor man's solution I *know* the implementation of the algorithms is a) solid and verified and b) not java crap.

Thoth • May 19, 2017 9:01 PM

@ab praeceptis

Zephyr is mentioned as it is the "lesser of two evils". Theoretically, it is best to write an application specific firmware and constrain it but as per most developers, they will pick the easy way out and comparing a totally busted Android kernel with who knows how much hidden stuff we don't see compared to a much leaner microkernel, thus the lesser of two evils would still be Zephyr.

Of course to fully avoid the situation of "lesser of two evils", the devs have to "create from scratch" their application specific firmware but that is unlikely to happen knowing how most modern devs are whereby they will definitely choose the easy way out.

Just use a smart card in SIM form factor if security is required for tamper resistant storage. The RNG key generation are done by the STM32/TI chips while the tamper resistant keystore is done by SIM card. The encrypt/sign function can be done via SIM card or STM32/TI depending on paranoia levels.

ab praeceptis • May 19, 2017 10:01 PM


As for zephyr I guess I'll have to agree. Sad situation.

As for "paranoia" solution, I was a fan of "security chips" for quite some time. What made me change my view was mainly two factors, namely a) java plus the need to trust, and b) all them funny protection measures are crackable in pretty much every uni lab.

Which leads me back to a). How and why would I trust utterly profit driven corps to do it right rather than just adding "security" mumbo jumbo layers? From all I've seen, profit greed seems to be one of the arch-enemies of security. Them managers will invariably come down on the tech guys and demand what basically boils down to "listen, we don't need to sell security but the image of security which btw is also much more cost effective".
Plus keep in mind that them security chips are an extremely attractive target.

What I do see as an advantage is the "something I have" factor of a sim card. But that needed to be separate from the board and connected only when needed, e.g. at startup.

But then my use cases are different from yours. For your case which I loosely summarize as "people, here's something that offers you some decent safety level. Stop entrusting sensitive stuff to your android or windows box!" I do agree with you.

Btw. I wish you success with your company and product! Your work deserves to be rewarded.

ab praeceptis • May 19, 2017 11:35 PM

Maybe let's encrap should have first tried "let's learn parsing urls".

ssl/tls and family - the plague that just never stops providing demonstrations of incompetence ...

(Yes, I'm waiting for someone smart to bring up the "commercial CAs are crappy, too!" 'argument'. As if sh*t-for-free were any tastier than sh*t-for-money)

Thoth • May 20, 2017 1:15 AM

@ab praeceptis

I have mentioned in the past the problems with CAs be it open source or commercial. I think it is not a surprising problem and nobody should be surprised either as we know that like any software without lots of thoughts into modelling the entire system for higher assurances.

Just slap together a smart card for the CA admin to login and a HSM to store the root CA signing key and it becomes magically secured. That is the train of thoughts of most projects.

ab praeceptis • May 20, 2017 1:26 AM


Maybe it's my strange mixture of stupidity and friendliness but I vaguely assumed that after quite some problems, usually introducing critical risks, with url/uri processing the happy members of the ssl/tls mental asylum might have woken up and started to work more carefully at least regarding things that had already bitten them multiple times ...

Obviously I was too optimistic, indeed.

mostly harmful • May 20, 2017 6:40 AM

A new virginity checker has been released.

Oh, wait. Wrong forum.

As you were.

Rachel • May 20, 2017 6:40 AM

Regardless of how one feels personally about Julian Assange, it's staggering to read in the Guardian, the ongoing smear campaign and absolute bias regarding him and his legal situation. Lies. No other word for it. Why let facts get in the way of a good story?

mostly harmful • May 20, 2017 7:24 AM


Calumny can be a recommendation:

[Daenerys is presented to Khal Moro.]

Akho: For you, my Khal. The white-haired girl we found in the hills.

Bloodrider #1: Look at those lips, blood of my blood.

Wife #1: Blue-eyed women are witches.

Wife #2: It is known.

Wife #1: Cut off her head before she casts a spell on you.

Khal Moro: Even if I was blind, I’d hear my wives say, “Cut off her head,” and I’d know this woman is beautiful.

Rachel • May 20, 2017 7:35 AM

@ mostly harmful

What on earth are you talking about? Wishing you a speedy and complete recovery supported by the appropriate methods.

Please refrain from any further non-security related posts.

mostly harmful • May 20, 2017 7:56 AM


I had considered pointing out explicitly that truth, in an artistic domain, is sometimes represented by beauty.

But then I thought, "Nah, too obvious".

Wael • May 20, 2017 10:04 AM


What the hell is this?

An anachronism

How does that even qualify as an article?

A somewhat informative article, but missing a lot of information.

Am I missing something with JavaScript disabled??

You're missing nothing; move on.

Patriot COMSEC • May 20, 2017 10:48 AM

This was the week in which China's "One Belt, One Road" plan made the news in a big way.

This ambitious trade scheme has huge security implications for the future. As China becomes increasingly powerful in the region, they build communications infrastructure in partner countries. Can you guess who collects the data?

A host of security-related projects go hand-in-glove with One Belt, One Road, such as China having their own GPS system. All of this is aimed at reducing the influence of the U.S. NATO-like security agreements have also been spoken about, and I think this is what the future holds for China in Central Asia-- and perhaps beyond.

Rachel • May 20, 2017 2:43 PM

@ Dirk Praet nursing a sore head and slam dancing to the 'werk
@ anyone evangelising Open BSD

Here's a great concise easy to imbibe piece by a minimalist (the founder of CD Baby incidentally) about why he uses Open BSD and why everyone should. Note: he doesn't maintain that the security features are the reason to use it.
It seems to be a useful piece for sharing with Windows users or anyone you feel needs convincing to try harder.

@ Patriot Comsec

I could say I'm disappointed in your sudden cathartic-emetic surge of ethics-transparency but, to be honest, you completely lost me (and everyone else whose opinion is worth something) a few weeks back when you made out Snowden was a hybrid of McVeigh and that guy framed for the John Kennedy whatsy. You do an adequate job of articulating yourself. That's about it.

Dorothy • May 20, 2017 3:45 PM

Re: [ ]

It's probably not for you.

It's not for beginners. Beginners should use Ubuntu. [ ]

Look. We've all been using computers as part of our daily jobs for years and years now, for essentially every task that involves mental rather than direct manual labor. We're not in Kansas anymore, and we're not listening to a street preacher on Matthew 25. I hate men who call themselves virgins.

BSD lets the DAEMONS loose !!!!!!!

Andy • May 20, 2017 4:26 PM

It's a bit soap box but I think I earned it. Donald Trump just make a policy when the media ask for comment, just don't turn up and leave a message you've got a country to run.

albert • May 20, 2017 5:00 PM

@Patriot COMSEC,

China's "One Belt, One Road" initiative is remarkable, and very smart indeed. They build billions in infrastructure and become 'partners' (i.e., part owners) in the ventures. Unlike the West's 'bankrupt, bail, and buyout' strategy, China reaps benefits along with its partners.

The psychopaths in the USG are worried. There is no option* to counter this except the only one they know: military action. Say what you want about Bill Clinton, he said as much years ago: The era of US preeminence is coming to an end.

* Well....there is another option. It's called 'beating them at their own game'.

P.S. Having one's own GPS system has military as well as strategic advantages.

P.P.S. China collects the data. Users think twice about stirring up revolutions. Instability is bad for business, China doesn't roll that yet. They are only sniffing the West's Kool-Aid.

. .. . .. --- ....

Patriot COMSEC • May 20, 2017 5:52 PM

@ Rachel

It is OK not to agree with others on this blog. Minority opinions can be interesting.

I worked for the puzzle palace for a long time--retired--and so my view about Snowden is informed by that. If a devastating attack against the US happens again, and you were hurt, and it is proven that Snowden enabled it, please send me a message here.

It just... sits there like a pet rock! • May 20, 2017 6:42 PM

@Rachel, thanks for the classic OpenBSD hobbyist plug from Sivers: Do what I do! Execute the forty thousand consecutive commands in the 80 Meg zipped file I can't be bothered to put on the web and give OpenBSD a thousand bucks and if you want something that actually accomplishes work in the human world, ask them for it and do it for them. Cause it's best!

Patriot COMSEC • May 20, 2017 10:38 PM

Wikileaks is at it again, and this time we get to hear more about "Assassin" and "Athena".

In one of the documents there is an ominous remark. To paraphrase it: you can destroy the universe with this, so use it with discretion. (How nice to let it out!)

It is important to remember that we do not know if the documents have been doctored, nor do we know if the material is even true, partly or in whole.

The Russians are laughing, literally. That too is in the news.

tyr • May 21, 2017 3:10 AM



That's interesting about Rasputin. Since the
usual Rus revolvers made on contract were
called 44s (429 diameter slug) and Colts
of that approximate size were 456-458. A
455 would stick out like a sore thumb.
There are fairly arcane reasons for all
of this having to do with militaries
who preferred matching slugs for rifles
and pistols. Moderns can afford multiple
machinery for arsenals so that has gone
the way of the dodo. People who make
their own still like that idea.

That may have been a family inspired hit.
If the Crown had noted the bad publicity
of Rasputin's hold over a cousin.

There's a real problem in not seeing the
Russians for what they really are because
it leads people into dangerous fantasies
about them. The worst mistake USA made was
to believe the crap peddled by the Gehlen
apparat and their Tsarist stooges. Once
the U2 overflights failed to see the massed
bomber fleets it should have been apparent
they were lying through their teeth. Once
they have peddled it as gospel, no one
wants to admit that their secret squirrel
information was all a perpetrated hoax.
That might cause a horrible consequence
like a budget cut.

Bitter Oldmen • May 21, 2017 3:22 AM

All them funny protection measures are crackable at home as they are operated by humans.

ted • May 21, 2017 3:54 AM

The squid kept yapping about U.S. NATO security agreements and DIY.

Microsoft distributed fixes for long outstanding flaws in their OS and have not completely abandoned them. Only when it is financially convenient, one lever that operates certain practices. Another, when defense of business name or trade marks matter.

Phil • May 21, 2017 5:36 AM

Lawrence: I imagine the more accurate Android location is being provided by this service:

I believe the way it works is that when you dial an emergency number that a modern Android phone recognises (112, 111 etc) it turns on the GPS & sends that data to a custom mobile data endpoint which is shared across mobile providers that implement the service. That data is then passed on from the mobile network to the emergency services & matched up with the voice emergency call.

Ratio • May 21, 2017 5:41 AM

@Dirk Praet,

(Moved here, because OT.)

[...] these huge arsenals of WMD's they found in Iraq and for which an entire region of the planet was set ablaze?

The entire Middle East is on fire because of the Iraq War? Is that what you are saying? Doesn't that view strike you as just a tiny bit facile?

(That whole comment wasn't quite as understated as it could have been, if you don't mind me saying so.)

JG4 • May 21, 2017 6:38 AM


I missed the comparison of Snowden, McVeigh and Oswald n days and weeks ago. It is an interesting topic that bears on security at multiple levels. All three served the US military, McVeigh and Oswald as enlisted troops, and Snowden in his civilian employment. All three are thought to have/had patriotic leanings, Oswald's pink sheepdip notwithstanding. Oswald certainly was recruited by one or more quasi-governmental agencies. The claim has been made that McVeigh also was recruited, but that leads to some very dark possibilities that I'd rather ignore. Not because they are unpleasant, but more because the evidence is very thin and mixed with too much misinformation and disinformation. You can waste a lot of time and energy trying to separate fact and fiction. I feel the same way about their psychological profiles - there is too much noise with whatever the signal was. Perhaps with the arrival of civilian AI, some of those mysteries will get untangled. A staggering effort has been made to untangle Oswald's history, with limited but interesting successes. Not one expert shooter has ever replicated Oswald's purported feat of marksmanship in numerous attempts to recreate the events of Dealey Plaza. Oswald claimed that he had been framed, by saying on national TV "I'm just a patsy." It may be that Oswald was framed and that substantially all of his activities were directed by a shadowy mix of characters inside and outside government. BTW, Oliver Stone's movie is quite good, but difficult to follow if you haven't read the books. If Oswald's mindset were patriotic, he and Snowden are not so different. The key difference apparently is that Snowden was self-directed, although that is not guaranteed.

The Second Gulf of Tonkin incident is missing from the list. I've said before that the greatest fear of the highest-ranking US POW in Hanoi was that his captors would discover that he knew that the whole war was fabricated, break him and parade him on TV to tell the truth. He's a lot tougher than I am, because he beat his own face with a stool so badly that they couldn't put him on TV. A healthy skepticism about government policy is a good starting point for any discussion.

Patriot COMSEC • May 21, 2017 7:10 AM

@ JG4

Snowden and McVeigh both tried to make it into Army Special Forces, and both got injured and failed.

McVeigh blew up a building in Oklahoma City, Snowden did the same amount of damage, metaphorically, to a building in Maryland. I contend that both were losers motivated by hate.

Dirk Praet • May 21, 2017 8:02 AM

@ Ratio

The entire Middle East is on fire because of the Iraq War? Is that what you are saying?

That is exactly what I'm saying. The destruction of Iraq as a nation, the regional power vacuum it left, the subsequent rise of Daesh, the ongoing proxy wars in Syria and Yemen, the resulting refugee crisis and wide-spread famine can all be traced back to the misguided and ill-conceived invasion of Iraq by the US and its "coalition of the willing" (most of whom, with the exception of Tony Blair, realized fairly quickly it was a total mistake). An error that was later repeated in Libya, creating yet another failed state and opening up an additional door to Europe for hundreds of thousands of African migrants.

To top it all off, you now have a president that has just concluded a $100 billion arms deal with the country that not only is one of the most prominent players in those conflicts, but also the cradle of Daesh philosophy, supplier of the majority of 9/11 AQ terrorists and whose role in 9/11 to date remains a topic of debate. In return for which he is lauded by its feudal leaders and Islamist clergy as "a bringer of peace".

You can deny the US's responsibility and accountability for what's going on in the Middle East as much as you want, blame the EU, Russia and Iran instead, but - whether you like it or not - that's pretty much how the entire world sees it and how it will go down in history.

JG4 • May 21, 2017 8:22 AM


China builds a new world in which *it* is the great power
Summary: US borrows trillions to wage war in foreign lands. China helps build other nations’ transportation infrastructure to connect them for mutual trade. Which program will work better? Their secret advantage over America is seen in every day’s news headlines.

The Chinese scale may be too large to be sustainable, but "It is too early to say." The US clearly is doing some unsustainable things, particularly spending at WWII rates.

@Patriot COMSEC

Your hypothesis is plausible, but it's pretty clear that Clapper and countless others lied in a way that subverts any semblance of democracy. That is not just perjury, but includes conspiracy to violate countless laws and capital treason. It now has been repeatedly proven that the safeguards are wholly inadequate. In what is purportedly a democracy, ignoring recent election events, particularly Seth Rich's death, it is impossible for people to elect good leaders without accurate information. If Congressional and public oversight of the intelligence agencies isn't possible, that has rather dark implications. Snowden's actions (and Wikileaks and Shadowbrokers) shed some light that is critical for oversight. That eventually will lead to information that allows business intellectual property to be developed and used without concern that it is being stolen faster than it is created. If we need to look for reckless disregard for security that endangered US lives and millions of others, we wouldn't have to look any further than Hillary Clinton and her Benghazi and email scandals. The first was sufficient grounds to fire Comey and indict Clinton. The second has a lot to do with the shocking conditions in both Libya and Syria.

o Your Corporate Dependency Health • May 21, 2017 8:42 AM

In the land of excess the human race appears spinning out of control. Profit driven Dependency Technology brings out the worst in human behavior as corporations exploit human weaknesses to maximize profits. Trust to do the right thing is replaced by pushing the envelope and forced sharing.

Effective Security ultimately depends upon trust and keeping the need-to-know loop as small as possible. Increasingly trust is evaporating as Big-Data insatiable appetite to know everything. The recent Wanna-cry solution logic offers a great example.

Every Computer Will Fail
Creating bit-perfect images of a stable boot drive and having off-line backups is essential to speedy recovery of your computer's health. Even the most serious threats can easily be recovered from. Of which malware is just one and frankly rare (don’t engage in risky behavior).
Knowing what exactly caused the failure is of secondary importance. It's typically solved by examining the usage time-line. Any good IT department maintains these stable disk images to automate new or reinstall of ‘hosed’ computers. If it occurs several times then they replace the computer.
Note: In a high risk surveillance environment, restore the stable image using a new SSD periodically. Boot images are built from a computer never connected to the Internet. DRM-free Linux can become unpredictable by using different combinations of hardware. Then when connected feed computer configuration disinformation through the browser's User Agent Spoofer. Success is when Amazon and Google challenge. By using this, uBlock Origin and disabling Javascript the bad guys won't know WHAT to attack.
Note2: VPNs are only useful against corporate surveillance due to NSA black-budget sponsorships.

Why I Quit Windows
Instantly see the secret MS tracking files locations. Sort by time. Add locations to CCleaner custom:

More Corporate Excess: Blimp Manufacturing

Trust? Just Eliminate Humans Entirely

P • May 21, 2017 9:11 AM

The Election Commission of India is holding a challenge where they will let political parties attempt to manipulate the votes it registers. The catch is that they cannot open up the EVMs to tamper with the hardware, but wireless interaction is admissible. With that restriction, manipulating them seems impossible to me as these are neither wireless nor network capable.
Here is the link to the challenge rules PDF document:

War Geek • May 21, 2017 11:39 AM

And here's the latest for the 12 O'Clock news. Tin Commodities are Up!

Who? • May 21, 2017 11:50 AM

@ Rachel

Thanks for sharing that information about OpenBSD.

I agree, OpenBSD is not just a secure operating system. It is a well written one too. It strictly follows standards, so it is usually a good platform to write and test portable code too (not to say, manual pages clearly mark when an extension is not portable and suggest lots of secure practices when using dangerous library functions). In my humble opinion, one of the best features of OpenBSD is its documentation. It is very nice being able to install and configure it using its manual pages and examples only, without looking for additional information on the Internet each few minutes. Quality documentation is very useful when you are working on a computer that cannot be connected to public communication networks.

Who said that a secure operating system must be difficult to use or limited on its features? OpenBSD is secure but, at same time, it is one of the best server, desktop and embedded operating systems available right now. When I used OpenBSD first time, fifteen years ago, I was not looking for a secure operating system, I was looking for a stable, well documented and easy to use operating system. Now I see security is the most important feature of OpenBSD, but it is not its only "selling point."

I know, there may be more secure operating systems out there. Some are really secure ones (e.g. Genode OS), others are just considered secure by media (Tails, Qubes OS). OpenBSD has not only been tested in real world since mid 90s, where it has demonstrated "security" is not just a buzzword, it is being used to do real work too.

OpenBSD is one of the few operating systems that had found a good compromise between security and functionality.

Rachel • May 21, 2017 12:11 PM

@ Who

Thank you for the feedback. I enjoy all your contributions.
You identified particulars of so called secure OS, for example 'secure va media' in the case of Tails. Other commentators have pointed out Tails was virtually in Beta when Snowden 'revived' it; @ Ab Praeceptis has pointed out it's a Debian box so should be filed under 'I' for Iron Maiden (painful death/Run For The Hills, depending)

I wonder if there is a checklist style comparison of security oriented OS in the fashion compare features and detriments of messaging apps. In fact, just a flat out point for point comparison would be valuable. A chart like this would bring some necessary transparency to the flaws in Windows and iOS

Rachel • May 21, 2017 12:18 PM

Seeing as we are on the subject. It's easy to simply skim over the vast range of comments, absorbing without fully imbibing or enquiring further.
Which was my initial take on two of the replies to the Open BSD article. I realise it's worth following them up:

@ Dorothy

I don't understand your response about the OpenBSD article I posted. Except that, potentially, you don't agree with the sentiments therein . Can you extrapolate or more clearly define your stance?

@ it..just sits there like a pet rock

You were clearer in your objections, but your post would also benefit from further clarity. If you feel so inclined, I would value it (as maybe would others)

Sam • May 21, 2017 4:53 PM

Sorry if this is off-topic,

I was wondering if you had any thoughts on the verifiability of recorded content.
We're not there yet - unless nation states are keeping it secret, but we are rapidly headed towards the point where genuine recorded video and audio is going to be indistinguishable from simulated content.
There are in this major implications for the use of video and audio as evidence that an event either did or did not occur.
The only solution that I can think of right now is the inclusion (on device) of a private key signed by the manufacturer - but that solution is only security by obscurity, and would require both that the manufacturer is trusted and that any attempt to extract the device's private key would fail one way or another.

JG4 • May 21, 2017 5:00 PM

some doom-porn to brighten your day

this is some of the most brilliant snark that I've ever seen on your planet. I would have included earth-crossing objects in the short list of problems to worry about, and to their credit, the billionaires have too

Class Warfare
“Notes from an Emergency” [Maciej Cegłowski, Idle Words].
This is really a must-read; it’s an angle on the tech world (and Haygood’s Five Horsemen) that we rarely see. Here’s a sample, and save us from squillionaires with bright ideas:
Given this scary state of the world, with ecological collapse just over the horizon, and a population sharpening its pitchforks, an important question is how this globalized, unaccountable tech industry sees its goals. What does it want? What will all the profits be invested in?
What is the plan?
The honest answer is: rocket ships and immortality.
I wish I was kidding.
As happy as I am to see Elon Musk and Jeff Bezos fired into space, this does not seem to be worth the collapse of representative government.
Now, I’m no fan of death. I don’t like the time commitment, or the permanence. A number of people I love are dead and it has strained our relationship.
But at the same time, I’m not convinced that a civilization that is struggling to cure male-pattern baldness is ready to take on the Grim Reaper. If we’re going to worry about existential risk, I would rather we start by addressing the two existential risks that are indisputably real—nuclear war and global climate change—and working our way up from there.
But real problems are messy.
World-class invective, but Cegłowski has serious and interesting policy concerns and proposals as well.

see also:

Milo M. • May 21, 2017 5:34 PM

@Lawrence D’Oliveiro & @Phil --

New Zealand government pages on the feature:

Google announcement cited in the EENA post:

"Jul 25, 2016

. . . we created the Emergency Location Service in Android. This feature, when supported by your network, sends location from your phone to emergency services when you dial an emergency number. This uses the same location technologies available to apps on your phone, including Wi-Fi, GPS, and cell towers, to produce a more reliable emergency location both indoors and outdoors.
This feature is solely for the use of emergency service providers, and your precise location is never seen or handled by Google. It is sent from your handset to emergency services only when you explicitly place an emergency call, either directly or through your mobile network.

Emergency Location Service is supported by over 99% of existing Android devices (version 2.3 out and upwards) through Google Play services. The service activates when supported by your mobile network operator or emergency infrastructure provider.

Our service is already live today for people with Android phones in the UK and in Estonia. We’ve collaborated with several mobile network operators and emergency services to make this possible."

SkepticalMay 21, 2017 9:14 PM

@Dirk: the ongoing proxy wars in Syria and Yemen, the resulting refugee crisis and wide-spread famine can all be traced back to the misguided and ill-conceived invasion of Iraq by the US and its "coalition of the willing"

Treating the Iraq War simply as a fact, leaving aside judgment as to its prudence or justice, you are mistaken in giving it place of primary cause for the Syrian Civil War and the Yemeni Civil War.

Syria: These are the series of events that precipitated the avalanche. In March 2011 a group of teenagers painted anti-regime slogans on the wall of a school in Deraa. As is SOP for the brutal regime clinging to power, the teenagers were detained and tortured. As happens from time to time when a dictator who relies on brutality to suppress most of the population, the action provoked mass protests. As might be expected, Syrian security forces fired into the crowds. But the protests continued, and grew, and in areas where the regime had inadequate forces or hatred of the regime burned particularly bright, resistance became organized, and violent.

Or do you wish to trace the entirety of the protests of the Arab Spring - including Tunisia and Egypt - to the invasion of Iraq as well?

The factors that foretell the danger of a failed state - lack of national cohesion, lack of institutional loyalty and legitimacy, brutal deprivation and suppression of a majority of the population by a minority - are present throughout the Middle East to varying degrees. They were particularly prevalent in Syria.

As to the larger global order... there is a reason why liberal democracies are close allies - even during the unpleasant exchanges prior to the Iraq War, French and German Governments furnished considerable assistance - and will continue to be. Shared political values matter - this is something difficult for those in highly corrupt systems to see or understand.

And there are reasons why authoritarian governments can be particularly dangerous.

I don't agree with all aspects of US foreign policy, UK foreign policy, or that of any other nation on earth or in history.

But what I do know is this. The West has built the most robust set of global trading institutions, and has protected and expanded democratic values and human rights against an adversary that sought - and lately still seeks - to undermine belief in such values and rights.

No society is perfect; nothing human is perfect. Compared to an ideal of perfection, all shall show poorly.

But we must be practical in our comparisons, and consider viable alternatives. Right now, I would take the human rights practices of any Western democracy over that of Russia or China, and it would be an uncommon fool who would not.

One can critique aspects of the West, and its framework, and foreign policies, without losing sight of the fact that it holds the best promise for the future of humanity.

All nations are a product of history, endowed with particular strengths, weaknesses, blindspots and insights. And - regarding the discussion of patriotism and nationalism on another thread - part of the strength of the US is the ability to form credible alliances with others, to seek positions of mutual self-interest, and, perhaps befitting a nation largely populated by immigrants and the descendants of immigrants, also the ability to understand not only the particular strengths of other nations, but to be sympathetic to the feelings of national pride the people of those nations hold.

The caricature of the American scornful of other nations is just that: a caricature.

Granted, I speak in generalities, and exceptions abound. I assure you I can find chauvinists of great ignorance in every land - they're usually just pains in the ass unless they happen to be a dictator running an aggressive and high-risk foreign policy.

ThothMay 21, 2017 10:04 PM

@ab praeceptis, Nick P, all

New (JVM/JS) programming language (Kotlin) has been added to Android as a first class (JVM/JS) language.

Not a safe language and compiles to either run on JVM via Java bytecodes or JavaScript platforms (i.e. web browsers). Bad choice of runtime environment despite claiming to be a "safe language".

Will be added to the list of the next Holidays noting that although Kotlin has been labeled as a safe language, the platforms it runs on (JVM, JS Interpreters and web browsers) are a totally bad choice.

Lawrence D’OliveiroMay 21, 2017 10:14 PM

→Phil, →Milo M -- thanks for the info. So it is tied specifically to the dialling of an emergency number. That would make it difficult to exploit without, say, setting up a spoof cellphone tower.

I wonder how hard that would be ...

ab praeceptisMay 21, 2017 11:13 PM


From my point of view kotlin is just worthless crap on a large pile of jvm/java related crap that does not even deserve a place on the golden sticker holiday cards.

mere mortalMay 22, 2017 12:26 AM


Very correct. Thanks for that mention of the much more friendly Ubuntu.

This comment is for those that follow this blog (and intuitively understand the importance of the discussions here) but at the same time have day jobs and don't otherwise have time to become engineers - but still desperately want to leave MS Windows. My advice is to skip Ubuntu as a first choice and instead install Linux Mint -

Although Mint might not be the *bestest* choice security wise (which can equally be said for Ubuntu - in fact, Mint is built off Ubuntu), it does - in the meantime - provide an intuitive interface (i.e., an end user experience very similar to Windows) that makes it the perfect "gateway OS" for switching from Windows.

So, if you want to switch from Windows, do Mint first. For no other reason than it's the easiest/most intuitive way to do so. Once you're comfortable with Mint, then look into other OS's as time allows. I'm not a technical genius, but I do care. Deeply. I'm not at all inept, but just switching from Windows to Mint took me time. But it happened. Now I'm on to other, not perfect, but *better* practices. It's hard and frustratingly slow given everything else I've got going on. Sometimes it even seems ridiculously impossible. But I just keep going, project by project, as time allows. And that's how you can do it too.

Give yourself time, be patient. This stuff can get confusing. Don't give up. Remember, you're not a terrorist. You're not a politician. You're not a dissident. You're not a criminal. You're just someone who believes that there is such a thing as legitimate secrets/privacy. Don't let the TLA/commercial/political propaganda/lies get you down. Take back your privacy. Take back decency. Take back your home. Simply do what you have time to do to put sand in the gears of the illegitimate criminal violation of your 4th Amendment rights that is mass surveillance.

PS - Besides business clients/gaming machines, I'm 100% *OFF* Windows OS. Yea! Finally. After the Win10 fiasco, I will never, ever, trust any MS product again in my lifetime (I know, slow learner). I know this might seem "cute" to many of the regulars here, but it was not at all a casual endeavor or something I think everyone is equipped to do. But it can be done. By you. Good luck brother.

PSS And yes. OpenBSD is in the works.

ab praeceptisMay 22, 2017 12:59 AM

Thoth, all

Indeed. Good that you warn them.

I'd like to add something. If for some reason you absolutely have to use linux - which I strongly advise against - do NOT use any linux with systemd!! A quick search will show you alternatives that are at least not systemd infested.

If you can avoid linux my advice depends on your level of knowledge and time to learn. If you can go the OpenBSD route then you should. If that is too tough for you there is still FreeBSD which is less security focussed than OpenBSD (but still much more secure, solid, and reliable than linux) and quite friendly. Also note that there is even a clickediclick version (I think it's called PC-BSD). Plus, FreeBSD runs most linux programs, too (although with thousands upon thousands of FreeBSD packages you will probably not need any linux stuff).

Again: If at all possible avoid systemd infested linux (which is most distributions)!

Clive RobinsonMay 22, 2017 1:26 AM

@ Thoth,

Not a safe language and compiles to either run on JVM via Java bytecodes or JavaScript platforms (i.e. web browsers). Bad choice of runtime environment despite claiming to be a "safe language".

It's no better or worse than any other language that either compiles down to CPU native executable code or gets interpreted down to native executable code. Eventually it all meets an interpreter at some point be it the Microcode in the CPU that converts to the Register Transfer Language/logic that moves the bits around or a F/J/P code machine that produces CPU native executable code.

Computer Data Security --not EmSec / side channels-- when all is said and done is about "providing constraint" on the movement of bits between mutable memory locations be they registers, cache, core memory or semi-mutable storage.

As I've noted before type-safety is in effect an illusion or conjuring trick by sleight of hand. The ALU in a CPU really only understands the types they are built with and these days that is mainly register width words (arithmetic instructions) or subwidths thereof we call integers and bits either in integer widths or as individual special function flags. From a combination of these all other data types and their methods are built up by either the CPU microcode interpreter or executable code under a programmers control.

And Type Safety thus boils down to "providing constraint" on a "programmers control" in a given code image produced by the language tool chain. Importantly "no more and no less" it's an imperfect contract based on many assumptions that may or may not hold further down the computing stack.

That is type safety stops at a point quite far up in the tool chain in the source code analyser in the front end of the compiler or interpreter.

Due to very real resource limitations in the early days of computers it was usually not possible to produce an executable code image in core memory. The solution was to break the source code into pieces and reduce each piece to an object file that contained executable code that could be linked together either to produce a final executable file (statically linked) to be loaded at run time or a series of files that got loaded and linked at run time (dynamic linking). It quickly became clear that in a resource constrained environment dynamically linked files offered a number of significant advantages. However there was a hidden disadvantage: two different code files could link to share a block of memory that holds a non primitive type. All that got shared was a pointer to a memory location, thus it was and still is possible for the two code files to treat the contents of the block of memory differently... Thus to try to ensure this did not happen further tricks such as header files etc were added. With them came more complexity which of course opened up more edge / corner cases and loopholes to catch the unwary programmer.

And as we know treating a signed integer as an unsigned integer either implicitly or not causes problems. From what has been said this appears to be the problem that WannaCry exploited in the SMB / CIFS code that goes back to the early still collaborative days of IBM and Microsoft...
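The signed/unsigned mismatch described in the comment above, shown as an added C example (not part of the original comment, and not code from SMB or any other product): two modules share only a pointer to a block and disagree on the type of its length field. The block layout, `BUF_CAP` and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_CAP 64                                 /* hypothetical payload capacity */
#define BLOCK_SIZE (sizeof(int32_t) + BUF_CAP)

/* Constructed sample: a shared block whose first four bytes are a length
 * field, followed by the payload. Only a pointer to it crosses modules. */
void make_block(unsigned char *block, int32_t len)
{
    memset(block, 0, BLOCK_SIZE);
    memcpy(block, &len, sizeof len);
}

/* Module A (hypothetical): believes the length is signed and checks only
 * the upper bound, so a negative value passes (-1 <= 64). */
int a_check_len(const unsigned char *block)
{
    int32_t len;
    memcpy(&len, block, sizeof len);
    return len <= BUF_CAP;
}

/* Module B (hypothetical): reads the same four bytes as an unsigned count.
 * It trusts that A already validated the block. */
uint32_t b_bytes_to_copy(const unsigned char *block)
{
    uint32_t len;
    memcpy(&len, block, sizeof len);
    return len;
}

/* Hardened form: a single check that enforces both bounds on the signed
 * value before it is ever converted to an unsigned count. */
int checked_len(const unsigned char *block, uint32_t *out)
{
    int32_t len;
    memcpy(&len, block, sizeof len);
    if (len < 0 || len > BUF_CAP)
        return 0;                                  /* reject, *out untouched */
    *out = (uint32_t)len;
    return 1;
}

int main(void)
{
    unsigned char block[BLOCK_SIZE];
    uint32_t n = 0;

    make_block(block, -1);                         /* constructed hostile length */
    printf("module A accepts:   %d\n", a_check_len(block));
    printf("module B would use: %u bytes (capacity %d)\n",
           (unsigned)b_bytes_to_copy(block), BUF_CAP);
    printf("hardened accepts:   %d\n", checked_len(block, &n));
    return 0;
}
```

The same bytes pass A's check and then reach B as a count far larger than the buffer; the hardened function closes the gap by making one module own both the type and the bounds.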

ab praeceptisMay 22, 2017 1:55 AM

Clive Robinson

I contradict.

For one, the jvm is known to be particularly lousy.

More importantly, however, your argument is flawed in that it boils down to saying that making 1 element in a chain stronger is meaningless. This is grave insofar as it is one of the major common excuses to not care at all.

Looking logically the strength of the chain we're interested in is like with any chain defined by its weakest element - which usually happens to be the link between algorithm and, say, intermediary code.

True, with the way processors and compilers (with all their stages) work the a.m. link is certainly not the only one that is less than perfect; it is, however, usually by far the weakest one. Hence, language (a compiler) that makes it hard rather than easy to produce crap makes the whole chain stronger by a considerable factor.

Just compare the rather rare Eiffel or Ada f*ckups vs the very common C/C++/java f*ckups.

That said, you are right insofar as we certainly need to invest a whole lot more care and work in the other chain links. Happily this has at least begun as efforts in e.g. chip spec/design tools show (e.g. Chisel).

Clive RobinsonMay 22, 2017 2:36 AM

@ ab praeceptis,

More importantly, however, your argument is flawed in that it boils down to saying that making 1 element in a chain stronger is meaningless.

It was not my intent to argue it that way, but to point out that the problem is something that needs attention all the way down the stack.

However as you point out the more constraint applied on the programmer the less likely there are to be errors.

But there is another issue to think about as well, which is how we deal with the issues of dynamic linking. The easiest way would be not to have pre-compiled object or library files that get linked at run time. These days where resources are not really a limitation, just including all source code at the precompiler point in the tool chain makes more sense as type checking amongst other things becomes easier. Also it takes the burden off of the programmer, thus would reduce errors further.

Alternatively we could go another way completely. Which is to go down the "scripting" route. That is we have two types of programmer, those who have the skill sets and mindset to code securely using low level languages and write "tasklets" and those who script together the tasklets into applications.

The advantage is that the scripting framework can provide strong monitoring and control at the communications interface between the tasklets. In effect you do in software what EmSec designers do in hardware. That is you use strong segregation and enforce a secure message passing mechanism between them to give high isolation. Ideally each tasklet runs in its own process space so it can not get at other tasklets' memory or resources.

Whilst it's not going to win any "speed demon" prizes it will make for faster application development with much higher levels of security.

CassandraMay 22, 2017 2:38 AM

Re: Google's Android Emergency Location Service (ELS)

Unless Google have done something magical to enable fast (and I mean fast) lock on to the satellites, if you do not have the GPS already operating, it will take longer than the average Emergency Services call for a device to work out its location via GPS from cold.

This has two implications

1) This is not as useful as made out. Or, at least, make your emergency services call after you have enabled GPS and got a lock. Which might need walking outside a building. Google do have their Wi-Fi map to speed things up if they have a Wi-Fi signal in view of the device. That presupposes you have Wi-Fi turned on, too.*

2) Possibly, GPS might be enabled permanently by this, 'for emergency use only', even if your Android settings explicitly have it disabled.

Of course most folk (readers of this blog excepted) probably have GPS and Wi-Fi on all the time anyway, because it is useful and/or the default.

*Location from mobile phone transmitter masts, if your device can see signal from more than one, would also help finding an approximate location that could be fed into the GPS location calculations. This can be network-based, which requires the mobile phone service provider to work out where you are and send the info to you, or handset based, which requires the handset to have the appropriate software, which in the case of Google's Android, it could well have - See and and

Lawrence D’OliveiroMay 22, 2017 5:27 AM

systemd-haters here, of all places? Where you would expect a quality of comment a cut above the usual blowhards who hang about elsewhere?


Dirk PraetMay 22, 2017 5:36 AM

@ Thoth, @ mere mortal, @ Dorothy

Currently, Linux Mint have acknowledged this lock screen issues and are working on it.

That's bug 1652489. It would appear it is still not entirely fixed. I also refer to some other woes plaguing Mint, as in not appropriately warning users trying to run the i386 version on (older) machines with processors not supporting SSE2 extensions, rendering major parts of the system unusable instead.

That said, Mint/Cinnamon indeed is a very user-friendly distribution, well-suited for Linux greenhorns. I do hope they get above mentioned stuff fixed as soon as possible. Others that come to mind for Linux first-timers are Ubuntu, Fedora and OpenSuSE.

@ ab praeceptis

Also note that there is even a clickediclick version (I think it's called PC-BSD)

It's called TrueOS nowadays. 64-bit only, and requires at least 2 Gb. of RAM to run kinda comfortable. Despite excellent hardware support and many cool features, the update/upgrade routines remain highly problematic to the point that I regularly end up with broken systems which for a novice are beyond repair. Which is why for now I definitely recommend against it for this category of users until this is fixed.

@ Rachel

@ Ab Praeceptis has pointed out its a Debian box so should be filed under 'I' for Iron Maiden (painful death/Run For The Hills, depending)

(Chuckle) They also recently played here. Great show. I'm not entirely sure what @ab's problem is with Debian based distributions. I don't find them particularly more cumbersome than the rpm based family.

JG4May 22, 2017 6:47 AM
Big Brother IS Watching You Watch

Revealed: Facebook’s internal rulebook on sex, terrorism and violence Guardian

California Authorities Are Failing to Track and Prevent Abuse of Police Databases TruthOut

Trump Administration Deploys a Controversial Tool in Its Immigration Crackdown Truthdig

Police State Watch

The cruel but usual conditions inside two Georgia immigration detention centers The Hill (Phil U)

A predictable nuclear accident at Hanford Bulletin of the Atomic Scientists

Hanford contractor finds radioactive contamination on worker’s clothes The Oregonian

How a US Non-Proliferation Failure Became a Global Cyber Security Threat The Wire

Disable Linux TrackingMay 22, 2017 8:37 AM

Linux distributions typically track user activity too.
Unlike Windows, the tracking can easily be disabled.
However attempting the straight-forward method of uninstalling packages will fail because of dependency issues.

I’ve recently disabled tracking in Fedora and Ubuntu by simply renaming the tracking executables. The following example is for Ubuntu.

Disable Ubuntu Tracking
Rename /usr/bin/zeisstopnm to zeisstopnm.bak and zeitgeist-damon to zeitgeist-damon.bak
Then delete the contents of /home/’user_name’/.local/share/zeitgeist/
Create a bookmark here in the Nemo filemanager and check occasionally

Linux Desktop Selection
The Linux kernel is common to all desktops and where the latest generation of new hardware gets supported. For instance Kaby Lake processor optimizations.

Fedora’s ecosystem is better suited for business or corporate environment with paid support contracts. Popular consumer applications may be unsupported.

I rejected Mint because fixes and updates in technology are too slow and spotty. Debian (while stable) is worse as features can take two years to show-up. Ubuntu is just about right with two combined desktop and kernel updates a year.

Highlights of Ubuntu
Effective kill switch. Unlike Windows, disabling the network is convenient. I disable the network during boot.

Good support for Nvidia and Intel graphics drivers

The easy-to-use yet powerful Synaptic Package graphical Manager greatly expands upon the Ubuntu Software Center

A wonderful resource for improving the default desktop and applications

Kernel/driver news:

Nick PMay 22, 2017 10:33 AM

Datashield: Configurable Data Confidentiality and Integrity (2017)

A lot of work has gone into automated safety of C/C++ programs. They've looked at memory and control flow especially. The remaining weakness is attacks based on clever abuse of data flows in the program. There's only been a few attempts at total solution of that problem that I'm aware of. This work transforms C/C++ programs to preserve data confidentiality and integrity with a reported 30-40% hit on performance. If their model is proven sound, then that's good news given moving key checks to hardware would probably knock that into single digits or unnoticeable given results with other, more-complex schemes.

Bootstrapping Wiki

This project by rain1 on is collecting examples of compiler bootstrapping. The focus is on the simplest stuff esp that can tie in to defeating Karger's compiler-compiler attack that Thompson wrote about. In addition to what rain1 had, I've added a bunch more within the following requirements:

1. We need several since users will come from imperative (esp C/Java), scripting (esp Python/Perl), Scheme, and functional (esp ML/Haskell) backgrounds. What's easy to grasp for them depends on the background. So, one of each style. That they'll work so differently will also add a diversity benefit if the same application is run on each with equivalence check of output.

2. The target might be software already on major distros (eg bash, awk, Perl), assembly, or machine code. It might be input by hand onto an OS or by hex onto a board. Need something for each.

3. It must be small and simple enough for a non-expert to understand with as little effort as possible. This is an unknown as both the problem space and what each tool can handle set a lower bound on the complexity of the implementation. The main solution, other than simplistic algorithms, will be using the language/tools in as standard a way possible with lots of documentation on what each thing does.

We already have a nice list. The next thing we need are assembler and especially linkers coded in simple as possible way with great explanations of what they're doing. I had one assembler/linker in Python that was perfect for this but that bookmark disappeared at some point.

Empirical Study on Correctness of Formally-Verified, Distributed Systems

In high-assurance systems, certification usually mandates that many forms of verification are used since one might catch problems others missed. Sometimes, the problems are in the verification tools themselves. The authors review tools that seem to have only used formal verification on select aspects of their distributed systems. The added techniques of code/doc review, observing things in debugger, component-based testing, and network/file fuzzing caught a bunch of problems.

Interestingly, the verified code did exactly what the spec said it would. Like with CompCert, the formal verification made the implementation flawless in terms of conforming to the spec. The spec errors were mostly at interfaces as the founders of software engineering found in the 1960’s. I always say to bulletproof those by throwing everything you can afford to at them. That numerous components didn’t work the way the authors guessed reinforces why high-assurance software always lists everything in the Trusted Computing Base (TCB) along with what was verified and how. If you don’t fully understand a 3rd-party component, then there’s no way you can say your own component correctly uses the other one. This is also why projects such as are going from hypervisor code all the way down to the hardware. An example of a lightweight method is to build monitors for 3rd-party components that watch traces of its execution to spot inconsistencies with specifications that reflect user’s expectations. This has been used in both embedded (Copilot) and enterprise (NonStop) systems.

Why Writing Correct Software is Hard by Ron Pressler

The video and text are interesting. Ron Pressler (pron on Reddit or Hacker News) has been advocating methods such as TLA+ on the basis of formal verification being too hard, costly, time-consuming, and for small code. There's counterpoints to that with all the advances being made but he argues further that correctness does not compose. Interestingly, there's relatively recent work in mathematical proofs showing that. If true, it means mathematics isn't powerful enough to handle full correctness of large software no matter if we use modules, objects, etc to try to hide the complexity. Certain classes of problems could be verified to certain degrees in certain ways. His recommendation is empirical study of code patterns and correctness strategies to find piles of ad hoc ways of dealing with it.

I'd really like to see this work looked at by the likes of DeepSpec etc. I countered his points on inherent difficulty of *any* real-world application and lines of code so far. The first comes from fact that formal methodists keep making tools that let us automatically apply verification to protocols, algorithms, data structures, and so on. Using just the automated or low-cost stuff on what we can will help by letting us verify other stuff with verification budget saved. Far as lines of code, he's right that most projects seem to max out around 10,000 lines of code or so. This doesn't tell us anything, though, because most projects like DeepSpec have been scaling *down* to cover more and more low-level details. For all we know, they might have scaled up the same distance. I do want to see efforts attempted at 100Kloc with a bunch of interacting components to see what they end up accomplishing. Microsoft tried on Hyper-V getting about 20% verified in VCC but I haven't heard anything since.

His good points, aside from mathematical proofs, are that the challenge to respecify/verify old problems took almost the same size and effort in each tool that was used. That hints at intrinsic complexity instead of it being a tool problem. Also, students who work on things like seL4 often say it was one of the most painful experiences they had. Many get disillusioned by the experience. That's for a tiny system, too. So, this problem of how much global correctness can compose is worth tons of study by mathematicians to see if we're just wasting our time past a certain point.

Now, all that said, I disagreed with him that all hope was lost. The recommendation of high-assurance has always been to use simple, easy-to-analyze components as much as possible. In security, we leverage a small TCB whether it's prevention, detection, or recovery. The TCB's are almost always small enough for formal verification to handle. Even if Ron is right, my recommendation of Design-for-Verification would seem to hold where you do what you can on new code, design it simple enough for current tooling to handle, and people can plug in a verified version of that TCB code later if it's deemed worthwhile. Guard functions, model-checking, and testing strategies can help with the stuff that explodes in state space.

Quick note on empirical side. What he suggests the field should do has been going on for decades under the likes of Software Engineering Institute. They got so impractical that most programmers will reflexively stay away from anything that looks like it. This could be another AI winter in our field where we'll have to very-carefully introduce empirical work to programmers that are clearly useful. The one above is a good example. I think another is that combinatorial testing paper from NIST since it showed the error distribution in N-way testing was the same for several, diverse types of applications. Just 3-way got 90+% of bugs with no more found at 6-way. I didn't expect that. I intuitively think it's quite significant with other things to teach us. Another example might be analysis of subset rules for things such as C and Java vs bugs found in real-world code to see what's helpful, when it is, and what was just bullshit guessing.

Mister T Pities the Fool jangle jangleMay 22, 2017 12:45 PM

Here's Skeptical engaging in prissy sniffing at uncommon fools that know their rights. Perhaps Skeptical can explain to us why all the common fools prefer their bowdlerized US human rights though they fail to meet the world standard of institutionalized human rights subject to independent international oversight, The Paris Principles. Russia meets those standards, how come the US can't?

No doubt Skeptical can speak for all the common fools who can explain to us why the Human Rights Committee directed the USG to interpret the ICCPR in good faith, and why the Committee Against Torture directed follow-up on multiple urgent breaches of the convention, and why systematic and widespread torture meeting the threshold of crimes against humanity is good enough for US proles.

Oh, and while you're at it, explain to us why the US government has failed to accede even to the core human rights commitments. Be sure to cite the paragraphs in the relevant documents that substantiate your heartwarming patriotic pride.

mere mortalMay 22, 2017 3:43 PM

@Thoth, Dirk Praet, Clive Robinson, ab praeceptis, et al.

Thank you all for your feedback and commentary. I very much appreciate it.

As I mentioned, I consider Linux Mint a "gateway OS" - for those otherwise busy folks whose immediate desire to leave Windows outweighs their current technical skillset - and not as an acceptable end state OS. My most recent foray towards such an end state was Qubes. When I was initially deciding which OS to try next, I narrowed it down to a choice between Qubes and FreeBSD. I went with Qubes because I'm a sucker for the *idea* of compartmentalization (Clive, you did that - instilling the appreciation for "compartmentalization" that is, not Qubes). But given recent events/discussions here, it's becoming apparent to me that I should have gone the BSD route. Oh well.

@Disable Linux Tracking

Will do. Thank you. any other, as Dirk Praet so graciously described us, "Linux greenhorns/first-timers"...

Don't let the realities of the grim state of digital security/privacy (or your *currently* lacking technical skillset) discourage you. Everyone has to start somewhere. I've been a lurker on this site since Snowden and the conversations here - although often very technically intimidating - have helped guide me to a point that I don't even recognize who I was when I first got here.

So my advice to you is this; "trend towards".

Most of us will probably never achieve the technical prowess of the regulars here. So what? That doesn't mean we can't benefit from their advice/observations for the directional value it provides. If you're not a spook, politician, criminal, guarding trade secrets, in litigation against the state/big corp, criminal, etc., then you probably enjoy the luxury of a relatively relaxed threat model. Although one (or twenty) poor technical decisions might get your bank account emptied, they're unlikely to get you killed. So use the advice here as an ideal to "trend towards", and incorporate it - to the degree you're able - into your own best practices over time.

Don't have the chops yet to take on OpenBSD? Okay, just get off Windows for now. Using the default texting app on your phone? Switch to Signal instead. Surfing the web while logged into your Google account? Stop that. Do you use a "free" commercial email service? Switch to a provider that offers a higher likelihood of respecting your privacy. Post every little detail of your life on Facebook? Stop that. Buying into the Internet of Things? Avoid it like the plague. Do you financially support the efforts of NGOs like EFF and EPIC? If not, send some cash their way. Etc. Etc. Etc. ad nauseam.

Now the regulars here will be quick to point out the inadequacy of all that (and it would be foolish not to carefully consider what they have to say), but by doing each one, you would have put yourself in an incrementally more secure/private position than where you were before. So instead of having sads because you're not bulletproof, take pride in throwing what sand you can into the gears of the illegitimate, immoral treachery that is mass surveillance. If you're reading this, you are the resistance. ;)

Milo M.May 22, 2017 6:20 PM

@ Cassandra:

Assisted GPS or Aided GPS (A-GPS) has been around for over 20 years. There are a lot of variations on the theme, but the essential concept is to send a lot of data to the mobile to speed up the navigation solution.

The navigation solution may even be accomplished at a base station and linked to the mobile.

This is 15 years old, but the two lead authors were with Global Locate, one of the pioneers of so-called Assisted GPS (A-GPS):

"the real reason for implementing AGPS is customer satisfaction when using locations or E-911 services. With AGPS, the position can be computed more quickly, on the order of a few seconds."

Broadcom bought Global Locate in 2007.

More recent story, , with location times ranging from seconds to a minute:

From the European Commission:

"In 2015 the UK was the first Member State to deploy AML, improving accuracy levels to up to 4000 times. The solution does not ignore the Cell-Id information that already existed but rather supplements it with either GNSS information (GPS) or Wifi information taken from the handset. AML was subsequently implemented in Estonia where the accuracy is less than 50 meters in 80% of the cases. As part of the HELP 112 project financed by the European Commission, the HELP112 solution, that is based on the AML architecture, was tested in UK, Lithuania, Austria and Italy. As a result the handset based location solution was deployed in Lithuania and parts of Austria. It is to be noted that the Advanced Mobile Location solution is available only on smartphones using the Android operational system. Latvia and Norway are planning to deploy AML location in 2017.

When an emergency call is made with a smartphone that is AML enabled, the phone automatically activates its location capability (GNSS or Wifi) during 20 seconds to establish its position and sends this information via a text message to the emergency services. The radius is 50 meters or less for most calls in about 85% of locations. This is a life-saving improvement when compared with Cell ID location that can have a radius of tens of kilometres in rural areas."

Before Global Locate, there was Snaptrack, founded in San Francisco in 1995. In 2000 they were bought by Qualcomm. Snaptrack technology, or its descendants, is in lots of Qualcomm mobiles.

AnonMay 22, 2017 7:52 PM

@Nick P:

Code Correctness: "Hiding complexity" in classes etc. is I think a good way to end up hiding bugs, because if the complexity is hidden, so too are the traps and programming errors!

It is impossible for one programmer to understand an entire system (if anyone wants to get anything done) so this is where there seems to be a major disconnect in software development - no-one wants to talk to the guy who developed/wrote the code in the first place.

When I'm working on large systems, I talk to someone who knows something about the code I'm working with. If I spot a problem, I chase it back to the source until I get someone's attention.

It seems to me that too many programmers are taking code, accepting that it is a "black box", and not asking any questions. When it blows up, they don't ask why - they try and mask the problem with more complexity, instead of digging into why it failed.

"Root cause analysis" seems to be an alien concept to most people. It doesn't help that systems today represent the 50th layer of a broken design.

ab praeceptisMay 22, 2017 11:23 PM

mere mortal

You are welcome. It seems that my advice re. PC-BSD/TrueOS was bad as, so it seems, the "friendliness" has a high price in memory (Sorry, read about it but never used it myself). I can tell you, however, that I have practical experience with running FreeBSD in 128 MB or even less (no X). With or without X, no matter, FreeBSD will not need more memory than Linux.

As you love "compartmentalization" (as you call it) you might find it interesting that FreeBSD not only has jails of fame but also its own virtualization, "bhyve" with which I have made very good experiences. It might, however, not yet be the right thing for newbies. For them the good VirtualBox support might be more attractive. Also note that virtualization seems to be one of the weak points of OpenBSD.

As for gui/desktop stuff I can't tell much because I'm utterly ignorant in that area and gladly use jwn. I know, however, that XFCE and other typical desktops are available out of the box with FreeBSD (plus there are quite a lot of guides, tutorials etc. for newbies).

ab praeceptisMay 23, 2017 12:19 AM

Nick P

"Datashield" - it's still more of a POC than something useable for production. Also note that for C they provide musl as "standard lib"; now, musl is certainly attractive but it's also rather exotic in terms of being certainly not in wide-spread use and.
Let me quote one paragraph from the paper:
As expected, without DataShield protection the client’s heap was corrupted, but with protection the attack caused a bounds violation and termination of the program.

Well, in many cases a dead server might be more desirable than a vulnerable one running happily and ignorantly, but still, that's not really what a good solution looks like.

What I do like, though, is their pragma approach rather than the typical comment approach.

"Distributed System" - largely irrelevant but interesting. My personal advice would be to read it with the eyes of network software security people as the problems are often similar. A future version of cryptoverif, for example, might profit from it.

"ron pressler" - I even took the pain upon me to watch some minutes of his youtube musings. So I certainly demonstrated good will ...

Ron Pressler ... has been advocating methods such as TLA+ on the basis of formal verification being too ...

Uhzm, tla+ is for spec, not for code verif, ...

If true, it means mathematics isn't powerful enough to handle full correctness of large software no matter if we use modules, objects, etc to try to hide the complexity.

I do not see Pressler in any position to credibly make statements like that (I try to avoid saying "bullsh*t!").

(also for the rest) Granted, I have not yet done really large projects with my current tool set but that doesn't even matter. And btw. all in all my productivity has not been lower but about the same or even somewhat higher than before working in, say, naked C (plus lots of experience). Simple reason: One must look at the *complete* dev. cycle - which in normal (e.g. C) development usually doesn't even end at GA because de facto the end users typically are doing the final beta test ...

As for the students hating a formal dev. approach, so what; they lack experience and, importantly, they are a product of rather poor education and the habits and views developed there. Looking properly at it one can't but notice that at some point in time one just has to properly spec, so why not do it right in the first place?

RatioMay 23, 2017 4:35 AM

@Dirk Praet,

The entire Middle East is on fire because of the Iraq War? Is that what you are saying?

That is exactly what I'm saying.

Then could you tell me, country by country, what fires are/were there in Bahrain, Cyprus, Egypt, Iran, Iraq, Israel, Jordan, Kuwait, Lebanon, Oman, Palestine, Qatar, Saudi Arabia, Syria, Turkey, the United Arab Emirates, and Yemen that you think are due to the Iraq War? How would you explain the causal link in each case?

Again, isn't what you're saying a bit facile?

As you apparently think it's okay to just pretend I said more than I did, to compensate I'll go ahead and pretend you said less than you did. (Please don't do that.)

CassandraMay 23, 2017 6:24 AM

@Milo M.

Thanks for that.

Note that the enhanced speed and accuracy of location services described for the EU are for Android phones only, and AGPS also requires external input to the phone - in the implementation described, several SMS messages. It's not impossible that the Android ELS is getting AGPS-style augmentation messages when activated.

I keep location services disabled on my Android devices, even though the software continuously nags me to turn them on, as I prefer to choose when I make my location available to software I do not control. Most people don't bother. It is truly astounding how people have accepted having their location tracked.

Thanks again for the additional details.


JG4May 23, 2017 7:01 AM

I think that it's pretty clear that the US and others helped to destabilize Libya, Syria and Ukraine. I am skipping over the ancient history where the Shah was installed in Iran and Saddam Hussein was hand-picked and trained by various intelligence agencies. Speaking of hand-picked, it's hard to believe that Idi Amin was a good choice, but the bright young psychopaths get things done. US, European, Japanese and Chinese monetary policy had a role in driving up the price of grain, which destabilized Egypt and Tunisia, and other places where people live on $2 a day. It even caused riots in Mexico.

Clive RobinsonMay 23, 2017 8:22 AM

Terrorist bombing Manchester UK

The UK Manchester Police have confirmed that a bomb that exploded in the foyer of the Manchester Arena last night was by a terrorist suicide bomber. It is still unknown if the person was working alone or not, however another 23-year-old man has been arrested from the Fallowfield district and a controlled explosion was carried out.

The audience at the concert by American singer and actress Ariana Grande were mainly teenagers / young people, some children as young as 8.

So far reported are 29 dead and 59 injured some very serious, many are still reported as missing. The bomb exploded towards the end of the concert.

The media are making special note of the "American artist" and that it is the worst terrorist attack in the UK since 7/7. Some are making an "American" link between this attack and that which occurred at the Eagles of Death Metal concert in the Bataclan theatre in Paris a year and a half ago.

TatütataMay 23, 2017 8:55 AM



I thought I had been diligent enough in checking out this story, but I forgot to look here. The story is even older than I thought.

In my defense, I was rather ill at the date this item came through, so I may not have seen it back then.

Last night I wanted to get my daily dose of Trump madness from US media, but got instead the coverage of the Manchester murders. There was the usual assortment of babbling torsos filling up the time between erection pill commercials with their "wisdom" and "expertise", and the continuous looping of video snippets. Why am I watching this? Then came on a particular torso who said that this was a consequence of communications "going dark" because of that treacherous non-patriotic un-American "encryption" stuff.

At that point I switched off the telescreen and tried to go back to sleep.

Google is a has-beenMay 23, 2017 10:26 AM

World's largest advertising company is running out of ways to increase shareholder profit.

Shouldn't be much of a surprise considering that the company does not produce much of anything of "value", except adverts and corporate PR articles (like those about Google IO 2017 that portray lame AI solutions as "intelligent").

Google starts tracking your offline shopping — what you buy at stores, in person

AlanS May 23, 2017 11:50 AM

Special relationship: I've seen various comments that British government briefing US counterparts on Manchester investigation and details immediately leaked to US media.

AlanSMay 23, 2017 11:59 AM


Police confirmed the 22-year-old’s identity after officials in the United States passed it to news reporters, apparently against the wishes of the police and security services in the UK.

SystateMay 23, 2017 1:49 PM

Google is a has-been
When you thought shit couldn't get any realer from Google. I am pretty sure this system can be beaten with cash. But I am pretty sure that is somewhere on their chopping block list. Once cash is gone you have 2 options, get with the program or live in the caves.

Clive Robinson
Sad but what do you expect. And I am pretty sure their response is and has always been the same. More bombs.

GahMay 23, 2017 2:40 PM

@qb preceptis, mere mortal, turns out FreeBSD needs a snazzy sticker of its own.

On the other hand, it's somewhat usable until something updates and it explodes. (c.f OpenBSD, which is so gosh-darn secure that people just never update it.)

rMay 23, 2017 5:50 PM

@tatutata, wael,

Don't you know it's the witching hour and most of us are already fast asleep?

Slime Mold with MustardMay 23, 2017 7:20 PM


It always astounds me that the names of these people come out so soon, or even the fact that the authorities know who they are. What is more certain to make even peripheral cohorts swim the Channel? In this type of case I think the government is even justified in lying and saying that they are "still working on identification" while they run down every last lead. (They also might park fewer than twenty-five marked vehicles at the suspect's home, and decoy at vacant properties).

The U.K. is now on "Critical (highest) Alert". I can think of three reasons for such a move - from scariest to least -
1. No traces of explosive or precursor chemicals were found in the suspect's home or garage.
2. A background check suggests the suspect lacked the competence to manufacture the device.
3. Several similar "on-the-radar" associates who are suddenly hard to find.

That "Know Your Chemicals" booklet shown in news photos is of limited use for this sort of thing.

ab praeceptisMay 23, 2017 7:33 PM


That's true in (a small) part and nonsensical or false in part. For a start, the author of the link is an OpenBSD guy and what he writes pretty much comes down to the old boring "FreeBSD is not OpenBSD!" allegation. I myself, btw, ripped apart one of the more influential/visible "OB is more secure than FB" "analysis and report".

In the end it boils down to "FreeBSD targets *all* users, incl. desktop users and hence *of course* comes with a different basic config than OpenBSD".

FreeBSD offers common virtualization, in particular VirtualBox (which one may consider as seriously imperfect but which happens to be very, very wide-spread and preferred by desktop users), it offers a Linux compatibility layer, and many other things that make it much more and more conveniently usable than OpenBSD.

Both have by far more in common than they are different. They are pretty much one and the same thing, with one being targeting to be a secure BSD and the other one to be a friendly desktop BSD.

Is either of them a secure OS? NO, absolutely not. In fact, OpenBSD does not even meet my requirement for intermediate security, let alone the requirement for a secure OS (neither, of course, does FreeBSD).

So, if we use a scale from 0 (ridiculously crackable) to 10 (highly secure), so as to have a reasonable frame of reference rather than relying on fan boy blabla, Android would be 0 to 1, Windows would be 1 to 2 (the EAL golden stickered Windows being the 2), Linux would be 1 to (rarely) 3, FreeBSD would be 4, OpenBSD 4.5, and some systems most of us have hardly ever heard would be in the 5 to 8 range. And yes, there is no 10 and not even a 9 due to diverse factors like (security wise) lousy hardware (e.g. Intel AMT), doubtful compilers, doubtful hypervisors, unverified tool(chains), etc.

Being a little more realistic and humble might be helpful.

As I said, none is secure and OpenBSD (ignore the evangelizing blabla) did not even strive to be(come) a secure OS. Their target was to be as safe and secure a BSD Unix as a BSD can be while FreeBSD targeted to be(come) a good quality general BSD with very good gui clicky clicky Joe and Jane usability. From my point of view both grosso modo achieved their goal and are continuing to get closer. And both are reasonably secure within the frame of common OSs, in part btw. because they cooperate by far more than some X is better than Y sectarians want to make believe. We all profit from that exchange.

Clive RobinsonMay 23, 2017 7:59 PM

@ AlanS,

Special relationship: I've seen various comments that British government briefing US counterparts on Manchester investigation and details immediately leaked to US media.

Outside of the UK SigInt Agency GCHQ and one or two other UK IC agencies the UK-US Special Relationship is one of sacrifice where the UK especially politically Kow-Tows to US political interests. This state started with WWII and the excuse for the Kow-Tow was the War Debt, however even though Maggie Thatcher ensured it was paid off back in the 80's the US government demand that the subservience to their wishes continues as though it was still owed.

Also if you think back a little, the US is quite happy to burn its allies' HumInt assets, as was seen by the second underpants bomber revelations, just for political reasons. Thus US politicos and their wannabes are more than happy to throw anyone under the wheels of the bus even their own intel agents if it will get them networking credits with the press. Which is why you have so many unnamed insiders giving supposed off the record briefings to the US press.

However as Vietnam found out recently as far as the US is concerned any military engagement they get into must be paid for by the country concerned... Whereas any aid given by other countries to the US must be given for free or worse be gifted so the US can rent-seek on it which is why most UK war time inventions ended up being the major products of various US corps they then sold world wide to the UK's considerable loss.

But the political aspect was worse, the US had and probably still has a very serious inferiority complex, thus a need to be seen as first at everything. It was this that amongst other things caused JFK to make the UoT speech that gave rise to the race for the moon. The idea being that if a goal was set beyond what the Russians were assumed to be capable of technology wise --from now known to be over stated intel-- then US prestige could be maintained. Which in turn was why it was said that political support for NASA ended when Neil Armstrong's foot left the first imprint on the moon.

The need to appear often incorrectly to be the world's technology leader has cost the US dearly and will cost more and more until they have no more capital be it political or financial. It was this realisation that gave rise to the contentious parts of the TTP and other trade agreements, which the US tried to keep secret and as a result ended up killing the deals and thus a big chunk of what would have been Pres Obama's political legacy.

As a poster pointed out the other day the US requires the rest of the world to be beholden to it and further cast themselves in the IS image... Such chauvinistic nationalistic behaviour is how most outside the US view the US and its people. Those from the US who are more worldly wise than the majority are not just aware of it but actually embarrassed by it to the point of finding a number of their fellow countrymen cringeworthy.

Why it's called "exceptionalism" is often viewed in a derogatory way by other cultures, so much so there are sarcastic jokes made about it. In Thailand for instance, there is the saying that there are three Thailands, the first is Thailand for the Americans, the second is Thailand for other more respectful tourists and finally there is Thailand for the Thais.

Clive RobinsonMay 23, 2017 8:19 PM

@ Systate,

Sad but what do you expect

What I see as likely is as conflicts in the ME wind down is for disaffected and increasingly demoralized individuals to return back to the UK. Where I expect one of two things to happen, the first is they try to reintegrate with the communities they came from. The second is that some will bring their disaffection and ideology back with them and act on it in a number of ways that will be detrimental to not just the communities they came from but others as well. Which as you say will mean more bombs.

It actually takes a degree of skill to make IEDs and those that can do it will regard themselves as more important to their cause than those they can recruit and talk into becoming suicide bombers. Unfortunately due to various factors such as the poor state of the economy and educational issues, they will not have difficulties finding those they can recruit for "greater glory"... The reason this will almost certainly happen is the Petro-dollar sloshing around various individuals from Saudi Arabia who have used it in vast amounts to have their ideology spread around the world.

JG4May 23, 2017 8:35 PM

there is an afternoon edition that occasionally has some relevant content
News of the Wired

“Instagram is the most harmful social network for your mental health” [Quartz]. “A growing body of research suggests social media is contributing to mental-health problems such as anxiety, depression, sleep deprivation, and body-image issues in young people, who are the heaviest users of social media. And Instagram, which now has 700 million users globally, appears to be the social network having the greatest negative effect, according to a new report by the UK’s Royal Society for Public Health (RSPH), an independent charity focused on health education. Only YouTube had a net-positive effect among the respondents. Every other social network came back with a net-negative effect. (In order from least negative to most, they were: Twitter, Facebook, Snapchat, and Instagram.)” So it stands to reason Twitter is the one everybody beats up on. Here’s the original report.

“For years, Yahoo Mail has exposed a wealth of private user data because it failed to update widely used image-processing software that contained critical vulnerabilities. That’s according to a security researcher who warned that other popular services are also likely to be leaking sensitive subscriber secrets” [Ars Technica].

“Introducing the Blockstack Browser: A Gateway to a New, Decentralized Internet” [BlockStack]. Interesting if true. And no Mac *.dmg file yet.

Slime Mold with MustardMay 23, 2017 11:10 PM

@ Clive Robinson

The problem with the leaks is that they are all lauded in the D.C. press and weaponized by the opposition if they are seen to hurt Trump. Since it was almost certainly one of those same leakers who leaked this name, consequence is unlikely. The only publication playing up the leak angle when I searched on a google proxy (IXQUICK) is Business Insider, a more conservative publication.

As for the almost one-way IC relationship. I agree it exists, but see hegemonic exploitation as one of two factors. The first is budget. GCHQ head Sir David Omand told BBC 4 on November 7, 2013 "We have the brains, they have the money"
If we allow defense spending as a proportional proxy for FIVEYES IC budgets:
US 611 bil USD 330 mil 3.3
UK 58 bil USD 65 mil 1.9
AU 24 bil USD 25 mil 2.0
CA 15.5 bil USD 35 mil 1.0
NZ Hobbits Cattle Whales

Indeed when commenters on this blog complain that Europe often seems treated as a vassal of the US, I wish they would refer to this:
(a couple of critical caveats on that list. China and Russia get a lot more for their spending than countries in the west because of relative wages. There are efficiency factors, of course. They also do not pay their militaries shit). The fact is, European oil not purchased from Putin is guarded by the US.
Do the England fans really sing:
Rule Britannia, Britannia rule the waves ?
Not really au courant eh?

"political support for NASA ended when Neil Armstrong's foot left the first imprint on the moon"
Nope. Political support for manned space flight, specifically the Apollo program stopped when;
1) Americans started changing the channel (NASA even sent a clown car up there to try to get more viewers - ratings still dropped). We have a short attention span.
2) Americans got color TVs, the moon never got any color.
3) No aliens, gold, or uranium - and Americans didn't know what the hell "Helium 3" was.

In short, the moon was kind of a drag.

RachelMay 24, 2017 2:00 AM

@ Dirk Praet

sometimes you use the phrase 'your mileage may vary'
In the spirit of boycotting google and facebook, perhaps you will consider
upgrading to the phrase 'your kilometres may vary'
It is also more original. Which I believe, is something you're one to appreciate for its own merit

Clive RobinsonMay 24, 2017 4:24 AM

@ Rachel,

'your kilometres may vary'

It will go horribly wrong...

The reason is "boys and their toys" and the liking to have military sounding speak.

Thus the kilometres that many US tongues can not drawl around will change to 'klicks'... Thus the phrase will become in a short time,

    Your clicks may vary

Which will be read entirely differently ;-)

Oh and you lose that "Imperial" feeling that "Miles" gives you, thus you lose that Star Wars 'storm trooper' anthem running in the back of your head, and instead get some Parisian accordion street music and visions of men in berets, stripy jumpers on old push bikes with huge skeins of garlic bulbs B-)

Dirk PraetMay 24, 2017 4:35 AM

@ Rachel

perhaps you will consider upgrading to the phrase 'your kilometres may vary'

I don't know. I already come across as a git sometimes, and stuff like this would only make it worse. There was a time when I experimented with idiomatic expressions literally translated from Dutch, which totally confused the living daylights out of my native English conversation partners. As in "there's sh*t on the marble" or "it knocks like a bus".

Totally cool Rollins video, by the way. Been a fan of him since his Black Flag days, and he's definitely one of the most impressive musicians I've ever met backstage (in Eindhoven, Holland, while working as a roadie for the opening act)

@ Clive

The second is that some will bring their disaffection and ideology back with them and act on it in a number of ways that will be detrimental to not just the communities they came from but others as well.

I do not believe such people can be successfully integrated back into a society they had already come to reject in the first place. Neither do a majority of psychologists and field workers. As harsh as it may sound, they forfeited their place here the day they left for Syria or Iraq. Legally, there is unfortunately little that can be done to stop them from returning, except in the case of dual nationality citizens or folks that had previously been granted refugee or asylum status.

The Manchester bombing is something I'd been afraid of for a long time. Concert and festival venues are extremely vulnerable to this type of attack, especially because security staff have very limited authority to adequately deal with potential wrongdoers.

@ Slime Mold With Mustard

It always astounds me that the names of these people come out so soon, or even the fact that the authorities know who they are.

Because in general they had already previously appeared on radicalisation radars. Logistically, it's impossible to monitor them all 24/7, and legally it's impossible to proactively take them off the streets. That's the price we pay for being a (relatively) free and open society. Best thing you can do is restrict their freedom of movement, but which in practice is very hard to accomplish too.

RachelMay 24, 2017 4:40 AM

@ Clive

'..stripy jumpers on old push bikes with huge skeins of garlic bulbs'

But Dirk may really go for that

Clive RobinsonMay 24, 2017 5:52 AM

@ Slime Mould...,

As for the almost one-way IC relationship. I agree it exists, but see hegemonic exploitation as one of two factors. The first is budget. GCHQ head Sir David Omand told BBC 4 on November 7, 2013 "We have the brains, they have the money"

History shows that during WWII the seniors at Bletchley were only too aware of not just the financial but manufacturing resources issue, and that for the foreseeable future Britain would be "the poor cousin at the table". Which is why they pushed really hard against quite a bit of opposition for what became the BRUSA --later UKUSA-- agreement. If you look at various books and released papers you will see that the likes of the CIA went down the commercial equipment route and had little in the way of scientific input. Even GCHQ was staid in its approach and was reliant on US tech. It was MI5 that in the 50's led the way with getting scientists and engineers into intelligence to do practical work which MI6 only started to catch up upon in the late 70's. My contact with the UK intel community in the 80's again showed technology from the US but ideas and direction from the UK and importantly an emphasis on boots on the ground to check what ElInt and SigInt were providing had context.

But for various reasons the UK always gets very bad value on military spending, you only have to look at the Trident replacement as well as the nonsense with the replacements for the UK aircraft carriers to see this.

The French and some other European countries however appear to get very good value for their spending which begs the question of what is really going on in the US and UK MIC. Thus I tend to regard the 2% of GDP spend the US keeps pushing as being somewhat suspicious to put it mildly. It's clear that defence spending has a significant and detrimental effect on a national economy thus 2% of GDP really is a case of "shoot yourself in the foot" and all the arguments about offsetting by defence sales fail when you consider the amount of corruption involved.

As I've pointed out in the past defence spending is a con game. It arises from the issue that you never know when you are spending too much only way too little because you get attacked. Thus those inside the MIC have an almost perfect setup to use the bogeyman tactic of over inflating the threat. The money then apparently evaporates for a decade or two until a pile of non functioning crap appears that then requires further huge investment in capital. A current case being the UK Navy destroyers where of the six only one appears operational at any one time...

It's interesting to read press reports such as,

The clear message is "spend more" but no sign of finding out why these disasters happen more often than not, nor any intention of sorting them out so they don't happen in the future.

FreezingMay 24, 2017 10:47 AM

@ Patriot COMSEC

All of this is aimed at reducing the influence of the U.S. NATO-like security agreements have also been spoken about, and I think this is what the future holds for China in Central Asia-- and perhaps beyond.

"Who controls the Heartland controls the world"

Who?May 24, 2017 11:07 AM

@ ab praeceptis

Also note that virtualization seems to be one of the weak points of OpenBSD.

Not anymore. In the last years OpenBSD has done a great effort in both guest and host lands. See for example how many great improvements have been done in paravirtualization using the VirtIO protocol (see, for example, vio(4), vioblk(4), viocon(4), viomb(4), viornd(4), vioscsi(4) and vmmci(4)). OpenBSD now includes its own virtual machine monitor (vmm(4), vmd(8)).

Of course, all these technologies are somewhat new in OpenBSD (starting at 5.3 with virtio(4) up to 6.1 (vmm(4))). If you want to run OpenBSD's virtual machine monitor I would suggest going to -current and not expecting big features yet. vmm(4) can be considered experimental right now and will have large improvements in the near future.

AlanSMay 24, 2017 1:15 PM


It's hard to feel sympathetic towards the Brits on this one given their own penchant for "chauvinistic nationalistic behaviour", although now such behaviour on their part is mostly delusional and rather pathetic (e.g. Brexit, Empire 2.0).

The Americans seem oblivious or maybe they just like pissing, taking a leak as it were, on May and Co. (understandable): US officials leak more Manchester details hours after UK rebuke.

TatütataMay 24, 2017 2:33 PM


This state started with WWII and the excuse for the Kow-Tow was the War Debt, however even though Maggie Thatcher ensured it was paid off back in the 80's the US government demand that the subservience to their wishes continues as though it was still owed.


The UK owed an awful lot of money to Canada too:

The US loaned $4.33bn (£2.2bn) to Britain in 1945, while Canada loaned US$1.19 bn (£607m) in 1946, at a rate of 2% annual interest.

The assistance from Canada was thus on a per capita basis two to three times larger than that provided by Albion's prodigal son. And that amount doesn't take into account forgiven debts and outright gifts (especially in the emergency period 1945-1950), which I believed amounted too in the billions, or the Canadian war effort. (The Empire parliaments declared war almost together with Westminster in September 1939, not in December 1941).

Yet only the debt to Uncle Sam counted...

Several Canadian imperialists were disappointed in the aftermath. And those who didn't believe in the Empire felt confirmed. Canada's trade with Britain collapsed, and was progressively more integrated in the US continental system, especially after the UK applied for membership into the EEC. Newfoundland, which was bankrupt since the 1930s, was essentially flogged off to Canada, even though not a few Newfies would have preferred another option... The wartime scientific and industrial collaboration (e.g.: Radar, Tube Alloys) didn't survive very long either.

On the credit side, the war business provided a huge boost to many industrial sectors (e.g.: aluminium, navy, aircraft construction, radio manufacturing) which wouldn't have been possible under continued depression-era economics. And some Canadian politicks entertain(ed) colonial fantasies about taking over British possessions in the Caribbean! (Canadian banks did anyway...)

The UK debt was actually finally formally paid off in 2006, long after Maggie's tenure. And if one takes into account inflation, the amount that was actually paid back is without doubt much smaller than what was initially borrowed.

I remember this stuff when I hear British UKIPpers or conservative politicians mouth off over the financial problems in Iceland or Greece or southern countries in general, or their misplaced nostalgia for the bl**dy Empire, and I'm so much more dumbfounded by Brexit. Maybe I'm too much influenced by the cartoons by Steve Bell or Martin Rowson.

AlanSMay 24, 2017 2:49 PM


The Bell and Rowson cartoons are the best parts of the Guardian.

Slime Mold with MustardMay 24, 2017 3:23 PM

@ Dirk Praet

I misspoke. I should have written "I can't believe the police even let the press know they have identified the bomber". If you re-read the rest of the paragraph, I will seem slightly less stupid.

@ Clive

I wish I had not implied that all military spending was worth it. If we accept the premise that the object is deterrence (questionable), it is currently unprovable, historically, if effective, it is 'provably' wasted.

In the US, when they concentrated on buying congress, our predatory arms industry delivered arms of fair quality at inflated prices. Having re-invested some profits in purchasing the Pentagon, they now produce crap for astronomical sums (as you observed).

You mentioned the two aircraft carriers the UK is building. As they are intended to carry Lockheed Martin's F-35 Flying Dumpster Fire, they as well be sunk to block the Danes or Dutch from sailing up the Thames. : >

SystateMay 24, 2017 4:02 PM

Clive Robinson
You said computer science is not a science yet you want them to apply engineering principles to solve the problem. How's that going to work out if they are always being led about by the industry?

tyrMay 24, 2017 4:10 PM

@Clive, et al

This character was a Byte Magazine columnist
back in the day.

His latest is this popcorn stuffing epic on

I seriously doubt the idea of Trump as savior
for reasons of personal cynicism on my part.

I did enjoy Amber Rudd being outraged that
the spooks blithely interfered in an investigation
of a crime. That's the modern interlocked
collusion between IC and media blatantly

EvilKiruMay 24, 2017 6:33 PM

@Rachel: I think there's no euro-centric equivalent of the US-centric "your mileage may vary", which refers to the EPA-mandated MPG (miles per gallon) rating that must be included on the new car consumer information sticker that US car dealers are required to place on the inside of a window on new cars they sell. When this went into effect, all US car ads also had to include the MPG rating and they all included the phrase "your mileage may vary".

Clive RobinsonMay 24, 2017 7:18 PM

@ tyr,

His latest is this popcorn stuffing epic on Comey.

I was reading Jerry's stuff both his fiction and circuit cellar stuff in Byte, back in the 80's. You might remember he had a thing with Ronnie "Ray Gun" Reagan, and wrote the Space Defence Initiative (SDI) part of Reagan's state of the union address, which he later followed up with claims that their "Starwars" SDI weapons were what brought about the collapse of the Iron Curtain and end of the Cold War. Which all things being equal does not really hold water as a claim.

As for the stuff he's reported, two things immediately come to my eye as being wrong.

Firstly that anti-Trump report from the Ex MI6 bod was paid for twice, the first time by the Republicans to try and get Trump out of the running. When that failed the Democrats paid for further work on it. However as we now know the guy writing it created his own echo chamber and was thus told what he wanted to hear, not what was true. He then developed what might politely be called "missionary zeal" and just went off the reservation into a la-la land fantasy where any old tat was treated as gospel and in no way checked the more ludicrous the invention the more it was believed, hence the prominence of the "Golden Rain" tale.

As for HSBC it's not a "British Bank" the obvious clue is "Hong-Kong and Shanghai Banking Corp" (HSBC). The fact that they have offices in the UK is one of "convenience" much like "Liberia Registered ships" are sailing under a "flag of convenience". Put simply with the ending of the 100 year lease on Hong-Kong island to the British HSBC had to find a new home before the Chinese got their claws into them. British law was convenient as was London's location in terms of time zones. You might remember that much of the financial shenanigans that came to light over HSBC was due to what was happening via their Swiss arm that was actually a "Private Bank" in Switzerland and revealed in the "Panama Papers". The actual British Bank involved is "the Queen's Bankers" Coutts. You may remember Coutts got acquired by RBS and much suspect behaviour occurred during this period as they opened up the client base. Both HSBC and Coutts are reputed to have used Limited Liability Partnerships held abroad to shift vast amounts of money into the likes of the UK property market on behalf of some decidedly dodgy political leaders basically stealing money. Apparently LLPs were popular for this sort of thing because if effectively held abroad their requirements for filings at the UK's Companies House was as close to nil as you can get...

Tony H.May 24, 2017 7:25 PM

@Milo M.
"When an emergency call is made with a smartphone that is AML enabled, the phone automatically activates its location capability (GNSS or Wifi) during 20 seconds to establish its position and sends this information via a text message to the emergency services."

How does it know where to send that text message? Hardcoded short code to work everywhere? Broadcast by the network at some lower protocol layer? A-GPS *must* be used, and it's part of the GPS helper/ephemeris/etc. info? Or...?

Some of these schemes would allow for spoof messages to be sent.

Clive RobinsonMay 24, 2017 7:26 PM

@ Systate,

Re your comment on CS / Eng, can you give a bit more detail such as which of my comments you are going by because they do not appear to be on this thread.

Clive RobinsonMay 24, 2017 7:46 PM

@ Slime Mould...,

As they are intended to carry Lockheed Martin's F-35 Flying Dumpster Fire, they [may] as well be sunk to block the Danes or Dutch from sailing up the Thames. : >

They would probably be of more use defence wise as an artificial reef than as functioning aircraft carriers ;-)

I don't know if you know but there is a sunken WWII munitions ship with about five kilo tonnes equivalent of explosives on board still in the Thames estuary not that far from London. There are various opinions as to what might happen if it does go pop, one of which is "bye bye Canary Wharf, the O2 center and much of Royal Greenwich / Deptford new multi million pound waterfront high rise housing developments" purchased by the Chinese friends of our old Chancellor of the Exchequer George "White lines Gidiot" Osborne, who is now the Editor of the Evening Standard, and busy trotting out the Tory Line as hard as he can even though he is known to hate Mrs May with more venom than the Grand Canyon filled with rattlers.

The reason I say the aircraft carriers would be of more use as an artificial reef is that they are without doubt a complete waste of space. There is a myth about their "projected power" ability, the reality is they are just sitting ducks as I've mentioned before. Compare the PNR range of the F35 to that of a cruise missile or drones actual range to see why.

Clive RobinsonMay 24, 2017 8:05 PM

@ Tatutata,

The UK owed an awful lot of money to Canada too

And most of what is now the Commonwealth as well. In turn it can be argued that much of Europe and Russia likewise owed the UK over WWII.

When it comes to war debt the one thing history teaches us is that if reparations etc are put in place the usual outcome is another war.

The way to avoid wars is by trade, that way both sides have way more to lose than they have to gain. Something that will haunt the US badly if it comes to war with China over the South China Seas.

It might be one of the reasons there is so much saber rattling over North Korea. It could well result in a proxy war as was started by Stalin in the 1950s and then dumped on China. The US does not have a good success rate with proxy wars in Asia historically. With China and its major rearmament[1] and artificial island building the western aligned nations there are starting to feel very very nervous indeed. Thus it would take very little for the South China Seas to turn red, not just politically but with the blood of a million or so people.

[1] Including an F35 rip off that apparently does not burn and crash every five minutes ;-)

AlanS May 24, 2017 9:50 PM


HSBC was founded by a Scotsman. If you look at their logo you'll notice that it's a St Andrew's Cross.

The Scots have a fairly 'colorful' history in HK. Earlier characters included Jardine and Matheson, who started working for the East India Company, before heading out on their own. Jardine Matheson, as was the case with the EIC and HSBC, made vast amounts of money trading in opium. They were not popular with the Chinese authorities. Google image search for a photo of the Jardine House building in HK, then search for the Chinese nickname for the building. Most Brits don't remember, their memories are clouded with romantic empire bullshit, but the Chinese do.

The corruption you describe has a very long history. A good part of the argument in The Wealth of Nations is an attack on the practices of the EIC, the world's first big global corporation. The EIC (famous in Boston for their tea) often acted outside effective government control, had its own vast army in India, which it 'governed', not the British, for a long period, and which wasn't beyond starving millions to death if it earned some coin. It's the model for modern corporations and everything rotten in market economies.

FigureitoutMay 24, 2017 11:37 PM

--Yeah it's very relevant and something that makes me very nervous. Framing people for crimes they didn't commit would be very easy to do in a civilian setting when you're not actively looking out for it. Proving you were framed would be harder to do if a perp cleaned up and you are logging whatever premises 24/7 (basically impossible or there'll be holes).

mere mortal
--Glad you're able to make it work for yourself. Stepping stones to more secure setups is how the world works, you don't just flip a switch and do no work to get somewhere in computer security. Getting off exclusively windows was really nice, but I still use it a ton for programming (lots of toolchain support, b/c that's what gives you biggest bang for your buck if you're a company and you choose an OS to support). I've tried a lot of distros, lots of CD/DVD's, and have used OpenBSD (barely tried FreeBSD) for variety of purposes. It's very easy to install and the minimalism is quite nice. Few things make me pretty mad like pre-installed crapware firstly taking up my memory, then taking up CPU time with network traffic and wasting battery/power. They know no one in their right mind would install their crapware, so they pay to pre-install it. And windows 10 putting candy grams or whatever that worthless game was on my work computer pissed me off, I'm not playing games when I'm building production firmware builds...I have lots of computers for specific purposes. For day-to-day use, being able to install most anything easily, keyword *easily* and knowing I can resolve an issue that pops up pretty quickly is what I want most times. So I went back to latest Ubuntu for my biggest PC I have. Can do a lot of programming and other work on it.

Security Musings: Potential Security Risks of Low Power
--Was reading this paper today trying to wrap my head around how some other chip works (being able to reset a watchdog timer w/ code executing on separate processor inside, not the main CPU; must pass a pointer to the processor to pick up that loop. Most chips you put to deep sleep, there's no code execution or separate processors, and you can't reset a watchdog timer so you can't have it on in sleep.)

Two threats popped up in my head, keep in mind, these are way out there and I bring them up as a fun thought exercise, they may be totally overblown or not.

1) In clock-gating (being able to selectively shutoff oscillators), if you have critical functionality dependent on certain clocks, there may be a risk of it getting shutdown by an attack to enable other attacks or to incapacitate defenses on chip. Or if a remote shutdown backdoor were to be added (possible in today's environment), adding more gates that control whether a clock is on or off would make a prime spot for a backdoor.

2) "Flashing sampling", which is a technique to reduce power by powering on flash memory for quick bursts, then turn off. I could see malware or a rootkit using this technique to covertly scan flash memory to either eavesdrop by copying and moving to an exfil point or check its malicious code is still there, maybe doing so quickly (10 nanoseconds) it hides from detection or get written off to some other unknown effect. Can't immediately find much more on this technique.

ThothMay 25, 2017 1:46 AM

@anony, all, Moderator

There is no Github repo link to be found for review.

Also, noting the reward offered, nobody knows who you are and how much to trust this reward. There is no official statement whatsoever as well and the fact that $1000 is offered with an unknown identity, a ciphered message and no effective link to the Github repo sounds rather suspicious and it seems like some sort of marketing for some products along that line.

I am not sure about the legality of such messages on this forum and it is up to the discretion of the @Moderator and @Bruce Schneier for their decisions.

Also, the amount of trailing "---This message has been ... " is a very bad idea as a user doesn't want to handle that stuff and "---End of Encrypted Message" is also a bad design choice as it is a calling card for those observing the traffic or data to see such metadata and there is always a saying that "Metadata Kills" and the more metadata you introduce, the more you leak details about the sender and receiver.

This sort of encrypted messenger will not make the cut with such a huge header and also a dead giveaway that someone is attempting to encrypt to another recipient and such metadata would allow attackers to create traces and pinpoint targets.

JG4May 25, 2017 6:17 AM
New Cold War

How a dubious Russian document influenced the FBI’s handling of the Clinton probe WaPo. (This is the Kos rewrite: “Comey was duped by the Russians into bypassing the Justice Department and attacking Clinton.” Wait, now Comey isn’t a Hero of the Republic?) Anyhow, “officials say” is WaPo’s sourcing. That is the sourcing. “Current and former officials.” That is where we are with the sourcing.

Trump’s Go-To Lawyer Kasowitz: A Pit Bull Loyal to the Boss Bloomberg. But will Kasowitz be able to get his boss to button his lip?


AnonMay 25, 2017 6:26 AM

Leaking of Manchester evidence to the media:

An attempt to undermine POTUS, or public deception in order to smoke out the rats?

Clive RobinsonMay 25, 2017 7:00 AM

@ Anon,

An attempt to undermine POTUS, or public deception in order to smoke out the rats?

Neither, it's endemic behaviour of the "Twats On The Hill".

If you go back and look at the 7/7 attack in London, you will find the same leaking of sensitive information by US Hill Twats who should have kept their lips buttoned...

RatioMay 25, 2017 7:42 AM


Leaking of Manchester evidence to the media:

An attempt to undermine POTUS, or public deception in order to smoke out the rats?

Transparency and accountability, of course. Has there ever, in the entire history of mankind, been any other reason to leak?

Clive RobinsonMay 25, 2017 7:57 AM

@ Usual Suspects (Thoth especially),

Plagiarism abounds yet again

Have a read of,

And compare to C-v-P...

The sad thing is they've missed some of the finer points...

The author is a Prof and was a post-doc researcher at Cambridge Uni Comp Labs and has worked with Ross J Anderson,

Thus he really should know better than nicking ideas that are "Known in the field of endeavor", especially when he can be shown to have read this blog...

Should I drop him a written letter?

ThothMay 25, 2017 9:27 AM

@Clive Robinson, Nick P

I sometimes wonder if you and Nick P have the ability to read minds. I was very close to bringing up that issue but decided to hold back precisely because they missed the finer points of the architectures we have been discussing. One side of me thought that it was probably coincidence that they might just have had that idea but the other side of me had some suspicion on them copying the designs we discussed here.

Well, he should receive the letter and the whole ton of C-v-P theories (by asking him to do his own Schneier blog search on his own).

Also note that he had to use some sort of specific hardware while all I had to do for my version of implementation was to use the host computer (i.e. Windows OS), a USB hub and a bunch of smart card chips embedded into USB form factor where the insecure router does the routing of messages between the multiple USB form factor smart card sticks which the smart card sticks will secure themselves and prevent the insecure router/middle-man from tampering with the traffic thus my setup is much cheaper and more cost effective with no requirements of anything fanciful.

ThothMay 25, 2017 9:43 AM

@Clive Robinson, Nick P

Also for the use of a trusted "controller" chip as verifier in the Prison architecture, I have thought of a possible way to not require a trusted "controller" chip sitting between all the secure crypto-coprocessors that do the secure execution. The third party chip can be as untrusted as ever in my current opinion (as I am still deciding on the properties of my current suggestions).

My new idea would be to simply do a group key negotiation of sort or some sort of announcing of their calculation results attested by their group negotiated digital signatures in a sort of broadcast style via using the controller to route the signed messages to each other. Once a small group of co-processors have finished doing their calculations and broadcasted their signed results with negotiated group session signature key, they would look at all the results and then amongst themselves produce a result by broadcast style anonymous voting within the group of co-processors.

The problem this produces is how to consolidate the results with as little overhead and present it in an attested fashion while correctly representing the consensus of voting of the results by the group of co-processors within the possibly malicious controller chip having a hand in anything.

Also for those who want to falsely dare patent or possess the works of @Clive Robinson, Thoth, Nick P et. al. who have contributed to the C-v-P architecture for the use of no good that which maketh us fools or to harmth others, do heed thee cursed by the sameth fate that befell those who broke into King Tutankhamun's tomb :D !!!
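
The broadcast-and-vote scheme Thoth describes in the two comments above, sketched as an added example that is not part of the thread or of anyone's actual C-v-P implementation: co-processors authenticate their results under a group session key, an untrusted controller only routes them, and each co-processor tallies the majority itself. Assumptions: HMAC-SHA256 under a pre-shared group key stands in for the "group negotiated digital signatures" (so it authenticates the group against the controller, not members against each other), and all names and the sample job are constructed.

```python
import hashlib
import hmac
import os
from collections import Counter


def _encode(round_id, sender, result):
    # Length-prefix every field so field boundaries cannot be shifted.
    fields = (round_id, sender.encode(), result)
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def _mac(key, round_id, sender, result):
    # The tag binds the result to one round and to the claimed sender.
    return hmac.new(key, _encode(round_id, sender, result), hashlib.sha256).digest()


class CoProcessor:
    """Hypothetical co-processor; `compute` is the job it executes."""

    def __init__(self, name, group_key, compute):
        self.name = name
        self._key = group_key  # assumption: negotiated earlier, never seen by the controller
        self._compute = compute

    def announce(self, round_id, job):
        result = self._compute(job)
        return {"sender": self.name, "result": result,
                "tag": _mac(self._key, round_id, self.name, result)}

    def tally(self, round_id, delivered, group_size):
        votes = {}
        for msg in delivered:
            expected = _mac(self._key, round_id, msg["sender"], msg["result"])
            if not hmac.compare_digest(expected, msg["tag"]):
                continue  # altered in transit, forged, or replayed from another round
            votes.setdefault(msg["sender"], msg["result"])  # one vote per sender
        if not votes:
            return None
        result, count = Counter(votes.values()).most_common(1)[0]
        # Require a strict majority of the whole group, not of what was delivered.
        return result if count > group_size // 2 else None


def run_round(coprocs, controller, job):
    round_id = os.urandom(16)  # constructed here; the group would agree on it
    announcements = [c.announce(round_id, job) for c in coprocs]
    # The controller is called once per recipient, so it may treat each differently.
    decisions = [c.tally(round_id, controller(announcements), len(coprocs))
                 for c in coprocs]
    return announcements, decisions


def demo():
    key = os.urandom(32)
    job = b"constructed job input"

    def good(data):
        return hashlib.sha256(data).digest()

    def faulty(data):
        return b"\x00" * 32  # a co-processor that computes the wrong answer

    # 1) Honest routing, one faulty member: the two correct results outvote it.
    group = [CoProcessor("cp0", key, good), CoProcessor("cp1", key, good),
             CoProcessor("cp2", key, faulty)]
    old_round, honest = run_round(group, list, job)

    healthy = [CoProcessor(n, key, good) for n in ("cp0", "cp1", "cp2")]

    # 2) Controller rewrites one result and replays last round's messages.
    def tamper(msgs):
        return [dict(msgs[0], result=b"attacker-chosen")] + msgs[1:] + old_round

    _, tampered = run_round(healthy, tamper, job)

    # 3) Controller withholds messages: no majority, so no result is accepted.
    _, starved = run_round(healthy, lambda msgs: msgs[:1], job)

    return {"expected": good(job), "honest": honest,
            "tampered": tampered, "starved": starved}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The controller can still deny service by dropping messages, and the tally does not address the attested consolidation of the vote that the comment leaves open.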

EvilKiruMay 25, 2017 1:07 PM

@Clive: I don't recall any connection between Jerry Pournelle and Steve Ciarcia's Circuit Cellar other than that both appeared in Byte Magazine.

Clive RobinsonMay 25, 2017 2:30 PM

@ EvilKiru,

I don't recall any connection between Jerry Pournelle and Steve Ciarcia's Circuit Cellar...

Hmm I think you are right, it was "Chaos Manor" he called it, but hey that was back in/before Ronnie the Ray Gun which is a third of a century ago, which is more than half a life time (so far ;-)

EvilKiruMay 25, 2017 3:05 PM

@Clive: Ah yes, Chaos Manor. I'd forgotten that. I just checked his personal website and it still uses that name.

tyrMay 25, 2017 4:25 PM

@Clive, et al

The Circuit Cellar had an interesting design
going. It's too bad Gary Kildall wasn't around
long enough to supply M/PM to Ciarcia for his
extended memory Z80 architecture (HD180 ?) comp.
My memory is pretty fuzzy on it now but that
combination would have killed Gates crap if it
had been allowed to determine the direction
of computing.

I've often thought that computing may come to
the same end as the Irish potato farmers by
insisting on monocropping. In the case of the
comp putting everything on the same architecture
for general usage. A worm that bricked all of
the Intel + clones through the TPM would take
down far too much of the modern world for any
level of comfort.

Figuring out who owns what in international
business is opening an ugly wormcan, by the
time you locate the head of the worm the tail
has disappeared in a flurry of legalistic
confetti thrown up by their lawyers. Mark
Blyth had a nice bit on Chinese Banks and
referred to investing in China as faith based
investments. Something to do with the lack
of transparency.

If Rayguns star wars hadn't derailed the
political push, the L5 Society would have
talked USA into building the habitation
module for a starship at that LaGrange
point. It would have been a better use for
the money. However bombing and military
expansions are a lot more stylish these

Milo M.May 25, 2017 5:15 PM

@Tony H.:

This probably doesn't answer your questions, but . . .

Advanced Mobile Location (AML) & Emergency Location Service in Android (ELS)

pg. 2:

"When an emergency call is made with a smartphone where AML is enabled, the phone automatically activates its location service during 20 seconds to establish its position and sends this information via a text message to the 112 and 999 service in the UK"

Advanced Mobile Location (AML) Specifications & Requirements

See pgs. 5 and 15.

European Telecommunications Standards Institute
ETSI TR 103 393 V1.1.1 (2016-03)

"An SMS message is initially routed to the home network's SMSC [Short Message Service Center]. SMSCs should be programmed to send an emergency location SMS (identified by an SMS number such as 112, or a dedicated full length MSISDN [Mobile Station International Subscriber Directory Number] operated by, or on behalf of, the PSAP that is running an AML [Advanced Mobile Location] location processing application (the AML Server)."

Section 2 and Appendix C imply that this might not work well if you're roaming outside the country in which you pay for mobile service.

No idea how easy or hard it would be to spoof such a message. Not obvious why one would want to, but mischief abounds.

Clive RobinsonMay 25, 2017 5:17 PM

Another know nothing journalist touting the backdoor mantra

Those who have a copy of the London Evening Standard[1], might want to turn to page 17 or follow this link,

To read an article by Rohan Silva, who is basically using the Manchester bombing to regurgitate the "Snoopers Charter" line about encryption back doors. And in the process shows he either "knows nothing" about the subject or worse is being deliberately disingenuous for ulterior reasons.

If he is being disingenuous I don't know why, because his Editor George Osborne MP[1] is known to fervently dislike Mrs May PM who came up with the "snoopers charter". Further George is also known to have an intense dislike of Amber Rudd MP who has taken over Mrs May's old job quite ineptly as the recent WannaCry episode shows.

In fact as most journalists know Amber Rudd's only real claims to fame are her lack of business acumen[2] her bullying, fractious nature and her brown nosing ability to others who find her a "useful idiot".

So on the face of it you would expect that George Osborne would have used Editorial prerogative to stop the story... Which leaves the question of "Why not?".

[1] The editor of the Evening Standard is ex-chancellor George "White Lines" / "gidiot" Osborne (Cons), who was sacked by Mrs May (Cons) when she became PM. Why on earth anybody would think he would be a competent let alone good editor is beyond most in the industry but then the Russian owner of the paper may be currying favour or if you like is "trying to influence the UK general election".

[2] Amber Rudd is known to be quite the failure in business life and her father is a multi-time bankrupt who is no longer allowed to be a company director in name or influence. However as Private Eye has shown he appears to have had that sort of influence over Amber and her mother with the result that the family has lost considerable financial worth. So Amber appears not to understand the "Fool me once..." principle.

JG4May 25, 2017 6:45 PM

I favor deletion of abusive posts, but the very recently missing one was a work of art in satire. Except for straying over one or more lines. I object to it being deleted without a notice of how far was too far. My working assumption is that the references to various religions were objectionable (they made me uncomfortable, but the humor roughly balanced that) and I'd like to see it reposted with adjustments. I didn't get a chance to collect the links, one in particular. Thanks

JG4May 25, 2017 7:03 PM
Big Brother is Watching You Watch

“The Secret History of American Surveillance” [Reveal]. Surprisingly advanced techniques in our first imperial war, suppressing the Philippine’s war for independence.


News of the Wired

“How one man wreaked ingenious revenge on rude customers in a coffee shop” [Telegraph]. What’s the world coming to…

“There was method to the madness of Heath Robinson’s extraordinary illustrations” [The Spectator]. Looks like Rube Goldberg. Test of independent invention? Maybe not:

The expression ‘Heath Robinson’ has entered the dictionary to mean ‘an over-ingenious, ridiculously complicated or elaborate mechanical contrivance’. But early domestic gadgets were often ridiculously complicated. Hubert Cecil Booth’s original vacuum cleaner of 1901 was a steam-powered machine the size of a large cart, and pulled by horses. When you summoned it, the monster was brought to the road outside your house, and pipes led in through the windows. This was an important social event — ladies would invite their friends to come and take tea and observe the wonderful machine in action.

And this was before the Internet of Things!

“The GOP’s leading campaign and fundraising arm, the Republican National Committee, has thrown its support behind an initiative that could allow marketing firms and robocallers to spam your voicemail inbox — without your phone ever ringing” [TechDirt]. “Whether you want to have a voicemail inbox magically filled with political missives, ads for mattresses and assorted other sales pitches apparently doesn’t even enter into the equation. If you’d like to share your thoughts with the FCC on this subject, you can find and comment on the particular proceeding in question, here.”

Nick PMay 25, 2017 8:02 PM

@ Thoth

There's almost always a central, trusted component if it's not secure, multi-party computation. The consensus stuff gets complicated. I was doing something similar to what you're describing in my proposal for distributed, secure repositories. They would've essentially been link transaction logs that were synced up after checking signatures and/or access controls. It's doable. There's high overhead, though, to the point that I don't know off head its feasibility for verifier. The prior work in that area used high-reliability circuits that were simple. Recent work and my own proposal put the verifier on older, process node or just easier-to-verify methodology so it can be trusted.

Btw, you have some competition coming. Keep moving fast.

ab praeceptisMay 25, 2017 9:15 PM

Nick P, Clive Robinson, Thoth et al.

Today, after lots and lots of research and of work I dare to say that it's not all dark.

The 3 main reasons for my, albeit still modest, hope are the following:

- thanks to Snowden, Assange, Wikileaks and many others we have a changed situation. Sure, there are also factors working against us, the worst one being the smartphone swamp, and Joe and Jane are either blissfully ignorant or helpless anyway. But generally the situation changed to the better, particularly because have begun to grow up (as I call it). There are more and more people who don't handle IT as the new wild west but who are beginning to understand how important safety and security are.

- More and more available and better hardware, particularly processors. While I like Risc-V it's not even about that specific processor but about having alternatives to x86 and arm and about better chip design and verification.
Unfortunately, the very chips we are supposed to trust most, namely "trusted stuff" like sim and hsm processors are badly tainted, even poisoned, by java but not all hope is lost; maybe sometimes soon companies like nxp or infineon wake up and offer alternative methods of (direct) access rather than having to go through a java crap layer.

- Lots of progress on the software side. Granted, most of it is not yet in a generally and widely usable state but we are on a good way.

Being at that let me report about some of my own experiences.

The task I chose (well the most current one besides my everyday professional work) was a high quality prng (I already hinted at that). The reason is simple: If I had to pick the one "lego" brick that makes or breaks encryption schemes I'd invariably end up looking at prngs. And I understand perfectly well why nsa chose to taint rc4 ...

One of the classical problems is that you can either have a fast prng or a good one, i.e. one that is very hard to predict. There are plenty of more or less crappy but quite fast ones (e.g. the xorshift family) and there are quite some cs-prngs of high quality but those tend to be snail-slow (and btw. often do *not* have good random properties). Gladly though that's less bad than it seems because one could - and does - use csprngs to seed (and sometimes also to occasionally reseed) crappy but fast prngs. If there wasn't the problem that pretty much all of the fast ones are so utterly crappy (predictable, biased, bad distribution, etc) that they are *very easily* predictable ("crackable").

The algorithm itself showed itself to be impeccable and even elegant (no, it's not mine) but the reference implementation (in C/C++, "of course") has diverse problems; some of them quite grave, most probably not so significant.

This is reporting about my work to implement it in sparked Ada. I myself spotted just 1 (grave) error in the ref. implementation, the rest was spotted by Ada, which I intentionally provoked by "stupidly" translating the C[++] ref. code as verbatim as possible. The kind of errors and problems I found was what I would consider typical for C[++]. Plus the whole thing was brutally lacking in elegance (don't underestimate that! Elegance is a quite reliable indicator of design quality).

So I started all new, based only on the algorithm and completely ignoring the ref. implementation. Result (after just a few days work, most of it thinking): Much more elegant (quite well matching the elegance of the algorithm) and almost no "red" (Gnats error marking).

But it gets better. The Ada compiler also grumbled at me when I had a variable that could be a constant and things like that. Excellent!

When I was all but done and running my test cases (in particular also testing for reference conformity) it soon blew up with a constraint error. It was code generated by Spark to runtime check a precondition. I mention this and find it interesting because it points at a very interesting spot, namely that the designer in me had formulated a precondition that was perfectly right but the programmer in me still had some bad old habits...
Side remark: Currently Spark brings quite many buts and ifs along and the kind of (very low level) code I was working on did not allow for static verification of some parts, so I had to have runtime checks created at least for the development version.

Another result that might be particularly interesting to many: My Ada code runs about as fast as C[++] code but I have to be fair and mention that that's not the full truth. To achieve that result I needed quite some experience with Ada (e.g. trying to avoid implicit 2nd stack allocations) and with diverse tricks of the trade (e.g. when and what to inline). But then, the good result could be achieved and was achieved. That's an important message. Using Ada does *not* make your code slow.

All in all I feel confident enough to not just laugh at them if, say a nation state, asked me whether a trustworthy basic OS incl. the major libraries typically needed could be created with reasonably low resources and in a reasonable amount of time.

I'm gaining more and more confidence that we might escape into a safer future. But I also see that there are mountains of work before us. Nevertheless, medium gray is still much better than pitch black.

Clive RobinsonMay 26, 2017 5:12 AM

@ ab praeceptis,

I'm gaining more and more confidence that we might escape into a safer future. But I also see that there are mountains of work before us. Nevertheless, medium gray is still much better than pitch black.

Oh there's a little colour in there too; if you look carefully you get the occasional gem.

One big problem that is not much talked about is "haste" in software development. Creation in art, science or engineering is actually a thoughtful endeavor and as has been discussed here briefly in the past elegance is a metric of fitness, that we have yet to quantify in a non abstract way. Throwing things together in overly short time scales gives rise to inelegance. I frequently mention the Victorian boiler makers, and wheelwrights. The wheelwrights' artisanal method of small incremental improvement gave rise to a pattern that if followed would provide a serviceable wheel for carts and carriages. The boiler maker however had no history to give them patterns, they only had "bodge it and cludge" which boiled down to work it till it breaks then bolt on a cludge and work it again, looping around until it stops breaking. The results were as you would expect not just inelegant but downright ugly. There was also a side effect of deaths by boiler explosions. This got to the point where the British Parliament had to act. The result was the gentlemen of science and the artisan blacksmiths had to meet and the result was engineering (look up the history of "The ring of iron").

If we now look at programming we can see scientists and we can see smiths and wrights, and a degree of artisanal behaviour. But as of yet no real engineering, so software development is mainly in the "bodge it and cludge" endless iterative loop. To make things worse, few can see the shape of software, even those who crank it out, thus the deformed morass of cludges essentially remains hidden in the dark and festering like a rotting corpse. Few actually shine a light on it and clean up the stygian mess, instead they slap on yet more cludges as though necrotic code could be hidden by a wart and thus ignored.

Few dare mention the driver behind this state of affairs which is the cries of "faster faster" from the bridge, as the bottom gets torn from the ship, and the crew frantically bail. There are many to blame but the likes of Microsoft stand prominent in many people's minds for the pushing of vapourware that needs endless patching. That in turn infected an entire industry and the technical debt becomes a tsunami of world girdling proportions. Thus we need to slow down and get the artisans to meet the scientists and become engineers. The problem is how to get out of the ship, and stop frantically bailing to keep your nose above water, because from the bridge of every other ship you hear "faster faster", as the world becomes a "Red Queen's race to the bottom". Even Bill Gates discovered that things had gone too far even for a Hercules and the stygian mess will remain in the Augean Stables that is the software industry.

With regards PRNG's it's not just the speed issue it's also the minimal memory requirement as well. It has often struck me as odd, that we know that "entropy" is based on redundancy yet we demand a state behind all PRNGs with minimal redundancy. Back in the 1990's I had reason to be designing PRNG's and as you probably know crypto algorithms have issues when used as PRNGs. Thus you end up with either ridiculously large block ciphers or chains of algorithms where one acts as a CS-CNT to feed the data in of a block cipher and another CS-CNT drives the key in and runs at speed that is a very small fraction of the data CS-CNT.

As I've mentioned here before I ended up using a modified version of ARC4 where the Sarray was 1024 elements long but the output was still only a byte in size. Further I modified the update algorithm such that the Iptr got jumped every so often by the addition of ten bits from a BBS generator. I did also modify the output algorithm such that it ran in the key fill mode, with the input from a Mitchell-Moore generator. The performance like the speed was good but... There were moans about the usage of memory which was 1026 bytes for ARC similar for BBS and a hundred or so for the Mitchell-Moore generator, all to produce an apparently endless stream of bytes...

There are a number of ways you can look at your use of Ada, but in effect the process was taking time to think or of using a formal method both of which are a step towards the engineering approach, but the road is long, and the journey but a few steps started.

It's also why I'm known for preferring hard science graduates over CompSci graduates. Because not only do they have a solid science/engineering background, they have actually had to use software in anger for real engineering tasks. Thus they are more in Bacon's mold not that of Descartes which CompSci grads appear to favour.

ab praeceptisMay 26, 2017 5:59 AM

Clive Robinson

Haha! Your description of the Victorian boiler makers, and wheelwrights pretty well matches major parts of the software industry, too, it seems. "bodge it and cludge which boiled down to work it till it breaks then bolt on a cludge and work it again" puts it quite well, doesn't it.

"as you probably know crypto algorithms have issues when used as PRNGs." - oh yes, and how well I know that. On the other hand, what are we to do (other than using trngs which for some reason are rarely available on mainboards ...)? Them mersenne twisters, xor shifters and linear shifters have good random properties and speed (in good cases) but are utterly simply predictable. The cs-prngs are very hard to predict (well, that's their whole raison d'être) but bloody slow and/or plagued by poor random properties.

Funny that you mention state space, which is both an ugly malady and rarely noticed. Surprising, it seems to me, looking at cache sizes and multithreading systems. In other words: Unless your state doesn't fit in one cache line chances are that you have an attack surface on your algorithm's a**. Unless you desire a bad day I suggest to not look at widely used crypto ... (state spaces of kilobytes are quite common (as is memcmp and other bad sins)).

"ARC4" - Oh there are many who made that choice and it seemed not that bad then; nothing to be ashamed of. OpenBSD used it, too. Today we know better. Btw, the prng I've implemented has a state space that fits easily in a cache line and with some effort it fits even in the register set (which, of course, is very strongly desirable).

"preferring hard science graduates over CompSci graduates" - Hmmm, my personal approach is to go with seasoned CS people but to have some mathematicians on the team, too. In bad cases I end up being the "joint" myself but I've had cases where a CS colleague (with strong math inclination) and a math colleague with solid CS experience/inclination did very well.
The reason for my approach is that we usually absolutely need a good link between the two and also the typically used tools must be "digestible" and produce digestible output, because in the end it ends up in the code. Which btw is another reason why I really love sparked Ada; it brings together the math and the code very comfortably (well, it's on a good way at least). But I get your point.

JG4May 26, 2017 6:26 AM

@Ministry of Truth - Thanks! You might try reposting paragraphs of the weaponized satire as a way of probing what is over the limits.

@Clive - Thanks for the nice exposition of engineering history. There is a useful treatment of that and more in Petroski's book, To Engineer is Human.
Imperial Collapse Watch

The U.S. Intelligence Ship Is Too Leaky To Sail Bloomberg (resilc)

Big Brother is Watching You Watch

Florida GOP consultant admits he worked with Guccifer 2.0, analyzing hacked data ars technica (martha r)

About Face: DMV Lets Cops Search Database of Driver’s License Photos Seven Days (Chuck L)

Cartoon: The Internet of Ransomware Things Geekculture. EM: “The broom was my personal favorite.”

Nick PMay 26, 2017 8:25 AM

@ ab praeceptis

Nice experience report. :) I got another person, doubec, trying to learn SPARK. That user posted this report of their semi-automated style of proof on red-black trees. Meanwhile, I went to find out what Ada had on temporal safety vs Rust as I previously heard you eventually resort to unchecked deallocation if there's a lot of memory moving around. Plus, the Ravenscar restrictions are quite long compared to Rust's borrow checker which is 3 rules and 2 "traits" for concurrency. They really need to steal the safety system of Rust. Pushing them on Reddit and comp.lang.ada got interesting results:

Rust's temporal safety for Ada/SPARK

The bad news is the responses largely sucked. The difference between how they handle a question like this and how the Rust people handle it explains a lot about why only one has momentum. One thing I say everyone should steal from Rust that's non-technical is how they do community building to create momentum. In the Ada threads I encountered, quite a few didn't seem to get the basic question or focused excessively on concurrency part. So, there aren't many people following the main forum daily that can handle advanced questions about the language. Contrast to Mozilla having a whole team of people scouring Google Groups, Hacker News, Reddit, and so on answering questions. Then, I'm getting procedural stuff that doesn't quite explain itself to a lay audience. The Rust team puts tons of effort into writeups on about any aspect you can think of. Independent parties do as well given the momentum they create naturally leads to that. If you're curious, I eventually provoked a Rust team member enough that he dropped an ad-hoc guide to doing it. :)

Now, the bad parts aside, the good news that might appeal to you most is a knowledgeable person from AdaCore did show up. Yannick seems to show up on a lot of these threads. He told me the following:

"In fact, we currently have at AdaCore an intern working with us on the inclusion of Rust-like pointers in SPARK. He has reached a first milestone which was the description of suitable rules to include safe pointers in SPARK, which have convinced the SPARK Language Design Group at AdaCore and Altran UK (the small group working on the evolutions of the SPARK language).

He's now working with us and researchers from Inria team Toccata to give a mathematical semantics to the notions that we're using for these safe pointers: move (on assignment mostly), borrow (on parameter passing for mutable objects) and observe (on parameter passing for immutable objects). We have also started looking at the concrete implementation of these rules in GNATprove (the SPARK analysis tool).

In this work, we don't target everything that the Rust borrow checker does:

- we leave accessibility checking (the lifetime checking in Rust) to the compiler, using existing Ada rules, plus some restrictions in SPARK to avoid the need for dynamic accessibility checks

- we leave nullity checking to proof (a Verification Condition will be generated for dereference of possibly null pointers), with the help here of Ada non-null types that reduce the need for such proofs. Given that pointers are always initialized to null in Ada, there is no need to separately deal with initialization.

- we ignore the problem of memory leaks (which could be tackled later as an extension of the current scheme)

So the main issue that we really address with this work is the issue of non-aliasing. Or rather the issue of problematic interferences, when two names, one of which can be updated, are referring to the same memory location. We're focusing on this issue, because it is the one preventing inclusion of pointers in SPARK, as for formal analysis we rely on the ability to perform modular analysis, where we make assumptions on the absence of problematic interferences.

But since our solution to non-aliasing is based on this Rust-like notion of ownership of pointers, the same solution will also forbid use-after-free or double-free.

This work is ongoing, we will certainly let the community know about our progress after the summer."

Also confirmed that they'll try to extend it further in the language if this experiment succeeds. You can already see they're not investing enough, though, given they have one intern while Mozilla dropped an entire team on the problem. At least it will improve.
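The three notions named in the quoted AdaCore reply (move, borrow, observe), shown in Rust as an added example that is not part of the comment or of AdaCore's work. The `Tracked` type and its free counter are hypothetical, built only to make the single deallocation observable.

```rust
use std::cell::Cell;
use std::rc::Rc;

/// Hypothetical heap-owning type; `frees` counts how often it is deallocated.
struct Tracked {
    data: Vec<u8>,
    frees: Rc<Cell<u32>>,
}

impl Drop for Tracked {
    fn drop(&mut self) {
        self.frees.set(self.frees.get() + 1);
    }
}

/// "Observe": shared read-only access, the caller keeps ownership.
fn checksum(t: &Tracked) -> u32 {
    t.data.iter().map(|&b| u32::from(b)).sum()
}

/// "Borrow": exclusive mutable access for the duration of the call.
fn fill(t: &mut Tracked, value: u8) {
    for byte in t.data.iter_mut() {
        *byte = value;
    }
}

/// "Move": ownership passes to the callee, which frees the value on return.
fn consume(t: Tracked) -> usize {
    t.data.len()
}

/// Returns (checksum, length, frees before consume, frees after consume).
fn demo() -> (u32, usize, u32, u32) {
    let frees = Rc::new(Cell::new(0));
    let a = Tracked { data: vec![0; 4], frees: Rc::clone(&frees) };

    let mut b = a; // move on assignment: `a` can no longer be named
    // checksum(&a);            // rejected: E0382, borrow of moved value

    fill(&mut b, 3); // borrow on parameter passing, data is now [3, 3, 3, 3]
    {
        let exclusive = &mut b; // the one updatable name for this memory
        // let peek = &b;       // rejected: E0502 while `exclusive` is in use,
        //                      // i.e. no second name for updatable memory
        exclusive.data[0] = 9;
    }

    let sum = checksum(&b); // observe: 9 + 3 + 3 + 3
    let frees_before = frees.get();

    let len = consume(b); // move: `b` is freed inside `consume`
    // consume(b);              // rejected: E0382, so no double free
    // checksum(&b);            // rejected: E0382, so no use after free

    (sum, len, frees_before, frees.get())
}

fn main() {
    println!("{:?}", demo());
}
```

The commented-out lines are the interesting part: each is a compile-time rejection, which is why the free counter can only ever reach 1.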

ThothMay 26, 2017 11:21 AM


It is quite obvious that Amazon's CloudHSM service provides ability to extract keys from HSMs with HSM administrator authority to hand over to anyone and even for themselves. EnigmaBridge took quite a while to realize that Amazon (in bed with U.S. ICs), will not think twice to reveal the user enrolled "HSM protected" key.

It is known that Amazon's CloudHSM uses Safenet Luna HSMs and the security level is set to FIPS 140-2 Level 2. What it means is the keys stored in the HSM CAN BE RETRIEVED. A Level 3 and above prevents retrieval and even then, Amazon is free to lie about the security level and can spoof as FIPS 140-2 Level 3 or 4 (prevent retrieval of keys) and even then Amazon could also lie about whether HSMs are actually deployed as there is very little that they can't do to spoof the HSMs' existence.

Also, the idea of a public cloud-based HSM service is a very bad idea as it means that you are surrendering critical cryptographic material to someone whom you don't really know well and even then it is a bad idea to hand over any security critical materials to anyone trusted or not.

Also, Enigma Bridge claims their setup for their CloudHSM is FIPS 140-2 Level 4 and it's secure. Yet another obvious snake oil again.

The best security measures are for the customer to purchase or build their own HSMs and deploy it themselves in their own environment and not anywhere else in the context of HSM deployment.

Enigma Bridge and other Cloud HSM solutions will be added to incoming Hoilydays list.


ab praeceptisMay 26, 2017 8:37 PM

Nick P

Actually I'm a little sad about C. Dross/Y. Moy doing what they are doing because while certainly meaning well they actually risk to add confusion. Let me explain:

That whole verification field is confusing enough and many do not fully understand it. As it also happens to be one of the few major tools in the rotten software world, it is of importance that it be well understood.

I'd feel a need to elaborate on two important points in that regard. And I'll begin with and use as a guiding light Dijkstra's often forgotten but immensely important statement that code is the implementation of algorithm. This immediately leads us to my first point: What is code verification about? Answer: It is obviously about code, i.e. about the *implementation* of algorithms - *not* about algorithm verif.

What Dross/Moy demonstrate is understandable from a human point of view. Of course, having developed a powerful new tool, one wants to show its capabilities and to play with it. Quite probably another factor played a role, too, namely a very troublesome attitude mainly from across the ocean (something like "No need to properly think. Just do it. Shoot!").

And yes, Spark has grown to considerable power; one *can* do lots of amazing things with it, as (not only) Dross/Moy demonstrate.
However: That is *not* what code verification is about! It is *not* about algorithm verification!

As I said, the field is complex and we should certainly not mislead those who are just beginners in it. Similarly I can understand that it just seems practical to throw "all that verif stuff" together, particularly when a tool like Spark seems to be able to handle it.

No. We must discern and not cut corners. The question to be answered using Spark is a specific one. It is about the *implementation* - and nothing else. "Is my algorithm sound?" is a question to be looked at with other tools. Is my red-black tree design sound is not a question to be answered using Spark. Spark is about looking at the question "Is my *implementation* correct?"

2nd and related issue: code verification is *obviously* language dependent. Which also relates to your point of Spark looking at and maybe borrowing from Rust. Frankly, I think that that is largely nonsensical (albeit interesting and fun). Why? Simple: Rust has strong roots in the C family and, in fact, one very C-typical construct, namely pointers and the many related problems, has been a major, if not the reason for Rust in the first place. Most of those problems, however, simply do not exist in Ada.

Digging a little deeper one finds that the core problem is not even pointers but their utterly unaccounted willy nilly availability and arbitrary usability along with an utter lack of means to properly deal with them even if one wanted to; C (and family) simply don't offer any means. *That* is the problem, not even pointers per se. I know what I'm talking about; what I just said is the very reason why I looked at Frama-C (which I liked but which isn't powerful enough) and at separation logic tools.

Let us look at an algorithmically trivial problem, namely at a "hex printer", i.e. at code to "print" an unsigned, say 32 bit integer into a hex string. In C that would be something like a

void hexprint(char*buf, uint32_t num);
procedure where buf is the buffer to print into and num is the number to be printed.
Where does 'buf' come from? Is it on the heap, on the stack? Does it exist at all? What's its size?
In Ada the same thing would be
procedure hex_print(buf : out String; num : Unsigned_32);
and we need not care where buf is allocated plus the compiler *knows* that; also the size of buf is known. So, sparking it might be as simple as "with Pre => buf'Last >= buf'First + 8", done.

Which leads me to next point: When I said that we must properly understand what we are examining/verifying I left away one decisive point: context - and that's what I'm actually testing above.
Code verification means two things, namely a) implementation (e.g. the procedure itself) and b) context (which includes the interface).

Remember the uni days when they drilled us to provide context, when they drilled us to e.g. specify domain and co-domain for a function? Same thing. hex_print, being code, i.e. meant to be run on real world hardware, is not supposed to work no matter what; it is supposed to provide a well specified service with a well specified context; that may be something simple like 'buf' existing and being at least of size 8 (or 9 in C) or it may be much more complex factors such as temporal or other conditions (like e.g. 'buf' being read or written to from/by another thread).

I agree that Rust has found an interesting and promising approach. However, Rust is only interesting under the premise that one wants to stay within the C universe - which, frankly, doesn't sound like a smart proposition considering all the problems we have.

But there is good news, too. Gladly only (so my experienced guess) a quite small part of the rich C related problems universe is to do with complex problems. The vast majority are 1 off errors, loop errors, many kinds of buffer errors, etc.

I respect the good intention of the Rust people but as far as I'm concerned it's a lousy compromise. New code should use better languages in the first place and for the huge body of existing C/C++ code we'll need post factum analysers.

I had good reasons to stress in my "report" that Ada a) does not run significantly slower (and usually just as fast as C code) and b) doesn't make us less productive; in fact, if there is a difference at all then it's one to the good side.

That said, I personally chose Ada for many reasons but my intention is not to preach Ada. Eiffel, for example, might be an alternative for many, too. And even C can be acceptable, provided that microsoft doesn't somehow limit vcc to windows and dark-world licensing.

My advice for those who are interested in formal methods and proper software design would be to have a look at tla+ and at B. *Those* are meant to be used to verify one's design (as opposed to code).
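The hex printer from the comment above with its context written into the interface, as an added example that is not the commenter's code. It is in Rust so that it runs as shown: the `&mut [u8]` slice carries its own bounds the way the Ada `String` parameter does, and the size precondition becomes an explicit check. `HexError` and `HEX_DIGITS` are names assumed for the illustration.

```rust
/// Hypothetical error type: the caller's buffer does not meet the contract.
#[derive(Debug, PartialEq)]
enum HexError {
    BufferTooSmall { needed: usize, got: usize },
}

/// A 32-bit value always prints as exactly 8 hex digits.
const HEX_DIGITS: usize = 8;

/// Writes `num` as 8 upper-case hex digits into the start of `buf`.
///
/// Context the bare C signature `void hexprint(char *buf, uint32_t num)`
/// leaves unstated, and how it is pinned down here:
///   * `buf` exists and is writable : guaranteed by `&mut [u8]`
///   * nobody else reads or writes it during the call : guaranteed by `&mut`
///   * `buf` holds at least 8 bytes : checked below, before any write
fn hex_print(buf: &mut [u8], num: u32) -> Result<usize, HexError> {
    if buf.len() < HEX_DIGITS {
        return Err(HexError::BufferTooSmall {
            needed: HEX_DIGITS,
            got: buf.len(),
        });
    }
    const TABLE: &[u8; 16] = b"0123456789ABCDEF";
    for (i, slot) in buf[..HEX_DIGITS].iter_mut().enumerate() {
        // Most significant nibble first.
        let shift = 4 * (HEX_DIGITS - 1 - i);
        *slot = TABLE[((num >> shift) & 0xF) as usize];
    }
    Ok(HEX_DIGITS)
}

fn main() {
    // Constructed sample: sentinels on both sides show nothing outside the
    // 8-byte window handed to hex_print is touched.
    let mut buf = *b"#........#";
    let written = hex_print(&mut buf[1..9], 0xDEAD_BEEF);
    println!("{:?} {}", written, String::from_utf8_lossy(&buf));

    // A 7-byte buffer violates the precondition and is rejected untouched.
    let mut short = [0u8; 7];
    println!("{:?}", hex_print(&mut short, 1));
}
```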

FigureitoutMay 26, 2017 10:03 PM

Clive Robinson // Thoth RE: c v p
--Not sure the beef besides if you just want a shout out (and it's still technically possible he doesn't read here and thought up this himself unless you're eavesdropping on his connections), you're aware you're posting on a public site, and I'm not sure the legal procedures to protect your ideas when you post them online (keyword ideas, not implementations, never saw implementations no matter how much I begged).

I have to keep my mouth shut about a lot of things I wish I could say and discuss, but I've signed agreements and would give competitors a leg up if they happened to be reading. Personally I find it really exciting that different brains with different approaches and different ways of seeing the world will take some work and apply new ways of thinking to it.

So long as you version control, if they muck up an idea so bad, just revert to older versions. :p

Clive RobinsonMay 27, 2017 5:01 AM

@ Figureitout,

Not sure the beef besides if you just want a shout out (and it's still technically possible he doesn't read here and thought up this himself unless you're eavesdropping on his connections)

The "beef" if you will is academics, they get very prickly about attribution of ideas or parts of ideas, hence the often long long list of references at the backs of papers. Also those who sites who sites, all are part of the "publish or die" rules. However quite a few academics treat what they see as non academics differently and will not acknowledge other peoples ideas unless they "are part of the club". Not only is it hypocritical behaviour it also makes their crime even more insulting. But worse it "buys in" to one of the worst straitjackets on knowledge since the Catholic Church the racket of the academic journals.

Even on a "public site" what I write good, bad or indifferent is automatically a "work" that has as a minimum the legal protection of copyright etc. The fact it appears on a public site which is freely available also means it is "published". The copyright can not be taken away, only the rights pertaining to it assigned to others. The fact it also carries both my name and a date of creation / publication further strengthens those protections and rights, and makes it in effect "prior art" from that time onwards. Which you probably know means it has legal implications when it comes to both patents and usage. Importantly like it or not the Schneier on Security site is due to both its usage and history the equivalent of a "journal" even though not pre peer reviewed.

Any way all that said as I have said a number of times I do not mind people using my ideas, but there are two requirements, firstly acknowledgment, secondly that if they buy me a drink, preferably through our generous host, thus they buy Bruce two drinks, and at some point Bruce can buy me one (if we ever meet up ;)

RachelMay 27, 2017 5:14 AM


Any way all that said as I have said a number of times I do not mind people using my ideas, but there are two requirements, firstly acknowledgment,

Clive, I acknowledge you. Because you are my hero! I mean that with utmost sincerity. I admire you on a variety of levels. I won't go into the number of reasons why but I am sure anyone else here could create such a list just as easily

How many lives have you saved and will you continue to save, we wonder?

Clive RobinsonMay 27, 2017 10:04 AM

@ Rachel,

Imagine if you can a man of sufficient height and stature that a previous commenter described him as "looking like a Klingon", but without the wrinkles, and after reading your comment a slightly red complexion around the ears :$

Nick PMay 27, 2017 11:03 AM

@ ab praeceptis

"I respect the good intention of the Rust people but as far as I'm concerned it's a lousy compromise. New code should use better languages in the first place and for the huge body of existing C/C++ code we'll need post factum analysers.

I had good reasons to stress in my "report" that Ada a) does not run significantly slower (and usually just as fast as C code) and b) doesn't make us less productive; in fact, if there is a difference at all then it's one to the good side."

You seem to be missing a big reason for my post which has nothing to do with C. There's no way in Ada to do temporal safety in the general case. The AdaCore rep acknowledged that. Many others wrote about the need to use unchecked deallocation in lots of places. The Rust solution started with linear types work in *functional languages* decades ago that the Cyclone team made work with a C-like language. Rust adopted affine types and improved on it. That Rust competes with or has occasional similarities to C is irrelevant. The relevant thing is the affine types on references, aka the borrow-checker, make the major, temporal errors impossible and allow safe concurrency with no extra constraints. One can also use multiple, concurrency models just like the best HPC languages allowed given different problems suit different models. All are safe at code level, though, via borrow checker. This allows Rust developers to use those pointer or thread heavy approaches that result in ultra-fast machine code *with no safety concerns or runtime checks*. Ada and SPARK can't do that just like AdaCore rep admitted.

So, I suggested *those features* be included *into Ada/SPARK*. Then, we get all the benefits of Ada/SPARK plus the strongest of Rust that Ada/SPARK currently lack. It also eliminates need for separation logic like VCC uses for temporal safety since it does same thing *without any verification effort*. They just heuristically learn ways of structuring programs to reduce battles with borrow-checker. SPARK would suddenly do dynamic memory and flexible concurrency so long as we're not talking real-time apps. Ada 2012 code would also require less runtime checks and tests given Rust's model makes it immune to these problems without runtime checks. So, there's clear improvement to be gained if Ada/SPARK adds a borrow-checker for references. Meanwhile, Rust is in the lead if the program is dynamic and/or multi-threaded.

Nick PMay 27, 2017 11:13 AM

@ Thoth

"It is known that Amazon's CloudHSM uses Safenet Luna HSMs and the security level is set to FIPS 140-2 Level 2. What it means is the keys stored in the HSM CAN BE RETRIEVED."

In the past, Level 4 devices were separate products that cost a fortune. I could see them not using Level 4 if trying to offer low-cost HSM's to a wide audience. I mean, it should be an option for mission-critical, business assets for those who would pay. They might not, though. Since there's justification against Level 4, my first question is whether their current hardware supports Level 3 with no extra costs? If extra costs, maybe a business decision from the penny-pinchers at Amazon. If not, then it may corroborate the idea that they're malicious.

Operating at Level 2 w/ key extraction possible is pretty damning. The report said "tamper-evident, seal broken." Does that mean the key is available but knowledge of extraction is tamper-resistant along lines of Level 3? Or can they get rid of the broken seal status? Also, does the interface easily allow a cloud vendor to let customers (a) ensure their stuff stays on specific set of HSM's and (b) get a signed confirmation that seal is intact before doing a sensitive operation? Then, they could just periodically check with a smaller window of risk.

RachelMay 27, 2017 2:16 PM


Imagine if you can a man of sufficient height and stature that a previous commenter described him as "looking like a Klingon", but without the wrinkles, and after reading your comment a slightly red complexion around the ears :$

funnily enough I pre-empted both components of your reply because you have previously described 1. your appearance and 2. your physiological reaction, when reading of compliments on this blog

some millennia ago, Iskander was taking a stroll and encountered a naked Klingon wearing a barrel, sitting on the pavement. Iskander stopped and said, I will give you anything you want. The Klingon looked up and responded 'Move out of my sunlight'
Iskander the ruler of the world sighed and exclaimed 'If I was not Iskander I would wish to be Clive Robinson'

FigureitoutMay 27, 2017 3:02 PM

Clive Robinson
--Well how do you know he didn't think it up himself, especially if it's "missing some spots"? Need to prove that first eh? It won't get a lot of uptake if it's locked behind a paywall. I didn't realize every post online is copyrighted.

Oh I tried to buy Bruce a drink but he dipped out to his hotel room then plane after a talk. So sorry I guess a digital beer will do (and I'm not doing your toslink data diode either 😂😂)

ab praeceptis • May 27, 2017 7:24 PM

Nick P

For a start Yannick Moy != Ada(core). Y. Moy, who has a strong background in C/C++, with emphasis on safety and checking, is a senior engineer at AdaCore and mainly involved with Spark from what I know.

What he says about that intern is focussed on a certain quite specific problem where Rust like pointer may or may not be helpful.
Also kindly note that Ada's unchecked_deallocation is *not* something dangerous or evil (as it may sound); it's merely about deallocating a pointed to object expressly as wished by the programmer.

But the problem goes far deeper. We (safety oriented Ada people) have a "hierarchy" from desirable down to undesirable and pointers ('access types' in Ada lingo) are considered undesirable; sometimes necessary (e.g. at the OS interface) but undesirable. Another example is pointer arithmetic; it's available in Ada, too ("hidden away", of course) but you'll hardly get an Ada developer to use pointer arithmetic without seriously urgent need or a liberal dose of beating him.

On the other hand, people being people and existing software being what it is (e.g. OS or lib Interfaces) pointers are sometimes used, be it out of utter necessity or due to idiocy. It's *that* dark and sad corner Y. Moy is talking about and not about Ada somehow throwing away all its beauty only to follow the Rust creed.

Moreover keep in mind that Moy is mostly about checking, Spark, proving, etc. So, his statement is *not* "Rust does it better. We'll switch" but rather something to the effect of "Rust pointers are attractive for *checking* and bookkeeping. We should look at that".

There are - like everywhere - of course different factions within the Ada community, one of which is the lenient one with e.g. Moy (maybe to a degree also driven by business interests); I myself belong to the other faction, the one that says "Let them die. More often than not pointers are evil and if used at all, that should be left to only the experienced wise masters. If a grasshopper uses them and dies that's just natural selection and a solved problem".

Which brings us to the next point. Sorry if I'm blunt (my English isn't good enough to put it elegantly) but I don't trust or care a rat's rear about Rust. Simple reason: To me "open source community" translates pretty directly to "bunch of idiots". Of course, there are usually some bright or even brilliant individuals involved, too, but "democracy", "equality", bla bla etc, quite commonly and reliably is but a recipe for disaster.

"It also eliminates need for separation logic like VCC uses for temporal safety since it does same thing *without any verification effort*."

To me that simply translates to "I don't care. Let them play, I have work to do". Verification is no burden, it's a gift from heaven.
And btw, even if Rust really had solved the pointer problems (which I doubt until I see rigorous proof) so what? There is still plenty enough crap in their C heritage rucksack. And let's not forget the ugly fact that Mozilla not only gave us Rust but they also gave us the browser cancer which is their main product as well as the JavaScript plague. I won't touch anything from Mozilla with a pole.

Nick P • May 27, 2017 9:41 PM

@ ab praeceptis

"For a start Yannick Moy != Ada(core). Y. Moy, who has a strong background in C/C++, with emphasis on safety and checking, is a senior engineer at AdaCore and mainly involved with Spark from what I know."

Yannick understands Ada enough to work on its flagship implementations at the main company contributing to it. That he admits the hole I describe is there is quite a bit of corroboration.

"Also kindly note that Ada's unchecked_deallocation is *not* something dangerous or evil (as it may sound); it's merely about deallocating a pointed to object expressly as wished by the programmer."

You could say the same thing about C or C++. The programmer wants to do that operation safely for good reasons involving dynamic, memory management. In Rust, they can. In Ada, they can't without garbage collection. Ada in FOSS also doesn't have a garbage collector as good as Go's per Yannick. Hence, Ada needs to have one or both of these to be safe in situations the competition is which Ada can't handle.

"On the other hand, people being people and existing software being what it is (e.g. OS or lib Interfaces) pointers are sometimes used, be it out of utter necessity or due to idiocy."

Rust is utterly dominating such extensions in terms of a safe, high-performance language doing them. Ada uses the same platforms without the same benefits. Your counter is actually corroborating Yannick's and my position that a borrow-checker in Ada would be a good thing.

"To me that simply translates to "I don't care. Let them play, I have work to do". Verification is no burden, it's a gift from heaven."

Intellectually stimulating but not in general. The concepts of maximizing potential and ROI means you want to create as many great things as possible with as little effort as possible. Forcing long, hard work in separation logic like Microsoft tried to do in Hyper-V is terrible compared to how quickly Redox team threw together a whole OS with same safety guarantees on heaps just using Rust's borrow-checker. Same benefits with fraction of knowledge or work = better solution.

Rust's temporal safety hit a sweet spot between cost and benefits I rarely see. So, I'd prefer the other safe, system languages to have the same capability. Otherwise, a concurrent, low-latency GC that can be customized to the job at hand more like Go to save programmers effort. However, if Rust people can handle borrow-checkers, the straitjacket-loving developers using Ada should be able to do it just as well. Maybe better combined with other features of language.

ab praeceptis • May 27, 2017 10:48 PM

Nick P

Y. Moy is a bright and capable man but again: he is not Ada or AdaCore. He is not even Spark. That is not meant in any way against Y. Moy but rather to put your story into a frame. What you call "quite a bit of corroboration" still is far away from "Ada/Spark will use Rust's pointers". Also Y. Moy didn't admit anything; he merely mentioned something that is, btw, *not* high up on AdaCore's ToDo list. Putting an intern at something usually translates to something like "is probably worth a closer look and some experimenting".

You also consistently fail to see the importance of language. This is not some game where one collects safety items and strives to have the best ones. Ada simply has BY FAR less need for safe pointers than C family languages.

One point that immediately struck me was the clear hint at something that tells a lot about the Ada people and reminds of the difference between professionals doing something vs. some amateurs playing around: Math at Inria and a strong desire to have it properly formally verified, both the design and the resulting code.

"In Ada, they can't without garbage collection" - uhm, garbage collection is optional and many Ada compilers don't have it (and I certainly don't miss it). More importantly, though, that demonstrates once more that you might want to pick up on my multiple strong hints about language specificity. That whole garbage collection mindset comes from a certain background, often C and family, but is of far lesser importance for other languages. So, for Rust GC might be seriously attractive but many Ada compilers do not even plan to work on it; it's simply an unimportant gadget.

"The concepts of maximizing potential and ROI means you want to create as many great things as possible with as little effort as possible." - Uhum. And what is "great things"? Unless "great things" means crap (like most code we have that was driven by profit greed and incompetence), if it means at least halfway decent quality we are back at formal methods and languages like Ada or Eiffel, etc.

And I'm back at my "report" where I - with good reason - mentioned that TDC (total development cost) with Ada is *not* higher than with C and family. This is even way more true if we include maintenance.

So what are you arguing here? That we should throw millions of more hours and billions of more $ at the C family in the hope that one day in the year 2700 it might be able to deliver "great things" of halfway decent quality with not too much effort - say, like what we can do today even with Object Pascal (not even to mention Ada)?

"Forcing long, hard work in separation logic like Microsoft tried to do in Hyper-V is terrible compared to how quickly Redox team threw together a whole OS with same safety guarantees on heaps just using Rust's borrow-checker. Same benefits with fraction of knowledge or work = better solution."

Theory and improper, too. For a start the "long, hard work in separation logic" of Microsoft led to *provably safe* code. I've yet to see that for Redox. Moreover you are comparing apples and horses, namely early research work of Microsoft vs. much later work (btw quite probably profiting from Microsoft's earlier work). Furthermore Rust's borrow-checker solves 1 (in words: one) problem only, albeit a major one while Microsoft's work solves whole problem classes and offers formal verification.

And again: I did concrete work, I solved concrete problems in C, Frama-C, VeriFast (sep logic) and in sparked Ada. I have concrete experience with concrete work. And the result is that working in Ada is about as fast as in C and much, much more efficient and faster than ACSL annotated C plus Frama-C checking (which btw. is a pita even just to set up) or sep-logic annotated and checked.

That is a tremendously important result because it means that we can build "many great things ... with as little effort as possible." or, more concretely with about the same effort - but with hugely higher quality!

"Rust's temporal safety" - ... is mostly a misnaming. Yes, temporal aspects may play a role under certain circumstances but the thing you are talking about is mostly memory safety. As for temporal safety there is much more needed than merely pointer safety. And btw. Ada offers a lot in that regard since a long time (I'd love to talk about Eiffel, too, but a) my experience with Eiffel is quite limited and b) multitasking of any kind is quite new there).

As we are on a security blog, let me mention an example that is of importance in crypto protocol verification, namely the temporal pi calculus implication, i.e. a statement like "event A implies that there was event B before" which btw can also be transformed for what you meant, i.e. memory safety with multiple tasks -> "event 'grab token' or 'change bit' implies that there was an event 'release token' before".

All in all, yes, Rust probably is better suited than C to create less buggy software but as soon as we talk real safety we can't but talk formal verification, too.

Closing, I have a maybe interesting tip for you: as you like to dig into papers and concepts, you might enjoy a deeper look into the Pony language; you'll even find something similar to Rust's approach plus an amazing evolution towards quite well done and blazingly fast actors.
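The "event A implies that there was event B before" property from the comment above, checked over a recorded event trace. This is an added example, not code from any commenter; the event names, keys and traces are constructed, and the `injective` variant (every A needs its own B) goes beyond the comment's wording, as the usual strengthening that also rejects replays and double grabs.

```python
from collections import Counter

def violations(trace, later, earlier, injective=False):
    """Indices of `later` events not justified by a preceding `earlier` event.

    trace is a list of (event, key) pairs in the order they were observed;
    events only justify each other when their keys are equal.
    injective=False: "later implies some earlier happened before".
    injective=True:  every later needs its own, not yet used, earlier.
    """
    unused = Counter()   # earlier events per key not yet matched (injective)
    seen = set()         # keys for which an earlier event has occurred
    bad = []
    for i, (event, key) in enumerate(trace):
        if event == earlier:
            seen.add(key)
            unused[key] += 1
        elif event == later:
            if injective:
                if unused[key] > 0:
                    unused[key] -= 1
                else:
                    bad.append(i)
            elif key not in seen:
                bad.append(i)
    return bad

# Constructed trace: one "begin" is followed by two "end" events for the
# same session (a repeated message), and one "end" has no "begin" at all.
PROTOCOL_TRACE = [
    ("begin", ("alice", "bob", "n1")),
    ("end",   ("alice", "bob", "n1")),
    ("end",   ("alice", "bob", "n1")),   # same session seen a second time
    ("end",   ("carol", "bob", "n7")),   # never begun
]

# Constructed trace: two tasks sharing token "t". The token starts free,
# modelled here (an assumption) as an initial release event.
TOKEN_TRACE = [
    ("release", "t"),   # initial state: token is free
    ("grab", "t"),      # task 1
    ("grab", "t"),      # task 2, no release in between
    ("release", "t"),   # task 1
    ("grab", "t"),      # task 2 again, now justified
]

if __name__ == "__main__":
    print(violations(PROTOCOL_TRACE, "end", "begin"))
    print(violations(PROTOCOL_TRACE, "end", "begin", injective=True))
    print(violations(TOKEN_TRACE, "grab", "release", injective=True))
```

The non-injective check accepts the repeated "end" and the second "grab"; only the injective form flags them, which is the reading the token example needs.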

Clive Robinson • May 28, 2017 3:47 AM

@ ab praeceptis, Nick P,

It's no secret that I don't like some of the implications of pointers.

Specifically pointers to data objects and who in essence actually owns the data object at any point in time. Whilst not too much of an issue in a process with a single sequential thread of execution, issues quickly arise with two or more threads. The brute force method being to lock an object to who it was last passed to (Rust's way of doing things) irrespective of if it was for reading or modifying the data object. Under the same brute force mentality you have to lock the entire data object not individual data items within it.

In nearly all cases the use of clean functions that pass by message/value resolve the issues painlessly. And as a side effect tend to make generic garbage collection unnecessary as adjusting the stack frame on function termination resolves that. But the problem with this is threefold the size and duplication of the data object passed and likewise the return value(s) from the function, that might be used to update the data object, in effect pushes you back to single sequential thread operation and locked records.

Whilst a human, by having intimate knowledge of the function of the code, can work around this, in general compilers can not because they lack knowledge to do anything other than brute force locking. Attempts to describe the function of the code via labels such as const / static etc still do not get around the problem.

In fact as a generalised case Process Calculi are defined to use message passing channels not by sharing variables, for good reason.

Whilst I won't say passing pointers is an abomination, the abuse many code-cutters subject them to is very definitely an abomination.

Figureitout • May 28, 2017 11:32 AM

Clive Robinson
--Why would I remember that? Lol, that's Wael's fav emoji. 😋💩 Alright too silly now though.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.