Friday Squid Blogging: Squids from Space Video Game

An early preview.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on June 16, 2017 at 4:14 PM • 89 Comments


Ben A.June 16, 2017 4:17 PM

Advanced CIA firmware has been infecting Wi-Fi routers for years

Disable UPnP and look for the word "CherryWeb" in default URLs

The detection of faked identity using unexpected questions and mouse dynamics

Facebook exposed identities of moderators to suspected terrorists

Telegram chat app founder claims Feds offered backdoor bribe

Five Eyes nations stare menacingly at tech biz and its encryption

EU deals Theresa May encryption setback as MEPs propose ban on government backdoors

"Member states shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services."

Ending The Endless Crypto Debate: Three Things We Should Be Arguing About Instead of Encryption Backdoors

When we said don't link to the article, Google, we meant DON'T LINK TO THE ARTICLE!

Finally, a fix for Microsoft’s draconian block on Win7 updates for recent processors

Pirate Bay facilitates piracy and can be blocked, top EU court rules

Nick PJune 16, 2017 4:58 PM

Using Proven Reference Monitor Patterns for Security Evaluation (2016)

This document was interesting for the combo of things in it. It’s the latest from one of founders of INFOSEC, Roger Schell, who with Paul Karger did landmark evaluations such as MULTICS, helped establish first standards for securing systems (with systems appearing), and with a Burroughs guy convinced Intel to add security features to 286. The recent work introduces the fundamental concepts (eg reference monitors, TCB subsets) invented in high-assurance security to deal with the effect of complexity on security. They describe how subversion risk is mitigated throughout the lifecycle by TCSEC criteria. They give numerous examples with or without their GEMSOS system. They show legacy systems such as Linux software can be run with full, MLS security. Then, since it’s also a heavily-biased piece of marketing, they encourage adoption of COTS, high-assurance products such as GEMSOS (which they license) with the last thing saying they have “no conflict of interest.” That was probably a joke by Roger Schell.

In the one I didn’t share with more marketing, Schell noted two things about the recent works:

1. The methods to bolt on security to monolithic kernels (esp Windows and UNIX’s) consistently failed to work. Smart people build a clever, lightweight mitigation that ignores root cause. Once it’s popular or with big money involved, then other smart people come up with a clever attack to bypass the mitigation. Schell and Karger called this “penetrate and patch” saying it would fail. The only ones unbroken right now are those with very little use by consumers or money to be made by breakers. I call it the “Mac is immune to viruses effect” until I have a better name. :)

2. Schell notes that the simpler, separation kernels that dominate right now in high-assurance don’t enforce end-to-end policy enforcement at the application level. They just enforce separation. Each component and interaction (or middleware) must be proven to be secure. Whereas, if you can tolerate prior policies (eg MLS, Type Enforcement), the security kernels enforced it for everything in the system. They were also used in distributed systems by essentially labeling the messages.

3. The security kernels were reusable. This goes for separation kernels and low-level runtimes, too. A common objection to an A1-class system, which includes formal verification, is that it requires specialists, takes a long time, and costs plenty of resources to build or change. They add only slow-changing or ultra-critical systems should use such an approach. Schell et al anticipated this early on by making things such as GEMSOS, STOP, and LOCK generic enough for many applications. Some of the integrations were really cruddy or inefficient but got the job done. Costly, high assurance plus reuse equals low-to-medium cost for later projects.

4. The new stuff doesn’t include full lifecycle protection against subversion. INTEGRITY-178B did as required for EAL6+ assuming the politics in Common Criteria didn’t let them hand-waive something. Not a strong assumption. However, most of these separation kernels are just using formal verification with code review. Reaching the source or object code with full formal is a step up from security kernels of old. However, they lack covert-channel analysis, secure composition, exhaustive testing, external pentesting (that I’ve seen), and highly-secure repos. The build from source or secure distribution aspects vary project by project. None have had years of field use in systems that nation-states might try to attack like the old ones. So, they do less than the old A1-class kernels in terms of overall assurance plus aren’t field-proven. Those deficiencies must be improved.

Now, to counter him, I’d point out research in capability systems, language-oriented security, crypto-oriented security against RAM attacks, CPU-level enforcement of any of that, and so on show their methods are likely dated. That plus new classes of attack and verification methods mean one would have to re-analyze those systems to see what assurance they have today. That said, the patterns still work today. The systems from that time are still stronger in security than most produced today. They would, by design, be easier to implement and verify with today’s methods. So, definitely stuff worth learning or imitating from even that mid-80’s to early-90’s era approach to INFOSEC. Especially given it worked while their critics’ systems mostly got hacked in simple ways. :)

Jonathan WilsonJune 16, 2017 6:20 PM

In regards to the debate over governments and other entities using unpatched vulnerabilities in software to hack into computers for all kinds of reasons (good or evil), I am surprised we haven't seen software and hardware manufacturers (who stand to loose the most when vulnerabilities go unfixed) haven't been lobbying for new laws to make it a crime to profit from the sale of vulnerabilities in software and hardware (except via bug bounties paid for disclosure to manufacturers via responsible disclosure)

Or do manufacturers actually have reasons why banning this stuff (and going after the bad guys with the kind of effort used to attack things like the Silk Road) isn't actually going to be a benefit?

Clive RobinsonJune 17, 2017 3:32 AM

@ tyr,

Sometimes the solution is to roll your own.

Yes, and sometimes no.

I've made mockup but working front panels cases etc in the past as well as full prototypes. Some were for Mil grade equipment and environments (including an ECCM system for ground based missiles that had a "joystick" postol grip controller).

The first thing I'd note is that from much experience you actually need two systems to work on the move. In London a two hour commute either way is normal, and you will not get a seat unless you are lucky or go out of your way to get one. Even disabled people get short shrift from 99% of other commuters. This mode of travel has earn't various names such as "strap hanging", "playing sardines" and a lot worse, the point to know is it is illegal to put "live stock" in such conditions". Oh and getting a seat may not be lucky... with crosswise seating if you have an end seat and the carriage is packed with strap hangers your face may be about a foot from someone else's less than fragrant backside as they push it up against your shoulder. And if they have had a pub visit they may not care about "degassing" directly into your face. Then of course are the hand bags and similar to gouge your eyes or give you facial scars and lost teeth.

In such an environment even a 10 inch pad is impractical to use, let alone anything with any kind of mechanical keyboard. Trust me on this I've tried it and it's a complete "No way No how".

However 7x14cm ~3x6 inch touch screen Smart phone you can use whilst strap hanging and importantly it slips into the breast pocket of a shirt / jacket / coat easily and quickly. Just make sure you add one of those "wrist straps" so if it does get knocked out of your hand --and it will-- it does not hit the floor where you will not be able to pick it up and somebody's foot will find it or your hand or both if you try.

But when you do get lucky and get a seat then you can start using the likes of "bluetooth" keyboards with it. I have two one that is a roll up "poke dead flesh" rubber one which grips onto the back of a cloth or leather satchel / bag / briefcase well enough to use one or two handed. So if travelling longer distance where you might get a fold out table or four seater table you can put the smart phone on the table using it's "picture frame" fold out leg to prop it up. The second bluetooth keyboard I have belongs to a pad I have that will in a hurry fit in a larger waist pocket on a jacket but is to big to use comfortably by hand so is in a fold out case with the case. Much to many peoples surprise I fold it out flat and put the smart phone on it's stand on the pad screen with the pad turned off/standby. The reason for this is the phone is easier to use for typing in text, and reading PDF manuals/books and finding code snippets in files I have stored in it. The phone has a nice little set of *nix tools The useful man() files and vim editor. If the worst comes to the worst then it also has a web browser (so I can look things up ;) But more importantly the phone uses a lot less power than the pad and can due to a sneaky little mod be recharged off of the pad battery or the solar cell charger I built into it using a set of those "hiker rucksack" solar cells.

Oh the other advantage of using a smart phone is you can use it when having to lay on your back in a bed especially a hospital one...

Transferring files from the phone to the pad is fairly easy using bluetooth, though I've had to write my own python program to do it as the android apps just do really dumb things in the name of "security" (like only transfer files that end in .txt or .pdf but not .py etc, but not actually check the file contents).

Clive RobinsonJune 17, 2017 3:53 AM

@ Azrail,

The Guardian story is a little thin. There is a better Scientific America article I linked to (as well as the paper in Science) in last weeks squid page. I also highlighted the problems of QKD in optical fibre and limitations of satellite systems. But... I also noted I think that a space based QKD system will be viable quite a while before either Quantum Computing or Quantum Computing proof asymmetric / public key algorithms do.

However the real issue with QKD general uptake is the thorny "last mile" issue. It's not practical for all but a few to have a satellite ground station capable of QKD, thus it will need to use fibre for the "last mile" to consumers etc. This requires "switches" for the Qbits to be sent to the end users. For such switches to be made we need a quantum repeater/regenerator, whilst we know it can be done it's a complex technical/engineering issue that has yet to be solved in a sufficiently robust way to be put into commercial equipment and work reliably and simply with the minimum of maintenance.

65535June 17, 2017 5:38 AM

@ Ben A,

“Advanced CIA firmware has been infecting Wi-Fi routers for years”

Ha, the CIA has targeted the weakest people.

These are people who use rental spaces that don’t allow wall wiring of any sort - most in the USA [most USA rental laws require pension from the landlord to wire walls and when the tenant leaves, the “improvements” revert to the landlord]. There is no incentive to renters to use anything but wireless networks.

That is one of the many reasons Wireless is so well used. This attack would be from Bland, Virginia to Compton California south of Silicon Valley. That is quite a large number of people to monitor.

I say use a propriety router with open source code no UPandPlay and wired LANs for safety. I am not saying that this will defeat Nation State actors but a lot of actors.

SystateJune 17, 2017 6:04 AM

I see why Nick P told me goodluck on the router issue. I see our boys have pawned it badly. It just makes me doubt my entire computer. I have no way of really knowing if my computer has not yet recieved this special treatment and i dont know about it. lol i was thinking of trying openbsd but then i thought am i actually going to get only openbsd or openbsd.cia version.

I really dont think using a raspberry pi would be any better and i would probably seen as a mad dinosaur always being paranoid if i dont use wirless. Vault 7 hasnt really being surprising but still seeing a punch coming doesnt mean that it wont hurt.

JG4June 17, 2017 6:20 AM

further proof that the FBI are dirty, sewer-swimming dirty. a damning indictment. some of the links in here are real gems, spot on to the topic of communication security (hint: if electronics are involved, you don't have any)

some interesting intrigue from long ago

a brilliant weekly compendium of economic/financial news.

financial security is just as important as air security, water security, food security, shelter security, transportation security, data security and communications security, just on different timescales
Imperial Collapse Watch

Seven missing after US navy destroyer Fitzgerald collides with merchant ship off Japan Guardian JTM: “Your tax or MMT dollars at work. How does an agile destroyer get T-boned by a cargo ship? Must have been Putin!?! Amiright?”

US Navy ship collides with merchant ship Associated Press. UserFriendly: “USA! USA!”

What’s more frightening than an evil world leader? A stupid one Guardian UserFriendly.

Big Brother is Watching You Watch

Step Inside Julian Assange’s Office YouTube (furzy)

CIA has been hacking into Wi-Fi routers for years, leaked documents show ZDNet. Bill B: “A reminders that NGOs like SRI are a common front for American spies. And, to an extent, this explains why Russia and China clamp down on them.” Moi: Yet another reason to have old tech! I insist on having Ethernet-only connectivity devices. So imagine the cable farm at my desk.

Gardaí offer help to Dublin Facebook staff hit by security breach Irish Times (Phil D). Subhead: “Iraqi-born Irish citizen being paid €13 an hour by Facebook fled Ireland after lapse.”

Revealed: Facebook exposed identities of moderators to suspected terrorists Guardian (Phil D)

Australian push to make decryption easier ‘could threaten global internet security’ Guardian (furzy). Headline misleading, it’s about backdoors. But the result is the same.

JG4June 17, 2017 6:44 AM

I missed a handful of gems in the previous comment. The one about the CIA studying French intellectuals brought to mind their collossal f**kup that killed half of Cambodia. I refer to the genocide and war crimes, where Nixon and Kissinger (tapes just released?) bombed Cambodia from the bronze age back to the stone age, setting the stage for Pol Pot's reign of terror. Note that Pol Pot was taught Marxism by French intellectuals. If the FBI don't assassinate me first, I may live long enough to water Kissinger's grave.
Mattis: ‘No Enemy’ Has Done More Harm Than Congress Daily Beast (reslic)

How Hillary Clinton May Find Her Way to Jail Sputnik (UserFriendy). She will never go to jail, but this is too much fun not to run.

Powder-Filled Letters With Threatening Notes Shut Down Georgia Republican’s Neighborhood Free Beacon. UserFriendy: “The note is a bit cheeky. It’s not like Ossoff is any better.”

Kill Me Now

A surprising number of American adults think chocolate milk comes from brown cows Business Insider (David L)


Yemen War Threatens Crucial Oil Chokepoint OilPrice

When Does Amazon Become a Monopoly? Atlantic (resilc). Telling how Whole Foods triggers more hand-wringing than Amazon warehouses.

Amazon has a patent to keep you from comparison shopping while you’re in its stores Washington Post (Chuck L). The determined will call or text significant others or friends at a remove to do the price comparisons.

The CIA Reads French Theory: On The Intellectual Labor Of Dismantling The Cultural Left Philosophical Salon (James C)

Antidote du jour. Tracie H: “Great Horned Owl in a Eucalyptus tree.”

see also:
“As part of Dodd-Frank, rules were put in place to address potential conflict minerals (coltan, tantalum, tin, tungsten, gold) and whether they were coming from or near the Democratic Republic of the Congo and benefitting armed groups there. The rules required retailers to disclose any potential conflict minerals in their products. Last week, however, the current administration passed the Financial CHOICE Act, which would repeal Dodd-Frank, taking conflict minerals regulation with it” [Sourcing Journal].

Shipping: “The US Coast Guard says there is no longer any threat posed to the port of Charleston by suspect containers on board a Maersk boxship” [Lloyd’s Loading List]. “A one nautical mile safety zone was put in place to cordon off the vessel while law enforcement authorities carried out checks, according to South Carolina Ports Authority, which operates the facilities at Charleston.” Only a mile? That’s a relief. Not that I’m foily.

The Bezzle: “A former managing director of Julius Baer pleaded guilty Thursday to a money laundering conspiracy in the DOJ’s prosecution of corruption in soccer’s international governing body” [FPCA Blog].

The Bezzle: “London Finance Workers Describe A Local Culture That Sounds Like A Mashup Between 1980s Wall Street And Dante’s Inferno” [DealBreaker]. ” If the HR manager thinks that The City is a black hellscape, imagine how the traders feel. Or the people trapped inisde the labyrinthine netherworld of eternal torment that is London’s UBS HQ.”

News of the Wired

Thread (DK):

Bharath Ramsundar @rbhar90
What can't deep learning do? Worth putting together a list of known failures to guide algorithmic development
6:31 PM - 15 Jun 2017
66 Retweets 224 Hearts

Ergo SumJune 17, 2017 8:52 AM


A surprising number of American adults think chocolate milk comes from brown cows Business Insider (David L)

I tend to disagree with people, who question the mental capabilities of the Americans, but it is becoming increasingly harder and harder everyday.

Ergo SumJune 17, 2017 9:15 AM

The Intel ME/AMT had been discussed a number of times, but I am not certain if it impacts Macs/MacBookPros. Some site does state outright that:

Despite using Intel chips, modern Apple Mac computers do not ship with the AMT software and are thus not affected by the flaw.


Provided that the quote is correct...

Is it only the software that missing, or the ME/AMT chip not there either?

Nick PJune 17, 2017 9:40 AM

@ Systate

OpenBSD on a small one with quality firmware seems best bet these days. I haven't evaluated any hardware recently, though.

Clive RobinsonJune 17, 2017 10:44 AM

@ Systate,

I really don't think using a raspberry pi would be any better and I would probably be seen as a mad dinosaur always being paranoid if i don't use wireless.

Not by anyone with any --now very rare-- common sense. If you look back to a time before "firewall" became a new ICT buzzword we used to talk of "Bastion Hosts" and "DMZ sub nets" Routers back then were eye wateringly expensive and of very limited capability, thus using a couple of Sun "dual homed" Spark Stations one from the Internet to the DMZ and one from the DMZ to the internal network was actually a more cost effective way to go...

In the past I've described what I call a "Garden Path" system, it takes the idea of the DMZ and adds one or more instrumentation hosts into the arrangement which by using data diodes change the router rules dynamically the second odd traffic is detected. Like all security it's not perfect, but it does make life a lot lot harder for attackers. Thus the generic attackers will find other low hanging fruit, and the specific attackers will in all probability go for a different attack methodology (black bag job, MICEd insider etc).

The over riding point though is "Energy Gaping" if anyone can see your internal network from outside because of wireless or other energy giving a communications channel then you risk a "drive by" attack. After all if you are an attacker who has a specific target in mind, corrupting an internally connected host or device from outside the perimeter is way safer than trespassing / breaking and entering or trying to turn / corrupt an insider.

Thus the use of wireless devices and a whole manner of other devices on the internal or DMZ network is not a bright idea. The reality is all energy radiating/susceptible devices / host should be treated at least as suspiciously as the Internet it's self, if not more so if you are likely to be "a person of interest" / specific target. Thus as such a person part of even home ICT security you need to practice physical security as well as human security.

People think I'm being paranoid when I have stuff not just inside a Faraday Cage, but inside several safes inside the cage which is very robust and has a door that locks, along with alarms. That's fine by me, they might catch up with my thinking one day.

That's not to say I don't use wireless devices, I have a smart phone and develop RF communications equipment including data links. I just maintain good energy seperation and compartmentalization with regards Confidential / Intellectual Property and other ICT activities. As anybody with a "duty of care" be it for legal / commercial / personal reasons should (but usually don't).

Who?June 17, 2017 11:24 AM

Facebook could secretly watch users through webcams.

Another privacy violation project from one of the flagships of the U.S. industry:

All this is getting really boring and repetitive. Perhaps the United States products should be banned on most civilized countries until all this gets fixed. Using the citizens as livestock is not right.

Who?June 17, 2017 11:43 AM

@ Ergo Sum

MacBooks (either pro or not) have an incredibly weak and buggy UEFI firmware. Even if these machines do not have Intel ME I would not choose them as a hardware platform for anything non-airgapped.

Our choices are very few right now.

Clive RobinsonJune 17, 2017 12:17 PM

@ Who?,

Our choices are very few right now.

Which when you think about it for a few momemts is actually quite odd.

Think of the advances in hardware...

For about 1 US Dollar you can by a single chip from the likes of Micro Chip that outperforms PDP11s and MicroVaxes and similar very pricy mini-computers still in use through the 1980s.

Off the top of my head I think some one has ported an earlier version of BSD to run on it quite well, you just need some serial or equivalent terminals which are not exactly difficult to make with 5USD gumstick computer a serial to USB converter and a suitably large LCD. Or you could get an old Android smart phone and root it or trick it into giving you a Linux console.

Or you can have some kind of 200USD or well above windowing box with flashy but slow and very unreliable and insecure software "blue screening" or whatever on you every few hours, whilst making the wheel in your electricity meter visably spin...

Thus the problem appears to me atleast to be crap software from MegaCorps, pushing atbest alphaware and patches every few weeks that contain the Devil alone knows what in spyware, attack vectors etc just to make you a product...

Who?June 17, 2017 2:34 PM

@ Clive Robinson

I think the earlier BSD you refer to is RetroBSD, the project started by Serge Vakulenko a few years ago to port the venerable 2.11BSD to the Microchip PIC32 architecture. It is an excellent operating system and, from what I have read, PIC32 computers are excellent for its price. Much cheaper and predictable than, let us say, the USB armory computer on a stick:

At least the PIC32 architecture should be free of hardware vulnerabilities like this one:

I really miss the 70s and 80s. Simple architectures that can be trusted, with public specs and —even more important— no overengineered features. These computers were powerful enough when running the right operating systems and software tools.

BobJune 17, 2017 6:30 PM

Since no one owns a cable box anymore:
I saw facial recog at Boston Logan story. Common sense would say there should be some pushback on this Orwellian nonsense. I can almost feel another Redflex-like story coming on in the near future.

Solution possibilities? Interpol expansion. Access to foreign criminal database and identification systems... or you don't come here. This is the result peoples' belief that blocking countries is racist. Um... I'm not doing this, but then again, I'll never fly into Logan for jack. Go to Providence or Hartford.

tyrJune 17, 2017 9:46 PM


I have ridden a few japan trains when
everyone can not breathe in at the same
time. Better to avoid the commute and
suffer what you have described.
I was appalled to see that after the
highrise fire the next day they still
had 70 people unaccounted for. That is
not good, the original story was bad
One thing rolling your own offers, you
can be sure no one understands your
machine better at the hardware level.


If you note the USS Fitzgerald story
that is what can happen in a high density
traffic corridor even if everyone has a
radar to throw their mind into overload.

SystateJune 17, 2017 11:29 PM

Clive Robinson
My man clive. I am still trying to understand your gardening path system approach. When it comes to energy gapping that seems to cost a bit of money and will consume quite a bit of resources. Am sure people ask "bro... is this really neccesary?"

But i get your reasoning though i want to make things significantly more difficult for the attacker.

Nick P
Openbsd on an energy + airgapped computer,check. When it comes to reverse engineering does the langauge matter? Will i get a better understandng of whats under the hood if i use assembly compared to python. Am talking as close to the metal as possible. (If you know some super secret technique of manipulating the metal itself, please share).

Gerard van VoorenJune 18, 2017 2:02 AM

@ Clive Robinson,

"Or you can have some kind of 200USD or well above windowing box with flashy but slow and very unreliable and insecure software "blue screening" or whatever on you every few hours, whilst making the wheel in your electricity meter visably spin..."

"Thus the problem appears to me atleast to be crap software from MegaCorps, pushing atbest alphaware and patches every few weeks that contain the Devil alone knows what in spyware, attack vectors etc just to make you a product..."

Why is this?

- Backwards compatibility. Once a crappy design pushed to the marked too early, today a burden. But they made lots of money with it so they don't care and the customer is happy when that nasty bug is fixed with the update.
- Ever expanding file formats, file systems, network protocols etc. How many network protocols that are standardized are seen as totally insecure and/or ridiculous by design? Which network protocols are officially deprecated? Not telnet. So you need to support an ever expanding array of (semi-) standards and closed propriety stuff. But supporting this is also seen as "competitive moat", an advantage, because for the competition it takes a serious amount of engineering to support these "standards" (in case of OOXML read cr*p). So standardization bodies are today part of the problem too. They are not deprecating, don't mind "duplication" (OOXML came after ODF and is much worse), and when fearing irrelevance, come up with stupid decisions.

What can be done about it?

Well, so far it seems like nothing. Even pointing out that it's corrupt doesn't help.

RachelJune 18, 2017 2:47 AM

@ tyr ever read that eighties office memo, supposedly authentic radio comms between a US battleship refusing to change course, and an unknown entity whom also refused to change position. The final line was 'this is a lighthouse.your call'
& such blind ego amongst extremely skilled captains has been responsible for serious aircraft disasters

concise book notes on your kind of title, that yes is security related.
Go back a page for the whole superb list

US Navy EmbarrassedJune 18, 2017 4:49 AM

Billion dollar destroyer gets rammed off the sea of Japan.
The huge Philippine cargo ship turned around 180 degrees and then t-boned the US warship.

So how could this SOTA equipped destroyer allow such a basic assault to succeed? The damage is probably over a billion dollars.

Dereliction of Duty?
Were the officers distracted on their cell phones? Were the ships systems hacked? Was it an intentional act? Was electronic warfare/jamming used? Were is the NSA?

In any event China benefits tremendously. The tarnished American projection-of-power loss is both humiliating and disgraceful. Its obvious court martial charges are coming. Certainly not proud to be an American today.
Now there is an eerie silence of selfish-arrogance-stupidity after getting our arse-kicked. The government and press have their own propaganda agenda to push and cannot let possible acts of war interfere.

We Hired the Swamp
The hysterically crazy solution is to increase military spending while secretly and savagely cutting life-saving health-care. Go Figure!

Casey RybackJune 18, 2017 5:04 AM

@ US Navy Embarrassed:

Casey Ryback: You're in the Navy, remember? It's not a job, it's an adventure!

JG4June 18, 2017 7:54 AM

Thanks to everyone who has offered helpful comments. Rachel and Clive spring to mind, but there are many others. BTW, I think that some of my memory problems are a result of magnesium deficit. The US diet is deficient. Add one cup of coffee and two glasses of wine, which are enough to double or triple the required daily magnesium intake, and you might have a chronic deficit. It's a short step from there to Korsakoff's syndrome.

I forgot to give credit to Karl of the rabid stripe for the link to arbitraging stupidity.

It's All About The Grift
Then there's Facebook and Google. Both exist in a legally-tortured alternate reality where selling information on you to people who you never consented to receive it for anything approaching the purpose it's used constitutes a huge percentage of their ability and reason to exist. As just one example Google recently popped up a request that I review a business I just stepped out of. I had not asked Google, maps or otherwise, to take me there and it was not open on my phone. I have location history turned off. Guess what -- Google's Android had irrespective of what I set not only recorded where I was it transmitted that back to Google and then generated the prompt in response.
Of course all the "big guys" are into this crap -- or its derivatives, including some of recent note that look really shady. Take this article on Apple's "app store" and how you can make $80,000 a month literally ripping people off via it. That's not theoretical either; it's happening right here, right now, today. Why doesn't Apple stop it? That's simple: They get a piece of the action and since they didn't "actually do it" and nobody will charge them with racketeering for their part in making it both easy and profitable they have no incentive to put a boot on the necks of those who are perpetrating these sorts of schemes.
[...arbitraging stupidity for $80,000 a month]

This fits into the general discussion of what hardware might be trusted. If you could harden the BIOS and prevent the microcode from being altered, you'd have a nice engine. The sharper minds can point out the other vulnerabilities and how to use filters to force the inputs into a safe parameter space.

A Clever And Fast Firewall/Gateway

I finally got my hands on one of these things....

Which one? The apu2c0, which is a 2-Gigabit Ethernet, quad-core AMD, 2Gb RAM single board computer that is fanless, runs on 12v and has AESNI instructions in it along with a very nice assortment of options for storage and similar.

kiss_torJune 18, 2017 4:26 PM

Brave Browser

FWIW recently I installed the Chromium Brave BrowOSser on a Windows machine. From a superficial perspective it seems to work and is also available for iOS.

Warning, however, on the Windows box, around several weeks ago, reported it unique.

BTW if you install Brave in a Standard account and don't enter Administrator or its' password, the install seems to work anyway. I assume this is better than installing Brave at the Administrator level if olnly one standard user is likely to use Brave.

kiss_torJune 18, 2017 4:39 PM

Whoops, link should be:

With 32 bit Tails and Tor, Tor Browser Security Settings set to High, panopticlick reported something like:

"Within our dataset of several hundred thousand visitors, one in approx. 100 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys approx. 10 bits of identifying information."

kiss_torJune 18, 2017 4:57 PM

@r and Slashdot-link posters in general


When I first read your above link, iOS with javascript turned off, I thought of end users destroying their notebooks the first time they turned them on.

In other words, please consider posting the Slashdot links, if relevant, such as
since on mobile iOS Slashdot doesn't work without javascript; don't know about Android.

Anyway fiction can be more interesting than facts, sometimes.

TatütataJune 18, 2017 5:04 PM

Re: USS Fitzgerald

I heard the lighthouse-vs-US-Navy story told as a joke in at least two languages.

The Gallic version featured a lighthouse in Brittany, "Ici le phare de l'Île d'Ouessant", and the English one an installation guarding the Straight of Belle Isle off Newfoundland.

This story however has a "K-141 Kursk" flavour hinting a nation in decline...

It is possible that the bridge on the freighter is only manned with only one officer at night, at least momentarily, if not for the better part of a shift, and one wouldn't want to spoil his night vision by looking at the radar.

The failure on the US side is harder to explain. Did the ship have its navigation lights on? Did it broadcast its position on AIS?

kiss_torJune 18, 2017 5:35 PM

@65535 and @Ben A.

“Advanced CIA firmware has been infecting Wi-Fi routers for years”

I haven't seen current Apple airport routers faulted, yet, in this regard.

For the price, and considering Apple's Privacy Policies and Update Policies, might Apple routers be a good choice for 99%ers; for example, for people that don't want to be bothered with, or trust, flashing roms.

BTW current Airport routers haven't received security updates for some time. In addition, it was rumoured that Apple was getting out of the router business.

Regardless, I would feel more comfortable using them if Thoth, figureitout, Clive, ab praeceptis, Nick P., Wael, Dirk Praet, or others from this blog, would take an anonymously purchased Apple Router for a test drive. At least in the US of A you can return Apple products within two weeks for a full refund. Maybe som.eone could get a magazine article or weblink out of this if you report your findings

Regardless, I use Apple routers and they just seem to work (double nat; most if not all sharing functionality turned off; "guest" network) and unplug ISP routers and Apple routers about once a week for about a minute.

kiss_torJune 18, 2017 5:51 PM

@Who? cc: @Ergo Sum

"MacBooks (either pro or not) have an incredibly weak and buggy UEFI firmware."

Some references or public links regarding buggy Apple UEFI firmware would be nice; Macs like the one I'm typing on, using a dvd of tails booted to ram, are one way I like to browse the web, regardless.

flannelJune 18, 2017 6:02 PM

@US Navy Embarrassed

Perhaps the plot thickens?

Uh, What Happened Here? (Fitzgerald Collision)

"Why was the first near-180 degree turn made and then why was course altered again southward just prior to the impact, given that the second alteration, had it not been made, would have almost-certainly led to safe passage. Further, do the timelines square with this or do they suggest something else?"

FigureitoutJune 18, 2017 10:02 PM

--Yeah cute, glad he took care of his needs. Hope he's not reading, I don't want to be nasty but the guts of the keyboard looks like crap, w/ glue globs, and would be a 'B' to debug if something was wrong. I don't get how that'd be easier to use than a laptop too, unless he was lugging a huge laptop (I'm envisioning those "as seen on tv" people who fail hilariously at anything they do lol). A smartphone or tablet or notebook is sufficient, if you're doing sensitive work on public spaces you gotta watch all the time for shoulder-surfing...I only use those times to do off-hand research (that I don't care about snooping, which is mostly a prerequisite for internet surfing these days) for my projects, etc.

I really miss the 70s and 80s
--Really? Over what we have today? You can still do that, a lot of MCU datasheets give block diagrams of the hardware, plus do so much w/ computers today.

--Yeah, it's good enough for the 99%ers. I'd want access to the firmware in the SoC (which will take a ton of time to review and understand), sufficient datasheet access, app notes, knowledgable FAE's for any tricky things not covered in docs, system design/layout (any "trouble" spots, but the RF SoC will have most all the meat on the board), know the protocol and structure of packets sent & received (more complicated that what I'm doing right now, which is a relatively simple RF link (but still would require $25,000 equipment to even see the packets moving thru the hardware so fast, so we have to use sidechannels to debug much cheaper...), so I'd have more reading on some more modern techniques for collision resistance). That's a full-time job for me (and isn't happening). Dirk Praet would probably give you the best review for what you want.

Vast majority of your traffic will be fine (mine too), it's simply too much data. Just be prepared to recover if need be, this applies to online accounts and bank accounts mostly. Stay frosty and you mostly don't find out there's a problem 'til it's too late...

Clive RobinsonJune 18, 2017 11:01 PM

With regards,

I heard the lighthouse-vs-US-Navy story told as a joke in at least two languages.

It was also told as a "carrier group and admiral" story as well, which gives away the historic truth.

Before the Stevenson's[1] started building lighthouses with stonr and considerable ingenuity. The treacherous[2] waters around England Scotland and other parts of the world claimed not just ships getting wrecked on rocks, reefs sand bars and similar, but the early lighthouses were likewise destroyed in storms. All of which caused a great loss of life, but at the time more significantly great financial cost, which was why "The Lords of the Admiralty" were looking to put in place reliable lights. And for those old enough to have navigated such waters at night the sight of a lighthouse from twenty or more nautical miles away was[3] a very very welcome sight.

One of the problems with navy's of the past was the command chain and the addled by alcohol, scurvy and malnutrition heads at the top and a very unpleasent death or punishment for even the most minor of disobedience (look up "keel hauling" and the "cat of nine tails").

Which in part caused the Scilly Disaster of October 22 1707, the worst sea disaster to have happened at the time.

Put simply a Royal Navy squadron was returning from Gibraltar under the flag of Admiral Cloudesley Shovell. As was common at the time they were "navigating from the lead boat" which was the Admiral's flag vessel. The weather was heavily over cast and stormy. The Admiral had earlier in the day consulted with the captins and navigators to determin the consensus on the squadrons position. Which was that they were on a positional line with Ushant in France. Thus the Admiral set course from that point on the charts. Unfortunatly the consensus position was wrong and in the dark the Admiral's smashed into the outlying rocks off the Isles of Scilly floundered and was lost as did three other ships. With the loss of the Admiral and atleast a thousand other seamen. One result from the public outcry over the devistating loss was that Parliament passed the 1714 "Longitude Act". Which eventually gave rise to great advances in horology and a number of scandals, one of which involved the mutiny of a Royal Navy vessel on 28th April 1789 which sailed of to Pitcairn with the "Kendall Time Keeper Number Two" (K2). Which was a defective "rip off" of a Harrison time keeper. It was later sold to an American captin and found it's way to Chillie and back to the UK and can now be seen in the clocks collection at the Royal Observatory part of the National Maritime Museum at Greenwich.

Oh the name of the lead mutineer and the vessal you might know as Lieutenant Fletcher Christian and His Majesty's Armed Vessel (HMAV) Bounty, which was originaly built to carry coal... The adverse cultural effect the mutineers had on the remote Pitcairn islands is still felt even today. But officialy it's the World's smallest democracy (and one of the earliest of modern democracies to give women the vote).

[1] Yup same engineering family as built the railway engine "Rocket" and it's train as well as bridges and other navigation ways.

[2] Oddly apt for a post about a shipping disaster in the waters south of England, the word "treacherous" is derived from the French for cheater.

[3] With modern "radio navigation" it was felt that lighthouses had become a needless expense, so they are being "Decommissioned". But worse so are nearly all the terestrial RadNav systems such as Decca Navigator and LORAN-C. Leaving us with just satellite navigation systems that could "just be turnrd off at a flick of a switch" for "National Security" of just one or two states...

tyrJune 18, 2017 11:45 PM

On theFitzgerald crash.

It looks like they were hit from behind.
That is a high traffic area and most of
the radar operators attention is to the
traffic in front of the ship. The inquiry
board might make interesting reading as
whatever the freighter thought it was
doing will come out then.


It looks interesting, Pareto tried to put
some science into social behaviors with
limited results. Folks are very uncomfortable
when you start digging into why things are
done. If behaviors are not rational but only
rationalized later in an attempt to justify,
no one wants to admit it. They prefer fictional
narratives that make it appear they are thinkers.
Once the knee-jerk emotional reaction has
occurred you will see endless explanations that
can't be parsed into logical narratives. Social
scientists would rather change disciplines than
examine their false narratives.

My favourite sea story is the Camperdown crash
which was done deliberately as a training exercise.
Another one was the Aussies carrier Melbourne that
used to routinely run over its screen destroyers.
The Naval adventure part comes after you have
survived the incident and can talk about it.
At the time hanging on and hoping to live is
more common.

Clive RobinsonJune 18, 2017 11:56 PM

@ Figureitout,

Really? Over what we have today? You can still do that, a lot of MCU datasheets give block diagrams of the hardware, plus do so much w/ computers today.

I miss the 70s and 80s as well, I guess you would have had to live through it to know why.

Back then it was the birth of the PC, it was a young, dynamic and rapidly growing field of endevor. BUT importantly it was still small and you could as an individual be able to grasp the entirety of the field of endevor. It was primarily hardware engineer led with a "can do" attitude. Every little circuit design got known and a new idea or trick (ok "hack") went around the community quickly to every ones benifit. It was why Bill Gates "nasty little letter" was seen as so alien, so carping and like a spoild child having an unseemly tantrum in public much to it's parent's embarrassment.

Untill relatively recently "Home Brew" systems had died back to the Ham Radio types doing leading edge stuff with the latest and greatest chips from the likes of Analog Devices. Thankfully the "Maker" trend has caught on but two generations have missed out on the creative side of hardware hacking.

As you should know there is quite a "life outlook" point of view difference between hardware engineers and code cutters that can be traced back to Microsoft and its Foundation Class and other MS boon dongles...

MFC was a nightmare mish mash of cruddy code and it was a very unpleasent experience to work with. Rather than have a "share attitude" those who had struggled through getting a grip on one small thread of the MFC rats nest had a "my work, my secret my advantage" mentality. Which in turn gave rise to "secret sauce" solutions of hidden call points. Which some people alledge were Micro$hafts way of maintaining "in house advantage" over competitors. Either way those hidden call tricks have a lot to answer for and a marked responsibility for the mess of backwards compatability issues that have given us oh so many needless attack vectors.

Further those two generations of not having hardware hackers has alowed the proliferation of those anti-competative DRM systems. Which means that although you buy a computer you nolonger own it. You have an enforced "walled garden" with a "Think of the children" marketing message aluding to it being a more secure way... Well the crap in Google Play with all the malware and PII theft kind of tells you the lie of that message...

So yes I liked the 70's and 80's and the freedom it gave me to be creative and build a multifaceted career. And I hated the couple of decades from the mid 90's onwards. Having to push back against those not just taking away those creative freedoms, but those who became like drug addicts just waiting for their next shiny box fix, that was apptly recognised and somewhat ridiculed by the "Apple fanboi" image.

But whilst I have an "out of my cold dead hand" mentality over the freedoms, I don't see why it should imply giving up the other gains we have made in those two decades. I see it more as a drive or battle to get it out of walled gardens and regimented thinking and ordered behaviour, back into the hands of people where creative chaos brings not just freedom, but fun and joy, as well as a self confidence many lack these days. It's called Heterosis[1] or Hybrid Vigour and it's the only way to avoid the inevitable monatonic death march of inbreeding depression you get when you don't have the freedom to tinker.

[1] Which shares some of the same roots as "hectic".

Clive RobinsonJune 19, 2017 1:57 AM

@ tyr,

I was appalled to see that after the highrise fire the next day they still had 70 people unaccounted for. That is not good, the original story was bad enough.

You will be further appalled to hear that even this morning there are still no "official figures" in part because the fire was sufficient to make the building to dangerous to work in, but the level of competence shown by the local council is uterly appaling.

Some are comparing it unfavourably to the FEMA response issues after hurricane Katrina.

Put simply the local government with responsability for the tower block and surrounding areas appears not to be responding in even a minimally procative fashion and are getting less than favourable reporting in the press. Especially when celebraties that live in the area have been seen puting in a lot of effort both physicaly and materially.

But on another issue what you may yet not have heard is that a man drove a van into a crowd near the Finsbury Park Mosque late last night as people were breaking the Ramadan fast. With atleast one man killed and several injured,

Whilst I can not say I am surprised it does not mean that I am not sadened and appalled by such an attack, and feel sadness for the victims families and friends.

Clive RobinsonJune 19, 2017 4:26 AM

@ Systate,

I am still trying to understand your gardening path system approach.

It's one of those ideas that we you get it you will think "That's bl**dy obvious" but till then...

The idea is that the Internet is like the road/pavement infront of a house, all manner of people and things go past, some down right nasty. It would be pointless challenging/inspecting every single one. So you have a front garden with a gate beyween it and the road with a path with your front door seperating your home from the garden. The garden is a DMZ and the gate and front door the routers from different designers/manufactures. As in the case of a real garden where you would have a CCTV and motion detector to alert you to the presence of people and things in the garden, the DMZ has a computer behind a read only tap that instruments both directions of traffic looking for what should not be in the DMZ. If such traffic is found the instrumentation system either alters firewall rules or open circuits the data paths ate the routers. Impoetantly just like a well placed CCTV camera the instrumentation computer can not be seen by a potential intruder, and a recording is kept. That way if you do detect strange or odd behaviour especially on the egress side you have a record you can work backwards through to locate the original intrusion or in bound malware.

The main reason for the garden/DMZ is that it cuts the amount of traffic you have to monitor/investigate down. The reason that you use two different routers is it gives the attacker a harder job, if they only have an exploit for the outer / gate router but not the inner / door router then the attack does not make it into the internal network. But if an attacker has got through the first / gate router then the chances are their investigating the second / door router will create a visable indicator in the DMZ / garden recording / loging.

No it's not perfect and it probably will not stop a higher end state level targeted attack, but it will in most cases limit damage and give you what might be called "actionable intelligence".

Oh one other thing to consider is that do you realy need your home internal network connected to the internet either at all or all the time?

Personally I don't have my intetnal network connected to the Internet and I don't have it powered unless I'm physically present and using it. Not only does it save me one heck of a lot of problems it limits any harm the likes of Micro$haft flaws can do. My main reason for this originally is that I still have to support software I developed for MS-DOS 5 and later and Win 3.1 and later including NT 2000 and XP as well as some other non MS but earlyish OS's etc (yes that includes an Apple product from the late 70's).

If I realy need to get data off the network I have my own serial data diodes with active nodes that only allow certain "text only" protocols to be sent across them. Likewise another similar arrangement to get data on using a *nix box to do a much more thorough inspection of data.

When it comes to a more "rich" data content then it's a little more interesting if the source is slightly trusted then image and sound get converted to uncompressed verions (WAV etc) and lightly filtered to remove artifacts before crossing more complex document file types get converted to either RTF or HTML and scripting of any form gets ripped out which is normally only an issue with spread sheets.

But for sources I definitely do not trust the mark one eyeball is used with a print out that then gets scaned back and OCR'd etc. It's not normally a pain as it's low volume stuff like academic papers that I would OCR for document searching anyway.

You could say I was patanoid, but the methods were as a result of doing work for others in the financial / legal industries where they have to show compliance to higher levels of security anyway to avoid "insider trading" etc.

The thing is one of the games big companies like to play is "begger my neighbor" to effectivly starve an opponent out. One such is "electronic discovery" which they use just to be awkward and make you pay large sums of money, and in the off chance there is a bit of juicy metadata you've not sanitized out.

I have a standard advice to people the first is,

1, Paper Paper never data.

Which strips out a lot of meta data even though you don't know it's there. It's a case of "What you see they get, and what you don't see they don't get". Thus is you print then scan as an image file that pesky file format metadata the likes of MS etc just loves to put in gets stripped. If you do this as an ongoing "standard practice" even a supprise raid is not going to give anyone any file metadata.

The second is about retention of documents sanitisation etc and covers all maner of inadvertant sins.

2, If it's POLICY it's not destruction of evidence.

In times past people kept "as little as was needed" in terms of business records, the rest got binned fairly promptly as it cost real money to store it in filing cabinets etc, not just the cabinets, and their floor space but the personnel in the form of "file clerks" and "librarians".

In the UK at least Government Policy back in the 1980's with regards to privatising what was once public organisations such as utilities gave rise to the massive use of electronic document systems. One inadvertent result was the "better safe than sorry" view that ment everything including "office love notes" got put into such systems. As it was later found just waiting for a little man with a writ or warrant to turn up and make every little secret a matter of "public record" via the "court record". If you have a policy of not keeping garbage then you are never going to have to smell the stink it might generate. Make it policy and practice and police it properly and you are not going to have that millstone hanging around your neck, it will also save you money as well. Also remember to include backup tapes etc, and to partition your systems up so that you have static OS/Apps files in one place changing App metadata files in another and data files in another. This helps the sanitation process a lot. As does having "thin clients" and no user Internet connectivity. If you want to be nice put kiosk type machines in the coffee/cafeteria rooms, you pay for work not play, and "social networking" is the new "drug of the masses" for ego stroking. Your employees do not need "personal storage" where the policy would find it difficult to get at to do the garbage collection every week/month/quater/year.

The point is an emoloyees "desktop" should not be a "file cabinate" if they are not actively working on a documemt/file it should be in a central repository. This was the way it worked with real desks back in the 1970's when office productivity was at it's highest. Computers have not improved productivity in the slightest in this area in fact productivity in admin appears to decline decade by decade as office applications get more and more feature rich...

I could go on but then I'd be giving away those pearls of wisdom people pay money for ;-)

JG4June 19, 2017 5:23 AM


"Do not speak to me of naval tradition; it consists of nothing but rum, sodomy and the whip" - Mr. Churchill

"Do not speak to me of windows security; it consists of nothing but chicken blood, pentagrams and incantations" - JG4

I too was a member of the "cold dead hands" tradition, and to some extent still am. I trust that my comments in recent years have been interpreted as dyed-in-the-wool libertarian, only a slight downgrade from rabid libertarian. Later, I came to realize a concept that I call "projected intent." I may have made similar comments in the past. A simple weapon like a gun or bow can project intent from 1 to 1000 meters over a period of milliseconds to seconds. A microprocessor can project intent decades into the future and potentially over tens of thousands of kilometers. Once the bad actors - you can pick whatever flavor you like, private sector or public sector - begin to realize more hardware-oriented flavors of project intent, we are going to be begging for more regulation. Ethical people will be under pressure from both public sector and private sector criminals, to say nothing of the ideologically motivated criminals. The best case scenario on your planet may be a profoundly dynamic balance of terror.

Just for the record, "Total Information Awareness" didn't go away, it went dark. With the right safeguards, it may be the only way to survive Grinspoon's gauntlet. Without the right safeguards, the future will be right out of Orwell's nightmares.

Clive RobinsonJune 19, 2017 5:24 AM

@ ALL,

NSA OSS Technology Transfer

As readers hopefully know, the NSA has two functions in life one of which is the protection of US systems. Under this they produce some intetesting Open Source Software. A list of which can be found at,

Which has URL's in.

However this has poped up,

Which is a very different URL to that in the PDF...

Any way there appears to be some interesting stuff in there. Of which "RedHawk" and "Simon and Speck" may be of interest to some here whilst others will be of interest to others.

Clive RobinsonJune 19, 2017 7:35 AM

@ JG4,

Mr Churchill, was a military man in his early life, upsetting a few people along the way. However it was in later political life he got the "navy lark" when he had the "First Lord of the Admirality" gig.

Those three "personal gratifications" (the third actually being "the lash") Churchill allegedly mentions appart from also appearing in Private Schools of the time, were also all that there was to relieve the bordom on ship, when not doing a multitude of otherwise meaningless distractions. In fact an earlier expression of the joys of a seamans life was "Rum, bum an bacca" the last being tobacco.

Interestingly though the three were connected by ships surgeons. Most ailments were prescribed rum, whilst resuscitation was reported in some sugeons notes as somtimes involving the use of tabacco or worse. The use of tabacco was by having the smoke blow directly into the lungs or rectum by use of a pipe. In fact the Victorians gentry actually paid to have points along the river Thames stocked with special pipes tobacco and matches in exactly the same way as we have "life rings" today. Apparently this was mainly as a method of reviving "girls from the country" that had fallen for the wiles of deceitfull gentlemen, and now having found themselves to be "fallen women" attempted to kill themselves by drowning (incorrectly described as a "peacefull way to die"). It's also the reason why various London bridges from the time have their own mortuaries.

As for Churchill it was alledged he made the statment when in a heated argument about converting navy vessels from coal to oil, various Admirals were arguing for the retention of traditional coal and Churchill was making himself very unpopular. History shows that he was right to go for the conversion for many reasons. Though Churchill did later say he never uttered the phrase, it was in keeping with his temprement, thus it may have been put around as a method of trying to discredit him.

Back in 1533 King Henry VIII first made the second of the three gratifications with man or beast a capital crime, and it quickly became associated to Popish behaviour and any Italian man.

It was not untill 1627 the navy made it a "death by hanging offence" at sea which lasted untill 1861, though it was for "uncleanlyness" and there were lesser punishments available. They did not specify the method of pubishment thus keel hauling, flogging around the fleet, or hanging from the yard arm were available as punishments. But bear in mind the latter was originally not "a drop" but a hoist, thus could have taken many minutes for a small person to die, kicking and jerking all the way. There are reports of a thousand lashes of the cat being given which would almost certainly been fatal if carried out. As for keel hauling that was a realy nasty punishment, two ropes were passed under the keel of the ship, the prisoner would be stripped to the waist and tied to the ropes hand and foot so his back would be in contact with the hull and keel. His fellow sailors would then have to pull him via the ropes right under the ship and up again the prescribed number of times. If they did it too slowly the prisoner would drown, to fast and his back would be ripped to the ribs or worse by the barnacles, nails, splinters and any other foaling of the hull. The fact that sailors did survive flogging and keel hauling and the subsequent infections is to put it mildly more than surprising.

TatütataJune 19, 2017 7:37 AM

Re: USS Fitzgerald

It looks like they were hit from behind. That is a high traffic area and most of the radar operators attention is to the traffic in front of the ship.

A radar display provides 360 degree vision.

For a high-stress area, try the English Channel just between Dover and Calais, which is quite literally like a busy motorway, excepted that you have the ferries going across too. The Malacca strait and the Bosporus are probably in the same league. Is a location like 34°32′N 139°05′E comparatively crowded? Vessels there would slowing down in preparation for their arrival at port, and vigilance would be increased.

I have trouble imagining any reason why the carrier would perform a hair-pin U-turn in the dead of the night. Did it really occur BEFORE the crash? There is often a placard in prominence near the wheel reminding how to perform a quick turnaround for rescuing a sailor fallen overboard. But since no casualties are reported on the carrier, this could be ruled out.

The carrier probably used GPS-based automatic navigation. Could something "special" have been going on at 1575,42 MHz, the GPS L1 frequency? The path in the link above could be the record of the ship manually being put back on the proper course after the electronics did something silly. Can this be ruled out? (But the recorded path would itself be derived from SatNav).

TatütataJune 19, 2017 7:57 AM

I miss the 70s and 80s as well, I guess you would have had to live through it to know why.

Each processor cycle was close to 1us, and I could figure out exact timing delays with pencil and paper. I could actually unsolder and repair a PCB, and essentially recite the yellow Texas Instrument TTL data book by chapter and verse. ;-)

I would spend my pocket money at the news agent getting the latest issue of Popular Electronics and the like, with their ads for S100 bus accessories, and other inaccessible stuff of dreams. The nerd stuff was in the row just under the girlie magazines.

My old man threw away all the ugly cr*p I built back then, which I had carefully stowed away in a marked cardboard box. :-(

FigureitoutJune 19, 2017 10:26 AM

Clive Robinson
would have had to live through it to know why
--Guess so, but based on what history I've read, I'm glad computers are as prevalent as they are today. There's more programmable computers than I could ever hope to use and they're very rich and dense and useful. Like you said yourself, I can buy 5 MCU's for $10 or less, w/ shipping, that are more powerful than desktop PC's back in the day. Harddisks, they used to have to wheel them in, and only like megabytes; now it's terabytes.

You'd be limited to the crude implementations of the 70's/80's, not some of the advanced work and design advances to do more w/ less. The peripherals are now all their own sector and rich and interesting to dig into, can get lost in just an MCU (now there's MCU's w/ radios attached, so need to know about the RF hardware, and the comms bus seems to be SPI for most part back to CPU)...For instance the power amplifier in radios, and how important it is. Really want to know the guts of how some RF designers were able to get more sensitivity, more gain, and less current consumption; but that's highly valuable IP.

We've got lots of open software, hardware is the next step and there's lots of people working on it. Plus FPGA's to try out hardware designs before fabbing. Just didn't have these tools available to designers before, all pencil/paper and slide rules, and can't do advanced simulations.

I could figure out exact timing delays with pencil and paper
--What's stopping you from doing that today for timers/RTI's or putting on an external crystal for your MCU? Is 32kHz too fast for you? Plus can divide it down, clock controllers allow you to change the frequency of operation.

I could actually unsolder and repair a PCB
--What's stopping you from doing that today if you design it yourself? If you make a 4+ layer board that's your own fault for wanting that or not using sockets if that's a concern.

I would spend my pocket money at the news agent
--Now you save your money, go to Fry's or order online from high reputations, probably cheaper if you just get internet.

Phubbers Meet Stingray Navigation June 19, 2017 11:04 AM

By design people from all walks of life are addicted to their cellphones. They ALWAYS keep it with them as it sweetly chimes every few minutes. The big-data distracts product averaging 150 times/day!
Now with unlimited data planes and multi-day batteries products keep GPS continuously enabled. How convenient...

These same esteemed advertising data-miners are invited to the White House today to give their ‘guidance’ to the government.

Stingray Navigation
Any government with a Stingray/cell phone tower simulator can precisely make course corrections to aim their kinetic energy weapon, even with a moving target.
Pass by first for data-mining of every sensor location and null out velocity/vector errors.
Comopute the centroid and provide real-time course corrections updates. Nighttime is best like 2am. Operatives exit to waiting submarine. The regular ships crew is kept largely clueless.

Up until now its been cars and trucks. Please add cargo ships to the list. Bonus: name another platform?

Only publishable in Australia (don’t upset advertisers)

Rejecting the Nipple
I apologize for using societies abandoned skill-set of common-sense and critical-thinking.

Ergo SumJune 19, 2017 11:33 AM


Within our dataset of several hundred thousand visitors, one in approx. 100 browsers have the same fingerprint as yours.

My Tor browser, running on Windows 8.1, tested at Panopticlick reports this:

Within our dataset of several hundred thousand visitors, only one in 200930.0 browsers have the same fingerprint as yours.

I guess the browser configuration being rather unusual is a good positive ID. Time to relax some of the settings...

JG4June 19, 2017 12:08 PM
The Air Force Is Getting a Space General Motherboard

Big Brother IS Watching You Watch

The smarter the home, the more online risks you face San Francisco Chronicle

Build an Internet Kill Switch Makezine (resilc)


Grenfell Tower Inferno Aftermath

A firefighter who attended Grenfell tower has written this: Michael Rosen Blog (Richard Smith). If you can only read one link today, make it this one. Harrowing.

Clive RobinsonJune 19, 2017 3:02 PM

@ Tatütata,

I have trouble imagining any reason why the carrier would perform a hair-pin U-turn in the dead of the night.

As I've occasionaly mentioned I used to design bespoke telemetry systems for the oil industry. Quite a while ago, I was on the Esso Fife which was at the time the largest tanker in the British Fleet.

Being a keen sailboat sailor I ended up chatting with the captain one evening and I asked him what would happen if the lookout spotted a sailboat in the ships path that had not been picked up on the radar.

He said that there was little or no chance of such a large vessel stopping in time using the engines. He paused and said it's why they had a procedure for broad siding the ship and could in effect come to the equivalent of a stop withn about two boat lengths.

So doing a rapid turn then finishing the 180 may have been due to coming into a potential collision with another vessel other than the navy vessel.

ab praeceptisJune 19, 2017 3:25 PM

Even better motorboats nowadays have radars and course interpolation and collision detection capabilities. I don't see any reason to assume that 500+ ft professional (military or commercial) vessels would not have that capability. It seems very reasonable to assume that both vessels knew of the collision potential at least 10 seamiles in advance and probably much earlier. In fact, chances are that on both bridges a loud alarm was sounded.

All the commercial vessel had to do was less than a 1° course change to avoid collision and all the aegis thingy had to do was to go a little faster or slower.

Why the commcerial vessel didn't change course seems clear. Highly likely due a) those vessels anyway hating to change course (time and $) and b) a "f*ck you!" effect.

The interesting part is why the aegis thingy didn't avoid collision. And no, it was not a "human error". As I've said, at a certain (early enough) point there certainly was an alarm on the bridge. It is hence my understanding that the aegis thingy did not *want* to avoid the collision.

Why? Probably something either dirty or shameful was going on; something like a sub in serious trouble and almost not maneuverable, maybe something else. Whatever it was, it was so "this must never be known, no matter the cost!" that the aegis thingy put itself into the container vessels way to absorb the impact and to protect whatever behind or beneath.

Collision Time-lineJune 19, 2017 5:46 PM

5-24-2017 US warship sails within 12 miles of China-claimed reef
The so-called "freedom of navigation operation," which is sure to anger China...

6-16-2017 Seven sailors missing as US Navy destroyer collides with merchant ship off Japanese coast
Actually the seven sailors died and the ship came VERY close to sinking. Communications were destroyed.

6-18-10`7 US Navy adopts lower-key approach in South China Sea

6-18-2017 US-led coalition aircraft shoots down Syrian fighter jet

From this time-line its easy to see anger and motive. The lapse for planning.
Finally the backing-off and creating a nationalistic distraction.

anonyJune 19, 2017 5:50 PM

The phone encryption "crises" is just BS.

The Tulsa PD file is 39 pages of cracks, most taking 1-3 minutes, just a few taking hours. most platforms mixed in there also.

"This is superbly illustrated in documents obtained from the Tulsa and Tuscon (AZ) Police Departments by Curtis Waltman. Tuscon PD documents [PDF] show law enforcement officers are using tools crafted by the same company that provided the hack to the FBI in the San Bernardino case, among several other options. But the real motherlode is the Tulsa PD's log of cracked phones."

RatioJune 19, 2017 9:36 PM

Facebook and Twitter being used to manipulate public opinion – report:

Propaganda on social media is being used to manipulate public opinion around the world, a new set of studies from the University of Oxford has revealed.

From Russia, where around 45% of highly active Twitter accounts are bots, to Taiwan, where a campaign against President Tsai Ing-wen involved thousands of heavily co-ordinated – but not fully automated – accounts sharing Chinese mainland propaganda, the studies show that social media is an international battleground for dirty politics.

The reports, part of the Oxford Internet Institute’s Computational Propaganda Research Project, cover nine nations also including Brazil, Canada, China, Germany, Poland, Ukraine, and the the United States. They found “the lies, the junk, the misinformation” of traditional propaganda is widespread online and “supported by Facebook or Twitter’s algorithms” according to Philip Howard, Professor of Internet Studies at Oxford.

(I fixed the link to the report on China, but left the "the the".)

MarkHJune 20, 2017 3:54 AM

Can't Make This Stuff Up !!!

My WiFi router had a hiccough yesterday.

Seeing that I had no connection, I opened a status dialog which shows available WiFi access points.

The one on the top of the list had this SSID:

Surveillance Van

Its connection security was listed as WPA2.

Unfortunately, the user interface I was using doesn't show the MAC. I would happily have published it here, had I caught it :)

When I refreshed the status dialog, "Surveillance Van" was absent. For all I know, it might indeed have been a passing vehicle.

If it was actually a vehicle used for some kind of surveillance, having a live WiFi access point broadcasting that SSID would be pretty comical.

RachelJune 20, 2017 5:06 AM


there was a permanent wifi broadcast near me that had '[non-english name of police service] Surveillance Van'

it means nothing

rJune 20, 2017 5:37 PM


Don't be so sure of yourself, covers have been blown for less...

Probe request county jail
Probe request
Probe request
Probe request

rJune 20, 2017 5:39 PM

I think in the news a year or two back that exact scenario happened with a surveillance van in some suburban neighborhood somewhere.

Documentation anyone?

Nick PJune 20, 2017 8:42 PM

@ MarkH

I used to use access point names with words like informant to discourage (or encourage) crime against it. My recent one takes a different tactic to claim it's the "slowestwifi" around. Maybe I'll get slowdowns from attacks since they'll think it's too slow to be worth their time to begin with. ;)

MarkHJune 21, 2017 12:45 AM

I've really no ID what "Surveillance Van" was about, and no hope of ever finding out.

In my semi-rural neighborhood, there are only a few access points, all familiar to me, and I haven't seen the owners assign playful names.

From a web search, I see that folks have been using SSIDs like this as a joke.

Because of the single fleeting appearance of it, I think it plausible that it really came from a passing vehicle.

Is there any reason why a law enforcement vehicle would need a WiFi access point?

JG4June 21, 2017 6:02 AM
New Cold War

We Are Inches From A New World War, And Clintonists Are To Blame Counter Propa (UserFriendly)

The New York Times steps up its anti-Russia campaign Defend Democracy

Bernie Sanders and Rand Paul Buck Party Consensus on Russia and Iran Sanctions Real News Network (UserFriendly)

Big Brother is Watching You Watch

The latest Wikileaks Vault7 release reveals details of the CIA’s alleged Cherry Blossom project, a scheme that uses wireless devices to access users’ internet activity failed evolution

Watch Hackers Take Over the Mouse of a Power-Grid Computer in Ukraine Wired (furzy)

Big Prize in Amazon-Whole Foods Deal: Data Wall Street Journal. However, it appears customers need to share with Amazon for it to get the best harvest:

The online retail giant likely will add new ways to track in-store consumer spending. One option is letting people purchase with Amazon Pay, a PayPal -type solution that lets customers check out with their Amazon account information. Another option is creating a Whole Foods credit card, the former employees say.

If you must shop at Whole Foods, undermine this project by diving your purchase into two orders and paying separately, and using cash for at least one of them.

JG4June 21, 2017 6:58 AM

some rabid to brighten your day. failed states aren't just in the countries where the US intervened

100 Million Dead In US
Go ahead folks, read this one.

Wut? (Hillary Clearance)
This is outrageous:
The State Department has opened a formal inquiry into whether former Secretary of State Hillary Clinton and her aides mishandled classified information while she was the nation’s top diplomat, Fox News has learned. Despite being under investigation, Clinton and her staffers still have security clearances to access sensitive government information.
How and why?
Let me point out something for you: Clearances are not given to people without cause and they do not survive when the need for them expires.
If you leave your post at a government contractor, for example, your clearance expires automatically in a very short period of time unless someone else picks you up for a job that requires the clearance.
If you're a politician and lose your seat, any clearance you once held expires because your job expired.

Clive RobinsonJune 21, 2017 7:38 AM

@ Bruce and the usual suspects,

I realy do not know what to make of this.

The Jaguar-Landrover car company --owned by Tata of India-- is looking to recruite around 5000 staff of which ~1000 will be software and electronics bods.

So far so good but...

They are trying a new recruitment wrinkle, in that although the more traditional recruitment route is open, they are offering a fast track by way of a problem solving competition... The people behind it appear to be using it more as an experiment, but it could well be the way of the future,

PanopticlickPatronJune 21, 2017 1:29 PM

@Ergo Sum

"My Tor browser, running on Windows 8.1, tested at Panopticlick reports this:

Within our dataset of several hundred thousand visitors, only one in 200930.0 browsers have the same fingerprint as yours.

I guess the browser configuration being rather unusual is a good positive ID. Time to relax some of the settings..."

Have you thought about running TBB or Tor Browser from a guest VM in VirtualBox or Tor Browser from a booted DVD on your Windows 8.1 box for "fun" or comparison? 1 / 200000 seems somewhat low of course for the TBB.

Tor Browser in Tails 3.0 reports:
Within our dataset of several hundred thousand visitors, only one in less than 500 browsers have the same fingerprint as yours.
Currently, we estimate that your browser has a fingerprint that conveys about 9 bits of identifying information.

Microsoft admits to disabling third-party antivirus code if Win 10 doesn't like itJune 21, 2017 2:02 PM

Microsoft admits to disabling third-party antivirus code if Win 10 doesn't like it

Redmond readies the ground for Kaspersky's EU antitrust suit

"Windows 10 does disable some third-party security software, Microsoft has admitted, but because of compatibility – not competitive – issues.

Redmond is currently being sued by security house Kaspersky Lab in the EU, Germany and Russia over alleged anti-competitive behavior because it bundles the Windows Defender security suite into its latest operating system. Kaspersky (and others) claim Microsoft is up to its Internet Explorer shenanigans again, but that’s not so, said the operating system giant."


Big-Data Doesn’t Trust Big-DataJune 21, 2017 4:45 PM

WSJ Reports:
The battle between the King Kong and Godzilla of retail has moved into the cloud.
Walmart Stores Inc. is telling some technology companies that if they want its business, they can’t run applications for the retailer on Inc.’s leading cloud-computing service, Amazon Web Services, several tech companies say.
Walmart has ALL the Big-Data corporations tracking customers on-line- in-auto and in-store:
“We also personalize your experience on our sites and mobile services by showing you advertisements from Walmart or our advertising partners (Google, Facebook, Linked-In, Microsoft, Adobe, Twitter) that are tailored to your interests.”
This is why I use Amazon as they typically don’t customer share data. In casual interviews Walmart employees agree: they shop Amazon too!

Google starts tracking what you buy at (Walmart) stores in person
Google claims to have access to roughly 70% of U.S. credit and debit card transactions.

JG4June 22, 2017 6:01 AM
News of the Wired

Internet of Shit‏ @internetofshit
a whole bunch of people are exposing their philips hue lights to the internet 🤷‍♂️
Jacob Barrett Don Jeff Van Voorst Peter N Lewis T K You Zargh Jeff Cuscutis mayorofearth
3:10 AM - 21 Jun 2017
Hope nobody figures out how to make them flicker…
Internet of Shit‏ @internetofshit 7h7 hours ago
Internet of Shit Retweeted David Zhou
Ok, David, setting the oven to 200%!
Internet of Shit added,
David Zhou @dz
Alexa controlling the oven feels optimistic and maybe a fire hazard?? Last time I asked Alexa to tell me the weather she turned on my TV
17 replies 132 retweets 312 likes
Internet of Shit Retweeted
Paul M. Watt‏ @codeofthedamned Jun 20
Replying to @internetofshit
years from now, we'll be looking back wondering how we ever lived without a monthly subscription fee to work the thermostat
10 replies 150 retweets 422 likes

He who would sacrifice personal liberty for "national security"June 22, 2017 6:09 PM

Although Big Brother has long since banned teachers from instructing their students on the basics of cybersecurity, such as the operation of EFF's PrivacyBadger (a Firefox plugin designed to hinder cybercriminal malvertising and illegal collection of Personally Identifiable Information), any of the practices described in LinuxJournal (practices required for your Linux systems to be any safer than Windows), a href="">Tor Project's TBB (a browser that saves women and children in witness protection programs, journalists who decide to report abroad on the evil communist dictators who hate us for our freedoms and our liberties_, boum's TAILS operating system (an OS that prevents cyberterrorists forcing your computer into a botnet and using it to attack American cyberinfrastructure), and so forth, Trump has taken 1984 to a whole new level with this latest scandel.
He's having all teachers in India now be required not just to avoid teaching their students how to be safe, but to ">actively instruct them to avoid all safety habits, such as avoiding VPNs and onion routing, and to avoid anything else that they could use to keep themselves safe from stalkers, hate groups, ex-employers/employees/domestic-partners, and anyone else who might want to spy on them. Note that these instructions do not simply make it easier for abuse of power, such as "LOVEINT" (which sounds like a conspiracy theory except the government themselves are the ones who named it that), but also for common criminals and hate groups to spy on and stalk our children. Expect similar changes to American schools once the remainder of civil liberty has been destroyed by terrorists such as Donald Trump who are hijacking America in their best effort to sabotage the land of the free.
Support the American Civil Liberties Union and Electronic Frontier Foundation if you want your children to grow up in a free world outside of the brutal clutches of evil tyrants and terrorist dictatorships.

JG4June 22, 2017 10:16 PM

@He who would sacrifice

Unfortunately, ACLU and EFF may be sockpuppets, otherwise known as controlled opposition. I saw the same claim advanced recently in regard to the shop that investigates malware.

marital security workers in the news

water security in the news

financial security in the news

health security - stay away from crazy toxic chemicals

your pet is someone else's food security - they're made of tasty meat

data security in the news
I suspect that blockchain will have multiple uses, including voting security. it fundamentally is a system for voting on what happened

banking sector rent security in the news

RachelJune 23, 2017 3:20 AM

@He who would sacrifice personal liberty for "national security"

Trump...He's having all teachers in India now be required not just to avoid teaching their students how to be safe

And how would he have all teachers in India do this?

JG4June 23, 2017 6:56 AM


On having people in India carry out tasks for various entities. I don't know anything about what the teachers there are doing or not doing, but I can tell you that the Indian experiment in forcing people into electronic payment systems was sponsored by banks in Europe and the US. I realized this morning that it also benefitted China, who were able to absorb even more gold at a more favorable price, because of the economic/financial convulsions in India. I assume that one of the US hegemony goals is to drive a wedge between China and India, because they are going to have a combined economic output that eclipses the US. The experiment with shocking the system with demonetization of 90% of the currency in a country where 90% of commerce is in cash is a major human rights violation. And was fatal for a countless number of poor and elderly who were not able to access medical care and even food. NakedCapitalism had excellent coverage of the experiment in money security, which is a profound conflict of interest between private sector and public sector criminal networks, legitimate government networks and the citizen/users of money.

from the brilliant daily compendium
Wikileaks Docs Show How the CIA Allegedly Infected Offline Computers Motherboard
...[human rights non-security in the news]
In Yemen’s secret prisons, UAE tortures and US interrogates AP
...[fire security in the news]
Building firm responsible for Grenfell cladding accused of supplying sub-standard panels to other council blocks Telegraph
...[health non-security in the news]
More than 40 protesters arrested in ‘die-in’ at Capitol. Many forcibly removed from wheelchairs Los Angeles
...[music and religion non-security; clearly a freedom of worship issue]
Family: Peter Tosh’s son left in coma following jail beating AP

JG4June 23, 2017 7:02 AM

minor typographical corrections to previous comment
...[computer non-security in the news]
Wikileaks Docs Show How the CIA Allegedly Infected Offline Computers Motherboard
...[human rights non-security in the news]
In Yemen’s secret prisons, UAE tortures and US interrogates AP
...[fire non-security in the news]
Building firm responsible for Grenfell cladding accused of supplying sub-standard panels to other council blocks Telegraph

RachelJune 23, 2017 12:04 PM

But I can tell you that the Indian experiment in forcing people into electronic payment systems was sponsored by banks in Europe and the US.

Thanks for the comment. I don't know if it relates to what you refer to, but I did read a book about mobile phone financial transfers unique to india and south africa and other parts of that continent, that was very helfpul where bank accounts are less common than they were 100 years ago in the west. people from the villages working in the cities are able to send money home via mobile phone instantly, bringing relative comfort to an otherwise oppressive life of travel days to get cash home.
In relation to your comment, certain denominations of rupee were withdrawn from circulation india recently (last year ) without warning, on someones whim, causing absolute catastrophes across the whole country. everything shut down

A cashless society is the reality we will all need to get used to in the not too distant future. several countries including Australia are making plans although the latter should be no surprise - it is owned by the UK (some will be surprised to hear the US is owned, legally, by the City of London)
I don't take the orwellian doom and gloom stance however with the cashless economy. i feel there will be surprising benefits for the regular folk and some disadvantages for corporations expecting 'buisness as usual'

JPJune 23, 2017 1:47 PM

Mercedes Benz is recalling thousands of cars due to a bug in the software that controls their brakes:

At least they can patch it this way. But eventually some genius will decide that the brakes should connect to the IoT (under the excuse that it will simplify their patching process - in other words, make it cheaper for them) and then we'll have* insecure brakes for every script kiddie to exploit!

* although I'm not stating we don't already have them

Clive RobinsonJune 23, 2017 4:22 PM

@ Rachel,

I don't know if it relates to what you refer to, but I did read a book about mobile phone financial transfers unique to india and south africa and other parts of that continent, that was very helfpul where bank accounts are less common than they were

There are a number of experiments using mobile phones for payment systems, including without the neywork being available. The UK's Cambridge Computer Labs has been involved in some of them. One of the regular readers here @Ross J. Anderson just happens to be involved with some of them,

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.