Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland

It's the second in two months. Video.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on July 21, 2017 at 4:33 PM • 107 Comments

Comments

Ben A.July 21, 2017 4:36 PM

Apple patches BroadPwn in iOS 10.3.3; nearly 50 patches

https://support.apple.com/en-us/HT207923


Ways to infiltrate an iOS device

Multiple ways outlined: sideloaded app, jailbroken devices, malicious settings, via app store, malicious app (using approved certificate), leveraging OS vulnerabilities

https://www.skycure.com/blog/2017q1-threat-report-10-years-hacking-ios/


We'll Pay You to #HackTor

Up to $4,000 per bug report

https://blog.torproject.org/blog/we-will-pay-you-to-hack-tor-bug-bounty


Dark Net Trap

By "the grugq"

https://blog.comae.io/dark-net-trap-545ae5dd8476

https://www.justice.gov/opa/press-release/file/982821/download


United Kingdom: Porn ID checks set to start in April 2018

"Free porn sites are simply not covered by the legislation..."

http://www.revk.uk/2017/07/porn-id-checks-set-to-start-in-april.html


On The (Perceived) Value of EV Certs, Commercial CAs, Phishing and Let's Encrypt

Troy Hunt discusses the lies being perpetuated by CAs who feel threatened by Let's Encrypt and their nonsensical arguments, how different browsers handle EV certificates (and that few users even know what they are) and the growing trend of automated certificates being used on phishing websites.

https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas-phishing-lets-encrypt/


Free Certs Come With a Cost

"The primary concern has been that while the growth of SSL/TLS encryption is a positive trend, it also offers criminals an easy way to facilitate website spoofing, server impersonation, man-in-the-middle attacks, and a way to sneak malware through company firewalls."

http://threatpost.com/free-certs-come-with-a-cost/126861/


How I tricked Symantec with a Fake Private Key

"Symantec did a major blunder by revoking a certificate based on completely forged evidence. There’s hardly any excuse for this and it indicates that they operate a certificate authority without a proper understanding of the cryptographic background."

https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html


Let's harden Internet crypto so quantum computers can't crack it

https://www.theregister.co.uk/2017/07/18/quantum_safe_key_exchange/

https://tools.ietf.org/html/draft-tjhai-ipsecme-hybrid-qske-ikev2-00#section-2


Senator Calls For Use Of DMARC To Curb Phishing

http://threatpost.com/senator-calls-for-use-of-dmarc-to-curb-phishing/126931/

https://www.wyden.senate.gov/download/?id=9BABD0D8-B335-45BF-9B05-BDA34433C917&download=1


A History of The World’s Most Famous Cryptographic Couple

http://cryptocouple.com/


Play Protect: Android’s new security system is now available

"Play Protect is the amalgamation of Google’s Android security features, such as Verify Apps and Bouncer, and it’s integrated into the Google Play Store app."

https://blog.malwarebytes.com/security-world/2017/07/play-protect-androids-new-security-system-is-now-available/


Adobe Security Survey

64% of people update their software when new updates are available... and other interesting facts. Adobe surveyed 2,000 American adults.

https://blogsimages.adobe.com/security/files/2017/07/Adobe-NCSAM-Infographic.png

http://blogs.adobe.com/security/files/2017/07/About-the-Survey_071817.pdf


Rediscovering Vulnerabilities

By Trey Herr and Bruce Schneier

https://www.lawfareblog.com/rediscovering-vulnerabilities


Encryption Substitutes

"Policymakers should seek to satisfy both law enforcement and privacy concerns without unduly burdening one or the other."

http://www.hoover.org/sites/default/files/research/docs/woods_encryption_substituteswebreadypdf.pdf


Making web pages pretty is harder than building crypto

"An Australian computer scientist working in Thailand has offered his contribution to Australia's cryptography debate by creating a public-key crypto demonstrator in less than a day, using public APIs and JavaScript."

https://www.theregister.co.uk/2017/07/17/encryption_with_apis_and_445_lines_of_js/

https://brandis.io/


Formal Verification of the WireGuard Protocol by zx2c4


https://www.wireguard.com/formal-verification/

https://www.wireguard.com/papers/wireguard-formal-verification.pdf

https://www.wireguard.com/papers/wireguard.pdf


Beijing’s New National Intelligence Law: From Defense to Offense

https://www.lawfareblog.com/beijings-new-national-intelligence-law-defense-offense


China blocks WhatsApp services as censors tighten grip on internet

They're blocking images from being sent and only allowing text messages via WhatsApp. It's highly unlikely they've broken the Signal ratchet, instead they're probably blocking based on file size.

https://www.theguardian.com/technology/2017/jul/19/china-blocks-whatsapp-services-as-censors-tighten-grip-on-internet


Privacy Activists Suffer Legal Setback In National Security Letter Case

https://threatpost.com/privacy-activists-suffer-legal-setback-in-national-security-letter-case/126901/


Can You Hear Me Now? How to Protect Yourself From Voice Hackers

https://www.scientificamerican.com/article/can-you-hear-me-now-how-to-protect-yourself-from-voice-hackers/


The Rare-Book Thief Who Looted College Libraries in the '80s

"James Richard Shinn was a master book thief. Using expert techniques and fraudulent documents, he would ultimately pillage world-class libraries to the tune of half a million dollars or more."

http://www.atlasobscura.com/articles/house-of-bees

Ben A.July 21, 2017 5:45 PM

Thanks for the correction JG4, that was another unrelated story I'd been reading. Not sure how that got mixed up.

Long Term MysteryJuly 22, 2017 2:45 AM

Is it just me and my non-mainstream browser configuration, or did Amazon.com recently, *finally*, become HTTPSEverywhere compatible?

The monopolist/spook angles to this should be obvious enough to enough folks. The apologists that would defend the length of time this took, and point out the US ISP metadata/browswerhistoryForSaleToTheHighestBidderNewNormal angle can go to h*ll. Some serious Orwell going down with this issue IMHO.

David H.July 22, 2017 2:56 AM

@Long Term Mystery
"Is it just me and my non-mainstream browser configuration, or did Amazon.com recently, *finally*, become HTTPSEverywhere compatible?"

Re: Amazon, AWS, and HTTPS-Everywhere: Over the past month or so, there has been a large clean-up and update effort of the Alexa Top 100 and Top 1000 sites that likely led to re-enabling the Amazon ruleset.

I didn't really follow your second paragraph. A lot of rulesets have been disabled by default for a long time. No real conspiracy going on in the development world as far as I've noticed.

Long Term MysteryJuly 22, 2017 3:16 AM

@DH

I don't actually use HTTPSEverywhere though I tried it years ago and think I grok the basic idea. Setting asside it's complexities, I'm basically pointing out that even without that kind of extra browswer plugin, it appears to me, that since very recently, average joe can now just go visit amazon.com and finally bask in the comfort of the green padlock icon. In other words, not be leaking url metadata plaintext for all consumer browsing done on amazon.com. Prior to the last year's orwellian new normal of US ISPs having the public expectation of no-privacy WRT metadata (browser history, as leaked by non-https urls into ISP collect{able,ed} metadata), a company like Amazon could defend their http (or, browswer flagged 'mixed http/https') set-up as not a privacy threat to their customers, because that browsing information fell under the mutally agreed terms between amazon and it's user, and otherwise was only known by ISP's, who, prior to the orwellian-new-normal, had a public expectation of privacy in line with that of traditional voice communications over the phone system. I.e. AT&T was never legally allowed to sell random joe's call log metadata to the highest bidding magnum p.i.

I'm just saying that I'm seeing a suspected crafted narrative playing out, where amazon.com finally gets around to doing something that in a sane world would have at least been done within Snowden2013+1year timeframe. And the narrative we are supposed to eat is that now that amazon sees the light of day that by whatever newnormal interpretation of the law allows local ISPs to sell the amazon browswer history of all of their customers to whoever they want to (not just legal authorities with probable cause and warrants and all that jazz...).

Anyway, I'm not yet drunk enough right now. That should be coherent enough for the digital record I'm trying to establish.

Bottom line, amazon.com very specifically toggling to https from http in the year 2017 (versus 2007, 2014, ...) I consider worthy of some headlines with competetant journalistic analysis in the face of Snowden+4years etc. This is not something that doesn't matter.

ThothJuly 22, 2017 6:11 AM

@Ben A, Clive Robinson, all

re: China targeting WhatsApp with censorship

This isn't surprising and in fact should be expected.

A way to bypass this is to use a Box-in-a-Box method where data is chunked and sent asynchronously. One way is to internally over the chat app somehow take control of it's message sending and receiving function if possible and then inject your own functions in it to form a Box-in-a-Box scenario.

Once the internal Inner Box Key Exchange have been done, a "short-burst video/audio feed" can be sent but no real-time video/audio can be done as it is expected to lag since this is an asynchronous method.

How the asynchronous media feed works is to record the audio or video and break it into small chunks that are about the same size of text messages (300 bytes +/-) per chunk, encrypt and MAC the chunks with the Inner Box Session Keys. Fire off these chunks over a period of time either with random timing or fixed timing according to one's preference due to some preferring to mimic human messaging which is to send messages in a unpredictable timing since a predictable and consistent timing and message size maybe too uniform that becomes a metadata signature in itself.

Of course the fleet broadcast would not be immediately available as it requires more research but what I can suggest is for users to use Jabber/XMPP messaging servers or host Jabber/XMPP servers with TLS Certificate pinning to fix to a particular server.

The TLS-Jabber/XMPP message is for the Outer Box for blinding the network attacker and the Inner Box would be some other E2E secure protocol. This is a simple and better replacement to WhatsApp and the likes as it doesn't have the downsides of being controlled by some company like what WhatsApp, Signal and Telegram is.

WhatsApp, Signal and Telegram were never built to be robust against such levels censorship and attackers so the security they provide is what is at best described as cryptographic security. It is nice to have cryptographic security but wouldn't it be better if it has censor confusing security built on top of cryptographic security ?

Clive RobinsonJuly 22, 2017 7:46 AM

@ yggdrasil,

I was going to put that link up under a heading of,

If you thought OPM was bad

Or,

It's not just the OPM dropping personal secrets

albertJuly 22, 2017 10:57 AM

@Screaming Fat Pig,

I'm working on facile recognition software, and I don't care how many false positives it gets, as long as I can sell it.

. .. . .. --- ....

CallMeLateForSupperJuly 22, 2017 12:04 PM

@albert
"I'm working on facile recognition software [...]"

facile:
a) easily accomplished or attained
b) used or comprehended with ease
c) readily manifested and often lacking sincerity or depth

So, whatever is easiest to develop and use, regardless of its ultimate usefulness?
;-)

CallMeLateForSupperJuly 22, 2017 12:09 PM

Can't believe @InternetOfShit hasn't tweeted about this.

"Hackers attempted to steal data from a North American casino through a fish tank connected to the internet, according to a report from security firm Darktrace.

"Despite extra security precautions set up on the fish tank, hackers still managed to compromise the tank to send data to a device in Finland before the threat was discovered and stopped."
http://money.cnn.com/2017/07/19/technology/fish-tank-hack-darktrace/

RachelJuly 22, 2017 12:28 PM

CallMeLateForSupper


"Despite extra security precautions set up on the fish tank,

An electric eel?


hackers still managed to compromise the tank to send data to a device in Finland before the threat was discovered and stopped."

a relative of FinFisher no doubt

Ben A.July 22, 2017 1:41 PM

@Thoth

Signal does have a Censorship Circumvention option which reroutes data over a CDN like Google, Amazon, Cloudflare etc.

The problem with China is as you said: those applications weren't built with such restrictive censorship in mind. It'd be difficult to imagine most countries willing to block off huge chunks of the internet by banning popular CDNs but China don't care.

I believe the authorities express particular displeasure at President Xi Jinping being likened to Winnie the Pooh and the exchange of photographs depicting the same.

The box in a box method would only work until they decide that only content which can be readily inspected is allowed through the great firewall.

Certificate pinning on XMPP is a nice idea but I believe that they actively block connection to TLS certificates over which they have no control. I'd like to see DANE used more although it wouldn't solve their problems.

Both methods you suggested require technical skill as things stand and XMPP is not an ideal communication method because of RFCs stuck in the 90's and the problematic XML format.

You have OTR which is not compatible with all servers, others only support OMEMO and then other connections require both. I know you can use PGP but then you sacrifice forward secrecy.

At the minute Chinese citizens aren't in a good place - there is no platform universal, easy-to-use, app store accessible, reasonably secure, mainstream app which can bypass censorship.

Clive RobinsonJuly 22, 2017 2:01 PM

@ Drone,

Krebs scoops interview with Dutch cops involved with AlphaBay & Hansa take downs:

What Krebs fails to mention is the administrator was found dead in a cell hanging from a towel.

This is suspicious as "at risk" prisoners --which he would have been-- are usually not kept in cells with the equipment they can kill themselves with.

This has given rise to the claim Alexandre was "suicided" by the Bankock authorities.

Clive RobinsonJuly 22, 2017 2:50 PM

When Pokemon Go does not

A major Pokemon Go event with 20,000 attendees had so many things go wrong everything ground to a halt or crashed...

https://techcrunch.com/2017/07/22/pokemon-go-fest-attendees-to-get-refunds-as-technical-issues-break-the-event

One reason appears that the attendees effectivly did a DoS on the network.

Such "under capacity" failures are not unknow, in the past telephone networks have been crashed when ticket sales start for very popular artists or festivals.

The problem is that often such failures open up all sorts od attack vectors that would not normally occur. In one case of a phone network crashing, it stoped burglar alarms reporting back to control stations, thus alarms were raised on the assumption telephone lines had been cut as part of an attempted burglary.

Sunshine GirlJuly 22, 2017 2:54 PM

@Clive

You can't hold a jail in Thailand to the same standards as one in the west. He's lucky the rats didn't chew off his legs.

https://www.thelocal.se/20120803/42402

I doubt very much he was "suicided". The more likely explanation is that being a young man and facing a very very long prison sentence he did the action that he perceived to be in the best interest of his long-term spiritual health.

Clive RobinsonJuly 22, 2017 4:18 PM

When 2 Factors join

Somebody had a thought, what if something you have and something you are become one...

The result is the madness that is Dangerous Things VivoKey, an NFC Implant...

http://vivokey.com/learn-more.html

Why mad? Well aside from turning you into a target, it also means you can not go into NMRI machines and will cause you issues near high power HF transmitters (think RF burns inside you around the implant).

But there are "wish lists" of features people are thinking of to turn it into a "Crypto Implant"...

My advice do not be as daft as some Swedes implanting NFC Travel Cards in their hands... To open doors, pay for shopping and other things we traditional "use plastic" for.

After all think of it this way, how much do you value your right hand? Now how much do you think some brain dead drug addled lowlife values your hand, when all they have to do to get their next fix is steal your hand with an axe, hatchet, machete, or rusty blunt old hacksaw blade they found in a garbage bin?

WaelJuly 22, 2017 4:34 PM

@Clive Robinson,

Somebody had a thought, what if something you have and something you are become one...

Dumb idea that shows skin deep knowledge (pun intended) of the designers of such a concept. It's also a bad trade off between security-v-usability. Unfortunately, the idea may pickup sooner than we think. Perhaps in the future, newly born kids will have a chip implanted without a choice. It could also be a "felony" to refuse or remove the chip.

ThothJuly 22, 2017 6:23 PM

@Ben A

More complex cirumvention techniques can be used but as usual the "I don't care" attitude makes it in such a way by the time the techniques are implemented it is either too late or some circumvention already exists.

A peer-to-peer with support of commonly available DHT over XMPP/TLS would be rather useful. Also another thing that can be done for more network persistance is out of normal comms method via Bluetooth and Wifi Direct as Outer Box transmission channels so that a secure mesh can be done when no Internet is available and whoever has Internet would be used to forward Outer Box packets to those not within local mesh network. This is one technique currently sought after by milspec mesh networked and comms supplier for their future networked soldier system that I took a few pages off.

tyrJuly 22, 2017 11:28 PM


@Clive, Wael

Many years ago the going price for
a village assassin hit in Thailand
was 5 dollars American. If you used
the service too often they would do
you for free as a community service.
I have serious doubts that a cultural
institution like that has faded into
obscurity.

The worst problem with implants is
the human body dislikes such things
and reacts accordingly. So what is
assumed to be benign often turns
out very badly as they are really
an experiment on you rather than
a provenly safe technology.

You're going to see a lot more of
this experimentation on humans in
the near future and like the IoT
a lot of it will end badly because
the experts are too lazy to hire a
biologist for their staff before
concocting an implant.

WaelJuly 23, 2017 2:47 AM

@tyr, @Clive Robinson,

You're going to see a lot more of this experimentation on humans

It's already happening, and has happened throughout history. You're probably right. One thing that annoys me is the amount of pollution[1] we're producing, genetically modified foods, changing the features of earth, the amount of garbage we leave in orbit, electromagnetic radiation surrounding us from every direction... the list goes on. I'm also having second thoughts about the safety of long term use of cell phones, and started using a wired headset (BT doesn't help.)

experts are too lazy to hire a biologist for their staff before concocting an implant.

Minor correction: "experts". To be fair, some do. But long term effects aren't easily measurable. We'll need to reach the tipping point of destruction first. [clip from the movie: The day The earth stood still] It's only on the brink that people find the will to change. Or to put less eloquently: it'll get worse before it gets better.

[1] Light pollution is particularly annoying to me. There is hardly a spot near me where I can find black sky.

neillJuly 23, 2017 3:17 AM

@Clive Robinson

" ... steal your hand with an axe ... "

new crime MO : hand-jacking

BTW in the movie "minority report" from 2002 they do eyeball-replacement surgery to fool retina scanners

long time ago i read an interview with an AUDI executive, he claimed the tech was available to (almost) eliminate car theft - but that would increase the number of car-jackings, which in turn would get AUDI bad PR, so they decided not to implement those measuers ...

(will try to find that interview)

JG4July 23, 2017 5:56 AM


@Thoth and others

I like the box-in-a-box concept. Combined with fleet broadcast, it would be quite powerful, though limited in bandwidth. It defeats both metadata and content extraction. It could use data diodes to and from some modest ARM or microprocessor as the secure endpoints. An alternative to fleet broadcast is possible, if a secure server can be used. The potential bandwidth goes up dramatically, but requires a large user base to achieve useful levels of metadata anonymity/security.

@Clive and others

I didn't spell out my comment last year on biometrics:

https://www.schneier.com/blog/archives/2016/02/friday_squid_bl_512.html#c6716794

My recollection is that it was a thumbjacking. I hope that movie is a cult classic. Well worth the $2 to buy the DVD in a second-hand shop.

The plot of V, another potential cult classic, was revenge for unconsented medical experimentation on children. That is known in the US, in particular on California orphans with radiation, to pick a random example. I don't have the link handy, but I was shocked when I first read of it.

Another movie, The Iron Giant, does a very good job of articulating the mindset behind the abuses of national security, but I don't have the quote handy.

There is a phrase, "the Palestinian exception to the Constitution," in the boycott article that you linked. It turns out that there also is a DUI exception to the Constitution, which is very well articulated here:

https://www.duicentral.com/dui/the-dui-exception/

I think that the spirit of this quote is spot on, but perhaps the flow could be improved slightly.

"Every normal man must be tempted at times to spit on his hands, hoist the Jolly Roger and begin to slit throats" - H.L. Mencken

"The time comes for every man to roll up his sleeves, hoist the Jolly Roger and get down to the hard work of cutting throats." -JG4

I continue to demand fair and speedy trials before the hemp neckties are fitted to the criminals. I'd prefer to vote with my feet, which is in line with Clive's good advice. To the extent that the corruption is a scaling issue, a country like NZ or Australia will be somewhat better than the US. By scaling issue, I mean the larger the population and the larger the GDP per capita, the more concentrated wealth is available for turning politicians, and the more levels of separation there are between the elites and the peasants. My perception is that Australia has a laissez faire social order that reduces separation of the elites and peasant relative to the US and the UK. It was populated largely by peasants who had "fallen out of political favor" in the UK.

The debt levels in Australia allow their government some latitude in navigating the inevitable collapse of the housing bubble.

"There is no means of avoiding the final collapse of a boom brought about by credit expansion. The alternative is only whether the crisis should come sooner as the result of voluntary abandonment of further credit expansion, or later as a final and total catastrophe of the currency system involved." - Ludwig von Mises

Clive RobinsonJuly 23, 2017 6:14 AM

@ Wael,

Light pollution is particularly annoying to me. There is hardly a spot near me where I can find black sky.

Yup, if you look at those photographs taken from the International Space Station of the earth at night and clear skies you can see not just the light polution but urban sprawl.

If you look at the South East of the UK you will see that even though there is supposadly a "Green Belt" around London, it's hard to find a totaly dark spot for the likes of astronomy and photographing satellites etc. In fact there is a photo somewhere which shows the ISS lit up not by sun or star light, but by reflection of the light from Earth...

There is effectively nowhere within fourty miles of where I live where you can go to set up a telescope and not suffer light polution, either directly by line of sight or by reflection of clouds...

But the ultimate form of polution is further down the EM spectrum. As no machine or process is 100% efficient. The waste energy has to go somewhere and by the process of radiation transport ends up in the IR through microwave down into the lowest RF frequencies.

The problem with South East England is that even down at those low frequencies there is so much "polution" that radio astronomy and tracking satellites is to put it politely more difficult than it should be.

But that as far as mankind is concerned is a minor problem as heat energy is a major issue in "Global Warming"...

Wesley ParishJuly 23, 2017 6:16 AM

@Clive Robinson
re The Madness of some US Lawmakers

Indeed, that law is wierd.

About the time the Al Aqsa Intifada broke out, I got into a discussion of sorts with a member of the Simon Wiesenthal Centre over the intifada, the right of US students to see the Koran for themselves and make up their own mind, and the like. He made one comment which I've used since then to as a basis for judging Israel - I even wrote a poem around it: "Israel [Defense Force] only targets known terrorists."

What that makes of the thousands of olive trees the IDF has routinely uprooted ... one of the King Georges made a habit of talking to trees, but I presume this time when faced with torture from Shin Bet the trees reply? It still leaves the question of how olive trees are [known] terrorists up in the air.

It gets worse if one considers the blockade and attempted reduction of Gaza. Newborns known terrorists? Grannies known terrorists?

When I made my own commitment of "Never Again" as a teenager on discovering my own distant and not-so-distant Jewish ancestry - amongst my rather more prosaic British ancestors - I also concluded that it applied everywhere to everyone.

Speaking of Israel and the like, what's happened to @ianf? The last I looked he was somewhere in the UK. Has he been thrown to the King Charles Spaniels in lieu of wolves? there been a rash of extinctions of King Charles Spaniels resulting from massive cholesterol poisoning? Are London Double-Decker buses in peril of also going extinct from exactly the same cause?

Oh yes, the poem?

I Fear the Olive Groves Even Bearing Olives (Poem)

Tuesday, March 12 2002

By Wesley Parish

Now even the Olive Trees are Terrorists!
Guilty of bearing Olives against Israel,
They lie uprooted and disarmed:
The Olive Tree dreaming of the breeze
Is now food for the fire.

"But you have to be so careful!"
"They are sly, they don't want peace!"
"One put its branch though my bulldozer's roof!"
"They ringbark themselves,
"And leap in front of bulldozers!"

And a voice rings out from Sinai,
At Horeb the words are heard:
"Is the tree in the fields human,
That you beseige it too?"

And a voice echoes hollowly from Tel Aviv,
At session in Knesset a whining is heard:
"Not fair! God, is Moses pro-terrorist?
"I mean, is he pro-Olive?"
"I want him arrested for questioning!"

Then, in the visions of the night one hears
The Breaking News: The Mayor
Of Jerusalem declares - "Rejoice,
"O Daughters of Jerusalem.
"Olive Trees must be demolished.
"Olive Trees aren't safe to live in."

JG4July 23, 2017 6:48 AM


http://www.nakedcapitalism.com/2017/07/links-7232017.html
...
New Cold War

John Brennan and Jim Clapper trash Trump for his relations with Putin, attacks on intelligence community. Politico. A torturer and a perjurer, respectively.

* * *

The Long-Delayed Jeff Sessions Reveal emptywheel

How our Intel Agencies Screwed us by Letting Sessions, Trumpies get away with Russia Scheme Juan Cole (Re Silc). Cole:

Me, I’m angry. I’m angry because the US intel community had this information in summer of 2016 and they’re only leaking it now. You mean they could have blown the whistle on the Trump gang over the Russian contacts and they didn’t bother? It is too late now

...
Big Brother Is Watching You Watch

Amazon may give app developers access to Alexa audio recordings The Verge. Yikes.

Imperial Collapse Watch

Donald Trump and the Coming Fall of American Empire The Intercept

America’s New $13 Billion Aircraft Carrier Is Still Far From Ready Jalopnik. Can’t launch or recover aircraft, planned to be F-35Cs….

How the Pentagon’s Handling of Munitions and Their Waste has Poisoned America ProPublica (GF).

JFJuly 23, 2017 6:54 AM

@Thoth
"A peer-to-peer with support of commonly available DHT over XMPP/TLS would be rather useful. Also another thing that can be done for more network persistance is out of normal comms method via Bluetooth and Wifi Direct as Outer Box transmission channels so that a secure mesh can be done when no Internet is available and whoever has Internet would be used to forward Outer Box packets to those not within local mesh network. This is one technique currently sought after by milspec mesh networked and comms supplier for their future networked soldier system that I took a few pages off."

Is that not, more or less, what Serval Mesh does?

Clive RobinsonJuly 23, 2017 7:59 AM

Microsoft dump clover trail CPUs

Microsoft is dropping Intel CPUs that are considerably less than 5years from their release date, in new versions of Win10.

http://www.eweek.com/enterprise-apps/intel-atom-clover-trail-pcs-ineligible-for-future-windows-10-updates

And there are a lot of these Intel Clover trail 32bit CPUs around with not just consumers but businesses and schools. As they are SoCs moving to other OS's such as Linux may not be possible and still have full hardware usability.

This may prove problematic with more "XP" type issues arising.

CallMeLateForSupperJuly 23, 2017 8:32 AM

@Clive Re: The madness of some US lawmakers

Agreed.

Some of the congress critters who support this awful legislation are people who I mostly like. One of them, I admired. But that one lost appreciable "cred" with me because it appears that he did not read it (based on his answer when questioned). Voting "aye" on proposed legislation without reading and understanding it is what got us the POS inappropriately - but predictably - called Patriot Act, all of which still chafes me.

ThothJuly 23, 2017 9:33 AM

@JF

The use of Bluetooth and Wifi Direct mesh is what Serval Project does. The Box-in-a-Box with use of TLS/XMPP as the Outer box is what Serval Project lacks. The Inner Box architecture of using asynchronous message sending scheme via store-and-forward and the use of either fixed or random padded message length is also what Serval Project lacks. So technically the proposal is much more extensive than Serval Project.

RachelJuly 23, 2017 10:00 AM

i don't mind when the crew here go off topic as I mostly find it so stimulating, except when it's us politics related with zero context.
I do however, fairly consistently, feel guilty for my continual non sequiturs, such that I regular vow to cease posting entirely and be an observer. Ab Praeceptis made his feelings fairly clear (okay okay they were vague, opaque, fuzzy and meandering) on the topic of on topic a while ago. They echo in my mind to this day.
So, I propose a hard fork of Schneier on Security. Schneier Classic will maintain Schneier on Security hijacked by investors on a variety of topics in multiple , often anonymous, directions. Schneier on Security will be a purely security related- mostly technical- arena

ps - Tyr thanks I did know what a M16 was but I didn't know the M designation underwent the tricky switcharoo regularly. Amazed my mere 'i'm not paying attention whilst touch typing' swap of the I for the 1, got so much attention


RachelJuly 23, 2017 10:22 AM

Wael

electromagnetic radiation surrounding us from every direction... the list goes on. I'm also having second thoughts about the safety of long term use of cell phones, and started using a wired headset (BT doesn't help.)

*
i have been wondering if the dangers of Wi Fi broadcasts would get a mention here. In fact I am surprised the problems of Wi Fi are rarely discussed from an OpSec persective. I have just had to assume most specialists here know to use a hardwired connection

the general response is that 'we are cooking in it everywhere so there is no use doing anything about it' this is a really defeatist attitude for a couple reaons, the most practical being that local exposure is the worst and health symptoms respond the best when removing local sources

Because
i) the signal strength drops off fairly quickly proportionate to distance- all those stray signals outdoors are nowhere near as potent, biologically, as the router a few metres away.
ii) when indoors the signal bounces around the walls, potentiating.

Also, our biology is most vulnerable to pulsed microwaves when sleeping. So, turning off the router etc when asleep really does make a huge difference. as well as disabling the router broadcast,
turning off the search broadcast function from ones device is also necessary.
one really needs to get rid of everything wireless in the home environment, keyboards, mouse, the lot. how many hours of exposure can that eliminate?

for those really swearing by the need for convenience, is the option of D-LAN plugs for turning the household wiring into a local network accessed via the powerpoints. it can produce a fair bit of EMF too so some distance from the walls is preferable . It is possible to access the internet with apple via hard wire contrary to popular belief


PS Wesley Parish what's this ongoing thing about cholesterol and double decker buses? As for the entity in question, i vaguely recall they were worried about being doxed or something, about the time they disappeared. I just assumed they were instutionalised, or owned. It is possible they moved to Sweden to persue their infatuation with the leading actor in the tv series The Bridge, of which they were most enamoured

anonymousJuly 23, 2017 10:24 AM

@tyr

"The worst problem with implants is
the human body dislikes such things
and reacts accordingly."

Is this true for titanium implants and osseointegration into bone?

OT reading from the bottom up on 100 comments, you can usually tell a tyr comment is here, based on the formatting

ThothJuly 23, 2017 10:27 AM

@Rachel

It is just a small little test to show the state of security development :) .

Now that the post is somewhat old, I would consider it invalid proposal and proceed with life as usual.

Note that OpenPGP/GnuPG and many other security development (i.e. TOR, Signal, WhatsApp, Telegram et. al.) will still continue to have their security assurance problems and they will still continue to be developed with just crypto-security in mind and nothing else. They would not think much about secure execution, better user experience, more flexible security schemes and the many other things we have discussed.

The Community would continue as per usual as though nothing happened despite the 5Eyes push to make personal security and personal privacy illegal by international law and by precedence although there are many articles and dissatisfaction of these by policies, but no effective measures are taken against these policies and what we have are the same security and usability we see in the 1980s and 1990s.

Nothing will change. Thus, I have decided to simply move on and do my own business for now.

HumdedumJuly 23, 2017 10:52 AM

Re: Raspberry Pi OS

I can't imagine why anyone would use it in a PC. I have an old PC and it runs Linux Mint well. I don't perceive any real need for a new OS just for old PCs. If one's PC is super old DSL (Damn Small Linux) has existed for decades and I don't see how the Pi can do better than that. Also, Puppy Linux is very lightweight and secure as well. Those articles struck me as a marketing gimmick.

Clive RobinsonJuly 23, 2017 11:06 AM

@ Rachel,

Kind of in reverse order, have you ever heard the old saying about "throw them under the bus"? It's kind of a modern day version of "Et u Brute" but at arms length.

As for cholesterol modern science is increasinglyregarding it as kind of harmless on it's own. It's when you have certain "nano-virus" or carbs in your diet that it starts to be bad for you by getting stuck to the inside of blood vessels causing strokes, heart attacks and similar when it breaks away and blocks smaller blood vessels.

The funny thing is that it was a doctor to a US President that came up with the idea of filling people full of carbs to excess and cutting out fats. As has been shown even by his own experiments --that he lied about-- you can live indefinitely with no carbs in your diet, but no fats will kill you or make you very ill (Vegans suffer from this problem if they are not meticulous about nutrition as most vegetable fats are no where near as usefull to the body as animal fats). Experiments on animals have shown that no carbs improves longevity as does having a calorie restricted diet. It will be interesting to see thr results of a combined diet.

Oh and this might be of interest, it's kind of a must read,

http://news.harvard.edu/gazette/story/2017/04/over-nearly-80-years-harvard-study-has-been-showing-how-to-live-a-healthy-and-happy-life/

As for EM radiation and biology, most models used to set safe levels are based on the "heating effect" not any other measure. For two reasons the first is in most cases there are no agreed measurands, the second such studies are likely to be considered unethical currently.

FigureitoutJuly 23, 2017 12:45 PM

Clive Robinson
--Yeah, interesting hack. Attracts a little too much heat for me.

Thoth
--You gotta have a product ready to go, and it didn't have features I wanted (or too much I didn't want) so...it's a "free" world eh? ;p Best to always just focus on making money and get yours, w/ the way the world is moving w/ endpoint security, it simply won't matter and maybe we'll start seeing society shutting down from attacks.

Personalization Stifles Nations Creativity and InnovationJuly 23, 2017 2:00 PM

Apple, Amazon, Google & Facebook spent record sums to lobby Trump
Google spent nearly $5.4 million to lobby efforts on shaping self-driving car regulation, pushing for surveillance reforms and addressing potential competition concerns (record EU fine).
Facebook is fighting a proposal in Congress that seeks to impose new limits on how tech companies tap users’ data to sell ads

Amazon’s fast-paced growth spurt in Washington, D.C., where it even hired a top fundraiser for Trump from the 2016 presidential campaign as one of its lobbyists — perhaps hoping the president would stop slamming the company and its chief executive, WP/Jeff Bezos.

Techs Most Feared Act – Offering Consumer Choice
The so-called Browser Act, unveiled by Republican Rep. Marsha Blackburn, has drawn immense opposition from groups like the Internet Association, which represents Amazon, Facebook, Google and others. The group previously told Recode the bill “has the potential to upend the consumer experience online and stifle innovation.
https://www.recode.net/2017/7/21/16008504/apple-amazon-google-record-lobby-trump-immigration-science-privacy

Tech Companies Are Pushing Back Against Biometric Privacy Laws
Industry groups representing the likes of Google, Facebook, Amazon.com Inc., and Wal-Mart Stores Inc. have used various arguments to defeat or weaken proposals. The lobbyists point to what they say are practical benefits in using facial recognition, allowing them to develop new technologies for marketing and security.
https://www.bloomberg.com/news/articles/2017-07-20/tech-companies-are-pushing-back-against-biometric-privacy-laws

Taking Control of Bleak Future
The more hi-tech leads or takes control of peoples lives the less competitive and innovative they become. A unspoken but major reason why American tech prefers to hire from outside America.
This accelerating algorithms-are-superior/robot trend feeds in America’s marked decline as a world power:
theintercept-dot-com/2017/07/22/donald-trump-and-the-coming-fall-of-american-empire/

If people could keep their privacy, they could stop this terminal decline. But the majority actually like to be hand-fed, and frankly don’t give a damn.

To be fair there is evidence of similar decline in every country which allows-in American High-Tech personalization.
The developing up-and-coming world powers all reject this intrusive Hi-Tech data-mining. Trained to innovate, these students (future world leaders) all score higher as America continues its (sadly preventable) decline.

Dirk PraetJuly 23, 2017 4:59 PM

@ CallMeLateForSupper, @Clive, @ Wesley Parish

Re: The madness of some US lawmakers

At the risk of stating the obvious, but have none of these people ever heard of a thing called the 1st Amendment to the United States Constitution ? What exactly is not clear about "abridging the freedom of speech" ?

It's kinda different in the EU, where e.g. hate speech and incitement to violence is not protected speech, as illustrated by a recent ECHR verdict ruling against Fouad Belkacem, a Belgian hate preacher, Daesh recruiter and former leader of the Islamist Sharia4Belgium. Still I find it kinda doubtful that this sort of proposed legislation would ever pass EU scrutiny.

@ Wael

Also, our biology is most vulnerable to pulsed microwaves when sleeping. So, turning off the router etc when asleep really does make a huge difference. as well as disabling the router broadcast

It make sense both from a health and security vantage to always turn off and disconnect any equipment you are not using at any given time.

@ Rachel

So, I propose a hard fork of Schneier on Security.

I would prefer not. A while ago, our host has explicitly reiterated the rules of engagement on this forum, one of which was abstaining from partisan US politics. Which IMO is reasonably well complied with, even in the squid threads. It is also impossible to completely ignore politics altogether because of its impact on legislation and regulation that shapes the technology landscape.

@ JG4

You mean they could have blown the whistle on the Trump gang over the Russian contacts and they didn’t bother?

In the summer of 2016, there were very few folks in the US IC who saw a Trump presidency coming, an even less who considered him a threat that had to be stopped.

WaelJuly 23, 2017 11:01 PM

@Dirk Praet,

Also, our biology is most vulnerable...

I understand that attribution is a b*tch ;)

Clive RobinsonJuly 24, 2017 12:56 AM

@ ,

If one's PC is super old DSL (Damn Small Linux) has existed for decades and I don't see how the Pi can do better than that. Also, Puppy Linux is very lightweight and secure as well. Those articles struck me as a marketing gimmick.

It's not a marketing gimmick as such, but it's applicable to a small but rapidly expanding group of people.

As I noted yesterday, Microsoft are dropping support for Intel CPUs that are less than 5years old in Win10. These CPUs were still in items sold as new just a year ago, and were due to pricing purchased by parents who are not affluent for use by their children for school work etc.

The aim of making the Raspberry Pi OS available for other platforms is so that children who use the Raspberry Pi at school can have the same look / feel / behaviour on their computer at home, as well as extending the life of the computer the children have at home that their parents can ill aford to replace when the likes of Microsoft or Apple decide to drop support for it.

The reason behind Microsoft's behaviour is two fold. Firstly there is apparently --from market reports-- a global slow down on sales of their OS products. Secondly Microsoft envy the "Walled Garden" approach of some of it's compettitors and want to have the same market "dictatorship" "lock-in" advantage as can be seen by their behavioir with Windows 10.

History teaches us from the "Big Iron" days that such "lock-in" whilst very profitable for the manufacturer, is very bad for the consumer, who looses "freedom of choice" and rapid forced obsolescence etc, from what is in practice a monopoly market.

Thus whilst the moving of the Raspberry OS to older hardware may not be for "techy types" it will if made a simple install option find favour with parents who see a hard payed for computer become obsolete within an all to short period of time.

Clive RobinsonJuly 24, 2017 2:15 AM

@ anonymous,

Is this true for titanium implants and osseointegration into bone?

@Tyr's comment is broadly correct, however as with many complex things there are exceptions under certain circumstances.

Bone's are the structural heart of the body, and broadly what everything else not just wraps it's self around but moves around. Thus the fact that things move around the bone makes things a lot simpler. Further bones do not have the proliferation of nerves that other parts of the body have.

Finding materials that you can put in the human body is difficult. If I remember correctly the first material found where the body did not react to it by forming scar tissue around it was during WWII where aircrew had got splinters of plastic from canopies in their eyes. Getting them out was considered a very risky proceadure, thus they were left where they could be. Ophthalmic surgeons were supprised at the fact scar tissie did not form, and this observation gave rise to the idea of what we now call hard contact lenses.

It's not just titanium by the way, some stainless steels do not produce rejection reactions nor other long term issues when used in bone. However as has been found with "stents" the same is not true in blood vessels, much to the annoyance of numerous cardiac doctors and surgeons.

But the big problem in other places is nerves. Each time you cut into flesh you cut nerves, it's why scars tend to be quite numb when tested by external stimuli. However cut nerves produce another effect which is known as "Phantom Pain" thus to some people scars can be extraordinarily painful even though they can be shown to be numb to actual stimuli such as pin pricks and localised heating and even electric current.

There is also other problems, all surgery has risks and complications, one such is the weakening of the immune system in the surgery site. Due to an injury I have had surgery involving the implanting of foreign parts inside me, not only have I lost the use of nerves, I get phantom pain and repeated infections at the scar site.

Phantom pain is a very real problem for not just doctors and surgeons but the patients as well especially in amputees. Whilst my phantom pain is to me mostly an anoyance --except when the weather changes-- that disturbs both movment and sleep, I can at least live with/around it, which makes me lucky compared to many. I have friends who were injured on active service and their phantom pain is considerably worse to the point it has in effect destroyed their lives as it resulted in divorce, unemployment and the attendant depression etc.

The surgical trend these days is minimal invasion via key hole techniques and the minimisation of the use of implanted foreign objects. It's also interesting to see the difference it has to the type of health care system you have. In the US with it's insurance led payment system there was a trend towards implanting the likes of cardiac monitors and pacers, less so in other health care systems.

In the more shadowy world of body augmentation / art people are comming to the realisation that the down sides are more than the upsides even for tiny foreign objects like magnets, which even after they are removed leave scar tissue and loss of feeling.

Thus body augmentation is now looking towards stimulation suits and exoskeletons to avoid the very many implant issues.

Dirk PraetJuly 24, 2017 6:01 AM

@ Clive

Thus whilst the moving of the Raspberry OS to older hardware may not be for "techy types" it will if made a simple install option find favour with parents who see a hard payed for computer become obsolete within an all to short period of time.

Youngsters used to a slick MacOS, iOS or Windows UX may find the simple Raspbian GUI less than appealing, even more so when it turns out many of their favourite apps are missing and they inevitably run into compatibility and exchange issues when trying out alternatives. Another reason why many people stay on Apple hardware despite it being ridiculously overpriced and obsolete in on average three years time is the brilliant marketing and seamless integration of those devices.

In my experience, the only young people even remotely interested in trying out Linux on the desktop are those already technically inclined. Most others generally can't be bothered, even if they get the entire package for free. The only way I can think of for turning this around is local authorities and school boards adopting strong OSS policies and hardware longevity demands instead of allowing them to be locked in by the likes of Google and Microsoft aggressively targeting such entities with respectively Chromebooks and cheap licensing schemes. But since the UX is a decisive factor, I'd still rather go with something like Mint than Raspbian as a general purpose OS.

And yes, OpenBSD would be really well-suited to refurbish old hardware with too, but good luck finding decent and affordable support for it.

Finding materials that you can put in the human body is difficult.

Marcel of the "Toys for Boys" shop across the street vehemently disagrees 8-)

JG4July 24, 2017 7:15 AM


Part of the robot programming/control problem can be viewed in an OODA framework as an issue of aligning the frames of reference between O and A.

There should be analogs in automated computer security. I've mentioned before the idea of observing large numbers of instruction/data trajectories to identify normal and threat conditions. That is the second O, but allows the first O to be useful at runtime. D and A are more difficult.

http://www.nakedcapitalism.com/2017/07/links-7242017.html
...
Going Cashless? Bad for Tax Cheats, Privacy, Poor Bloomberg. Correction: Bad for the sort of tax cheat who doesn’t have an acountant or tax lawyer.

...
VPN crackdown ‘unthinkable’ trial by firewall for China’s research world CNBC

...
When student debt payoff becomes complicated by identity theft LA Times

...
Trump’s Special Ops Pick Says Terror Drones Might Soon Reach the US from Africa. How Worried Should We Be? Defense One (Re Silc). I can see the gaslights flickering all the way across the Atlantic…

...
Our Famously Free Press

Google’s New News Feed Is Scary-Good at Personalization Slate

...
Next Leap for Robots: Picking Out and Boxing Your Online Order WSJ (Re Silc). Re Silc: “Zero jobs except prison guards and cops soon.”

RachelJuly 24, 2017 8:42 AM

@Clive

As for cholesterol modern science is increasinglyregarding it as kind of harmless on it's own. It's when you have certain "nano-virus" or carbs in your diet that it starts to be bad for you by getting stuck to the inside of blood vessels causing strokes, heart attacks and similar when it breaks away and blocks smaller blood vessels.
*
Thanks for the comprehensive reply. I don't agree with the conventional concepts of athereoscelerosis. counter to establishment, I've been promoting the life essential qualities of saturated fats for decades. Interestingly their long chain supports adapation to a hot climate. You will appreciate the work of Weston A Price; And this book by the head of the Weston A Price Foundation which is about 50% recipes: rare is the superior health professional without a copy in their bookshelf

Sally A Fallon , Nourishing Traditions.
and a good blog http://nourishingtraditions.com/

She is big on organ meats for amazing nutrients not found anywhere else. And states that no indigenous culture ever was strictly vegetation, and ALL of them included fermented food products

@ Dirk

RE Hard fork of Schneier creating a Schneier Classic. I was completely joking. But you are correct

JG4July 24, 2017 11:04 AM


some rabid about carbs to brighten your day. thanks for jogging my memory about nanobacteria. I hadn't thought about them in 20 years. I vaguely remember being young and healthy when they were in the news as a cause of kidney stones.

Jail Them All
https://market-ticker.org/akcs-www?post=232242
...
And now, here comes the evidence -- that not only was the advice wrong the people pushing it knew it was wrong because they tampered with the data.
http://www.pharmaceutical-journal.com/20203046.article?clearcache=1

For instance, there are 44 randomised controlled trials (RCTs) of drug or dietary interventions to lower LDL-C in the primary and secondary prevention literature, which show no benefit on mortality[8]. Most of these trials did not reduce CVD events and several reported substantial harm. Yet, these studies have not received much publicity. Furthermore, the ACCELERATE trial, a recent well-conducted double-blind randomised controlled trial, demonstrated no discernible reduction in CVD events or mortality, despite a 130% increase in high-density lipoprotein cholesterol (HDL-C) and a 37% drop in LDL-C. The result dumbfounded many experts, sparking renewed scepticism about the veracity of the cholesterol hypothesis[8].

JG4 again:

The human body is a mechanism of stunning complexity and we really don't know how it works or what the ancestral human diet was, but you can bet your last piece of fiat scrip it wasn't potato chips or white bread. The only thing that the government hasn't lied about is that walking 5 miles a day is magic for your healthspan, lifespan and cognitive abilities. Many people who do it live well into their 90's with cognitive function intact. There are plant-based diets that work well for some people. I may have posted the link to Dan Buettner's TED talk, "How to Live to Be 100" It's not difficult to find. I've been low-carb for 5 years, but before that, I tended to avoid them. I look pretty good for old and broken down.


Bob PaddockJuly 24, 2017 11:55 AM

@Rachel

"Electromagnetic radiation surrounding us from every direction... the list goes on. I'm also having second thoughts about the safety of long term use of cell phones, and started using a wired headset (BT doesn't help.)"

Yes, BlueTooth being 2.4 GHz based it does not help. Mini-microwave next to brain? No thank you.

Look up 'Air Tube Headset'. Works like a doctors stethoscope to keep signals even father from the head.

"'we are cooking in it everywhere so there is no use doing anything about it' this is a really defeatist attitude..."

Follow Microwave News that covers the subject of Cell Phones, WiFi, etc. health research and has been for over a decade.

"Because i) the signal strength drops off fairly quickly proportionate to distance"

Some extremely obscure research indicates the biological effects are the square of the distance, not the normal 1/(r*r) measured with our current common equipment.

World Health Organization has a few things on EM health effects.

Then we have the anti-SmartMeter crowed that could not pass a double blind test comparing an actual SmartMeter to a sham Alarm Clock in a SmartMeter case in many cases. The teenage girl that texted her mother on her cell phone on how the SmartMeter gave her a migraine before her suicide is a sad state of affairs. I don't believe you can have it both ways can you, no problems from cell phone close to body yet SmartMeter on outside of house leads to your dead? Sadly the anti-SmartMeter agenda is promulgated by people selling things for "protection from SmartMeter Radiation" or trying to make a name for themselves without understanding the sciences.

In any case there is nothing at all wrong with prudent avoidance. Such as don't sleep next to your WiFi or SmartMeter or even old fashion fuse box, don't hold transmitters next to your head etc.

Bob PaddockJuly 24, 2017 3:32 PM


thanks for your comments Bob. I have come across that equation before so, not too obscure but thanks, will make a note. Microwave News is a good source, thanks for making it accessible here.

Yes, airphones, quality can vary - one gets what one pays for. we trialled a range that continued to fall apart fairly quickly.
A colleague demonstrated they don't shield the brain from wi fi quite as effectively as one may think however. I don't really trust them.

I am reading generalising and a confusion of correlation and causation in your post.

So if the anti smart metre crowd are selling things and making a name for themselves without understanding things, what are the pro smart metre 'crowd' who apparently do understand the science, by your reasoning, selling? See Clives many previous posts on the subject.

the argument usually made is that smart metres are such a low power burst it can't be harmful. Noting your equation above may offer insight into why this isn't the case. Or one offical documentary I came across that said, because the sun is so much more powerful a source of electromagnetic radiation, and apparently not harmful - wi-fi couldn't possibly be. Wow, coming ahead in leaps and bounds.
Science also makes a good habit of ignoring anecodtal evidence - yep that stuff provided by human beings. Anecdotal evidence, if you have the stomach for it, has tens of thousands of reports of people suffering mediume to severe adverse reactions from proximity to smart metres. Symptoms that immediately resolve upon distance from said metre. Most of the time they didn't even know what a smart metre was or that one was in their property.
The pulsed nature of the microwave is what makes it so toxic on a cellular level. According to my colleague the are over 10,000 published papers on the dangers of pulsed microwaves which includes, yes, smart metres.

Aluminium foil is a poor shielding material for pulsed microwaves as it decomposes fairly rapidly. Figureitout may have some things to say about shielding at least in the RF spectrum perhaps.
Something you may be interested in is the science behind the use of 'chicken wire' fencing to create a shield for smart metres. Plenty of youtubes illustrating how to do it. Something to do with the size of the hole in the wire that blocks the signal, fascinating. Clive will have experience with this perhaps.
There are also paints available for creating wi-fi shielding indoors. Quality varies. Some are very effective others not very much at all.
They can be expensive.

Many major public and private institutions not to mention countless schools, have banned wi-fi, the most significant in my memory being Bibliothèques Paris

Medical Records Security: Amazon vs MicrosoftJuly 24, 2017 7:26 PM

Windows 10 and HIPAA Compliance

“So, the Mods have moved this from the Question forum to the Discussion forum.  I don't want to "discuss" this, I want an answer from a Microsoft official as to whether or not Windows 10 can be made HIPAA compliant.” ... no answer ... LOL!
https://answers.microsoft.com/en-us/windows/forum/windows_10-security/windows-10-and-hipaa-compliance/037e3f2e-8262-42eb-8909-05832e856645?tab=question&status=AllReplies&status=AllReplies%2CAllReplies%2CAllReplies%2CAllReplies#tabs

Amazon
HIPAA requires that business associates extend security and privacy requirements to its subcontractors. Does AWS use subcontractors, and if so, how does AWS ensure that subcontractors protect PHI?

Answer: AWS DOES NOT HAVE SUBCONTRACTORS with access to PHI.


If I process, store, or transmit PHI on AWS, but do not have a BAA in place, is AWS obligated to inform me of a security breach?

Answer: AWS DOES NOT HAVE ACCESS TO YOUR(!) DATA. As a result, AWS has no method of determining when PHI is processed, stored, or transmitted with the services used by any specific account.
https://aws.amazon.com/blogs/security/frequently-asked-questions-about-hipaa-compliance-in-the-aws-cloud-part-two/

WaelJuly 24, 2017 11:30 PM

@r,

Re: When the going gets tough.

Although Kite has no business model yet, it's widely thought in Silicon Valley that having users is the first step toward profitability

That's correct. Doesn't matter how dumb the idea is, doesn't matter if it violates privacy and undermines security, doesn't matter if it injects unneeded and unwanted links in code behind the developer's back. All that counts is money. And the more "users" you can show, the higher value the company is. What's a better place to embed bloatware other than the tool chain?

Wesley ParishJuly 25, 2017 1:24 AM

@Rachel

It's a long, long story ... apparently a CIA agent in the CONUS gets thrown to the wolves in some big national park, and the rangers get all het-up because the wolf pack die of cholesterol poisoning, as a result of the unexpected overdose of cholesterol in the form of said CIA agent ... then another CIA agent somewhere in the East, perhaps Karachi, gets thrown under a bus, which promptly dies as well. Upon expert examination it is proved to have died from cholesterol poisoning, as overweight CIA agents are not normally part of a self-respecting bus's diet.

Plans are apparently underway somewhere on Earth to present a secret petition to the CIA on behalf of innocent wolves and buses world-wide, so that wolves and buses don't suffer mass extinction events ...

Sweden? So that's where @ianf's got to? In search of his long-lost love Pippi Longstocking? Will wonders never cease? At least there he won't be covered in breadcrumbs and dog-biscuits and thrown to a pack of starving toothless geriatric King Charles Spaniels to be gummed to a gruesome death .... And all because his agency can't afford genuine wolves ... it's a tragedy, a real tragedy, I tell you!!!

(Does Poghril ring a bell? Zaphod Beeblebrox avoided visiting there in the Heart of Gold .... )

RachelJuly 25, 2017 6:40 AM

At Wesley Parish

...perhaps Karachi, gets thrown under a bus...

ghee wiz, soldier?


this is a piece of work, Captain. Priceless! I am wondering what happens when you and Wael occupy mutual cybernetic enhancements in some kind of twisted siamese twin fantasy, a la Ghost In The Shell plus Minority Report.
You could be the conjoined stand up act. In three languages.
'The Almight Sufferin' Cholesterol Twins, Daggnammit! Act'

And what, you thought the entity formerly known as entity, was a spook-troll? Could be. DOS status was high. Which commences a whole other round of stories for you

CallMeLateForSupperJuly 25, 2017 8:16 AM

@Dirk Praet
"What exactly is not clear about "abridging the freedom of speech" ?"

Just like the many other rights, the right to speak one's mind is not absolute. For example, an American who advocates the overthrow of the U.S. government can be prosecuted.

JG4July 25, 2017 9:23 AM


nothing compelling in the NC compendium today, but here are a few that flickered on the screen from other sources.

I coined the term, "projected intent" around 2009. can't recall the first time that I used it in this forum. This should make the hair on the back of your neck stand up. I think that my quote n weeks ago said something like "the infrastructure is all wrong for an environment where a quadrotor can put a [ninja] on the roof of a 10-story building in seconds." Just substitute thermite grenade for ninja and you've got a 5-alarm problem.

http://globalguerrillas.typepad.com/globalguerrillas/2017/07/robotic-systems-disruption-in-practice.html

a snarky quote for your entertainment

https://medium.com/@crwalker/peak-saas-86ac49cf5f5d
...
Somewhere in the unread Terms & Conditions of a SaaS product there generally lies a clause like this:
In exchange for your momentary and fleeting access to the Service, you agree to give us all of your data. We'll keep it forever and might sell it to anyone. How would you know, anyway? We promise to keep it secure. Trust us. You have no choice.

http://globalguerrillas.typepad.com/globalguerrillas/2017/07/welcome-to-our-global-censorship-and-surveillance-platform.html

Say cheese! New Singapore air terminal automates departures with face recognition
http://www.reuters.com/article/us-singapore-changi-airport-idUSKBN1AA185

I saw that someone dug into the NC compendium a couple of days ago and read the one about Trump accelerating the decline of US hegemony. The part about how the global empire is managed made the hair on the back of my neck stand up. The idea that 300 million people are going to generate wealth and ideas fast enough to stay ahead of 2 billions or 3 billions is ludicrous, especially when the sickcare-financial crime cartel is robbing the small businesses and people blind.

https://www.nytimes.com/2017/03/22/technology/china-defense-start-ups.html

read Renato MarinhoJuly 26, 2017 3:29 AM

https://isc.sans.edu/forums/diary/Uber+drivers+new+threat+the+passenger/22626/ :

Uber allows a customer to contact the driver without revealing his phone number
by placing his call through a masking number that is unique to your trip.

A rogue customer pretexted to work for Uber and said:

“Please, I have to confirm your identity. Give me your e-mail address and phone
number. Next, I’ll send you an SMS message and you’ll tell me the content.”.

As expected, the Uber driver received the 2FA message and passed on the content.

JG4July 26, 2017 8:56 AM


"A mind is a terrible thing to lose, or never to have had at all."

The perfect presidential security, because even the Russians didn't have balls big enough to put Dan in the driver's seat. They were forced to expend all necessary resources to keep George alive.

There were a few other interesting articles in the compendium.

http://www.nakedcapitalism.com/2017/07/links-7262017.html
...
Big Brother Is Watching You Watch

Newly declassified memos detail extent of improper Obama-era NSA spying The Hill (UserFriendly).

Roombas have been mapping your homes for years, and that data’s about to be sold to the highest bidder BGR


Clive RobinsonJuly 26, 2017 9:38 PM

@ Bruce and the usual suspects,

You might find this blog post on walking through a remote execution attack against Broadcom WiFi chips used in Android and Apple devices of interest,

https://blog.exodusintel.com/2017/07/26/broadpwn/

The point being, if you only secure part of your system to a high level, those parts at a lower level of security provide an attacker with a bridge head to attack the more secure parts...

WaelJuly 26, 2017 10:04 PM

@Clive Robinson,

You might find this blog post on walking through a remote execution attack against Broadcom WiFi chips used in Android and Apple devices of interest,

Well written article. Educational as well, thanks for sharing! I suspect I'll revisit it in the near future.

if you only secure part of your system to a high level...

Something like: the weakest link...

Good heavens, man! What are you doing up at this early hour of the morning? It's pushing 4:00AM! Mistress insomnia in town?

MathetesJuly 26, 2017 10:25 PM

Interesting crackdown by Russia and China this week

https://www.bleepingcomputer.com/news/government/russia-passes-bill-banning-proxies-tor-and-vpns/

https://www.bleepingcomputer.com/news/government/china-forces-muslim-minority-to-install-spyware-on-their-phones/

Not forgetting the previous news from China banning vpns by February 2018
some say only mobile services, with uncertainty about foreigners

https://www.theguardian.com/world/2017/jul/11/china-moves-to-block-internet-vpns-from-2018

Bloomberg and others have this also.

Clive RobinsonJuly 26, 2017 10:51 PM

@ Wael,

Good heavens, man! What are you doing up at this early hour of the morning? It's pushing 4:00AM! Mistress insomnia in town?

And now it's nearly 5AM...and I'm that little bit older but still not rested.

The problem, was not getting much sleep last night, thus being unable to stay awake in the afternoon and taking a short nap... So now even though I want to sleep, I find my mind wizzing around like a whirling dervish simultaneously giving me the equivalent of a "ten double espresso headache" and driving sleep.away :-(

This lack of sleep would not have caused problems as little as ten years ago, I would have "Manned it out" and just slept well over night. Now however age has wimpified me for the worse...

WaelJuly 26, 2017 11:19 PM

@Clive Robinson,

So now even though I want to sleep

You and me both. Eat a head of romaine lettuce ;)

Now however age has wimpified me for the worse...

Age is just a number like I told name.withheld.for.obvious.reasons eons ago. But the older you get, the less sleep you get, which accelerates the aging process, especially the brain cells that regenerate during sleep. Positive feedback cycle!

Clive RobinsonJuly 27, 2017 3:51 AM

@ Wael,

Eat a head of romaine lettuce ;)

It's now getting on for late morning --10AM-- and I've still not slept :-( Getting a head of romaine lettuce would only now be possible (shops can be like that in some hamlets). However I realy do not want the soporiphic effects to kick in and go to sleep during the day in what is vacation time in this part of the world...

WaelJuly 27, 2017 5:29 AM

@r,

You guys have a funny definition of positive.

Funny definition, or funny usage? Go count sheep (I'm still counting, in primes) 3,5,7,...

Besides, would you prefer the expression: negative feed forward?

11,13,...

JG4July 27, 2017 7:07 AM


@most everyone - Thanks for the great ideas and discourse.

@Clive - hope that you are feeling better. If I had been clever, I would have asked yesterday how much magnetic shielding is required to block sidechannels. I know that the short answer is "it depends..." The reason that I suggested silicon steel is that it is dirt cheap by comparison to mu metal and widely used in one of the most important types of magnetic circuits on your planet. For a portable application like a smart card where size and weight are important, mu metal might be preferred. For a fixed installation, the less expensive material is preferred. In fact, hot rolled steel is even cheaper than silicon steel and hysteresis losses are an advantage. Cast iron might even been a good choice, although the inclusions increase the resistance. Would you please illuminate the distinction between serf and peasant? I particularly like the exchange about serfs and tenants, which reminds of the crofters and other important post-medieval history in Scotland, Ireland, Wales and elsewhere. You may have noted my use of the term peasant some days ago. I think that I prefer serf, although both convey some truth about the circumstances of the common man.

Lee was the evil genius who picked Dan. Lee died of a brain tumour, almost certainly because he was a heavy cell phone user in the 1980's.

http://www.nakedcapitalism.com/2017/07/links-72717.html
...
EU Commission sets deadline for Facebook, Twitter, Google unfair terms and conditions New Europe (Micael)

...[fascinating - parallels to microprocessors running tainted code]
Did antidepressants help make this man a mass-murderer? BBC

...
Rogers and Todorov: New UK law creates liability for gross human rights abuses FCPA Blog

...
Big Brother is Watching You Watch

Feds Crack Trump Protesters’ Phones to Charge Them With Felony Rioting Daily Beast (Chuck L)

Every Swedish car owners’ details may have leaked in explosive IT failure ZDNet (Chuck L)

Sweden leaks details of almost all of its citizens in move that could bring down government Independent (Brian C)

These cheap phones come at a price — your privacy CNET (Chuck L)

...["do you have probable cause to believe that a crime has been committed?]
Teen allegedly harassed by police for mowing lawns in affluent neighborhood Fox23 (resilc)

Kill Me Now

Clinton book to double down on Russia, Comey message The Hill. Let us not forget that her last book was mainly pulped…but we’ll be unable to avoid encountering headlines of reviews.

...[still have not had time to dig into the Phreesia scam. I've been practicing "I do not consent to the use of electronic forms"]
Amazon has a secret health care team called 1492 focused on medical records, virtual doc visits CNBC

Clive,RobinsonJuly 27, 2017 9:34 PM

An OS for Smart Contracts

As most readers will probably know by now, the software for Ethereum Smart Contracts has caused the loss of tens of millions of dollars, due to fairly simple programing and design errors.

The Ethereum losses also showed that there are significant block chain issues, which generally do not exist in other value trading systems. Part of the problems with Ethereum was that something that was not even "beta test" ready went Prime Time without any checks or balances in place.

But sitting behind this is the issue of "Complexity", whilst conceptualy simple from a 30,000ft view, Smart Contracts are anything but simple in reality especially if they are ever going to work securely.

Think of it with the real world analogy of a safe or strong room. The 30,000ft view is "A box with a door and lock, to store things reasonably securely". The reality however is very complex systems that have more than half a millennium of development in them, and they are still not secure in any meaningful time frame, hence all the CCTV, alarms and guards that go with them.

Smart Contracts are supposed to work in what is a distributed hostile environment which does not need thus have any further security.

All the Ethereum fixes proposed involve heaping on more lines of code with rapidly increasing complexity... Which we know is probably the main fault with Ethereum.

So rather than looking to simplify the design such that it's properties can be evaliated not just effectively but securely. Someone instead has the idea of throwing on lots more complexity woth an Operating System for Smart Contracts,

https://blog.zeppelin.solutions/introducing-zeppelinos-the-operating-system-for-smart-contract-applications-82b042514aa8

Something tells me that this is not an idea that is even remotely close ti being "Ready for Prime Time". Unless of course you want to see many more millions of lost value for the entertainment value...

The "Elephant in the room" is that "Blockchains are cool/hot" at the moment. So there is the fizz and excitement of a new technology, and everybody is rushing to "add it's goodness" to their ideas. The problem is that fizz is a strong indicator of a hyped up "bubble market" and history tells us what usually happens...

My advice is by all means play with the technology and have fun, BUT as with all gambling, don't put in anything you don't want to lose.

Clive RobinsonJuly 27, 2017 10:29 PM

Making technical debt fun...

Most of us have heard of technical debt, and likewise the "Here be Dragons" and similar warnings. Some have experienced it and will show you their scars...

So you might think "uh oh no, I'm not going there" that is not going to be fun... But guess what, you do like a moth to a flame.

The question is why how did it happen, why do you now have scars?

The answer is because it's the path of least resistance and that is always seductive just like the "Sirens Song". And that's a problem because unless you are lucky you don't get to start realizing why untill your third or fourth spin in the "Hamsterwheel of Pain" that Technical Debt is.

There are many books on all sorts of disasters and how to survive them. In each one the first step is "realizing you are in trouble". They then generaly get dull and no fun to read (generaly because the author has to "fill a book").

So time for the short fun version, which will hopefully help keep you feet dry,

https://hackernoon.com/stop-building-car-boats-tech-debt-101-bc0b08312fa

WaelJuly 27, 2017 11:01 PM

@Clive Robinson,

So time for the short fun version, which will hopefully help keep you feet dry,

Fun read! Been a long time since I've seen the 12-picture graphic and it's variants. So true :)

JG4July 28, 2017 6:24 AM

I was slow to connect the dots from the first amendment to clear thinking as a society. It wouldn't be wrong to say "clear group thinking," or "collective cognitive abilities." It takes a robust debate to get the nuances of policy implications on the record. It's not enough that people have individual cognitive excellence, it is a necessity that they exhibit collective cognitive excellence. If there is any hope of succeeding as a company, village, town, city, state, country or planet. One way is to transmit the cognitive excellence, as Clive does reliably. The issue there is the limited number of willing recipients. Bernays, Rove, Goebbels, Atwater and the other practitioners of brainwashing are very dangerous, because they find and exploit cogntive weaknesses in people and societies, ultimately causing entire countries to act against interest by transmitting through mass media. Precisely what malware does to your modem/router/computing engine/refrigerator/etc. And that crazy virus does to caterpillars. You could hope that the media would help with collective cognitive ability but "that would require an act of journalism."

http://www.nakedcapitalism.com/2017/07/links-72817.html
...
Big Brother is Watching You Watch

New Google algorithm restricts access to left-wing, progressive web sites WSWS (Micael, Glenn F). NC traffic not affected, not because we are not on some sort of Google “deplorables” or “Bernie Bro” list, but because pretty much the only traffic we get from Google is people Googling “Naked Capitalism”.

North Korea Makes Hacking Into a Profit Center New York Times. Bill B: “Oddly, so does the American defense industry. To the tune of $70 billion a year: https://fas.org/irp/budget/.”

Imperial Collapse Watch

William Hartung, The Trillion-Dollar National Security Budget TomDispatch (Bill B)

ab praeceptisJuly 28, 2017 7:18 AM

Clive Robinson

"chromebook" - you are not serious but joking, right?

His first argument is tpm. His second argument is "the google people (whom he obviously considers as godlike) use it, too!". Possibly there were more "arguments" but I stopped reading.

Plus, of course: Why anyway? Isn't there a firefox "secure OS" plugin yet?

JG4July 28, 2017 7:49 AM


a few gems from yesterday

http://www.nakedcapitalism.com/2017/07/200pm-water-cooler-7262017-2.html
...
And speaking of IoT “driving” “seamless real-time network integration across the ecosystem players”:
TAKING DOWN A CHEMICAL FACTORY'S NETWORK [with a coffee machine]
https://twitter.com/intent/retweet?tweet_id=889579536177909760
...
The Bezzle: “The Drone Company That Fell to Earth” [Wired]. “The story of Lily [Drones] is about two ambitious college students with smarts and personality who wanted to change the world—or at least photography. But they didn’t have the right tools, and didn’t listen to those who did.”
https://www.wired.com/story/the-drone-company-that-fell-to-earth/
...
News of the Wired
“Doing Mathematics Differently” [Inference Review]. I can’t even see the author’s dust on this, but some NC readers may discuss and enjoy!
http://inference-review.com/article/doing-mathematics-differently

personal security in the news

http://www.zerohedge.com/news/2017-07-27/top-5-ways-%E2%80%9Cback-up%E2%80%9D-your-freedom

stumbled into this thanks to Clive's link to the car-boat

How to Launder $4 Billion worth of bitcoin
https://medium.com/@ben_longstaff/how-to-launder-4-billion-worth-of-bitcoin-156f1a401f3a

this is a disaster in the making, with 80 million boomers headed into the meat grinder. be sure to take a private duty nurse. did I link the brilliant article about how checklists evolved in aviation and recently were applied to medicine? death is the sculptor of life in the Darwinist frame

http://www.nakedcapitalism.com/2017/07/how-electronic-health-records.html

OODA

http://www.zerohedge.com/news/2017-07-27/amazon-hosts-robotics-competition-figure-out-how-replace-230000-warehouse-workers

what's the quickest way to learn Mandarin? when India throws off the shackles of the caste system, they've got a chance of surpassing China

http://www.zerohedge.com/news/2017-07-27/historical-turning-point-has-arrived
...
Strategic Culture Foundation headlined «The End of the ‘New American Century’ Pronounced by the Pentagon», and reported that, «The days of US-led dubious «coalitions of the willing» taking unilateral military action are over». He summarized an extremely important new study, which had been commissioned by the Obama Administration but was issued only recently (last month), titled «AT OUR OWN PERIL: DOD RISK ASSESSMENT IN A POST-PRIMACY WORLD», which calls for the US government to abandon unilateralism altogether, and to employ military power only in conjunction and cooperation — as equals — with a small circle of four historically long-term international allies

I haven't flogged entropy maximization nearly as much as it deserves, and it is a short step from there to energy security. there simply is not enough cobalt or platinum on your planet to make a difference, but I thought that iron nanophosphate cathodes avoided the cobalt issue altogether. btw, wasn't it cobalt in the Congo that led the US to underwrite a series of genocides in the 1980s? it is critical to the superalloys in jet engines. all that is required to outfit the planet with a fleet of electric vehicles is to divert all of the phosphate production from food to transportation. let them eat yellowcake

http://www.nakedcapitalism.com/2017/07/cobalt-production-as-the-hidden-choke-point-on-mass-conversion-to-electric-vehicles.html

JG4July 28, 2017 8:20 AM


file under "fly-by-night IT support." it's a good thing that nothing important is ever discussed in Congress. can't recall seeing a mention of this particular story in the forums. disclaimer, zerohedge are noted purveyors of doom-porn. I like the part where they are ever quick to call bullshit on any emanations from the fever swamp or the money power, which are joined at the hip

http://www.zerohedge.com/news/2017-07-28/why-hasn%E2%80%99t-trump-said-more-about-awan-brothers

RachelJuly 28, 2017 9:57 AM

Hallo everyone,
I am guessing many of you take this blog and the shared wisdom for granted. I do not. I am most grateful for the erudite, diverse and disciplined discussion. I wish to thank everyone contributing in a useful fashion, here, for your quality of expression and contribution and largely selfless spirit.
I am further impressed this morning to wake up and discover a series of posts about the so called smart gun, without a single digression into the emotions that appear to always accompany that particular topic. I wish to add, for those of us non-US folks not living in the US, we find the topic of guns a bit strange. Just that, it's simply not part of our reality. It's not in our perception.
I know it's incorrect to speak on behalf all of us. But, just like US folks take the reality of 'citizens got guns baby' for granted - those outside of the US barely have it in their vocabulary, unless their chosen career includes weapons handling. To be fair that no doubt includes many non-US readers of this blog.

The other thing that occurred to me reading the Smart Gun posts. Is that, we need to look at what's ahead. That state of things is that something akin to smart guns could simply be a cold fact, to quote Rodriguez, for all police in years to come.

I felt it was more appropriate to Squid this response.
I have posted this not so long ago but are sharing again in the context of the smart gun and it relates to many of the arguments

Jim Jeffries , sweary Australian stand up comic, why his famous take on
gun-control and how insane guns are. It's very funny, and very smart. It is essential viewing for anyone that has an opinion on guns for or against.

https://www.youtube.com/watch?v=0rR9IaXH1M0

This one goes out especially to Dan H, (bisous) whom I continue to wish receives the love, comfort and healing he sorely needs.
Others will appreciate it also.
It, again, is Jim Jeffries 'taking the piss' out of US-Americans feelings about their 'freedom'

https://www.youtube.com/watch?v=bjeq3NYUw2M

Clive RobinsonJuly 28, 2017 10:20 AM

@ ab praeceptis,

"chromebook" - you are not serious but joking, right?

Whilst I agree it's not very strong security, it is better than many other options at that price point (sub 200USD). Whilst importantly remaining usable by devs.

As we have talked about on this blog for some years now, security only gets tolerated by certain user types if it neither gets in the way nor slows them down.

Whilst I would much prefer devs used stronger security to protect their IP, it's not going to happen with "start ups" who have "Coffee Shop Offices". That as they say "is an unfortunate fact of life" with them.

Likewise if you are crossing a border you want to be "clean" but not "squeaky clean" and you want the capital cost to be as low as reasonably possible as there's a beter than fsir old chance you will be ditching it on return.

The problem with higher grade security is it's a red flag to those who decide to examin any kit you have with you. The level of any security is in two parts, one of which is the time delay element. In physical security this is usually the real aim of security especially with high value assets. You delay the perps untill appropriate strength guard labour appears and removes them. Thus whilst security be obscurity is frowned upon in information security it does have it's uses. The result of the setup is a semi-secure system that whilst convoluted to most is quite usable by a dev. Thus there is a degree of deniability in the setup, which you would not get with a more secure setup. As the device is clean to start with, even if the imigration man might be suspicious there is nothing fpr them to find. If the user suspects that the kit has been "got at" it's cheap enough to leave on the table and walk away from it.

It's about the best security you are going to get at even four times the price using more or less standard parts. But importantly it's security is at a point where a dev will accept it, thud use it and not try to fight it.

To be honest I am unlikely to use it, except for familiarity because I don't "coffee shop" commute or "cross borders with tech on me", because I'm way more tolerant of higher levels of security, which you don't take country hopping or mobile as it's bad SOP.

Clive RobinsonJuly 28, 2017 10:47 AM

@ JG4,

... there simply is not enough cobalt or platinum on your planet to make a difference, but I thought that iron nanophosphate cathodes avoided the cobalt issue altogether.

Nor a whole host of other metals more conductive than iron. It's a point I've been making since the mid 90's to various "Green Energy" people. The only way around the solar and wind peaks and troughs issue currently is by energy storage and it's something we realy realy suck at. The other is due to non locality of generation and IR losses at or above a quater of the power generated.

It's great to be able to generate 30MWhours in an off shore wind farm but if you don't use it you lose it without storage. The loss due to transmission and storage is up around 50%, and with only 25% of the day generation suddenly that 30MWhours is not looking so good. Worse with the variation you are probably only good for a couple of MWhours over the entire day...

It's why we need to look at what are mechanical gravemetric storage systems for fast generation of power and weird sound things like molten salt thermal storage where we have sufficient of the raw resources to make them viable.

ab praeceptisJuly 28, 2017 11:20 AM

Clive Robinson

OK, I get your point and seen from that perspective you are probably right.

I'm probably way too hardcore and paranoid and hence lightyears away from normal people. I notice increasingly often that I wouldn't even consider for a second what many out there accept as "secure".

And, bad news: I'm bloody right.

Just today I stumbled over a security check of the BSDs. Granted, it was but a hardly disguised hit piece by a linux fan who tried the old "them, too!!" trick with linux being utterly obviously carp to the cube.
But still, problems are problems and shouldn't be ignored. A couple of 100 problematic spots in OpenBSD should make one think hard.

But the real shock (in my minds eye) was that they still - and mercilessly stubbornly, it seems - cling to the assumption that C is the right way to go but that must be applied to achieve safe code.

That's just incredible in my view. No matter how hard the lousy outcome of their belief system hits them on the head, no matter how bloody obvious the hints - they stick to their C religion.

I was just looking at that slaughter-fest and shook my head in disbelief. The vast majority of problems were *of course* potentially stale pointers, off by one indexing and plenty of sheer "nobody would use an unreasonable value here" idiocy.

Even using just freepascal somewhat responsibly would kill bugs by the hundreds and increase OS security by a 2 digit factor.

Now imagine me reading your chromebook hint shortly after what I just described. Of course that sounded to me like "How to easily trim your beard with a chainsaw".

Have a nice weekend and don't you dare not to be well! ;)

Gerard van VoorenJuly 28, 2017 12:48 PM

@ ab praeceptis,

Even using just freepascal somewhat responsibly would kill bugs by the hundreds and increase OS security by a 2 digit factor.

I think you are a bit harsh to the OpenBSD developers. It's a small team and I have to say they are a creative bunch of people and when they implement a new feature they implement it system wide. The Linux world can learn (but won't) a lot from these guys.

But talking hypothetically. Clive Robinson said a couple of times a story that sounds a bit like this: A couple wants to go on a journey. They ask a local farmer the direction. This guy says that he can give the direction but that he wouldn't start the journey from here.

And that is the thing. If you want to fix C, don't start with C. If you want to fix C++, don't start with C++. And if you want to fix OpenBSD, don't start with OpenBSD. It will only bring you frustration. Better start with an environment that has been well thought out from day one, and implement the features you want to have in the language in which the OS was written.

My 2 cents.

ab praeceptisJuly 28, 2017 1:16 PM

Gerard van Vooren

Largely no. But first: I did *not* attack OpenBSD; I mentioned it like "Even OpenBSD, whose developers are amongst the best C developers one can find" (the other BSDs are much worse).

"Largely no" i.a. for two major reasons:

- One *can* (nowadays) mix languages. One can both call into C ode as well as from C code. So one *can* replace critical parts piece by piece. I'm regularly doing that both from and to Ada and other languages.

- About 300 troublespots (discovered so far in a single test!) in OpenBSD carries a very clear message, namely "Even the OpenBSD people are incapable of creating safe, trustworthy software using C - and they are among the best und most experienced".

I know that Ada is frightening many and/or considered inacceptable (because it isn't about "cool hacking" but about properly engineering). That's why I talked about freepascal as an alternative; it's well know by many and not more difficult than C. There are, of course, other alternatives, too.

Btw, I notice again and again that really attractive languages more or less drown while "cool" idiots languages bloom. E and occam-pi are but 2 examples. Even cylcone is an example (although handicapped).

I'm afraid it's like in a restaurant. You get what you order - and we seem to have ordered idiotic "cool" "hackish" choices; we celebrate languages that have proven over decades that they are inadequate and all but a crap guarantee and we ignored the accumulated wisdom of Dijkstra, Wirth, Ichbiah, P.B. Hansen et al.

Gerard van VoorenJuly 28, 2017 1:53 PM

@ ab praeceptis,

Well, it sounded a bit harsh to me. Let's not make a fuss.

I said I talked hypothetical. The real world is a complicated mess. The three biggest problems are being compatible with POSIX. If you are then okay, congratulations, everything works. But POSIX compatibility is also a big mess. Then there is networking. Everything has said about that by now. And third is the browser...

But if you really think about it (and you have) then there is another bothering thing as well and that is abstraction. UNIX solved the file and filesystem very well, with the right abstractions but then networking and the graphics on the screen got added and the guys who added that didn't fully understand UNIX. This was known already in the early eighties and with that knowledge the designers of UNIX designed Plan9. That is an OS with proper abstractions, compared with UNIX, of which OpenBSD is a modern version. What I am saying is that you can probably make OpenBSD memory safe but memory safety isn't everything, it's also about having logical and easy to understand and manipulate access control. It's also about secure by default networking, and you name it.

Clive RobinsonJuly 28, 2017 8:30 PM

@ ab praeceptis,

"How to easily trim your beard with a chainsaw".

Trim my beard that's sacrilege ;-)

Though there are people that slice their noses off whilst eating barbecue (see Argentinian Gaucho) because it's the macho style.

And that is realy the same problem with C coders. They will declare the use of any other language wrong / not traditional / sacrilege, --even though the language designers now admit parts are wrong-- and in the process "Cut off their noses to spite their faces".

One argument you will hear for using C over any other language is the "Closer to the metal" and "structures". However I would argue that removing most of Cs hidden pointer arithmetic and making the programmer take responsability would produce better code. Most assembler level programers actualy handle pointer more effectively because they get to see what they are doing, and thus don't go mad with pointers and structures the way some C programmers do.

But the sad fact is most C programmers do not range check or do other types of error checking. Which other languages either prevent arising or the language compiler specifically adds checking for out of sight of the programmer.

My view on C is that it's a half way house, trying to fill the chasm between assembler and a high level language. And in the process fails to adequately do either job, and in general makes everything worse. Usually because it fails to abstract things sufficiently.

This has happened because programmers have changed. Back in the mists of time, the only language system programmers used was native assembler, thus C fixed part of that problem and it's failings did not matter because assembler level programers were used to things like pointers and the arithmetic involved. These days programmers get taught a high level language as their first language because it abstracts away all those early learning stumbling blocks and need to know many architecture details explicitly. And by so doing a trainee programmer does not learn important lessons they realy should know before dropping down into C which creates all sorts of problems down the track. The managment mantra of "they will pick it up as they go along" or more explicitly "they will learn from their mistkes" has a very significant down side which is it builds up quite serious technical debt. The reason is the programmers don't learn to do things correctly, they learn to avoid the compiler warnings by finding ever more twisted methods to silence the compiler. Thus those twisted methods carry an unsupportable level of technical debt that there is no way managment will pay to sort out, so yet more twits get put in.

What is even worse is that those failings of the C language, mean it can not actually produce system level code. So the compiler becomes part of the programming language via "secret incantations" which produce their own twisted knarly technical debt of their own via the same "on the job avoidance learning".

But hidden away is something far more insidious. Because of "specmanship" the designers of the CPUs have made them "C friendly" in the micro-code. Thus there are myriads of instructions that are there just as "go-faster stripes" for C. This gave us the bloat of CISC CPUs and in the process put a serious choke on performance. Which as you can probably guess gave way to it's own twisted ways that have even more technical debt, this time where it realy hurts.

Thus although I do use C I'm not a fan, as for C++ ... Do I look like I need a straitjacket?

Clive RobinsonJuly 28, 2017 10:00 PM

@ Gerard van Vooren,

What I am saying is that you can probably make OpenBSD memory safe but memory safety isn't everything, it's also about having logical and easy to understand and manipulate access control. It's also about secure by default networking, and you name it.

In essence the issue you are describing is "backwards compatability" caused by unstructured "organic" growth which is possibly the worst type of technical debt.

Plan 9 was a sensible move to ditch most of the backwards compatability and organic growth of Unix. They had learned much of what was bad in the add ons to Unix and removed them, whilst adding new core features in a structured and logical way.

Unfortunately the market did not want Unix fixed due to the technical debt that would have to be payed back in porting existing code from Unix to Plan 9.

Thus we have "The Linux Way" which is to bolt on new stuff whilst not killing off that technical debt, just patching over the increasing cracks. It's kind of what Victorian steam engine artisans did, they kept bolting on bits and eventually they were wasting so much efficiency they had to make bigger boilers, that just kept blowing up in their faces... It actually took an Act of Parliament to stop the downward spiral, and in the process artisan craftsmen got pensioned off and both science and engineering were born as professions to replace the artisanal aproach with facts, tests, mathmatics and logic replacing the guesswork and "bodge it and bash it into submission" mentality.

As I am known to say on the odd occasion, it's well past time where actual computer science and engineering replaced the current artisanal approch of the majority of code cutters. But to be honest I suspect all of us will be long dead by the time that happens, if it ever does.

The reason is there is way to many vested corporate interests in not cleaning up the software industry. Some have realised that forcing technical debt on people is almost as good as a walled garden for tying customers in. Thus once captive exploit the customers dependence to vastly inflate their profit.

What is worse is we know they are doing it. We had a prime example of what happens with even simple technical debt when Y2K came along. Those that had over the preceding years had taken the time to weed out two digit years from their code saw little or no impact from Y2K other than verifying previous tests for their nervous customers and end users. Those who had not and were still dependent on 1960's two digit code at the core got mauled financialy and effectively had to stop normal business to clean their Augean stables (but unlike Hercules they had more than a day to do it).

The thing is we know there are other epoch rollovers heading our way, such as the 32bit signed int Unix rollover in 2038[1], will we fare any better?

[1] A lot of people don't get why dates that are in effect allways positive need to use signed ints not unsigned. The reason is you have to do comparisons with dates and the way most compares work is by simple subtraction in the CPU hardware. Thus -n is less than (sign bit set), zero is a match (zero flag set) and +n is greater than (both sign and zero bits clear). As the sign bit in two's complement arithmetic is the most significant bit you end up with 2^31 bits of positive numbers which if using seconds as the basic number gives you a little over 68 years from the Unix epoch of 1970. Back then the largest register size in the more common computers was 32 bits. IBM and others had different register sizes such as 36bits which gave full 3bit octal numbers as well as full 4bit hexadecimal numbers or nibbles (so called because "half a bite is a nibble" which says a lot about early CompSci's sense of humour). Of historical interest the original Intel 8086 machine code was based on Octal as can be seen from looking at the bit codings of the instruction set,

http://www.dabo.de/ccc99/www.camp.ccc.de/radio/help.txt

ab praeceptisJuly 29, 2017 12:13 PM

Clive Robinson, Gerard van Vooren, Thoth

Wouldn't we be well served by dismantling some of the glorified hero fairy tales?

My view: (like so often in a certain region) the C creators had a great idea which, however, was lousily implemented. In part due to a mindset infected by a strange disease that could be described as "results! results! It's all about results and getting them quickly" plus an unhealthy dose of ignorance, disrespect, and simple lack of understanding.

The great idea was the "meta-assembler" - one should keep the context in mind. The context then was that a new hw architecture (incl. a new processor) came hand in hand with a new assembler (of course) and often a new somewhat-higher language. Which translates to recreating major parts of the wheel after each turn and, of course, an immense waste of resources. K&R's "Let's have some kind of meta assembler" (or, depending on whom you ask, a common somewhat-higher language) was indeed great and very, very useful. K&R certainly deserve acknowledgement and honour for that.

However, both were relatively young and unexperienced and, to make it worse, befallen by the a.m. strange disease and so they didn't think it through *properly* and hacked and cobbled together their language rather ignorantly, from which C, despite quite some attempts, never really recovered.

At the same time one must be fair when looking at C and recognize that it was *not* meant to be a proper language per se, but rather a higher level meta assembler. Just look at the control structures and you'll find that confirmed.
While, for instance, Wirth approached the matter from the mathematical side leaving implementation details for a later stage, K&R came from the opposite direction. Their question wasn't about a language as such but about some kind of stuff (the complete set of which would be called 'language') that would enable them to have a common form of typical artifacts of any and every assembler for any architecture.

It is important to understand that todays analogon to C is *not* something like Pascal but rather something like a compilers IL or p-code. C approached that point from the assembler side while other ('proper') languages approached from the opposite side, the side of a language designers (in the best of cases some slightly weird version of a mathematician).

Maybe this also explains my seemingly inconsistent position on C. On the one side I use it and even laud it as a meta-assembler, on the other side I condemn it and judge it to be a major accomplice in many IT safety/security crimes. It should be obvious by now, why: C still *is* a glorious (and btw. still the most universal) meta-assembler.
The problems arise out of a severe misunderstanding, namely the grossly mistaken assumption that C is a programming language like Pascal or Fortran. *Of course* C lends itself well to down-to-the-metal jobs! After all, it's a meta assembler! But's it's **not** a PL just like the GCC or LLVM ILs are not.

The point that the C people don't get - albeit hit again and again in the face - is that the kind of work that is needed to transform a PL to some kind of machine code not only is the very raison d'etre of compilers but also their strength - and the humans weakness.

We humans think in terms of e.g. "do xyz with every item in some iterable construct, e.g. an array". Questions like "which is the first one?" or "which is the last one?" are the strength of compilers, not of humans.

use foo;

text : char[n]; -- some text string
count : uint := 0; -- our counter for uppercase letters

for c in text do
if is_upper(c) then count += 1;
endfor;

println("There are", count, "uppercase letters in text");

*That* is how humans tick and btw. makes sense to mathematicians, too.

#include 
#include 
const N = 128;
char text[N];  
unsigned int count = 0;

for(int i = 0; text[i] != '\0'; i++) {
if(is_upper(*(text + i)))
count++;
}

printf("There are %d uppercase letters in text", count);

That is how *machines* tick, that's a construct that is as minimally abstract as any possible and as close to asm as feasible. It doesn't express *concepts* but rather constructs that are machine processable. And btw, there is a small and usually harmless but very typical error included.

"for c in text do" is what we humans want. It means "do with each and every element in text"; it's also pretty close to what a mathematician would write ("\forall c in T:"), which btw. is carrying along itself multiple statements wrt. analysis. That's important (and very handy) because it's in effect some predicates that are guaranteed to hold. "for c in text" for example guarantees that the implicit i array index created by the compiler is within the bounds of text'First and text'Last.

This is an important point to understand.

The C version, however, is but a representation of a universal assembler. It carries *NO* verifiable predicates along.

Now, we can see the problem: C is "cool" but to turn C source into something reasonably useful we need to annotate it for a verifier. And - oh surprise! - those annotations happen to just be what a real PL would carry anyway.

With just two desastrous differences: a) *We* ourselves must come up with those rather mathematical annotations which are beyond the reach of the vast majority of programmers. And to make it worse - and often overlooked but tragically important detail: there is no connection between code and annotations! Those, say ACSL (Frama-C) annotations may or may not be consistent, relevant, complete.

Considering that the ACSL for the very simple C construct above easily is longer (more (and much more complex) "statements" than the C code), which one would you thing more attractive: 5 lines of easy, say, Pascal code carrying along a lot of automagically self-generated verifiable predicates - or - 3 times the amount of lines with C plus the need to come up with, write, and verify plenty of predicates?

And that, ladies, and gentlemen, is what we are really talking about. That is why C code and code in real PLs can *not* be compared. If one wants to compare then one needed to put up C plus predicates and assertions plus verification vs. say, some Pascal code.

Finally, that's also where the shiny C bubble breaks down. In effect, what C programmers (in 98+% of cases) actually produce is but the easy and small part if the work. The fact that they don't do the hard part is why their code is almost always buggy and unsafe.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.