Friday Squid Blogging: Brittle Star Catches a Squid

Watch a brittle star catch a squid, and then lose it to another brittle star.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on August 18, 2017 at 4:27 PM • 147 Comments

Comments

Ben A. • August 18, 2017 4:32 PM


Fighting Neo-Nazis and the Future of Free Expression

Cloudflare’s CEO: "Literally, I woke up in a bad mood and decided someone shouldn’t be allowed on the Internet. No one should have that power."

https://www.eff.org/deeplinks/2017/08/fighting-neo-nazis-future-free-expression


Trump boosts US Cyber Command

"President Trump announced Friday he is boosting U.S. Cyber Command to a full combatant command, triggering a review of whether it should separate from the National Security Agency."

http://thehill.com/policy/cybersecurity/347085-trump-boosts-us-cyber-command


Inside the Kronos malware – part 1

"Recently, a researcher nicknamed MalwareTech famous from stopping the WannaCry ransomware, got arrested for his alleged contribution into creating the Kronos banking malware."

https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/

https://arstechnica.com/information-technology/2017/08/code-chunk-in-kronos-malware-used-long-before-malwaretech-published-it/


New feature in iOS 11 quickly and temporarily disables Touch ID

"Pressing the power button on an iPhone rapidly five times will bring up an emergency screen, allowing you to either call 911 services or enter a passcode to enable Touch ID."

This'll be useful for those living in a jurisdiction where you can't be forced to give up your password but you can be required to use your fingerprint. This new feature will prevent your fingerprint working until you've logged in again with your password or PIN.

https://arstechnica.com/gadgets/2017/08/new-feature-in-ios-11-quickly-and-temporarily-disables-touch-id/


It’s Not Exactly Open Season on the iOS Secure Enclave

"Despite yesterday's leak of the Apple iOS Secure Enclave decryption key, experts are urging calm over claims of an immediate threat to user data."

http://threatpost.com/its-not-exactly-open-season-on-the-ios-secure-enclave/127533/

http://www.techrepublic.com/article/hacker-claims-to-have-decrypted-apples-secure-enclave-destroying-key-piece-of-ios-mobile-security/


FBI pushes private sector to cut ties with Kaspersky

Kaspersky "simply wants the opportunity to answer any questions and assist all concerned government organizations with any investigations..."

https://www.cyberscoop.com/fbi-kaspersky-private-sector-briefings-yarovaya-laws/


Take Part in a Study to Help Improve Onion Services

"To be eligible, you must be 18 years or older, have used onion services in the past, and ideally you aren’t an expert in the field."

https://blog.torproject.org/blog/take-part-study-help-improve-onion-services


Making Visible Watermarks More Effective

https://research.googleblog.com/2017/08/making-visible-watermarks-more-effective.html


f.lux has had a "big update" - version 4.43 is now available

You can now go down to 1200K

https://justgetflux.com/news/pages/v4/bigupdate/?v=4.43

Researcher • August 18, 2017 6:35 PM

re: Take Part in a Study to Help Improve Onion Services

The way that study is being run is an embarrassment to Tor. Several people have posted valid concerns about the study design on the web page but the response to those concerns has been unprofessional and snarky. The single biggest problem is that the author wants to reach out to people who have used hidden services in the past but then the survey instrument he designed insists that Javascript be enabled. Who the hell does that?! No one who uses hidden services does so with Javascript enabled, not if they value their privacy. Even if the study author manages to find enough brave souls to generate a large enough sample size to produce statistically valid results there is no way that the sample who respond will be representative of the population, rendering any data generated meaningless. So the whole thing becomes an exercise in futility.

The study design employed would not pass muster in an undergrad research methodology course. It looks terrible that Tor is pushing such nonsense.

CarpetCat • August 18, 2017 8:20 PM

So tor peeps have been making noise. Any comments? Weird to have the developers of a secure communications tool lament the use of their tool, isn't it?

Maybe tor is afraid the lynch mob will topple their statuesque standing.

Ratio • August 18, 2017 9:16 PM

Experts sound alarm over news websites' fake news twins:

Fake articles made to look like they have been published by legitimate news websites have emerged as a new avenue for propaganda on the internet, with experts concerned about the increasing sophistication of the latest attempts to spread disinformation.

Kremlin supporters are suspected to be behind a collection of fraudulent articles published this year that were mocked up to appear as if they were from al-Jazeera, the Atlantic, Belgian newspaper Le Soir, and the Guardian.

The creators of the articles made them look genuine at first glance by building doppelganger sites that have domain names extremely similar to the news organisations they are purporting to be. The stories were then pushed out to the world through sharing on social media and other websites – often Russian – following up on the article.

Curious Qubes • August 18, 2017 9:20 PM

@Researcher

Why not make a Tor VM in Qubes OS that is used for this survey. Enable Javascript. Then delete the VM of Tor when you are done.

Still learning, I am humble and may not be correct on this idea?

Drone • August 18, 2017 9:37 PM

Take Part in a Study to Help Improve Onion Services

"To be eligible, you must be 18 years or older, have used onion services in the past, and ideally you aren’t an expert in the field."

Pffft... Proof why you should NOT use TOR.

Cedric • August 18, 2017 9:54 PM

@Researcher,

The way that study is being run is an embarrassment to Tor. Several people have posted valid concerns about the study design on the web page but the response to those concerns has been unprofessional and snarky.

It's an internet comment section. Snark and unprofessionalism is to be expected, but AFAIK it wasn't Tor people or the survey authors responding. The Tor blog posted a link but doesn't claim it's anything "official".

"Embarrassment" is an overstatement, but there are problems. Like "To be eligible ... ideally you aren’t an expert in the field"—what does that mean? Are experts ineligible, or eligible but not ideal? Should non-ideal people fill the survey or not? Maybe fill it but feel a little guilty? (Conspiracy theory: the Javascript thing is actually a clever mechanism to make the "experts" disqualify themselves.)

@Curious Qubes,

Why not make a Tor VM in Qubes OS that is used for this survey. Enable Javascript. Then delete the VM of Tor when you are done.

Sure, I'd even do it with TAILS in plain qemu, if I cared enough. But I clicked the link to see what was involved, found it didn't work, and left. I mean, I don't owe any favors to the people running the survey--never heard of 'em--so why would I jump through hoops?

wendi • August 18, 2017 11:18 PM

> Literally, I woke up in a bad mood and decided someone shouldn’t be allowed on the Internet. No one should have that power.

Perhaps he could start by allowing Tor users to at least *view* Cloudflare-hosted websites.

Andrew • August 18, 2017 11:19 PM

"f.lux has had a "big update" - version 4.43 is now available"

I thought I was the only one using this. I also have Bluelight Filter for mobile.
It seems the danger is real, LED lights damage eyes. We will probably see some big buzz about it in several years, for the moment everybody enjoys "bright colors and vibrant contrast" of current devices.

Clipper • August 19, 2017 12:29 AM

@CarpetCat, Ben A

I was also taken aback by the tor (and cloudflare) statement. When you have a monopoly upon a market segment (and tor is a monopoly the same way google and cloudflare are in their respective sectors), taking sides is where it all starts to go down.

A few months ago tor people said how proud they are of riseup.net, which belongs to the extreme of the political spectrum. Now this statement. Cloudflare destroyed what was left of the internet with their statement and others just follow suit.

It reminds me of Paypal and Visa cutting out Wikileaks. Now more and more people distrust traditional banks and currency channels and go with bitcoin.

Now that neutrality went out of the window, maybe intel and cisco will come forth as well with similar statements and there you have it. A new cold war era. Gab.ai and hatreon were the beginning, expect to see more alternatives and finally it will reach hardware and especially CPU and SOC products.

But it's a good thing this happened because it would be dangerous to have too much power in the hands of tor. Another step towards decentralized networks.

Clipper • August 19, 2017 12:32 AM

@Andrew

Probably because most gnu/linux users go with redshift.

I think there is eyewear that can remedy blue light and you can buy at your local optical technician or sites like gunnar. Wouldn't that be a better solution instead of a software one?

Thoth • August 19, 2017 12:36 AM

@CarpetCat

They could literally search the Schneier forum for our comments but I think that is going to be tough for them so below is a bunch of stuff they should handle in small increments before the 'big stuff' gets pushed to them.

The more tricky stuff which requires updates to protocols would not be discussed here due to the complexity and work involved to revamp the entire Tor network so we will go with the more easily do-able stuff.

1.) Use OpenBSD as OS for Operating System.

They could easily excuse themselves by saying they have no control over Tails but this is a basic requirement they have to push down - somehow.

2.) Review through their Tor Browser package and ensure to disable Javascript and warn if Javascript has been re-enabled or is executing.

3.) Create a RPi image using either OpenBSD (RPi 3 and above) or FreeBSD (via RaspBSD flavour) with all the GUIs and additional packages stripped out except the necessary core packages (i.e. networking, crypto) and then build an official RPi based OS with Tor. This RPi should be used as a middle man between the PC and the modem/router to tunnel all traffic through as some sort of hardware tunneling solution. This will ensure that all traffic would go through Tor and attempts to exploit some Javascript vulnerability to reveal IP address would not be too easy to pull off.

They could again easily excuse that they have no control over the Mozilla Browser.

Notice that these are very basic security requirements that are the frequent cause of de-anonymization of Tor users which could have been managed and solved but the fact is these issues have not been ironed out and mostly left in the open and leaving the users exposed. Easy for excuses to be made as well.

Clipper • August 19, 2017 12:46 AM

@wendi

You are right, this cloudflare thing has been very annoying for so many months. I just stop visiting cloudflare sites when I see these captchas, and it's very annoying on the clearnet as well.

Am I the only one who gets reminded of the BOFH figures of the old days?

Ben A. • August 19, 2017 6:04 AM


@Researcher

I'm not connected in any way to the survey but JavaScript can be used safely in a sandboxed environment (like Qubes) or on an ordinary computer assuming you trust the site and practice good hygiene - clearing cookies and cache and using something like NoScript or uMatrix to lock down everything else; if you don't trust the site then don't use JavaScript.

I think the majority of internet users will never disable JavaScript because it provides useful functionality on many sites; others will use their blocking software to automatically determine what's safe and what's not.

Java is a different matter entirely.

@Curious Qubes

This would work and is one of the methods that people serious about their security may choose to take. Some people use Tor not because of an overwhelming desire for privacy but to bypass geoblocks (instead of paying for a VPN) or to access Onion sites.

@Cedric

I think it has the approval of the Tor Project and the results will be going to them - it was posted on the official Tor blog and the author has said that the feedback will help improve services in the future. (P.S. Redshift in Linux for me has always been unreliable, YMMV.)

@Clipper

Now that Cloudflare have demonstrated their willingness to take down content arbitrarily, even though the content was distasteful, it's going to be much more difficult to resist government/official requests.

@Andrew

f.lux is extremely popular especially on Windows as it's been around the longest and offers the most functionality.

Microsoft took a long time to integrate their own version into Windows 10 and I think they call it Night Light. Mac devices (iOS and MacOS) use Night Shift which is built into the OS.

I don't know how good the apps are at actually reducing blue light but I do know that the feature helps reduce eyestrain which is the main reason I use it.


US DoD, Brit ISP BT reverse proxies can be abused to frisk internal systems – researcher

"While trying out the invalid host technique, I noticed pingbacks arriving from a small pool of IP addresses for payloads sent to completely unrelated companies, including cloud.mail.ru,” Kettle explained. A reverse DNS lookup linked those IP addresses to bn-proxyXX.ealing.ukcore.bt.net – a collection of systems belonging to BT, PortSwigger's broadband ISP. In other words, sending malformed HTTP requests to Mail.ru resulted in strange responses from his ISP's servers."

"A TCP trace route revealed that attempts to establish a connection with cloud.mail.ru using port 80 (aka HTTP) were intercepted by BT within the telco's network, but traffic sent to TCP port 443 (aka encrypted HTTPS) was not tampered with. “This suggests that the entity doing the tampering doesn't control the TLS certificate for mail.ru, implying that the interception may be being performed without mail.ru's authorisation or knowledge,” Kettle explained."

https://www.theregister.co.uk/2017/08/19/reverse_proxy_war/

JG4 • August 19, 2017 8:04 AM


Thanks to all of the usual suspects for the many helpful discussions. We could hope that the Evil Overlords at Umbrella Corporation and OverWatch Corporation can learn something here about computer security, as well as being benevolent despots in a way that leads to global prosperity.

I had a stunning quip, but then I realized that it is trademarkable. I'm way behind on trademark filings.

I'm an equal-opportunity hater when it comes to most Democrats, most Republicans, most psychopaths, and most sociopaths. It's about time that I went on the record as being an equal-opportunity friend of all ethnic origins. MLK and Gandhi were two of the greatest people to ever live. I expect that came through my comments reasonably clearly in the past. I'll go a step further and say that any beliefs or suspicions that some races are inferior are flat-out wrong. The differences between groups are minuscule and at the level of, "people who can run faster tend to have brains that can process visual flow fields better." We won't be getting through Grinspoon's gauntlet without some political skills and trust. The ultimate security test for your species is managing destructive forces and scaling trust. The history indicates that you have a failing grade.

https://www.nakedcapitalism.com/2017/08/links-81917.html

...[included because of the deep analogy between immune response to pathogens and what anti-virus software should do adaptively. if the response is too strong, a false alarm could be crippling or fatal. like when the police distribute hardwood shampoo to the innocent bystanders. or shoot black people in the back for being scared 5h1tle55. if you'd been beaten senseless by the police a few times, you won't be calmly standing there with your hands up while being stopped. you'll be running, just not faster than a bullet]

Peanut allergy cured in majority of children in immunotherapy trial Guardian. Chuck L: “A old friend of mine died of this allergy several years ago. At a cocktail party he was incorrectly told nothing on offer contained peanuts.”

...[the audio monitoring is quite similar to one that I proposed two or three years ago between cell phones]

Big Brother is Watching You Watch

How A Pop Song Could “Watch” You Through Your TV Fast Company

...[signal integrity - breaking the enemy's OODA loop]

Imperial Collapse Watch

The Islamic State May Be Failing, but Its Strategic Communications Legacy Is Here to Stay WarontheRocks (resilc)

...[included for the brilliant energy-maneuverability diagram - now your packages will drop from the sky and drone to your house. the term of art is gradient descent. processors and toolchains also have differing energy-maneuverability diagrams. everything on your planet, in your star system, galaxy and cluster that moves is an entropy-maximizing gradient descent thermodynamic system. the non-equilibrium ones require a constant source of high-quality delta G to maintain homeostasis]

Wal-Mart Applies for Patent for Blimp-Style Floating Warehouse Bloomberg. Peak Walmart, in both senses of the word.

...[self-driving cars and trucks have the potential to provide a useful level of protection against drunk driving and terrorist uses, so long as the software/hardware integrity is maintained. unfortunately, the news is abundant proof that we are nowhere near being able to do that consistently]

Laguna Beach Installing Barriers To Protect Pedestrians Against Weaponized Cars CBS Los Angeles (resilc). If we ever get to self-driving cars, which we at NC doubt, no one appears to have considered that they would make for ideal weapons, whether with bombs in them or not. Just imagine a car set to rampage on a freeway during rush hour, where cars would be even more tightly packed in a driverless regime than now.

...[another signal integrity issue - discriminating between unproven theories and actual best practices in security or public policy. and even worse when it is disinformation to induce action against interest. that is an attack on system integrity]

Economic Update: Economics as Deception Truthout. Interview with Michael Hudson.

[and there you have it in a nutshell, true intelligence and/or wisdom is the ability to act in the best interests of the cohort. it is difficult enough to program that into a desktop PC and you want to centrally plan and manage a global economy? it is far more practical now that the sensors, monitors, transducers, processors and data telecom components are dirt cheap. beware of unintended consequences and mis-steps on the path to entropy maximization. we touched on information theory in biology yesterday. the economy also is a data processing engine comprised of billions of distributed wetware processors with significant cognitive limitations]

JG4 • August 19, 2017 9:03 AM


Can't recall if anyone linked one of the "news" stories about the rumor floated that Trump might pardon Assange. I'd like to see that happen and it would be a masterstroke worthy of Bannon, say cutting a departure deal. Even better if Snowden is included. I haven't been able to evaluate Bannon's moral compass, but I'm impressed with his political acumen. And I'm glad that he dissed the white supremacists. Violence is the opposite of civilization. I'm heartily in favor of a robust debate of many topics and national security is a worthy one. I couldn't find any indication that I commented on this story previously. My comments should not be construed as an endorsement of any politician. If you are going to experience imperial collapse, you might as well enjoy the imperial intrigue. The scandals are right out of the Roman times. Speaking of national security, we have some barely visible apparatus.

Big Brother has a name and a house. The company name actually is Overwatch Systems Limited, but Overwatch Corporation is close enough to convey the hair-raising part, and better evoke the overlap to Umbrella Corporation. If I knew as much as they do about what is in the event pipeline, I might want a giant concrete house too. If the spooks think that they need this, then we might be in for serious trouble. James Jesus Angleton was notoriously paranoid (for good reason as it turns out), so it may go with the territory.

The [square brackets] are my comments, but you've been trained by now. The last time I checked, this link had not aged gracefully, say in 2014. But I was able to find plenty of corroboration and more recent articles. The security implications of a giant concrete house, staffed with mercenaries hardened in the midEast disaster, should be fairly obvious. If you had gotten a slice of the squandered $3.7 trillion, you might not see it as a disaster. That much money would have built enough solar thermal infrastructure to power the entire US from a 60 km x 60 km patch of the southwest desert. And put the same profit in the same pockets, and had an impressive effect on geopolitics, global security and climate.

Living large: Home going up in Highlandville to be one of country’s largest.
http://ccheadliner.com/news/article_fca0c66e-1db0-11e0-93d8-001cc4c03286.html

[excerpts follow; there were good pictures embedded in the web version]

The stretch of U.S. 65 between Ozark and Branson has some of the Ozarks’ most impressive scenery. There are lush, rolling hills, distant horizons and, if you look east, one of the biggest homes in the United States.

[In spook-speak this is called a "compound". It sounds rather more difficult to penetrate than bin Laden's, although it will be much easier to land a Blackhawk inside the perimeter, with or without acoustic suppression]

A house currently under construction near Highlandville spans almost a full acre from wall to wall, on a 500-acre site. The ambitious project, nearly three years in and barely at the first floor, totals 72,000 square feet.

["Overwatch" is a little Orwellian for my taste. There are some interesting hints in the article about their technology, including video surveillance. Apparently, he also has some money, a staggering amount of it. If you've seen the Resident Evil series of movies, you might catch the overlap between Umbrella Corporation, who were willing to do anything for money and power, and the Overwatch Systems Limited name. Unfortunately, the company is too hidden/secretive to evaluate, except for the software, firmware and hardware stubs that they put on your computers. But you can rest easy knowing that your government would never do anything to harm you or your family, or act against any of your interests.]

The property’s deed says the Steven T. Huff Family, LCC is located in Leesburg, VA. Available online records of political campaign contributions show a Steven T. Huff of Leesburg to be an engineer and chief technology officer of Overwatch Systems, Ltd.

According to the Overwatch website, the company “delivers multi-source intelligence (multi-INT), geospatial analysis and custom intelligence solutions to the Department of Defense, national agencies and civilian organizations. ... More than 25,000 analysts in the U.S. Department of Defense and the larger intelligence community utilize Overwatch solutions.”

Clive Robinson • August 19, 2017 11:09 AM

@ JG4,

... the rumor floated that Trump might pardon Assange.

It's not the first time people have floated the idea that a sitting US President "might" pardon those seen as "National Security" turncoats / whistleblowers by much of the administration.

As it turns out mostly it's wishful thinking, or a bid at influencing. The few live ones that have got pardons are often because they were seen as "insiders" or "friends" to the administration.

The thing is Julian Assange is not going to be easy to prosecute. He's not a US citizen, he did not take anything from the US Gov and he did not publish that from within the US. Under international norms he might be an embarrassment but not a criminal.

However US exceptionalism gives rise to hypocritical behaviour by the US Gov. That is they insist that their "writ" applies wherever they say ie globally or into space, but... nobody else may extend their writ into what the US Gov regards as their jurisdiction.

unloved hand lotion • August 19, 2017 11:46 AM

Since we're discussing Tor, one of the most fucked up things about Tor Browser Bundle (TBB) for Linux was made public in a recent update:

Tor Browser 7.0.3 is released (major security bugfix release for Linux users only) - 2017-08-01 - via SoylentNews

"This release features an important security update to Tor Browser for Linux users.

On Linux systems with GVfs/GIO support Firefox allows to bypass proxy settings as it ships a whitelist of supported protocols. Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser. Tails and Whonix users, and users of our sandboxed Tor Browser are unaffected, though." "We believe that previous versions of Tor Browser are affected as well (definitely 6.5.2 which I tested). There is no particular version this bug got added as the offending code has been in Firefox for years."

Milo M. • August 19, 2017 1:07 PM

@Andrew:

Had read about sleep disruption from blue light, but had to look up eye damage.


https://www.ama-assn.org/sites/default/files/media-browser/public/about-ama/councils/Council%20Reports/council-on-science-public-health/a16-csaph2.pdf

"Many early designs of white LED lighting generated a color spectrum with excessive blue wavelength. This feature further contributes to disability glare, i.e., visual impairment due to stray light, as blue wavelengths are associated with more scattering in the human eye, and sufficiently intense blue spectrum damages retinas. The excessive blue spectrum also is environmentally disruptive for many nocturnal species. Accordingly, significant human and environmental concerns are associated with short wavelength (blue) LED emission."

Shang YM, Wang GS, Sliney D, Yang CH, Lee LL. White light–emitting diodes (LEDs) at domestic lighting levels and retinal injury in a rat model. Environ Health Perspect. 2014:122(3):269-76.
https://ehp.niehs.nih.gov/1307294/

Lougheed T. Hidden blue hazard? LED lighting and retinal damage in rats, Environ Health Perspect. 2014;122(3):A81.
https://ehp.niehs.nih.gov/122-A81/ "


The circadian rhythm effects are caused by blue light response of the photopigment melanopsin, which in turn controls release of melatonin for inducing sleep.

https://en.wikipedia.org/wiki/Melanopsin

http://www.cell.com/trends/neurosciences/pdf/S0166-2236(13)00197-5.pdf

https://www.health.harvard.edu/staying-healthy/blue-light-has-a-dark-side


Lots of stories lately about negative impacts of blue LED street lights.

http://spectrum.ieee.org/green-tech/conservation/led-streetlights-are-giving-neighborhoods-the-blues

http://www.bbc.com/news/magazine-38526254

Czerno • August 19, 2017 1:33 PM

A question, Re: blue-light considered harmful.

Is it /just/ about some wavelengths predominantly present in white LEDs used for lighting (that I don't use, am still burning good old cheap if inefficient incandescent bulbs, including a few of the halogen-gas type)?

Or is /any/ and all /blue/ lighting dangerous per se ? In particular, should I now rush to change away from the solid blue color that I happen to have as preferred background of the MS Windows "desktops" on my computers ? All CRT monitors still, by the way...

TIA !

Wael • August 19, 2017 1:57 PM

@Czerno,

A question, Re: blue-light considered harmful.

I wouldn't rule it out. I heard from the "grapevine" that different wavelengths have different effects. Green light is good for ya. Next time you have a headache, get some "green" ;)

Anura • August 19, 2017 2:19 PM

@Czerno

As far as your body is concerned, blue light = daytime. When you are exposed to blue light for an extended duration, your body produces serotonin, which tends to make you more awake. If you are staring at the computer before bed, this can easily be a problem.

Wael • August 19, 2017 2:36 PM

@Anura, @Czerno, @Milo M,

Blue light decreases melatonin which is needed for sleep. 'Grapevine' doesn't know about serotonin.

Czerno • August 19, 2017 4:00 PM

@Wael, @Anura : thank you, guys. I'm not that concerned about effects on sleep and circadian rhythms, much more so about alleged irreversible harm which said blue light might have over the retina - IF I understood well, which is a big if (here I must confess I haven't read the external article).

Oh well I might as well change screen bg to green. I had it green with windows 2000, and since I multiboot, I opted for blue in XP in order to gimme immediate visual clues, back then...

Sniff, I'll miss the blue, I like blue :=) In my experience it's not easy to set your typical superVGA CRT to a solid green hue that is pretty to the eye. I'll have to copy the RGB values from that old Win 2k desktop, I guess that will be quicker than fiddling with whatever control panel applet MS provides for picking colors :=)

Clive Robinson • August 19, 2017 4:27 PM

@ Wael,

Blue light decreases melatonin which is needed for sleep

It is one of the lesser chemicals. The one you want to look at is known as "visual purple" and it has some interesting properties in that like various silver halides it is chemically altered by light.

More technically,

    Rhodopsin is a light-sensitive pigment receptor protein found involved in visual phototransduction in the rods and cones of the retina, where it is chemically changed on exposure to light and in the process stimulates production of a nerve impulse.

Like many chemicals in the human body it has multiple functions. The form of Rhodopsin that has not been exposed to light acts as a soporific. Thus as you feel tired you blink longer which feeds back to make you close your eyes it thus builds up and helps you sleep. To stop excessive build up it ends up in your bladder and some years ago French researchers looked into the effects it had via "drinking the first passing of water"...

Rhodopsin is more susceptible to certain photon energies, and without looking it up I vaguely remember it's the upper end of the visual spectrum (dawns pale blue light and all that).

As for serotonin the easiest way to up the quantities of that is to eat a whole bunch of starchy carbs a couple of hours before shut eye.

Serotonin is a neurotransmitter chemical that has a strong influence on your mood. Those with certain mental health issues like chronic depression have been found to have low serotonin levels thus poor nerve firing etc. What is not known is if it is because not enough is being produced, if it is being taken up too quickly or a combination of both.

Thus much anti-depression medication focuses on serotonin and often blocking the reuptake process hence "Selective Serotonin Reuptake Inhibitors" (SSRIs).

It's also why if you want to not just lose weight, but not get the "sleepy lows" at work you should not eat starchy carbs for breakfast or lunch, but eat a moderate quantity before bed.

The medical profession is slowly coming around to the idea that different racial types have different responses to food types. One thing that is known is that carbohydrates do not stop you feeling hungry. In fact there is growing evidence that for some racial types their body actually responds to carbohydrate by making you want to eat more, a lot more of it, that gets laid down as fat. The reason for this is that it is a survival strategy that works. Where there are quite noticeable seasons, carbs only appear in the "natural diet" shortly before the onset of autumn, then winter. Thus laying down fat stores is crucial to survival. However we generally do not eat a natural diet any longer and carbs are present throughout the year. Hence certain racial types put on lots of weight and damage the pancreas thus getting type II diabetes.

Whilst humans can not survive for long without eating protein and fat, they can survive indefinitely without carbohydrates, especially the simple sugars. As was once noted "Putting sugar in your diet, is like pumping nitro into a mini engine, you know that whilst it will take off like a rocket, it will quickly burn out and die"...

Wael August 19, 2017 5:59 PM

@Clive Robinson,

I'm told parts of what you said may be true. May not be the whole story. Most of what readers have done was to use blue wavelength. "We" have not seen much research with purple.

Foxy August 19, 2017 10:19 PM

There have been some articles about Mozilla/Firefox testing the waters about blocking "fake news" so you won't be able to visit sites freely, and that some questionable billionaire is going to fund the endeavor. What's going on with that?

IMO, Firefox has gotten too big and will have more problems keeping away from security problems, and such initiatives just make things worse. I just wish browsers kept things simple and focused on speed and security instead of following the latest fad.

Anon August 19, 2017 11:16 PM

This is just what I heard, so needs checking:

Blue light (any) keeps you awake for the reasons stated above. Wavelength isn't too important, but must be in the visible blue range.

As for LEDs damaging eyesight - it is not the color but the intensity of the light. LEDs are extremely bright to look at (to the point it hurts my eyes - e.g. LED daytime running lights on cars), compared with incandescent bulbs which while bright, don't hurt nearly as much.

LEDs also have the intriguing property that they can be painfully bright, yet nearly useless as a general area light, compared with dimmer-looking incandescent bulbs that adequately illuminate doorways.

White LEDs can not only emit very high levels of blue light, but many emit UV as well. The UV component may or may not be an issue depending upon whether it is behind a polycarbonate lens, as it filters out the UV light. Where UV is emitted, it can be sufficiently strong enough to cause sunburn if used as a desk lamp.

I'm utterly convinced that in the future we will see an increase in eye problems as a result of LED lighting. I have avoided getting LED bulbs so far, but considering them now it's possible to get bulbs that change color, so the blues can be eliminated.

Andrew August 19, 2017 11:17 PM

About the LED blue light, there are different issues. They say it's the high frequency that damages retinas, if we look at a colors frequencies table the highest is for violet and blue, the lowest for red and yellow. Green is somewhere in the middle, closer to blue.
https://en.wikipedia.org/wiki/Color#Physics_of_color
I don't know if this is completely true and why this happens only for recent LED screens (or LED-backlit LCDs), I was looking at CRT screens for years, sometimes even 16-17 hours a day and never had eyestrain - those had blue lights too.

Anyway, this is different from the psychological effect that colors induce or from their hormones chemistry effects. For example a green room may have a relaxing effect while a red one may stimulate activity or even irritate. Tones also count a lot in this case, a light purple room or beige can be relaxing too.
http://www.colour-affects.co.uk/psychological-properties-of-colours

Andrew August 19, 2017 11:23 PM

One more thing, blue walls may amplify the LED blue light while some yellow one may act like a filter and reflect less blue light back.

Clive Robinson August 20, 2017 4:39 AM

@ Wael,

"We" have not seen much research with purple.

It's called "visual purple" because of the chemical's colour, not its frequency response. The more formal name of Rhodopsin likewise refers to its colour, not its frequency response.

As I said it's one of several chemicals in the eye that respond to light. Not all of them are involved with "seeing" via the rods and cones.

Just before the millennium interest was sparked in another light sensitive chemical found in the eye but it was not involved with seeing as experiments on mice show. It was found that it was however linked strongly to the circadian rhythm and was critically affected by blue light.

Called melanopsin, in humans it is found in "intrinsically photosensitive Retinal Ganglion Cells" (ipRGCs) not the rods and only a tiny fraction of the cones at the periphery of the retina. The melanopsin,

    communicates information directly to the area of the brain called the suprachiasmatic nucleus (SCN), also known as the central "body clock", in mammals. Melanopsin plays an important non-image-forming role in the setting of circadian rhythms as well as other functions. Mutations in the Opn4 gene can lead to clinical disorders, such as Seasonal Affective Disorder (SAD).

So we are talking about two effects of "blue light",

1, Potential damage to eyes.
2, Has effect on circadian rhythm and potentially mental well being.

As for the problems with LEDs and efficient lighting in general, it is known that they have "perceived intensity" issues in humans, hence comments about them not illuminating as well as incandescent bulbs.

Incandescent bulbs are very broad spectrum devices (effectively black body radiators) the bulk of their radiation is below the visible range, and in many cases do not emit up to blue light. Thus we describe them as being "warm" or "pearl" because of the level of red light. Halogen lights do emit up in the top end of the visual spectrum and above which is why they are still available for "work lights", but you should not get your hands near them as they can quite effectively "roast meat" etc.

The first efficient lights were arc lights that were very intense in fact too intense to use. It's why welders use very dark welding glasses to stop "Arc Eye" which like looking at the sun will cumulatively damage your eyes due to the intensity of UV, which by the way also cumulatively damages silicon solar cells[1]

The next efficient lights were gas discharge lamps such as neon tubes and low pressure metal vapour discharge lamps. Such as those using sodium and mercury. Neither is very much use to see by as they have a very limited spectral output. Which is why the insides of the tubes contain a quite lethal cocktail of chemicals known as phosphors which absorb photons at one frequency and re-emit them at a different frequency. For many years the only lights in a house that were not incandescent were the mercury vapour strip lights. This was not because they were more efficient but because they produced a "whiter light" often thought to be a "cold light" (as in the "cold light of day" you get in early winter mornings rich in reflected blue light from frozen water).

Mercury vapour lights are now known to affect a small percentage of the population in a number of ways which is why modern office lights using them use reflectors and diffusers that cut down the high frequency high energy photons at the blue end of the spectrum. As well as being driven not by low frequency (50/60Hz) mains supply but by Switch Mode PSUs working at the upper end or above the audio frequencies.
It was found back in the 1980's that as the drive frequency was increased to around 16KHz certain gas discharge lights became very much more efficient and did not require heaters and all the problems they caused.

Thus we got the first generation of "high efficiency lights". But they had the problem that the gasses inside still only produced a single light frequency for each gas. Thus if you use a DVD as a mirror to look at one when you get to the right angle it behaves as a diffraction grating and you get images of the bulb at the different spectral frequencies it emits (I've mentioned this in the past a couple of times).

The problem is that the human eye does not see at all visual light frequencies either. The brain interprets the output of what are limited band pass filters to "fill in" what the eye is not seeing.

Thus the differences in humans eyes and the monochromatic spectral lines emitted can and do cause problems with seeing that incandescent bulbs do not, as beyond our teenage years most of us have slowly degenerating colour vision and partial colour blindness.

LEDs are even worse in this respect. In fact there is little difference between the way an LED works and how a Laser Diode works... Which should give people pause for thought. Naked high intensity LED lights used for lighting --not indicators-- should NEVER be looked at directly for the same reasons you should never look at the sun.

To understand a bit more look up on the likes of "light fatigue", "Snow blindness", "Arc eye" and other light related visual disorders.

Further never look at any light source directly if you are on various mind altering / central nervous system depressant drugs like opioids or their analogues. Because it interferes with the control of your iris, so it can not close down to protect the eye from even normal indoors light levels.

Oh one last thing, also look up why "red light" does not cause "night blindness" whilst higher frequency light does. There are a couple of processes involved due to the time it takes for the "opsins" to build up, but also due to the way the human iris works which again is "frequency selective"

[1] When you buy solar cells for "off grid" generation you often get told something that is both true and false, that is you get told that solar cells have over a 25-year life time. Whilst true for the visible spectrum it's not true for sunlight with a high UV content. Without an appropriate coating UV light reduces the solar cell life time to five years or less... Thus you need to be aware of just what coating is used on the solar cells you are offered...

The Keith Harding Tween Selfie Archive August 20, 2017 8:10 AM

Thank you Ismar for the heads-up. What pathetic lily-livered cowardice in publishing only the classification guide. Give that bumf to journalists with balls. Still, there's a couple drips of blood you can squeeze from that turnip.

CRITICOM and SOCOM, that's where we'll find all the smoking guns for universal-jurisdiction CIA crimes. Somebody drop that on us.

Classifying "system characteristics" Top Secret shows amazing contempt of the US public. Anybody think the targets can't reproduce that word-for-word? CIA is covering for its other satellite states that spy on their own people and on us.

JG4 August 20, 2017 9:16 AM


Can anyone comment on a way to download to a CD all of the content from this blog for the past n years? In the event that it gets taken down for any reason, up to and including an asteroid strike or EMP event? I've put enough time in that I wouldn't want to lose access to these thoughts. BTW, this crowdsource effort should be abundant proof that Bruce could herd the cats to produce a wildly successful book. If they would have fed me a healthier diet in prison, I'd have been happier to stay there. I had forgotten that was a key step in my love of black people, when the biggest blackest inmates came to meet us at the entrance, hugged us and said, "We're so glad that you're here. We heard you were coming." I get that could have gone in a negative direction, but it went in a very positive direction, a fantastic experience. The library included Lucifer's Hammer. Protest is a feedback mechanism that is meant to correct the problems. Feedback is one of the most powerful phenomena ever observed on your planet. The sex and death feedback channels sculpted every energy-maneuverability diagram that you've ever seen walking on two legs, four legs, swimming or flying. I was vaguely aware of encryption technology at the time, probably because of my time in the imperial forces. PGP may have been a few years in the future. The most colorful bookie I've ever met explained how the cops took his $40K in cash, turned in $15K as evidence and disappeared $25K. They also broke his code and gave him hard time. It was yet another beginning of wisdom and insight into the many unseen systems in play. Troubleshooting of all types could be conceived as making the unseen readily visible. A nice overlap to dashboards and data visualization.

@Ben A. - Thanks for all you do. Ditto to all of the others acting in good faith.
https://www.schneier.com/blog/archives/2017/08/friday_squid_bl_589.html#c6758597

@Fall O'Through - Another instance of gradient descent and a great handle.
https://www.schneier.com/blog/archives/2017/08/friday_squid_bl_589.html#c6758606

It's a short step from watermarking visibly to invisibly. And another short step to steganography, and the fundamental tradeoff between detection threshold and data rate. I've wondered if "they" have a per-camera watermark that survives deresolving in the jpeg scheme. "They" is secret code for the large men in dark suits wearing dark glasses who come with briefcases of cash to make deals. They often say, "We were not here and this did not happen," but the times that you take the cash (which are the only ones that you survive) it generally is against your interests to disclose. There are two ways to get people to do what you want. Simple variations on the old theme of carrot and stick, including the thermo-rectal stick taught in various schools. The knuckledraggers can dispense various forms of pain as well as cash.

I hope that our guest Peter Smart wasn't offended by being called Brilliant Pebble. It was meant to be in good humor. A friend of mine who had blue eyes was a Hungarian Ashkenazi and friend of Edward Teller. His son had green eyes and could damn near see in the dark. The three most metabolically active tissues in the body are the retina, the hair cells and the Islet cells. Their dance with glucose are the keys to Clive's observation and the reason that people often lose their eyesight, hearing and become diabetic in later life. Or early, I know a guy in his late 30's or early 40's who looks pretty healthy, and is only chubby, but already is having his foot sawed off piecewise.
https://www.schneier.com/blog/archives/2017/08/hacking_a_gene_.html#c6758387

Speaking of a guest who would enjoy topics here, some weeks or months ago, a spectroscopy company posted. I'm surprised that they weren't drawn into the LED discussion, in the event that they've been lurking. I've already forgotten both the name of the company and the topic they discussed. They would particularly enjoy this LED exchange, as I do. That company dovetails to Clive's handy dispersive spectrometer using a CD. A laser pointer will produce a nice series of dots with those, because of the orders. It's a short step to putting a $5 CCD on that and quantifying the results and filtering them to correct for the transfer functions. That dances up to CRI for LEDs, which is a topic that I don't understand well. I had a hell of a time with candelas and related topics. Someone posted how the organs of government hand out data to the press in a way that induces cognitive dissonance, during which the reporter is susceptible to accepting the government-provided analysis, which they cannot replicate with the incomplete data set. I ended up with cognitive dissonance in trying to compare different light sources. We quickly realized that you could color code maps to reveal only certain features with each switch setting via the LED color combination, but inkjet printers were roughly a decade in the future, at least as a common consumer item. I ended up with cognitive dissonance on the candela, millicandle, lumen road. Now I might be able to put it in a spreadsheet, and the data sheet are a lot easier to read.

@Curious Qubes - VMs are part of the solution, but the hardware and firmware from the modem through the router to the computer all should be locked down (no flash updates = toggling of undocumented features). The next best thing is filtering at each step in the progression in a way that insures undocumented "features" do not come into play. That requires a deep understanding of the threat model, or massive statistical data to infer the undocumented features that are used against the spectrum from high-value to low-value targets. To keep the datasets from toggling undocumented features, homomorphic techniques could be used to implement a type of code polymorphism over a set of voting processors. Thanks to Nick P and/or Wael for alerting that there is an entire body of literature. I get that there are people much smarter than me, who not entirely coincidentally have a lot more money and power, but have already ploughed a lot of this ground, much of it behind a different curtain than the Iron Curtain, but also there. Can anyone name the black-budget curtain? That might be close to optimal naming, in light of the Chinese proverb, "The beginning of wisdom is to call things by their right name." Can't recall if yesterday was the first use of the term "spook-speak," but I like it too.

@Clipper - Nice analogies across a wide swath of activities. The best-case scenario on the old blue marble is a profoundly dynamic balance of power, where the Overlords can maintain control as long as they act in good faith, but are subject to the hemp and lamp-post treatment if they cross the line into bad-faith. I always mention the due process clause, after a fair and speedy trial. For the record, they have illegally subverted due process, which is treason and requires anyone who has taken an oath to uphold the Constitution to ignore any illegal directive as null and void on the face of it. The main use of the security state at this point is not to defend against very real enemies, but to use that as an excuse to preserve and enhance the wildly inequitable division of wealth that has built up over the past 50 years and many times prior to that. The Overlords almost always have the upper hand, but the serfs are figuring out the reality one real news headline at a time. Unfortunately, those are needles in the hay-stack of state-sponsored fake news. If you do not partake of the news, then you are uninformed. If you do, then you are disinformed or misinformed. BTW, NakedCapitalism broke down this past week over cognitive dissonance in the aftermath of the Charlottesville incident. That should be expected to increase in frequency in a non-equilibrium system during state transitions. Scott Adams of Dilbert fame published a brilliant analysis of mass hysteria. In a computing system, that might correspond to running the wrong code in response to an input.

http://blog.dilbert.com/post/164297628606/how-to-know-youre-in-a-mass-hysteria-bubble

@Andrew also @Clipper and the rest of the gang - Nice work on amplifying one comment into a whole treatise on lighting. We could take as the baseline case sunlight. Equatorial people have eyes with very dark pigmentation, which presumably includes some protective effects against bright sunlight. The blue eye gene is quite recent in human history, arising perhaps 10,000 years ago in Europe or Northern Europe, where increased sensitivity to light is valuable. We could start by guessing that the tolerance to blue light will be a function of genetic heritage, including loss of tolerance by adaptation to storm clouds and subArctic winter. That loss of tolerance to blue light, includes ability to see in darker conditions where blue light is prevalent and genetic resistance to seasonal affective disorder. There may be an epigenetic control that fine tunes for variations like the little Ice Age. The first thing that sprung to mind from the BBC links was, "Have these people never heard of tinfoil?" I use the tinfoil designation for aluminum foil to evoke the connect to tinfoil hats, which are an excellent idea for blocking the thought control beams. I'm still interested in Clive's take on how much magnetic material is required to block various frequencies of electromagnetic radiation. If you've got unwanted light coming in the window, you can wrap a piece of cardboard with tinfoil and press it in or hang it. The cardboard is prefitted to slip in the window, or can be hung on pegs above the window. For LED lights and even mobile device screens to be used in dark settings, you'd like to have gel filters that block UV, blue, green, yellow and orange light, if the time of day indicates susceptibility to circadian disruption. It's a short step from there to some kind of compact goggles that have the same gel filter. In case you woke up in the middle of the night and want to go online without really screwing up your circadian rhythm.
You could put those goggles on at sundown or any time after. The flipside of circadian disruption at night is seasonal affective disorder (SAD). Being under blue lights at the correct time of day can be a lifesaver for people who have it. We might again speculate that the genes for SAD are in dark-skinned populations, while they are less common in blue-eyed populations. It shouldn't be rocket science to produce LED lighting that has a tunable spectrum tied to a clock. It's a short step from there to tuning the color information sent to a screen. It would be bad if the default LCD lets through UV from red pixels. BTW, the whole circadian/melatonin/blue light loop is a nice example of a remarkably powerful feedback control scheme where most people are blissfully unaware that it even exists. Just like Eisenhower's unwarranted influence or "That Which is Seen, and That Which is Not Seen".

@Clive - One common term of art for welder's eyes is flash burn, although that has other meanings. If you've never experienced it, it feels a lot like grinding sand against the cornea. The corneal cells die and slough off after the UV insult, exposing the nerves. I assume this also is taught at the torture schools. It may be appropriate for us to publish the Israeli techniques for opting out of interrogation, as a counterbalance to the Overlord power. BTW, the Israelis are experts at interrogation. As always, with the correct safeguards, it is a good idea. We are light-years from the appropriate safeguards. The corneal cells have some very special genetic features, as well as being unusually transparent. A nice piece of history that is lurking here is that cataract surgery was just getting started in the US prior to WWII. In those days, they gave glasses that looked like Puritan window panes; the term of art sounds like bullseye glass. You had no lens in your eye, but you could see in the UV for the first time in human history.
So the Navy, who were keenly interested in opening obscured channels, including TOR and the WindTalkers, had UV filters for the semaphore lights. I've forgotten the correct term of art, but the lights that they blink to do line-of-sight code transmission. Visible only to the Navy sailors who had their lenses removed. "We've got one who can see." BTW, all of these problems with blue and UV light from LED bulbs already existed with fluorescent lighting, but that usually was deployed at lower power per unit area. I was surprised by Clive's term of art, striplighting. We call them fluorescent tubes on this side of the pond. If you've ever seen a piece of paper with the usual dyes on it (e.g., yellow pad with blue lines) exposed on a shelf near the fluorescent lights, the blue is completely gone and the yellow is faded a lot after one to three years. We are dancing around the match between photon energy and chemical energy levels. The blue light is much more energetic than the red (nearly 2x) so near-UV, mid-UV and far-UV can drive increasingly more difficult chemical reactions, including blue photoreceptors all the way up to activating oxygen to a singlet state that plays a role in sunburn. This could turn into a book, but I'll stop with pointing out that the atmospheric window excludes a lot of those wavelengths, except when unintended consequences are in play. Midgley is a whole treatise on his own. Life generally depends on visible wavelengths as the source of high quality Gibbs free energy (delta G) to drive substantially all of the bioenergetics we see, aka food chain and with it food security. There are a few exceptions like the crazy archaea that live at hydrothermal vents. They'll be done when the radioactive heating of the earth stops in 20 billion years, long after the sun has changed character. No living system can survive the power law-governed disruptions to that energy supply chain without energy reserves.
At the low frequency end of the energy supply chain disruptions, we have asteroids and comets. You may choose to worship the vacuum-cleaner named Jupiter for you even being alive. The amount of Gibbs free energy for potentially powering the existence of intelligent life in stars is staggering. The only two or three requirements for a life form to evolve inside a star are 1) an information storage mechanism, 2) an energy storage mechanism, and 3) a replication mechanism for 1). Self-emergent order from intrinsic entropy maximization is an underlying reality across many systems, so the spontaneous emergence of order from thermal motion is expected in non-equilibrium systems like the sun. Bacteriorhodopsin can be seen as a pink color on the floor of your shower. It has been used as a prototypical (early) photosynthetic system to understand biological energy transduction. I think that the substance of it is an electronic energy transfer that is prevented from reversing by a molecular vibration. A sort of photon-activated trap door that produces something very similar to a charge-carrier pair in silicon PV. Preventing charge carrier recombination must be a critical design issue in solar PV. That may be an issue in the UV degradation. There should be various vapor/plasma depositions with transition metal or rare earth ions in silica that block energy in specific wavelength ranges.

@I'm walkin' on eggshells - Thanks for reviving the "inaudible sound" threat model. I may have fallen short of saying this is an instance of system identification, where we (or "they") seek to extract a transfer function from an arrangement of physical objects. An early multiparameter data extraction example is radar, where bearing, range, and various aspects of wavefront can be extracted from the return signal. The term transfer function can be read as tensor, rather than the simpler vectors that would be used in a Bode plot. I don't think that we've seen a single comment from anyone on the insights that they gleaned from The Secret History of Silicon Valley and The Pentagon Wars.

The most powerful countermeasure for the audio threat model is to intercept the signals and paint a wildly different picture on them, before returning them for inspection. Speaking of which, one of my friends alerted me that he has a browser plug-in that will spawn a random search at random intervals throughout the day. The terms in it come from dictionaries and can include a cross-section of common maladies, consumer items and so on, so that your actual searches are obscured in a cloud of disinformation. "The plutonium comes in on the midnight flight from Kiev." and "We blow the bridge at dawn." were intentionally omitted from the dictionaries. I think that those gems showed up in the early 1990's at various forums. The audio diode that I suggested also can be used to study the hidden paths from other people's cell phones. We've touched on the hair-raising aspects where your voice prints on others phones can be used to serve adverts on your computer at a remove. It would be good clean fun to spoof a day of social chatter into someone's phone using an audio data diode and see what adverts come up on the owner's screens and all of their friends'. Then add a voiceprint from someone that they don't know and watch what happens. If that doesn't make the hair on the back of your neck stand up, you can't fog a mirror. There are more hidden feedback channels on the old blue marble than the most fertile imaginations can conceive.

@r - Thanks for bringing the new threat models to attention.

@Clive - Thanks for all of it. I am not trying to outClive you. And I didn't, in spite of the ideal combination of food, alcohol, magnesium and potassium.

JG4 August 20, 2017 9:46 AM


Just for the record, I'm looking for opportunities, probably on the one- to two-year timescale. It is two to fifteen years too early for NZ or Oz, although telecommuting would be interesting. South Asia would be interesting too, but I don't want to get in the middle of the geopolitical tussle between China and the US, which may be the defining event of the next 20 to 40 years. Ironic, because Oz and NZ are right in the middle of that tussle. Once you begin to see all of the hidden feedback paths, your life will be a lot more complicated. I'm willing to work on general security systems, but I am not interested in the peasant extermination programs or anything that directly supports them. It should be clear at this point that I'm a systems guy, with limited full-stack capabilities "from quarks to galaxies, dollars to donuts, neurochemistry to politics." I'm pretty good at troubleshooting systems, but it drives me nuts when the diagnostics weren't designed into the system and it is a closed black box.

the printing press democratized information in a way that was very disruptive to some deeply entrenched interests

https://www.nakedcapitalism.com/2017/08/postal-system-printing-press-transformed-european-markets.html

https://www.nakedcapitalism.com/2017/08/links-82017.html
...[included for the system security and sensor system aspects]

Golden retriever discovers $85,000 worth of black tar heroin in backyard KATU (Re Silc). Good boy!

Thieves steal 20 tons of chocolate in German town Deutsche Welle

...[I include this for the tech company IT issue that Uber is one of the largest IT networks on the planet. There is a clear 1st Amendment right, including all of the antecedents back to the Magna Carta, to communicate a desire for a ride to anyone, anywhere. There is a clear right to communicate a desire for gifting a ride to anyone who is not on private property. What is missing is the go-between who authenticates identity, which opens the door for a feedback system. There is a clear right to engage in commerce at the individual level, perhaps with some limited government oversight. There is a right to give gifts that is not subject to government interference, almost at all. The most powerful level of oversight is the peer-to-peer feedback system that is quite similar to the trust engine that powered Ebay to fame, with the same communication and commerce rights. I'm open-minded on how this might all be regulated, but it does have the makings of a monopoly, which means that oversight will devolve into a revolving door through time]

Jeff Immelt has emerged as the frontrunner to become Uber’s CEO Recode (Hubert Horan)

...[they have to have some way to selectively block signals at the border; analogous to our need to secure the signals in our systems and in our minds. a secondary question to the need to observe signals at the border]

China

In charts: The rise and rise of China’s tech trinity FT

...

New Cold War

Large-scale Russian military exercises in Belarus feared to be set-up for Putin’s next conquest CNBC. Hoo boy.

Sweden is raising its military budget and reintroducing the draft amid Russia fears Business Insider

...[OODA; I seem to be doing a good job of not trolling political invective, but I intentionally steer away from politics in general]

Trump Transition

1 big thing: Bannon plots Fox rival, global expansion Axios

Ship Rudderless After Trump Drops Its Pilot Moon of Alabama. So I’m not the only one to be reminded of Kaiser Wilhelm II.

...[in case it hasn't become abundantly clear, the deep state use their surveillance of activists to disrupt the OODA loop of any organization or organization of organizations they perceive as a risk to the status quo. they even sought to disrupt MLK's internal OODA loop with the infamous letter. the persecution and assassination followed his public objections to the peasant extermination program in South Asia. speaking of assassinations by the deep state of people who stood in the way of the South Asia peasant extermination experiment, JFK said[1], "Those who make peaceful revolution impossible will make violent revolution inevitable." His comments on secret societies are fairly chilling in light of the cast of characters involved in the headshot. Secret societies are just more invisible feedback paths dedicated to maximizing their entropy, not yours.]

Beauty, Cooperation, and the Hadza Hunter-Gatherers The D&S Blog. Lysistratic non-action is #57 on Gene Sharp’s list of non-violent methods of protest and persuasion.

Dick Gregory, 84, Dies; Found Humor in the Civil Rights Struggle NYT. The jokes are better than the headline.

[1] John F. Kennedy Quotes - BrainyQuote
"Those who make peaceful revolution impossible will make violent revolution inevitable." - John F. Kennedy quotes from BrainyQuote.com
https://www.brainyquote.com/quotes/quotes/j/johnfkenn101159.html

Wael • August 20, 2017 9:47 AM

@JG4,

the Chinese proverb, "The beginning of wisdom is to call things by their right name."

Bamboo Curtain

CallMeLateForSupper • August 20, 2017 11:04 AM

Another article about the surveillance site at Pine Gap, Australia, with five more documents from the Snowden pile.

"The U.S. Spy Hub in the Heart of Australia"
https://theintercept.com/2017/08/19/nsa-spy-hub-cia-pine-gap-australia/

"Documents published with this article:
Pine Gap site profile
NSA’s intelligence relationship with Australia
Pine Gap classification guide
NRO SIGINT guide for Pine Gap
M7600 & M8300 SIGINT guide"

book_review • August 20, 2017 11:08 AM

@Foxy
"I just wish browsers kept things simple and focused on speed and security instead of following the latest fad."

Does anybody want to discuss their experiences with
https://www.mozilla.org/en-US/firefox/focus/ or
https://en.wikipedia.org/wiki/Firefox_for_iOS or
https://en.wikipedia.org/wiki/Firefox_for_Android

iirc, Chrome on the desktop had a fairly unique browser fingerprint.

"There have been some articles about Mozilla/Firefox testing the waters about blocking "fake news" so you won't be able to visit sites freely, and that some questionable billionaire is going to fund the endeavor. What's going on with that?"
references please

book_review • August 20, 2017 12:21 PM

imo Fascinating
https://www.lrb.co.uk/v39/n16/john-lanchester/you-are-the-product , long article, for example
"Thiel’s $500,000 investment in 2004 was crucial to the success of the company. But there was a particular reason Facebook caught Thiel’s eye, rooted in a byway of intellectual history. In the course of his studies at Stanford – he majored in philosophy – Thiel became interested in the ideas of the US-based French philosopher René Girard, as advocated in his most influential book, Things Hidden since the Foundation of the World. Girard’s big idea was something he called ‘mimetic desire’. Human beings are born with a need for food and shelter. Once these fundamental necessities of life have been acquired, we look around us at what other people are doing, and wanting, and we copy them. In Thiel’s summary, the idea is ‘that imitation is at the root of all behaviour’."

Into the weeds with Assange, DNC, hacking, emails, potential pardons, Russia, gaining a seat at white house press briefings and so forth http://www.newyorker.com/magazine/2017/08/21/julian-assange-a-man-without-a-country I think JG4 posted a link to this long article above
https://www.emptywheel.net/2017/08/17/rohrabacher-cant-remember-talking-assange-pardon-with-trump-but-is-sure-trump-wants-mind-boggling-info-from-julian-assange/
http://www.washingtonexaminer.com/rep-dana-rohrabacher-will-consult-trump-before-giving-public-julian-assange-information/article/2631908

Huey Pilot • August 20, 2017 12:39 PM


@Clive and others - I am a lurker trying to figure out the heart of security. Can you tell us how to preserve privacy in posting here? By now our fate is sealed if/when policies go overt. I would be saddened to be "outed", as the liberal intelligentsia has lately pursued. They could tar and feather a man in public media for just about anything. And some of us have given them more than enough ammunition in our words. But we ought let the truth speak, while free men may still share it, for a single ray of sunshine may yet illuminate the entire dark cavern of the abyss into which humanity has sunk.

There is no longer any portion of the business cycle that rewards honest men. The frugal, the conservative, the disciplined, the risk averse – all are burdened by the ever increasing issue of more fiat currency. They are offered no protections from the banking industry or their government. No method exists for them to reliably save their labors today, for equal purchasing power tomorrow. Indeed, the banks and the govt collude to capture much of their stored wealth and enslave them with their plans and policies.

It is clear that we all now work for the bankers, even our government is beholden to them. They (the bankers) are compact in number, organized, and unified in purpose. Their primary objective is to stay in authority, and secondarily to gain ever more. Directly or indirectly they own much of the world's productive assets, major media, and politicians. They use their mastery of money to reward those who serve their purposes, with positions of greater power and authority. They draw favors from politicians, businessmen and media makers alike. They evolve, coordinate and disseminate their objectives through secret councils held throughout the world. These councils are run overtly as a variety of non profit non governmental organizations, existing ostensibly to serve for the benefit of human kind.

A network of central bankers around the world coordinate their activities to better enslave one another's nationals. Every bank embracing fiat currency is a member, whether wittingly or not. Each now challenges the other to further press their citizenry by devaluing local currency, and thus invigorating export sales of raw materials and finished goods of major corporations within that nation. It is a trade war wrapped in a fiat currency war, and we citizens around the world are all the victims/slaves serving it. There is no escape except mutual national collapse. And even in that it will be a stuttering collapse because with each shudder of the national currency relative to other, a surge of currency infusion will occur to purchase some of the now cheaper assets, restoring some wealth to the collapsing economy. While any measure of natural resources or productive labor remain in a nation, there is some wealth to be extracted, and thus some remaining lure for capital to acquire control thereof. Only total depletion, chaos and anarchy would repulse the infusion of capital. It will bring instead the infusion of war to decrease the population that no longer serves their needs and will be motivated if any natural resource remains.

We have therefore set ourselves up for a stuttering collapse, with no alternative destination than ever deeper impoverishment of the citizenry and government, as the bankers take more comprehensive control in their regions. We should be asking ourselves – is this an appropriate destiny for humankind? Do we now think that some elite group of bankers/financiers, holding sway over the nations and populations of the world, will deliver a better and more noble future for humanity? What is our objective, individually and collectively, for humanity? If we cannot agree on that, can we at least agree on what likely will not produce a favorable outcome – centrally concentrated control of all aspects of our existence? If opportunity and success is controlled by a hidden and unanswerable elite group, working behind the facade of representative democracy, all manner of policies destructive to our persons, our nations, and our environment may occur. The feedback mechanism of cause and effect, the meritocracy of reward for hard work services rendered, all can be altered by government policy as controlled by central banks, so that power and position is delivered by patronage and family, as it was in the days of monarchs.

Indeed now it is clear the governments are only agents working for the banks. They are the enforcement arm of the financial system – to burden with taxes or wage war, as their desires may dictate. We should look back at past wars with this new perspective and ask ourselves – were they really about irreconcilable ideological differences requiring war to resolve, or was it bankers fighting over control of the surplus of wealth which any nation or citizenry may produce?

Nick P • August 20, 2017 2:04 PM

New tool for catching vulnerabilities due to uninitialized memory in kernels that result in data leaks. Caught the old ones and a bunch of new ones. No false positives by design. Added to a compiler. These are the kind of tools I like seeing being developed.

Count Meeout • August 20, 2017 2:51 PM

@Nick

Awhile back I found somebody from gatech.edu was hacking my ip cameras, apparently through the router. I speculated a lot about that. Count me out of anything from GA Tech.

Nick P • August 20, 2017 4:12 PM

@ Count Meeout

That makes no sense. That some asshole behind a domain attacked you once doesn't mean you ignore security research from smart folks at the school. Additionally, you being unable to download and view a PDF without your box being compromised tells me you should improve your setup. Maybe look at it in a Linux LiveCD if nothing else to find it's just a research paper. Use muPDF since Marc Espie of OpenBSD recommended it here once as example of good coding for PDF readers. Use Chrome as the browser for its sandbox with surveillance being immaterial given you're downloading a public, academic paper. If you want to keep it, you can even run it by VirusTotal before storing it on your local HD.

ab praeceptis • August 20, 2017 4:35 PM

Who?

While I commend the OpenBSD people for their good intentions and their striving for better safety I wouldn't expect much from RETGUARD. Save-xoring the pointer at entry and re-xoring it again before return will hardly deter attackers who are sophisticated enough to enter that kind of game in the first place.
Quite frankly, I sometimes feel seeing desperation more than effective defense.

But again, and I mean that, I very highly value that the OpenBSD people at least damn seriously try and work hard to reach better safety (unlike the people behind a certain OS rhyming with "sucks" who don't care a dead toads a** about safety).

ab praeceptis • August 20, 2017 4:49 PM

Nick P

Thanks for pointing unisan out. Didn't know that one yet and from a glance both over the paper and the source, I'm rather pleased - by unisan and the thoughts and work behind it, that is.

However - and that's an ugly "but": (right from the paper)

To summarize, leaking padding bytes is a serious problem for three reasons. First, it is prevalent. Compilers frequently introduce padding for better performance. Padding is even more prevalent when porting programs from 32-bits to 64-bits platforms. ...
Third, it is often not visible to developers. ... from the developers’ perspective, they have properly initialized the data structures and this type of leak is hardly visible even to skilled programmers. On the other hand, from the compilers’ perspective, they have the benefit of not proactively initializing such padding regions to achieve better performance, because this design decision can be independently made by each compiler according to the C/C++ specification.

In my world that's worth more than 1 death sentence. How brain-dead and stubborn must the C/C++ people and those be who still think that writing sensitive core stuff in C/C++ is somehow acceptable?

So, it's the compilers, i.e. the implementors decision? Great. In other words: developing in C/C++ isn't just an ambiguity trap. It's bloody lottery gaming.
Just imagine! You properly initialize your variables and the #§@@!! C/C++ lottery wheel called "compiler" pads your data and leaves its turd uninitialized!

As much as I like unisan I can't but clearly state that it shouldn't be necessary in the first place. And: Any language (incl. standard tools) that is not clearly, fully, and unambiguously specified is simply not acceptable.
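The padding leak quoted from the paper in the comment above, as an added example that is not part of the original comment and not unisan's code: every member of a structure is set, yet the padding the compiler inserted still holds whatever was in memory before, until the whole object is zeroed first. `struct reply`, the `0xAA` stale marker and all function names are assumptions made for illustration; C leaves padding values unspecified after a member store, so the counts reflect what mainstream compilers do in practice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xAA /* constructed marker standing in for leftover sensitive data */

/* Hypothetical reply structure (not from the paper): the compiler pads
 * after `tag` to align `value`, and after `flags` to round up the size. */
struct reply {
    char     tag;
    uint64_t value;
    uint16_t flags;
};

#define MARK(map, member) \
    memset((map) + offsetof(struct reply, member), 1, \
           sizeof(((struct reply *)0)->member))

/* map[i] == 1 where byte i belongs to a member, 0 where it is padding. */
static void member_map(unsigned char *map)
{
    memset(map, 0, sizeof(struct reply));
    MARK(map, tag);
    MARK(map, value);
    MARK(map, flags);
}

/* Number of padding bytes the compiler added to struct reply. */
size_t padding_bytes(void)
{
    unsigned char map[sizeof(struct reply)];
    size_t i, n = 0;

    member_map(map);
    for (i = 0; i < sizeof map; i++)
        n += (map[i] == 0);
    return n;
}

/* Return memory that still holds old contents, as reused stack or heap would. */
static struct reply *stale_alloc(void)
{
    void *mem = malloc(sizeof(struct reply));
    volatile unsigned char *p = mem;
    size_t i;

    if (mem == NULL)
        abort();
    for (i = 0; i < sizeof(struct reply); i++)
        p[i] = STALE;
    return mem;
}

/* Copy the object out byte for byte, as a copy across a trust boundary
 * would, and count padding bytes that still carry the stale marker. */
static size_t stale_padding_seen(const struct reply *r)
{
    unsigned char out[sizeof(struct reply)], map[sizeof(struct reply)];
    size_t i, n = 0;

    memcpy(out, r, sizeof out);
    member_map(map);
    for (i = 0; i < sizeof out; i++)
        if (map[i] == 0 && out[i] == STALE)
            n++;
    return n;
}

/* "Properly initialized" from the developer's point of view: every member set. */
static void fill_fields(struct reply *r)
{
    r->tag = 'A';
    r->value = 42;
    r->flags = 1;
}

/* Member-wise initialization only: padding keeps the old bytes. */
size_t leak_fieldwise(void)
{
    struct reply *r = stale_alloc();
    size_t n;

    fill_fields(r);
    n = stale_padding_seen(r);
    free(r);
    return n;
}

/* Manual mitigation: zero the whole object, padding included, then fill it. */
size_t leak_memset_first(void)
{
    struct reply *r = stale_alloc();
    size_t n;

    memset(r, 0, sizeof *r);
    fill_fields(r);
    n = stale_padding_seen(r);
    free(r);
    return n;
}

int main(void)
{
    printf("sizeof(struct reply) = %zu, padding = %zu\n",
           sizeof(struct reply), padding_bytes());
    printf("stale padding bytes, member-wise init: %zu\n", leak_fieldwise());
    printf("stale padding bytes, memset first:     %zu\n", leak_memset_first());
    return 0;
}
```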

65535 • August 20, 2017 6:20 PM

@ Huey Pilot

It’s both technical and practical. There is no silver bullet solution. One of the biggest problems is operational security [OPSEC]. That is “loose lips sinks ships” and all of that. If your OPSEC is blown you are done. Then there is the technical side such as using Tor, secure email, secure messaging, and minimal uses of “smart phones” and “nest devices” and so on. This blog is full of technical items. You need to determine your security posture and do the best to complete that security task. Have to have at it.

Gerard van Vooren • August 21, 2017 1:08 AM

@ ab praeceptis,

So, it's the compilers, i.e. the implementors decision? Great. In other words: developing in C/C++ isn't just an ambiguity trap. It's bloody lottery gaming.
Just imagine! You properly initialize your variables and the #§@@!! C/C++ lottery wheel called "compiler" pads your data and leaves its turd uninitialized!

You are right about C. I don't know about C++ but that's probably the same. The problem is that C today relies on external tools, all written by different people and stored on different places, so they aren't all well known and of mixed quality, to "get it right". The best way to deal with it is to "just update the standard" to deal with this history once and for all but thanks to all the invested money behind it that just won't happen.

The more you learn about the practices of the software industry... I leave the rest of that line to myself.

So I just point out the article written by Prof Wirth again. A plea for lean software

ab praeceptis • August 21, 2017 1:43 AM

Gerard van Vooren

I'm not even so much pi**ed by the uninitialized data but by the mindset behind it. We had decades of painful experience and more than enough bugs, vulnerabilities, invitations to spooks, etc along the path ... and they still have that same ignorant debile mindset? As far as I'm concerned I call it criminal how they act.

Wirth? You are, of course damn right but what's the wise advice of people like Wirth or Dijkstra worth in a looney bin full of utterly ignorant "cool hackers"? Damn, I'm starting to wonder whether we'll sooner or later need guns and plenty ammo to cure our professional field.

We *know* about it. Everyone with a brain (which obviously excludes millions of cool C hackers) has understood since long that any not necessary complexity is a potent and dangerous enemy, that readability is *much* more important than some keystrokes saved when coding, etc. People like Wirth and Dijkstra have written plenty about it; it's not like that would somehow be secret well hidden wisdom - yet almost always when the name Dijkstra comes up it is usually accompanied by the oh, so funny remark about nano-Dijkstra being the unit of arrogance.

Now I'm angry enough to frankly respond: It's just normal that mindless incompetent cretins perceive a man like Dijkstra as arrogant.

keiner • August 21, 2017 3:44 AM

"Old" saying:

Niveau sieht nur von unten aus wie Arroganz

(Competence looks like arrogance only from bottom up)

:-)

Wesley Parish • August 21, 2017 5:25 AM

@Clive Robinson

Thanks for that discussion of rhodopsin (visual purple). Now I'm wondering how the rhodopsin "excites" the nerve cells. Guyton gives a systematic overview of the nervous system in his Basic Neuroscience: Anatomy and Physiology, but he never mentions just how various nerve extremities "log" the phenomena they "observe". (You do know the nervous system runs on a heady mix of potassium and sodium, don't you?) (I am using "excites" in its technical capacity.)

JG4 • August 21, 2017 6:24 AM


@Clive - The first one's a followup to our exchange.

http://www.zerohedge.com/news/2017-08-20/video-emerges-showing-clashes-between-indian-chinese-soldiers

It always comes back to the same question on the old blue marble of entropy maximization, "What are the highest and best uses of resources?" The usual approach to answering that question has been war (a remarkably effective method of entropy maximization, by the way), but we could hope to do better in the future, by adopting lower cost resolution mechanisms. Artificial intelligence springs to mind. We have to be careful, because the winner is the one who programs it. You want that to be managed very carefully to capture the widest cross-section of benefit. That is light-years from where we are now.

http://www.businessinsider.com/top-artificial-intelligence-companies-plead-for-a-ban-on-killer-robots-2017-8

I'd like to tie this into the free speech analysis that I didn't link yesterday, because it goes to the heart of the projected intent issue. Don't have time now, but the interested reader can work out the parallels. The portion of speech that is not protected could be defined as harms. It is easy to think of code as speech. If any harmful speech can be regulated, then any code that is harmful is not protected from regulation, and preferably deletion.

https://www.nakedcapitalism.com/2017/08/debunking-myth-free-speech.html

This makes full circle to the "right to repair," because if the code in my device is causing harm, I have a right to fix it. It also touches on the right to self defense in the ongoing surveillance assault that is largely hidden.

https://www.nakedcapitalism.com/2017/08/links-82117.html
...
Insider trading schemes using encrypted apps alarm FBI FT. Oh come on. Insider trading?! Why not RICO?

Supreme Court asked to nullify the Google trademark Ars Technica

Are your Google search results another kind of filter bubble? The answer seems to be: Kind of Nieman Labs

How secure is your car? Unpatchable flaw lets attackers disable safety features ZDNet

...
Imperial Collapse Watch

The Neocons Are Pushing the USA and the Rest of the World Towards a Dangerous Crisis The Unz Review (CL). Fun stuff.

Senior officer on damaged ship to be relieved of command AP. The USS Fitzgerald.

10 missing after US Navy destroyer collides with merchant ship off Singapore ABC. Like the USS Fitzgerald, a destroyer, based in Yokosuka, in the 7th Fleet. “Chatfield, there seems to be something wrong with our bloody ships today.”

keiner • August 21, 2017 7:46 AM

@Wesley P

..usually transmission of information is via coupled, transmembranous receptors.

"Rhodopsin is a biological pigment found in the rods of the retina and is a G-protein-coupled receptor (GPCR)."

and

"The product of light activation, Metarhodopsin II, initiates the visual phototransduction pathway by stimulating the G protein transducin (Gt), resulting in the liberation of its α subunit. This GTP-bound subunit in turn activates cGMP phosphodiesterase. cGMP phosphodiesterase hydrolyzes (breaks down) cGMP, lowering its local concentration so it can no longer activate cGMP-dependent cation channels. This leads to the hyperpolarization of photoreceptor cells, changing the rate at which they release transmitters."

https://en.wikipedia.org/wiki/Rhodopsin

The input from receptors can be different (pressure, temperature, light), the outcome (G-protein reaction) is mostly generic...

vas pup • August 21, 2017 8:45 AM

@Bruce: new research on risk taking by teens.
That may explain their hacking activity as well (at least partially)

https://www.sciencedaily.com/releases/2017/08/170816122345.htm

A popular theory in neuroscience proposes that slow development of the prefrontal cortex explains teenagers' seemingly impulsive and risky behavior. But an extensive literature review finds that much of the evidence for that theory misinterprets adolescent exploratory behavior as impulsive and that much of what appears to be impulsivity is behavior that is often guided by the desire to learn about the world.

Ducks on the Pond • August 21, 2017 9:17 AM

@JD4
“Senior officer on damaged ship to be relieved of command AP. The USS Fitzgerald.
10 missing after US Navy destroyer collides with merchant ship “Chatfield, there seems to be something wrong with our bloody ships today.”
Not the ships, it's the personnel!
Once again an American destroyer was taking part in combating China’s new man-made islands. The Chinese are aggressively expanding to rule the World. Probably China’s most aggressive critic was Steve Bannon. With him gone they have free rein in the White house too.
All we have left is a Navy who is obviously facing a superior stealthy guerrilla force. It's like those horror movies Final Destination where deadly ‘accidents’ pick off one after the next. With such incompetent commanders I would not have my son join the Navy as they don’t stand a fighting chance. It's a new Pearl Harbor but in slow motion.
The choice of weapons are trucks on land and ships at sea. Is there distracted driving on the seas? Are smart phones allowed while on duty?

Sockonit • August 21, 2017 11:43 AM

@JG4, thanks for the link to Naked Capitalism sinking further into irrelevance. Naturally they join the mass hysteria to censor chubby right-wing sad sacks. Shows that hallmark of Ivy League indoctrination, fixation on US municipal law, oblivious to the USG's effort to squirm out from under binding state commitments and obligations.

The US already has hate speech restrictions in its supreme law: ICCPR Article 20. But CIA moles at State tried to gut them with a legally-void 'ratification package.' Why? Because restrictions would overwhelmingly affect the US state war propaganda that is ubiquitous in the Mockingbird media. Article 20 might affect a bit of what Unite the Right says. But it would wipe out the current content of the NYT, the Post, Time, AP, along with most State Department public statements. Because it's wall-to-wall war propaganda - Which wogs should blow up? These wogs, or those wogs, or those Russian animals, or wily orientals?

The rules are not rocket science, unless you're brainwashed Harvard tool or a past-it autodidact.

http://www.ohchr.org/Documents/Issues/Opinion/CCPRGeneralCommentNo11.pdf

http://www.ohchr.org/Documents/Issues/Expression/ICCPR/Vienna/CRP7Callamard.pdf

It's the best litmus test for idiots: anybody who mobs lonesome nazi wannabes but takes government war propaganda for granted - idiot. Only one of those things is a SERIOUS threat to peace and ordre public. Only one is banned in law.

Nick P • August 21, 2017 12:03 PM

@ esp Clive Robinson, Wael, RobertT, and the guy building PCB's in bedroom

Inside a RAM chip, I found a counterfeit

This is really neat for the pictures and analysis. Especially how a few of the components aren't even wired to the power and ground, using substrate instead. The analog tricks are neat for people who rarely see that stuff. The bigger question is who was spending the fab money to clone an ultra-low-volume part that goes for $1 on eBay. Hell, just the packaging cost I see on shuttle runs (likely technique for cloners) is usually $10+. Talk about getting nickel-and-dimed. ;)

@ Programming Language fans

Probably the most interesting papers I've seen in a long time is on Noether language by Daira Hopwood:

Noether - Symmetry in Programming Language Design

How to Make Error Handling Less Error Prone

I'll start with error handling one since regular programmers might appreciate that one. Don't need to be a language expert. I think you'll find the section on restarts/rollback, claiming it can be done efficiently Prolog-style, to be very interesting. She also understands this stuff in a deep way that she presents understandably piece by piece. Even the type system stuff uses programming notation in some cases where it's not gibberish. She's very impressive.

Then, the Noether paper confirms my intuition about that. Like Dijkstra or Paul Karger (high-assurance), she uses layering to build a language ground up in pieces similarly to what I proposed a few years ago. Starts with limited, easy-to-verify language working up adding a justifiable increase in power at each step with increase in difficulty of analysis. You use just what you need. She keeps the whole thing amazingly consistent. Result is a strongly-typed, object-capability, parallel, concurrent, and optimizable design. As in other paper, she explains each in isolation in depth that's not too over head of readers like most papers on formal verification or type systems.

Currently, she just has alpha implementations in Idris language since she's mostly doing the design. Anyone looking for a practical language for secure, distributed programming should check out Pony Language since it's got quite a bit of momentum right now. Already being used in production, too, I think. I'm not endorsing it as I didn't look at it deeply. I just see a new submission on it every week.

Who? • August 21, 2017 2:25 PM

@ ab praeceptis (Re: RETGUARD)

I think RETGUARD is an effective mechanism. You need to know either the return address (you do not know it; this is the very reason for having RETGUARD) or the stack pointer.

If you can defeat RETGUARD you have a way to leak arbitrary memory, at the attacker's choice, which is worse. Do you think canary values are useful in protecting against buffer overflow attacks? This one is not easier to defeat!

Think on RETGUARD as another security layer.

Major • August 21, 2017 2:43 PM

The squid video is creepy, specifically the researchers laughing at the death struggles of the poor little squid. Of course, life in the wild is hard, but laughing at misery? These are scientists? It's poor advertising for the NOAA.

Sancho_P • August 21, 2017 4:56 PM

@Nick P, re counterfeit

”The bigger question is who was spending the fab money to clone an ultra-low-volume part that goes for $1 on eBay.”

Probably no one, likely it was a production (labeling) failure.

Huey Pilot • August 21, 2017 8:22 PM


65535 - Acknowledged.

further observations on the surveillance state

I watched the trash and recycle truck pull up to my home this morning. We are using the new big bins that get mechanically coupled to and then lifted/dumped into the truck.

I wondered how they catch people who are putting the wrong things in the wrong bins, or worse, dumping illegal trash. The guy barely looks as he couples the bin to the truck and flips the lid open. And even then he is only looking at the top.

And then I saw it. Strapped to a back of a panel on the truck way up high over the dumping location.

I watched as the truck proceeded down the street. The little red and green lights blinked and a flash fired a short while after every time the bin reached the top and the trash or recyclables were dumped upon the pile.

It is a box which records every toss of trash, reads the bar code on your bin, and time/date/location/ident stamps each image so they know who to go back to!

Pretty soon we will need a license and a permit, with fees paid, to scratch our ass.

65535 • August 21, 2017 10:42 PM

@ Huey Pilot

Yes, security is a balancing act that constantly has to be readjusted.

Your observations on the high speed cameras on garbage trucks are exactly correct. I have heard of people being fined for dumping dead animals, building materials, and even the contents of clogged toilet pipes in their garbage bins via those cameras.

Cameras are widespread. They are used in toll roads, automatic license plate readers, radar traps, various retail stores [Walmart being one of the larger offenders], airports, facial recognition devices, cell phones and databases.

Digital security or digital insecurity is everywhere. Welcome to a world of being targeted, tracked and recorded. This is one of the aspects of digital abuse discussed on this blog.

ab praeceptis • August 22, 2017 1:11 AM

Nick P

I disagree. I remember earlier looks at the Noether language that left me quite disinterested. Now again my impression is that dr (daira hopwood; I reference him/her/it by 'dr' to avoid the 60+ genders plus correct words about which I know nothing and am determined to keep it that way) likes to tinker, which is fine and possibly even interesting for some but, at least till now, utterly useless.

Starting a paper or presentation with a political statement re ferguson might be considered cool in certain circles; I, however, react simply by closing the window. My summary: noether is and will stay utterly insignificant and not worth a closer look.

As for pony, that's an interesting attempt, indeed, but of very little value so far and all but certainly that won't change. Not only due to the six attributes and a whole lot of housekeeping and boilerplate around them (although quite sufficient for most developers with actual work to do) but also because there is almost no "world" around it (editor/ide support, libraries, etc.). Finally, it's simply almost not needed. The mindless will keep using nodejs, the more serious ones will use go (whose only noteworthy achievement and imo worth is its simple concurrency and parallelism), or even Modula-2, or any of some other languages but with some library (like libev).
To avoid misunderstandings, I like pony, I think it's an interesting and potentially promising approach but one that is all but unusable and anyway too complicated and burdensome for most projects (and way too much focussed on (interesting) experiments rather than practical use).

Clive Robinson • August 22, 2017 2:47 AM

From Drone to fly on the wall

Anyone who has played with toy drones knows that the "copters" don't stay up for long due to power limitations, and that whilst fixed wing drones can stay up for much longer, they can not hover.

As most people know birds have solved this problem many millennia ago. They swoop in and stall in the air just as their feet make contact with a branch or similar. Simply putting up a bird feeder in your garden will let you see this over and over. Ye call it "perching".

However few birds can do what insects do so easily which is to perch on a wall.

Well some academics have decided to turn fixed wing drones into fly on the wall perchers with some success,

http://spectrum.ieee.org/automaton/robotics/drones/reliable-perching-makes-fixedwing-uavs-much-more-useful

This brings the possibility of a new dimension in surveillance. Whilst flying and hovering make visual surveillance a lot easier, sound is usually impractical due not only to engine noise but wind rush noise and turbulence.

A small perching drone will be ideal to place microphones in places to overhear or eavesdrop on conversations both outside and inside buildings.

r • August 22, 2017 5:12 AM

@Clive,

RE: perching,

Looks like MIT is finally resurfacing 10? years later.

Some of the pictures might even be being reused not sure if ieee is to blame or another entity... If i ever get systems back up (backup) did you ever see the raptor/feline claw mechanism? This must be a refined sensor...

I'm missing the powerline lz stuff.

JG4 • August 22, 2017 5:41 AM


@Clive

Not to bust your balls, and you probably know all of this, and more. The copter vs. fixed wing tradeoff is both a power and energy issue. The physics is straightforward. One conceptually elegant path to derive it is by looking at the mass of air and the acceleration it receives from the wings, whether fixed or rotary. In both cases, we will balance gravity with a force generated by accelerating air downward. In the first iteration, we ignore drag and consider only the energy used to accelerate the air. The smaller the amount of air moved, the faster it will have to be accelerated to obtain the same momentum change, which is proportional to force, which is the flipside of lift and payload. But the energy expended is proportional to the square of velocity. The copter drone acts only on a small column of air in the rotor sweep, accelerating it to quite high velocity. The resulting energy consumption is much higher for the same payload. In forward flight, the helicopter rotor blades start to act somewhat like fixed wings and the power consumption goes down. It must be impractical to have a counter-rotating dual-rotorhead system that stops spinning in forward flight, because the centrifugal force is used to keep the blades roughly level. Another approach for transitioning from helicopter physics to fixed-wing physics is the V-22 Osprey. Not sure how many bodies were buried in that project, but it's more than a few. A fixed-wing aircraft acts on a much larger volume of air, which is proportional to the forward speed. The flipside of the Bernoulli principle, which produces lower pressure on the upper surface of the wing, including rotor blades, is that the air at the trailing edge of the wing has been accelerated downward. Continuing to ignore the drag issues, as we make the wing very long, like a U2, the volume of interested air becomes very large. Then the wing curvature can be adjusted to minimize the downward acceleration of air, and the energy consumption becomes very small. We express this in terms of glide ratio. I recall that the glide ratio of the U2 and similar wing/aircraft shapes is in the neighborhood of 40:1. Boyd called these tradespaces energy-maneuverability diagrams and the concept is widely applicable from animals to automobiles and even CPUs. The parameters shift to bioenergetics, to road forces to mathematical function spaces along that particular series. Energy-maneuverability diagrams are one of the keys to making aircraft fit for purpose. Apparently, the ability to make aircraft fit for purpose declines at the end of empire, as the perverse feedback paths sap more and more integrity out of the system.

JG4August 22, 2017 6:52 AM


I'm including the link to power grid as an element of computer security. Yesterday I spent a couple of hours transporting and installing 1500 pounds of lead-acid batteries into the Swiss national security infrastructure. There is a lot more to say on this topic, but I have only transiently touched on it in the past. We will use the codephrase Starfish Prime to refer to this topic.

I already forgot who trolled me about NakedCapitalism, but it was entertaining. Fair enough, the old money in the US started with smuggling (Sam Adams?) and very quickly devolved into the slave, rum and sugar trade. The old money still are doing very well with all three trades (each one a long and tedious rant on its own). The Evil Genius Lee Atwater and his Mentor Evil Genius The Oxygen Thief made many billions for the old money by using the Willie Horton advertisements to put millions of blacks in for-profit prisons. Whaling overlapped the triangle trade, and the opium trade replaced whaling. Was the Civil War good for the opium business? The Kennedy clan got their entrée into serious money when the US decreed that the tide may not rise, on a planet where any sugar left out begins to ferment on its own. The Black Sheep's time at Harvard is a case study in how money distorts reality. You can't consider any security question without including the money and power involved, and the conflicts of interest that they bring into the picture. The Huey Pilot touched on "the money power" recently, without naming it.

It took me a few more seconds after posting yesterday to say wtff? My first suspicion was that the two Navy collisions were the result of GPS spoofing by a rising superpower, but they may involve hacked navigation and/or control systems. I'm disappointed that no one here was paranoid enough to suggest the possibility, or I missed it. Take a look at the names of the ships and the timing. Wasn't the inquiry of the first concluded on Friday? There is a powerful message in play, mark my words.

@Clive - Thinking hinky. Betraying trust may be the most profitable trade ever conceived, at least until the hemp tightens. Ben Hunt did a brilliant series on game theory in financial markets. He touched on the Corleone family and why they had to dump Freddy in the lake. A brilliant explanation of the threat model in information security.

Think Like A Corleone
http://www.zerohedge.com/news/2017-08-21/think-corleone
If you are offered a choice between having your tuition and expenses paid at a top of the line business school, or buying with your own money Mario Puzo’s The Godfather (the book and the movies, Parts One and Two) choose the latter. You’ll find them far more useful than the MBA.
Americans are frequently condemned for obliviousness to the lies and depredations of the people who rule them. Much of the condemnation is merited, but the obliviousness is also a vestige of a better time. The best gauge of a society is truth: its prevalence and how it’s treated.
...[just like the Irish, but we got a new start in the US]
History is replete with such instances. Sicily has been ruled by a long line of outside powers. Starting in the late 1800s, the Mafia became the embodiment of the inverted morality that takes hold among tyrannized and brutalized peoples. That morality does nothing to advance the general welfare; it doesn’t promote prosperity or progress. It only allows the subjugated to survive.
...[Google is the greatest information extraction engine ever conceived. the more money you have and the more money you want, the more psychopathically you will behave.]
Probably 20 percent of Americans will tell you their life stories in a grocery store checkout line, and 50 percent over a cup of coffee. Many trade information about themselves as freely as they trade their money for groceries or coffee. Ask those who have escaped life in a totalitarian regime about it and they will marvel at the foolishness.
The oppressed learn to trust no one other than those who have demonstrated they deserve to be trusted, usually family or long-time friends. In response to disclosures that the government is monitoring them 24/7 and knows virtually everything they do and say, many Americans breezily assert that they’re not worried; they have nothing to hide. Behind omerta was the Sicilian peasant’s reality that any information, no matter how trivial or innocuous, was a weapon that could be used against him by the hostile and corrupt regime. American openness and trusting insouciance is quaintly naive—anachronisms from a better time—and pitiably foolish.
...

onto the daily news dump

https://www.nakedcapitalism.com/2017/08/links-82217.html
...[codephrase Starfish Prime]
US power grid passes a test as eclipse reduces solar generation Financial Times

Third party trackers on web shops can identify users behind Bitcoin transactions HelpNetSecurity

...[cross-disciplinary skills are a good idea. just for the record, I am a polymath]
Does the world need polymaths? BBC. IMHO, yes. I’ve seen way too many experts who are dangerously blinkered. Economists, who overwhelmingly refuse to learn from other social sciences, are prime examples. Being cross disciplinary is very valuable, even if you don’t rise to the level of expert in your secondary fields of interest.

...[they got the message]
Imperial Collapse Watch

Pentagon orders temporary halt to US navy operations after second collision Guardian

We Asked an Expert Why America’s Naval Vessels Keep Crashing Vice (resilc)

Big Brother Is Watching You Watch

iPhone 8 3D face recognition system will be faster than current tech, to work in ‘millionths of a second’ PhoneArena. I am at a loss to understand how users can see having biometrics in their phones as a good feature, particularly since Apple also pushes users to synch their devices to iCloud.

...[spot on IT security]
Very Strange Indictment of Debbie Wasserman Schultz’s IT Scammers National Review. Expat flags the last paragraph:
…the indictment is an exercise in omission. No mention of the Awan group’s theft of information from Congress. Not a hint about the astronomical sums the family was paid, much of it for no-show “work.” Not a word about Wasserman Schultz’s keeping Awan on the payroll for six months during which (a) he was known to be under investigation, (b) his wife was known to have fled to Pakistan, and (c) he was not credentialed to do the IT work for which he had been hired. Nothing about Wasserman Schultz’s energetic efforts to prevent investigators from examining Awan’s laptop. A likely currency-transportation offense against Alvi goes uncharged. And, as for the offenses that are charged, prosecutors plead them in a manner that avoids any reference to what should be their best evidence. There is something very strange going on here.

...[the security implications of n x 100 million guns is fairly obvious. just for the record, guns don't kill people, bullets do]
Ambushed Ohio judge shoots gunman dead outside court BBC. Only in America….

...[included in response to the trolling]
Capital at 150: History in Capital and Capital in History Defend Democracy

Bob PaddockAugust 22, 2017 7:27 AM

Dinshah P. Ghadiali worked for 46 years to get people to pay attention to how color affects one's health. See the 12th edition of the book Let There Be Light that explains the spectro-chrome therapy system, which involves exposing problem areas of the body to different wavelengths of colored light.

Should be interesting with today's technology of easy to change colors.

Also, as far as blue light affecting the circadian rhythm, can we now make the time suspending weapon from the cult classic Sci-Fi movie "LOOKER", 'Light Ocular Kinetic Emotive Response', a reality?

JG4August 22, 2017 7:42 AM


@Bob Paddock - Thanks for continuing the discussion of health implications of LED lighting and related topics. Someone makes a dazzler that projects a disturbing combination of colors, brightness and flash intervals. There's no point in having secure computers if your body is out of balance from chemicals, fake news or flashing lights.

One of my comments is held up in moderation, so this may look out of sequence.

Talk about money, power and conflict of interest, I'd like to see fair and speedy trials for these bad actors, followed by speedy and fitting punishments. Long futures in popcorn, torches, pitchforks, tar and feathers.

WikiLeaks Outs 6 Republicans Bribed By Clinton - YouTube
WikiLeaks releases the name of 6 GOP who are on the payroll of Hillary Clinton. References ... WIKILEAKS OUTS 6 REPUBLICANS BRIBED BY CLINTON TO DESTROY ...
https://www.youtube.com/watch?v=TQFOq9pUifw

I should have suggested file under "getting the threat model right"
http://www.zerohedge.com/news/2017-08-21/think-corleone

two drones in four days may be a potent message from that superpower or another. file under communication security and navigation security. I think that I was clear that resilient systems have multiple backup systems for critical inputs to critical processes. it's relatively easy to back up GPS with inertial navigation and radar navigation, in much the same way that you'd vote three processors running different code on the same or different sensor inputs. that's why I prefer the Swiss approach to the US approach. it comes at a cultural price of rigidity in thinking, and I'm not sure how well that part will work out.

http://www.zerohedge.com/news/2017-08-21/back-back-us-drone-crashes-turkey-come-amidst-severe-strain-between-nato-allies
...
Two United States MQ-1 Predator drones have crashed in Turkey within four days, possibly cutting the Air Force's operational fleet of drones at NATO's main Turkish base down to half.
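The cross-check mentioned in the comment above (GPS backed up by inertial and radar navigation, with the sources voted against each other) can be sketched as follows. This is an added example, not part of the original comment; the source names, the 130 m tolerance and the track data are constructed assumptions.

```python
import math
from itertools import combinations

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) fixes in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def vote(fixes, tolerance_m):
    """Vote independent position sources against each other.

    fixes: dict mapping source name -> (lat, lon).
    A source is trusted if at least one other source agrees with it within
    tolerance_m; a source that disagrees with every other one is an outlier.
    Returns (fused_position_or_None, sorted_outliers, status).
    """
    peers = {name: set() for name in fixes}
    for s1, s2 in combinations(fixes, 2):
        if haversine_m(fixes[s1], fixes[s2]) <= tolerance_m:
            peers[s1].add(s2)
            peers[s2].add(s1)
    trusted = sorted(name for name, agreeing in peers.items() if agreeing)
    outliers = sorted(name for name in fixes if name not in trusted)
    if not trusted:
        return None, outliers, "NO_QUORUM"  # nothing corroborates anything
    fused = (sum(fixes[n][0] for n in trusted) / len(trusted),
             sum(fixes[n][1] for n in trusted) / len(trusted))
    return fused, outliers, ("OK" if not outliers else "DEGRADED")


def constructed_track(steps=10):
    """Constructed sample data: a vessel heading north along lon 103.8.

    INS drifts slowly, radar has a small fixed bias, and from step 3 onward
    the GPS fix is pulled east by a growing offset (a simulated spoof).
    """
    track = []
    for k in range(steps):
        true_lat, true_lon = 1.2 + 0.001 * k, 103.8
        spoof = 0.0005 * max(0, k - 3)  # degrees of longitude
        track.append({
            "gps": (true_lat, true_lon + spoof),
            "ins": (true_lat + 0.00002 * k, true_lon),
            "radar": (true_lat, true_lon + 0.0001),
        })
    return track


def first_rejection(track, source, tolerance_m):
    """Index of the first step at which `source` is voted out, or None."""
    for k, fixes in enumerate(track):
        _, outliers, _ = vote(fixes, tolerance_m)
        if source in outliers:
            return k
    return None


if __name__ == "__main__":
    for k, fixes in enumerate(constructed_track()):
        fused, outliers, status = vote(fixes, 130.0)
        print(k, status, outliers, fused)
```

On the constructed track the GPS fix is only voted out at step 6, three steps after the offset begins: a pull that stays inside the tolerance is averaged into the fused position, so the tolerance bounds how far a slow drift can move the solution before the vote catches it.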

Bob PaddockAugust 22, 2017 1:32 PM

@Milo M.

"The use of colored lights would have no effect on health,” the FDA concluded, ". [October 1946] ..

Lots of things I can say here about the FDA but I won't...

lttsAugust 22, 2017 3:43 PM

Does anybody know any good web resources for low-tech tech-support ("'ltts'") consulting issues from a provider's perspective. By low-tech I mean basics like help with email, phones, tablets, computers (Operating basics (macOS, Windows, Linux), migrating OSs, help with some applications like LibreOffice, basic networking and routing, security basics, and general tech support for individuals or, potentially, small businesses. In other words, I am interested in learning about things like:
) written agreements for ltts
) written agreements for ltts related classes or group tech support
) marketing stuff
) providing remote support
) general business related topics for sole proprietors
) checklists for individual tasks (like changing OSs or start-up with a new device)
) trade-ins or supplying new or used hardware

I would like a no cost blog, website, or whatever, with good anonymity to try to not re-invent the wheel. Regardless of cost or anonymity I am interested in what web resources users of this blog might recommend.

Currently I am cobbling together a short draft written agreement for use in the USA. Regardless, I will probably post it here in the near future for feedback.

Mall MosquitoAugust 22, 2017 4:05 PM

@ltts

low-tech tech-support ... basics like help with email, phones, tablets, computers (Operating basics (macOS, Windows, Linux), migrating OSs, help with some applications like LibreOffice, basic networking and routing, security basics, and general tech support for individuals or, potentially, small businesses.

What you have described is a very difficult area. I hold a bachelor degree in computer science, and while I understand the desire to go back to the basics with "low-tech tech support," the applications you describe (in widespread mainstream use) are extremely fragile and depend very much on "high" technology built on layer upon layer of shoddy work in fundamental low-level computer programming.

There is no low-tech defense against high-tech enemies. The trouble with your "basic networking and routing" in particular is that the part of that industry which caters to the needs of individuals and small businesses depends heavily on vendor-specific "certs" etc. and has been shunted over to "blue-collar" workers who are not supposed to be aware of the fundamental shoddiness of the underlying "white-collar" computer work on which it all depends.

To even use a term like "low-tech tech-support," security and propriety have fallen by the wayside, and the Mafia is not far away.

Mall MosquitoAugust 22, 2017 4:19 PM

You know, I just don't like men who call themselves virgins, and that "low-tech tech support" idea really rubs me the wrong way. We have all been using computers for many years now, and we are all well aware of the unsavory activities that take place online. It's the same old dictatorship of the proletariat that I've been harping on. A carefully cultivated low-brow bar scene versus the high-brow intellectuals who are having trouble staying sober at the coffee shop.

Dirk PraetAugust 22, 2017 5:16 PM

@ ltts

Does anybody know any good web resources for low-tech tech-support ("'ltts'") consulting issues from a provider's perspective.

You don't need web resources, but people willing and able to learn these skills. A good start is https://www.cybrary.it .

tyrAugust 22, 2017 6:01 PM


@Nick P.

I loved the hilarious explanation of the seller
(the chip must have been damaged in shipment).

I'm also glad to see Emmy getting some hard earned
fame as a language.

@All

The basic USN safety course should be " do not let
them run into you ". If you can outrun a civilian
ship by a factor of 4X letting them hit you is
pure incompetence. What I find interesting is the
area hit. A retro fit of some battleship plate there
should cut casualties down to a reasonable level.

Hanging a couple of radarmen might go a long way
to ensuring crew safety.

@vas pup

The trying out of new things by the young always
look like risky behavior to the old. However no
society has ever figured out how to prepare the
young completely. Until we get a way to upload
the sum total of experience you're going to see
some risky behaviors. Like Mark Twain said you
should always let someone carry a cat by the
tail, they are getting valuable experience.

lttsAugust 22, 2017 6:14 PM

Draft letter agreement

___ ___
___ ___
___ ___
"you" "vend"

This is to confirm that you engaged vend to provide software maintenance support, application support, technical support, and/or other services. The scope of your work will be more particularly described in your written specifications.

We appreciate the opportunity to be of service to you and look forward to developing computer software in accordance with your functional specifications. As you know we agree to use our skill and experience to analyze, design and implement the software to meet these specifications. Other than such software complying with your specifications, however, since it is impossible to develop bug-free software or for us to thoroughly understand your business functions, we can make no other warranty regarding its performance or fitness for a particular purpose.

vend strives to develop reliable software for its customers by including certain established computer program modules into applications like yours, wherever such computer program modules may be useful. Accordingly, it should be understood, that vend does not own the software developed for you, but reserves the right to re-use portions of its proprietary and proven computer programs or derivations, to benefit all of our customers. However, vend agrees to safeguard the propriety of your confidential information, data, and procedures.

We respectfully disclaim any liability for damages you may incur either directly or indirectly attributable to the use of our software, technical support and/or services and you agree that our liability, if any, will be limited to the price of the software or its use.

Sincerely,
Sig1
vend, date

Approved
Sig2
you, date


Notes:
) in most cases vend will be walking into current setups for individual (home) users
) leaning towards staying away from remote support, other than phone
) regarding routing and the like, probably just set up NAT and choose DNS server type stuff
) customers are individuals of varying levels of expertise, and for the most part they have limited incomes, and usually want it done as cheaply as possible
) trying to limit liability
) feedback appreciated

Wars for Monopoly Control of LivesAugust 22, 2017 6:29 PM

JG4 stated:
It took me a few more seconds after posting yesterday to say wtff? My first suspicion was that the two Navy collisions were the result of GPS spoofing by a rising superpower, but they may involve hacked navigation and/or control systems. I'm disappointed that no one here was paranoid enough to suggest the possibility, or I missed it.

Ducks said:
“All we have left is a Navy who is obviously facing a superior stealthy gorilla force. Its like those horror movies Final Destination where deadly ‘accidents’ pick off one after the next.”

Or Die Hard.
Someone previously posted about the first highly suspicious billion dollar accident.

Finally the American ‘experts’ are forced to admit something's wrong.
Encryption been broke? Multiple sensors spoofed or jammed? Sailors distracted somehow? Accident avoidance system hacked? Inside job? Collision avoidance systems failure? Floppy disc failure?

History shows major wars are won by breaking encryption and then spoofing. Like WWII… Now the USA (trailing in math and science) is on the receiving end. China publicly humiliated and backhanded, calling the US Navy ‘a danger’ to navigation. This ends American Exceptionalism as nation deeply divided cannot stand. A result of chasing diversity? (Following the EU lead, Canada today is planting the seeds of future terrorism).

Hobsons Choice
Americans overall are clueless. The best and brightest engineers are too involved in mass surveillance, data-mining and personalized advertising. Certainly not military designs or countermeasures.
The REAL question: is it better for Google or China to take forced control of citizens? The best example is in the Google workplace, where surveillance, spies and snitches are everywhere. Reminiscent of North Korea.

Monopoly Control of Lives
Do you know how dumb young adults are? They don’t know you can use an antenna to receive free TV broadcasts. Instead they pay Google TV $40/ month to further seize control of the mush on top. A huge advertising war is taking place between TV broadcasters and Google, yet the public and press are clueless...instead did you hear what Trump tweeted today? (conditioning for the 2020 elections).

Nick PAugust 22, 2017 9:34 PM

@ tyr

Yeah, the seller explanation was hilarious. "Emmy" getting hard earned fame as a language. Who or what is Emmy?

@ ab praeceptis

"Starting a paper or presentation with a political statement re ferguson might be considered cool in certain circles"

" Now again my impression is that dr (daira hopwood; I reference him/her/it by 'dr' to avoid the 60+ genders plus correct words about I know nothing and am determined to keep it that way) likes to tinker"

You ad hominem the author, dislike the political slide (I agree there), and then dismiss all the worth without further review or details. I'll similarly dismiss your review of that one but without an ad hominem.

"As for pony, that's an interesting attempt, indeed, but of very little value so far and all but certainly that won't change."

It's getting some uptake... more than usual for alpha releases. It's not safe to make a prediction except it will be a niche language. Your other comment might be true about burdensome except for distributed systems where it might help. For those, we pretty much only have Erlang doing it natively in a robust way with an ecosystem. That focuses on safety (fault-tolerance). It would be nice to have a capability-oriented, distributed language for secure apps that mainstreams. I'm watching it at a distance instead of making bets at this point. Like with the Noether work.

ab praeceptisAugust 22, 2017 10:26 PM

Nick P

Nope, no ad hominem; simply observations and an explanation re. myself. I see a small but important difference: while I do not at all care about or put any attributes on or judge dr's felt gender, sexual orientation or preferences, I *do* care whether an author's main focus is on his/her professional field or on feminism, genderism, and whatnot. Kindly note that I *did* have a look at both noether and dr (i.a. his/her/its social profiles) and also that his/her/its own intro to a PL/IT presentation is purely social activist.

You are right; I did not make the effort to properly criticize noether. Simple reason: it's not worth it.

As for pony, I did have multiple interested looks at it and even twice played through the design of a current project. Besides the factors I mentioned (which are grave enough to keep most developers away) I'm quite pessimistic about it for three main reasons: a) they are not (yet?) tick in terms of usability but largely in terms of experimenting (which translates to being next to worthless for developers). b) their approach imo isn't that brilliant, frankly. it basically comes down to "keep memory (and related e.g. race) problems away just like rust, but in another way". Funnily I *do* see some really good stuff in pony but that's not related to their attribute core idea. c) It isn't needed and it doesn't offer a good advantage/cost ratio. We *have* good (imo better) approaches and a good understanding of the problem field. Even modula, decades ago, could do most of what pony offers.

The main reason for me personally to like pony's approach is its (albeit clumsy) clarity and the "pedagogic" effect of making developers think about properties they usually largely ignore. Usually a variable has a type and maybe a const or a mutable attribute and that's it. pony provides hints, it's fertile in terms of making us look and think again. At the same time, however, it's of little practical value as a tool and I'm not expecting that to change.

And let's be clear about the main driver of concurrency: networks, the need to deal with tens or hundreds of thousands of events. Which means that not having solid aio lib support keeps developers away.
Being at that and at 'uptake' (you mentioned) - as much as I hate to admit it but we already have a winner there: google's go. And that's not because go would be such a great language or have such great concurrency support; actually it has *not* - but ask developers all over the planet and they will say it has. Reason: go offers a relatively *simple* support - and that's what 99% of developers want and need (as far as they are to decide).

Btw, I'm disappointed by my beloved Ada in that regard. They have some first (early abandoned, it seems) libuv binding but that's it. Shame. Ada of all not exotic languages had the best start position; their task mechanism would have almost everything needed since many many years but they slept it seems.

ThothAugust 22, 2017 10:30 PM

@all

Backdoor in Apple iCloud Keychain.

The supposed 'Exceptional Access' in the iCloud Keychain was for LEA usage but independent researchers like Elcomsoft managed to find a way into the iCloud Keychain on their own. This shows why it is a bad idea to create 'Exceptional Access' inside devices as it is only a matter of time before someone would discover a way to access it without proper authorization.

Link: http://www.theregister.co.uk/2017/08/22/apple_icloud_keychain_easily_slurped/

Nick PAugust 22, 2017 10:45 PM

@ Ratio

Oh, yeah, thanks. I remember that from the presentation now where even Einstein was giving her props for her work. It was neat that the language was named after her.

ab praeceptisAugust 22, 2017 10:54 PM

Thoth

Oh, me sooooo surprised. But we need not worry, certainly the fairy tale of apple products being the most secure is going to survive and find some more millions of idi^h^h^h fans.

Time to honour that fairy tale with BSAL-4. Hereby done.

ThothAugust 22, 2017 11:40 PM

@ab praeceptis, Clive Robinson, Nick P, et. al.

The use of Apple's backdoored Secure Enclave (Apple's licensed spin-off of ARM TZ nonsense) is why the BSAL must be increased to BSAL 6+. Didn't 'they' say that only the 'Secure Enclave' (security co-processor) had access to sensitive information ? Now how did the 'Secure Enclave protected information' become accessible via some wizardry by Russian security firm, Elcomsoft ?

How secure is this 'Secure Enclave protected keys, PINs, passwords, data, biometrics etc' fairytale ? Apparently you can easily bypass the Secure Enclave security processor by not attacking the Secure Enclave processor (considered as the 'strong link') but by attacking the weakest link in the chain - the iCloud portal itself and humans.

Crypto and chip level attacks are not the most immediate point of attack and it is the weakest link as it is the additional services and 'features' and the human operator which is where the bulk of the attacks are targeted at.

65535August 22, 2017 11:52 PM

A follow up on the camera problem.

Cameras can be highly deceptive. From the huge spider crawling on James Bond to “re-enactments” of drug busts:

“The latest video, according to the officer who turned it over, "was self-reported as a re-enactment of the seizure of evidence," Mosby's office said. The first two videos involved either the planting of drugs or the recreation of a drug crime scene…” –Arstechnica

https://arstechnica.com/tech-policy/2017/08/third-staged-baltimore-police-body-cam-surfaces-dozens-more-cases-dropped/

Base post on cameras:
https://www.schneier.com/blog/archives/2017/08/friday_squid_bl_589.html#c6758814

ab praeceptisAugust 23, 2017 12:15 AM

Thoth

Compromise: BSAL-5 plus a rotten apple.

I'm hesitating to give a higher level because, just remember how often we preached "they don't attack the crypto but they simply work around it".

So, the BSAL is mainly merited by implementing their funny trustzone based "137% bulletproof!!!" stuff so utterly [adverb self-censored due to desiring to follow Moderator's wishes. But I can hint that the self-censored adverb was not "intelligently" or "well". Very much not at all].

I particularly liked the "HSM-Based Escrow System" box right next to the "SMS Verification" box. Although they missed adding a "4 digit pin must be entered (default 1234)" security option.

Honorable mentioning for tls, 'result' variable being of funny and questionable type, and the parameter "bool usePrimes" which is my personal favourite for showing their seriously serious "this is meant serious!" attitude. I mean, how much more security minded can you get beyond "we are even ready to occasionally use primes" (which next to certainly are *probable* primes anyway but we don't want to be picky, right)?

ab praeceptisAugust 23, 2017 12:27 AM

Thoth

Addendum: Here is an idea to build a billion $ business on.

296+% bulletproof security based on passphrase cloudstorage on cube-os using the virtual prime properties of the number 42 in tls 1.4 with built in symersky *virtual CA* and a *javascript firefox HSM plugin.*

Easily BSAL 7+!

P.S. Originally I had "300+% bulletproof" in mind but "296+%" sounds more scientific, digital, and prime.

P.P.S: Symersky, I want my 5% shares when you build the next large corp based on my idea!

Dirk PraetAugust 23, 2017 3:32 AM

@ ltts

Re. Draft letter agreement

I recommend an industry standard contract and service delivery management course like ITIL. Was a real eye-opener for me and I am still practicing it to date.

@ Thoth

Backdoor in Apple iCloud Keychain.

Hardly a surprise. There's no such thing as NOBUS and storing *any* sensitive information in the cloud - especially passwords - is just asking for trouble. If you really have to, put them all in something like Keepass and wrap them in a hidden Veracrypt container, the inner volume holding e.g. your pr0n collection.

JG4August 23, 2017 6:23 AM


https://www.nakedcapitalism.com/2017/08/links-82317.html
...
Hackers Are the Real Obstacle for Self-Driving Vehicles MIT Technology Review (DL). Subject matter experts and NC readers who have followed this story know this headline is not news.

Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency NYT. Wait, now. Silicon Valley brainiacs forced me to give them my phone number for “two-factor identification,” and now hackers have stolen it?! To be fair, the phone was a dumb burner, but still….

Police find illegal Bitcoin farm at Ukrainian state institute Kyiv Post

...[Starfish Prime]
It’s Hard to Keep Up With All That Lithium Demand Bloomberg. For batteries.

...[IT security]
The Very Strange Indictment of Debbie Wasserman Schultz’s IT Scammers National Review

...[surveillance]
Big Brother Is Watching You Watch

AccuWeather caught sending user location data, even when location sharing is off ZDNet

Science shouldn’t stop at the border Institute of Physics Blog

Defending Internet Freedom through Decentralization: Back to the Future? (PDF) MIT Media Lab. Via Nieman Lab. Important.

Police State Watch

A 911 plea for help, a Taser shot, a death – and the mounting toll of stun guns Reuters

...[computer hacking]
Industrial hack can turn powerful machines into killer robots TechCrunch. Headline is accurate.

Clive RobinsonAugust 23, 2017 9:53 AM

@ Scared,

have devised a way of conducting surreptitious sonar surveillance using home devices equipped with microphones and speakers.

It's actually not that difficult to do and I think I've mentioned it here before.

Have a look at NASA JPL "Ranging Codes" made with "Gold Code Generators" and "Direct Sequence Spread Spectrum" to get the basic idea of how to make "pseudo white noise" into a distance measuring system.

Then look at "Digital Watermarking" to see how such a code sequence could be added to a music track or jingle in an advert.

If done the right way you could not just get distances but low resolution images good to +/- 3cm in 3D.

Clive RobinsonAugust 23, 2017 2:52 PM

@ 65535,

to “re-enactments” of drug busts

These are "dumb-cops" that are the stain on the floor underneath the barrel. Those that are still on the inside at the bottom of the barrel scraping around, are slightly more intelligent or even lucky.

What is known from CCTV and street criminals is it won't take long for natural selection to take place. That is those doing wrong can smarten up real quick, otherwise they go to jail. Thus the cops turning off their cameras are showing "avoidance" which is the first thing street criminals did.

Thus "bad-cops" that are slightly smarter than "dumb-cops" will work the system to the point where they can still get away with it.

If you go by the known levels of criminals we can expect a minimum of 0.1% of cops to be not just criminally minded but actually "at it".

What of course makes it worse is legislation that protects bad-cops going hand in hand with "incentives" put in place by legislators and politicians to meet campaign promises.

gordo • August 23, 2017 7:06 PM

How the NSA tracks you
Perspective from the inside
Bill Binney | SHA2017 | 59 Min

Bill Binney will talk about his experiences as Technical Director at the NSA where he had a 34 yr career.

#Society #Privacy #SurveillanceState

https://media.ccc.de/v/SHA2017-402-how_the_nsa_tracks_you [video]

https://www.youtube.com/watch?v=P1JDqNKMaus [video]

https://media.ccc.de/c/SHA2017

https://sha2017.org/

-------

Whistleblower: “The NSA Is Still Collecting the Full Content Of U.S. Domestic E-Mail, Without a Warrant … The NSA Cannot Identify Future Terrorism Because 99.9999% of What It Collects and Analyzes Is Foreseeably Irrelevant”
Posted on July 7, 2017 by WashingtonsBlog

http://www.washingtonsblog.com/2017/07/creator-nsa-global-intelligence-gathering-system-confirms-snowden-right-government-spying-normal-everyday-americans.html

http://www.washingtonsblog.com/wp-content/uploads/2017/07/Binney-Affidavit-2017-07-05-Final.pdf

Wael • August 23, 2017 9:35 PM

@Nick P, @tyr,

Inside a RAM chip, I found a counterfeit

A more expensive counter fit than the intended original. Not bad, what's the fuss about :) background memory tells me someone said something similar.

Nice article, but what's the purpose of this subversion? And, more importantly:

Doesn't this shake your confidence in old hardware, like I told you many moons ago? I am aware you agreed to that, but if the Pentagon is getting 15%, what should we expect for us?

For instance, 15% of replacement semiconductors purchased by the Pentagon are estimated to be counterfeit. With counterfeiting this widespread, even an obscure chip like the 74LS189 can be a target.

That's comforting! Makes sense as there is a relationship between pentagone and 15.

The seller explained that the chip must have been damaged in shipping!

Unlike @tyr, had I been told that, my blood pressure would have doubled instantly.

Nick P • August 23, 2017 11:14 PM

@ Wael

There's a difference between counterfeits that will hurt your personal security versus those that just randomly screw things up. Also, the older things when packaged as full systems sold used within my country by suppliers in my country should be less likely to be fakes. I'm not aware of even one after reading countless purchases or testimonies of computers for x86, POWER, MIPS, SPARC, Alpha, and PA-RISC. They all seemed to do what was expected in the expected way. So, if it happens, it must be rare.

Wael • August 23, 2017 11:31 PM

@Nick P,

You make an important distinction between fakes and subverted. Isn't it possible the chip in the story was mislabeled? Hanlon's razor, you know.

But

Also, the older things when packaged as full systems sold used within my country by suppliers in my country should be less likely to be fakes

Less likely to be fakes? Possibly true.

What if you added to your sentence above: "More likely to be interdicted"? This is one form of subversion to target people who trust older hardware. I know that's unlikely because "They" use commercial off the shelf parts. But it's also doable!

Clive Robinson • August 24, 2017 12:28 AM

@ In the moment,

Re ROPEMAKER vulnerability,

It's not a new idea, in fact it's been around for a while (arguably it goes back at least as far as early MS Office documents).

The solution in this instance is to use a non HTML capable browser. But the problem with that, is that marketing types think HTML etc etc is "essential" to getting their message across...

If you have worked in a large organisation over the past quarter century you will have no doubt seen "Corporate style guides" that almost always rely on a presentation template of some form or another which gets attached to the actual content in some way. Often the template is on some server within the organisation. Well this attack is just an extension of that failing.

Clive Robinson • August 24, 2017 1:20 AM

@ Wael,

Doesn't this shake your confidence in old hardware, like I told you many moons ago? I am aware you agreed to that, but if the Pentagon is getting 15%, what should we expect for us?

The problem is the way the semiconductor market was set up more than half a lifetime ago. Put simply, unless you are a very major user of a manufacturer's product you do not buy from them but a supplier who might have got stock from another supplier.

At one point I worked for a company that sold subscriptions to data on CD and DVD. Due to a problem in a very major manufacturing house the subscription customers got sent an update CD with the right label but... Actually got an audio CD of the "Beatles" not the data they were expecting. I dread to think what the customers of record shops thought on getting a data CD labelled up as the Beatles and put it in their CD players. How the mistake got through the major manufacturing house's QA process I do not know, as if it was operating correctly it missed twice...

Such mislabeling happens but usually gets caught by "Goods inwards test" (GIT), which is what would have happened if somebody had tested the ICs.

However you have to ask what happens to the "returned stock" from GIT failures. It rarely gets disposed of reliably, thus it can get back into the supply chain over and over again.

The reason for this is "mislabeling" is a rare cause of "returns from GIT", most often it's because of changes in the manufacturing process degrading specifications in some area where few customers will care. Thus putting the returned stock out to another customer will likely work out.

It's because of this that counterfeiters can also get away with it. We saw just how bad the problem can get with those FTDI chips used in low cost Chinese computer peripherals when the original manufacturer changed the driver code in a Windows update[1].

However "Trusting old hardware" is a different matter. There is a big difference between mislabeling/counterfeiting and backdooring chips.

Putting a backdoor in a chip in a way it can be effectively exploited is more a question of "functionality" than "real estate". That is MSI/LSI/VLSI chips did not have sufficient complexity to be able to make a backdoor effective. It was only the rise of SoC hardware where it became a practical prospect. It's why Mid 1990s and earlier chips are likely to be trustworthy but those this century decreasingly so.

[1] http://www.zdnet.com/article/ftdi-admits-to-bricking-innocent-users-chips-in-silent-update/

Wael • August 24, 2017 4:30 AM

@Ratio, @Nick P, @Usual Suspects, (and unusual ones too, don't be bashful)

She was the famous German mathematician Emmy Noether. Haven't heard of her, but now I did. My favorite one is Gauss. Traversing links in the Wiki, I found this one about Martin and Mitchell defection, and this paragraph, in particular made me think...

A secret 1963 NSA study said that "Beyond any doubt, no other event has had, or is likely to have in the future, a greater impact on the Agency's security program."

Seems the 'fortune tellers' back then didn't read "Snow-white and the Seven Dwarfs" or my version of it, before it became a movie! I wonder which is a more damaging event: Losing a couple of cryptographers to the adversary or Losing several thousand documents! I say the latter, unless the cipher algorithms had backdoors.

And that reminds me (the limerick on the previous link.)

@Ratio,
For your eyes only ;)

[Message confidentiality protection: Medium; your difficulty to decipher it: 1.2 - 2.0 / 10]

Delayed Subspace Message To:
Moon-Base Alpha / S2:E9

Star-Date: 739 - t => Roger That!

Cerebrum's Message Decoded. 

Sausage to Foundation Extremely Unlikely :)

Do you copy?
A delay in your response is expected due To:

Acute Quantum Latency ;)

The same exact message, in limerick format:

[Message confidentiality protection: Low+; your difficulty to decipher it: 0.3 - 1.5 / 10]

Remembered last year, and what was documented!

In an animal graveyard, where both were lamented!
They weren't the gullible fools

To trust whom goes by the rules

But the grammar is broken, and likely not connected!

In the future, I'll use the limerick format: I don't like pass-phrase; I use pass-limericks.

Wael • August 24, 2017 4:35 AM

@Clive Robinson,

The problem is the way the semiconductor market was...

Makes sense. I'll have a comment or two later when I have a semi-fresh mind.

JG4 • August 24, 2017 6:44 AM


trust has scaling problems. there was a brilliant article at nakedcapitalism recently that touched on the game theory problems of super-elite hideouts in NZ. will the loyalty of the battle-hardened bodyguards be lodged with the billionaire/owner, or with the battle-hardened pilot, whose family have to be killed when they land?

I hope that I explicitly said that rock-paper-scissors can be cast in terms of energy-maneuverability diagrams, which are just another name for transfer functions. Boyd and Sun Tzu teach the limits of winning any conflict with any tools.

my quote about the moral high ground and ashes has potential

"if you don't have the moral high ground, you're fighting over the ashes of your civilization"

https://www.nakedcapitalism.com/2017/08/links-82417.html
...[tech company tie-in]

The $199 billion problem: Ten US companies that could devastate Silicon Valley Pando. Uber isn’t the only unicorn with valuation problems.

...[this is a bit dark, but training in security is important]
Soldier Excited To Take Over Father’s Old Afghanistan Patrol Route The Onion. “Afghanistan is a permanent live fire exercise for the US Military to blood and battle harden troops” (Jehu).

...[the origins of intelligence operations]
China

“Merchants of War and Peace: British knowledge of China in the making of the Opium War” by Song-Chuan Chen Asian Review of Books

Imperial Collapse Watch

Korea, Afghanistan and the Never Ending War trap Pepe Escobar, Asia Times

Pentagon makes a 20-year plan, while Washington outsources its color revolution The Saker (MT). Interesting if true…

Three Questions Arising From Recent U.S. Navy Collisions RealClearDefense

...[surveillance can be a good thing, as noted by at least several participants. did I say advancing human rights, one viral video at a time?]
Police State Watch

Another staged body cam leads to 43 more dropped Baltimore prosecutions Ars Technica

Boston Police Protected Far-Right Rally-Goers, Clashed with Black Counterprotesters The Intercept

...[in security, we have to triage by addressing the most serious problems first]
Green finance for dirty ships The Economist. “By burning heavy fuel oil, just 15 of the biggest ships emit more of the noxious oxides of nitrogen and sulphur than all the world’s cars put together.”

...[AI may be the only way out of the jam that we are in]
I was hacked TechCrunch

The Intellectual Achievement of Creating Questions Daily Nous (MT).

Clive Robinson • August 24, 2017 9:54 AM

@ ,

For those who do not like "" because of its snooping technology usage. linking to the original article or other one where JavaScript/cookies and heaven alone knows what might be preferable.

So I suspect --bot having looked-- that this may be the original article,

http://www.sciencemag.org/news/2017/08/mini-antennas-could-power-brain-computer-interfaces-medical-devices

From my point of view it really does open up the idea of nano surveillance devices.

Oh the use of such piezo-electric ceramics and acoustic waves is not new, have a look for "Surface Acoustic Wave" (SAW) filters.

Oh and I suspect that you could easily use the idea in a similar way to "Theremin's Thing" used in the "Great Seal Bug" that was foisted on the US Ambassador in Moscow.

tts • August 24, 2017 2:51 PM

@Mall Mosquito

""low-tech tech support" idea really rubs me the wrong way. We have all been using computers for many years now, and we are all well aware of the un"

tech tech support sounds better; sort of like knock knock; borrowed from @Dirk above response to tts

@Dirk Praet

"You don't need web resources, but people willing and able to learn these skills. A good start is https://www.cybrary.it ."
and
"I recommend an industry standard contract and service delivery management course like ITIL ( https://en.wikipedia.org/wiki/ITIL ). Was a real eye-opener for me and I am still practicing it to date."

Thanks for those links.

@C U Anon

"Basic Linux security info,

https://www.cyberciti.biz/tips/linux-security.html "

Thanks for that link

tts • August 24, 2017 3:29 PM

@Thoth
From your https://www.theregister.co.uk/2017/08/22/apple_icloud_keychain_easily_slurped/ link above
"Users of Apple devices who have not enabled two-factor authentication and have not set up an iCloud Security code do not have an iCloud Keychain stored with Apple"
That appears to say: Users who have neither two-factor authentication nor have set up an iCloud Security code are ok regarding this keychain slurping.

In general, I am leery of two-factor authentication. Can anyone recommend when someone should really, or definitely, consider the use of two-factor authentication?

ab praeceptis • August 24, 2017 6:00 PM

tts

As I'm working on a project to check and verify crypto protocols I had to come up with a sensible definition of Eve the "opponent" (unbelievable as that may sound there is very little in terms of proper definitions of security, safety, reliability, resilience, availability and of opponents) so I might help you.

To keep it simple I'll limit myself to 3 classes, namely a) low level (script kiddies, low end hackers, ...), b) mid level (typ. lea, and other mid to high level reasonably resourceful "hackers"), and c) high level (high level state actors, a handful of criminal groups).

2fa helps quite a lot against type (a), next to not at all against type (b) and certainly not against type (c).

Which isn't bad news at all because the target of type (a) attackers (in the given context) is usually to gain advantage, often monetary, at the victim's cost. Plus: It's by far the most frequent attacks (besides state agency fishing).
If your desire is to protect from lea or pro hackers 2fa is of doubtful value or frankly, quite worthless.

So, in short: if your aim is to keep your accounts of diverse kinds (email, bank, etc) more secure then 2fa is a quite reasonable element of defense. And please note the "element", as in e.g. "do not do online banking on the same system you use to watch porn".

Thoth • August 24, 2017 7:07 PM

@tts, ab praeceptis, Clive Robinson
Regardless if 2FA is enabled or not, there were past cases where browser history from Apple's Safari web browser and call logs on the iPhone were 'accidentally slurped and left on the iCloud'. If that could happen, why couldn't they 'accidentally slurp' everything?

It has less to do with 2FA but more to do with these big corporations and their desire to grab all data they have within their reaches including passwords and encryption keys. That is one reason @Clive Robinson and me keep advocating about the use of physically separated modules.

You have no control over the chipset and definitely limited access to the software and firmware. I have also cautioned on the use of devices with ARM TrustZone and derived Secure Enclave technologies pointing out that these blackbox Enclaves can be used as permanent hardware backed backdoors.

In essence, I heavily discourage use of conventional cellphones for handling sensitive materials or things that may affect privacy and security which includes mobile payment and banking technologies.

Most people simply do not learn from all those security breaches and the false claims of security and privacy that these big corporations peddle and mislead others.

Wael • August 24, 2017 11:29 PM

@Clive Robinson,

Putting a backdoor in a chip in a way it can be effectively exploited is more a question of "functionality" than "real estate". That is MSI/LSI/VLSI chips did not have sufficient complexity to be able to make a backdoor effective. It was only the rise of SoC hardware where it became a practical prospect. It's why Mid 1990s and earlier chips are likely to be trustworthy but those this century decreasingly so.

Yes! I totally get that. Suppose a manufacturer was asked to manufacture an old 486DX-33 (today) with additional unadvertised "features", mark the manufacture date accordingly, and dump it in the channels as an old CPU. Unlikely, expensive, very low ROI, and detectable too. But one must make sure the old hardware is really old, not just pretending to be old.

Meaning: you can't trust the manufacture date on the chip. It's the easiest element to alter.

Clive Robinson • August 25, 2017 4:07 AM

@ Wael,

Meaning: you can't trust the manufacture date on the chip. It's the easiest element to alter.

Not quite the easiest[1], but few people actually know how to check the package date, or the chip step level that should be inside it any way.

There are also ways of comparing "like with like" with certain types of "dynamic testing" but it's at the levels of sophistication you would find in a laboratory not in a goods inwards test department.

The problem is still the old "prove a negative" issue.

It's why security can be not just expensive but beyond eye wateringly so.

That said there are non "commercial supplier channel" ways to get hold of older chips or parts which are easier for individuals than commercial organisations. They are also harder to attack by an Intel agency.

But security by using older parts does have a "shelf life" in that things break and can no longer be replaced. Which is why other methods have to be investigated.

If you think about it the "sufficient functionality to hide a backdoor" issue is still there even with more modern parts. It might appear that the whole world has switched over to "Smart Devices" and the high level SoC and similar required to support it, but the reality is that more low end microcontrollers get sold every day than low end Smart Devices. It's a point I've made in the past a few times, and I've also mentioned that I use it.

The simple fact is "Big Brother" can only covertly backdoor a few devices before such a secret becomes public. Thus the overt "frontdoor" route is probably the way they will go. Arguably this has already happened with the "Ring -1" management devices and similar Intel, AMD and ARM have put in their devices destined not just for servers but "Personal" computers/laptops/tablets/pads/phones and even smart watches. In part because all of these have "communications" baked into them.

It's the communications that is the "key factor" in both covert backdoors and overt frontdoors. Because "it does not matter jack" how much information is leaked if "it can not be communicated".

As both @Nick P and myself have discussed in the past you can at moderate expense build a computer into a small home/office safe. That with a little engineering knowledge and skill can become well screened cutting off nearly all communications channels and reduce the others (such as heat) down to very very low bandwidths.

The point that people tend to forget is that there are two types of surveillance "Mass" and "Directed".

Mass surveillance was eye wateringly expensive half a century ago and bankrupted the nations and organisations that tried to do it. Even in George Orwell's imaginings "Big Brother" did not have the resources to monitor every microphone all the time. That has sort of changed, whilst the resources are still not available to monitor every channel, it's now generally accepted that they can all be recorded for later analysis. It's why I've referred to the supposed NSA storage facility in Utah as an attempt to "build a time machine" so that they can go back and listen in on long past communications. It's the rapidly falling price of technology that has made this possible and it is also making the ability of the SigInt agencies to monitor increasing numbers of communications channels in "real time" via AI possible. The simplest example being that of tracking an individual. In the past it required a team of at least six people, since mobile phones it's effectively automatic if you carry one. Of more recent times number plate readers and facial recognition from CCTV have made the need for the "Person of interest" to carry a phone of way less importance. Within a few years most city and urban dwellers will quite literally be tracked "from cradle to grave" with few if any places to hide in between.

The important difference between mass and directed surveillance is that directed surveillance is very resource intensive and at high cost. Mass surveillance would be impossibly expensive as well if those doing the surveillance had to pay for it all. That is mass surveillance only became cost effective when we as individuals purchased the devices and communications for them.

If we as individuals chose to stop making and leaving communications channels open then mass surveillance becomes too expensive for any government to carry out.

Thus cutting communications channels to the "enemy" is the way forward as it always has been since man could communicate.

Where it is not possible to eliminate all communications then reducing the amount of information that can be leaked is the next step. In the past I've talked about the difference between "online" and "offline" activities and how you maintain an effective gap between the two, such that the security end point is some distance beyond the surveillable communications end point. Thus with care the benefits of communications can still be used.

The problem is though, technology is making what was once hard for an attacker easier, whilst making what was once easy for the defender harder. And the major part of this change is due to our own desires... Thus we are effectively the song bird trapped in a gilded cage of our own making. Thus our future is in our own hands, and it is our choice as to if we want to be surveilled or not...

[1] Think on how forged paintings are found to be forgeries and likewise how letters from typewriters used to be analyzed to find which one of many supposedly identical typewriters it was typed on.

Wael • August 25, 2017 4:43 AM

@Clive Robinson,

Agreed, with some reservations.

It's why security can be not just expensive but beyond eye wateringly so.

Exactly! I shed a few tears when I read this :(:

"Ring -1" management devices and similar Intel, AMD and ARM have put in their devices destined not just for servers but "Personal"

It could, more descriptively, be called a parallel ring 0. So-called Ring -1 is more suitable for the hypervisor/VMM.

well screened cutting off nearly all communications channels and reduce the others (such as heat) down to very very low bandwidths.

Generally speaking, yes! OpSec is a needed measure to cover the "unknown". Doesn't work on all devices: isolate a cell phone, and it'll lose some of its functionality.

Thus we are effectively the song bird trapped in a gilded cage of our own making.

It's a form of shielding. The wrong form of shielding ;)

Mass QR Grave • August 25, 2017 5:09 AM

Re: Wael; Cc: All;

For instance, the reprogrammed 2gb micro sdhc cards being sold on Amazon and eBay as their larger [16,32,64,128gb] brethren after a simple solvent bath and fresh silk screening.
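A buyer-side check for the relabelled cards described in the comment above is to write a unique pattern to every advertised block and read it all back. The sketch below is an added example, not part of the original comment; `SimulatedCard` and its "wrap" and "drop" controller behaviours are constructed assumptions standing in for a real device.

```python
import hashlib

BLOCK_SIZE = 512  # bytes per block in this simulation


class SimulatedCard:
    """Constructed stand-in for a card that reports more blocks than it has.

    mode="wrap": addresses past the real flash alias onto it (n % real_blocks).
    mode="drop": writes past the real flash are discarded, reads return 0xFF.
    Both behaviours are assumptions made for this example.
    """

    def __init__(self, advertised_blocks, real_blocks, mode="wrap"):
        if mode not in ("wrap", "drop"):
            raise ValueError("mode must be 'wrap' or 'drop'")
        self.advertised_blocks = advertised_blocks
        self.real_blocks = real_blocks
        self.mode = mode
        self._flash = [b"\xff" * BLOCK_SIZE for _ in range(real_blocks)]

    def _check(self, index):
        if not 0 <= index < self.advertised_blocks:
            raise IndexError("block outside advertised range")

    def write_block(self, index, data):
        self._check(index)
        if len(data) != BLOCK_SIZE:
            raise ValueError("data must be exactly one block")
        if index < self.real_blocks:
            self._flash[index] = data
        elif self.mode == "wrap":
            self._flash[index % self.real_blocks] = data
        # mode == "drop": discard silently, the caller sees a successful write

    def read_block(self, index):
        self._check(index)
        if index < self.real_blocks:
            return self._flash[index]
        if self.mode == "wrap":
            return self._flash[index % self.real_blocks]
        return b"\xff" * BLOCK_SIZE


def block_pattern(seed, index):
    """Reproducible content that differs per block, so aliased blocks cannot match."""
    out = b""
    counter = 0
    while len(out) < BLOCK_SIZE:
        material = seed + index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(material).digest()
        counter += 1
    return out[:BLOCK_SIZE]


def measure_capacity(card, seed=b"constructed-seed"):
    """Fill the whole advertised range, then count how many leading blocks verify.

    Every block is written before any block is read, so a block that was later
    overwritten through an alias is caught. Writing from the highest block down
    means that, on a wrapping controller, the lowest addresses are written last
    and the verified prefix equals the number of blocks that really exist.
    """
    total = card.advertised_blocks
    for index in range(total - 1, -1, -1):
        card.write_block(index, block_pattern(seed, index))
    verified = 0
    for index in range(total):
        if card.read_block(index) != block_pattern(seed, index):
            break
        verified += 1
    return {"advertised": total, "verified": verified, "genuine": verified == total}


if __name__ == "__main__":
    for card in (SimulatedCard(16, 2, "wrap"), SimulatedCard(16, 2, "drop"),
                 SimulatedCard(16, 16)):
        print(card.mode, measure_capacity(card))
```

Run against a real device, the same procedure overwrites every block, so it belongs at goods-inwards time, before the card holds any data.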

Who? • August 25, 2017 6:44 AM

The ExpressLane project of the CIA

Something is very broken at the intelligence community:

Today, August 24th 2017, WikiLeaks publishes secret documents from the ExpressLane project of the CIA. These documents show one of the cyber operations the CIA conducts against liaison services — which includes among many others the National Security Agency (NSA), the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).

https://wikileaks.com/vault7/#ExpressLane

Ratio • August 25, 2017 7:00 AM

@Wael,

Star-Date: 739 - t => Roger That!

[...]
Do you copy?

*chuckle* Ten-four. ;-)

I guess I'm late if that's really t - 739, assuming hmm. Both sss and mmm seem obviously too short, and hhh or even ddd seem too long. Will ponder later what, if anything, to make of the star-date.

Shame about your verdict on the grammar. Let's see if I can work out what it should've been, despite my considerable handicap in this area. :-(

Ratio • August 25, 2017 8:01 AM

Ugh. Only sss is "obviously too short"; hmm and mmm are both plausible (same order of magnitude).

Wael • August 25, 2017 8:13 AM

@Ratio,

I guess I'm late if that's really t - 739, assuming hmm

Synchronization message time sent: 1800 - t (meaning the time I sent this message)

Shame about your verdict on the grammar.

Got nothing to do with your grammar! It's the same message as above in a different form. Every line in the limerick tells you part of the message, for example:

But the grammar is broken, and likely not connected!
Says the same thing as:
Sausage to Foundation Extremely Unlikely :)

Gerard van Vooren • August 25, 2017 3:39 PM

@ Clive Robinson,

There used to be an industry joke of "Whatever the question is... The answer is not MicroSoft". Just substitute "cloud" for "microsoft" to bring it up to date (you could add it after MicroSoft, but then I might be accused of bias ;-)

That's not a joke or if it is then it's a bad one. The management of the company I worked for once decided in all its wisdom to use Microsoft Dynamics AX for their ERP. I have never ever, really never ever in my life seen such a piece of c**p. You'd expect from MS to have all their products "look and feel" the like. That's not the case with AX. Everything is different. But that's not the reason why it stinks. Our productivity dropped 50%, and that was after "we got the hang of it". So I almost begged to go back to the old ERP system. That got rejected of course because of all the money they had already invested in AX. The only benefit of AX that I witnessed is that it "looked okay", but that's it. Everything got complicated, to absurd levels, and it drains energy out of you. The company that I worked for isn't big (a couple of hundred persons) and there isn't high volumes of data, nor any special circumstances. AX did cost a couple of million Euro to implement and two years, five guys full time, and it was/probably still is a huge pain. So I left. The power distance was simply too large and I can't stand long lasting stupidity.

tts • August 25, 2017 4:33 PM

@Thoth, @ab praeceptis, @Clive Robinson @Dirk Praet

Thoth wrote:
... "there were past cases where browser history from Apple's Safari web browser and call logs on the iPhone were 'accidentally slurped and left on the iCloud'. If that could happen, why couldn't they 'accidentally slurp' everything ?"

Thanks for this and the other points you make in the above post

First, without researching this, I think I recall deleted iCloud Notes not being deleted, perhaps, too. Awhile back I think Dirk mentioned something like just don't have an iCloud account. In other words, with just an Apple ID you can download apps, of course, and use iMessage, for example. Without an Apple ID Apple phones, tablets, and computers appear to still update in this country and provide limited functionality. Regardless of fanboism (word?), if x is never put in iCloud with user consent, I don't think Apple would want to get caught putting x in iCloud without user consent, especially if user doesn't have an iCloud account. Thus no content in iCloud; no slurping from iCloud. Slurping from elsewhere is another potential problem, of course. In other words I sort of trust Apple relative to its competitors, but try to maintain skeptical thinking at all times.

Second, I appreciate you, ab praeceptis, Clive Robinson, r, Dirk Praet, etc., supplying links and input in an ongoing basis.

ab praeceptis wrote:
"So, in short: if your aim is to keep your accounts of diverse kinds (email, bank, etc) more secure then 2fa is a quite reasonable element of defense. And please note the "element", as in e.g. "do not do online banking on the same system you use to watch porn"."

Thanks for this and other input in your post above.

EvilKiru • August 25, 2017 4:47 PM

@Gerard van Vooren:

The reason for the UI discrepancy is that Microsoft Dynamics AX was developed by a company that Microsoft purchased in order to get a toe-hold in that market.

Here's Wikipedia's history of Dynamics AX, which says that IBM had a hand in developing it, which explains why it stinks: https://en.wikipedia.org/wiki/Microsoft_Dynamics_AX


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.