Bluetooth Vulnerabilities

A bunch of Bluetooth vulnerabilities are being reported, some pretty nasty.

BlueBorne concerns us because of the medium by which it operates. Unlike the majority of attacks today, which rely on the internet, a BlueBorne attack spreads through the air. This works similarly to the two less extensive vulnerabilities discovered recently in a Broadcom Wi-Fi chip by Project Zero and Exodus. The vulnerabilities found in Wi-Fi chips affect only the peripherals of the device, and require another step to take control of the device. With BlueBorne, attackers can gain full control right from the start. Moreover, Bluetooth offers a wider attacker surface than WiFi, almost entirely unexplored by the research community and hence contains far more vulnerabilities.

Airborne attacks, unfortunately, provide a number of opportunities for the attacker. First, spreading through the air renders the attack much more contagious, and allows it to spread with minimum effort. Second, it allows the attack to bypass current security measures and remain undetected, as traditional methods do not protect from airborne threats. Airborne attacks can also allow hackers to penetrate secure internal networks which are "air gapped," meaning they are disconnected from any other network for protection. This can endanger industrial systems, government agencies, and critical infrastructure.

Finally, unlike traditional malware or attacks, the user does not have to click on a link or download a questionable file. No action by the user is necessary to enable the attack.

Fully patched Windows and iOS systems are protected; Linux coming soon.

Posted on September 18, 2017 at 6:58 AM • 44 Comments

Comments

Peter Knoppers • September 18, 2017 7:31 AM

"Fully patched Windows and iOS systems are protected; Linux coming soon."

Android will take a little longer (in many cases we'll have to wait a couple of years for the devices to be discarded/replaced). Billions of not so smart Bluetooth devices (headphones, mice, keyboards, GPS trackers, etc.) will never be patched.

JMM • September 18, 2017 7:37 AM

Windows and iOS (mobile) are covered. Linux is on the way. What about MacOS (desktop) and Android?

CallMeLateForSupper • September 18, 2017 10:06 AM

Examples of impacted devices:
Samsung Gear S3 (Smartwatch)
Samsung Smart TVs
Samsung Family Hub (Smart refrigerator)

Be interesting to learn how quickly, if at all, Samsung sends back to school (so to speak) all of its "smart" stuff that is already in the field.

(twitter)InternetofShit should have some fun with this.

Garyh • September 18, 2017 10:38 AM

"No action by the user is necessary to enable the attack". Not even turning Bluetooth on? Always off on my phone, to save battery I hope, unless I am cranking tunes while yard working.

Fred P • September 18, 2017 11:11 AM

@JMM - no vulnerabilities were reported in those OSes by Armis recently. That does not, of course, mean that no vulnerabilities exist in those OSes.

@OctopusTentacle - one of the sample devices given is the Pumpkin Car Audio System.

OctopusTentacle • September 18, 2017 12:19 PM

@Fred P The ones I'm interested in are the manufacturer-installed ones which exchange data between the entertainment system and the engine/brake/steering controls (normally used to lock out some features while driving). A 3rd party device which doesn't do that has much more limited consequences when vulnerable.

Notooth - turn it off now. • September 18, 2017 1:49 PM

The BlueBorne attack vector has several stages. First, the attacker locates active Bluetooth connections around him or her. Devices can be identified even if they are not set to “discoverable” mode. Next, the attacker obtains the device’s MAC address, which is a unique identifier of that specific device. By probing the device, the attacker can determine which operating system his victim is using, and adjust his exploit accordingly. The attacker will then exploit a vulnerability in the implementation of the Bluetooth protocol in the relevant platform and gain the access he needs to act on his malicious objective. At this stage the attacker can choose to create a Man-in-The-Middle attack and control the device’s communication, or take full control over the device and use it for a wide array of cybercriminal purposes. Once the attacker determined his target is using the Android operating system, he can use four of the vulnerabilities disclosed by Armis to exploit the device, or they can use a separate vulnerability to conduct a Man-in-The-Middle attack.

Current security measures, including endpoint protection, mobile data management, firewalls, and network security solutions are not designed to identify these types of attacks, and related vulnerabilities and exploits, as their main focus is to block attacks that can spread via IP connections.

New solutions are needed to address the new airborne attack vector, especially those that make air gapping irrelevant. Additionally, there will need to be more attention and research as new protocols are using for consumers and businesses alike. With the large number of desktop, mobile, and IoT devices only increasing, it is critical we can ensure these types of vulnerabilities are not exploited.

--"It is critical", but just take a look at which way the tide is going lately?

You can't just keep expecting 4 billion devices to get landfilled every time someone cracks a hardwired under-secured protocol like bluetooth. This is madness.

Clive Robinson • September 18, 2017 3:01 PM

@ ALL,

A simple question for everyone,

    Does anyone who reads this blog still think that the security of our communications end point devices is enough to stop end run attacks around any security apps that run on them?

Wael • September 18, 2017 4:02 PM

@Clive Robinson,

[...] the security of our communications end point devices is enough to stop end run attacks around any security apps that run on them?

Elaborate, please.

As for this BT thing... What's actually new... A buffer overflow?

JG4 • September 18, 2017 4:27 PM

@Clive - I'm not sure who gets the prize for harping the most on endpoint security, but you've said it frequently. It is going to take a long time to sink in. I'd guess that about 3 percent of the public have a clue. I would have thought that somewhere between 20 and 80 percent of the people here get it.

Jonathan Wilson • September 18, 2017 5:10 PM

If you don't own/use any Bluetooth devices then turning off Bluetooth completely is the best way to avoid this exploit.

Winston Smith • September 18, 2017 8:26 PM

@Clive Robinson

"Does any one who reads this blog still think that the security of our communications end point devices is enough to stop end run attacks around any security apps that run on them?"

Most agree that the market, like democracy, works efficiently only when the populace is educated and makes educated choices. Perhaps I assume too much when I believe that privacy and security should go hand in hand as top priorities for all when considering how I manage my own digital life and the necessary vehicles that enable it. Too many are too consumed with pleasures and their own selves and distractions and baubles than with the important things in life.

AlanS said it well in a recent post when he tossed out the term, "Constitutional Rot". Such is at the core of our problem-- and I might add that the effect is largely due to modern society's lethargy (apathy, too) enabled by its own success in creating labor saving devices and insulating our lives far and away from natural law.

To the point, not only do I think that the security is inadequate, but I think most of it is mere window dressing. Real security is hard work, and in an insidious way it's always a reactionary effort to attacks which always advance, and never retreat.

I pray for Plato's God/King or else all hope is lost-- Big Brother being disqualified, of course.

Clive Robinson • September 19, 2017 1:49 AM

@ Wael,

Elaborate, please.

OK, back in Victorian England affordable, timely and efficient long distance communications became available to a significant part of the population not just the Government. With first the "penny post" then later early electrical/electronic communications such as the telegraph. Eventually giving the telephone and radio.

It was recognised that a sealed letter offered some privacy to the users in the Postal System and to encourage usage the British Government put in place certain rules to protect the contents of people's postal communications. In essence that letters would not be opened and read by officials. Part of which arose from Queen Victoria's assertion that she was not amused by the unethical idea that correspondence should be spied upon. A view Henry Stimson later expressed[1] more memorably, which had certainly since Queen Elizabeth the First been the foundation of what was later called "The Great Game".

The British in general appeared to believe that their mails were sacrosanct, but later not their telegraphs, hence the invention and proliferation of "Commercial Codes" which caused the telegraphers all sorts of problems. Hence legislation for the protection of communications arose and also regulation about how the cost of sending a telegraph would be worked out[2].

The result was what we now call "Common Carrier" legislation, which really is a Faustian Bargain, in that communications was and is to this day spied upon[1].

Importantly the Victorian public realised there were "end points" not just for communications but for confidentiality / privacy / secrecy and that they were not the same. Hence the Commercial codes that offered not just privacy but cost reductions as well (think on it as early compression). In the main because they could see the telegraph's reading their communications in order to not just work out the cost but convert them to the appropriate "line discipline" for transmission.

Thus the users especially businesses were wary of what came under another's eye. And as is often told about feckless telephone operators why the undertaker Almon Strowger and his nephew William designed the first automatic telephone dialing system, replacing the feckless operators.

It was this automation process that apparently took the untrusted humans out of the communications that has made most forget about the difference between a communications end point and a security end point. The result is that most trust their automated devices implicitly. Not just for communications but personal and business records. Thus what once required a personal assistant an office and filing cabinets with lockable drawers and doors is in our pockets. Likewise excessive trust has been given by users as they don't see untrustworthy humans in the process.

It's fairly safe to say these days that when you buy a computer you are being at best misled if not directly lied to and spied upon. Because manufacturers and middle men hold title and control legally of what the computer can and can not do, when and for how long before they decide to kill it off.

Lenovo, Microsoft and Amazon have all proved without doubt you have no ownership or control. Lenovo with its BIOS malware, Microsoft with its Win10 behaviour and Amazon with digital books and other content.

Yet the majority of users still trust their private thoughts and words to these devices, and delude themselves that they have control not the rapacious others commoditising the users' intimate thoughts words and behaviours.

They get given at best half truths if not provably false stories about "security" and how an application can give them this.

It can not, because those computer manufacturers can "reach out" via the communications and around any security or privacy application and see the plaintext of what the user enters into the computer or read off of its screen etc.

Thus it gives levels of control over the users in their masses that the likes of Stalin could not even have dreamt of and George Orwell could only dimly see.

Until the general population wake up to this they are "Sleep walking into a dystopia they can not imagine". But a few have felt the dystopia at the hands of authoritarian following state sponsored guard labour they call "Secret Police" or "Stasi", not realising just how impotent such organisations used to be, compared to what technology has made them today.

In essence there is no meaningful "ephemeral" any more what we do in public and our private thoughts and words are all recorded way beyond our control. Even those we can not ourselves remember are saved waiting to be used against us should we earn the ire of someone with control...

What we as "technologists" should be doing is looking at ways to make "ephemeral" real again and beyond the hands of those who seek to control by "fear" and "making examples of the innocent but unfortunate".

How we do that is mainly by education not by technology. The one thing people have to realise is technology has no emotions --yet-- it has no directing mind it exists as a force multiplier offering both increased benefit and harm, depending on who has temporary control. Giving up control for whatever reason is an abdication of responsibility and makes people critically dependent on others whims.

Unless people understand that they will not give up the "drug of the masses" that technology has become. Thus they will not take the steps required to control the technology they use. Because of the illusion of benefit technology gives, they will often demand proof of harm and that they are not in control before they will change their behaviour, it's this first hurdle we have to get over.

[1] https://www.theatlantic.com/international/archive/2013/06/gentlemen-reading-each-others-mail-a-brief-history-of-diplomatic-spying/276940/

[2] It's why a telegraph "word" was defined as five letters followed by a space by the ITU, and why you see most telegraph/telex super-encryption machines producing "five letter groups" to the line.

Wael • September 19, 2017 2:06 AM

@Clive Robinson,

Right. Good luck with that "people should give up...". Won't happen! They jump at the newest fad. Security is the last thing on their mind, if at all.

Needs some more thought and care of how to say things. We'll continue this topic...

225 • September 19, 2017 2:44 AM

"a BlueBorne attack spreads through the air" wow, and look at all the air there is in the world, the only way to stop this attack must be to remove all the air from computer rooms!

Clive Robinson • September 19, 2017 4:39 AM

@ JG4,

I'd guess that about 3 percent of the public have a clue. I would have thought that somewhere between 20 and 80 percent of the people here get it.

You are probably not far off on your guesstimates though I would probably guess lower than 3% for the general population.

Which begs the question as to why, they have apparently abandoned all caution and "sold the souls for a handful of promises" that history tells us over and over will not be kept. Especially the "If you have done nothing wrong..." nonsense.

If you ever speak to people who spent the earlier part of their lives living in countries with repressive regimes, they are absolutely shocked at the apparent "It'll never happen to me" attitude they see all around them. Especially when they see the signs they saw from their earlier life happening here and now.

They tend to know about end points way way better than most of us and how little trust to put in not just those around you but things as well. When they hear the Benjamin Franklin quote "Three can keep a secret..." they find it funny in a sad way that anyone could be that optimistic. Some years ago a Russian acquaintance --wife of a friend-- said about it "The only way you can keep a secret is when you are all dead, and then only maybe", she also said "Do you even know who the third person is? It's not just the wall that has ears".

The US has belief in "Technical Dominance" the UK has a belief in "Knowledge Dominance" the two are not the same. What the other FiveEyes believe in is less clear, especially south of the equator.

When you put Technical and Knowledge dominance together you have a very dangerous combination, something a few people in the US are starting to realise about Silicon Valley. We are starting to see it with the likes of the FBI trying to get leverage over organisations to obtain near cost free Technical Domination. When they don't have knowledge to obtain leverage, they are not afraid of paying researchers to give them a little information on how to get knowledge leverage over others (their attacks on Tor for instance and the --alleged-- $1million paid to a university to get the knowledge to make the tools).

The thing is knowledge dominance is like a plague, in that once you have some knowledge, once applied in the correct way it gets you more knowledge and so the process continues like a chain reaction. The only limits on it are the resources you have to store and process it. It's this aspect of AI that scares me the most because it will arrive long before all the other almost SciFi fears people have about it.

For instance we know as this attack shows yet again that technology especially software is riddled with faults. The only question is really "Can you find them before someone else?". We already know that many faults can not be seen from looking at the source unless you have a very specific idea of what you are looking for and a very in-depth knowledge of the way things work at all levels of the stack. It's why tools like Fuzzers were developed to find odd things that can be realistically investigated. Now think how AI could improve that?

Some attack vectors especially in protocols and standards have taken years to find. Think what an advantage that time span is to someone who collects knowledge. Better still realise that having it found by an AI rather than a human helps them keep it secret, thus last longer for gathering knowledge giving a much better ROI.

The only way to defend against this is not to trust the technology you have. That is work out how to mitigate any faults or defects it might have.

Many are obvious such as "don't have active mobiles in confidential meetings". But have downsides if you mitigate incorrectly. That is turning a mobile off sends a message to the network informing the network it's being turned off. That becomes a "third party record" that access can be gained to without your knowledge or control. So you have to put care into the way you do things. Less well known is that the network often "knows" the state of the battery in the phone in various ways. Thus running the phone battery low prior to turning off gives deniability. It also gives you the option to leave it somewhere "on charge" in a desk drawer etc which would be preferable.

Contrary to what many younger people might think, humans are quite capable of functioning without their phone or computer needing to be within a short distance of their hands.

As has been pointed out in the past "Poor Planning leads to Poor Performance". OpSec is about "building and maintaining a legend / cover". There are two basic types of cover, being an image of yourself and being an image of somebody else. The former is far easier than the latter, especially if you can do it passively and have time to put it in place. The first step is to build in "useful habits", like leaving your phone in the desk when you go out to get a sandwich. Or turning the phone off when you get in a car (you know that legal thing about not using whilst driving etc). Thus to anyone looking currently at you or at past records will see "habit" not "change of habit". Further if challenged about it you are not lying when you say "that's what I normally do, don't you?". The thing is what you are doing with these mitigating habits is "build space" into your life that gives you room to safely manoeuvre.

It's these sorts of things people should be doing not installing probably vulnerable security apps on a known to be vulnerable device, that can end run the application to see the plain text.

Clive Robinson • September 19, 2017 5:51 AM

@ Winston Smith,

Most agree that the market, like democracy, works efficiently only when the populace is educated and makes educated choices.

Thus the main part of the problem "educated". Not only should the populace be educated, it should be "honestly educated" as well.

Much of what children get taught outside of mathematics and hard science can be, --and as far as I can see has been,-- an opportunity for propaganda by the nation state and those working within it[1].

One of the problems with educating the young is you have to be dishonest because they don't yet have sufficient information to understand the correct answer (it's why few adults can actually say why the sky is blue and the clouds white).

Thus having started telling half truths, and leaving out information the education process can easily be bent to suit an agenda.

The problem is that around the age of eight children start realising that people lie, but by then harm has already been done. Trying to undo this harm is an uphill battle that many university level educators can give you war stories on. In fact even in the hard sciences this happens, and there is the old line of "Physics is taught as a succession of lies, each a little more accurate than the ones before" with the implicit rider that we have not yet stopped lying...

History is a very notable example of lies of omission, it's interesting to see how much gets left out and the selection process for the omissions. It kind of tells you a lot about what "lies of omission" are really all about and why so much is classified as secret when the reality is it is anything but people hiding their failings etc.

Thus the question really is how we as technologists correct the faux knowledge others have about technology that certain people with an agenda have promulgated.

[1] There is the Kow-Tow effect, in many academic areas where a person gets "eminence" and thus challenging them is "career suicide" until after they are gone, or very rarely they have fallen. You can see this if you search the Internet for "Pure White and deadly".

Wael • September 20, 2017 10:03 PM

@Clive Robinson,

What we as "technologists" should be doing is looking at ways to make "ephemeral" real again and beyond the hands of those who seek to control by "fear" and "making examples of the innocent but unfortunate".

I say impossible, but I will listen to suggestions. I could make some seemingly unimplementable high-level proposals: How about self-aware data that knows how to destroy itself? How about data that lives for a certain amount of time then “disappears”; not like a Snapchat message! Really disappears. Self-modifying Data or “smart” data that knows how to find and destroy every clone.

Clive Robinson • September 21, 2017 4:10 AM

@ Wael,

I say impossible, but I will listen to suggestions

Ephemeral may never have existed and may not exist in the "God sees everything" philosophical view point. After all I'm assured the echoes of the Big Bang can still be heard in the cosmic microwave background. But from the more human aspect whilst we can hear the distant storm, we can not hear the individual waves. Because the combined signal is so complex and individual components are below the effective noise floor.

If we look back in history there is little or no record of the majority of creatures including humans. There had to be a cause for a record to be made and that record in turn had to persist or be kept for some reason.

Thus a model can be drawn up based on events and their cause-effect relationship.

1, An event happens and energy is converted into a force that in turn acts on other objects transporting the energy down through various forms to thermal energy (heat).

2, Such an energy transport is governed by the laws of thermodynamics thus entropy, as energy moves from an organised to disorganized state.

3, As part of the energy transport it may be in effect "paused" such as throwing an object up onto a shelf. Part of the kinetic energy gets turned into potential energy as the object now at rest waits on the shelf. It can be taken/drop down at some point in the future turning the potential energy back to kinetic energy.

4, Thus in effect the potential energy is a partial stored record of the object getting to where it is, by the fact the object is on the shelf.

5, However the potential energy stored does not record how the rest of the kinetic energy from the throw was transported down further, ultimately at some very distant time to minimal thermal energy levels I say impossible, but I will listen to suggestions(Universe heat death).

Thus the aim for "ephemeral" is to prevent any of the energy of an event getting converted to a potential energy being paused to create a record that is in a sufficiently "ordered state" to be of use to a third party at a future time.

Which brings us back to the "How?" question.

As I've noted before information has no tangible state, it is impressed onto either mass or energy to communicate or store the information. Thus it is the energy/matter that goes into making the record we should be looking at. When it comes to a record then it is only matter that pauses the downward energy transport by trapping it coherently if imperfectly for future use.

Thus the weasel word "coherent" which means the potential energy in the matter has to be sufficiently ordered that it can be used at a future point in time.

At which point you are probably thinking "encrypt everything and throw away the key" or some such. But that is not "ephemeral" because even though the information has been transformed it is still coherent thus still recorded.

It's ensuring that the energy transport from organised to disorganised is not paused that is important. Thus stopping the information impressed on the energy being held in a coherent form.

If we look at "Quantum Cryptography" we can see a way to communicate information that guarantees there is only one recipient (on the assumption that our current laws of physics are correct).

Which leaves the question of ensuring it is the right not wrong recipient that gets the information.

Your thoughts so far?

Rachel • September 21, 2017 4:38 AM

> your thoughts so far?

if Wael sings a song, Dirk may come down from the shelf, be unpaused, and made coherent? he may even 'play a record'?

Clive Robinson • September 21, 2017 5:08 AM

@ Wael,

One of the problems of "strap hanging" in public transport is the uncertainty of hitting a small target (key) with a larger object (finger) accurately enough so only the desired action occurs increases. Thus strange errors creep in...

As evidenced in my above where the cut and paste of your "impossible" statement has been accidentally pasted before "(Universe heat death)." in point 5 :-(

But re-reading the above I made a jump to QC without going through the steps between. So,

If we accept that a record is "potential energy" from the kinetic etc energy doing work via a force on an object with information impressed or encoded in it coherently. We must accept that fundamentally it's the matter that is important to the making of the record.

We talk about the duality of energy / matter but forget that whilst energy is in effect waves matter is in effect particles, and not all particles are divisible, so unlike waves indivisible particles can not leak partial information it's all or nothing. Which is why there is only one recipient per bit of information.

The first idea to use this for recording information was back around 1970 with Stephen Wiesner's "Quantum Bank Notes". The idea spent something like thirteen years in limbo because it was "too far ahead" of what the peer review publishing process would tolerate.

I can not remember exactly what the tie up was from that to prompt Gilles Brassard into the idea of Quantum Cryptography (but it's probably up on the net somewhere).

Thus the idea of the quantum bank note comes full circle. Rather than using it to store a secret serial number, it can be used to store a message where each bit can only be read once. Thus ensuring that each bit of the message only has one recipient.

Clive Robinson • September 21, 2017 6:12 AM

@ Rachel,

Dirk may come down from the shelf...

One can only but hope. Dirk has disappeared in the past for a lengthy time, due to other commitments.

But it is clear that political events in the past year or so have done a great deal of damage in the West and not just in the Five Eyes. Sadly the Internet has likewise been divided and fractious, and a part of that is it has hurt this blog. We can see that other regular contributors have become noticeably more absent. Whether they come back or not is uncertain currently. I'm hoping the storm can be ridden out to calmer waters and more prosperous times.

However this blog is in effect an apex, and thus dependent on the food chains beneath it feeding in. The sad fact is technology has noticeably become more complex in effect doubling up every year. Which means the industry is becoming ever more a "Red Queens Race" and there is thus a vastly increased barrier to new entrants, and once in, the scope of individuals view point is becoming narrower and narrower thus more disjoint. Which means the ability for general participation at an expert or even informed level is getting vastly more difficult. Which in turn can discourage participation by those putting their toe in the water.

Which is sad because everybody can learn something new from even the simplest of questions. As even in the mind of an expert rethinking their thoughts to make things easier to communicate to others helps clarify the thinking process (it's why teaching is considered a fundamental part of research).

Anyway time as they say will tell.

Clive Robinson • September 21, 2017 6:36 AM

@ Wael,

To follow on with the thinking.

As I said information can be regarded as intangible and without tangible form or state. What we see hear and touch are actually tangible objects of energy and matter subject to forces thus behaving in a way understandable under our current physical laws. The information is thus impressed on matter to store and modulated on energy to communicate. As processing involves both it requires work to be performed.

So as far as information is concerned we can,

1, Store it by impressing on matter.
2, Communicate it by modulating it on energy.
3, Process it by performing work on matter and energy.

Using indivisible particles to prevent information leakage we can,

1, Store information on Qbit state.
2, Communicate it by using photons as Qbits.
3, Process classically Qbits in appropriate logic gates.

And under what appears never ending research potentially process Qbits quantumly.

As we know Qbits do decohere very easily sometimes in picoseconds, thus Qbit storage is currently a very hard problem, but one we are certainly making progress on.

Thus we have in place the building blocks that can not leak information. Which I hope you will see as a first step on at least partially negating the first part of your,

I say impossible, but I will listen to suggestions

Wael • September 21, 2017 8:09 AM

@Clive Robinson,

But re-reading the above I made a jump to QC without going through the steps between. So,

Good clarification (not that I understand this one.) I couldn't understand how you made that quantum leap in your reasoning. You violated the laws of causality there!

I'll have to punt this for the weekend as I have an early free massage appointment session at the airport.

Walled garden full of prisoners • September 21, 2017 6:09 PM

"If Bluetooth or Wifi is powered on, your system isn't airgapped in any meaningful sense."

Now the question becomes "how can you be sure it IS turned off anyway?"

Ask Siri!
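
One way to check the question raised in the comments ("how can you be sure it IS turned off?") on a Linux host, as an added example that is not part of the original post or of any comment: the script reads the kernel's rfkill sysfs class and reports every Bluetooth radio that is not blocked. The function names and the constructed sample tree are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit Bluetooth radio state via the kernel rfkill sysfs class.
# Each radio appears as <root>/rfkillN with the files: type, name, soft, hard.
#   soft = 1 -> blocked in software (e.g. by "rfkill block bluetooth")
#   hard = 1 -> blocked by a hardware switch or firmware

# bt_radio_report [ROOT]
# Prints "<name> <status>" for every rfkill entry of type "bluetooth".
bt_radio_report() {
    root="${1:-/sys/class/rfkill}"
    for dev in "$root"/rfkill*; do
        # Skip an unmatched glob and entries without a readable type file.
        [ -r "$dev/type" ] || continue
        [ "$(cat "$dev/type")" = "bluetooth" ] || continue
        name=$(cat "$dev/name" 2>/dev/null || echo unknown)
        # A missing soft/hard file is treated as "not blocked" (fail towards alerting).
        soft=$(cat "$dev/soft" 2>/dev/null || echo 0)
        hard=$(cat "$dev/hard" 2>/dev/null || echo 0)
        case "$soft$hard" in
            00) status="ENABLED" ;;
            10) status="soft-blocked" ;;
            01) status="hard-blocked" ;;
            11) status="soft+hard-blocked" ;;
            *)  status="unknown" ;;
        esac
        printf '%s %s\n' "$name" "$status"
    done
}

# bt_radio_enabled_count [ROOT]
# Prints the number of Bluetooth radios that are neither soft- nor hard-blocked.
bt_radio_enabled_count() {
    bt_radio_report "${1:-}" | awk '$NF == "ENABLED" { n++ } END { print n + 0 }'
}

# mk_entry DIR INDEX TYPE NAME SOFT HARD
# Helper that writes one constructed rfkill entry (sample data, not real hardware).
mk_entry() {
    mkdir -p "$1/rfkill$2"
    echo "$3" > "$1/rfkill$2/type"
    echo "$4" > "$1/rfkill$2/name"
    echo "$5" > "$1/rfkill$2/soft"
    echo "$6" > "$1/rfkill$2/hard"
}

# make_sample_tree
# Builds a constructed sysfs-like tree in a temp dir and prints its path:
# one Wi-Fi radio (ignored), one blocked Bluetooth radio, one enabled one.
make_sample_tree() {
    d=$(mktemp -d)
    mk_entry "$d" 0 wlan      phy0 0 0
    mk_entry "$d" 1 bluetooth hci0 1 0
    mk_entry "$d" 2 bluetooth hci1 0 0
    echo "$d"
}

# "--audit" runs against the live system and exits non-zero if any
# Bluetooth radio is still enabled, so it can be used from a compliance check.
if [ "${1:-}" = "--audit" ]; then
    bt_radio_report
    [ "$(bt_radio_enabled_count)" -eq 0 ]
fi
```

rfkill shows only the state the kernel knows about; it does not prove that a controller's own firmware is silent, so it complements rather than replaces physically removing or disabling the radio on systems meant to be air gapped.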

Einstein's greatest blunderbuss • September 21, 2017 6:18 PM

(on the assumption that our current laws of physics are correct)

That's quite an assumption isn't it? People in the field are learning new things all the time now. The pace of new related discoveries seems to be very much faster than the pace of implementation.

Whatever quantum computing comes about in a physical implementation it will most likely be made obsolete faster than anyone is able to replace systems to utilize that extra security, until some major plateau is reached and we consider entanglement to be well-explored. That's still a ways off.

Wael September 22, 2017 1:49 AM

@Clive Robinson,

as I have an early free massage appointment session at the airport.

So I have a Global Travel card; the international version of TSA Pre Check. And wouldn't you know! I got "randomly" selected for "additional checks". Wasn't too bad... only a swap of the hands for residuals and traces of interesting materials... No massage today.

@Rachel,

if [...] sings a song

I tried this one, but got stuck on the first line...

On the day I was sworn, the curses all lathered ‘bound

Pick a song! But not this one, it's too difficult, although it would be a good one! It requires me to be in an extra goofy mood.

Clive Robinson September 22, 2017 2:44 AM

@ Wael,

Wasn't too bad... only a swap of the hands

Was that "left for right" or with another person...

I've never regarded major surgery as "Wasn't too bad" ;-)

The brain isn't working at the moment.

Well maybe you should try "The Buccaneer" approach as a "hearty Swab" not an international plane swapper.

Wael September 22, 2017 7:04 AM

@Clive Robinson,

Was that "left for right" or with another person...

I meant "swab" not "swap". Both hands. Told ya: the brain stopped working.

Clive Robinson September 22, 2017 3:51 PM

@ Wael,

I meant "swab" not "swap"

I know hence the left-right joke, and if your tired brain missed that then the Buccaneer joke about a "hearty swab".

But I guess you must have been really tired as you missed both ;-)

I trust that wherever you have landed you've had the chance to "re-coop" by the time you read this, and have hatched "a cunning plan".

Wael September 22, 2017 4:11 PM

@Clive Robinson,

But I guess you must have been really tired as you missed both ;-)

Oh, no! I got the first one. The second one... I still don't get.

I trust that wherever you have landed you've had the chance to "re-coop"

I landed where I started - one day trip. No plans hatched yet. Plans are a dish best eaten cold ;)

Clive Robinson September 22, 2017 6:24 PM

@ Wael,

In the days of Buccaneers the ships were wood and sail, the major activity of the unskilled or those needed only to man the guns and sails was a form of makework such as "swabbing the decks" with the likes of holy stones and buckets of salt water.

A "hearty swab" was one settled into the existence and possessed of a cheerful disposition.

Oh speaking of dishes eaten cold remember "not to count your chickens..." otherwise you may aquire to large a coop.

Spine Milligna September 23, 2017 1:47 PM

Well maybe you should try "The Buccaneer" approach as a "hearty Swab" not an international plane swapper.

Gave me a hearty chuckle to see Clive join the typo police!

Wael September 23, 2017 2:44 PM

@Spine Milligna,

Gave me a hearty chuckle to see Clive join the typo police!

+1

But to be honest with you, it wasn't a typo! I freakin clicked 'P' on purpose thinking that's the right word. I don't know what I was thinking...

Oh speaking of dishes eaten cold

The dish came warm to me. Plans cancelled :)

Clive Robinson September 23, 2017 3:27 PM

@ Spine Milligna, Wael,

Gave me a hearty chuckle to see Clive join the typo police!

Just for the LOLs, and only with people who have been around long enough to get my jokes (when they are awake ;-)

Which leaves me wondering if Wael caught the "Don't count your chickens until they hatch" and "re-coop" joke (Hey this level of humour takes effort ;-)

Wael September 23, 2017 3:35 PM

@Clive Robinson, @Spine Milligna,

Which leaves me wondering if [...] caught the...

Hey, man! Humor is supposed to be a no brainer! Don't we (theoretically) spend enough brain power at work? Do we need to pay a price to laugh too?

Nope - was a bit busy. Will try to "get it" today.

Wael September 23, 2017 3:46 PM

@Clive Robinson, @Spine Milligna,

not to count your chickens

Don't count your fortune until it's a reality --> I shouldn't say I will plan to get you back, because...

otherwise you may aquire to large a coop.

aquire: a board game.

meaning: Don't threaten to outwit Sir Clive or you'll create more problems for yourself. The bolded expression is what threw me off.

Correct?
